Documentation
¶
Index ¶
- func AuditLog(ctx context.Context) logr.Logger
- func AuditLogWithTokenInfo(ctx context.Context, msg string, namespace string, token string, ...)
- func AugmentConfiguration(config *rest.Config)
- func CallbackErrorHandler(w http.ResponseWriter, r *http.Request)
- func CallbackSuccessHandler(w http.ResponseWriter, r *http.Request)
- func ExtractTokenFromAuthorizationHeader(authHeader string) string
- func HandleUpload(uploader TokenUploader) func(http.ResponseWriter, *http.Request)
- func LogDebugAndWriteResponse(ctx context.Context, w http.ResponseWriter, status int, msg string, ...)
- func LogErrorAndWriteResponse(ctx context.Context, w http.ResponseWriter, status int, msg string, err error)
- func MiddlewareHandler(allowedOrigins []string, h http.Handler) http.Handler
- func OkHandler(w http.ResponseWriter, _ *http.Request)
- func WithAuthFromRequestIntoContext(r *http.Request, ctx context.Context) (context.Context, error)
- func WithAuthIntoContext(bearerToken string, ctx context.Context) context.Context
- type AuthenticatingClient
- type Authenticator
- type Controller
- type OAuthServiceCliArgs
- type OAuthServiceConfiguration
- type SpiTokenUploader
- type StateStorage
- type TokenUploader
- type UploadFunc
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AuditLogWithTokenInfo ¶
func AuditLogWithTokenInfo(ctx context.Context, msg string, namespace string, token string, keysAndValues ...interface{})
AuditLogWithTokenInfo logs message related to particular SPIAccessToken into audit logger
func AugmentConfiguration ¶
AugmentConfiguration modifies the provided Kubernetes client configuration such that it uses bearer tokens stored in the context using the WithAuthFromRequestIntoContext or WithAuthIntoContext functions.
func CallbackErrorHandler ¶
func CallbackErrorHandler(w http.ResponseWriter, r *http.Request)
CallbackErrorHandler is a Handler implementation that responds with HTML page This page is a landing page after unsuccessfully completing the OAuth flow. Resource file location is prefixed with `../` to be compatible with tests running locally.
func CallbackSuccessHandler ¶
func CallbackSuccessHandler(w http.ResponseWriter, r *http.Request)
CallbackSuccessHandler is a Handler implementation that responds with HTML page This page is a landing page after successfully completing the OAuth flow. Resource file location is prefixed with `../` to be compatible with tests running locally.
func ExtractTokenFromAuthorizationHeader ¶
ExtractTokenFromAuthorizationHeader extracts the token value from the authorization header assumed to be formatted as a bearer token.
func HandleUpload ¶
func HandleUpload(uploader TokenUploader) func(http.ResponseWriter, *http.Request)
HandleUpload returns Handler implementation that is relied on provided TokenUploader to persist provided credentials for some concrete SPIAccessToken.
func MiddlewareHandler ¶
MiddlewareHandler is a Handler that composed couple of different responsibilities. Like: - Request logging - CORS processing
func OkHandler ¶
func OkHandler(w http.ResponseWriter, _ *http.Request)
OkHandler is a Handler implementation that responds only with http.StatusOK. Typically, used for liveness and readiness probes
func WithAuthFromRequestIntoContext ¶
WithAuthFromRequestIntoContext looks into the provided HTTP request and stores the bearer token from that request's Authorization header into the returned context which is based on the provided context. If used with a client constructed from configuration augmented using the AugmentConfiguration function, the requests to the Kubernetes API will be authenticated using this token.
To link the contexts, you can reuse the context of the provided request: WithAuthFromRequestIntoContext(req, req.Context())
func WithAuthIntoContext ¶
WithAuthIntoContext stores the provided bearer token into the returned context which is based on the provided context. If used with a client constructed from configuration augmented using the AugmentConfiguration function, the requests to the Kubernetes API will be authenticated using this token.
Types ¶
type AuthenticatingClient ¶
AuthenticatingClient is just a typedef that advertises that it is safe to use the WithAuthIntoContext or WithAuthFromRequestIntoContext functions with clients having this type.
func CreateClient ¶
CreateClient creates a new client based on the provided configuration. Note that configuration is potentially modified during the call.
type Authenticator ¶
type Authenticator struct {
K8sClient AuthenticatingClient
SessionManager *scs.SessionManager
}
func NewAuthenticator ¶
func NewAuthenticator(sessionManager *scs.SessionManager, cl AuthenticatingClient) *Authenticator
func (Authenticator) Login ¶
func (a Authenticator) Login(w http.ResponseWriter, r *http.Request)
type Controller ¶
type Controller interface {
// Authenticate handles the initial OAuth request. It should validate that the request is authenticated in Kubernetes
// compose the authenticated OAuth state and return a redirect to the service-provider OAuth endpoint with the state.
Authenticate(w http.ResponseWriter, r *http.Request)
// Callback finishes the OAuth flow. It handles the final redirect from the OAuth flow of the service provider.
Callback(ctx context.Context, w http.ResponseWriter, r *http.Request)
}
Controller implements the OAuth flow. There are specific implementations for each service provider type. These are usually instances of the commonController with service-provider-specific configuration.
func FromConfiguration ¶
func FromConfiguration(fullConfig OAuthServiceConfiguration, spConfig config.ServiceProviderConfiguration, authenticator *Authenticator, stateStorage *StateStorage, cl AuthenticatingClient, storage tokenstorage.TokenStorage, redirectTemplate *template.Template) (Controller, error)
FromConfiguration is a factory function to create instances of the Controller based on the service provider configuration.
type OAuthServiceCliArgs ¶
type OAuthServiceCliArgs struct {
config.CommonCliArgs
config.LoggingCliArgs
tokenstorage.VaultCliArgs
ServiceAddr string `arg:"--service-addr, env" default:"0.0.0.0:8000" help:"Service address to listen on"`
AllowedOrigins string `` /* 175-byte string literal not displayed */
KubeConfig string `arg:"--kubeconfig, env" default:"" help:""`
KubeInsecureTLS bool `arg:"--kube-insecure-tls, env" default:"false" help:"Whether is allowed or not insecure kubernetes tls connection."`
ApiServer string `` /* 126-byte string literal not displayed */
ApiServerCAPath string `` /* 140-byte string literal not displayed */
}
type OAuthServiceConfiguration ¶
type OAuthServiceConfiguration struct {
}
func LoadOAuthServiceConfiguration ¶
func LoadOAuthServiceConfiguration(args OAuthServiceCliArgs) (OAuthServiceConfiguration, error)
type SpiTokenUploader ¶
type SpiTokenUploader struct {
K8sClient client.Client
Storage tokenstorage.TokenStorage
}
type StateStorage ¶
type StateStorage struct {
// contains filtered or unexported fields
}
func NewStateStorage ¶
func NewStateStorage(sessionManager *scs.SessionManager) *StateStorage
func (StateStorage) UnveilState ¶
func (StateStorage) VeilRealState ¶
func (s StateStorage) VeilRealState(req *http.Request) (string, error)
type TokenUploader ¶
type TokenUploader interface {
Upload(ctx context.Context, tokenObjectName string, tokenObjectNamespace string, data *api.Token) error
}
TokenUploader is used to permanently persist credentials for the given token.
type UploadFunc ¶
type UploadFunc func(ctx context.Context, tokenObjectName string, tokenObjectNamespace string, data *api.Token) error
UploadFunc used to provide anonymous implementation of TokenUploader. Example:
uploader := UploadFunc(func(ctx context.Context, tokenObjectName string, tokenObjectNamespace string, data *api.Token) error {
return fmt.Errorf("failed to store the token data into storage")
})
Source Files