auth

package
v0.0.0-...-267b159 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 17, 2023 License: Apache-2.0 Imports: 52 Imported by: 0

Documentation

Overview

Contains types needed to start up a standalone OAuth2 Authorization Server or delegate authentication to an external provider. It supports OpenId connect for user authentication.

Index

Constants

View Source 
const (
	IdpConnectionTimeout = 10 * time.Second

	ErrauthCtx        errors.ErrorCode = "AUTH_CONTEXT_SETUP_FAILED"
	ErrConfigFileRead errors.ErrorCode = "CONFIG_OPTION_FILE_READ_FAILED"
)
View Source 
const (
	// OAuth2 Parameters
	CsrfFormKey                   = "state"
	AuthorizationResponseCodeType = "code"
	DefaultAuthorizationHeader    = "authorization"
	BearerScheme                  = "Bearer"
	IDTokenScheme                 = "IDToken"
	// Add the -bin suffix so that the header value is automatically base64 encoded
	UserInfoMDKey = "UserInfo-bin"

	// https://tools.ietf.org/html/rfc8414
	// This should be defined without a leading slash. If there is one, the url library's ResolveReference will make it a root path
	OAuth2MetadataEndpoint = ".well-known/oauth-authorization-server"

	// https://openid.net/specs/openid-connect-discovery-1_0.html
	// This should be defined without a leading slash. If there is one, the url library's ResolveReference will make it a root path
	OIdCMetadataEndpoint = ".well-known/openid-configuration"

	ContextKeyIdentityContext = contextutils.Key("identity_context")
	ScopeAll                  = "all"
)
View Source 
const (
	ErrSecureCookie errors.ErrorCode = "SECURE_COOKIE_ERROR"
	// #nosec
	ErrInvalidCsrfToken errors.ErrorCode = "CSRF_TOKEN_VALIDATION_FAILED"
)
View Source 
const (
	ErrB64Decoding errors.ErrorCode = "BINARY_DECODING_FAILED"
	// #nosec
	ErrTokenNil errors.ErrorCode = "EMPTY_OAUTH_TOKEN"
	// #nosec
	ErrNoIDToken errors.ErrorCode = "NO_ID_TOKEN_IN_RESPONSE"
)
View Source 
const (
	RedirectURLParameter = "redirect_url"
	FromHTTPKey          = "from_http"
	FromHTTPVal          = "true"
)
View Source 
const (
	SymmetricKeyLength   = 32
	CookieHashKeyLength  = 64
	CookieBlockKeyLength = 32
)
View Source 
const (
	ErrRefreshingToken errors.ErrorCode = "TOKEN_REFRESH_FAILURE"
	ErrTokenExpired    errors.ErrorCode = "JWT_EXPIRED"
	ErrJwtValidation   errors.ErrorCode = "JWT_VERIFICATION_FAILED"
)
View Source 
const (
	PodNamespaceEnvVar = "POD_NAMESPACE"
)

Variables

View Source 
var AllowedChars = []rune("abcdefghijklmnopqrstuvwxyz1234567890")

Functions

func AuthenticationLoggingInterceptor 

func AuthenticationLoggingInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)

func BlanketAuthorization 

func BlanketAuthorization(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (
	resp interface{}, err error)

func ExecutionUserIdentifierInterceptor 

func ExecutionUserIdentifierInterceptor(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (
	resp interface{}, err error)

ExecutionUserIdentifierInterceptor injects identityContext.UserID() to identityContext.executionIdentity

func FirstURL 

func FirstURL(urls ...*url.URL) *url.URL

FirstURL gets the first non-nil url from a list of given urls.

func GRPCGetIdentityFromAccessToken 

func GRPCGetIdentityFromAccessToken(ctx context.Context, authCtx interfaces.AuthenticationContext) (
	interfaces.IdentityContext, error)

GRPCGetIdentityFromAccessToken attempts to extract a token from the context, and will then call the validation function, passing up any errors.

func GRPCGetIdentityFromIDToken 

func GRPCGetIdentityFromIDToken(ctx context.Context, clientID string, provider *oidc.Provider) (
	interfaces.IdentityContext, error)

