authentication

package
v1.86.0
Warning: This package is not in the latest version of its module.
Published: Jun 17, 2024 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Index

Constants

const (
	// OpenIdNonceCookieName is the cookie name used to store a nonce code
	// when user is starting authentication with the external server. This code
	// is used to mitigate replay attacks.
	OpenIdNonceCookieName = config.TokenCookieName + "-openid-nonce"

	// OpenIdServerCAFile is a certificate file used to connect to the OpenID server.
	// This is for cases when the authentication server is using TLS with a self-signed
	// certificate.
	OpenIdServerCAFile = "/kiali-cabundle/openid-server-ca.crt"
)
const (
	AESSessionCookieName       = config.TokenCookieName + "-aes"
	AESSessionChunksCookieName = config.TokenCookieName + "-chunks"
)
const SessionCookieMaxSize = 3584

SessionCookieMaxSize is the maximum size of session cookies. This is 3.5K. Major browsers limit cookie size to 4K, but this includes metadata like expiration date, the cookie name, etc. So use 3.5K for cookie data and leave 0.5K for metadata.
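The chunking that SessionCookieMaxSize exists for, as an added example in Go that is not Kiali's cookieSessionPersistor code: the session payload is sealed with AES-GCM, base64-encoded, split into cookies of at most 3584 bytes, and on the way back reassembled, authenticated, decrypted and checked against its expiry on the server. The "kiali-token" prefix (standing in for config.TokenCookieName), the "-<i>" naming of extra chunk cookies, the always-present chunks cookie, the sessionPayload shape and the sample inputs are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"time"
)

// Names follow the documented constants; "kiali-token" stands in for
// config.TokenCookieName, and the "-<i>" suffix on extra chunks is an assumption.
const (
	aesSessionCookieName = "kiali-token-aes"
	chunksCookieName     = "kiali-token-chunks"
	sessionCookieMaxSize = 3584
)

// sessionPayload is the constructed plaintext that gets encrypted into the cookie.
type sessionPayload struct {
	Strategy  string    `json:"strategy"`
	ExpiresOn time.Time `json:"expiresOn"`
	Token     string    `json:"token"`
}

// NewSessionAEAD builds the AES-GCM cipher once at startup from a 16/24/32-byte key.
func NewSessionAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// chunkCookieName keeps the documented name for the first chunk.
func chunkCookieName(i int) string {
	if i == 0 {
		return aesSessionCookieName
	}
	return fmt.Sprintf("%s-%d", aesSessionCookieName, i)
}

// CreateSession seals p (random nonce prepended) and writes the base64 ciphertext
// as cookies of at most sessionCookieMaxSize bytes, plus a chunks cookie that
// tells the reader how many pieces to reassemble. It returns the chunk count.
func CreateSession(w http.ResponseWriter, aead cipher.AEAD, p sessionPayload) (int, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return 0, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return 0, err
	}
	enc := base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, raw, nil))
	n := (len(enc) + sessionCookieMaxSize - 1) / sessionCookieMaxSize
	base := http.Cookie{Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode, Expires: p.ExpiresOn}
	for i := 0; i < n; i++ {
		end := (i + 1) * sessionCookieMaxSize
		if end > len(enc) {
			end = len(enc)
		}
		ck := base
		ck.Name, ck.Value = chunkCookieName(i), enc[i*sessionCookieMaxSize:end]
		http.SetCookie(w, &ck)
	}
	ck := base
	ck.Name, ck.Value = chunksCookieName, strconv.Itoa(n)
	http.SetCookie(w, &ck)
	return n, nil
}

// ReadSession reassembles the chunks, authenticates and decrypts them, and
// enforces the expiry server-side. It returns (nil, nil) when there is no session.
func ReadSession(r *http.Request, aead cipher.AEAD, now time.Time) (*sessionPayload, error) {
	cc, err := r.Cookie(chunksCookieName)
	if err != nil {
		return nil, nil
	}
	n, err := strconv.Atoi(cc.Value) // untrusted, but a wrong count only yields a missing chunk or a failed tag
	if err != nil || n < 1 {
		return nil, errors.New("invalid chunk count")
	}
	var enc string
	for i := 0; i < n; i++ {
		c, err := r.Cookie(chunkCookieName(i))
		if err != nil {
			return nil, errors.New("missing session chunk")
		}
		enc += c.Value
	}
	sealed, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("session cookie too short")
	}
	// Any modification of any chunk, or chunks out of order, fails the GCM tag check.
	raw, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("session cookie failed authentication")
	}
	var p sessionPayload
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	if !now.Before(p.ExpiresOn) {
		return nil, errors.New("session expired")
	}
	return &p, nil
}
```

Two things worth noting when reading this against the 3.5K figure above: the limit applies to each cookie's value, so a 6000-byte bearer token becomes three chunk cookies plus the count cookie, and the expiry is checked from the sealed payload rather than trusted from the browser's Expires handling, since the browser is the party that might replay an old cookie. The key must come from configuration and never be derived from anything a client can influence.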

Variables

var ContextKeyAuthInfo contextKey = "authInfo"

Functions

func GetAuthInfoContext added in v1.48.7

func GetAuthInfoContext(ctx context.Context) interface{}

func NewCookieSessionPersistor added in v1.84.0

func NewCookieSessionPersistor(conf *config.Config) *cookieSessionPersistor

func NewHeaderAuthController added in v1.49.0

func NewHeaderAuthController(persistor SessionPersistor, homeClusterSAClient kubernetes.ClientInterface) *headerAuthController

NewHeaderAuthController initializes a new controller that accepts requests which were already authenticated upstream (the 'header' strategy), using the given session persistor and the home-cluster service-account client.

func NewTokenAuthController

func NewTokenAuthController(persistor SessionPersistor, clientFactory kubernetes.ClientFactory, kialiCache cache.KialiCache, conf *config.Config) *tokenAuthController

NewTokenAuthController initializes a new controller for handling token authentication, using the given session persistor, Kubernetes client factory, Kiali cache and configuration.

func SetAuthInfoContext added in v1.48.7

func SetAuthInfoContext(ctx context.Context, value interface{}) context.Context

Types

type AuthController

type AuthController interface {
	// Authenticate handles an HTTP request that contains credentials. The method to pass the credentials
	// is chosen by the authentication controller implementation. The credentials are verified and if
	// it is supported by the controller, RBAC permissions are verified to ensure that the logging in user
	// has enough privileges to login to Kiali.
	// An AuthenticationFailureError is returned if the authentication request is rejected (unauthorized). Any
	// other kind of error means that something unexpected happened.
	Authenticate(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)

	// ValidateSession restores a session previously created by the Authenticate function. The validity of
	// the restored session should be verified as much as possible by the implementing controllers.
	// If the session is still valid, a populated UserSessionData is returned. Otherwise, nil is returned.
	ValidateSession(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)

	// TerminateSession performs the needed procedures to terminate an existing session. If there is no
	// active session, nothing is performed. If there is some invalid session, it is cleared.
	TerminateSession(r *http.Request, w http.ResponseWriter) error
}

AuthController is the interface that all Kiali authentication strategies should implement. An authentication controller is initialized during Kiali startup.

type AuthenticationFailureError

type AuthenticationFailureError struct {
	// Wraps the error causing the authentication failure
	Detail error

	// The status code that should have the HTTP response for this error.
	HttpStatus int

	// A description of the authentication failure
	Reason string
}

AuthenticationFailureError is a helper error type that lets callers of an AuthController's Authenticate function (for example TokenAuthController.Authenticate) distinguish authentication failures from unexpected errors.
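Using AuthenticationFailureError the way the sentence above intends, as an added example in Go that is not Kiali's handler code: the login handler returns a failure the controller chose to report to the client with its HttpStatus and Reason, even when it arrives wrapped, while any other error is treated as unexpected, logged with its detail and answered with a generic 500. The local type copies, the authenticator interface, staticAuth and the demo token are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"time"
)

// Local copies of the documented types so the example builds on its own
// (assumption: same fields as the package's AuthenticationFailureError and UserSessionData).
type AuthenticationFailureError struct {
	Detail     error
	HttpStatus int
	Reason     string
}

func (e *AuthenticationFailureError) Error() string {
	if e.Detail != nil {
		return fmt.Sprintf("%s: %v", e.Reason, e.Detail)
	}
	return e.Reason
}

type UserSessionData struct {
	ExpiresOn time.Time `json:"expiresOn"`
	Username  string    `json:"username"`
}

// authenticator is the part of AuthController a login endpoint needs.
type authenticator interface {
	Authenticate(r *http.Request, w http.ResponseWriter) (*UserSessionData, error)
}

// StatusFor decides what the client is told. An AuthenticationFailureError,
// even when wrapped with %w, carries a status and a Reason meant for the
// client; any other error is unexpected and must not leak its detail.
func StatusFor(err error) (status int, message string) {
	var af *AuthenticationFailureError
	if errors.As(err, &af) {
		if af.HttpStatus == 0 {
			return http.StatusUnauthorized, af.Reason
		}
		return af.HttpStatus, af.Reason
	}
	return http.StatusInternalServerError, "internal error"
}

// LoginHandler wires an authenticator to an HTTP endpoint.
func LoginHandler(a authenticator) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		session, err := a.Authenticate(r, w)
		if err != nil {
			status, msg := StatusFor(err)
			if status == http.StatusInternalServerError {
				log.Printf("login: unexpected error: %v", err) // full detail stays server-side
			}
			http.Error(w, msg, status)
			return
		}
		fmt.Fprintf(w, "welcome %s, session valid until %s\n", session.Username, session.ExpiresOn.Format(time.RFC1123Z))
	})
}

// staticAuth is a constructed authenticator for the demo: it accepts exactly one bearer token.
type staticAuth struct{ token string }

func (s staticAuth) Authenticate(r *http.Request, _ http.ResponseWriter) (*UserSessionData, error) {
	got := r.Header.Get("Authorization")
	if got == "" {
		return nil, &AuthenticationFailureError{HttpStatus: http.StatusUnauthorized, Reason: "missing credentials"}
	}
	if got != "Bearer "+s.token {
		// Wrapped on purpose: errors.As in StatusFor still finds it.
		return nil, fmt.Errorf("login: %w", &AuthenticationFailureError{
			HttpStatus: http.StatusUnauthorized, Reason: "invalid token", Detail: errors.New("token mismatch")})
	}
	return &UserSessionData{Username: "admin", ExpiresOn: time.Now().Add(time.Hour)}, nil
}

func main() {
	http.Handle("/api/authenticate", LoginHandler(staticAuth{token: "demo-token"}))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Because Error is defined on the pointer receiver (as the documentation for this type shows), errors.As must be given a `*AuthenticationFailureError` target; a value target would never match.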

func (*AuthenticationFailureError) Error

Error returns the string representation of an AuthenticationFailureError

type OpenIdAuthController added in v1.48.0

type OpenIdAuthController struct {
	// SessionStore persists the session between HTTP requests.
	SessionStore SessionPersistor
	// contains filtered or unexported fields
}

OpenIdAuthController contains the backing logic to implement Kiali's "openid" authentication strategy. Only the authorization code flow is implemented.

RBAC is supported, but it requires the cluster itself to be configured with OpenId integration; for simpler setups, RBAC can be turned off.

func NewOpenIdAuthController added in v1.48.0

func NewOpenIdAuthController(persistor SessionPersistor, kialiCache cache.KialiCache, clientFactory kubernetes.ClientFactory, conf *config.Config) *OpenIdAuthController

NewOpenIdAuthController initializes a new controller for handling OpenId authentication, using the given session persistor, Kiali cache, Kubernetes client factory and configuration.

func (OpenIdAuthController) Authenticate added in v1.48.0

Authenticate was the entry point to handle OpenId authentication using the implicit flow. Support for the implicit flow has been removed. This is left here, because the "Authenticate" function is required by the AuthController interface which must be implemented by all auth controllers. So, this simply returns an error.

func (OpenIdAuthController) GetAuthCallbackHandler added in v1.48.0

func (c OpenIdAuthController) GetAuthCallbackHandler(fallbackHandler http.Handler) http.Handler

GetAuthCallbackHandler returns a http handler for authentication requests done to Kiali's web_root. This handler catches callbacks from the OpenId server. If it cannot be determined that the request is a callback from the authentication server, the request is passed to the fallbackHandler.

func (OpenIdAuthController) PostRoutes added in v1.48.0

func (c OpenIdAuthController) PostRoutes(router *mux.Router)

PostRoutes adds the additional endpoints needed on Kiali's router to properly enable OpenId authentication. Only one new route is added: a redirection from Kiali to the OpenId server that initiates authentication.

func (OpenIdAuthController) TerminateSession added in v1.48.0

func (c OpenIdAuthController) TerminateSession(r *http.Request, w http.ResponseWriter) error

TerminateSession unconditionally terminates any existing session without any validation.

func (OpenIdAuthController) ValidateSession added in v1.48.0

ValidateSession restores a session previously created by the Authenticate function. A sanity check of the id_token is performed if Kiali is not configured to use the access_token. Also, if RBAC is enabled, a privilege check is performed to verify that the user still has privileges to use Kiali. If the session is still valid, a populated UserSessionData is returned. Otherwise, nil is returned.

type OpenshiftAuthController added in v1.84.0

type OpenshiftAuthController struct {
	// SessionStore persists the session between HTTP requests.
	SessionStore SessionPersistor
	// contains filtered or unexported fields
}

OpenshiftAuthController contains the backing logic to implement Kiali's "openshift" authentication strategy. This authentication strategy is basically an implementation of OAuth's authorization code flow with the specifics of OpenShift.

Alternatively, a 3rd party may control the session. In that case Kiali can receive an OpenShift token via the "Authorization" HTTP header or via the "oauth_token" URL parameter. Tokens received from 3rd parties are not persisted with Kiali's active persistor, because that would collide with and replace an existing Kiali session; it is assumed that the 3rd party has its own persistence mechanism (similarly to how 'header' auth works).

func NewOpenshiftAuthController added in v1.49.0

func NewOpenshiftAuthController(persistor SessionPersistor, openshiftOAuth *business.OpenshiftOAuthService, conf *config.Config) (*OpenshiftAuthController, error)

NewOpenshiftAuthController initializes a new controller for handling OpenShift authentication, using the given session persistor, OpenShift OAuth service and configuration.

func (OpenshiftAuthController) Authenticate added in v1.84.0

Authenticate handles an HTTP request that carries the access_token and expires_in URL parameters. access_token should be the token obtained from the OpenShift OAuth server and expires_in the expiration date-time of that token. The token is validated by fetching the user information tied to it. Although RBAC is always assumed when using OpenShift, privileges are not checked here.

func (OpenshiftAuthController) GetAuthCallbackHandler added in v1.84.0

func (c OpenshiftAuthController) GetAuthCallbackHandler(fallbackHandler http.Handler) http.Handler

GetAuthCallbackHandler will attempt to extract the nonce cookie and the code from the request. If neither one is present then it is assumed that the request is not a callback from the OAuth provider and the fallbackHandler is called instead. TODO: Supporting a separate login route for Kiali would obviate the need for the fallbackHandler.

func (OpenshiftAuthController) PostRoutes added in v1.84.0

func (c OpenshiftAuthController) PostRoutes(router *mux.Router)

PostRoutes adds the additional endpoints needed on Kiali's router to properly enable OpenShift authentication. Only one new route is added: a redirection from Kiali to the OpenShift OAuth server that initiates authentication.
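How the nonce cookie (OpenIdNonceCookieName, described under Constants), the single redirect route that PostRoutes adds, and the callback handler returned by GetAuthCallbackHandler fit together, as an added example in Go rather than code from Kiali's OpenIdAuthController or OpenshiftAuthController. The login route sets the nonce cookie and redirects to the provider with a state bound to that nonce; the callback handler applies the documented rule (neither a code nor a nonce cookie: hand the request to fallbackHandler; otherwise verify the state against the cookie and clear the cookie). The provider URL, client id, redirect URI, the "kiali-token" cookie prefix, deriving state as the SHA-256 of the nonce, and the onCode callback are assumptions of this example; the code exchange and the id_token nonce check are left to onCode.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Assumption: config.TokenCookieName is "kiali-token", so the nonce cookie follows the documented suffix.
const openIdNonceCookieName = "kiali-token-openid-nonce"

// oidcLogin holds the parameters of a hypothetical authorization-code client.
type oidcLogin struct {
	AuthorizeURL string // the provider's authorization endpoint
	ClientID     string
	RedirectURI  string // Kiali's web root, where the provider sends the browser back
}

func randomNonce() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// stateFor derives the OAuth state from the nonce (this example's choice): the
// browser keeps the nonce in a cookie and the provider round-trips only its hash,
// so a state value copied from a URL or a referrer log is useless without the cookie.
func stateFor(nonce string) string {
	sum := sha256.Sum256([]byte(nonce))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// RedirectHandler is the one route PostRoutes adds: set the nonce cookie, then
// send the browser to the provider with state and nonce bound to it.
func (o oidcLogin) RedirectHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := randomNonce()
		if err != nil {
			http.Error(w, "cannot generate nonce", http.StatusInternalServerError)
			return
		}
		// SameSite=Lax, not Strict: the callback is a top-level cross-site GET from the
		// provider, and browsers withhold Strict cookies on that navigation.
		http.SetCookie(w, &http.Cookie{Name: openIdNonceCookieName, Value: nonce, Path: "/", HttpOnly: true,
			Secure: true, SameSite: http.SameSiteLaxMode, Expires: time.Now().Add(10 * time.Minute)})
		q := url.Values{"response_type": {"code"}, "client_id": {o.ClientID}, "redirect_uri": {o.RedirectURI},
			"scope": {"openid"}, "state": {stateFor(nonce)}, "nonce": {nonce}}
		http.Redirect(w, r, o.AuthorizeURL+"?"+q.Encode(), http.StatusFound)
	})
}

// CallbackHandler applies the documented rule: with neither a code nor a nonce
// cookie the request is not a callback and goes to fallback. Otherwise the state
// must match the cookie, and the cookie is cleared so it is single-use. onCode
// receives the authorization code (token exchange and id_token checks live there).
func (o oidcLogin) CallbackHandler(fallback http.Handler, onCode func(code string) error) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code := r.URL.Query().Get("code")
		cookie, cookieErr := r.Cookie(openIdNonceCookieName)
		if code == "" && cookieErr != nil {
			fallback.ServeHTTP(w, r)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: openIdNonceCookieName, Value: "", Path: "/", HttpOnly: true, Secure: true, MaxAge: -1})
		if code == "" || cookieErr != nil {
			http.Error(w, "incomplete authorization callback", http.StatusBadRequest)
			return
		}
		want, got := []byte(stateFor(cookie.Value)), []byte(r.URL.Query().Get("state"))
		if subtle.ConstantTimeCompare(want, got) != 1 {
			http.Error(w, "state does not match the login nonce", http.StatusForbidden)
			return
		}
		if err := onCode(code); err != nil {
			http.Error(w, "authentication failed", http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, "logged in")
	})
}

func main() {
	o := oidcLogin{AuthorizeURL: "https://idp.example/authorize", ClientID: "kiali", RedirectURI: "https://kiali.example/"}
	ui := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "Kiali UI would be served here") })
	http.Handle("/login", o.RedirectHandler())
	http.Handle("/", o.CallbackHandler(ui, func(code string) error { return nil })) // demo: accept any code
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

A request that carries a stale nonce cookie but no code (an abandoned login, or a provider error response) is deliberately treated as a malformed callback rather than passed to the fallback, and it still clears the cookie. The nonce sent in the authorization request must also be compared against the nonce claim of the id_token obtained during the exchange; that comparison belongs in onCode and is what stops a captured code from being replayed with a fresh cookie.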

func (OpenshiftAuthController) TerminateSession added in v1.84.0

func (o OpenshiftAuthController) TerminateSession(r *http.Request, w http.ResponseWriter) error

TerminateSession terminates the session created by the Authenticate function. To properly clean up, the OpenShift access_token is revoked/deleted by calling the relevant OpenShift API. If that call fails, the session is not cleared and an error is returned. The cleanup assumes the access_token was issued to be used only in Kiali.

func (OpenshiftAuthController) ValidateSession added in v1.84.0

ValidateSession restores a session previously created by the Authenticate function. The user token (access_token) is revalidated by re-fetching user info from the cluster, to ensure that the token hasn't been revoked. If the session is still valid, a populated UserSessionData is returned. Otherwise, nil is returned.

type SessionPersistor

type SessionPersistor interface {
	CreateSession(r *http.Request, w http.ResponseWriter, strategy string, expiresOn time.Time, payload interface{}) error
	ReadSession(r *http.Request, w http.ResponseWriter, payload interface{}) (sData *sessionData, err error)
	TerminateSession(r *http.Request, w http.ResponseWriter)
}

type TerminateSessionError added in v1.49.0

type TerminateSessionError struct {
	// A description of the error.
	Message string

	// The HTTP Status code that should be sent to the client.
	HttpStatus int
}

TerminateSessionError is a helper type implementing the error interface. Its main goal is to pass the right HTTP status code that should be sent to the client if a session Logout operation fails.

func (TerminateSessionError) Error added in v1.49.0

func (e TerminateSessionError) Error() string

Error returns the string representation of an instance of TerminateSessionError.

type UserSessionData

type UserSessionData struct {
	// The expiry time for the token
	// A string with the date-time at which the token expires
	//
	// example: Thu, 07 Mar 2019 17:50:26 +0000
	// required: true
	ExpiresOn time.Time `json:"expiresOn"`

	// The username for the token
	// A string with the user's username
	//
	// example: admin
	// required: true
	Username string `json:"username"`

	// The authentication information of the user to access the cluster API
	// It is usually only a bearer token that can be used to connect to the cluster API.
	// However, it is possible to add more options, like impersonation attributes.
	//
	// required: true
	AuthInfo *api.AuthInfo `json:"-"`
}

UserSessionData is used for returning the token to the client after a successful login. swagger:model UserSessionData
