Documentation

Constants

const (
	// ImpersonateUserHeader is used to impersonate a particular user during an API server request
	ImpersonateUserHeader = "Impersonate-User"

	// ImpersonateGroupHeader is used to impersonate a particular group during an API server request.
	// It can be repeated multiple times for multiple groups.
	ImpersonateGroupHeader = "Impersonate-Group"

	// ImpersonateUserExtraHeaderPrefix is a prefix for a header used to impersonate an entry in the
	// extra map[string][]string for user.Info. The key for the `extra` map is the suffix.
	// The same key can be repeated multiple times to have multiple elements in the slice under a single key.
	// For instance:
	// Impersonate-Extra-Foo: one
	// Impersonate-Extra-Foo: two
	// results in extra["Foo"] = []string{"one", "two"}
	ImpersonateUserExtraHeaderPrefix = "Impersonate-Extra-"
)

These correspond to the headers used in pkg/apis/authentication. We don't want the package dependency, but you must not change the values.

Variables

var CertCallbackRefreshDuration = 5 * time.Minute

CertCallbackRefreshDuration is exposed so that integration tests can crank up the reload speed.

Functions

func DebugWrappers

func DebugWrappers(rt http.RoundTripper) http.RoundTripper

DebugWrappers wraps a round tripper and logs based on the current log level.

func HTTPWrappersForConfig

func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTripper, error)

HTTPWrappersForConfig wraps a round tripper with any relevant layered behavior from the config. It is exposed to allow clients that need HTTP-like behavior but must then hijack the underlying connection (such as WebSocket or HTTP/2 clients). Pure HTTP clients should use the RoundTripper returned from New.

func New

func New(config *Config) (http.RoundTripper, error)

New returns an http.RoundTripper that will provide the authentication or transport-level security defined by the provided Config.

func NewAuthProxyRoundTripper

func NewAuthProxyRoundTripper(username string, groups []string, extra map[string][]string, rt http.RoundTripper) http.RoundTripper

NewAuthProxyRoundTripper provides a round tripper which adds auth proxy fields to requests, for authentication-terminating proxy cases, assuming you pull the user from the context:

  username is the user.Info.GetName() of the user
  groups is the user.Info.GetGroups() of the user
  extra is the user.Info.GetExtra() of the user

extra can contain any additional information that the authenticator thought was interesting, for example authorization scopes. In order to faithfully round-trip through an impersonation flow, these keys MUST be lowercase.

func NewBasicAuthRoundTripper

func NewBasicAuthRoundTripper(username, password string, rt http.RoundTripper) http.RoundTripper

NewBasicAuthRoundTripper will apply a BASIC auth Authorization header to a request unless it has already been set.

func NewBearerAuthRoundTripper

func NewBearerAuthRoundTripper(bearer string, rt http.RoundTripper) http.RoundTripper

NewBearerAuthRoundTripper adds the provided bearer token to a request unless the Authorization header has already been set.

func NewBearerAuthWithRefreshRoundTripper

func NewBearerAuthWithRefreshRoundTripper(bearer string, tokenFile string, rt http.RoundTripper) (http.RoundTripper, error)

NewBearerAuthWithRefreshRoundTripper adds the provided bearer token to a request unless the Authorization header has already been set. If tokenFile is non-empty, it is periodically read, and the last successfully read content is used as the bearer token. If tokenFile is non-empty and bearer is empty, the tokenFile is read immediately to populate the initial bearer token.

func NewCachedFileTokenSource

func NewCachedFileTokenSource(path string) *cachingTokenSource

NewCachedFileTokenSource returns a resettable token source which reads a token from a file at the specified path and periodically reloads it.

func NewCachedTokenSource

func NewCachedTokenSource(ts oauth2.TokenSource) *cachingTokenSource

NewCachedTokenSource returns a resettable token source with caching. It reads a token from the designated TokenSource if the cached token is missing or expired.