GRPCGetIdentityFromIDToken attempts to extract a token from the context, and will then call the validation function, passing up any errors.

func GetAuthFlowEndRedirect 

func GetAuthFlowEndRedirect(ctx context.Context, authCtx interfaces.AuthenticationContext, request *http.Request) string

GetAuthFlowEndRedirect returns the redirect URI according to data in request. At the end of the OAuth flow, the server needs to send the user somewhere. This should have been stored as a cookie during the initial /login call. If that cookie is missing from the request, it will default to the one configured in this package's Config object.

func GetAuthenticationCustomMetadataInterceptor 

func GetAuthenticationCustomMetadataInterceptor(authCtx interfaces.AuthenticationContext) grpc.UnaryServerInterceptor

GetAuthenticationCustomMetadataInterceptor produces a gRPC middleware interceptor intended to be used when running authentication with non-default gRPC headers (metadata). Because the default `authorization` header is reserved for use by Envoy, clients wishing to pass tokens to Admin will need to use a different string, specified in this package's Config object. This interceptor will scan for that arbitrary string, and then rename it to the default string, which the downstream auth/auditing interceptors will detect and validate.

func GetAuthenticationInterceptor 

func GetAuthenticationInterceptor(authCtx interfaces.AuthenticationContext) func(context.Context) (context.Context, error)

GetAuthenticationInterceptor chooses to enforce or not enforce authentication. It will attempt to get the token from the incoming context, validate it, and decide whether or not to let the request through.

func GetCallbackHandler 

func GetCallbackHandler(ctx context.Context, authCtx interfaces.AuthenticationContext, pluginRegistry *plugins.Registry) http.HandlerFunc

GetCallbackHandler returns a handler that is called by the OIdC provider with the authorization code to complete the user authentication flow.

func GetCreateSecretsCommand 

func GetCreateSecretsCommand() *cobra.Command

func GetInitSecretsCommand 

func GetInitSecretsCommand() *cobra.Command

GetInitSecretsCommand creates a command to issue secrets to be used for Auth settings. It writes the secrets to the working directory. The expectation is that they are put in a location and made available to the serve command later. To configure where the serve command looks for secrets, update this config: 

secrets:
  secrets-prefix: <my custom path>

func GetLoginHandler 

func GetLoginHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc

GetLoginHandler builds an http handler that handles authentication calls. Before redirecting to the authentication provider, it saves a cookie that contains the redirect url for after the authentication flow is done.

func GetLogoutEndpointHandler 

func GetLogoutEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext, pluginRegistry *plugins.Registry) http.HandlerFunc

func GetOAuth2ClientConfig 

func GetOAuth2ClientConfig(ctx context.Context, options config.OpenIDOptions, providerEndpoints oauth2.Endpoint, sm core.SecretManager) (cfg oauth2.Config, err error)

This creates a oauth2 library config object, with values from the Nebula Admin config

func GetOIdCMetadataEndpointRedirectHandler 

func GetOIdCMetadataEndpointRedirectHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc

This returns a handler that will redirect (303) to the well-known metadata endpoint for the OAuth2 authorization server See https://tools.ietf.org/html/rfc8414 for more information.

func GetPublicURL 

func GetPublicURL(ctx context.Context, req *http.Request, cfg *config.Config) *url.URL

GetPublicURL attempts to retrieve the public url of the service. If httpPublicUri is set in the config, it takes precedence. If the request is not nil and has a host set, it comes second and lastly it attempts to retrieve the url from context if set (e.g. by gRPC gateway).

func GetRefreshedToken 

func GetRefreshedToken(ctx context.Context, oauth *oauth2.Config, accessToken, refreshToken string) (*oauth2.Token, error)

