Documentation
Index ¶
- Constants
- Variables
- func GetActionTag(req *http.Request) string
- func NewLoggingHandler(out io.Writer, h http.Handler, v bool, StatsdClient *statsd.Client) http.Handler
- func NewReverseProxy(to *url.URL) *httputil.ReverseProxy
- func NewReverseProxyHandler(reverseProxy *httputil.ReverseProxy, opts *Options, config *UpstreamConfig) (http.Handler, []string)
- func NewRewriteReverseProxy(route *RewriteRoute) *httputil.ReverseProxy
- func NewStreamingHandler(handler http.Handler, opts *Options, config *UpstreamConfig) http.Handler
- func NewTimeoutHandler(handler http.Handler, opts *Options, config *UpstreamConfig) http.Handler
- type EmailValidatorFn
- type ErrParsingConfig
- type OAuthProxy
- func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) (err error)
- func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request)
- func (p *OAuthProxy) ClearCSRFCookie(rw http.ResponseWriter, req *http.Request)
- func (p *OAuthProxy) ClearSessionCookie(rw http.ResponseWriter, req *http.Request)
- func (p *OAuthProxy) ErrorPage(rw http.ResponseWriter, req *http.Request, code int, title string, ...)
- func (p *OAuthProxy) Favicon(rw http.ResponseWriter, req *http.Request)
- func (p *OAuthProxy) GetRedirectURL(host string) *url.URL
- func (p *OAuthProxy) Handle(host string, handler http.Handler, tags []string, ...)
- func (p *OAuthProxy) HandleRegex(regex *regexp.Regexp, handler http.Handler, tags []string, ...)
- func (p *OAuthProxy) Handler() http.Handler
- func (p *OAuthProxy) IsWhitelistedRequest(req *http.Request) bool
- func (p *OAuthProxy) LoadCookiedSession(req *http.Request) (*providers.SessionState, error)
- func (p *OAuthProxy) MakeCSRFCookie(req *http.Request, value string, expiration time.Duration, now time.Time) *http.Cookie
- func (p *OAuthProxy) MakeSessionCookie(req *http.Request, value string, expiration time.Duration, now time.Time) *http.Cookie
- func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request)
- func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request, tags []string)
- func (p *OAuthProxy) PingPage(rw http.ResponseWriter, _ *http.Request)
- func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request)
- func (p *OAuthProxy) RobotsTxt(rw http.ResponseWriter, _ *http.Request)
- func (p *OAuthProxy) SaveSession(rw http.ResponseWriter, req *http.Request, s *providers.SessionState) error
- func (p *OAuthProxy) SetCSRFCookie(rw http.ResponseWriter, req *http.Request, val string)
- func (p *OAuthProxy) SetSessionCookie(rw http.ResponseWriter, req *http.Request, val string)
- func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request)
- func (p *OAuthProxy) UnknownHost(rw http.ResponseWriter, req *http.Request)
- type Options
- type OptionsConfig
- type RewriteRoute
- type RouteConfig
- type ServiceConfig
- type SimpleRoute
- type StateParameter
- type UpstreamConfig
- type UpstreamProxy
Constants ¶
const SignatureHeader = "Gap-Signature"
SignatureHeader is the header name where the signed request header is stored.
const VERSION = "2.2.1-alpha"
VERSION is the version of sso proxy
Variables ¶
// Sentinel errors returned by the proxy's authentication and routing paths.
// Callers should compare with errors.Is rather than ==, so wrapped values
// still match.

