common

package

Constants

This section is empty.

Variables

// URL paths served by the AuthService itself. They are written as
// site-relative paths; NOTE(review): presumably resolved under
// Config.AuthserviceURLPrefix (see ResolvePathReference) — confirm
// against the router wiring.
var (
	// AfterLogoutPath is the site page a user lands on once logout has completed.
	AfterLogoutPath  = "/site/after_logout"
	// HomepagePath is the AuthService's own landing page.
	HomepagePath     = "/site/homepage"
	// OIDCCallbackPath is the path the OIDC provider redirects back to after
	// login; presumably the registered redirect URI target — confirm.
	OIDCCallbackPath = "/oidc/callback"
	// VerifyEndpoint is the path on which a request's authentication is verified.
	VerifyEndpoint   = "/verify"
)

Functions

func Contains

func Contains(sli []string, ele []string) bool

Contains reports whether the two []string slices share at least one element. The JWT authenticator uses it to check that at least one audience of the examined JWT token appears in the list of audiences that the AuthService accepts.

func DoRequest

func DoRequest(ctx context.Context, req *http.Request) (*http.Response, error)

func GetBearerToken

func GetBearerToken(value string) string

func InterfaceSliceToStringSlice

func InterfaceSliceToStringSlice(in []interface{}) []string

func MustParseURL

func MustParseURL(rawURL string) *url.URL

func ParseJWT

func ParseJWT(p string) ([]byte, error)

We copy parseJWT() from https://github.com/coreos/go-oidc/blob/v3/oidc/verify.go to perform one of the necessary local tests for the JWT authenticator.

func RealPath

func RealPath(path string) (string, error)

func RequestLogger

func RequestLogger(r *http.Request, info string) *log.Entry

func ResolvePathReference

func ResolvePathReference(u *url.URL, p string) *url.URL

func ReturnHTML

func ReturnHTML(w http.ResponseWriter, statusCode int, html string)

func ReturnJSONMessage

func ReturnJSONMessage(w http.ResponseWriter, statusCode int, jsonMsg interface{})

func ReturnMessage

func ReturnMessage(w http.ResponseWriter, statusCode int, msg string)

func SetLogLevel

func SetLogLevel(level string)

func SetTLSContext

func SetTLSContext(ctx context.Context, caBundle []byte) context.Context

func StandardLogger

func StandardLogger() *log.Logger

func UserInfoToHeaders

func UserInfoToHeaders(info user.Info, opts *HTTPHeaderOpts, transformer *UserIDTransformer) map[string]string

Types

type Audience

// Audience holds the values of a JWT's `aud` claim. It is a named slice so that
// its UnmarshalJSON can accept either a single JSON string or a JSON array of
// strings, both of which are valid encodings of the claim.
type Audience []string

The `aud` claim of a JWT token can be one of the following types:

* string
* []string

Similarly to https://github.com/coreos/go-oidc/blob/v3/oidc/oidc.go, we introduce a custom UnmarshalJSON function that allows us to handle both types.

func (*Audience) UnmarshalJSON

func (a *Audience) UnmarshalJSON(b []byte) error

type AuthenticatorSpecificError

// AuthenticatorSpecificError reports that the authentication method
// appropriate for the request was tried and failed, so the caller should not
// fall through to any other authentication method.
type AuthenticatorSpecificError struct {
	// Err is the underlying authentication failure; it is returned by Unwrap.
	Err error
}

The AuthenticatorSpecificError type is used to inform the calling code that the appropriate authentication method failed to authenticate the request. No other authentication method needs to be tested.

func (*AuthenticatorSpecificError) Error

func (*AuthenticatorSpecificError) Unwrap

func (e *AuthenticatorSpecificError) Unwrap() error

type Config

// Config holds the AuthService runtime configuration. Fields are populated from
// the environment (presumably by ParseConfig) using envconfig-style struct tags
// (`required`, `split_words`, `default`, `envconfig`, `ignored`); where a tag
// gives an explicit `envconfig` name it is noted on the field. ClientSecret
// and SessionStoreRedisPWD are credentials and must not appear in logs or
// error messages.
type Config struct {
	// OIDC Provider
	// ProviderURL is the OIDC provider URL (envconfig name OIDC_PROVIDER); required.
	ProviderURL *url.URL `required:"true" split_words:"true" envconfig:"OIDC_PROVIDER"`

	// OIDC Client
	// ClientID and ClientSecret identify this client to the provider; both are
	// required, and ClientSecret is a secret.
	ClientID                string   `required:"true" split_words:"true"`
	ClientSecret            string   `required:"true" split_words:"true"`
	// OIDCAuthURL and RedirectURL are optional URLs for the OIDC flow.
	// NOTE(review): their exact roles are not visible here — confirm in the
	// OIDC client setup (RedirectURL presumably pairs with OIDCCallbackPath).
	OIDCAuthURL             *url.URL `split_words:"true"`
	RedirectURL             *url.URL `split_words:"true"`
	// OIDCScopes are the scopes requested from the provider; default "openid,email".
	OIDCScopes              []string `split_words:"true" default:"openid,email"`
	// StrictSessionValidation presumably re-validates the session with the
	// provider on each request — confirm against the session authenticator.
	StrictSessionValidation bool     `split_words:"true"`
	// OIDCStateStorePath is the on-disk store for OIDC login state. It shares
	// its default path with SessionStorePath.
	OIDCStateStorePath      string   `split_words:"true" default:"/var/lib/authservice/data.db"`

	// General
	// AuthserviceURLPrefix is the URL prefix under which the AuthService is
	// served; required.
	AuthserviceURLPrefix *url.URL `required:"true" split_words:"true"`
	// SkipAuthURLs (envconfig name SKIP_AUTH_URLS) lists URLs that bypass
	// authentication; every entry is an unauthenticated path, so review it
	// carefully.
	SkipAuthURLs         []string `split_words:"true" envconfig:"SKIP_AUTH_URLS"`
	// AuthHeader (default "Authorization") is presumably the request header
	// carrying the credential; AuthMethodHeader (default "Auth-Method") is the
	// header reporting the authentication method (see HTTPHeaderOpts).
	AuthHeader           string   `split_words:"true" default:"Authorization"`
	AuthMethodHeader     string   `split_words:"true" default:"Auth-Method"`
	// Audiences are the JWT `aud` values the AuthService accepts (see Contains
	// and Audience); the default is the Istio ingress gateway service name.
	Audiences            []string `default:"istio-ingressgateway.istio-system.svc.cluster.local"`
	// HomepageURL, AfterLoginURL, AfterLogoutURL and VerifyAuthURL are optional
	// redirect/verification URLs; see also the HomepagePath, AfterLogoutPath
	// and VerifyEndpoint path variables.
	HomepageURL          *url.URL `split_words:"true"`
	AfterLoginURL        *url.URL `split_words:"true"`
	AfterLogoutURL       *url.URL `split_words:"true"`
	VerifyAuthURL        *url.URL `split_words:"true"`
	// LogLevel (default "INFO") is presumably consumed by SetLogLevel.
	LogLevel             string   `split_words:"true" default:"INFO"`

	// Identity Headers
	// UserIDHeader (envconfig name USERID_HEADER, default "kubeflow-userid") and
	// GroupsHeader (default "kubeflow-groups") are the headers carrying the
	// authenticated identity and groups (see UserInfoToHeaders). UserIDPrefix
	// (envconfig name USERID_PREFIX) is presumably prepended to the user ID, and
	// UserIDTransformer (envconfig name USERID_TRANSFORMERS) rewrites it via
	// UserIDTransformer.Transform.
	UserIDHeader      string            `split_words:"true" default:"kubeflow-userid" envconfig:"USERID_HEADER"`
	GroupsHeader      string            `split_words:"true" default:"kubeflow-groups"`
	UserIDPrefix      string            `split_words:"true" envconfig:"USERID_PREFIX"`
	UserIDTransformer UserIDTransformer `envconfig:"USERID_TRANSFORMERS"`

	// IDToken
	// UserIDClaim (envconfig name USERID_CLAIM, default "email") and GroupsClaim
	// (default "groups") name the token claims holding the identity (see
	// JWTClaimOpts). UserIDTokenHeader (envconfig name USERID_TOKEN_HEADER) and
	// IDTokenHeader (envconfig name ID_TOKEN_HEADER, default "Authorization")
	// are ID-token related headers — NOTE(review): which one is read and which
	// is written is not visible here; confirm.
	UserIDClaim       string `split_words:"true" default:"email" envconfig:"USERID_CLAIM"`
	UserIDTokenHeader string `split_words:"true" envconfig:"USERID_TOKEN_HEADER"`
	GroupsClaim       string `split_words:"true" default:"groups"`
	IDTokenHeader     string `split_words:"true" default:"Authorization" envconfig:"ID_TOKEN_HEADER"`