Refresh a JWT

func HashCsrfState 

func HashCsrfState(csrf string) string

func IdentityContextFromIDTokenToken 

func IdentityContextFromIDTokenToken(ctx context.Context, tokenStr, clientID string, provider *oidc.Provider,
	userInfo *service.UserInfoResponse) (interfaces.IdentityContext, error)

func IdentityContextFromRequest 

func IdentityContextFromRequest(ctx context.Context, req *http.Request, authCtx interfaces.AuthenticationContext) (
	interfaces.IdentityContext, error)

func NewCsrfCookie 

func NewCsrfCookie() http.Cookie

func NewCsrfToken 

func NewCsrfToken(seed int64) string

func NewRedirectCookie 

func NewRedirectCookie(ctx context.Context, redirectURL string) *http.Cookie

This function takes in a string and returns a cookie that's used to keep track of where to send the user after the OAuth2 login flow is complete.

func NewSecureCookie 

func NewSecureCookie(cookieName, value string, hashKey, blockKey []byte, domain string, sameSiteMode http.SameSite) (http.Cookie, error)

func ParseIDTokenAndValidate 

func ParseIDTokenAndValidate(ctx context.Context, clientID, rawIDToken string, provider *oidc.Provider) (*oidc.IDToken, error)

func QueryUserInfo 

func QueryUserInfo(ctx context.Context, identityContext interfaces.IdentityContext, request *http.Request,
	authCtx interfaces.AuthenticationContext) (*service.UserInfoResponse, error)

func QueryUserInfoUsingAccessToken 

func QueryUserInfoUsingAccessToken(ctx context.Context, originalRequest *http.Request, authCtx interfaces.AuthenticationContext, accessToken string) (
	*service.UserInfoResponse, error)

Extract User info from access token for HTTP request

func ReadSecureCookie 

func ReadSecureCookie(ctx context.Context, cookie http.Cookie, hashKey, blockKey []byte) (string, error)

func RefreshTokensIfExists 

func RefreshTokensIfExists(ctx context.Context, authCtx interfaces.AuthenticationContext, authHandler http.HandlerFunc) http.HandlerFunc

Look for access token and refresh token, if both are present and the access token is expired, then attempt to refresh. Otherwise do nothing and proceed to the next handler. If successfully refreshed, proceed to the landing page.

func RegisterHandlers 

func RegisterHandlers(ctx context.Context, handler interfaces.HandlerRegisterer, authCtx interfaces.AuthenticationContext, pluginRegistry *plugins.Registry)

func SetContextForIdentity 

func SetContextForIdentity(ctx context.Context, identityContext interfaces.IdentityContext) context.Context

func URLFromContext 

func URLFromContext(ctx context.Context) *url.URL

URLFromContext attempts to retrieve the original url from context. gRPC gateway sets metadata in context that refers to the original host. Or nil if metadata isn't set.

func URLFromRequest 

func URLFromRequest(req *http.Request) *url.URL

URLFromRequest attempts to reconstruct the url from the request object. Or nil if not possible

func VerifyCsrfCookie 

func VerifyCsrfCookie(ctx context.Context, request *http.Request) error

func WithAuditFields 

func WithAuditFields(ctx context.Context, subject string, clientIds []string, tokenIssuedAt time.Time) context.Context

func WithUserEmail 

func WithUserEmail(ctx context.Context, email string) context.Context

Types

type AuthenticatedClientMeta 

type AuthenticatedClientMeta struct {
	ClientIds     []string
	TokenIssuedAt time.Time
	ClientIP      string
	Subject       string
}

type Context 

type Context struct {
	// contains filtered or unexported fields
}

Please see the comment on the corresponding AuthenticationContext for more information.

func NewAuthenticationContext 

func NewAuthenticationContext(ctx context.Context, sm core.SecretManager, oauth2Provider interfaces.OAuth2Provider,
	oauth2ResourceServer interfaces.OAuth2ResourceServer, authMetadataService service.AuthMetadataServiceServer,
	identityService service.IdentityServiceServer, options *config.Config) (Context, error)

func (Context) AuthMetadataService 

func (c Context) AuthMetadataService() service.AuthMetadataServiceServer

func (Context) CookieManager 

func (c Context) CookieManager() interfaces.CookieHandler

func (Context) GetHTTPClient 

func (c Context) GetHTTPClient() *http.Client

func (Context) GetOAuth2MetadataURL 

func (c Context) GetOAuth2MetadataURL() *url.URL

func (Context) GetOIdCMetadataURL 

func (c Context) GetOIdCMetadataURL() *url.URL

func (Context) GetUserInfoURL 

func (c Context) GetUserInfoURL() *url.URL

func (Context) IdentityService 

func (c Context) IdentityService() service.IdentityServiceServer

func (Context) OAuth2ClientConfig 

func (c Context) OAuth2ClientConfig(requestURL *url.URL) *oauth2.Config

func (Context) OAuth2Provider 

func (c Context) OAuth2Provider() interfaces.OAuth2Provider

func (Context) OAuth2ResourceServer 

func (c Context) OAuth2ResourceServer() interfaces.OAuth2ResourceServer

func (Context) OidcProvider 

func (c Context) OidcProvider() *oidc.Provider

func (Context) Options 

func (c Context) Options() *config.Config

type CookieManager 

type CookieManager struct {
	// contains filtered or unexported fields
}

func NewCookieManager 

func NewCookieManager(ctx context.Context, hashKeyEncoded, blockKeyEncoded string, cookieSettings config.CookieSettings) (CookieManager, error)

func (CookieManager) DeleteCookies 

func (c CookieManager) DeleteCookies(_ context.Context, writer http.ResponseWriter)

func (CookieManager) RetrieveAuthCodeRequest 

func (c CookieManager) RetrieveAuthCodeRequest(ctx context.Context, request *http.Request) (authRequestURL string, err error)

func (CookieManager) RetrieveTokenValues 

func (c CookieManager) RetrieveTokenValues(ctx context.Context, request *http.Request) (idToken, accessToken,
	refreshToken string, err error)

TODO: Separate refresh token from access token, remove named returns, and use stdlib errors. RetrieveTokenValues retrieves id, access and refresh tokens from cookies if they exist. The existence of a refresh token in a cookie is optional and hence failure to find or read that cookie is tolerated. An error is returned in case of failure to retrieve and read either the id or the access tokens.

func (CookieManager) RetrieveUserInfo 

func (c CookieManager) RetrieveUserInfo(ctx context.Context, request *http.Request) (*service.UserInfoResponse, error)

func (CookieManager) SetAuthCodeCookie 

func (c CookieManager) SetAuthCodeCookie(ctx context.Context, writer http.ResponseWriter, authRequestURL string) error

func (CookieManager) SetTokenCookies 

func (c CookieManager) SetTokenCookies(ctx context.Context, writer http.ResponseWriter, token *oauth2.Token) error

func (CookieManager) SetUserInfoCookie 

func (c CookieManager) SetUserInfoCookie(ctx context.Context, writer http.ResponseWriter, userInfo *service.UserInfoResponse) error

type HTTPRequestToMetadataAnnotator 

type HTTPRequestToMetadataAnnotator func(ctx context.Context, request *http.Request) metadata.MD

func GetHTTPMetadataTaggingHandler 

func GetHTTPMetadataTaggingHandler() HTTPRequestToMetadataAnnotator

Intercepts the incoming HTTP requests and marks it as such so that the downstream code can use it to enforce auth. See the enforceHTTP/Grpc options for more information.

func GetHTTPRequestCookieToMetadataHandler 

func GetHTTPRequestCookieToMetadataHandler(authCtx interfaces.AuthenticationContext) HTTPRequestToMetadataAnnotator

This is effectively middleware for the grpc gateway, it allows us to modify the translation between HTTP request and gRPC request. There are two potential sources for bearer tokens, it can come from an authorization header (not yet implemented), or encrypted cookies. Note that when deploying behind Envoy, you have the option to look for a configurable, non-standard header name. The token is extracted and turned into a metadata object which is then attached to the request, from which the token is extracted later for verification.

type IdentityContext 

type IdentityContext struct {
	// contains filtered or unexported fields
}

IdentityContext is an abstract entity to enclose the authenticated identity of the user/app. Both gRPC and HTTP servers have interceptors to set the IdentityContext on the context.Context. To retrieve the current IdentityContext call auth.IdentityContextFromContext(ctx). To check whether there is an identity set, call auth.IdentityContextFromContext(ctx).IsEmpty()

func IdentityContextFromContext 

func IdentityContextFromContext(ctx context.Context) IdentityContext

IdentityContextFromContext retrieves the authenticated identity from context.Context.

func NewIdentityContext 

func NewIdentityContext(audience, userID, appID string, authenticatedAt time.Time, scopes sets.String, userInfo *service.UserInfoResponse, claims map[string]interface{}) (
	IdentityContext, error)

NewIdentityContext creates a new IdentityContext.

func (IdentityContext) AppID 

func (c IdentityContext) AppID() string

func (IdentityContext) Audience 

func (c IdentityContext) Audience() string

func (IdentityContext) AuthenticatedAt 

func (c IdentityContext) AuthenticatedAt() time.Time

func (IdentityContext) Claims 

func (c IdentityContext) Claims() map[string]interface{}

func (IdentityContext) ExecutionIdentity 

func (c IdentityContext) ExecutionIdentity() string

func (IdentityContext) IsEmpty 

func (c IdentityContext) IsEmpty() bool

func (IdentityContext) Scopes 

func (c IdentityContext) Scopes() sets.String

func (IdentityContext) UserID 

func (c IdentityContext) UserID() string

func (IdentityContext) UserInfo 

func (c IdentityContext) UserInfo() *service.UserInfoResponse

func (IdentityContext) WithContext 

func (c IdentityContext) WithContext(ctx context.Context) context.Context

func (IdentityContext) WithExecutionUserIdentifier 

func (c IdentityContext) WithExecutionUserIdentifier(euid string) IdentityContext

WithExecutionUserIdentifier creates a copy of the original identity context and attach ExecutionIdentity

type LogoutHookFunc 

type LogoutHookFunc func(ctx context.Context, authCtx interfaces.AuthenticationContext, request *http.Request, w http.ResponseWriter) error

type PreRedirectHookError 

type PreRedirectHookError struct {
	Message string
	Code    int
}

func (*PreRedirectHookError) Error 

func (e *PreRedirectHookError) Error() string

type PreRedirectHookFunc 

type PreRedirectHookFunc func(ctx context.Context, authCtx interfaces.AuthenticationContext, request *http.Request, w http.ResponseWriter) *PreRedirectHookError

PreRedirectHookFunc Interface used for running custom code before the redirect happens during a successful auth flow. This might be useful in cases where the auth flow allows the user to login since the IDP has been configured for eg: to allow all users from a particular domain to login but you want to restrict access to only a particular set of user ids. eg : users@domain.com are allowed to login but user user1@domain.com, user2@domain.com should only be allowed PreRedirectHookError is the error interface which allows the user to set correct http status code and Message to be set in case the function returns an error without which the current usage in GetCallbackHandler will set this to InternalServerError

type SecretsSet 

type SecretsSet struct {
	TokenHashKey              []byte
	TokenSigningRSAPrivateKey *rsa.PrivateKey
	CookieHashKey             []byte
	CookieBlockKey            []byte
}

func NewSecrets 

func NewSecrets() (SecretsSet, error)

type UserInfoForwardResponseHandler 

type UserInfoForwardResponseHandler func(ctx context.Context, w http.ResponseWriter, m protoiface.MessageV1) error

func GetUserInfoForwardResponseHandler 

func GetUserInfoForwardResponseHandler() UserInfoForwardResponseHandler

type UserInfoProvider 

type UserInfoProvider struct {
}

func NewUserInfoProvider 

func NewUserInfoProvider() UserInfoProvider

func (UserInfoProvider) UserInfo 

func (s UserInfoProvider) UserInfo(ctx context.Context, _ *service.UserInfoRequest) (*service.UserInfoResponse, error)

UserInfo returns user_info claims about the currently logged in user. See the OpenID Connect spec at https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse for more information.

Source Files

View all Source files

Directories

Path Synopsis
OAuthServer implementation that serve oauth2 authorize and client_credentials flows.
 OAuthServer implementation that serve oauth2 authorize and client_credentials flows.
mocks

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.