// ErrLifetimeExpired is the "user lifetime expired" sentinel error.
var ErrLifetimeExpired = errors.New("user lifetime expired")

// ErrUserNotAuthorized is the "user not authorized" sentinel error.
var ErrUserNotAuthorized = errors.New("user not authorized")

// ErrUnknownHost is the "unknown host" sentinel error.
var ErrUnknownHost = errors.New("unknown host")

// ErrRefreshCookie is the "stale cookie, refresh" sentinel error.
var ErrRefreshCookie = errors.New("stale cookie, refresh")
Errors
// SignatureHeaders are the headers that are valid in the request.
// By name they appear to be the request headers covered by the request
// signature carried in SignatureHeader ("Gap-Signature") — confirm in the
// signing code.
// NOTE(review): UpstreamProxy.ServeHTTP is documented as signing the request
// and deleting cookie headers before calling the upstream; this page does not
// show whether "Cookie" is signed before or after that deletion, which
// matters for an upstream that verifies the signature — confirm.
var SignatureHeaders = []string{
	"Content-Length",
	"Content-Md5",
	"Content-Type",
	"Date",
	"Authorization",
	"X-Forwarded-User",
	"X-Forwarded-Email",
	"X-Forwarded-Groups",
	"Cookie",
}
SignatureHeaders are the headers that are valid in the request.
Functions ¶
func GetActionTag ¶
GetActionTag returns the action triggered by an http.Request.
func NewLoggingHandler ¶
func NewLoggingHandler(out io.Writer, h http.Handler, v bool, StatsdClient *statsd.Client) http.Handler
NewLoggingHandler returns a new loggingHandler that wraps a handler, statsd client, and writer.
func NewReverseProxy ¶
func NewReverseProxy(to *url.URL) *httputil.ReverseProxy
NewReverseProxy creates a reverse proxy to a specified url. It adds an X-Forwarded-Host header that is the request's host.
func NewReverseProxyHandler ¶
func NewReverseProxyHandler(reverseProxy *httputil.ReverseProxy, opts *Options, config *UpstreamConfig) (http.Handler, []string)
NewReverseProxyHandler creates a new http.Handler given a httputil.ReverseProxy
func NewRewriteReverseProxy ¶
func NewRewriteReverseProxy(route *RewriteRoute) *httputil.ReverseProxy
NewRewriteReverseProxy creates a reverse proxy that is capable of creating upstream urls on the fly based on a from regex and a templated to field. It adds an X-Forwarded-Host header to the upstream's request.
func NewStreamingHandler ¶
NewStreamingHandler creates a new handler capable of proxying a stream
func NewTimeoutHandler ¶
NewTimeoutHandler creates a new handler with a configured timeout.
Types ¶
type EmailValidatorFn ¶
EmailValidatorFn function type for validating email addresses.
type ErrParsingConfig ¶
ErrParsingConfig is an error specific to config parsing.
func (*ErrParsingConfig) Error ¶
func (e *ErrParsingConfig) Error() string
Error() implements the error interface, returning a string representation of the error.
type OAuthProxy ¶
// OAuthProxy stores all the information associated with proxying the request.
// Instances are built by NewOAuthProxy; the exported fields mirror the cookie
// and session options documented on Options.
type OAuthProxy struct {
	// CookieCipher protects session cookies; OldCookieCipher is a second
	// cipher, presumably derived from Options.OldCookieSecret for key
	// rotation — confirm in the source.
	CookieCipher    aead.Cipher
	OldCookieCipher aead.Cipher
	CookieDomain    string        // optional domain to force cookies to (see Options.CookieDomain)
	CookieExpire    time.Duration // cookie expiry timeframe (see Options.CookieExpire)
	CookieHTTPOnly  bool          // set the HttpOnly cookie flag
	CookieName      string        // name of the session cookie
	CookieSecure    bool          // set the Secure (HTTPS) cookie flag; GetRedirectURL also uses it to pick https
	CookieSeed      string        // seed string for secure cookies (see Options.CookieSecret)
	CSRFCookieName  string        // name of the CSRF cookie set by SetCSRFCookie
	EmailValidator  EmailValidatorFn // validates email addresses during authentication
	StatsdClient    *statsd.Client
	// contains filtered or unexported fields
}
OAuthProxy stores all the information associated with proxying the request.
func NewOAuthProxy ¶
func NewOAuthProxy(opts *Options, optFuncs ...func(*OAuthProxy) error) (*OAuthProxy, error)
NewOAuthProxy creates a new OAuthProxy struct.
func (*OAuthProxy) Authenticate ¶
func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) (err error)
Authenticate authenticates a request by checking for a session cookie and validating its expiration, clearing the session cookie if it is invalid and returning an error if necessary.
func (*OAuthProxy) AuthenticateOnly ¶
func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request)
AuthenticateOnly calls the Authenticate handler.
func (*OAuthProxy) ClearCSRFCookie ¶
func (p *OAuthProxy) ClearCSRFCookie(rw http.ResponseWriter, req *http.Request)
ClearCSRFCookie clears the CSRF cookie from the request
func (*OAuthProxy) ClearSessionCookie ¶
func (p *OAuthProxy) ClearSessionCookie(rw http.ResponseWriter, req *http.Request)
ClearSessionCookie clears the session cookie from a request
