auth

package
v0.18.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 4, 2024 License: MIT Imports: 27 Imported by: 5

Documentation

Index

Constants

View Source
const (
	RecommendedConfigPathEnvVar = "KUBECONFIG"
	RecommendedHomeDir          = ".kube"
	RecommendedFileName         = "config"
)

Variables

View Source
var (
	RecommendedConfigDir = path.Join(HomeDir(), RecommendedHomeDir)
	RecommendedHomeFile  = path.Join(RecommendedConfigDir, RecommendedFileName)
)
View Source
var DexScopes = []string{"groups", "openid", "profile", "email", "federated:id"}
View Source
var GenericScopes = []string{"openid", "profile", "email"}

Functions

func AddCluster added in v0.8.2

func AddCluster(cfg map[interface{}]interface{}, clusterName string, clusterData map[string]interface{}) error

AddCluster adds or replaces the given cluster with given clusterName and data.

func AddContext

func AddContext(cfg map[interface{}]interface{}, contextName string, clusterName string, userName string) error

AddContext adds or replaces the given context with given clusterName and userName.

func AddUser

func AddUser(kubecfg map[interface{}]interface{}, authCtx AuthContext) error

AddUser adds the given user-authconfig to the kubecfg or replaces an already existing user

func AddUserConfigMap

func AddUserConfigMap(kubecfg map[interface{}]interface{}, userName string, configMap map[string]string) error

AddUserConfigMap adds the given user-auth-configMap to the kubecfg or replaces an already existing user

func CreateFromTemplate

func CreateFromTemplate(cfg *map[interface{}]interface{}) error

CreateFromTemplate returns a minimal kubeconfig

func EncodeKubeconfig

func EncodeKubeconfig(kubeconfig map[interface{}]interface{}) (bytes.Buffer, error)

EncodeKubeconfig serializes the given kubeconfig

func ExtractEMail

func ExtractEMail(tokenInfo TokenInfo) string

func ExtractName

func ExtractName(tokenInfo TokenInfo) string

func GetClusterNames

func GetClusterNames(cfg map[interface{}]interface{}) ([]string, error)

GetClusterNames returns all clusternames

func HomeDir

func HomeDir() string

HomeDir returns the home directory for the current user

func LoadKubeConfig

func LoadKubeConfig(kubeConfig string) (content map[interface{}]interface{}, filename string, isDefaultLocation bool, e error)

LoadKubeConfig loads the kube-config from the given location, if kubeConfig is "" the default location will be used. If kubeconfig is explicitly given and no file exists at the location, an error is returned. If the default location is used and no file exists, the contents of the kubeconfigTemplate are returned. returns map, filename, isDefaultLocation and error

func Logout added in v0.9.2

func Logout(params *LogoutParams) error

func OIDCFlow

func OIDCFlow(config Config) error

OIDCFlow validates the given config and starts the OIDC-Flow "response_type=code" (see https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660 or https://connect2id.com/learn/openid-connect).

A local webserver is started to receive the callbacks from the oidc-endpoint.

1. OpenID Discovery --> gather info about OIDC Provider 2. open browser for login --> build url with scopes --> redirect to OIDC-Login-Flow (oidc-provider: auth with ldap, read groups, return signed jwt) 3. receive Callback, extract token and redirect to Success-Page 4. call TokenHandler

func SetCurrentContext

func SetCurrentContext(cfg map[interface{}]interface{}, contextName string)

SetCurrentContext sets the current context to the given name

func UpdateKubeConfig deprecated

func UpdateKubeConfig(kubeConfig string, tokenInfo TokenInfo, userIDExtractor UserIDExtractor) (string, error)

UpdateKubeConfig saves the given tokenInfo in the given kubeConfig. The given path to kubeconfig is preferred, otherwise the location of the kubeconfig is determined from env KUBECONFIG or default location.

we modify/append a user with auth-provider from given tokenInfo. we modify/append a context with name cloudctl that references the user.

returns filename the config got written to or error if any

Deprecated: use UpdateKubeConfigContext instead

func UpdateKubeConfigContext added in v0.4.0

func UpdateKubeConfigContext(kubeConfig string, tokenInfo TokenInfo, userIDExtractor UserIDExtractor, contextName string) (string, error)

UpdateKubeConfig saves the given tokenInfo in the given kubeConfig. The given path to kubeconfig is preferred, otherwise the location of the kubeconfig is determined from env KUBECONFIG or default location.

