Constants ¶
const ValidStateDuration = 30 * time.Second
ValidStateDuration is the amount of time before the state is considered expired. This will be replaced by an expiration in a JWT token in a future review.
Variables ¶
var ErrBadAuthorizationValue = errors.New("bad authorization value provided")
ErrBadAuthorizationValue error thrown when the authorization header value is in wrong format
var ErrHostArgNotFound = errors.New("host arg not found")
ErrHostArgNotFound is the error returned when the host arg has not been provided by HAProxy
var ErrNoCredential = errors.New("no credentials provided")
ErrNoCredential error thrown when no credentials are provided with the request
var ErrOIDCClientConfigNotFound = errors.New("no OIDC client found for this domain")
ErrOIDCClientConfigNotFound error thrown when there is no client config related to a given domain
var ErrPathqArgNotFound = errors.New("pathq arg not found")
ErrPathqArgNotFound is the error returned when the pathq arg has not been provided by HAProxy
var ErrSSLArgNotFound = errors.New("SSL arg not found")
ErrSSLArgNotFound error thrown when the ssl arg has not been provided by HAProxy
var ErrTooManyUsersMatching = errors.New("there are too many user matching this request")
ErrTooManyUsersMatching error thrown when too many users are retrieved upon LDAP search
var ErrUserDoesntExist = errors.New("user does not exist")
ErrUserDoesntExist error thrown when provided user does not exist
var ErrWrongCredentials = errors.New("wrong credentials")
ErrWrongCredentials error thrown when credentials provided by user are wrong
var ErrorPageTemplate = `` /* 133-byte string literal not displayed */
ErrorPageTemplate is a template used when the final redirection cannot happen because the signature of the original URL is invalid
var LogoutPageTemplate = `<html>
<head><title>Logout</title></head>
<body>You have been logged out successfully.</body>
</html>`
LogoutPageTemplate is the HTML content stating that the user has been logged out successfully
var NonceLength = 12
NonceLength is the length of the nonce to use
var RedirectPageTemplate = `` /* 168-byte string literal not displayed */
RedirectPageTemplate is a template used for the final redirection
Functions ¶
func AuthenticatedUserMessage ¶ added in v1.3.0
func AuthenticatedUserMessage(username string) spoe.ActionSetVar
AuthenticatedUserMessage builds a message containing the username of the authenticated user
func BuildHasErrorMessage ¶
func BuildHasErrorMessage() spoe.ActionSetVar
BuildHasErrorMessage builds a message stating that an error was raised in the SPOE agent
func BuildRedirectURLMessage ¶
func BuildRedirectURLMessage(url string) spoe.ActionSetVar
BuildRedirectURLMessage builds a message containing the URL the user should be redirected to
Types ¶
type AESEncryptor ¶
type AESEncryptor struct { Key []byte // contains filtered or unexported fields }
AESEncryptor represents an encryptor leveraging AES-GCM. The GCM mode of operation is used so that the encryption is authenticated.
func NewAESEncryptor ¶
func NewAESEncryptor(secret string) *AESEncryptor
NewAESEncryptor creates an instance of the AESEncryptor
type Authenticator ¶
type Authenticator interface { // Check whether the user is authenticated by this authenticator Authenticate(msg *spoe.Message) (bool, []spoe.Action, error) }
Authenticator is the authenticator interface that can be implemented for LDAP, OAuth2, OIDC or anything else.
type HmacSha256Computer ¶
type HmacSha256Computer struct {
// contains filtered or unexported fields
}
HmacSha256Computer represents a producer and verifier of HMAC-SHA256 signatures. SHA256 is preferred over SHA1 for the extra security margin it provides, but both would be acceptable at this time even though SHA1 is known to be vulnerable to collision attacks (HMAC's security does not depend on the collision resistance of the underlying hash).
func NewHmacSha256Computer ¶
func NewHmacSha256Computer(secret string) *HmacSha256Computer
NewHmacSha256Computer creates an instance of the HMAC-SHA256 computer
func (*HmacSha256Computer) ProduceSignature ¶
func (hsc *HmacSha256Computer) ProduceSignature(data []byte) string
ProduceSignature produces a signature for the given data
type LDAPAuthenticator ¶
type LDAPAuthenticator struct {
// contains filtered or unexported fields
}
LDAPAuthenticator is the LDAP implementation of the Authenticator interface
func NewLDAPAuthenticator ¶
func NewLDAPAuthenticator(options LDAPConnectionDetails) *LDAPAuthenticator
NewLDAPAuthenticator creates an instance of an LDAP authenticator
func (*LDAPAuthenticator) Authenticate ¶
Authenticate handles an authentication request coming from HAProxy
type LDAPConnectionDetails ¶
type LDAPConnectionDetails struct { URI string Port int UserDN string Password string BaseDN string UserFilter string VerifyTLS bool }
LDAPConnectionDetails represents the connection details
type OAuth2AuthenticatorOptions ¶
type OAuth2AuthenticatorOptions struct { Endpoints oauth2.Endpoint RedirectCallbackPath string LogoutPath string HealthCheckPath string // This is used to sign the redirection URL SignatureSecret string CookieName string CookieSecure bool CookieTTL time.Duration // The addr interface the callback will be exposed on. CallbackAddr string // The object retrieving the OIDC client configuration from the given domain ClientsStore OIDCClientsStore }
OAuth2AuthenticatorOptions holds the options to customize the OAuth2 authenticator
type OIDCAuthenticator ¶
type OIDCAuthenticator struct {
// contains filtered or unexported fields
}
OIDCAuthenticator is the OIDC implementation of the Authenticator interface
func NewOIDCAuthenticator ¶
func NewOIDCAuthenticator(options OIDCAuthenticatorOptions) *OIDCAuthenticator
NewOIDCAuthenticator creates an instance of an OIDC authenticator
func (*OIDCAuthenticator) Authenticate ¶
Authenticate handles an authentication request coming from HAProxy
type OIDCAuthenticatorOptions ¶
type OIDCAuthenticatorOptions struct { OAuth2AuthenticatorOptions // The URL to the OIDC provider exposing the configuration ProviderURL string // This is used to encrypt the ID Token returned by the IdP. EncryptionSecret string }
OIDCAuthenticatorOptions holds the options to customize the OIDC authenticator
type OIDCClientConfig ¶
type OIDCClientsStore ¶
type OIDCClientsStore interface { // Retrieve the client_id and client_secret based on the domain GetClient(domain string) (*OIDCClientConfig, error) }
type SignatureProducer ¶
SignatureProducer produces a signature
type SignatureVerifier ¶
SignatureVerifier verifies a signature
type StaticOIDCClientsStore ¶
type StaticOIDCClientsStore struct {
// contains filtered or unexported fields
}
func NewStaticOIDCClientStore ¶
func NewStaticOIDCClientStore(config map[string]OIDCClientConfig) *StaticOIDCClientsStore
func (*StaticOIDCClientsStore) GetClient ¶
func (ocf *StaticOIDCClientsStore) GetClient(domain string) (*OIDCClientConfig, error)