Documentation ¶
Index ¶
- Constants
- Variables
- func ApplyGroupMappings(db *gorm.DB, groups []ConfigGroupMapping) (modifiedRoleIDs []string, err error)
- func ApplyUserMappings(db *gorm.DB, users []ConfigUserMapping) (modifiedRoleIDs []string, err error)
- func Asset(name string) ([]byte, error)
- func AssetDigest(name string) ([sha256.Size]byte, error)
- func AssetDir(name string) ([]string, error)
- func AssetInfo(name string) (os.FileInfo, error)
- func AssetNames() []string
- func AssetString(name string) (string, error)
- func Digests() (map[string][sha256.Size]byte, error)
- func Healthz(c *gin.Context)
- func ImportProviders(db *gorm.DB, providers []ConfigProvider) error
- func ImportRoleMappings(db *gorm.DB, groups []ConfigGroupMapping, users []ConfigUserMapping) error
- func MustAsset(name string) []byte
- func MustAssetString(name string) string
- func NewAPIMux(reg *Registry, router *gin.RouterGroup)
- func NewPostgresDB(connection string) (*gorm.DB, error)
- func NewSQLiteDB(dbpath string) (*gorm.DB, error)
- func NewToken(db *gorm.DB, userId string, permissions string, sessionDuration time.Duration, ...) (secret string, err error)
- func RestoreAsset(dir, name string) error
- func RestoreAssets(dir, name string) error
- func Run(options Options) (err error)
- type API
- func (a *API) CreateAPIKey(c *gin.Context)
- func (a *API) CreateDestination(c *gin.Context)
- func (a *API) CreateToken(c *gin.Context)
- func (a *API) DeleteAPIKey(c *gin.Context)
- func (a *API) GetDestination(c *gin.Context)
- func (a *API) GetGroup(c *gin.Context)
- func (a *API) GetProvider(c *gin.Context)
- func (a *API) GetRole(c *gin.Context)
- func (a *API) GetUser(c *gin.Context)
- func (a *API) ListAPIKeys(c *gin.Context)
- func (a *API) ListDestinations(c *gin.Context)
- func (a *API) ListGroups(c *gin.Context)
- func (a *API) ListProviders(c *gin.Context)
- func (a *API) ListRoles(c *gin.Context)
- func (a *API) ListUsers(c *gin.Context)
- func (a *API) Login(c *gin.Context)
- func (a *API) Logout(c *gin.Context)
- func (a *API) Version(c *gin.Context)
- type APIKey
- type Config
- type ConfigDestination
- type ConfigGroupMapping
- type ConfigOkta
- type ConfigProvider
- type ConfigRole
- type ConfigSecretProvider
- type ConfigUserMapping
- type CustomJWTClaims
- type Destination
- type DestinationKind
- type Error
- type Group
- type Http
- type Label
- type Okta
- type Options
- type PostgresOptions
- type Provider
- func (p *Provider) BeforeCreate(tx *gorm.DB) (err error)
- func (p *Provider) BeforeDelete(tx *gorm.DB) error
- func (p *Provider) CreateUser(db *gorm.DB, user *User, email string) error
- func (p *Provider) DeleteUser(db *gorm.DB, u User) error
- func (p *Provider) SyncGroups(r *Registry) error
- func (p *Provider) SyncUsers(r *Registry) error
- func (p *Provider) Validate(r *Registry) error
- type ProviderKind
- type Registry
- type Role
- type Settings
- type StaticFileSystem
- type Telemetry
- type Token
- type User
Constants ¶
// API-key errors, expressed as values of the package's Error type so callers can
// compare against them directly.
const (
	// ErrExistingKey: an API key with the requested name already exists.
	ErrExistingKey = Error("a key with this name already exists")
	// ErrUnkownKey (identifier spelling is part of the exported API): no API key has the given ID.
	ErrUnkownKey = Error("an API key with this ID does not exist")
	// ErrKeyPermissionsNotFound: an API key was requested without any permissions.
	ErrKeyPermissionsNotFound = Error("api-key permissions are required")
)
// Default durations. Their names match the ProvidersSyncInterval,
// DestinationsSyncInterval and SessionDuration fields of Options; presumably they
// apply when those fields are left unset — confirm against Run.
const (
	DefaultProvidersSyncInterval    time.Duration = time.Second * 60
	DefaultDestinationsSyncInterval time.Duration = time.Minute * 5
	DefaultSessionDuration          time.Duration = time.Hour * 12
)
// AssetDebug is true if the assets were built with the debug flag enabled.
const AssetDebug = false
Variables ¶
// Role kinds. These are the two values accepted by ConfigRole.Kind
// (validate:"oneof=role cluster-role") and, presumably, by the custom rolekind
// validator on Role.Kind — confirm.
// NOTE(review): declared as var rather than const, so they are assignable at runtime.
var (
	RoleKindKubernetesRole        = "role"
	RoleKindKubernetesClusterRole = "cluster-role"
)
// Token length parameters. TokenLen = IdLen + TokenSecretLen (IdLen is declared
// separately), which suggests a presented token is an ID followed by the secret
// portion that NewToken returns — confirm in NewToken.
// NOTE(review): declared as var rather than const, so they are assignable at runtime.
var (
	TokenSecretLen = 24
	TokenLen       = IdLen + TokenSecretLen
)
// Cookie settings for the token and login cookies.
// NOTE(review): these are package-level vars, not consts, so they can be reassigned
// at runtime. Which HttpOnly/Secure pair is passed for the token cookie is not
// visible on this page — confirm it uses CookieHTTPOnlyNotJavascriptAccessible and
// CookieSecureHTTPSOnly.
var (
	CookieTokenName = "token"
	CookieLoginName = "login"
	CookieDomain    = ""
	CookiePath      = "/"

	// while these vars look goofy, they avoid "magic number" arguments to SetCookie
	CookieHTTPOnlyJavascriptAccessible    = false   // setting HttpOnly to false means JS can access it.
	CookieHTTPOnlyNotJavascriptAccessible = true    // setting HttpOnly to true means JS can't access it.
	CookieSecureHTTPSOnly                 = true    // setting Secure to true means the cookie is only sent over https connections
	CookieSecureHttpOrHTTPS               = false   // setting Secure to false means the cookie will be sent over http or https connections
	CookieMaxAgeDeleteImmediately         = int(-1) // <0: delete immediately
	CookieMaxAgeNoExpiry                  = int(0)  // zero has special meaning of "no expiry"
)
// APIKeyLen is the API key length parameter (24, the same value as TokenSecretLen).
// NOTE(review): a var, so assignable at runtime.
var APIKeyLen = 24
// IdLen is the identifier length that TokenLen builds on (TokenLen = IdLen + TokenSecretLen).
// NOTE(review): a var, so assignable at runtime.
var IdLen = 12
Functions ¶
func ApplyGroupMappings ¶ added in v0.0.15
func ApplyGroupMappings(db *gorm.DB, groups []ConfigGroupMapping) (modifiedRoleIDs []string, err error)
func ApplyUserMappings ¶ added in v0.3.3
func ApplyUserMappings(db *gorm.DB, users []ConfigUserMapping) (modifiedRoleIDs []string, err error)
func Asset ¶
Asset loads and returns the asset for the given name. It returns an error if the asset could not be found or could not be loaded.
func AssetDigest ¶
AssetDigest returns the digest of the file with the given name. It returns an error if the asset could not be found or the digest could not be loaded.
func AssetDir ¶
AssetDir returns the file names below a certain directory embedded in the file by go-bindata. For example if you run go-bindata on data/... and data contains the following hierarchy:
data/ foo.txt img/ a.png b.png
then AssetDir("data") would return []string{"foo.txt", "img"}, AssetDir("data/img") would return []string{"a.png", "b.png"}, AssetDir("foo.txt") and AssetDir("notexist") would return an error, and AssetDir("") will return []string{"data"}.
func AssetInfo ¶
AssetInfo loads and returns the asset info for the given name. It returns an error if the asset could not be found or could not be loaded.
func AssetString ¶
AssetString returns the asset contents as a string (instead of a []byte).
func ImportProviders ¶ added in v0.4.0
func ImportProviders(db *gorm.DB, providers []ConfigProvider) error
func ImportRoleMappings ¶ added in v0.3.3
func ImportRoleMappings(db *gorm.DB, groups []ConfigGroupMapping, users []ConfigUserMapping) error
ImportRoleMappings iterates over the user and group config and applies the configured role mappings to each.
func MustAsset ¶
MustAsset is like Asset but panics when Asset would return an error. It simplifies safe initialization of global variables.
func MustAssetString ¶
MustAssetString is like AssetString but panics when Asset would return an error. It simplifies safe initialization of global variables.
func NewAPIMux ¶ added in v0.4.0
func NewAPIMux(reg *Registry, router *gin.RouterGroup)
func NewToken ¶
func NewToken(db *gorm.DB, userId string, permissions string, sessionDuration time.Duration, token *Token) (secret string, err error)
NewToken creates a token for a user and returns the secret value the user presents for authentication.
func RestoreAsset ¶
RestoreAsset restores an asset under the given directory.
func RestoreAssets ¶
RestoreAssets restores an asset under the given directory recursively.
Types ¶
type API ¶ added in v0.4.0
// API carries the gin handlers listed in the index: CreateAPIKey, CreateDestination,
// CreateToken, DeleteAPIKey, the Get*/List* handlers for destinations, groups,
// providers, roles and users, Login, Logout and Version. Its fields are unexported.
type API struct {
	// contains filtered or unexported fields
}
func (*API) CreateAPIKey ¶ added in v0.4.0
func (*API) CreateDestination ¶ added in v0.4.0
func (*API) CreateToken ¶ added in v0.4.0
func (*API) DeleteAPIKey ¶ added in v0.4.0
func (*API) GetDestination ¶ added in v0.4.0
func (*API) GetProvider ¶ added in v0.4.0
func (*API) ListAPIKeys ¶ added in v0.4.0
func (*API) ListDestinations ¶ added in v0.4.0
func (*API) ListGroups ¶ added in v0.4.0
func (*API) ListProviders ¶ added in v0.4.0
type APIKey ¶
type Config ¶
// Config is the top-level YAML configuration: secret providers, identity providers,
// and the group and user role mappings. Each list is validated element-wise
// (validate:"dive"), and each slice type matches a parameter of ImportProviders or
// ImportRoleMappings.
type Config struct {
	Secrets   []ConfigSecretProvider `yaml:"secrets" validate:"dive"`
	Providers []ConfigProvider       `yaml:"providers" validate:"dive"`
	Groups    []ConfigGroupMapping   `yaml:"groups" validate:"dive"`
	Users     []ConfigUserMapping    `yaml:"users" validate:"dive"`
}
type ConfigDestination ¶ added in v0.2.3
// ConfigDestination selects the destination(s) a ConfigRole applies to. Only Kind is
// required; Name, Labels and Namespaces are optional.
type ConfigDestination struct {
	Name       string          `yaml:"name"`
	Labels     []string        `yaml:"labels"`
	Kind       DestinationKind `yaml:"kind" validate:"required"`
	Namespaces []string        `yaml:"namespaces"` // optional in the case of a cluster-role
}
type ConfigGroupMapping ¶ added in v0.0.15
// ConfigGroupMapping grants Roles to a named group of a named identity provider.
// All three fields are required and each role is validated in turn (dive).
type ConfigGroupMapping struct {
	Name     string       `yaml:"name" validate:"required"`
	Provider string       `yaml:"provider" validate:"required"`
	Roles    []ConfigRole `yaml:"roles" validate:"required,dive"`
}
type ConfigOkta ¶ added in v0.4.0
// ConfigOkta holds the Okta-specific provider settings; presumably it is what
// ConfigProvider.Config is decoded into for Kind "okta" — confirm in
// ConfigProvider.UnmarshalYAML. APIToken is a credential and is required.
type ConfigOkta struct {
	APIToken string `yaml:"apiToken" validate:"required"`
}
type ConfigProvider ¶ added in v0.4.7
// ConfigProvider describes one identity provider from the YAML config. Kind, Domain,
// ClientID and ClientSecret are required; Config holds the kind-specific settings and
// has no yaml tag, so it is presumably filled by UnmarshalYAML — confirm.
// NOTE(review): ClientSecret is a credential; confirm it is not written to logs or
// returned by GetProvider/ListProviders.
type ConfigProvider struct {
	Kind         string      `yaml:"kind" validate:"required"`
	Domain       string      `yaml:"domain" validate:"required"`
	ClientID     string      `yaml:"clientID" validate:"required"`
	ClientSecret string      `yaml:"clientSecret" validate:"required"`
	Config       interface{} // contains identity-provider-specific config
}
func (*ConfigProvider) UnmarshalYAML ¶ added in v0.4.7
func (idp *ConfigProvider) UnmarshalYAML(unmarshal func(interface{}) error) error
type ConfigRole ¶ added in v0.4.7
// ConfigRole is a role granted by a user or group mapping. Kind is restricted to
// "role" or "cluster-role" (the values of RoleKindKubernetesRole and
// RoleKindKubernetesClusterRole); at least one destination is required and each is
// validated (dive).
type ConfigRole struct {
	Name         string              `yaml:"name" validate:"required"`
	Kind         string              `yaml:"kind" validate:"required,oneof=role cluster-role"`
	Destinations []ConfigDestination `yaml:"destinations" validate:"required,dive"`
}
type ConfigSecretProvider ¶ added in v0.4.0
// ConfigSecretProvider describes one source of secrets from the YAML config. Kind is
// required, Name is optional, and Config (no yaml tag) holds the kind-specific
// settings — presumably filled by UnmarshalYAML; confirm.
type ConfigSecretProvider struct {
	Kind   string      `yaml:"kind" validate:"required"`
	Name   string      `yaml:"name"` // optional
	Config interface{} // contains secret-provider-specific config
}
func (*ConfigSecretProvider) UnmarshalYAML ¶ added in v0.4.0
func (sp *ConfigSecretProvider) UnmarshalYAML(unmarshal func(interface{}) error) error
type ConfigUserMapping ¶ added in v0.0.13
// ConfigUserMapping grants Roles to one user identified by e-mail. Both fields are
// required; Email must also pass the email validator.
type ConfigUserMapping struct {
	Email string       `yaml:"email" validate:"required,email"`
	Roles []ConfigRole `yaml:"roles" validate:"required,dive"`
}
type CustomJWTClaims ¶ added in v0.2.4
type Destination ¶
// Destination is a persisted (gorm) target that Roles reference. Id is the primary key
// and is validated as a UUID; Created/Updated are maintained by gorm's
// autoCreateTime/autoUpdateTime; NodeID is unique. KubernetesCa and
// KubernetesEndpoint are presumably the cluster CA and API endpoint for
// Kind == DestinationKindKubernetes (the only kind declared on this page) — confirm.
// Labels are linked through the destinations_labels join table.
type Destination struct {
	Id                 string `gorm:"primaryKey" validate:"uuid"`
	Created            int64  `gorm:"autoCreateTime"`
	Updated            int64  `gorm:"autoUpdateTime"`
	NodeID             string `gorm:"unique"`
	Name               string
	Kind               DestinationKind
	KubernetesCa       string
	KubernetesEndpoint string
	Labels             []Label `gorm:"many2many:destinations_labels"`
}
func (*Destination) BeforeCreate ¶
func (d *Destination) BeforeCreate(tx *gorm.DB) (err error)
func (*Destination) BeforeDelete ¶
func (d *Destination) BeforeDelete(tx *gorm.DB) (err error)
TODO (jmorganca): use foreign constraints instead?
type DestinationKind ¶ added in v0.4.12
// DestinationKind identifies the type of a Destination (Destination.Kind,
// ConfigDestination.Kind). Only the kubernetes kind is declared here.
type DestinationKind string

// nolint: leaving room for more destination kinds
var (
	DestinationKindKubernetes DestinationKind = "kubernetes"
)
type Group ¶ added in v0.0.15
// Group is a persisted identity-provider group. It belongs to one Provider
// (ProviderId is a foreign key to Provider.Id and is validated as a UUID) and is linked
// to Roles and Users through the groups_roles and groups_users join tables.
type Group struct {
	Id         string   `gorm:"primaryKey" validate:"uuid"`
	Created    int64    `gorm:"autoCreateTime"`
	Updated    int64    `gorm:"autoUpdateTime"`
	Name       string
	ProviderId string   `validate:"uuid"`
	Provider   Provider `gorm:"foreignKey:ProviderId;references:Id"`
	Roles      []Role   `gorm:"many2many:groups_roles"`
	Users      []User   `gorm:"many2many:groups_users"`
}
type Http ¶ added in v0.0.6
// Http holds the state behind the WellKnownJWKs handler; its fields are unexported.
type Http struct {
	// contains filtered or unexported fields
}
func (*Http) WellKnownJWKs ¶ added in v0.0.6
type Okta ¶ added in v0.0.12
// Okta is the set of Okta operations the package relies on. Every method receives the
// provider's domain and credentials as explicit arguments; the interface holds no
// state. Groups returns group name to members (presumably e-mails — confirm);
// EmailFromCode exchanges a code (presumably an OAuth authorization code) for the
// user's e-mail.
type Okta interface {
	ValidateOktaConnection(domain string, clientID string, apiToken string) error
	Emails(domain string, clientID string, apiToken string) ([]string, error)
	Groups(domain string, clientID string, apiToken string) (map[string][]string, error)
	EmailFromCode(code string, domain string, clientID string, clientSecret string) (string, error)
}
type Options ¶
// Options are the server settings passed to Run, bound from configuration by the
// mapstructure keys. The package declares Default* constants named after
// ProvidersSyncInterval, DestinationsSyncInterval and SessionDuration; internal.Options
// is squashed, so its keys sit at the same level as these.
// NOTE(review): RootAPIKey and EngineAPIKey are credentials; confirm they are not
// logged or included in any debug dump of Options.
type Options struct {
	ConfigPath               string          `mapstructure:"config-path"`
	DBFile                   string          `mapstructure:"db-file"`
	TLSCache                 string          `mapstructure:"tls-cache"`
	RootAPIKey               string          `mapstructure:"root-api-key"`
	EngineAPIKey             string          `mapstructure:"engine-api-key"`
	PostgresOptions          PostgresOptions `mapstructure:"pg"`
	EnableTelemetry          bool            `mapstructure:"enable-telemetry"`
	EnableCrashReporting     bool            `mapstructure:"enable-crash-reporting"`
	ProvidersSyncInterval    time.Duration   `mapstructure:"providers-sync-interval"`
	DestinationsSyncInterval time.Duration   `mapstructure:"destinations-sync-interval"`
	SessionDuration          time.Duration   `mapstructure:"session-duration"`
	internal.Options         `mapstructure:",squash"`
}
type PostgresOptions ¶ added in v0.4.11
// PostgresOptions are the Postgres settings bound under the "pg" key of Options;
// presumably they are assembled into the connection string given to NewPostgresDB —
// confirm. PostgresPassword is a credential.
type PostgresOptions struct {
	PostgresHost       string `mapstructure:"host"`
	PostgresPort       int    `mapstructure:"port"`
	PostgresDBName     string `mapstructure:"db-name"`
	PostgresUser       string `mapstructure:"user"`
	PostgresPassword   string `mapstructure:"password"`
	PostgresParameters string `mapstructure:"parameters"`
}
type Provider ¶ added in v0.4.0
// Provider is a persisted identity provider (the only Kind declared on this page is
// ProviderKindOkta). Users are linked through the users_providers join table.
// NOTE(review): ClientSecret and APIToken are credentials stored on the row; confirm
// they are excluded from GetProvider/ListProviders responses and from logs.
type Provider struct {
	Id      string       `gorm:"primaryKey" validate:"uuid"`
	Created int64        `gorm:"autoCreateTime"`
	Updated int64        `gorm:"autoUpdateTime"`
	Kind    ProviderKind `yaml:"kind"` // TODO: long-term we shouldn't have yaml serialization info here.

	Domain       string
	ClientID     string
	ClientSecret string

	// used for okta sync
	APIToken string

	Users []User `gorm:"many2many:users_providers"`
}
func (*Provider) BeforeCreate ¶ added in v0.4.0
func (*Provider) CreateUser ¶ added in v0.4.0
CreateUser creates a user and associates them with the provider. If the user already exists, no new user is created; only the association with the provider is added.
func (*Provider) DeleteUser ¶ added in v0.4.0
DeleteUser deletes a user's association with a provider. If this is their only provider, the user is deleted entirely. TODO (jmorganca): wrap this in a transaction, or at least find out why this seems to cause a bug when used in a nested transaction.
func (*Provider) SyncGroups ¶ added in v0.4.0
type ProviderKind ¶ added in v0.4.12
// ProviderKind identifies the type of a Provider (Provider.Kind). Only okta is
// declared here.
type ProviderKind string

// nolint: leaving room for more provider kinds
var (
	ProviderKindOkta ProviderKind = "okta"
)
type Role ¶ added in v0.0.13
// Role is a persisted role scoped to one Destination (DestinationId is a foreign key to
// Destination.Id and is validated as a UUID). Name is required and Kind is checked by
// the rolekind validate tag (cf. RoleKindKubernetesRole/RoleKindKubernetesClusterRole);
// Namespace carries no validation here. Groups and Users are linked through the
// groups_roles and users_roles join tables.
type Role struct {
	Id            string      `gorm:"primaryKey" validate:"uuid"`
	Created       int64       `gorm:"autoCreateTime"`
	Updated       int64       `gorm:"autoUpdateTime"`
	Name          string      `validate:"required"`
	Kind          string      `validate:"required,rolekind"`
	Namespace     string
	DestinationId string      `validate:"uuid"`
	Destination   Destination `gorm:"foreignKey:DestinationId;references:Id"`
	Groups        []Group     `gorm:"many2many:groups_roles"`
	Users         []User      `gorm:"many2many:users_roles"`
}
type Settings ¶
type StaticFileSystem ¶
// StaticFileSystem serves the embedded assets (see Asset/AssetDir); its fields are
// unexported and nothing on this page shows how it is constructed.
type StaticFileSystem struct {
	// contains filtered or unexported fields
}
type Telemetry ¶ added in v0.3.3
// Telemetry holds the state behind EnqueueHeartbeat and SetEnabled; its fields are
// unexported. Presumably gated by Options.EnableTelemetry — confirm.
type Telemetry struct {
	// contains filtered or unexported fields
}
func (*Telemetry) EnqueueHeartbeat ¶ added in v0.3.3
func (*Telemetry) SetEnabled ¶ added in v0.3.3
type Token ¶
// Token is a persisted session token. Only a hash of the secret is stored (SecretHash);
// a presented secret is checked against it, presumably by CheckSecret, and expiry by
// CheckExpired (both listed on this page). The hash algorithm is not visible here.
// Expires is an int64 with no gorm tag, unlike Created/Updated — confirm it uses the
// same unit as autoCreateTime before comparing. Permissions is a space-separated scope
// list checked by the permissions validate tag; UserId is a foreign key to User.Id.
type Token struct {
	Id          string `gorm:"primaryKey" validate:"uuid"`
	Created     int64  `gorm:"autoCreateTime"`
	Updated     int64  `gorm:"autoUpdateTime"`
	Expires     int64
	SecretHash  []byte `                      ` // if the hash of the presented token secret matches this value it is valid
	Permissions string `validate:"permissions"` // space separated list of permissions/scopes that a token can perform
	UserId      string `validate:"uuid"`
	User        User   `gorm:"foreignKey:UserId;references:Id;"`
}
func ValidateAndGetToken ¶ added in v0.0.13
func (*Token) CheckExpired ¶ added in v0.2.4
func (*Token) CheckSecret ¶
type User ¶
// User is a persisted account keyed by Email, which is unique in the database and
// checked by the email validator. Providers, Roles and Groups are linked through the
// users_providers, users_roles and groups_users join tables.
type User struct {
	Id        string     `gorm:"primaryKey" validate:"uuid"`
	Created   int64      `gorm:"autoCreateTime"`
	Updated   int64      `gorm:"autoUpdateTime"`
	Email     string     `gorm:"unique" validate:"email"`
	Providers []Provider `gorm:"many2many:users_providers"`
	Roles     []Role     `gorm:"many2many:users_roles"`
	Groups    []Group    `gorm:"many2many:groups_users"`
}