func NewDebuggingRoundTripper

func NewDebuggingRoundTripper(rt http.RoundTripper, levels ...DebugLevel) http.RoundTripper

NewDebuggingRoundTripper returns a round tripper that writes debug information about the API requests performed by the client to the log output, according to the requested DebugLevels.

func NewImpersonatingRoundTripper

func NewImpersonatingRoundTripper(impersonate ImpersonationConfig, delegate http.RoundTripper) http.RoundTripper

NewImpersonatingRoundTripper will add Act-As (impersonation) headers to a request unless they have already been set.

func NewUserAgentRoundTripper

func NewUserAgentRoundTripper(agent string, rt http.RoundTripper) http.RoundTripper

NewUserAgentRoundTripper will add a User-Agent header to a request unless it has already been set.

func ResettableTokenSourceWrapTransport

func ResettableTokenSourceWrapTransport(ts ResettableTokenSource) func(http.RoundTripper) http.RoundTripper

ResettableTokenSourceWrapTransport returns a WrapTransport that injects bearer token authentication from a ResettableTokenSource.

func SetAuthProxyHeaders

func SetAuthProxyHeaders(req *http.Request, username string, groups []string, extra map[string][]string)

SetAuthProxyHeaders overwrites the auth proxy header fields on the request. It mutates its argument.

func TLSConfigFor

func TLSConfigFor(c *Config) (*tls.Config, error)

TLSConfigFor returns a tls.Config that will provide the transport-level security defined by the provided Config. It returns nil if no transport-level security is requested.

func TokenSourceWrapTransport

func TokenSourceWrapTransport(ts oauth2.TokenSource) func(http.RoundTripper) http.RoundTripper

TokenSourceWrapTransport returns a WrapTransport that injects bearer token authentication from an oauth2.TokenSource.

Types

type Config

type Config struct {
	// UserAgent is an optional field that specifies the caller of this
	// request.
	UserAgent string

	// The base TLS configuration for this transport.
	TLS TLSConfig

	// Username and password for basic authentication
	Username string
	Password string `datapolicy:"password"`

	// Bearer token for authentication
	BearerToken string `datapolicy:"token"`

	// Path to a file containing a BearerToken.
	// If set, the contents are periodically read.
	// The last successfully read value takes precedence over BearerToken.
	BearerTokenFile string

	// Impersonate is the config that this Config will impersonate using
	Impersonate ImpersonationConfig

	// DisableCompression bypasses automatic GZip compression for requests to the
	// server.
	DisableCompression bool

	// Transport may be used for custom HTTP behavior. This attribute may
	// not be specified with the TLS client certificate options. Use
	// WrapTransport for most client level operations.
	Transport http.RoundTripper

	// WrapTransport will be invoked for custom HTTP behavior after the
	// underlying transport is initialized (either the transport created
	// from TLSClientConfig, Transport, or http.DefaultTransport). The
	// config may layer other RoundTrippers on top of the returned
	// RoundTripper.
	//
	// A future release will change this field to an array. Use config.Wrap()
	// instead of setting this value directly.
	WrapTransport WrapperFunc

	// Dial specifies the dial function for creating unencrypted TCP connections.
	Dial func(ctx context.Context, network, address string) (net.Conn, error)

	// Proxy is the proxy func to be used for all requests made by this
	// transport. If Proxy is nil, http.ProxyFromEnvironment is used. If Proxy
	// returns a nil *URL, no proxy is used.
	//
	// socks5 proxying does not currently support spdy streaming endpoints.
	Proxy func(*http.Request) (*url.URL, error)
}

Config holds various options for establishing a transport.

func (*Config) HasBasicAuth

func (c *Config) HasBasicAuth() bool

HasBasicAuth returns whether the configuration has basic authentication or not.

func (*Config) HasCA

func (c *Config) HasCA() bool

HasCA returns whether the configuration has a certificate authority or not.

func (*Config) HasCertAuth

func (c *Config) HasCertAuth() bool

HasCertAuth returns whether the configuration has certificate authentication or not.