	// Infra
	// Hostname (envconfig name SERVER_HOSTNAME) and Port (envconfig name
	// SERVER_PORT, default 8080) describe the main listener; WebServerPort
	// (default 8082) and ReadinessProbePort (default 8081) are additional
	// listeners. CABundlePath (envconfig name CA_BUNDLE) points to a CA bundle
	// file, presumably loaded and passed to SetTLSContext — confirm.
	Hostname              string `split_words:"true" envconfig:"SERVER_HOSTNAME"`
	Port                  int    `split_words:"true" default:"8080" envconfig:"SERVER_PORT"`
	WebServerPort         int    `split_words:"true" default:"8082"`
	ReadinessProbePort    int    `split_words:"true" default:"8081"`
	CABundlePath          string `split_words:"true" envconfig:"CA_BUNDLE"`
	// SessionStoreType selects the session backend (default "boltdb").
	// SessionStorePath is the boltdb file; SessionStoreRedisAddr,
	// SessionStoreRedisPWD (envconfig name SESSION_STORE_REDIS_PWD, a secret)
	// and SessionStoreRedisDB (envconfig name SESSION_STORE_REDIS_DB) configure
	// a Redis backend. SessionMaxAge (default 86400; presumably seconds, i.e.
	// one day — confirm) and SessionSameSite (default "Lax") shape the session
	// cookie.
	SessionStoreType      string `split_words:"true" default:"boltdb"`
	SessionStorePath      string `split_words:"true" default:"/var/lib/authservice/data.db"`
	SessionStoreRedisAddr string `split_words:"true" default:"127.0.0.1:6379"`
	SessionStoreRedisPWD  string `split_words:"true" default:"" envconfig:"SESSION_STORE_REDIS_PWD"`
	SessionStoreRedisDB   int    `split_words:"true" default:"0" envconfig:"SESSION_STORE_REDIS_DB"`
	SessionMaxAge         int    `split_words:"true" default:"86400"`
	SessionSameSite       string `split_words:"true" default:"Lax"`

	// Site
	// ClientName (default "AuthService"), ThemesURL (default "themes"), Theme
	// (default "kubeflow") and TemplatePath configure the rendered site pages.
	// UserTemplateContext is ignored by envconfig and presumably filled in
	// programmatically.
	ClientName          string            `split_words:"true" default:"AuthService"`
	ThemesURL           *url.URL          `split_words:"true" default:"themes"`
	Theme               string            `split_words:"true" default:"kubeflow"`
	TemplatePath        []string          `split_words:"true"`
	UserTemplateContext map[string]string `ignored:"true"`

	// bearerUserInfoCache configuration
	// CacheEnabled (envconfig name CACHE_ENABLED, default false) toggles the
	// bearer user-info cache and CacheExpirationMinutes (envconfig name
	// CACHE_EXPIRATION_MINUTES, default 5) sets its TTL in minutes.
	// NOTE(review): a cached result presumably outlives a token revocation for
	// up to the TTL, so keep it short — confirm in the cache implementation.
	CacheEnabled           bool `split_words:"true" default:"false" envconfig:"CACHE_ENABLED"`
	CacheExpirationMinutes int  `split_words:"true" default:"5" envconfig:"CACHE_EXPIRATION_MINUTES"`

	// Authenticators configurations
	// IDTokenAuthnEnabled (envconfig name IDTOKEN_AUTHN_ENABLED),
	// KubernetesAuthnEnabled (envconfig name KUBERNETES_AUTHN_ENABLED) and
	// AccessTokenAuthnEnabled (envconfig name ACCESS_TOKEN_AUTHN_ENABLED) each
	// default to true; AccessTokenAuthn (envconfig name ACCESS_TOKEN_AUTHN,
	// default "jwt") selects the access-token authenticator implementation.
	IDTokenAuthnEnabled     bool   `split_words:"true" default:"true" envconfig:"IDTOKEN_AUTHN_ENABLED"`
	KubernetesAuthnEnabled  bool   `split_words:"true" default:"true" envconfig:"KUBERNETES_AUTHN_ENABLED"`
	AccessTokenAuthnEnabled bool   `split_words:"true" default:"true" envconfig:"ACCESS_TOKEN_AUTHN_ENABLED"`
	AccessTokenAuthn        string `split_words:"true" default:"jwt" envconfig:"ACCESS_TOKEN_AUTHN"`

	// Authorization
	// GroupsAllowlist defaults to "*" — NOTE(review): presumably a wildcard
	// admitting any group; confirm in the groups authorizer and narrow it where
	// access is meant to depend on group membership. ExternalAuthzUrl
	// (default "") optionally names an external authorization service; empty
	// presumably disables it.
	GroupsAllowlist  []string `split_words:"true" default:"*"`
	ExternalAuthzUrl string   `split_words:"true" default:""`
}

func ParseConfig

func ParseConfig() (*Config, error)

type HTTPHeaderOpts

// HTTPHeaderOpts names the HTTP headers in which the authenticated user's
// identity and authentication method are carried; UserInfoToHeaders consumes
// it when producing the outgoing header map. The Config fields of the same
// name supply the values.
type HTTPHeaderOpts struct {
	// UserIDHeader is the header carrying the user ID.
	UserIDHeader     string
	// UserIDPrefix is presumably prepended to the user ID written to UserIDHeader — confirm.
	UserIDPrefix     string
	// GroupsHeader is the header carrying the user's groups.
	GroupsHeader     string
	// AuthMethodHeader is the header reporting which authentication method was used.
	AuthMethodHeader string
}

HTTPHeaderOpts specifies the location of the user's identity and authentication method inside HTTP headers.

type JWTClaimOpts

// JWTClaimOpts names the JWT claims from which the user's identity is read.
// The Config fields UserIDClaim and GroupsClaim supply the values.
type JWTClaimOpts struct {
	// UserIDClaim is the claim holding the user ID.
	UserIDClaim string
	// GroupsClaim is the claim holding the user's groups.
	GroupsClaim string
}

JWTClaimOpts specifies the location of the user's identity inside a JWT's claims.

type LoginExpiredError

// LoginExpiredError is returned by authenticators when the presented
// credentials were recognized but the login they belong to has expired.
type LoginExpiredError struct {
	// Err is the underlying cause; it is returned by Unwrap.
	Err error
}

LoginExpiredError is used by authenticators to inform the calling code that the provided credentials were recognized but the login has expired.

func (*LoginExpiredError) Error

func (e *LoginExpiredError) Error() string

func (*LoginExpiredError) Unwrap

func (e *LoginExpiredError) Unwrap() error

type RequestError

// RequestError describes a failed HTTP request (see DoRequest). It keeps the
// response and its body alongside the underlying error so callers can inspect
// them via errors.As.
type RequestError struct {
	// Response is the HTTP response, if one was received.
	Response *http.Response
	// Body is the response body captured for the error. NOTE(review): check
	// whether Error() includes it before logging, since an upstream body may
	// carry sensitive data.
	Body     []byte
	// Err is the underlying error; it is returned by Unwrap.
	Err      error
}

func (*RequestError) Error

func (e *RequestError) Error() string

func (*RequestError) Unwrap

func (e *RequestError) Unwrap() error

type UserIDTransformer

// UserIDTransformer holds the UserID transformation rules, loaded from a JSON
// string by Decode and applied by Transform. Rules are regex matches, so an
// invalid pattern is presumably rejected at Decode time — confirm.
type UserIDTransformer struct {
	// contains filtered or unexported fields
}

UserIDTransformer holds the UserID transformation rules.

func (*UserIDTransformer) Decode

func (uit *UserIDTransformer) Decode(value string) error

Decode initializes the UserIDTransformer from a JSON-formatted string containing the rules. The accepted JSON format is:

{
  [
    {"matches": "regex", "replaces": "value"}
  ]
}

func (*UserIDTransformer) Transform

func (uit *UserIDTransformer) Transform(userID string) string

Transform modifies the UserID based on user-provided rules. This method searches the rules in order, finds the first one that matches the userID and replaces the match with the provided value. If no matching rule is found, it returns the original value. For example, using the rules:

[
  {"matches" : "user1@domain\\.com", "replaces": "anotherUser" },
  {"matches" : "@domain\\.com", "replaces": "" }
]

The userID `user1@domain.com` will be transformed to `anotherUser` based on the first rule. The userID `user2@domain.com` will be transformed to `user2` based on the second rule. The userID `user@other.com` will not be transformed and the original value will be returned.
