GO-2023-2075: Kiali content spoofing vulnerability in github.com/kiali/kiali

authentication

package

v1.47.0 Latest Latest Go to latest Published: Feb 25, 2022 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kiali/kiali

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func InitializeAuthenticationController(strategy string)
func NewTokenAuthController(persistor SessionPersistor, ...) *tokenAuthController
type AuthController
- func GetAuthController() AuthController
type AuthenticationFailureError
- func (e *AuthenticationFailureError) Error() string
type CookieSessionPersistor
type SessionPersistor
type UserSessionData

Constants ¶

View Source

const (
	AESSessionCookieName       = config.TokenCookieName + "-aes"
	AESSessionChunksCookieName = config.TokenCookieName + "-chunks"
)

Variables ¶

This section is empty.

Functions ¶

func InitializeAuthenticationController ¶

func InitializeAuthenticationController(strategy string)

InitializeAuthenticationController initializes the authentication controller associated to the given strategy and prepares it to control user sessions and handle authentication requests. This should be called during Kiali startup, before starting to listen to HTTP requests.

func NewTokenAuthController ¶

func NewTokenAuthController(persistor SessionPersistor, businessInstantiator func(authInfo *api.AuthInfo) (*business.Layer, error)) *tokenAuthController

NewTokenAuthController initializes a new controller for handling token authentication, with the given persistor and the given businessInstantiator. The businessInstantiator can be nil and the initialized contoller will use the business.Get function.

Types ¶

type AuthController ¶

type AuthController interface {
	// Authenticate handles an HTTP request that contains credentials. The method to pass the credentials
	// is chosen by the authentication controller implementation. The credentials are verified and if
	// it is supported by the controller, RBAC permissions are verified to ensure that the logging in user
	// has enough privileges to login to Kiali.
	// An AuthenticationFailureError is returned if the authentication request is rejected (unauthorized). Any
	// other kind of error means that something unexpected happened.
	Authenticate(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)

	// ValidateSession restores a session previously created by the Authenticate function. The validity of
	// the restored should be verified as much as possible by the implementing controllers.
	// If the session is still valid, a populated UserSessionData is returned. Otherwise, nil is returned.
	ValidateSession(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)

	// TerminateSession performs the needed procedures to terminate an existing session. If there is no
	// active session, nothing is performed. If there is some invalid session, it is cleared.
	TerminateSession(r *http.Request, w http.ResponseWriter)
}

AuthController is the interface that all Kiali authentication strategies should implement. An authentication controller is initialized during Kiali startup.

func GetAuthController ¶

func GetAuthController() AuthController

GetAuthController gets the authentication controller that is currently configured and handling user sessions and any authentication related requests.

type AuthenticationFailureError ¶

type AuthenticationFailureError struct {
	// A description of the authentication failure
	Reason string

	// Wraps the error causing the authentication failure
	Detail error
}

AuthenticationFailureError is a helper Error to assist callers of the TokenAuthController.Authenticate function in distinguishing between authentication failures and unexpected errors.

func (*AuthenticationFailureError) Error ¶

func (e *AuthenticationFailureError) Error() string

Error returns the string representation of an AuthenticationFailureError

type CookieSessionPersistor ¶

type CookieSessionPersistor struct{}

CookieSessionPersistor is a session storage based on browser cookies. Session persistence is achieved by storing all session data in browser cookies. Only client-side storage is used and no back-end storage is needed. Browser cookies have size constraints and the workaround for large session data/payload is using multiple cookies. There is still a (browser dependant) limit on the number of cookies that a website can set but we haven't heard of a user facing problems because of reaching this limit.

func (CookieSessionPersistor) CreateSession ¶

func (p CookieSessionPersistor) CreateSession(_ *http.Request, w http.ResponseWriter, strategy string, expiresOn time.Time, payload interface{}) error

CreateSession starts a user session using HTTP Cookies for persistance across HTTP requests. For improved security, the data of the session is encrypted using the AES-GCM algorithm and the encrypted data is what is sent in cookies. The strategy, expiresOn and payload arguments are all required.

func (CookieSessionPersistor) ReadSession ¶

func (p CookieSessionPersistor) ReadSession(r *http.Request, w http.ResponseWriter, payload interface{}) (*sessionData, error)

ReadSession restores (decrypts) and returns the data that was persisted when using the CreateSession function. If a payload is provided, the original data is parsed and stored in the payload argument. As part of restoring the session, validation of expiration time is performed and no data is returned assuming the session is stale. Also, it is verified that the currently configured authentication strategy is the same as when the session was created.

func (CookieSessionPersistor) TerminateSession ¶

func (p CookieSessionPersistor) TerminateSession(r *http.Request, w http.ResponseWriter)

TerminateSession destroys any persisted data of a session created by the CreateSession function. The session is terminated unconditionally (that is, there is no validation of the session), allowing clearing any stale cookies/session.

type SessionPersistor ¶

type SessionPersistor interface {
	CreateSession(r *http.Request, w http.ResponseWriter, strategy string, expiresOn time.Time, payload interface{}) error
	ReadSession(r *http.Request, w http.ResponseWriter, payload interface{}) (sData *sessionData, err error)
	TerminateSession(r *http.Request, w http.ResponseWriter)
}

type UserSessionData ¶

type UserSessionData struct {
	// The expired time for the token
	// A string with the Datetime when the token will be expired
	//
	// example: Thu, 07 Mar 2019 17:50:26 +0000
	// required: true
	ExpiresOn time.Time `json:"expiresOn"`

	// The username for the token
	// A string with the user's username
	//
	// example: admin
	// required: true
	Username string `json:"username"`

	// The authentication token
	// A string with the authentication token for the user
	//
	// example: zI1NiIsIsR5cCI6IkpXVCJ9.ezJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTI5NTIzNjU0fQ.PPZvRGnR6VA4v7FmgSfQcGQr-VD
	// required: true
	Token string
}

UserSessionData tokenResponse

This is used for returning the token ¶

swagger:model UserSessionData

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL