⚠ This project is at an early stage and is not ready for production yet ⚠
Helios is an Identity & Access Proxy (IAP) that authorizes HTTP requests based on sets of rules.
It is the building block towards BeyondCorp, a model designed by Google to secure applications
in Zero-Trust networks.
In a nutshell, with Helios you can:
- Identify users using existing identity providers like Google, Auth0, Azure AD, etc.
- Secure and authenticate access to any domain or path
- Configure authorization policies using CEL expressions
- Use Helios as a gateway or reverse proxy
Motivation
My goal is to build an open source alternative to Cloudflare Access and Cloud IAP.
Beyond that, I started this project off for 2 reasons:
- I wanted to exercise and continue improving my Go skills.
- I'm interested in BeyondCorp, Google's implementation of Zero Trust. I believe Zero Trust is the future of Enterprise Security.
- Last but not least, because it's fun!
Install
Install Go.
Next download the project and build the binary file.
$ go get -u github.com/cyakimov/helios
Usage
helios -config config.example.yaml
List flags with
helios -help
Configuring authorization rules
The supported condition attributes are based on details about the request (e.g., its timestamp, originating IP address, identity, etc.).
The available attributes and example expressions are listed below.
Available Attributes
request.host
request.path
request.ip
request.timestamp
For example, by setting Expression to a CEL expression that uses request.ip, you can limit access to only members who have a private IP of 10.0.0.1:
request.ip == "10.0.0.1"
Alternatively, you can check if a request comes from a particular network:
request.ip.network("192.168.0.0/24")
Example Date/Time Expressions
Allow access temporarily until a specified expiration date/time:
timestamp(request.time) < timestamp("2019-01-01T07:00:00Z")
Allow access only during specified working hours:
timestamp(request.time).getHours("America/Santiago") >= 9 &&
timestamp(request.time).getHours("America/Santiago") <= 17 &&
timestamp(request.time).getDayOfWeek("America/Santiago") >= 1 &&
timestamp(request.time).getDayOfWeek("America/Santiago") <= 5
Allow access only for a specified month and year:
timestamp(request.time).getFullYear("America/Santiago") == 2018 &&
timestamp(request.time).getMonth("America/Santiago") < 6
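The date/time rules above, re-expressed in plain Go with only the standard library so their boundaries can be checked. This is an added example, not code from Helios, and it does not use Helios's CEL evaluator; the function names and sample timestamps are constructed for illustration. It follows standard CEL timestamp semantics: getMonth and getDayOfWeek are zero-based (January = 0, Sunday = 0), and getHours <= 17 admits requests up to 17:59 local time.

```go
package main

import (
	"fmt"
	"time"
	_ "time/tzdata" // embed zone data so America/Santiago resolves offline
)

// local parses an RFC 3339 timestamp into the policy's zone; ok is false on bad input.
func local(ts, zone string) (t time.Time, ok bool) {
	loc, err := time.LoadLocation(zone)
	if err != nil {
		return t, false
	}
	if t, err = time.Parse(time.RFC3339, ts); err != nil {
		return t, false
	}
	return t.In(loc), true
}

// beforeExpiry mirrors: timestamp(request.time) < timestamp("2019-01-01T07:00:00Z")
func beforeExpiry(ts string) bool {
	t, ok := local(ts, "UTC")
	return ok && t.Before(time.Date(2019, 1, 1, 7, 0, 0, 0, time.UTC))
}

// workingHours mirrors the getHours/getDayOfWeek rule. CEL's getDayOfWeek is
// zero-based with Sunday = 0, the same numbering as Go's time.Weekday.
func workingHours(ts, zone string) bool {
	t, ok := local(ts, zone)
	return ok && t.Hour() >= 9 && t.Hour() <= 17 &&
		t.Weekday() >= time.Monday && t.Weekday() <= time.Friday
}

// firstHalf2018 mirrors the getFullYear/getMonth rule. CEL's getMonth is
// zero-based (January = 0); Go's time.Month is one-based, hence the -1.
func firstHalf2018(ts, zone string) bool {
	t, ok := local(ts, zone)
	return ok && t.Year() == 2018 && int(t.Month())-1 < 6
}

func main() {
	const z = "America/Santiago"
	// Constructed timestamps at the edges of each rule.
	fmt.Println(workingHours("2019-07-10T21:59:00Z", z))  // 17:59 local, Wednesday
	fmt.Println(workingHours("2019-07-10T22:00:00Z", z))  // 18:00 local
	fmt.Println(firstHalf2018("2018-07-01T02:30:00Z", z)) // still 30 June locally
	fmt.Println(beforeExpiry("2019-01-01T07:00:00Z"))     // the instant of expiry
}
```

Each helper returns false on an unparsable timestamp or unknown zone, so a malformed value denies access rather than granting it.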
Example URL Host/Path Expressions
Allow access only for certain subdomains or URL paths in the request:
request.host == "hr.example.com"
request.host.endsWith(".example.com")
request.path == "/admin/payroll.js"
request.path.startsWith("/admin")
Development
Prerequisites
Environment Setup
Deploy local CA
mkcert -install
Create a certificate for local development
mkcert localhost 127.0.0.1
Install dependencies
go mod download
Run the program
go run . -config config.example.yaml
Roadmap 🗺
| Status | Milestone |
| --- | --- |
| 🚀 | Expression engine |
| ❌ | Support popular identity providers |
| ❌ | Use templates for error pages |
| ❌ | Export Prometheus metrics |
| ❌ | Create a GitHub page |
| ❌ | Dynamic policies |