auth

package v1.0.0

This package is not in the latest version of its module.

Published: Aug 23, 2018 License: MIT Imports: 23 Imported by: 0

Documentation

Index

Constants

const SignatureHeader = "GAP-Signature"

SignatureHeader is the name of the request header that carries the request signature.

const VERSION = "2.2.1-alpha"

VERSION is the version of sso_auth.

Variables

var (
	// ErrUserNotAuthorized is an error for unauthorized users.
	ErrUserNotAuthorized = errors.New("user not authorized")
)

var SignatureHeaders = []string{
	"Content-Length",
	"Content-Md5",
	"Content-Type",
	"Date",
	"Authorization",
	"X-Forwarded-User",
	"X-Forwarded-Email",
	"X-Forwarded-Access-Token",
	"Cookie",
	"Gap-Auth",
}

SignatureHeaders are the request headers that are included in the request signature.

Functions

func AssignStatsdClient

func AssignStatsdClient(opts *Options) func(*Authenticator) error

AssignStatsdClient is an option function that takes an Options struct and assigns a statsd client to the proxy and provider.

func GetActionTag

func GetActionTag(req *http.Request) string

GetActionTag returns the tag associated with the route of the given request.

func NewLoggingHandler

func NewLoggingHandler(out io.Writer, h http.Handler, v bool, StatsdClient *statsd.Client) http.Handler

NewLoggingHandler creates a new loggingHandler that wraps h and writes request logs to out.

func SetCookieStore

func SetCookieStore(opts *Options) func(*Authenticator) error

SetCookieStore sets the cookie store to use a miscreant cipher.

Types

type Authenticator

type Authenticator struct {
	Validator        func(string) bool
	EmailDomains     []string
	ProxyRootDomains []string
	Host             string
	CookieSecure     bool

	ProxyPrefix        string
	ServeMux           http.Handler
	SetXAuthRequest    bool
	SkipProviderButton bool
	PassUserHeaders    bool

	AuthCodeCipher aead.Cipher

	ProxyClientID     string
	ProxyClientSecret string

	StatsdClient *statsd.Client

	CacheRefreshTTL    time.Duration
	SessionLifetimeTTL time.Duration

	Header string
	Footer string
	// contains filtered or unexported fields
}

Authenticator stores all the information associated with proxying the request.

func NewAuthenticator

func NewAuthenticator(opts *Options, optionFuncs ...func(*Authenticator) error) (*Authenticator, error)

NewAuthenticator creates an Authenticator struct and applies the optional functions to it in order, returning the first error encountered.

func (*Authenticator) ErrorResponse

func (p *Authenticator) ErrorResponse(rw http.ResponseWriter, req *http.Request, message string, code int)

ErrorResponse renders an error page for errors given a message and a status code.

func (*Authenticator) GetProfile

func (p *Authenticator) GetProfile(rw http.ResponseWriter, req *http.Request)

GetProfile gets a list of groups of which a user is a member.

func (*Authenticator) GetRedirectURI

func (p *Authenticator) GetRedirectURI(host string) string

GetRedirectURI returns the redirect URL for a given OAuthProxy, setting the scheme to https if CookieSecure is true.

func (*Authenticator) LoadSession

func (p *Authenticator) LoadSession(req *http.Request) (*sessions.SessionState, error)

LoadSession wraps the SessionStore LoadSession function, conditionally calling the custom AuthLoadSession function if SessionStore is a CookieStore so that it will fall back on the old payloads cipher if necessary. TODO: remove this once the cookie refresh time has passed.

func (*Authenticator) OAuthCallback

func (p *Authenticator) OAuthCallback(rw http.ResponseWriter, req *http.Request)

OAuthCallback handles the callback from the provider and returns an error response if there is an error. If there is no error, it redirects to the redirect URL.

func (*Authenticator) OAuthStart

func (p *Authenticator) OAuthStart(rw http.ResponseWriter, req *http.Request)

OAuthStart starts the authentication process by redirecting to the provider. It provides a `redirectURI`, allowing the provider to redirect back to the sso proxy after authentication.

func (*Authenticator) PingPage

func (p *Authenticator) PingPage(rw http.ResponseWriter, req *http.Request)

PingPage handles the /ping route.

func (*Authenticator) ProxyOAuthRedirect

func (p *Authenticator) ProxyOAuthRedirect(rw http.ResponseWriter, req *http.Request, session *sessions.SessionState, tags []string)

ProxyOAuthRedirect redirects the user back to sso proxy's redirection endpoint.

func (*Authenticator) Redeem

func (p *Authenticator) Redeem(rw http.ResponseWriter, req *http.Request)

Redeem has a signed access token, and provides the user information associated with the access token.

func (*Authenticator) Refresh

func (p *Authenticator) Refresh(rw http.ResponseWriter, req *http.Request)

Refresh takes a refresh token and returns a new access token.

func (*Authenticator) RobotsTxt

func (p *Authenticator) RobotsTxt(rw http.ResponseWriter, req *http.Request)

RobotsTxt handles the /robots.txt route.

func (*Authenticator) SignIn

func (p *Authenticator) SignIn(rw http.ResponseWriter, req *http.Request)

SignIn handles the /sign_in endpoint. It attempts to authenticate the user and, if the user is not authenticated, renders a sign-in page.

func (*Authenticator) SignInPage

func (p *Authenticator) SignInPage(rw http.ResponseWriter, req *http.Request, code int)

SignInPage directs the user to the sign-in page, responding with the given status code.

func (*Authenticator) SignOut

func (p *Authenticator) SignOut(rw http.ResponseWriter, req *http.Request)

SignOut signs the user out.

func (*Authenticator) SignOutPage

func (p *Authenticator) SignOutPage(rw http.ResponseWriter, req *http.Request, message string)

SignOutPage renders a sign-out page with a message.

func (*Authenticator) Stop

func (p *Authenticator) Stop()

Stop calls the provider's stop function.

func (*Authenticator) ValidateToken

func (p *Authenticator) ValidateToken(rw http.ResponseWriter, req *http.Request)

ValidateToken validates the X-Access-Token header and returns an error response if the token is invalid.

type HTTPError

type HTTPError struct {
	Code    int
	Message string
}

HTTPError stores the status code and a message for a given HTTP error.

func (HTTPError) Error

func (h HTTPError) Error() string

Error fulfills the error interface, returning a string representation of the error.

type Options

type Options struct {
	RedirectURL       string `envconfig:"REDIRECT_URL" `
	ClientID          string `envconfig:"CLIENT_ID"`
	ClientSecret      string `envconfig:"CLIENT_SECRET"`
	ProxyClientID     string `envconfig:"PROXY_CLIENT_ID"`
	ProxyClientSecret string `envconfig:"PROXY_CLIENT_SECRET"`

	Host string `envconfig:"HOST"`
	Port int    `envconfig:"PORT" default:"4180"`

	EmailDomains     []string `envconfig:"SSO_EMAIL_DOMAIN"`
	ProxyRootDomains []string `envconfig:"PROXY_ROOT_DOMAIN"`

	GoogleAdminEmail         string `envconfig:"GOOGLE_ADMIN_EMAIL"`
	GoogleServiceAccountJSON string `envconfig:"GOOGLE_SERVICE_ACCOUNT_JSON"`

	Footer string `envconfig:"FOOTER"`

	CookieName      string
	CookieSecret    string        `envconfig:"COOKIE_SECRET"`
	OldCookieSecret string        `envconfig:"OLD_COOKIE_SECRET"`
	CookieDomain    string        `envconfig:"COOKIE_DOMAIN"`
	CookieExpire    time.Duration `envconfig:"COOKIE_EXPIRE" default:"168h"`
	CookieRefresh   time.Duration `envconfig:"COOKIE_REFRESH" default:"1h"`
	CookieSecure    bool          `envconfig:"COOKIE_SECURE" default:"true"`
	CookieHTTPOnly  bool          `envconfig:"COOKIE_HTTP_ONLY" default:"true"`

	RequestTimeout  time.Duration `envconfig:"REQUEST_TIMEOUT" default:"2s"`
	TCPWriteTimeout time.Duration `envconfig:"TCP_WRITE_TIMEOUT" default:"30s"`
	TCPReadTimeout  time.Duration `envconfig:"TCP_READ_TIMEOUT" default:"30s"`

	AuthCodeSecret string `envconfig:"AUTH_CODE_SECRET"`

	GroupsCacheRefreshTTL time.Duration `envconfig:"GROUPS_CACHE_REFRESH_TTL" default:"10m"`
	SessionLifetimeTTL    time.Duration `envconfig:"SESSION_LIFETIME_TTL" default:"720h"`

	PassHostHeader     bool `envconfig:"PASS_HOST_HEADER" default:"true"`
	SkipProviderButton bool `envconfig:"SKIP_PROVIDER_BUTTON"`
	PassUserHeaders    bool `envconfig:"PASS_USER_HEADERS" default:"true"`
	SetXAuthRequest    bool `envconfig:"SET_XAUTHREQUEST" default:"false"`

	// These options allow for other providers besides Google, with potential overrides.
	Provider       string `envconfig:"PROVIDER" default:"google"`
	SignInURL      string `envconfig:"SIGNIN_URL"`
	RedeemURL      string `envconfig:"REDEEM_URL"`
	ProfileURL     string `envconfig:"PROFILE_URL"`
	ValidateURL    string `envconfig:"VALIDATE_URL"`
	Scope          string `envconfig:"SCOPE"`
	ApprovalPrompt string `envconfig:"APPROVAL_PROMPT" default:"force"`

	RequestLogging bool `envconfig:"REQUEST_LOGGING" default:"true"`

	StatsdPort int    `envconfig:"STATSD_PORT"`
	StatsdHost string `envconfig:"STATSD_HOST"`

	GroupsCacheStopFunc func()
	// contains filtered or unexported fields
}

Options are config options that can be set by environment variables:

RedirectURL - string - the OAuth Redirect URL, e.g. "https://internalapp.yourcompany.com/oauth2/callback"
ClientID - string - the OAuth ClientID, e.g. "123456.apps.googleusercontent.com"
ClientSecret - string - the OAuth Client Secret
ProxyClientID - string - the client id that matches the sso proxy client id
ProxyClientSecret - string - the client secret that matches the sso proxy client secret
Host - string - the host that is required in the Host header of incoming requests
Port - string - port to listen on
EmailDomains - []string - authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
ProxyRootDomains - []string - only redirect to specified proxy domains (may be given multiple times)
GoogleAdminEmail - string - the google admin to impersonate for api calls
GoogleServiceAccountJSON - string - the path to the service account json credentials
Footer - string - custom footer string. Use "-" to disable the default footer.
CookieSecret - string - the seed string for secure cookies (optionally base64 encoded)
CookieDomain - string - an optional cookie domain to force cookies to (e.g. .yourcompany.com)
CookieExpire - duration - expire timeframe for cookie, defaults at 168 hours
CookieRefresh - duration - refresh the cookie after this duration, default 0
CookieSecure - bool - set secure (HTTPS) cookie flag
CookieHTTPOnly - bool - set httponly cookie flag
RequestTimeout - duration - overall request timeout
AuthCodeSecret - string - the seed string for secure auth codes (optionally base64 encoded)
PassHostHeader - bool - pass the request Host header to upstream (default true)
SkipProviderButton - bool - if true, skips the sign-in page to directly reach the next step: oauth/start
PassUserHeaders - bool (default true) - pass X-Forwarded-User and X-Forwarded-Email information to upstream
SetXAuthRequest - set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
Provider - provider name
SignInURL - provider sign-in endpoint
RedeemURL - provider token redemption endpoint
ProfileURL - provider profile access endpoint
ValidateURL - access token validation endpoint
Scope - OAuth scope specification
ApprovalPrompt - OAuth approval prompt
RequestLogging - bool to log requests
StatsdPort - port where statsd client listens
StatsdHost - host where statsd client listens
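The Options struct above is populated from environment variables through its envconfig and default tags. The following is an added example, not code from the sso project and not the envconfig library it uses: a stdlib-only loader over a mirrored subset of the struct (tags copied from the page), driven by a constructed environment, plus a separate Validate that stands in for, and does not reproduce, the package's own Options.Validate. The field subset, the MapLookup helper and the two checks in Validate are assumptions for illustration; the point they make is that a set-but-unparsable security flag such as COOKIE_SECURE should fail loading rather than fall back silently.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"strconv"
	"time"
)

// AuthConfig mirrors a subset of the sso auth Options struct. The envconfig and
// default tags are the page's; the loader below is an added illustration of how
// such tags resolve, not the envconfig library the real package uses.
type AuthConfig struct {
	Host           string        `envconfig:"HOST"`
	Port           int           `envconfig:"PORT" default:"4180"`
	CookieSecret   string        `envconfig:"COOKIE_SECRET"`
	CookieExpire   time.Duration `envconfig:"COOKIE_EXPIRE" default:"168h"`
	CookieRefresh  time.Duration `envconfig:"COOKIE_REFRESH" default:"1h"`
	CookieSecure   bool          `envconfig:"COOKIE_SECURE" default:"true"`
	CookieHTTPOnly bool          `envconfig:"COOKIE_HTTP_ONLY" default:"true"`
}

// MapLookup adapts a constructed map to the os.LookupEnv signature so the
// loader can be exercised without touching the process environment.
func MapLookup(env map[string]string) func(string) (string, bool) {
	return func(key string) (string, bool) {
		v, ok := env[key]
		return v, ok
	}
}

// LoadFromEnv fills cfg (a pointer to a tagged struct) from lookup. An unset
// variable falls back to its default tag; a variable that is set but does not
// parse is a hard error, so a typo like COOKIE_SECURE=ture cannot silently
// leave a security flag in a state the operator did not intend.
func LoadFromEnv(cfg interface{}, lookup func(string) (string, bool)) error {
	v := reflect.ValueOf(cfg).Elem()
	t := v.Type()
	for i := 0; i < t.NumField(); i++ {
		field := t.Field(i)
		key := field.Tag.Get("envconfig")
		if key == "" {
			continue // untagged fields are not read from the environment
		}
		raw, ok := lookup(key)
		if !ok {
			if raw, ok = field.Tag.Lookup("default"); !ok {
				continue // no value and no default: keep the zero value
			}
		}
		fv := v.Field(i)
		switch fv.Interface().(type) {
		case time.Duration: // Duration is its own named type, distinct from int
			d, err := time.ParseDuration(raw)
			if err != nil {
				return fmt.Errorf("%s: %w", key, err)
			}
			fv.Set(reflect.ValueOf(d))
		case string:
			fv.SetString(raw)
		case int:
			n, err := strconv.Atoi(raw)
			if err != nil {
				return fmt.Errorf("%s: %w", key, err)
			}
			fv.SetInt(int64(n))
		case bool:
			b, err := strconv.ParseBool(raw)
			if err != nil {
				return fmt.Errorf("%s: %w", key, err)
			}
			fv.SetBool(b)
		default:
			return fmt.Errorf("%s: unsupported field type %s", key, field.Type)
		}
	}
	return nil
}

// Validate holds checks a deployment should refuse to start without (an added
// example, not the package's Options.Validate): a cookie secret must be present,
// and the refresh interval must be shorter than the cookie lifetime, otherwise
// a session can never be refreshed before it expires.
func Validate(c *AuthConfig) error {
	if c.CookieSecret == "" {
		return errors.New("COOKIE_SECRET is required")
	}
	if c.CookieRefresh >= c.CookieExpire {
		return errors.New("COOKIE_REFRESH must be shorter than COOKIE_EXPIRE")
	}
	return nil
}

func main() {
	// Constructed environment; use os.LookupEnv instead of MapLookup(env) for real use.
	env := map[string]string{
		"HOST":          "sso-auth.example.internal",
		"COOKIE_SECRET": "constructed-example-secret",
		"COOKIE_SECURE": "false", // explicit override of the default "true"
	}
	var cfg AuthConfig
	if err := LoadFromEnv(&cfg, MapLookup(env)); err != nil {
		fmt.Println("load error:", err)
		return
	}
	fmt.Printf("%+v\n", cfg)
	fmt.Println("validate:", Validate(&cfg))
}
```

Fields without an envconfig tag (CookieName in the real struct) are skipped by the loader, which matches the page's listing: such fields are set in code, not from the environment.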

func NewOptions

func NewOptions() *Options

NewOptions returns a new Options struct.

func (*Options) Validate

func (o *Options) Validate() error

Validate validates the options and returns an error if they are invalid.

type SignatureData

type SignatureData struct {
	// contains filtered or unexported fields
}

SignatureData represents the data associated with signatures.

Directories

Path Synopsis
circuit: Package circuit implements the Circuit Breaker pattern.
singleflight: Package singleflight provides a duplicate function call suppression mechanism.
