Constants ¶
const (
	// HTTPAuthorizationBasePath is the base URL path of the HTTP authorization endpoint.
	HTTPAuthorizationBasePath = "/check"
	// X_EXT_AUTH_REASON_HEADER names the response header that carries the
	// external-auth reason back to the caller (presumably the denial reason —
	// confirm where it is set).
	X_EXT_AUTH_REASON_HEADER = "X-Ext-Auth-Reason"
	// ENVOY_TRACE_REQUEST_ID_HEADER names the request-id header used to correlate
	// a check with the proxy's trace of the request.
	ENVOY_TRACE_REQUEST_ID_HEADER = "X-Request-Id"
	// RESPONSE_MESSAGE_INVALID_REQUEST is the message returned for a malformed check request.
	RESPONSE_MESSAGE_INVALID_REQUEST = "Invalid request"
	// RESPONSE_MESSAGE_SERVICE_NOT_FOUND is the message returned when no service
	// (authconfig) matches the request; presumably looked up by X_LOOKUP_KEY_NAME — confirm.
	RESPONSE_MESSAGE_SERVICE_NOT_FOUND = "Service not found"
	// HTTP_MESSAGE_400 .. HTTP_MESSAGE_503 are the bodies of the HTTP error responses.
	HTTP_MESSAGE_400 = "bad request"
	HTTP_MESSAGE_404 = "not found"
	// HTTP_MESSAGE_413 is returned when the request body exceeds the accepted size;
	// the limit itself is not defined in this block.
	HTTP_MESSAGE_413 = "request body too large"
	HTTP_MESSAGE_503 = "service unavailable"
	// X_LOOKUP_KEY_NAME is the request attribute name used as the lookup key for
	// selecting the authconfig to apply.
	X_LOOKUP_KEY_NAME = "host"
)
const OIDCBasePath = "/"
Functions ¶
func NewAuthPipeline ¶
func NewAuthPipeline(parentCtx gocontext.Context, req *envoy_auth.CheckRequest, authConfig evaluators.AuthConfig) auth.AuthPipeline
NewAuthPipeline creates an AuthPipeline instance
func NewAuthorizationJSON ¶ added in v0.15.0
func NewAuthorizationJSON(request *envoy_auth.CheckRequest, authPipeline map[string]any) string
Types ¶
type AuthAttributes ¶ added in v0.15.0
// AuthAttributes groups the objects produced by the auth pipeline for one request:
// the verified identity, fetched metadata, authorization results, exported
// response objects and callback results. Only results of granted access are
// expected here (see the Authorization field).
type AuthAttributes struct {
	// Single resolved identity object, post-identity verification
	Identity any `json:"identity,omitempty"`
	// External metadata fetched
	Metadata map[string]any `json:"metadata,omitempty"`
	// Authorization results resolved by each authorization rule, access granted only
	Authorization map[string]any `json:"authorization,omitempty"`
	// Response objects exported by the auth service post-access granted
	Response map[string]any `json:"response,omitempty"`
	// Response objects returned by the callback requests issued by the auth service
	Callbacks map[string]any `json:"callbacks,omitempty"`
}
type AuthPipeline ¶
// AuthPipeline evaluates the context of an auth request against the authconfigs
// defined for the requested API. Identity, ad hoc metadata and authorization
// policies are evaluated in turn and the resulting objects are stored in the
// respective maps, keyed by the evaluator config that produced them.
type AuthPipeline struct {
	// Context bounds the evaluation of the pipeline.
	Context gocontext.Context
	// Request is the incoming Envoy check request being evaluated (see GetRequest/GetHttp).
	Request *envoy_auth.CheckRequest
	// AuthConfig is the authconfig selected for this request.
	AuthConfig *evaluators.AuthConfig
	// Per-phase results, keyed by the config of the evaluator that produced the object.
	Identity      map[*evaluators.IdentityConfig]interface{}
	Metadata      map[*evaluators.MetadataConfig]interface{}
	Authorization map[*evaluators.AuthorizationConfig]interface{}
	Response      map[*evaluators.ResponseConfig]interface{}
	Callbacks     map[*evaluators.CallbackConfig]interface{}
	Logger        log.Logger
	// contains filtered or unexported fields
}
AuthPipeline evaluates the context of an auth request against the authconfigs defined for the requested API. Throughout the pipeline, user identity, ad hoc metadata and authorization policies are evaluated and their corresponding resulting objects are stored in the respective maps.
func (*AuthPipeline) Evaluate ¶
func (pipeline *AuthPipeline) Evaluate() auth.AuthResult
Evaluate evaluates all steps of the auth pipeline (identity → metadata → policy enforcement)
func (*AuthPipeline) GetAPI ¶
func (pipeline *AuthPipeline) GetAPI() interface{}
func (*AuthPipeline) GetAuthorizationJSON ¶ added in v0.6.0
func (pipeline *AuthPipeline) GetAuthorizationJSON() string
func (*AuthPipeline) GetHttp ¶
func (pipeline *AuthPipeline) GetHttp() *envoy_auth.AttributeContext_HttpRequest
func (*AuthPipeline) GetRequest ¶
func (pipeline *AuthPipeline) GetRequest() *envoy_auth.CheckRequest
func (*AuthPipeline) GetResolvedIdentity ¶
func (pipeline *AuthPipeline) GetResolvedIdentity() (interface{}, interface{})
type AuthService ¶
AuthService is the server API for the authorization service.
func NewAuthService ¶ added in v0.10.0
func (*AuthService) Check ¶
func (a *AuthService) Check(parentContext gocontext.Context, req *envoy_auth.CheckRequest) (*envoy_auth.CheckResponse, error)
Check performs authorization check based on the attributes associated with the incoming request, and returns status `OK` or not `OK`.
func (*AuthService) ServeHTTP ¶ added in v0.9.0
func (a *AuthService) ServeHTTP(resp http.ResponseWriter, req *http.Request)
ServeHTTP invokes the authorization check for a simple GET/POST HTTP authorization request. The Content-Type header must be 'application/json'. The body can be any JSON object; in case the input is a Kubernetes AdmissionReview resource, the response is compatible with the Dynamic Admission API.
type DestinationAttributes ¶ added in v0.15.0
// DestinationAttributes describes the local (destination) peer of the downstream
// connection, as reported by the proxy in its AttributeContext (see
// NewWellKnownAttributes). The identity fields are asserted by the proxy from
// the connection, not by this package.
type DestinationAttributes struct {
	// Downstream connection local address
	Address string `json:"address,omitempty"`
	// Downstream connection local port e.g. 9090
	Port int32 `json:"port,omitempty"`
	// The canonical service name of the peer e.g. "foo.default.svc.cluster.local"
	Service string `json:"service,omitempty"`
	// The labels associated with the peer. These could be pod labels for Kubernetes or tags for VMs. The source of the
	// labels could be an X.509 certificate or other configuration.
	Labels map[string]string `json:"labels,omitempty"`
	// The authenticated identity of this peer. If an X.509 certificate is used to assert the identity in the proxy, this
	// field is sourced from "URI Subject Alternative Names", "DNS Subject Alternate Names" or "Subject" in that order.
	// The format is issuer specific - e.g. SPIFFE format is spiffe://trust-domain/path, Google account format is https://accounts.google.com/{userid}.
	Principal string `json:"principal,omitempty"`
	// The X.509 certificate used to authenticate the identity of this peer. When present, the certificate contents are encoded in URL and PEM format.
	Certificate string `json:"certificate,omitempty"`
}
type EvaluationResponse ¶
// EvaluationResponse is the outcome of running one evaluator of the auth pipeline.
type EvaluationResponse struct {
	// Evaluator is the evaluator that produced this response.
	Evaluator auth.AuthConfigEvaluator
	// Object is the resolved object; its shape depends on the evaluator.
	Object interface{}
	// Error is the evaluation error; presumably nil on success (see Success and GetErrorMessage).
	Error error
}
func (*EvaluationResponse) GetErrorMessage ¶
func (evresp *EvaluationResponse) GetErrorMessage() string
func (*EvaluationResponse) Success ¶
func (evresp *EvaluationResponse) Success() bool
type HealthService ¶
// HealthService is the server API for the gRPC health service.
type HealthService struct{}
HealthService is the server API for the gRPC health service
func (*HealthService) Check ¶
func (hs *HealthService) Check(ctx context.Context, in *healthpb.HealthCheckRequest) (*healthpb.HealthCheckResponse, error)
Check performs a health check of the gRPC service.
func (*HealthService) Watch ¶
func (hs *HealthService) Watch(in *healthpb.HealthCheckRequest, srv healthpb.Health_WatchServer) error
Watch is the streaming health-check endpoint (not yet implemented).
type OidcService ¶ added in v0.2.0
OidcService implements an HTTP server for OpenID Connect Discovery
func (*OidcService) ServeHTTP ¶ added in v0.2.0
func (o *OidcService) ServeHTTP(writer http.ResponseWriter, req *http.Request)
type RequestAttributes ¶ added in v0.15.0
// RequestAttributes describes the incoming HTTP request as reported by the proxy
// (see NewWellKnownAttributes). Headers, path, query and body are client-supplied
// values relayed by the proxy; only the proxy-derived fields (Id, Time, Size,
// ContextExtensions) originate from the proxy itself.
