auth

package
v0.2.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 18, 2020 License: Apache-2.0 Imports: 29 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ErrAuthContext    errors.ErrorCode = "AUTH_CONTEXT_SETUP_FAILED"
	ErrConfigFileRead errors.ErrorCode = "CONFIG_OPTION_FILE_READ_FAILED"
)
View Source 
const (
	ErrSecureCookie errors.ErrorCode = "SECURE_COOKIE_ERROR"
	// #nosec
	ErrInvalidCsrfToken errors.ErrorCode = "CSRF_TOKEN_VALIDATION_FAILED"
)
View Source 
const (
	ErrB64Decoding errors.ErrorCode = "BINARY_DECODING_FAILED"
	// #nosec
	ErrTokenNil errors.ErrorCode = "EMPTY_OAUTH_TOKEN"
)
View Source 
const (
	RedirectURLParameter = "redirect_url"
	FromHTTPKey          = "from_http"
	FromHTTPVal          = "true"

	PrincipalContextKey contextutils.Key = "principal"
)
View Source 
const (
	ErrRefreshingToken errors.ErrorCode = "TOKEN_REFRESH_FAILURE"
	ErrTokenExpired    errors.ErrorCode = "JWT_EXPIRED"
	ErrJwtValidation   errors.ErrorCode = "JWT_VERIFICATION_FAILED"
)
View Source 
const AuthorizationResponseCodeType = "code"
View Source 
const BearerScheme = "Bearer"
View Source 
const CsrfFormKey = "state"

OAuth2 Parameters

View Source 
const DefaultAuthorizationHeader = "authorization"
View Source 
const (
	ErrIdpClient errors.ErrorCode = "IDP_REQUEST_FAILED"
)
View Source 
const (
	IdpConnectionTimeout = 10 * time.Second
)
View Source 
const MetadataEndpoint = ".well-known/oauth-authorization-server"

https://tools.ietf.org/html/rfc8414 This should be defined without a leading slash. If there is one, the url library's ResolveReference will make it a root path

View Source 
const OfflineAccessType = "offline_access"

IDP specific

View Source 
const OidcScope = "openid"
View Source 
const ProfileScope = "profile"
View Source 
const RefreshToken = "refresh_token"

Variables

View Source 
var AllowedChars = []rune("abcdefghijklmnopqrstuvwxyz1234567890")

Functions

func AuthenticationLoggingInterceptor 

func AuthenticationLoggingInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)

func GetAndValidateTokenObjectFromContext added in v0.1.7 

func GetAndValidateTokenObjectFromContext(ctx context.Context, claims config.Claims,
	provider *oidc.Provider) (*oidc.IDToken, error)

This function attempts to extract a token from the context, and will then call the validation function, passing up any errors.

func GetAuthenticationCustomMetadataInterceptor 

func GetAuthenticationCustomMetadataInterceptor(authCtx interfaces.AuthenticationContext) grpc.UnaryServerInterceptor

This function produces a gRPC middleware interceptor intended to be used when running authentication with non-default gRPC headers (metadata). Because the default `authorization` header is reserved for use by Envoy, clients wishing to pass tokens to Admin will need to use a different string, specified in this package's Config object. This interceptor will scan for that arbitrary string, and then rename it to the default string, which the downstream auth/auditing interceptors will detect and validate.

func GetAuthenticationInterceptor 

func GetAuthenticationInterceptor(authContext interfaces.AuthenticationContext) func(context.Context) (context.Context, error)

This is the function that chooses to enforce or not enforce authentication. It will attempt to get the token from the incoming context, validate it, and decide whether or not to let the request through.

func GetCallbackHandler 

func GetCallbackHandler(ctx context.Context, authContext interfaces.AuthenticationContext) http.HandlerFunc

func GetLoginHandler 

func GetLoginHandler(ctx context.Context, authContext interfaces.AuthenticationContext) http.HandlerFunc

func GetLogoutEndpointHandler added in v0.1.7 

func GetLogoutEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc

func GetMeEndpointHandler 

func GetMeEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc

TODO: Add this to the Admin service IDL in Flyte IDL so that this can be exposed from gRPC as well. This returns a handler that will retrieve user info, from the OAuth2 authorization server. See the OpenID Connect spec at https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse for more information.

func GetMetadataEndpointRedirectHandler 

func GetMetadataEndpointRedirectHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc

This returns a handler that will redirect (303) to the well-known metadata endpoint for the OAuth2 authorization server See https://tools.ietf.org/html/rfc8414 for more information.

func GetOauth2Config 

func GetOauth2Config(options config.OAuthOptions) (oauth2.Config, error)

This creates a oauth2 library config object, with values from the Flyte Admin config

func GetRefreshedToken 

func GetRefreshedToken(ctx context.Context, oauth *oauth2.Config, accessToken, refreshToken string) (*oauth2.Token, error)

Refresh a JWT

func HashCsrfState 

func HashCsrfState(csrf string) string

func NewCsrfCookie 

func NewCsrfCookie() http.Cookie

func NewCsrfToken 

func NewCsrfToken(seed int64) string

func NewRedirectCookie 

func NewRedirectCookie(ctx context.Context, redirectURL string) *http.Cookie

This function takes in a string and returns a cookie that's used to keep track of where to send the user after the OAuth2 login flow is complete.

func NewSecureCookie 

func NewSecureCookie(cookieName, value string, hashKey, blockKey []byte) (http.Cookie, error)

func ParseAndValidate 

func ParseAndValidate(ctx context.Context, claims config.Claims, accessToken string,
	provider *oidc.Provider) (*oidc.IDToken, error)

func ReadSecureCookie 

func ReadSecureCookie(ctx context.Context, cookie http.Cookie, hashKey, blockKey []byte) (string, error)

func RefreshTokensIfExists 

func RefreshTokensIfExists(ctx context.Context, authContext interfaces.AuthenticationContext, handlerFunc http.HandlerFunc) http.HandlerFunc

Look for access token and refresh token, if both are present and the access token is expired, then attempt to refresh. Otherwise do nothing and proceed to the next handler. If successfully refreshed, proceed to the landing page.

func VerifyCsrfCookie 

func VerifyCsrfCookie(ctx context.Context, request *http.Request) error

func WithAuditFields added in v0.2.0 

func WithAuditFields(ctx context.Context, clientIds []string, tokenIssuedAt time.Time) context.Context

func WithUserEmail 

func WithUserEmail(ctx context.Context, email string) context.Context

Types

type Context 

type Context struct {
	// contains filtered or unexported fields
}

Please see the comment on the corresponding AuthenticationContext for more information.

func NewAuthenticationContext 

func NewAuthenticationContext(ctx context.Context, options config.OAuthOptions) (Context, error)

func (Context) Claims 

func (c Context) Claims() config.Claims

func (Context) CookieManager 

func (c Context) CookieManager() interfaces.CookieHandler

func (Context) GetBaseURL 

func (c Context) GetBaseURL() *url.URL

func (Context) GetHTTPClient 

func (c Context) GetHTTPClient() *http.Client

func (Context) GetMetadataURL 

func (c Context) GetMetadataURL() *url.URL

func (Context) GetUserInfoURL 

func (c Context) GetUserInfoURL() *url.URL

func (Context) OAuth2Config 

func (c Context) OAuth2Config() *oauth2.Config

func (Context) OidcProvider 

func (c Context) OidcProvider() *oidc.Provider

func (Context) Options 

func (c Context) Options() config.OAuthOptions

type CookieManager 

type CookieManager struct {
	// contains filtered or unexported fields
}

func NewCookieManager 

func NewCookieManager(ctx context.Context, hashKeyEncoded, blockKeyEncoded string) (CookieManager, error)

func (CookieManager) DeleteCookies added in v0.1.7 

func (c CookieManager) DeleteCookies(ctx context.Context, writer http.ResponseWriter)

func (CookieManager) RetrieveTokenValues 

func (c CookieManager) RetrieveTokenValues(ctx context.Context, request *http.Request) (accessToken string,
	refreshToken string, err error)

TODO: Separate refresh token from access token, remove named returns, and use stdlib errors.

func (CookieManager) SetTokenCookies 

func (c CookieManager) SetTokenCookies(ctx context.Context, writer http.ResponseWriter, token *oauth2.Token) error

type HTTPRequestToMetadataAnnotator 

type HTTPRequestToMetadataAnnotator func(ctx context.Context, request *http.Request) metadata.MD

func GetHTTPMetadataTaggingHandler added in v0.1.7 

func GetHTTPMetadataTaggingHandler(authContext interfaces.AuthenticationContext) HTTPRequestToMetadataAnnotator

Intercepts the incoming HTTP requests and marks it as such so that the downstream code can use it to enforce auth. See the enforceHTTP/Grpc options for more information.

func GetHTTPRequestCookieToMetadataHandler 

func GetHTTPRequestCookieToMetadataHandler(authContext interfaces.AuthenticationContext) HTTPRequestToMetadataAnnotator

This is effectively middleware for the grpc gateway, it allows us to modify the translation between HTTP request and gRPC request. There are two potential sources for bearer tokens, it can come from an authorization header (not yet implemented), or encrypted cookies. Note that when deploying behind Envoy, you have the option to look for a configurable, non-standard header name. The token is extracted and turned into a metadata object which is then attached to the request, from which the token is extracted later for verification.

type UserInfoResponse 

type UserInfoResponse struct {
	Sub               string `json:"sub"`
	Name              string `json:"name"`
	PreferredUsername string `json:"preferred_username"`
	GivenName         string `json:"given_name"`
	FamilyName        string `json:"family_name"`
	Email             string `json:"email"`
	Picture           string `json:"picture"`
}

This struct represents what should be returned by an IDP according to the specification at 

https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

Keep in mind that not all fields are necessarily populated, and additional fields may be present as well. This is a sample response object returned from Okta for instance 

{
  "sub": "abc123",
  "name": "John Smith",
  "locale": "US",
  "preferred_username": "jsmith123@company.com",
  "given_name": "John",
  "family_name": "Smith",
  "zoneinfo": "America/Los_Angeles",
  "updated_at": 1568750854
}

Source Files

View all Source files

Directories

Path Synopsis
mocks

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.