func (*OAuthProxy) ErrorPage ¶
func (p *OAuthProxy) ErrorPage(rw http.ResponseWriter, req *http.Request, code int, title string, message string)
ErrorPage renders an error page with a given status code, title, and message.
func (*OAuthProxy) Favicon ¶
func (p *OAuthProxy) Favicon(rw http.ResponseWriter, req *http.Request)
Favicon will proxy the request as usual if the user is already authenticated but responds with a 404 otherwise, to avoid spurious and confusing authentication attempts when a browser automatically requests the favicon on an error page.
func (*OAuthProxy) GetRedirectURL ¶
func (p *OAuthProxy) GetRedirectURL(host string) *url.URL
GetRedirectURL returns the redirect url for a given OAuthProxy, setting the scheme to be https if CookieSecure is true.
func (*OAuthProxy) Handle ¶
func (p *OAuthProxy) Handle(host string, handler http.Handler, tags []string, upstreamConfig *UpstreamConfig)
Handle constructs a route from the given host string and matches it to the provided http.Handler and UpstreamConfig
func (*OAuthProxy) HandleRegex ¶
func (p *OAuthProxy) HandleRegex(regex *regexp.Regexp, handler http.Handler, tags []string, upstreamConfig *UpstreamConfig)
HandleRegex constructs a route from the given regexp and matches it to the provided http.Handler and UpstreamConfig
func (*OAuthProxy) Handler ¶
func (p *OAuthProxy) Handler() http.Handler
Handler returns a http handler for an OAuthProxy
func (*OAuthProxy) IsWhitelistedRequest ¶
func (p *OAuthProxy) IsWhitelistedRequest(req *http.Request) bool
IsWhitelistedRequest checks that the proxy host exists and checks the SkipAuthRegex.
func (*OAuthProxy) LoadCookiedSession ¶
func (p *OAuthProxy) LoadCookiedSession(req *http.Request) (*providers.SessionState, error)
LoadCookiedSession returns a SessionState from the cookie in the request.
func (*OAuthProxy) MakeCSRFCookie ¶
func (p *OAuthProxy) MakeCSRFCookie(req *http.Request, value string, expiration time.Duration, now time.Time) *http.Cookie
MakeCSRFCookie creates a CSRF cookie given the request, an expiration time, and the current time.
func (*OAuthProxy) MakeSessionCookie ¶
func (p *OAuthProxy) MakeSessionCookie(req *http.Request, value string, expiration time.Duration, now time.Time) *http.Cookie
MakeSessionCookie constructs a session cookie given the request, an expiration time and the current time.
func (*OAuthProxy) OAuthCallback ¶
func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request)
OAuthCallback validates the cookie sent back from the provider, then validates the user information, and if authorized, redirects the user back to the original application.
func (*OAuthProxy) OAuthStart ¶
func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request, tags []string)
OAuthStart begins the authentication flow, encrypting the redirect url in a request to the provider's sign in endpoint.
func (*OAuthProxy) PingPage ¶
func (p *OAuthProxy) PingPage(rw http.ResponseWriter, _ *http.Request)
PingPage sends back a 200 OK response.
func (*OAuthProxy) Proxy ¶
func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request)
Proxy authenticates a request, either proxying the request if it is authenticated, or starting the authentication process if not.
func (*OAuthProxy) RobotsTxt ¶
func (p *OAuthProxy) RobotsTxt(rw http.ResponseWriter, _ *http.Request)
RobotsTxt sets the User-Agent header in the response to be "Disallow"
func (*OAuthProxy) SaveSession ¶
func (p *OAuthProxy) SaveSession(rw http.ResponseWriter, req *http.Request, s *providers.SessionState) error
SaveSession saves a session state to a request cookie.
func (*OAuthProxy) SetCSRFCookie ¶
func (p *OAuthProxy) SetCSRFCookie(rw http.ResponseWriter, req *http.Request, val string)
SetCSRFCookie creates a CSRF cookie for the given request and sets it.
func (*OAuthProxy) SetSessionCookie ¶
func (p *OAuthProxy) SetSessionCookie(rw http.ResponseWriter, req *http.Request, val string)
SetSessionCookie creates a session cookie based on the value and the expiration time.
func (*OAuthProxy) SignOut ¶
func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request)
SignOut redirects the request to the provider's sign out url.
func (*OAuthProxy) UnknownHost ¶
func (p *OAuthProxy) UnknownHost(rw http.ResponseWriter, req *http.Request)
UnknownHost returns an http error for unknown or invalid hosts
type Options ¶
// Options are the configuration options that can be set by environment
// variables (see the envconfig tags). A field without a default tag takes
// Go's zero value when its variable is unset.
type Options struct {
	Port                int    `envconfig:"PORT" default:"4180"`    // port to listen on for HTTP clients
	ProviderURLString   string `envconfig:"PROVIDER_URL"`           // URL of the provider in this environment, e.g. "https://sso-auth.example.com"
	UpstreamConfigsFile string `envconfig:"UPSTREAM_CONFIGS"`       // path to the upstream configs file
	Cluster             string `envconfig:"CLUSTER"`                // cluster this proxy runs in, used for upstream configs
	Scheme              string `envconfig:"SCHEME" default:"https"` // default scheme, used for upstream configs

	// SkipAuthPreflight skips authentication for OPTIONS requests. No default
	// tag, so it is false unless SKIP_AUTH_PREFLIGHT is set.
	SkipAuthPreflight bool `envconfig:"SKIP_AUTH_PREFLIGHT"`

	// EmailDomains is a csv list of domains whose emails may authenticate;
	// "*" authenticates any email.
	EmailDomains []string `envconfig:"EMAIL_DOMAIN"`

	ClientID     string `envconfig:"CLIENT_ID"`     // OAuth client ID, e.g. "123456.apps.googleusercontent.com"
	ClientSecret string `envconfig:"CLIENT_SECRET"` // OAuth client secret

	DefaultUpstreamTimeout time.Duration `envconfig:"DEFAULT_UPSTREAM_TIMEOUT" default:"10s"` // default time to wait for an upstream response
	TCPWriteTimeout        time.Duration `envconfig:"TCP_WRITE_TIMEOUT" default:"30s"`        // http server tcp write timeout
	TCPReadTimeout         time.Duration `envconfig:"TCP_READ_TIMEOUT" default:"30s"`         // http server tcp read timeout

	// CookieName has no envconfig tag; how it is populated is not shown on
	// this page.
	CookieName string
	// CookieSecret is the seed string for secure cookies (optionally base64
	// encoded). OldCookieSecret appears to be the previous seed (cf.
	// OAuthProxy.OldCookieCipher), presumably for rotation — confirm.
	CookieSecret    string        `envconfig:"COOKIE_SECRET"`
	OldCookieSecret string        `envconfig:"OLD_COOKIE_SECRET"`
	CookieDomain    string        `envconfig:"COOKIE_DOMAIN"`                // optional domain to force cookies to, e.g. .yourcompany.com
	CookieExpire    time.Duration `envconfig:"COOKIE_EXPIRE" default:"168h"` // cookie expiry timeframe
	CookieSecure    bool          `envconfig:"COOKIE_SECURE" default:"true"` // set the Secure (HTTPS) cookie flag; defaults to true
	// CookieHTTPOnly sets the HttpOnly cookie flag. Unlike CookieSecure it
	// has no default tag, so it is false unless COOKIE_HTTP_ONLY is set.
	CookieHTTPOnly bool `envconfig:"COOKIE_HTTP_ONLY"`