func (*Config) HasCertCallback

func (c *Config) HasCertCallback() bool

HasCertCallback returns whether the configuration has a certificate callback or not.

func (*Config) HasTokenAuth

func (c *Config) HasTokenAuth() bool

HasTokenAuth returns whether the configuration has token authentication or not.

func (*Config) Wrap

func (c *Config) Wrap(fn WrapperFunc)

Wrap adds a transport middleware function that will give the caller an opportunity to wrap the underlying http.RoundTripper prior to the first API call being made. The provided function is invoked after any existing transport wrappers are invoked.

type DebugLevel

type DebugLevel int

DebugLevel is used to enable debugging of certain HTTP request and response fields via the debuggingRoundTripper.

const (
	// DebugJustURL adds the HTTP request method and URL to the debug output.
	DebugJustURL DebugLevel = iota
	// DebugURLTiming adds the duration of HTTP requests to the debug output.
	DebugURLTiming
	// DebugCurlCommand adds the curl command equivalent to the HTTP request
	// to the debug output.
	DebugCurlCommand
	// DebugRequestHeaders adds the HTTP request headers to the debug output.
	DebugRequestHeaders
	// DebugResponseStatus adds the HTTP response status to the debug output.
	DebugResponseStatus
	// DebugResponseHeaders adds the HTTP response headers to the debug output.
	DebugResponseHeaders
)

type ImpersonationConfig

type ImpersonationConfig struct {
	// UserName matches user.Info.GetName()
	UserName string
	// Groups matches user.Info.GetGroups()
	Groups []string
	// Extra matches user.Info.GetExtra()
	Extra map[string][]string
}

ImpersonationConfig has all the available impersonation options.

type ResettableTokenSource

type ResettableTokenSource interface {
	oauth2.TokenSource
	ResetTokenOlderThan(time.Time)
}

type TLSConfig

type TLSConfig struct {
	CAFile         string // Path of the PEM-encoded server trusted root certificates.
	CertFile       string // Path of the PEM-encoded client certificate.
	KeyFile        string // Path of the PEM-encoded client key.
	ReloadTLSFiles bool   // Set to indicate that the original config provided files, and that they should be reloaded.

	Insecure   bool   // Server should be accessed without verifying the certificate. For testing only.
	ServerName string // Override for the server name passed to the server for SNI and used to verify certificates.

	CAData   []byte // Bytes of the PEM-encoded server trusted root certificates. Supersedes CAFile.
	CertData []byte // Bytes of the PEM-encoded client certificate. Supersedes CertFile.
	KeyData  []byte // Bytes of the PEM-encoded client key. Supersedes KeyFile.

	// NextProtos is a list of supported application level protocols, in order of preference.
	// Used to populate tls.Config.NextProtos.
	// To indicate to the server http/1.1 is preferred over http/2, set to ["http/1.1", "h2"] (though the server is free to ignore that preference).
	// To use only http/1.1, set to ["http/1.1"].
	NextProtos []string

	GetCert func() (*tls.Certificate, error) // Callback that returns a TLS client certificate. CertData, CertFile, KeyData and KeyFile supersede this field.
}

TLSConfig holds the information needed to set up a TLS transport.

type WrapperFunc

type WrapperFunc func(rt http.RoundTripper) http.RoundTripper

WrapperFunc wraps an http.RoundTripper when a new transport is created for a client, allowing per-connection behavior to be injected.

func ContextCanceller

func ContextCanceller(ctx context.Context, err error) WrapperFunc

ContextCanceller prevents new requests after the provided context is finished. err is returned when the context is closed, allowing the caller to provide a context-appropriate error.

func Wrappers

func Wrappers(fns ...WrapperFunc) WrapperFunc

Wrappers accepts any number of wrappers and returns a wrapper function that is the equivalent of calling each of them in order. Nil values are ignored, which makes this function convenient for incrementally wrapping a function.
