Documentation ¶
Index ¶
- Constants
- Variables
- func GetSubjectAccountAndCapability(subject string) (string, settings.AccountCapability)
- func Groups(ctx context.Context, scopes []string) []string
- func Iat(ctx context.Context) (time.Time, error)
- func Iss(ctx context.Context) string
- func LoggedIn(ctx context.Context) bool
- func NewUserStateStorage(redis *redis.Client) *userStateStorage
- func Sub(ctx context.Context) string
- func Username(ctx context.Context) string
- func WithAuthMiddleware(disabled bool, authn TokenVerifier, next http.Handler) http.Handler
- type LoginAttempts
- type SessionManager
- func (mgr *SessionManager) AuthMiddlewareFunc(disabled bool) func(http.Handler) http.Handler
- func (mgr *SessionManager) Create(subject string, secondsBeforeExpiry int64, id string) (string, error)
- func (mgr *SessionManager) GetLoginFailures() map[string]LoginAttempts
- func (mgr *SessionManager) Parse(tokenString string) (jwt.Claims, string, error)
- func (mgr *SessionManager) RevokeToken(ctx context.Context, id string, expiringAt time.Duration) error
- func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, string, error)
- func (mgr *SessionManager) VerifyUsernamePassword(username string, password string) error
- type TokenVerifier
- type UserStateStorage
Constants ¶
const ( // SessionManagerClaimsIssuer fills the "iss" field of the token. SessionManagerClaimsIssuer = "argocd" AuthErrorCtxKey = "auth-error" )
Variables ¶
var (
InvalidLoginErr = status.Errorf(codes.Unauthenticated, invalidLoginError)
)
Functions ¶
func GetSubjectAccountAndCapability ¶
func GetSubjectAccountAndCapability(subject string) (string, settings.AccountCapability)
GetSubjectAccountAndCapability analyzes Argo CD account token subject and extract account name and the capability it was generated for (default capability is API Key).
func NewUserStateStorage ¶
func NewUserStateStorage(redis *redis.Client) *userStateStorage
func WithAuthMiddleware ¶
WithAuthMiddleware is an HTTP middleware used to ensure incoming requests are authenticated before invoking the target handler. If disabled is true, it will just invoke the next handler in the chain.
Types ¶
type LoginAttempts ¶
type LoginAttempts struct { // Time of the last failed login LastFailed time.Time `json:"lastFailed"` // Number of consecutive login failures FailCount int `json:"failCount"` }
LoginAttempts is a timestamped counter for failed login attempts
type SessionManager ¶
type SessionManager struct {
// contains filtered or unexported fields
}
SessionManager generates and validates JWT tokens for login sessions.
func NewSessionManager ¶
func NewSessionManager(settingsMgr *settings.SettingsManager, projectsLister v1alpha1.AppProjectNamespaceLister, dexServerAddr string, dexTlsConfig *dex.DexTLSConfig, storage UserStateStorage) *SessionManager
NewSessionManager creates a new session manager from Argo CD settings
func (*SessionManager) AuthMiddlewareFunc ¶
AuthMiddlewareFunc returns a function that can be used as an authentication middleware for HTTP requests.
func (*SessionManager) Create ¶
func (mgr *SessionManager) Create(subject string, secondsBeforeExpiry int64, id string) (string, error)
Create creates a new token for a given subject (user) and returns it as a string. Passing a value of `0` for secondsBeforeExpiry creates a token that never expires. The id parameter holds an optional unique JWT token identifier and stored as a standard claim "jti" in the JWT token.
func (*SessionManager) GetLoginFailures ¶
func (mgr *SessionManager) GetLoginFailures() map[string]LoginAttempts
GetLoginFailures retrieves the login failure information from the cache. Any modifications to the LoginAttemps map must be done in a thread-safe manner.
func (*SessionManager) Parse ¶
func (mgr *SessionManager) Parse(tokenString string) (jwt.Claims, string, error)
Parse tries to parse the provided string and returns the token claims for local login.
func (*SessionManager) RevokeToken ¶
func (*SessionManager) VerifyToken ¶
func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, string, error)
VerifyToken verifies if a token is correct. Tokens can be issued either from us or by an IDP. We choose how to verify based on the issuer.
func (*SessionManager) VerifyUsernamePassword ¶
func (mgr *SessionManager) VerifyUsernamePassword(username string, password string) error
VerifyUsernamePassword verifies if a username/password combo is correct
type TokenVerifier ¶
TokenVerifier defines the contract to invoke token verification logic
type UserStateStorage ¶
type UserStateStorage interface { Init(ctx context.Context) // GetLoginAttempts return number of concurrent login attempts GetLoginAttempts(attempts *map[string]LoginAttempts) error // SetLoginAttempts sets number of concurrent login attempts SetLoginAttempts(attempts map[string]LoginAttempts) error // RevokeToken revokes token with given id (information about revocation expires after specified timeout) RevokeToken(ctx context.Context, id string, expiringAt time.Duration) error // IsTokenRevoked checks if given token is revoked IsTokenRevoked(id string) bool }