Documentation ¶
Index ¶
- Constants
- Variables
- func AppendClaimsAuthenticationRequestParameter(opts []oauth2.AuthCodeOption, requestedClaims map[string]*Claim) []oauth2.AuthCodeOption
- func GetScopesOrDefault(scopes []string) []string
- func ImplicitFlowURL(c *oauth2.Config, state string, opts ...oauth2.AuthCodeOption) string
- func InferGrantType(oidcConf *OIDCConfiguration) string
- func JoinCookies(key string, cookieList []*http.Cookie) (string, error)
- func MakeCookieMetadata(key, value string, flags ...string) ([]string, error)
- func NewDexHTTPReverseProxy(serverAddr string, transport http.RoundTripper) func(writer http.ResponseWriter, request *http.Request)
- func ParseNumFromEnv(env string, defaultValue, min, max int) int
- func RandString(n int) string
- func RandStringCharset(n int, charset string) string
- type Cache
- type Claim
- type ClaimsRequest
- type ClientApp
- type DebugTransport
- type DexRewriteURLRoundTripper
- type OIDCConfig
- type OIDCConfiguration
- type OIDCState
- type OIDCStateStorage
- type Provider
- type RedirectUrlSanitiser
- type Settings
- type TransportWithHeader
- type UserVerifier
Constants ¶
const (
    GrantTypeAuthorizationCode = "authorization_code"
    GrantTypeImplicit          = "implicit"
    ResponseTypeCode           = "code"
    NoUserLocation             = "/dashboard/login?err=NO_USER"
)
const (
    AuthCookieName = "argocd.token"
    EnvVarSSODebug = "ARGOCD_SSO_DEBUG"
)
const CallbackEndpoint = "/auth/callback"
const EnvMaxCookieNumber = "ARGOCD_MAX_COOKIE_NUMBER"
const Location = "Location"
Variables ¶
var ErrCacheMiss = errors.New("cache: key is missing")
Functions ¶
func AppendClaimsAuthenticationRequestParameter ¶
func AppendClaimsAuthenticationRequestParameter(opts []oauth2.AuthCodeOption, requestedClaims map[string]*Claim) []oauth2.AuthCodeOption
AppendClaimsAuthenticationRequestParameter appends an OIDC claims authentication request parameter carrying the `requestedClaims` to `opts`.
func GetScopesOrDefault ¶
func GetScopesOrDefault(scopes []string) []string
func ImplicitFlowURL ¶
func ImplicitFlowURL(c *oauth2.Config, state string, opts ...oauth2.AuthCodeOption) string
ImplicitFlowURL is an adaptation of oauth2.Config::AuthCodeURL() which returns a URL appropriate for an OAuth2 implicit login flow (as opposed to the authorization code flow).
func InferGrantType ¶
func InferGrantType(oidcConf *OIDCConfiguration) string
InferGrantType infers the proper grant flow depending on the OAuth2 client config and OIDC configuration. Returns either "authorization_code" or "implicit".
func JoinCookies ¶
func JoinCookies(key string, cookieList []*http.Cookie) (string, error)
JoinCookies combines the chunks of a cookie, using key as the prefix, and returns the cookie value as a string. cookieString is of the format key1=value1; key2=value2; key3=value3. The first chunk is of the format argocd.token=<numberOfChunks>:token; attributes.
func MakeCookieMetadata ¶
func MakeCookieMetadata(key, value string, flags ...string) ([]string, error)
MakeCookieMetadata generates a string representing a Web cookie. Yum!
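The chunked-cookie format described for JoinCookies and MakeCookieMetadata, shown end to end as an added example. This is illustrative code written for this page, not the package's own JoinCookies or MakeCookieMetadata: it assumes a small chunk-size constant, names the second and later chunks key-1, key-2, ..., and takes the maximum cookie count as a parameter standing in for ARGOCD_MAX_COOKIE_NUMBER.

```go
package main
import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// maxChunkLen is an assumed per-cookie payload limit (browsers reject cookies near 4 KiB); tiny here so the sample token below actually gets chunked.
const maxChunkLen = 8
// splitCookies breaks value into at most maxCookies cookies (the cap stands in for ARGOCD_MAX_COOKIE_NUMBER). The first
// cookie is named key and carries "<numberOfChunks>:<chunk>"; later chunks are named key-1, key-2, ... (assumed naming).
func splitCookies(key, value string, maxCookies int) ([]*http.Cookie, error) {
	var chunks []string
	for len(value) > maxChunkLen {
		chunks, value = append(chunks, value[:maxChunkLen]), value[maxChunkLen:]
	}
	chunks = append(chunks, value)
	if len(chunks) > maxCookies {
		return nil, fmt.Errorf("value needs %d cookies, limit is %d", len(chunks), maxCookies)
	}
	out := []*http.Cookie{{Name: key, Value: strconv.Itoa(len(chunks)) + ":" + chunks[0], HttpOnly: true, Secure: true}}
	for i := 1; i < len(chunks); i++ {
		out = append(out, &http.Cookie{Name: fmt.Sprintf("%s-%d", key, i), Value: chunks[i], HttpOnly: true, Secure: true})
	}
	return out, nil
}

// joinCookies reassembles the value and verifies the declared chunk count, so a truncated
// or tampered Cookie header is rejected rather than yielding a silently corrupted token.
func joinCookies(key string, cookies []*http.Cookie) (string, error) {
	byName := map[string]string{}
	for _, c := range cookies {
		byName[c.Name] = c.Value
	}
	parts := strings.SplitN(byName[key], ":", 2) // absent cookie -> [""] -> rejected below
	count, err := strconv.Atoi(parts[0])
	if len(parts) != 2 || err != nil || count < 1 {
		return "", fmt.Errorf("cookie %s is absent or has a malformed chunk count", key)
	}
	joined := parts[1]
	for i := 1; i < count; i++ {
		chunk, ok := byName[fmt.Sprintf("%s-%d", key, i)]
		if !ok {
			return "", fmt.Errorf("chunk %d of %d for %s is missing", i, count, key)
		}
		joined += chunk
	}
	return joined, nil
}
```

A browser only sends back the chunks it actually stored, so the joiner's count check is what turns a partially stored token into a clean login failure instead of an undecodable one.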
func NewDexHTTPReverseProxy ¶
func NewDexHTTPReverseProxy(serverAddr string, transport http.RoundTripper) func(writer http.ResponseWriter, request *http.Request)
func ParseNumFromEnv ¶
func ParseNumFromEnv(env string, defaultValue, min, max int) int
func RandString ¶
func RandString(n int) string
RandString generates, from a given charset, a cryptographically-secure pseudo-random string of a given length.
func RandStringCharset ¶
func RandStringCharset(n int, charset string) string
Types ¶
type Claim ¶
type Claim struct {
    Essential            bool     `protobuf:"varint,1,opt,name=essential,proto3" json:"essential,omitempty"`
    Value                string   `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
    Values               []string `protobuf:"bytes,3,rep,name=values,proto3" json:"values,omitempty"`
    XXX_NoUnkeyedLiteral struct{} `json:"-"`
    XXX_unrecognized     []byte   `json:"-"`
    XXX_sizecache        int32    `json:"-"`
}
type ClaimsRequest ¶
type ClientApp ¶
type ClientApp struct {
    RedirectUrlSanitiser RedirectUrlSanitiser
    // contains filtered or unexported fields
}
func NewClientApp ¶
func NewClientApp(settings *Settings, cache OIDCStateStorage, baseHRef string, userVerifier UserVerifier, RedirectUrlSanitiser RedirectUrlSanitiser) (*ClientApp, error)
NewClientApp will register the Argo CD client app (either via Dex or external OIDC) and return an object which has HTTP handlers for handling the HTTP responses for login and callback
func (*ClientApp) HandleCallback ¶
func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request)
HandleCallback is the callback handler for an OAuth2 login flow
func (*ClientApp) HandleLogin ¶
func (a *ClientApp) HandleLogin(w http.ResponseWriter, r *http.Request)
HandleLogin formulates the proper OAuth2 URL (auth code or implicit) and redirects the user to the IdP login & consent page
func (*ClientApp) UpdateConfig ¶ added in v0.4.22
type DebugTransport ¶
type DebugTransport struct {
T http.RoundTripper
}
DebugTransport is an HTTP Client Transport to enable debugging
type DexRewriteURLRoundTripper ¶
type DexRewriteURLRoundTripper struct {
    DexURL *url.URL
    T      http.RoundTripper
}
DexRewriteURLRoundTripper is an HTTP RoundTripper that rewrites HTTP requests to the specified dex server address. This is used when reverse proxying Dex, to avoid the API server unnecessarily communicating with Argo CD through its externally facing load balancer, which is not always permitted in firewalled/air-gapped networks.
func NewDexRewriteURLRoundTripper ¶
func NewDexRewriteURLRoundTripper(dexServerAddr string, T http.RoundTripper) DexRewriteURLRoundTripper
NewDexRewriteURLRoundTripper creates a new DexRewriteURLRoundTripper
type OIDCConfig ¶
type OIDCConfig struct {
    Name                   string            `json:"name,omitempty"`
    Issuer                 string            `json:"issuer,omitempty"`
    ClientID               string            `json:"clientID,omitempty"`
    ClientSecret           string            `json:"clientSecret,omitempty"`
    CLIClientID            string            `json:"cliClientID,omitempty"`
    RequestedScopes        []string          `json:"requestedScopes,omitempty"`
    RequestedIDTokenClaims map[string]*Claim `json:"requestedIDTokenClaims,omitempty"`
    LogoutURL              string            `json:"logoutURL,omitempty"`
    ServerSecret           string            `json:"serverSecret"`
}
type OIDCConfiguration ¶
type OIDCConfiguration struct {
    Issuer                 string   `json:"issuer"`
    ScopesSupported        []string `json:"scopes_supported"`
    ResponseTypesSupported []string `json:"response_types_supported"`
    GrantTypesSupported    []string `json:"grant_types_supported,omitempty"`
}
OIDCConfiguration holds the subset of fields of interest from the OIDC configuration spec
func ParseConfig ¶
func ParseConfig(provider *gooidc.Provider) (*OIDCConfiguration, error)
ParseConfig parses the OIDC Config into the concrete data structure
type OIDCState ¶
type OIDCState struct {
    // ReturnURL is the URL in which to redirect a user back to after completing an OAuth2 login
    ReturnURL string `json:"returnURL"`
}
type OIDCStateStorage ¶
type Provider ¶
type Provider interface {
    Endpoint() (*oauth2.Endpoint, error)
    ParseConfig() (*OIDCConfiguration, error)
    Verify(clientID, tokenString string) (*gooidc.IDToken, error)
}
Provider is a wrapper around the go-oidc provider that also provides the following features:
1. lazy initialization/querying of the provider
2. automatic detection of a change in signing keys
3. a convenience function for verifying tokens
We have to initialize the provider lazily since Argo CD can be an OIDC client to itself (in the case of the dex reverse proxy), which presents a chicken-and-egg problem of (1) serving dex over HTTP, and (2) querying the OIDC provider (ourself) to initialize the OIDC client.
type RedirectUrlSanitiser ¶
type Settings ¶
type Settings struct {
    // URL is the externally facing URL users will visit to reach Argo CD.
    // The value here is used when configuring SSO. Omitting this value will disable SSO.
    URL        string `json:"url,omitempty"`
    OIDCConfig OIDCConfig
    // Specifies token expiration duration
    UserSessionDuration time.Duration `json:"userSessionDuration,omitempty"`
    AdminPasswordMtime  time.Time     `json:"adminPasswordMtime"`
}
func (*Settings) OAuth2ClientID ¶
func (*Settings) OAuth2ClientSecret ¶
func (*Settings) RedirectURL ¶
type TransportWithHeader ¶
type TransportWithHeader struct {
    RoundTripper http.RoundTripper
    Header       http.Header
}
TransportWithHeader is an HTTP Client Transport with default headers.
type UserVerifier ¶
type UserVerifier func(claims jwt.MapClaims) bool