we modify/append a user with auth-provider from given tokenInfo. we modify/append the given context that references the user.

returns filename the config got written to or error if any

Types

type AuthContext

type AuthContext struct {
	// Name of the context for metalctl auth
	Ctx string
	// Name of the user in the active context
	User string
	// Name of the authProvider in the active context
	AuthProviderName string
	// Flag if the AuthProvider is oidc, i.e. valid for our usecases
	AuthProviderOidc bool

	// IDToken, only if AuthProviderOidc is true
	IDToken string

	// RefreshToken
	RefreshToken string

	IssuerConfig
}

AuthContext models the data in the kubeconfig user/auth-provider/config/oidc-config-map

func CurrentAuthContext

func CurrentAuthContext(kubeConfig string) (AuthContext, error)

returns the AuthContext for the default contextName Deprecated: use GetAuthContext instead

func GetAuthContext added in v0.4.0

func GetAuthContext(kubeConfig string, contextName string) (AuthContext, error)

GetAuthContext returns the AuthContext for the given contextName from the given kubeConfig

type Claims added in v0.7.1

type Claims struct {
	Id              string            `json:"jti,omitempty"`
	ExpiresAt       int64             `json:"exp,omitempty"`
	IssuedAt        int64             `json:"iat,omitempty"`
	NotBefore       int64             `json:"nbf,omitempty"`
	Issuer          string            `json:"iss,omitempty"`
	Subject         string            `json:"sub,omitempty"`
	Audience        interface{}       `json:"aud,omitempty"`
	Groups          []string          `json:"groups"`
	EMail           string            `json:"email"`
	Name            string            `json:"name"`
	FederatedClaims map[string]string `json:"federated_claims"`

	PreferredUsername string `json:"preferred_username"`
	// added for parsing of "new" style tokens
	Roles []string `json:"roles"`
}

func (Claims) Username added in v0.7.1

func (c Claims) Username() string

Username returns the username, taken from preferredUsername or name.

type Config

type Config struct {
	// url of the oidc endpoint
	IssuerURL     string `required:"true"`
	SkipTLSVerify bool
	IssuerRootCA  string

	// client identification
	ClientID     string `required:"true"`
	ClientSecret string `required:"true"`

	// requested scopes
	Scopes []string

	TLSCert string
	TLSKey  string

	// should a refresh token be requested if the server supports it?
	RequestRefreshToken bool

	TokenHandler TokenHandlerFunc `required:"true"`

	// Message shown on the success page after login flow
	SuccessMessage string

	Log *slog.Logger

	// Console if you want the library to write messages, may be nil
	Console io.Writer

	Debug bool
}

Config for parametrization

type IssuerConfig

type IssuerConfig struct {
	// Client-ID
	ClientID string
	// ClientSecret
	ClientSecret string
	// Issuer-URL
	IssuerURL string
	// IssuerCA if any
	IssuerCA string
}

IssuerConfig holds the config for openID connect issuer

type KubeConfigHandlerOption added in v0.4.0

type KubeConfigHandlerOption func(c *updateKubeConfig)

KubeConfigHandlerOption func for specifying options

func WithContextName added in v0.4.0

func WithContextName(contextName string) KubeConfigHandlerOption

WithContextName sets the context-name

type LogoutParams added in v0.9.2

type LogoutParams struct {
	IssuerURL string
	Logger    *slog.Logger
}

func (*LogoutParams) Validate added in v0.9.2

func (l *LogoutParams) Validate() error

type TokenHandlerFunc

type TokenHandlerFunc func(tokenInfo TokenInfo) error

TokenHandlerFunc function to handle the received token, e.g. write to file

func NewUpdateKubeConfigHandler

func NewUpdateKubeConfigHandler(kubeConfig string, writer io.Writer, opts ...KubeConfigHandlerOption) TokenHandlerFunc

NewUpdateKubeConfigHandler writes the TokenInfo to file and prints a message to the given writer, may be nil

type TokenInfo

type TokenInfo struct {
	IDToken      string
	RefreshToken string
	TokenClaims  Claims

	IssuerConfig
}

type UserIDExtractor

type UserIDExtractor func(tokenInfo TokenInfo) string

UserIDExtractor extractor to make the source of the "userid" customizable

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL