authentication

package
v1.87.0
Published: Jul 8, 2024 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation


Constants

const (
	// SessionCookieName is the name of the cookie that holds the session data.
	// This is usually an encrypted api token.
	SessionCookieName = "kiali-token"
	// NonceCookieName is the cookie name used to store a nonce code
	// when user is starting authentication with the external server. This code
	// is used to mitigate replay attacks.
	NonceCookieName = "kiali-token-nonce"
	// NumberOfChunksCookieName is the name of the cookie that holds the number of chunks of a session.
	// This may or may not be set depending on the size of the session data.
	NumberOfChunksCookieName = "kiali-token-chunks"
)
const (
	// OpenIdServerCAFile is a certificate file used to connect to the OpenID server.
	// This is for cases when the authentication server is using TLS with a self-signed
	// certificate.
	OpenIdServerCAFile = "/kiali-cabundle/openid-server-ca.crt"
)
const SessionCookieMaxSize = 3584

SessionCookieMaxSize is the maximum size of session cookies. This is 3.5K. Major browsers limit cookie size to 4K, but this includes metadata like expiration date, the cookie name, etc. So use 3.5K for cookie data and leave 0.5K for metadata.

Variables

var ContextKeyAuthInfo contextKey = "authInfo"
var ErrSessionNotFound = errors.New("not found")

ErrSessionNotFound is returned when a session or sessions do not exist.

Functions

func GetAuthInfoContext

func GetAuthInfoContext(ctx context.Context) interface{}

func NewCookieSessionPersistor

func NewCookieSessionPersistor[T any](conf *config.Config) (*cookieSessionPersistor[T], error)

NewCookieSessionPersistor creates a new CookieSessionPersistor.

func NewHeaderAuthController

func NewHeaderAuthController(conf *config.Config, homeClusterSAClient kubernetes.ClientInterface) (*headerAuthController, error)

NewHeaderAuthController initializes a new controller for the "header" strategy, which admits requests that an upstream component has already authenticated. Note that the signature takes only the configuration and the home cluster's service-account client; no persistor or businessInstantiator argument is passed, and the controller uses the business.Get function.

func NewTokenAuthController

func NewTokenAuthController(clientFactory kubernetes.ClientFactory, kialiCache cache.KialiCache, conf *config.Config, discovery *istio.Discovery) (*tokenAuthController, error)

NewTokenAuthController initializes a new controller for handling token authentication. Note that the signature takes a client factory, the Kiali cache, the configuration and the Istio discovery helper; no persistor or businessInstantiator argument is passed, and the controller uses the business.Get function.

func SetAuthInfoContext

func SetAuthInfoContext(ctx context.Context, value interface{}) context.Context

Types

type AuthController

type AuthController interface {
	// Authenticate handles an HTTP request that contains credentials. The method used to pass the
	// credentials is chosen by the authentication controller implementation. The credentials are
	// verified and, if the controller supports it, RBAC permissions are checked to ensure that the
	// user logging in has enough privileges to use Kiali.
	// An AuthenticationFailureError is returned if the authentication request is rejected (unauthorized).
	// Any other kind of error means that something unexpected happened.
	Authenticate(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)

	// ValidateSession restores a session previously created by the Authenticate function. The validity
	// of the restored session should be verified as thoroughly as possible by the implementing controller.
	// If the session is still valid, populated UserSessions are returned. Otherwise, nil is returned.
	ValidateSession(r *http.Request, w http.ResponseWriter) (UserSessions, error)

	// TerminateSession performs the needed procedures to terminate an existing session. If there is no
	// active session, nothing is performed. If there is some invalid session, it is cleared.
	TerminateSession(r *http.Request, w http.ResponseWriter) error
}

AuthController is the interface that all Kiali authentication strategies should implement. An authentication controller is initialized during Kiali startup.

type AuthenticationFailureError

type AuthenticationFailureError struct {
	// Wraps the error causing the authentication failure
	Detail error

	// The status code that should have the HTTP response for this error.
	HttpStatus int

	// A description of the authentication failure
	Reason string
}

AuthenticationFailureError is a helper Error to assist callers of the TokenAuthController.Authenticate function in distinguishing between authentication failures and unexpected errors.

func (*AuthenticationFailureError) Error

func (e *AuthenticationFailureError) Error() string

Error returns the string representation of an AuthenticationFailureError.

type OpenIdAuthController

type OpenIdAuthController struct {
	SessionStore SessionPersistor[oidcSessionPayload]
	// contains filtered or unexported fields
}

OpenIdAuthController contains the backing logic to implement Kiali's "openid" authentication strategy. Only the authorization code flow is implemented.

RBAC is supported, although it requires that the cluster is configured with OpenId integration. Thus, it is possible to turn off RBAC for simpler setups.

func NewOpenIdAuthController

func NewOpenIdAuthController(kialiCache cache.KialiCache, clientFactory kubernetes.ClientFactory, conf *config.Config, discovery *istio.Discovery) (*OpenIdAuthController, error)

NewOpenIdAuthController initializes a new controller for handling openid authentication. Note that the signature takes the Kiali cache, a client factory, the configuration and the Istio discovery helper; no persistor or businessInstantiator argument is passed, and the controller uses the business.Get function.

func (OpenIdAuthController) Authenticate

func (c OpenIdAuthController) Authenticate(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)

Authenticate was the entry point for OpenId authentication using the implicit flow. Support for the implicit flow has been removed. The method is kept because the AuthController interface, which every auth controller must implement, requires it; it therefore simply returns an error.

func (OpenIdAuthController) GetAuthCallbackHandler

func (c OpenIdAuthController) GetAuthCallbackHandler(fallbackHandler http.Handler) http.Handler

GetAuthCallbackHandler returns a http handler for authentication requests done to Kiali's web_root. This handler catches callbacks from the OpenId server. If it cannot be determined that the request is a callback from the authentication server, the request is passed to the fallbackHandler.

func (OpenIdAuthController) PostRoutes

func (c OpenIdAuthController) PostRoutes(router *mux.Router)

PostRoutes adds the additional endpoints needed on the Kiali's router in order to properly enable OpenId authentication. Only one new route is added to do a redirection from Kiali to the OpenId server to initiate authentication.

func (OpenIdAuthController) TerminateSession

func (c OpenIdAuthController) TerminateSession(r *http.Request, w http.ResponseWriter) error

TerminateSession unconditionally terminates any existing session without any validation.

func (OpenIdAuthController) ValidateSession

func (c OpenIdAuthController) ValidateSession(r *http.Request, w http.ResponseWriter) (UserSessions, error)

ValidateSession restores a session previously created by the authorization code callback. A sanity check of the id_token is performed if Kiali is not configured to use the access_token. Also, if RBAC is enabled, a privilege check is performed to verify that the user still has privileges to use Kiali. If the session is still valid, populated UserSessions are returned. Otherwise, nil is returned.

type OpenshiftAuthController

type OpenshiftAuthController struct {
	// contains filtered or unexported fields
}

OpenshiftAuthController contains the backing logic to implement Kiali's "openshift" authentication strategy. This authentication strategy is basically an implementation of OAuth's authorization code flow with the specifics of OpenShift.

Alternatively, it is possible that a 3rd party controls the session. For these cases, Kiali can receive an OpenShift token via the "Authorization" HTTP header or via the "oauth_token" URL parameter. Tokens received from 3rd parties are not persisted with Kiali's active persistor, because that would collide with and replace an existing Kiali session. So, it is assumed that the 3rd party has its own persistence system (similarly to how 'header' auth works).

func NewOpenshiftAuthController

func NewOpenshiftAuthController(conf *config.Config, clientFactory kubernetes.ClientFactory) (*OpenshiftAuthController, error)

NewOpenshiftAuthController initializes a new controller for handling OpenShift authentication. The OAuth service created inside the constructor will make a request to the OpenShift OAuth server to gather OAuth metadata.

func (*OpenshiftAuthController) Authenticate

func (o *OpenshiftAuthController) Authenticate(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)

Authenticate is not implemented for the openshift auth strategy because Kiali no longer supports the implicit flow; it is kept only to satisfy the AuthController interface.

func (*OpenshiftAuthController) OpenshiftAuthCallback

func (o *OpenshiftAuthController) OpenshiftAuthCallback(w http.ResponseWriter, r *http.Request)

OpenshiftAuthCallback handles the redirect back from the OpenShift OAuth server. It attempts to extract the nonce cookie (which carries the verifier saved by OpenshiftAuthRedirect) and the authorization code from the request.

func (*OpenshiftAuthController) OpenshiftAuthRedirect

func (o *OpenshiftAuthController) OpenshiftAuthRedirect(w http.ResponseWriter, r *http.Request)

OpenshiftAuthRedirect redirects the user to the OpenShift OAuth server to start the OAuth flow. Kiali performs the redirect itself rather than letting the browser go directly to the OAuth server, because the verifier must be saved in the nonce cookie before the redirect is issued.
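How the nonce cookie, the callback checks and AuthenticationFailureError fit together, as an added example written for this page rather than the controller's own code. It models the redirect/callback pair described for OpenshiftAuthRedirect and OpenshiftAuthCallback with a generic authorization code flow plus PKCE: the redirect stores the verifier and a state value in NonceCookieName, the callback requires that cookie, compares the state in constant time, clears the cookie so the same callback cannot be replayed, and reports rejections as an AuthenticationFailureError so a caller can choose the HTTP status with errors.As. The oauthFlow type, its fields, the endpoint URLs and the five-minute cookie lifetime are assumptions; the token exchange is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/http"
	"net/url"
	"strings"
)

const nonceCookieName = "kiali-token-nonce" // the package's NonceCookieName

// authenticationFailureError mirrors the page's AuthenticationFailureError.
type authenticationFailureError struct {
	Detail     error
	HttpStatus int
	Reason     string
}

func (e *authenticationFailureError) Error() string { return e.Reason + ": " + e.Detail.Error() }

func failure(status int, reason string, detail error) error {
	return &authenticationFailureError{Detail: detail, HttpStatus: status, Reason: reason}
}

// oauthFlow holds the authorization-endpoint settings; all of them are assumptions.
type oauthFlow struct {
	AuthorizeURL, ClientID, RedirectURI string
}

func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func pkceChallenge(verifier string) string { // S256: BASE64URL(SHA256(verifier))
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Redirect mints a PKCE verifier and a state value, keeps both in the short-lived nonce
// cookie and sends the browser to the authorization server. SameSite=Lax rather than Strict
// is deliberate: the callback is a cross-site top-level navigation, and Strict would withhold the cookie.
func (f *oauthFlow) Redirect(w http.ResponseWriter, r *http.Request) error {
	verifier, err := randomToken()
	if err != nil {
		return err
	}
	state, err := randomToken()
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{Name: nonceCookieName, Value: verifier + "." + state, Path: "/",
		MaxAge: 300, HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	q := url.Values{"response_type": {"code"}, "client_id": {f.ClientID}, "redirect_uri": {f.RedirectURI},
		"state": {state}, "code_challenge": {pkceChallenge(verifier)}, "code_challenge_method": {"S256"}}
	http.Redirect(w, r, f.AuthorizeURL+"?"+q.Encode(), http.StatusSeeOther)
	return nil
}

// Callback extracts the nonce cookie and the code. The cookie is cleared as soon as it has been
// read, so a second delivery of the same callback fails; a missing cookie, a state mismatch or a
// missing code is an authentication failure. The code and verifier returned feed the token exchange.
func (f *oauthFlow) Callback(w http.ResponseWriter, r *http.Request) (code, verifier string, err error) {
	q := r.URL.Query()
	if e := q.Get("error"); e != "" {
		return "", "", failure(http.StatusUnauthorized, "authorization server rejected the login", errors.New(e))
	}
	c, err := r.Cookie(nonceCookieName)
	if err != nil {
		return "", "", failure(http.StatusBadRequest, "missing or expired nonce cookie", err)
	}
	http.SetCookie(w, &http.Cookie{Name: nonceCookieName, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
	verifier, state, ok := strings.Cut(c.Value, ".")
	if !ok || subtle.ConstantTimeCompare([]byte(state), []byte(q.Get("state"))) != 1 {
		return "", "", failure(http.StatusBadRequest, "state does not match the nonce cookie", errors.New("state mismatch"))
	}
	if code = q.Get("code"); code == "" {
		return "", "", failure(http.StatusBadRequest, "callback carries no authorization code", errors.New("no code"))
	}
	return code, verifier, nil
}

// statusFor shows how a caller separates authentication failures (the client sees their
// HttpStatus and Reason) from unexpected errors (a bare 500, no detail leaked).
func statusFor(err error) (int, string) {
	var authErr *authenticationFailureError
	switch {
	case err == nil:
		return http.StatusOK, "ok"
	case errors.As(err, &authErr):
		return authErr.HttpStatus, authErr.Reason
	default:
		return http.StatusInternalServerError, "internal error"
	}
}
```

Two design points worth noting: the state comparison uses crypto/subtle so a forged callback cannot probe the value byte by byte, and the nonce cookie is cleared before the state check rather than after success, so even a rejected callback burns the verifier.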

func (*OpenshiftAuthController) TerminateSession

func (o *OpenshiftAuthController) TerminateSession(r *http.Request, w http.ResponseWriter) error

TerminateSession terminates a session created by the Authenticate function. To properly clean the session, the OpenShift access_token is revoked/deleted by making a call to the relevant OpenShift API. If this process fails, the session is not cleared and an error is returned. The cleanup is done assuming the access_token was issued to be used only in Kiali.

func (*OpenshiftAuthController) ValidateSession

func (o *OpenshiftAuthController) ValidateSession(r *http.Request, w http.ResponseWriter) (UserSessions, error)

ValidateSession restores a session previously created by the OAuth callback. The user token (access_token) is revalidated by re-fetching user info from the cluster, to ensure that the token hasn't been revoked. If the session is still valid, populated UserSessions are returned. Otherwise, nil is returned.

type SessionData

type SessionData[T any] struct {
	// ExpiresOn is the time when the session expires. This can be zero meaning the session never expires.
	ExpiresOn time.Time `json:"expiresOn"`

	// Key should be a unique identifier for the session.
	// For now this is just the cluster name.
	Key string `json:"key,omitempty"`

	// Payload is the data being saved.
	Payload *T `json:"payload,omitempty"`

	// Strategy is the auth strategy used to create the session.
	// Must match the currently configured strategy to be considered valid.
	Strategy string `json:"strategy"`
}

SessionData holds the data for a session and will be encrypted and stored in browser cookies. If the data is too large to fit in a browser cookie, it will be chunked and split over multiple cookies.

func NewSessionData

func NewSessionData[T any](key string, strategy string, expiresOn time.Time, payload *T) (*SessionData[T], error)

NewSessionData creates a new session object that you can then pass to CreateSession.
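The chunking and validation rules described for SessionCookieMaxSize and SessionData, in working form. This is an added example written for this page, not Kiali's cookieSessionPersistor: it uses the package's cookie names and the 3584-byte limit, seals the JSON-encoded session with AES-GCM under a key the caller supplies (the page does not describe the real persistor's key handling), names extra chunks with a "-N" suffix and caps them at eight (both assumptions), writes NumberOfChunksCookieName only when more than one chunk is needed, and on read rejects a session whose Strategy differs from the configured one or whose ExpiresOn has passed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strconv"
	"time"
)

// Cookie names and the size limit are the package constants. The "-N" suffix for extra
// chunks and the chunk cap are assumptions of this example, not Kiali's scheme.
const (
	sessionCookieName        = "kiali-token"
	numberOfChunksCookieName = "kiali-token-chunks"
	sessionCookieMaxSize     = 3584
	maxChunks                = 8 // bounds how much a forged chunk-count cookie can make us read
)

var errSessionNotFound = errors.New("not found")

type sessionData struct { // mirrors SessionData[T] with a string payload
	ExpiresOn time.Time `json:"expiresOn"`
	Key       string    `json:"key,omitempty"`
	Payload   *string   `json:"payload,omitempty"`
	Strategy  string    `json:"strategy"`
}

type cookiePersistor struct {
	aead     cipher.AEAD // AES-GCM; key handling of the real persistor is not described on the page
	strategy string      // configured strategy; a restored session must carry the same value
}

// newCookiePersistor takes a 16/24/32-byte key, normally generated once at startup with crypto/rand.
func newCookiePersistor(key []byte, strategy string) (*cookiePersistor, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &cookiePersistor{aead: aead, strategy: strategy}, err
}

func chunkName(i int) string { // chunk 0 is the plain session cookie; extra chunks get "-N"
	if i == 0 {
		return sessionCookieName
	}
	return sessionCookieName + "-" + strconv.Itoa(i)
}

func setCookie(w http.ResponseWriter, name, value string, exp time.Time) {
	http.SetCookie(w, &http.Cookie{Name: name, Value: value, Path: "/", Expires: exp, // zero exp: browser-session cookie
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
}

// CreateSession encrypts the JSON session and splits the base64 ciphertext so that no cookie
// value exceeds sessionCookieMaxSize; the chunk-count cookie is written only when more than one chunk is needed.
func (p *cookiePersistor) CreateSession(w http.ResponseWriter, s sessionData) error {
	plain, err := json.Marshal(s)
	if err != nil {
		return err
	}
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := base64.RawURLEncoding.EncodeToString(p.aead.Seal(nonce, nonce, plain, nil)) // nonce || ciphertext
	chunks := (len(sealed) + sessionCookieMaxSize - 1) / sessionCookieMaxSize
	if chunks > maxChunks {
		return errors.New("session data too large for cookie storage")
	}
	for i := 0; i < chunks; i++ {
		end := (i + 1) * sessionCookieMaxSize
		if end > len(sealed) {
			end = len(sealed)
		}
		setCookie(w, chunkName(i), sealed[i*sessionCookieMaxSize:end], s.ExpiresOn)
	}
	if chunks > 1 {
		setCookie(w, numberOfChunksCookieName, strconv.Itoa(chunks), s.ExpiresOn)
	}
	return nil
}

// ReadSession reassembles the chunks, authenticates and decrypts them, and rejects a session
// created under another strategy or one whose ExpiresOn has passed (a zero ExpiresOn never expires).
func (p *cookiePersistor) ReadSession(r *http.Request, now time.Time) (*sessionData, error) {
	chunks := 1
	if c, err := r.Cookie(numberOfChunksCookieName); err == nil {
		if chunks, err = strconv.Atoi(c.Value); err != nil || chunks < 1 || chunks > maxChunks {
			return nil, errors.New("invalid chunk-count cookie")
		}
	}
	var sealed string
	for i := 0; i < chunks; i++ {
		c, err := r.Cookie(chunkName(i))
		if err != nil {
			return nil, errSessionNotFound
		}
		sealed += c.Value
	}
	raw, err := base64.RawURLEncoding.DecodeString(sealed)
	n := p.aead.NonceSize()
	if err != nil || len(raw) < n {
		return nil, errors.New("malformed session cookie")
	}
	plain, err := p.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return nil, errors.New("session cookie failed authentication") // tampered, or sealed under another key
	}
	var s sessionData
	if err := json.Unmarshal(plain, &s); err != nil {
		return nil, err
	}
	if s.Strategy != p.strategy {
		return nil, errors.New("session strategy does not match the configured strategy")
	}
	if !s.ExpiresOn.IsZero() && !now.Before(s.ExpiresOn) {
		return nil, errors.New("session expired")
	}
	return &s, nil
}
```

The chunk-count cookie is attacker-controlled input like any other cookie, which is why it is bounded before the chunk names are derived from it; the GCM tag then covers the reassembled ciphertext as a whole, so dropping, reordering or editing any chunk fails authentication rather than yielding a partially decoded session.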

type SessionPersistor

type SessionPersistor[T any] interface {
	CreateSession(r *http.Request, w http.ResponseWriter, s SessionData[T]) error
	ReadSession(r *http.Request, w http.ResponseWriter, key string) (sData *SessionData[T], err error)
	ReadAllSessions(r *http.Request, w http.ResponseWriter) (sessions []*SessionData[T], err error)
	TerminateSession(r *http.Request, w http.ResponseWriter, key string)
}

type TerminateSessionError

type TerminateSessionError struct {
	// A description of the error.
	Message string

	// The HTTP Status code that should be sent to the client.
	HttpStatus int
}

TerminateSessionError is a helper type implementing the error interface. Its main goal is to pass the right HTTP status code that should be sent to the client if a session Logout operation fails.

func (TerminateSessionError) Error

func (e TerminateSessionError) Error() string

Error returns the string representation of an instance of TerminateSessionError.

type UserSessionData

type UserSessionData struct {
	// The expired time for the token
	// A string with the Datetime when the token will be expired
	//
	// example: Thu, 07 Mar 2019 17:50:26 +0000
	// required: true
	ExpiresOn time.Time `json:"expiresOn"`

	// The username for the token
	// A string with the user's username
	//
	// example: admin
	// required: true
	Username string `json:"username"`

	// The authentication information of the user to access the cluster API
	// It is usually only a bearer token that can be used to connect to the cluster API.
	// However, it is possible to add more options, like impersonation attributes.
	//
	// required: true
	AuthInfo *api.AuthInfo `json:"-"`
}

UserSessionData is the model returned to the client after a login; it carries the session expiry, the username and the cluster API credentials (the latter is never serialized). swagger:model UserSessionData

type UserSessions

type UserSessions map[string]*UserSessionData

UserSessions is a map of cluster name to UserSessionData. It is used to store the user session data for each cluster, since each cluster can have its own unique session. In some setups the auth info is the same across all clusters, but in others it can differ per cluster.

func (UserSessions) GetAuthInfos

func (u UserSessions) GetAuthInfos() map[string]*api.AuthInfo
