web_ui

package
v0.0.0-...-c345e67 Latest
Warning

This package is not in the latest version of its module.

Published: Dec 6, 2024 License: Apache-2.0 Imports: 79 Imported by: 0

README

A short README explaining our authorization permissions, specifically regarding tokens received from the URL or Header vs the login cookie.

Tokens that are part of the HTTP Request Header, e.g. {"Authorization": "Bearer " + <token>}, and tokens that are set in the URL Query via Authz are considered valid if they are signed by either the Federation jwk or the Origin jwk.

However, tokens that are retrieved from the login cookie, ctx.Cookie("login"), are ONLY valid if they are signed by the Origin jwk. This can be seen in the prometheus code and how it accesses the functions in Authorization.go.
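The source-dependent trust rule above, as an added example (not code from this package). Plain Ed25519 keys and raw signatures stand in for the Federation and Origin JWKs and for JWT verification, and the names `TokenSource`, `Verifier`, `TrustedKeys` and `Check` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// TokenSource records where a request carried its token.
type TokenSource int

const (
	FromHeader TokenSource = iota // Authorization: Bearer <token>
	FromURL                       // URL query parameter
	FromCookie                    // "login" cookie
)

// Verifier holds Ed25519 stand-ins for the Federation and Origin JWKs (assumption).
type Verifier struct {
	Federation, Origin ed25519.PublicKey
}

var ErrUntrustedSigner = errors.New("signer not trusted for this token source")

// TrustedKeys: cookie tokens accept only Origin; header and URL tokens accept both.
func (v Verifier) TrustedKeys(src TokenSource) []ed25519.PublicKey {
	if src == FromCookie {
		return []ed25519.PublicKey{v.Origin}
	}
	return []ed25519.PublicKey{v.Federation, v.Origin}
}

// Check verifies sig over payload using only the keys trusted for src.
func (v Verifier) Check(src TokenSource, payload, sig []byte) error {
	for _, key := range v.TrustedKeys(src) {
		if ed25519.Verify(key, payload, sig) {
			return nil
		}
	}
	return ErrUntrustedSigner
}

func main() {
	fedPub, fedPriv, _ := ed25519.GenerateKey(nil)
	originPub, _, _ := ed25519.GenerateKey(nil)
	v := Verifier{Federation: fedPub, Origin: originPub}
	claims := []byte(`{"sub":"admin"}`) // constructed sample payload
	sig := ed25519.Sign(fedPriv, claims)
	fmt.Println(v.Check(FromHeader, claims, sig), v.Check(FromCookie, claims, sig))
}
```

A Federation-signed token passes as a header or URL token but is rejected when it arrives in the login cookie, which is the case the README calls out.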

Documentation

Constants

This section is empty.

Variables

var ErrNotReady = errors.New("Scrape manager not ready")

ErrNotReady is returned if the underlying scrape manager is not ready yet.

Functions

func AdminAuthHandler

func AdminAuthHandler(ctx *gin.Context)

adminAuthHandler checks the admin status of a logged-in user. This middleware should be cascaded behind the web_ui.AuthHandler.

func AuthHandler

func AuthHandler(ctx *gin.Context)

Check whether the user is authenticated by checking that the "login" cookie is present, and set the user identity on ctx.

func CheckAdmin

func CheckAdmin(user string) (isAdmin bool, message string)

checkAdmin checks if a user string has admin privilege. It returns a boolean and a message describing the error.

Note that by default it only checks if user == "admin". If you have a custom list of admin identifiers to check, you should set Server.UIAdminUsers. See parameters.yaml for details.

func ConfigOAuthClientAPIs

func ConfigOAuthClientAPIs(engine *gin.Engine) error

Configure the OAuth2 client and register the related authentication endpoints for the Web UI.

func ConfigureEmbeddedPrometheus

func ConfigureEmbeddedPrometheus(ctx context.Context, engine *gin.Engine) error

func ConfigureServerWebAPI added in v1.0.4

func ConfigureServerWebAPI(ctx context.Context, engine *gin.Engine, egrp *errgroup.Group) error

Configure endpoints for server web APIs. This function does not configure any UI-specific paths; it only redirects the root path to /view.

You need to mount the static resources for the UI in a separate function.

func GenerateCSRFCookie

func GenerateCSRFCookie(ctx *gin.Context, metadata map[string]string) (string, error)

Generate a 16B random string and set it as the value of the ctx session key "oauthstate". Return a string for the OAuth2 "state" query parameter that includes the random string and other metadata.

func GenerateOAuthState

func GenerateOAuthState(metadata map[string]string) string

Generate the state for the authentication request in OAuth2 code flow. The metadata are formatted similar to url query parameters:

key1=val1&key2=val2

where values are url-encoded

func GetEngine

func GetEngine() (*gin.Engine, error)

func GetSessionHandler

func GetSessionHandler() (gin.HandlerFunc, error)

Set up and return the session handler for web UI APIs. Calling it multiple times will only set up the handler once.

func GetUserGroups

func GetUserGroups(ctx *gin.Context) (user string, groups []string, err error)

Get the "subject" claim from the JWT that the "login" cookie stores, where subject is set to be the username. Return an empty string if no "login" cookie is present.

func InitServerWebLogin added in v1.0.4

func InitServerWebLogin(ctx context.Context) error

Set up the initial server web login by sending the one-time code to stdout, and record the health status of the WebUI based on the success of the initialization.

func ParseOAuthState

func ParseOAuthState(state string) (metadata map[string]string, err error)

Parse the OAuth2 callback state into a key-val map. Error if keys are duplicated. state is the url-decoded value of the query parameter "state" in the OAuth2 callback request.
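The state format described for GenerateOAuthState and ParseOAuthState, as an added round-trip example (not this package's implementation). `encodeState` and `decodeState` are hypothetical names, the metadata keys are constructed, and the duplicate check is explicit because `url.ParseQuery` would keep every value of a repeated key rather than fail.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// encodeState formats metadata as key1=val1&key2=val2 with URL-encoded values.
// Sorting the keys is this example's choice, for stable output.
func encodeState(metadata map[string]string) string {
	keys := make([]string, 0, len(metadata))
	for k := range metadata {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, k+"="+url.QueryEscape(metadata[k]))
	}
	return strings.Join(pairs, "&")
}

// decodeState rejects malformed pairs and duplicated keys instead of picking a winner.
func decodeState(state string) (map[string]string, error) {
	metadata := map[string]string{}
	for _, pair := range strings.Split(state, "&") {
		key, raw, ok := strings.Cut(pair, "=")
		if !ok || key == "" {
			return nil, fmt.Errorf("malformed pair %q", pair)
		}
		if _, seen := metadata[key]; seen {
			return nil, fmt.Errorf("duplicate key %q", key)
		}
		val, err := url.QueryUnescape(raw)
		if err != nil {
			return nil, fmt.Errorf("value of %q: %w", key, err)
		}
		metadata[key] = val
	}
	return metadata, nil
}

func main() {
	// Constructed sample metadata; the key names are hypothetical.
	s := encodeState(map[string]string{"nonce": "Zm9vYmFy", "nextUrl": "/view/?a=1&b=2"})
	fmt.Println(s)
	fmt.Println(decodeState("nextUrl=%2Fview&nextUrl=%2Fother"))
}
```

Because values are URL-encoded, a `&` or `=` inside a value cannot introduce an extra pair when the state is parsed.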

func RequireAuthMiddleware

func RequireAuthMiddleware(ctx *gin.Context)

Require auth; if missing, redirect to the login endpoint.

The current implementation forces the OAuth2 endpoint; future work may instead use a generic login page.

func RunEngine

func RunEngine(ctx context.Context, engine *gin.Engine, egrp *errgroup.Group) error

Run the gin engine in the current goroutine.

Uses a background goroutine to periodically reload the certificate used by the UI.

func RunEngineRoutine

func RunEngineRoutine(ctx context.Context, engine *gin.Engine, egrp *errgroup.Group, curRoutine bool) error

Run the gin engine; if curRoutine is false, it will run in a background goroutine.

func RunEngineRoutineWithListener

func RunEngineRoutineWithListener(ctx context.Context, engine *gin.Engine, egrp *errgroup.Group, curRoutine bool, ln net.Listener) error

Run the web engine connected to a provided listener `ln`.

func WritePasswordEntry added in v1.0.4

func WritePasswordEntry(user, password string) error

Types

type InitLogin added in v1.0.4

type InitLogin struct {
	Code string `form:"code"`
}

type Login added in v1.0.4

type Login struct {
	User     string `form:"user"`
	Password string `form:"password"`
}

type LogrusAdapter added in v1.0.4

type LogrusAdapter struct {
	*logrus.Logger
	// contains filtered or unexported fields
}

func (LogrusAdapter) Log added in v1.0.4

func (a LogrusAdapter) Log(keyvals ...interface{}) error

Log method which satisfies the kitlog.Logger interface. It also propagates the field level and field message to the top-level log.

type OIDCEnabledServerRes

type OIDCEnabledServerRes struct {
	ODICEnabledServers []string `json:"oidc_enabled_servers"`
}

type PasswordReset added in v1.0.4

type PasswordReset struct {
	Password string `form:"password"`
}

type ReadyHandler

type ReadyHandler struct {
	// contains filtered or unexported fields
}

func (*ReadyHandler) SetReady

func (h *ReadyHandler) SetReady(v bool)

type UserRole

type UserRole string
const (
	AdminRole    UserRole = "admin"
	NonAdminRole UserRole = "user"
)

type WhoAmIRes

type WhoAmIRes struct {
	Authenticated bool     `json:"authenticated"`
	Role          UserRole `json:"role"`
	User          string   `json:"user"`
}
