Documentation
Overview
Package proxiedidentity provides a way to pass the identity of an end user through the SansShell proxy.
Index
- func AppendToMetadataInOutgoingContext(ctx context.Context, p *rpcauth.PrincipalAuthInput) context.Context
- func FromContext(ctx context.Context) *rpcauth.PrincipalAuthInput
- func ServerProxiedIdentityStreamInterceptor() grpc.StreamServerInterceptor (deprecated)
- func ServerProxiedIdentityUnaryInterceptor() grpc.UnaryServerInterceptor (deprecated)
Constants
This section is empty.
Variables
This section is empty.
Functions
func AppendToMetadataInOutgoingContext
func AppendToMetadataInOutgoingContext(ctx context.Context, p *rpcauth.PrincipalAuthInput) context.Context
AppendToMetadataInOutgoingContext includes the identity in the grpc metadata used in outgoing calls with the context.
func FromContext
func FromContext(ctx context.Context) *rpcauth.PrincipalAuthInput
FromContext returns the identity in ctx if it exists.
This should ONLY be used if the caller is trusted to proxy requests. The best way to enforce this is to reject RPC requests that set `proxied-sansshell-identity` in the gRPC metadata when they come from callers other than a proxy.
Failing to do this authz check can let any caller assert any proxied identity, which can let a caller take dangerous actions like approving their own MPA requests.
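The check described above, sketched as an added example (not SansShell's own code). It models incoming metadata as map[string][]string, the same underlying type as gRPC's metadata.MD; the peer identity string, the trustedProxies allowlist, and the function and error names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const proxiedIdentityKey = "proxied-sansshell-identity" // key named in the package docs
var (
	ErrUntrustedProxy    = errors.New("proxied identity set by a caller that is not a trusted proxy")
	ErrAmbiguousIdentity = errors.New("proxied identity must carry exactly one non-empty value")
)

// CheckProxiedIdentity reports whether a proxied identity is present and may be
// honoured. peer is the caller's authenticated identity (assumption: taken from
// its mTLS certificate); trustedProxies is a hypothetical allowlist of proxies.
func CheckProxiedIdentity(md map[string][]string, peer string, trustedProxies map[string]bool) (bool, error) {
	var vals []string
	present := false
	for k, v := range md {
		// Case-insensitive match so a mixed-case key cannot bypass the check.
		if strings.EqualFold(k, proxiedIdentityKey) {
			present = true
			vals = append(vals, v...)
		}
	}
	if !present {
		return false, nil // direct call without a proxied identity
	}
	// Presence of the key alone, even with no value, is rejected for non-proxies.
	if !trustedProxies[peer] {
		return false, fmt.Errorf("%w: peer %q", ErrUntrustedProxy, peer)
	}
	// Extra strictness chosen for this example: one unambiguous value only.
	if len(vals) != 1 || vals[0] == "" {
		return false, ErrAmbiguousIdentity
	}
	return true, nil
}

func main() {
	proxies := map[string]bool{"proxy.example.internal": true} // constructed sample
	md := map[string][]string{proxiedIdentityKey: {"constructed-identity-value"}}
	for _, peer := range []string{"proxy.example.internal", "client.example.internal"} {
		ok, err := CheckProxiedIdentity(md, peer, proxies)
		fmt.Printf("peer=%s honour=%v err=%v\n", peer, ok, err)
	}
}
```

In a real server this decision would run in the authorization path before FromContext is consulted, with md obtained from metadata.FromIncomingContext and a non-nil error mapped to a PermissionDenied status.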
func ServerProxiedIdentityStreamInterceptor (deprecated)
func ServerProxiedIdentityStreamInterceptor() grpc.StreamServerInterceptor
ServerProxiedIdentityStreamInterceptor is a no-op.
Deprecated: This was formerly used to avoid unintentional proxying.
func ServerProxiedIdentityUnaryInterceptor (deprecated)
func ServerProxiedIdentityUnaryInterceptor() grpc.UnaryServerInterceptor
ServerProxiedIdentityUnaryInterceptor is a no-op.
Deprecated: This was formerly used to avoid unintentional proxying.
Types
This section is empty.