Documentation ¶
Index ¶
- Constants
- func NewDexClient(hostAndPort string, caCrt, clientCrt, clientKey string) (api.DexClient, error)
- type AuthSource
- type Authenticator
- func (a *Authenticator) Authenticate(r *http.Request) (*User, error)
- func (a *Authenticator) CallbackFunc(fn func(loginInfo LoginJSON, successURL string, w http.ResponseWriter)) func(w http.ResponseWriter, r *http.Request)
- func (a *Authenticator) GetSpecialURLs() SpecialAuthURLs
- func (a *Authenticator) LoginFunc(w http.ResponseWriter, r *http.Request)
- func (a *Authenticator) LogoutFunc(w http.ResponseWriter, r *http.Request)
- func (a *Authenticator) SetCSRFCookie(path string, w *http.ResponseWriter)
- func (a *Authenticator) VerifyCSRFToken(r *http.Request) (err error)
- func (a *Authenticator) VerifySourceOrigin(r *http.Request) (err error)
- type Config
- type LoginJSON
- type SessionStore
- type SpecialAuthURLs
- type User
Constants ¶
// Names used by the package's CSRF handling.
// NOTE(review): presumably SetCSRFCookie writes the cookie and VerifyCSRFToken
// compares it with the header value; this page documents neither method, so
// confirm against the implementation.
const (
	// CSRFCookieName is the name of the CSRF token cookie.
	CSRFCookieName = "csrf-token"
	// CSRFHeader is the name of the CSRF token request header.
	CSRFHeader = "X-CSRFToken"
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type AuthSource ¶
type AuthSource int
AuthSource allows callers to switch between Tectonic and OpenShift login support.
// Supported AuthSource values.
const (
	// AuthSourceTectonic selects Tectonic login support. Because it is 0, it is
	// also the zero value: a Config whose AuthSource field is left unset uses
	// this source.
	AuthSourceTectonic AuthSource = 0
	// AuthSourceOpenShift selects OpenShift login support.
	AuthSourceOpenShift AuthSource = 1
)
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
func NewAuthenticator ¶
func NewAuthenticator(ctx context.Context, c *Config) (*Authenticator, error)
NewAuthenticator initializes an Authenticator struct. It blocks until the authenticator is able to contact the provider.
func (*Authenticator) Authenticate ¶
func (a *Authenticator) Authenticate(r *http.Request) (*User, error)
func (*Authenticator) CallbackFunc ¶
func (a *Authenticator) CallbackFunc(fn func(loginInfo LoginJSON, successURL string, w http.ResponseWriter)) func(w http.ResponseWriter, r *http.Request)
CallbackFunc handles OAuth2 callbacks and code/token exchange. Requests with unexpected params are redirected to the root route.
func (*Authenticator) GetSpecialURLs ¶
func (a *Authenticator) GetSpecialURLs() SpecialAuthURLs
GetSpecialURLs returns the logout URL for the special kube:admin user in OpenShift.
func (*Authenticator) LoginFunc ¶
func (a *Authenticator) LoginFunc(w http.ResponseWriter, r *http.Request)
LoginFunc redirects to the OIDC provider for user login.
func (*Authenticator) LogoutFunc ¶
func (a *Authenticator) LogoutFunc(w http.ResponseWriter, r *http.Request)
LogoutFunc cleans up session cookies.
func (*Authenticator) SetCSRFCookie ¶
func (a *Authenticator) SetCSRFCookie(path string, w *http.ResponseWriter)
func (*Authenticator) VerifyCSRFToken ¶
func (a *Authenticator) VerifyCSRFToken(r *http.Request) (err error)
func (*Authenticator) VerifySourceOrigin ¶
func (a *Authenticator) VerifySourceOrigin(r *http.Request) (err error)
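VerifySourceOrigin checks that the Origin request header, if present, matches the target origin. Otherwise, it checks the Referer request header. This description does not say how a request carrying neither header is handled; confirm that case in the implementation before relying on this check alone. Reference: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Identifying_Source_Origin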
type Config ¶
// Config holds the settings passed to NewAuthenticator.
type Config struct {
	// AuthSource selects Tectonic or OpenShift login support. Its zero value
	// is AuthSourceTectonic.
	AuthSource AuthSource

	// NOTE(review): IssuerURL and IssuerCA presumably identify the identity
	// provider and the CA used to verify its TLS certificate — confirm.
	IssuerURL string
	IssuerCA  string

	// NOTE(review): presumably the OAuth2 callback URL registered with the
	// provider — confirm.
	RedirectURL string

	ClientID string
	// ClientSecret is a credential: keep it out of logs, error messages and
	// any serialized copy of this struct.
	ClientSecret string
	Scope        []string

	// K8sCA is required for OpenShift OAuth metadata discovery. This is the CA
	// used to talk to the master, which might be different than the issuer CA.
	K8sCA string

	// NOTE(review): SuccessURL and ErrorURL are presumably the redirect
	// targets after a completed or failed login — confirm.
	SuccessURL string
	ErrorURL   string

	// NOTE(review): presumably consulted by VerifySourceOrigin when it falls
	// back to the Referer header — confirm.
	RefererPath string

	// cookiePath is an abstraction leak. (unfortunately, a necessary one.)
	CookiePath string

	// NOTE(review): presumably controls the Secure attribute on cookies this
	// package sets; the zero value is false, so it must be set explicitly for
	// HTTPS deployments — confirm.
	SecureCookies bool
}
type SessionStore ¶
type SessionStore struct {
// contains filtered or unexported fields
}
func NewSessionStore ¶
func NewSessionStore(maxSessions int) *SessionStore