auth

package
v1.24.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 26, 2024 License: MIT Imports: 27 Imported by: 0

Documentation

Index

Constants

View Source
const (
	HeaderUserName  = "author-name"
	HeaderUserEmail = "author-email"
	HeaderUserRole  = "author-role"
)

The frontend-service now defines the default author for git commits. The frontend-service also allows overwriting the default values, see function `getRequestAuthorFromGoogleIAP`. The cd-service generally expects these headers, either in the grpc context or the http headers.

View Source
const (
	PermissionCreateLock                   = "CreateLock"
	PermissionDeleteLock                   = "DeleteLock"
	PermissionCreateRelease                = "CreateRelease"
	PermissionDeployRelease                = "DeployRelease"
	PermissionCreateUndeploy               = "CreateUndeploy"
	PermissionDeployUndeploy               = "DeployUndeploy"
	PermissionCreateEnvironment            = "CreateEnvironment"
	PermissionDeleteEnvironmentApplication = "DeleteEnvironmentApplication"
	PermissionDeployReleaseTrain           = "DeployReleaseTrain"
	// The default permission template.
	PermissionTemplate = "%s,%s,%s:%s,%s,allow"
)
View Source
const (

	// Kuberpult login path.
	LoginPATH = "/login"
)

Variables

This section is empty.

Functions

func AllowBypassingAzureAuth

func AllowBypassingAzureAuth(allowedPaths []string, requestUrlPath string, requestMethod string, allowedPrefixes []string) bool

func CheckUserPermissions

func CheckUserPermissions(rbacConfig RBACConfig, user *User, env, team, envGroup, application, action string) error

Checks user permissions on the RBAC policy.

func Decode64

func Decode64(s string) (string, error)

func Encode64

func Encode64(s string) string

func HttpAuthMiddleWare

func HttpAuthMiddleWare(resp http.ResponseWriter, req *http.Request, jwks *keyfunc.JWKS, clientId string, tenantId string, allowedPaths []string, allowedPrefixes []string) error

func JWKSInitAzure

func JWKSInitAzure(ctx context.Context) (*keyfunc.JWKS, error)

func JWKSInitAzureFromJson

func JWKSInitAzureFromJson() (*keyfunc.JWKS, error)

func NewDexReverseProxy

func NewDexReverseProxy(serverAddr string) func(writer http.ResponseWriter, request *http.Request)

NewDexReverseProxy returns a reverse proxy to the Dex server.

func ReadRbacPolicy

func ReadRbacPolicy(dexEnabled bool, DexRbacPolicyPath string) (policy map[string]*Permission, err error)

func ReadScopes

func ReadScopes(s string) (scopes []string)

Helper function to parse the scopes

func ValidateOIDCToken

func ValidateOIDCToken(ctx context.Context, issuerURL, rawToken string, allowedAudience string) (token *oidc.IDToken, err error)

func ValidateToken

func ValidateToken(jwtB64 string, jwks *keyfunc.JWKS, clientId string, tenantId string) (jwt.MapClaims, error)

func VerifyToken

func VerifyToken(ctx context.Context, r *http.Request, clientID, baseURL string) (group string, err error)

Verifies if the user is authenticated.

func WriteUserRoleToGrpcContext

func WriteUserRoleToGrpcContext(ctx context.Context, userRole string) context.Context

WriteUserRoleToGrpcContext adds the user role to the GRPC context. Only used when RBAC is enabled.

func WriteUserRoleToHttpHeader

func WriteUserRoleToHttpHeader(r *http.Request, role string)

WriteUserRoleToHttpHeader should only be used in the frontend-service WriteUserRoleToHttpHeader writes the user role into http headers it is used for requests like /release and managing locks which are delegated from frontend-service to cd-service

func WriteUserToContext

func WriteUserToContext(ctx context.Context, u User) context.Context

WriteUserToContext should be used in both frontend-service and cd-service. WriteUserToContext adds the User to the context for extraction later. The user must not be nil. Returning the new context that has been created.

func WriteUserToGrpcContext

func WriteUserToGrpcContext(ctx context.Context, u User) context.Context

func WriteUserToHttpHeader

func WriteUserToHttpHeader(r *http.Request, user User)

WriteUserToHttpHeader should only be used in the frontend-service WriteUserToHttpHeader writes the user into http headers it is used for requests like /release which are delegated from frontend-service to cd-service

Types

type DexAppClient

type DexAppClient struct {
	// The Dex issuer URL. Needs to be match the dex issuer helm config.
	IssuerURL string
	// The host Kuberpult is running on.
	BaseURL string
	// The Kuberpult client ID. Needs to match the dex staticClients.id helm configuration.
	ClientID string
	// The Kuberpult client secret. Needs to match the dex staticClients.secret helm configuration.
	ClientSecret string
	// The Dex redirect callback. Needs to match the dex staticClients.redirectURIs helm configuration.
	RedirectURI string
	// The available scopes.
	Scopes []string
	// The http client used.
	Client *http.Client
}

Dex App Client.

func NewDexAppClient

func NewDexAppClient(clientID, clientSecret, baseURL string, scopes []string) (*DexAppClient, error)

NewDexAppClient a Dex Client.

type DexAuthContext

type DexAuthContext struct {
	// The user role extracted from the Cookie.
	Role string
}

Extracted information from JWT/Cookie.

type DexGrpcContextReader

type DexGrpcContextReader struct {
	DexEnabled bool
}

func (*DexGrpcContextReader) ReadUserFromGrpcContext

func (x *DexGrpcContextReader) ReadUserFromGrpcContext(ctx context.Context) (*User, error)

ReadUserFromGrpcContext should only be used in the cd-service. ReadUserFromGrpcContext takes the User from middleware (context). It returns a User or an error if the user is not found.

type DexRewriteURLRoundTripper

type DexRewriteURLRoundTripper struct {
	DexURL *url.URL
	T      http.RoundTripper
}

DexRewriteURLRoundTripper creates a new DexRewriteURLRoundTripper. The round tripper is configured to avoid exposing the dex server via a virtual service. Since Kuberpult and dex are running on the same cluster, a reverse proxy is configured to redirect all dex calls internally.

func (DexRewriteURLRoundTripper) RoundTrip

type DummyGrpcContextReader

type DummyGrpcContextReader struct {
	Role string
}

func (*DummyGrpcContextReader) ReadUserFromGrpcContext

func (x *DummyGrpcContextReader) ReadUserFromGrpcContext(ctx context.Context) (*User, error)

type GrpcContextReader

type GrpcContextReader interface {
	ReadUserFromGrpcContext(ctx context.Context) (*User, error)
}

type Permission

type Permission struct {
	Role        string
	Application string
	Environment string
	Action      string
}

Struct to store an RBAC permission.

func ValidateRbacPermission

func ValidateRbacPermission(line string) (p *Permission, err error)

type RBACConfig

type RBACConfig struct {
	// Indicates if Dex is enabled.
	DexEnabled bool
	// The RBAC policy. A key is a permission, for example: "Developer, CreateLock, development:development, *, allow"
	Policy map[string]*Permission
}

All static rbac information that is required to check authentication of a given user.

type User

type User struct {
	Email string
	Name  string
	// Optional. User role, only used if RBAC is enabled.
	DexAuthContext *DexAuthContext
}

func GetUserOrDefault

func GetUserOrDefault(u *User, defaultUser User) User

func ReadUserFromContext

func ReadUserFromContext(ctx context.Context) (*User, error)

ReadUserFromContext returns a user from the ctx or an error if none was found, or it is invalid

func ReadUserFromHttpHeader

func ReadUserFromHttpHeader(ctx context.Context, r *http.Request) (*User, error)

ReadUserFromHttpHeader should only be used in the cd-service. ReadUserFromHttpHeader takes the User from the http request. It returns a User or an error if the user is not found.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL