Documentation ¶
Index ¶
- Variables
- func MustParseURL(rawURL string) *url.URL
- type AuthorizationServer
- type AuthorizationServerType
- type Config
- type CookieSettings
- type ExternalAuthorizationServer
- type NebulaClientConfig
- type OAuth2Options
- type OpenIDOptions
- type SameSite
- type SecretName
- type ThirdPartyConfigOptions
- type UserAuthConfig
Constants ¶
This section is empty.
Variables ¶
var ( DefaultConfig = &Config{ HTTPAuthorizationHeader: "nebula-authorization", GrpcAuthorizationHeader: "nebula-authorization", UserAuth: UserAuthConfig{ RedirectURL: config.URL{URL: *MustParseURL("/console")}, CookieHashKeySecretName: SecretNameCookieHashKey, CookieBlockKeySecretName: SecretNameCookieBlockKey, OpenID: OpenIDOptions{ ClientSecretName: SecretNameOIdCClientSecret, Scopes: []string{ "openid", "profile", }, }, CookieSetting: CookieSettings{ Domain: "", SameSitePolicy: SameSiteDefaultMode, }, }, AppAuth: OAuth2Options{ ExternalAuthServer: ExternalAuthorizationServer{ RetryAttempts: 5, RetryDelay: config.Duration{Duration: 1 * time.Second}, }, AuthServerType: AuthorizationServerTypeSelf, ThirdParty: ThirdPartyConfigOptions{ NebulaClientConfig: NebulaClientConfig{ ClientID: "nebulactl", RedirectURI: "http://localhost:53593/callback", Scopes: []string{"all", "offline"}, }, }, SelfAuthServer: AuthorizationServer{ AccessTokenLifespan: config.Duration{Duration: 30 * time.Minute}, RefreshTokenLifespan: config.Duration{Duration: 60 * time.Minute}, AuthorizationCodeLifespan: config.Duration{Duration: 5 * time.Minute}, ClaimSymmetricEncryptionKeySecretName: SecretNameClaimSymmetricKey, TokenSigningRSAKeySecretName: SecretNameTokenSigningRSAKey, OldTokenSigningRSAKeySecretName: SecretNameOldTokenSigningRSAKey, StaticClients: map[string]*fosite.DefaultClient{ "nebula-cli": { ID: "nebula-cli", RedirectURIs: []string{"http://localhost:53593/callback", "http://localhost:12345/callback"}, ResponseTypes: []string{"code", "token"}, GrantTypes: []string{"refresh_token", "authorization_code"}, Scopes: []string{"all", "offline", "access_token"}, Public: true, }, "nebulactl": { ID: "nebulactl", RedirectURIs: []string{"http://localhost:53593/callback", "http://localhost:12345/callback"}, ResponseTypes: []string{"code", "token"}, GrantTypes: []string{"refresh_token", "authorization_code"}, Scopes: []string{"all", "offline", "access_token"}, Public: true, }, "nebulapropeller": { ID: "nebulapropeller", Secret: []byte(`$2a$06$d6PQn2QAFU3cL5V8MDkeuuk63xubqUxNxjtfPw.Fc9MgV6vpmyOIy`), RedirectURIs: []string{"http://localhost:3846/callback"}, ResponseTypes: []string{"token"}, GrantTypes: []string{"refresh_token", "client_credentials"}, Scopes: []string{"all", "offline", "access_token"}, }, }, }, }, } )
Functions ¶
func MustParseURL ¶
MustParseURL panics if the provided url fails parsing. Should only be used in package initialization or tests.
Types ¶
type AuthorizationServer ¶
type AuthorizationServer struct { // Defines the issuer to use when issuing and validating tokens. The default value is https://<requestUri.HostAndPort>/ Issuer string `` /* 139-byte string literal not displayed */ // Defines the lifespan of issued access tokens. AccessTokenLifespan config.Duration `json:"accessTokenLifespan" pflag:",Defines the lifespan of issued access tokens."` // Defines the lifespan of issued access tokens. RefreshTokenLifespan config.Duration `json:"refreshTokenLifespan" pflag:",Defines the lifespan of issued access tokens."` // Defines the lifespan of issued access tokens. AuthorizationCodeLifespan config.Duration `json:"authorizationCodeLifespan" pflag:",Defines the lifespan of issued access tokens."` // Secret names, defaults are set in DefaultConfig variable above but are possible to override through configs. ClaimSymmetricEncryptionKeySecretName string `json:"claimSymmetricEncryptionKeySecretName" pflag:",OPTIONAL: Secret name to use to encrypt claims in authcode token."` TokenSigningRSAKeySecretName string `json:"tokenSigningRSAKeySecretName" pflag:",OPTIONAL: Secret name to use to retrieve RSA Signing Key."` OldTokenSigningRSAKeySecretName string `` /* 184-byte string literal not displayed */ // A list of clients to grant access to. StaticClients map[string]*fosite.DefaultClient `json:"staticClients" pflag:"-,Defines statically defined list of clients to allow."` }
type AuthorizationServerType ¶
type AuthorizationServerType int
AuthorizationServerType defines the type of Authorization Server to use.
const ( // AuthorizationServerTypeSelf determines that NebulaAdmin should act as the authorization server to serve // OAuth2 token requests AuthorizationServerTypeSelf AuthorizationServerType = iota // AuthorizationServerTypeExternal determines that NebulaAdmin should rely on an external authorization server (e.g. // Okta) to serve OAuth2 token requests AuthorizationServerTypeExternal )
func AuthorizationServerTypeString ¶
func AuthorizationServerTypeString(s string) (AuthorizationServerType, error)
AuthorizationServerTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.
func AuthorizationServerTypeValues ¶
func AuthorizationServerTypeValues() []AuthorizationServerType
AuthorizationServerTypeValues returns all values of the enum
func (AuthorizationServerType) IsAAuthorizationServerType ¶
func (i AuthorizationServerType) IsAAuthorizationServerType() bool
IsAAuthorizationServerType returns "true" if the value is listed in the enum definition. "false" otherwise
func (AuthorizationServerType) MarshalJSON ¶
func (i AuthorizationServerType) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for AuthorizationServerType
func (AuthorizationServerType) String ¶
func (i AuthorizationServerType) String() string
func (*AuthorizationServerType) UnmarshalJSON ¶
func (i *AuthorizationServerType) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for AuthorizationServerType
type Config ¶
type Config struct { // These settings are for non-SSL authentication modes, where Envoy is handling SSL termination // This is not yet used, but this is the HTTP variant of the setting below. HTTPAuthorizationHeader string `json:"httpAuthorizationHeader"` // In order to support deployments of this Admin service where Envoy is terminating SSL connections, the metadata // header name cannot be "authorization", which is the standard metadata name. Envoy has special handling for that // name. Instead, there is a gRPC interceptor, GetAuthenticationCustomMetadataInterceptor, that will translate // incoming metadata headers with this config setting's name, into that standard header GrpcAuthorizationHeader string `json:"grpcAuthorizationHeader"` // To help ease migration, it was helpful to be able to only selectively enforce authentication. The // dimension that made the most sense to cut by at time of writing is HTTP vs gRPC as the web UI mainly used HTTP // and the backend used mostly gRPC. Cutting by individual endpoints is another option but it possibly falls more // into the realm of authorization rather than authentication. DisableForHTTP bool `json:"disableForHttp" pflag:",Disables auth enforcement on HTTP Endpoints."` DisableForGrpc bool `json:"disableForGrpc" pflag:",Disables auth enforcement on Grpc Endpoints."` // AuthorizedURIs is optional and defines the set of URIs that clients are allowed to visit the service on. If set, // the system will attempt to match the incoming host to the first authorized URIs and use that (including the scheme) // when generating metadata endpoints and when validating audience and issuer claims. If no matching authorizedUri // is found, it'll default to the first one. If not provided, the urls will be deduced based on the request url and // the `secure` setting. AuthorizedURIs []config.URL `` /* 415-byte string literal not displayed */ // HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."` // UserAuth settings used to authenticate end users in web-browsers. UserAuth UserAuthConfig `json:"userAuth" pflag:",Defines Auth options for users."` // AppAuth settings used to authenticate and control/limit access scopes for apps. AppAuth OAuth2Options `json:"appAuth" pflag:",Defines Auth options for apps. UserAuth must be enabled for AppAuth to work."` }
type CookieSettings ¶
type ExternalAuthorizationServer ¶
type ExternalAuthorizationServer struct { // BaseURL should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/ // If not provided, the OpenID.BaseURL will be assumed instead. BaseURL config.URL `` /* 208-byte string literal not displayed */ AllowedAudience []string `` /* 149-byte string literal not displayed */ MetadataEndpointURL config.URL `` /* 149-byte string literal not displayed */ // HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."` RetryAttempts int `json:"retryAttempts" pflag:", Optional: The number of attempted retries on a transient failure to get the OAuth metadata"` RetryDelay config.Duration `json:"retryDelay" pflag:", Optional, Duration to wait between retries"` }
type NebulaClientConfig ¶
type NebulaClientConfig struct { ClientID string `json:"clientId" pflag:",public identifier for the app which handles authorization for a Nebula deployment"` RedirectURI string `` /* 128-byte string literal not displayed */ Scopes []string `json:"scopes" pflag:",Recommended scopes for the client to request."` Audience string `json:"audience" pflag:",Audience to use when initiating OAuth2 authorization requests."` }
type OAuth2Options ¶
type OAuth2Options struct { // AuthServerType defines the type of AuthServer to connect to. AuthServerType AuthorizationServerType `` /* 148-byte string literal not displayed */ // SelfAuthServer defines settings for running authorization server locally. SelfAuthServer AuthorizationServer `` /* 164-byte string literal not displayed */ // ExternalAuthServer defines settings for connecting with an external authorization server. ExternalAuthServer ExternalAuthorizationServer `json:"externalAuthServer" pflag:",External Authorization Server config."` // ThirdParty defines settings for the public client nebula-clients (e.g. nebulactl, nebulacli) should use. ThirdParty ThirdPartyConfigOptions `` /* 147-byte string literal not displayed */ }
OAuth2Options defines settings for app auth.
type OpenIDOptions ¶
type OpenIDOptions struct { // The client ID for Admin in your IDP // See https://tools.ietf.org/html/rfc6749#section-2.2 for more information ClientID string `json:"clientId"` // The client secret used in the exchange of the authorization code for the token. // https://tools.ietf.org/html/rfc6749#section-2.3 ClientSecretName string `json:"clientSecretName"` // Deprecated: Please use ClientSecretName instead. DeprecatedClientSecretFile string `json:"clientSecretFile"` // This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it // will look something like https://company.okta.com/oauth2/abcdef123456789/ BaseURL config.URL `json:"baseUrl"` // Provides a list of scopes to request from the IDP when authenticating. Default value requests claims that should // be supported by any OIdC server. Refer to https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for // a complete list. Other providers might support additional scopes that you can define in a config. Scopes []string `json:"scopes"` }
type SameSite ¶
type SameSite int
func SameSiteString ¶
SameSiteString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.
func SameSiteValues ¶
func SameSiteValues() []SameSite
SameSiteValues returns all values of the enum
func (SameSite) IsASameSite ¶
IsASameSite returns "true" if the value is listed in the enum definition. "false" otherwise
func (SameSite) MarshalJSON ¶
MarshalJSON implements the json.Marshaler interface for SameSite
func (*SameSite) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface for SameSite
type SecretName ¶
type SecretName = string
const ( // SecretNameOIdCClientSecret defines the default OIdC client secret name to use. // #nosec SecretNameOIdCClientSecret SecretName = "oidc_client_secret" // SecretNameCookieHashKey defines the default cookie hash key secret name to use. // #nosec SecretNameCookieHashKey SecretName = "cookie_hash_key" // SecretNameCookieBlockKey defines the default cookie block key secret name to use. // #nosec SecretNameCookieBlockKey SecretName = "cookie_block_key" // SecretNameClaimSymmetricKey must be a base64 encoded secret of exactly 32 bytes // #nosec SecretNameClaimSymmetricKey SecretName = "claim_symmetric_key" // SecretNameTokenSigningRSAKey is the privateKey used to sign JWT tokens. The default strategy uses RS256 (RSA Signature with SHA-256) // #nosec SecretNameTokenSigningRSAKey SecretName = "token_rsa_key.pem" // SecretNameOldTokenSigningRSAKey is the privateKey used to sign old JWT tokens. The default strategy uses RS256 (RSA Signature with SHA-256) // This is used to support key rotation. When present, it'll only be used to validate incoming tokens. New tokens // will not be issued using this key. // #nosec SecretNameOldTokenSigningRSAKey SecretName = "token_rsa_key_old.pem" )
type ThirdPartyConfigOptions ¶
type ThirdPartyConfigOptions struct {
NebulaClientConfig NebulaClientConfig `json:"nebulaClient"`
}
This struct encapsulates config options for bootstrapping various Nebula applications with config values For example, NebulaClientConfig contains application-specific values to initialize the config required by nebula client
func (ThirdPartyConfigOptions) IsEmpty ¶
func (o ThirdPartyConfigOptions) IsEmpty() bool
type UserAuthConfig ¶
type UserAuthConfig struct { // This is where the user will be redirected to at the end of the flow, but you should not use it. Instead, // the initial /login handler should be called with a redirect_url parameter, which will get saved to a cookie. // This setting will only be used when that cookie is missing. // See the login handler code for more comments. RedirectURL config.URL `json:"redirectUrl"` // OpenID defines settings for connecting and trusting an OpenIDConnect provider. OpenID OpenIDOptions `json:"openId" pflag:",OpenID Configuration for User Auth"` // HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."` // Secret names, defaults are set in DefaultConfig variable above but are possible to override through configs. CookieHashKeySecretName string `json:"cookieHashKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie hash key."` CookieBlockKeySecretName string `json:"cookieBlockKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie block key."` CookieSetting CookieSettings `json:"cookieSetting" pflag:", settings used by cookies created for user auth"` }