Documentation
Index
- Constants
- Variables
- func GetAuthInfoContext(ctx context.Context) interface{}
- func InitializeAuthenticationController(strategy string)
- func NewHeaderAuthController(persistor SessionPersistor, ...) *headerAuthController
- func NewOpenshiftAuthController(persistor SessionPersistor, ...) *openshiftAuthController
- func NewTokenAuthController(persistor SessionPersistor, ...) *tokenAuthController
- func SetAuthInfoContext(ctx context.Context, value interface{}) context.Context
- type AuthController
- type AuthenticationFailureError
- type CookieSessionPersistor
- func (p CookieSessionPersistor) CreateSession(_ *http.Request, w http.ResponseWriter, strategy string, expiresOn time.Time, ...) error
- func (p CookieSessionPersistor) ReadSession(r *http.Request, w http.ResponseWriter, payload interface{}) (*sessionData, error)
- func (p CookieSessionPersistor) TerminateSession(r *http.Request, w http.ResponseWriter)
- type OpenIdAuthController
- func (c OpenIdAuthController) Authenticate(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)
- func (c OpenIdAuthController) GetAuthCallbackHandler(fallbackHandler http.Handler) http.Handler
- func (c OpenIdAuthController) PostRoutes(router *mux.Router)
- func (c OpenIdAuthController) TerminateSession(r *http.Request, w http.ResponseWriter) error
- func (c OpenIdAuthController) ValidateSession(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)
- type SessionPersistor
- type TerminateSessionError
- type UserSessionData
Constants
const (
	// OpenIdNonceCookieName is the cookie name used to store a nonce code
	// when user is starting authentication with the external server. This code
	// is used to mitigate replay attacks.
	OpenIdNonceCookieName = config.TokenCookieName + "-openid-nonce"

	// OpenIdServerCAFile is a certificate file used to connect to the OpenID server.
	// This is for cases when the authentication server is using TLS with a self-signed
	// certificate.
	OpenIdServerCAFile = "/kiali-cabundle/openid-server-ca.crt"
)
const (
	AESSessionCookieName       = config.TokenCookieName + "-aes"
	AESSessionChunksCookieName = config.TokenCookieName + "-chunks"
)
const SessionCookieMaxSize = 3584
SessionCookieMaxSize is the maximum size of session cookies. This is 3.5K. Major browsers limit cookie size to 4K, but this includes metadata like expiration date, the cookie name, etc. So use 3.5K for cookie data and leave 0.5K for metadata.
Variables
var ContextKeyAuthInfo contextKey = "authInfo"
Functions
func GetAuthInfoContext added in v1.48.7
func InitializeAuthenticationController
func InitializeAuthenticationController(strategy string)
InitializeAuthenticationController initializes the authentication controller associated to the given strategy and prepares it to control user sessions and handle authentication requests. This should be called during Kiali startup, before starting to listen to HTTP requests.
func NewHeaderAuthController added in v1.49.0
func NewHeaderAuthController(persistor SessionPersistor, businessInstantiator func(authInfo *api.AuthInfo) (*business.Layer, error)) *headerAuthController
NewHeaderAuthController initializes a new controller for allowing already authenticated requests, with the given persistor and the given businessInstantiator. The businessInstantiator can be nil and the initialized controller will use the business.Get function.
func NewOpenshiftAuthController added in v1.49.0
func NewOpenshiftAuthController(persistor SessionPersistor, businessInstantiator func(authInfo *api.AuthInfo) (*business.Layer, error)) *openshiftAuthController
NewOpenshiftAuthController initializes a new controller for handling OpenShift authentication, with the given persistor and the given businessInstantiator. The businessInstantiator can be nil and the initialized controller will use the business.Get function.
func NewTokenAuthController
func NewTokenAuthController(persistor SessionPersistor, businessInstantiator func(authInfo *api.AuthInfo) (*business.Layer, error)) *tokenAuthController
NewTokenAuthController initializes a new controller for handling token authentication, with the given persistor and the given businessInstantiator. The businessInstantiator can be nil and the initialized controller will use the business.Get function.
Types
type AuthController
type AuthController interface {
	// Authenticate handles an HTTP request that contains credentials. The method to pass the credentials
	// is chosen by the authentication controller implementation. The credentials are verified and, if
	// it is supported by the controller, RBAC permissions are verified to ensure that the logging in user
	// has enough privileges to login to Kiali.
	// An AuthenticationFailureError is returned if the authentication request is rejected (unauthorized). Any
	// other kind of error means that something unexpected happened.
	Authenticate(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)

	// ValidateSession restores a session previously created by the Authenticate function. The validity of
	// the restored session should be verified as much as possible by the implementing controllers.
	// If the session is still valid, a populated UserSessionData is returned. Otherwise, nil is returned.
	ValidateSession(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)

	// TerminateSession performs the needed procedures to terminate an existing session. If there is no
	// active session, nothing is performed. If there is some invalid session, it is cleared.
	TerminateSession(r *http.Request, w http.ResponseWriter) error
}
AuthController is the interface that all Kiali authentication strategies should implement. An authentication controller is initialized during Kiali startup.
func GetAuthController
func GetAuthController() AuthController
GetAuthController gets the authentication controller that is currently configured and handling user sessions and any authentication related requests.
type AuthenticationFailureError
type AuthenticationFailureError struct {
	// Wraps the error causing the authentication failure
	Detail error
	// The status code that should have the HTTP response for this error.
	HttpStatus int
	// A description of the authentication failure
	Reason string
}
AuthenticationFailureError is a helper Error to assist callers of the TokenAuthController.Authenticate function in distinguishing between authentication failures and unexpected errors.
func (*AuthenticationFailureError) Error
func (e *AuthenticationFailureError) Error() string
Error returns the string representation of an AuthenticationFailureError.
type CookieSessionPersistor
type CookieSessionPersistor struct{}
CookieSessionPersistor is a session storage based on browser cookies. Session persistence is achieved by storing all session data in browser cookies. Only client-side storage is used and no back-end storage is needed. Browser cookies have size constraints and the workaround for large session data/payload is using multiple cookies. There is still a (browser dependent) limit on the number of cookies that a website can set, but we haven't heard of a user facing problems because of reaching this limit.
func (CookieSessionPersistor) CreateSession
func (p CookieSessionPersistor) CreateSession(_ *http.Request, w http.ResponseWriter, strategy string, expiresOn time.Time, payload interface{}) error
CreateSession starts a user session using HTTP cookies for persistence across HTTP requests. For improved security, the session data is encrypted using the AES-GCM algorithm and only the encrypted data is sent in cookies. The strategy, expiresOn and payload arguments are all required.
func (CookieSessionPersistor) ReadSession
func (p CookieSessionPersistor) ReadSession(r *http.Request, w http.ResponseWriter, payload interface{}) (*sessionData, error)
ReadSession restores (decrypts) and returns the data that was persisted by the CreateSession function. If a payload is provided, the original data is parsed and stored in the payload argument. As part of restoring the session, the expiration time is validated and no data is returned for a stale (expired) session. It is also verified that the currently configured authentication strategy is the same as when the session was created.
func (CookieSessionPersistor) TerminateSession
func (p CookieSessionPersistor) TerminateSession(r *http.Request, w http.ResponseWriter)
TerminateSession destroys any persisted data of a session created by the CreateSession function. The session is terminated unconditionally (that is, there is no validation of the session), which allows clearing any stale cookies or session.
type OpenIdAuthController added in v1.48.0
type OpenIdAuthController struct {
	// SessionStore persists the session between HTTP requests.
	SessionStore SessionPersistor
	// contains filtered or unexported fields
}
OpenIdAuthController contains the backing logic to implement Kiali's "openid" authentication strategy. The implicit flow and the authorization code flow are implemented.
RBAC is supported, although it requires that the cluster is configured with OpenId integration. Thus, it is possible to turn off RBAC for simpler setups.
func NewOpenIdAuthController added in v1.48.0
func NewOpenIdAuthController(persistor SessionPersistor, businessInstantiator func(authInfo *api.AuthInfo) (*business.Layer, error)) *OpenIdAuthController
NewOpenIdAuthController initializes a new controller for handling openid authentication, with the given persistor and the given businessInstantiator. The businessInstantiator can be nil and the initialized controller will use the business.Get function.
func (OpenIdAuthController) Authenticate added in v1.48.0
func (c OpenIdAuthController) Authenticate(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)
Authenticate is the entry point to handle OpenId authentication using the implicit flow. The HTTP request should contain "id_token" and "state" as URL parameters. If RBAC is enabled, the id_token should be valid to be used in the Kubernetes API (thus, privileges are verified to allow login); else, only token validity is checked and users will share the same privileges. An AuthenticationFailureError is returned if the authentication failed. Any other kind of error means that something unexpected happened.
func (OpenIdAuthController) GetAuthCallbackHandler added in v1.48.0
func (c OpenIdAuthController) GetAuthCallbackHandler(fallbackHandler http.Handler) http.Handler
GetAuthCallbackHandler returns an http handler for authentication requests done to Kiali's web_root. This handler catches callbacks from the OpenId server. If it cannot be determined that the request is a callback from the authentication server, the request is passed to the fallbackHandler.
func (OpenIdAuthController) PostRoutes added in v1.48.0
func (c OpenIdAuthController) PostRoutes(router *mux.Router)
PostRoutes adds the additional endpoints needed on Kiali's router in order to properly enable OpenId authentication. Only one new route is added, which redirects from Kiali to the OpenId server to initiate authentication.
func (OpenIdAuthController) TerminateSession added in v1.48.0
func (c OpenIdAuthController) TerminateSession(r *http.Request, w http.ResponseWriter) error
TerminateSession unconditionally terminates any existing session without any validation.
func (OpenIdAuthController) ValidateSession added in v1.48.0
func (c OpenIdAuthController) ValidateSession(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)
ValidateSession restores a session previously created by the Authenticate function. A sanity check of the id_token is performed if Kiali is not configured to use the access_token. Also, if RBAC is enabled, a privilege check is performed to verify that the user still has privileges to use Kiali. If the session is still valid, a populated UserSessionData is returned. Otherwise, nil is returned.
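As an added example (not Kiali's code) of the replay protection that the OpenIdNonceCookieName comment and Authenticate describe: a random nonce is issued in an HttpOnly cookie when the flow starts, and on the implicit-flow callback the id_token's nonce claim is compared with that cookie in constant time and the token's exp is checked. The cookie-name prefix, the claim layout and the function names are assumptions, and the example reads claims without verifying the token's signature, which a real controller must do first.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Assumed cookie name; the package derives its OpenIdNonceCookieName from config.TokenCookieName.
const openIdNonceCookieName = "kiali-token-openid-nonce"
// newNonceCookie mints an unguessable nonce and returns the HttpOnly cookie the browser must
// carry back to the callback so the returned id_token can be tied to the session that started it.
func newNonceCookie(expires time.Time) *http.Cookie {
	b := make([]byte, 32)
	_, _ = rand.Read(b) // crypto/rand.Read never returns an error since Go 1.24
	return &http.Cookie{Name: openIdNonceCookieName, Value: base64.RawURLEncoding.EncodeToString(b),
		Expires: expires, Path: "/", HttpOnly: true, Secure: true}
}

// checkCallbackNonce applies the replay check on the callback: the id_token's nonce claim must equal the cookie
// value (constant-time compare) and the token must not be expired. Signature verification is assumed to run first.
func checkCallbackNonce(idToken, cookieNonce string, now time.Time) error {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return errors.New("id_token is not in JWS compact form")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return errors.New("id_token payload is not base64url")
	}
	var c struct {
		Nonce string `json:"nonce"`
		Exp   int64  `json:"exp"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return err
	}
	if c.Nonce == "" || subtle.ConstantTimeCompare([]byte(c.Nonce), []byte(cookieNonce)) != 1 {
		return errors.New("nonce mismatch: id_token was not issued for this browser session")
	}
	if now.Unix() >= c.Exp {
		return errors.New("id_token expired")
	}
	return nil
}
```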
type SessionPersistor
type SessionPersistor interface {
	CreateSession(r *http.Request, w http.ResponseWriter, strategy string, expiresOn time.Time, payload interface{}) error
	ReadSession(r *http.Request, w http.ResponseWriter, payload interface{}) (sData *sessionData, err error)
	TerminateSession(r *http.Request, w http.ResponseWriter)
}
type TerminateSessionError added in v1.49.0
type TerminateSessionError struct {
	// A description of the error.
	Message string
	// The HTTP Status code that should be sent to the client.
	HttpStatus int
}
TerminateSessionError is a helper type implementing the error interface. Its main goal is to pass the right HTTP status code that should be sent to the client if a session Logout operation fails.
func (TerminateSessionError) Error added in v1.49.0
func (e TerminateSessionError) Error() string
Error returns the string representation of an instance of TerminateSessionError.
type UserSessionData
type UserSessionData struct {
	// The expired time for the token
	// A string with the Datetime when the token will be expired
	//
	// example: Thu, 07 Mar 2019 17:50:26 +0000
	// required: true
	ExpiresOn time.Time `json:"expiresOn"`

	// The username for the token
	// A string with the user's username
	//
	// example: admin
	// required: true
	Username string `json:"username"`

	// The authentication information of the user to access the cluster API
	// It is usually only a bearer token that can be used to connect to the cluster API.
	// However, it is possible to add more options, like impersonation attributes.
	//
	// required: true
	AuthInfo *api.AuthInfo `json:"-"`
}
UserSessionData (swagger model userSessionData) is used for returning the token.
swagger:model UserSessionData