type RequestAttributes struct {
	// Request ID corresponding to x-request-id header value
	Id string `json:"id,omitempty"`
	// Time of the first byte received
	Time *timestamp.Timestamp `json:"time,omitempty"`
	// Request protocol ("HTTP/1.0", "HTTP/1.1", "HTTP/2", or "HTTP/3")
	Protocol string `json:"protocol,omitempty"`
	// The scheme portion of the URL e.g. "http"
	Scheme string `json:"scheme,omitempty"`
	// The host portion of the URL e.g. "example.com"
	Host string `json:"host,omitempty"`
	// Request method e.g. "GET"
	Method string `json:"method,omitempty"`
	// The path portion of the URL e.g. "/foo?bar=baz"
	Path string `json:"path,omitempty"`
	// The path portion of the URL without the query string e.g. "/foo"
	URLPath string `json:"url_path,omitempty"`
	// The query portion of the URL in the format of "name1=value1&name2=value2"
	Query string `json:"query,omitempty"`
	// All request headers indexed by the lower-cased header name e.g. "accept-encoding": "gzip"
	Headers map[string]string `json:"headers,omitempty"`
	// Referer request header e.g. "https://www.kuadrant.io/"
	Referer string `json:"referer,omitempty"`
	// User agent request header e.g. "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/..."
	UserAgent string `json:"user_agent,omitempty"`
	// The HTTP request size in bytes. If unknown, it must be -1 e.g. 1234
	Size int64 `json:"size,omitempty"`
	// The HTTP request body. (Disabled by default. Requires additional proxy configuration to enable it.) e.g. "..."
	Body string `json:"body,omitempty"`
	// The HTTP request body in bytes. This is sometimes used instead of body depending on the proxy configuration. e.g. 1234
	// Note: encoding/json serializes []byte as a base64 string.
	RawBody []byte `json:"raw_body,omitempty"`
	// This is analogous to request.headers, however these contents are not sent to the upstream server. It provides an
	// extension mechanism for sending additional information to the auth service without modifying the proto definition.
	// It maps to the internal opaque context in the proxy filter chain. (Requires additional configuration in the proxy.)
	ContextExtensions map[string]string `json:"context_extensions,omitempty"`
}
type SourceAttributes ¶ added in v0.15.0
// SourceAttributes describes the remote (source) peer of the downstream
// connection, as reported by the proxy in its AttributeContext (see
// NewWellKnownAttributes). The identity fields are asserted by the proxy from
// the connection, not by this package.
type SourceAttributes struct {
	// Downstream connection remote address
	Address string `json:"address,omitempty"`
	// Downstream connection remote port e.g. 8080
	Port int32 `json:"port,omitempty"`
	// The canonical service name of the peer e.g. "foo.default.svc.cluster.local"
	Service string `json:"service,omitempty"`
	// The labels associated with the peer. These could be pod labels for Kubernetes or tags for VMs. The source of the
	// labels could be an X.509 certificate or other configuration.
	Labels map[string]string `json:"labels,omitempty"`
	// The authenticated identity of this peer. If an X.509 certificate is used to assert the identity in the proxy, this
	// field is sourced from "URI Subject Alternative Names", "DNS Subject Alternate Names" or "Subject" in that order.
	// The format is issuer specific - e.g. SPIFFE format is spiffe://trust-domain/path, Google account format is https://accounts.google.com/{userid}.
	Principal string `json:"principal,omitempty"`
	// The X.509 certificate used to authenticate the identity of this peer. When present, the certificate contents are encoded in URL and PEM format.
	Certificate string `json:"certificate,omitempty"`
}
type WellKnownAttributes ¶ added in v0.15.0
// WellKnownAttributes is the top-level attribute object built by
// NewWellKnownAttributes from the proxy's AttributeContext and the pipeline's
// auth data. Request, Source and Destination are proxy-reported; Auth holds
// the objects resolved by the pipeline.
type WellKnownAttributes struct {
	// Dynamic request metadata
	Metadata *envoycore.Metadata `json:"metadata,omitempty"`
	// Request attributes
	Request *RequestAttributes `json:"request,omitempty"`
	// Source attributes
	Source *SourceAttributes `json:"source,omitempty"`
	// Destination attributes
	Destination *DestinationAttributes `json:"destination,omitempty"`
	// Auth attributes
	Auth *AuthAttributes `json:"auth,omitempty"`
}
func NewWellKnownAttributes ¶ added in v0.15.0
func NewWellKnownAttributes(attributes *envoyauth.AttributeContext, authData map[string]any) *WellKnownAttributes
NewWellKnownAttributes creates a new WellKnownAttributes object from an envoyauth.AttributeContext