	// These options allow for other providers besides Google, with potential overrides.
	Provider string `envconfig:"PROVIDER" default:"google"` // OAuth provider
	Scope    string `envconfig:"SCOPE"`                     // OAuth scope specification

	SessionLifetimeTTL time.Duration `envconfig:"SESSION_LIFETIME_TTL" default:"720h"` // time to live for a session lifetime
	SessionValidTTL    time.Duration `envconfig:"SESSION_VALID_TTL" default:"1m"`      // time to live for a valid session
	GracePeriodTTL     time.Duration `envconfig:"GRACE_PERIOD_TTL" default:"3h"`       // time to reuse session data when the provider is unavailable

	RequestLogging bool           `envconfig:"REQUEST_LOGGING" default:"true"` // whether to log requests
	StatsdHost     string         `envconfig:"STATSD_HOST"`                    // host addr for the statsd client
	StatsdPort     int            `envconfig:"STATSD_PORT"`                    // port for the statsd client
	StatsdClient   *statsd.Client                                              // not an env option; presumably built from StatsdHost/StatsdPort — confirm
	// contains filtered or unexported fields
}
Options are configuration options that can be set by Environment Variables:
- Port - int - port to listen on for HTTP clients
- ProviderURLString - the URL for the provider in this environment: "https://sso-auth.example.com"
- UpstreamConfigsFile - the path to upstream configs file
- Cluster - the cluster in which this is running, used for upstream configs
- Scheme - the default scheme, used for upstream configs
- SkipAuthPreflight - will skip authentication for OPTIONS requests, default false
- EmailDomains - csv list of emails with the specified domain to authenticate. Use * to authenticate any email
- ClientID - the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
- ClientSecret - The OAuth Client Secret
- DefaultUpstreamTimeout - the default time period to wait for a response from an upstream
- TCPWriteTimeout - http server tcp write timeout
- TCPReadTimeout - http server tcp read timeout
- CookieName - name of the cookie
- CookieSecret - the seed string for secure cookies (optionally base64 encoded)
- CookieDomain - an optional cookie domain to force cookies to (ie: .yourcompany.com)
- CookieExpire - expire timeframe for cookie
- CookieSecure - set secure (HTTPS) cookie flag
- CookieHTTPOnly - set HttpOnly cookie flag
- Provider - OAuth provider
- Scope - OAuth scope specification
- SessionLifetimeTTL - time to live for a session lifetime
- SessionValidTTL - time to live for a valid session
- GracePeriodTTL - time to reuse session data when provider unavailable
- RequestLogging - boolean whether or not to log requests
- StatsdHost - host addr for statsd client to listen on
- StatsdPort - port for statsd client to listen on
type OptionsConfig ¶
// OptionsConfig maps to the per-route yaml "options" fields (RouteConfig.Options).
type OptionsConfig struct {
	// HeaderOverrides overrides any headers set either by sso proxy itself or
	// by upstream applications; useful for modifying browser security headers.
	HeaderOverrides map[string]string `yaml:"header_overrides"`
	// SkipAuthRegex skips authentication for paths matching these regular
	// expressions (presumably compiled into UpstreamConfig.SkipAuthCompiledRegex).
	SkipAuthRegex []string `yaml:"skip_auth_regex"`
	// AllowedGroups is an optional list of authorized google groups that can
	// access the service.
	AllowedGroups []string `yaml:"allowed_groups"`
	// Timeout is the duration before timing out a request.
	Timeout time.Duration `yaml:"timeout"`
	// FlushInterval is the interval at which the proxy flushes data to the browser.
	FlushInterval time.Duration `yaml:"flush_interval"`
}
OptionsConfig maps to the yaml config fields:
- header_overrides - overrides any headers set either by sso proxy itself or by upstream applications. This can be useful for modifying browser security headers.
- skip_auth_regex - skips authentication for paths matching these regular expressions.
- allowed_groups - optional list of authorized google groups that can access the service.
- timeout - duration before timing out request.
- flush_interval - interval at which the proxy should flush data to the browser
type RewriteRoute ¶
RewriteRoute contains a FromRegex and ToTemplate used to construct rewrite routes in the reverse proxy.
type RouteConfig ¶
// RouteConfig maps to the yaml route config fields.
type RouteConfig struct {
	From    string         `yaml:"from"`    // the domain used to access the service
	To      string         `yaml:"to"`      // the cname of the proxied service: where sso proxy sends requests that arrive on From
	Type    string         `yaml:"type"`    // route kind; the accepted values are not listed on this page
	Options *OptionsConfig `yaml:"options"` // optional per-route options; nil when the key is absent
}
RouteConfig maps to the yaml config fields:
- "from" - the domain that will be used to access the service
- "to" - the cname of the proxied service (this tells sso proxy where to proxy requests that come in on the from field)
type ServiceConfig ¶
// ServiceConfig represents the configuration for a given service.
type ServiceConfig struct {
	Service string `yaml:"service"` // service name
	// ClusterConfigs is decoded inline from the remaining yaml keys. Given
	// that UpstreamConfig is "for a given cluster in a given service", the
	// keys are presumably cluster names — confirm against the parser.
	ClusterConfigs map[string]*UpstreamConfig `yaml:",inline"`
}
ServiceConfig represents the configuration for a given service
type SimpleRoute ¶
SimpleRoute contains a FromURL and ToURL used to construct simple routes in the reverse proxy.
type StateParameter ¶
// StateParameter holds the redirect id along with the session id; the json
// tags give its wire form. NOTE(review): OAuthStart is documented as
// encrypting the redirect url, but how this value is protected in transit is
// not shown on this page — confirm in the source.
type StateParameter struct {
	SessionID   string `json:"session_id"`
	RedirectURI string `json:"redirect_uri"`
}
StateParameter holds the redirect id along with the session id.
type UpstreamConfig ¶
// UpstreamConfig represents the configuration for a given cluster in a given
// service. The first three fields come from yaml; the remaining ones are
// derived at parse time and, by name, appear to be copied from the route's
// OptionsConfig — confirm against the parser.
type UpstreamConfig struct {
	Service     string
	RouteConfig RouteConfig    `yaml:",inline"`
	ExtraRoutes []*RouteConfig `yaml:"extra_routes"`

	// Generated at Parse Time
	Route                 interface{}       // the compiled route; presumably a *SimpleRoute or *RewriteRoute (both defined in this package) — confirm
	SkipAuthCompiledRegex []*regexp.Regexp  // compiled skip_auth_regex patterns; presumably what IsWhitelistedRequest checks
	AllowedGroups         []string          // allowed_groups
	HMACAuth              hmacauth.HmacAuth // request signer; presumably used by UpstreamProxy.ServeHTTP (see SignatureHeader) — confirm
	Timeout               time.Duration     // timeout
	FlushInterval         time.Duration     // flush_interval
	HeaderOverrides       map[string]string // header_overrides
}
UpstreamConfig represents the configuration for a given cluster in a given service
type UpstreamProxy ¶
// UpstreamProxy stores information necessary for proxying the request back to
// the upstream. Its ServeHTTP signs the http request and deletes cookie
// headers before calling the upstream's ServeHTTP.
type UpstreamProxy struct {
	// contains filtered or unexported fields
}
UpstreamProxy stores information necessary for proxying the request back to the upstream.
func (*UpstreamProxy) ServeHTTP ¶
func (u *UpstreamProxy) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP signs the http request and deletes cookie headers before calling the upstream's ServeHTTP function.
Source Files
Directories
Path | Synopsis
---|---
singleflight | Package singleflight provides a duplicate function call suppression mechanism.