extauth

package
v1.9.10 Latest Latest
Published: Mar 15, 2022 License: Apache-2.0 Imports: 19 Imported by: 1

Documentation

Index

Constants

// String constants exported by the extauth package.
const (
	// DefaultAuthHeader is the header name "x-user-id".
	// NOTE(review): presumably the header that carries the authenticated
	// user's identity to upstreams; this listing does not show where it is
	// used, so confirm in the plugin source. If upstreams trust this header,
	// verify that a client-supplied copy is stripped or overwritten before
	// the request is forwarded.
	DefaultAuthHeader = "x-user-id"
	// HttpServerUri is a fixed URI on the reserved example.com domain.
	// NOTE(review): the "not-used" host name suggests a placeholder for a
	// required field that is never dialed; confirm against the caller.
	HttpServerUri     = "http://not-used.example.com/"
	// ExtensionName is the short name "ext_authz".
	ExtensionName     = "ext_authz"
)
// JWTFilterName is the name string "envoy.filters.http.jwt_authn".
// NOTE(review): how this package uses the name (for example, to order the
// ext_authz filter relative to the JWT filter) is not visible here; confirm.
const JWTFilterName = "envoy.filters.http.jwt_authn"

Variables

// Exported defaults and error constructors. These are package-level vars,
// not constants, so any importing package can reassign them.
var (
	// DefaultTimeout is 200 milliseconds converted with
	// prototime.DurationToProto.
	// NOTE(review): presumably the default deadline for a call to the extauth
	// server; confirm. Whether a timed-out check denies or allows the request
	// is not decided here (Envoy's ext_authz filter has a failure_mode_allow
	// setting); verify that the generated config fails closed.
	DefaultTimeout = prototime.DurationToProto(200 * time.Millisecond)
	// NoServerRefErr is the error whose message states that no extauth server
	// reference is configured.
	NoServerRefErr = eris.New("no extauth server reference configured")
	// ServerNotFound builds an error stating that the extauth server upstream
	// was not found, and includes the string form of usRef in the message.
	ServerNotFound = func(usRef *core.ResourceRef) error {
		return eris.Errorf("extauth server upstream not found %s", usRef.String())
	}
	// InvalidStatusOnErrorErr builds an error reporting an invalid
	// statusOnError code, and includes the numeric code in the message.
	InvalidStatusOnErrorErr = func(code uint32) error {
		return eris.Errorf("invalid statusOnError code: %d", code)
	}
)

Note that although this configures the "envoy.filters.http.ext_authz" filter, we still want it ordered within the AuthNStage, because we are using this filter for authentication purposes.

Functions

func BuildStagedHttpFilters added in v1.8.0

func BuildStagedHttpFilters(configurationGenerator func() ([]*envoyauth.ExtAuthz, error), stage plugins.FilterStage) ([]plugins.StagedHttpFilter, error)

func GenerateEnvoyConfigForFilter added in v1.8.0

func GenerateEnvoyConfigForFilter(settings *extauthv1.Settings, upstreams v1.UpstreamList) (*envoyauth.ExtAuthz, error)

func GetDisabledAuth added in v1.8.0

func GetDisabledAuth() *envoyauth.ExtAuthzPerRoute

Types

type DefaultConfigGenerator added in v1.8.0

// DefaultConfigGenerator is returned by NewDefaultConfigGenerator, which takes
// a default *extauthv1.Settings. Its exported methods match the method set
// declared by ExtAuthzConfigGenerator.
type DefaultConfigGenerator struct {
	// contains filtered or unexported fields
}

func NewDefaultConfigGenerator added in v1.8.0

func NewDefaultConfigGenerator(defaultSettings *extauthv1.Settings) *DefaultConfigGenerator

func (*DefaultConfigGenerator) GenerateListenerExtAuthzConfig added in v1.8.0

func (d *DefaultConfigGenerator) GenerateListenerExtAuthzConfig(listener *v1.HttpListener, upstreams v1.UpstreamList) ([]*envoyauth.ExtAuthz, error)

func (*DefaultConfigGenerator) GenerateRouteExtAuthzConfig added in v1.8.0

func (d *DefaultConfigGenerator) GenerateRouteExtAuthzConfig(route *v1.Route) (*envoyauth.ExtAuthzPerRoute, error)

func (*DefaultConfigGenerator) GenerateVirtualHostExtAuthzConfig added in v1.8.0

func (d *DefaultConfigGenerator) GenerateVirtualHostExtAuthzConfig(virtualHost *v1.VirtualHost, params plugins.VirtualHostParams) (*envoyauth.ExtAuthzPerRoute, error)

func (*DefaultConfigGenerator) GenerateWeightedDestinationExtAuthzConfig added in v1.8.0

func (d *DefaultConfigGenerator) GenerateWeightedDestinationExtAuthzConfig(weightedDestination *v1.WeightedDestination) (*envoyauth.ExtAuthzPerRoute, error)

func (*DefaultConfigGenerator) IsMulti added in v1.8.0

func (d *DefaultConfigGenerator) IsMulti() bool

type ExtAuthzConfigGenerator added in v1.8.0

// ExtAuthzConfigGenerator is the set of methods that produce ext_authz
// configuration for a listener, a virtual host, a route and a weighted
// destination.
type ExtAuthzConfigGenerator interface {
	// IsMulti returns a bool.
	// NOTE(review): presumably tells the multi-server generator apart from the
	// default one; confirm against the implementations.
	IsMulti() bool
	// GenerateListenerExtAuthzConfig returns a slice of ext_authz filter
	// configs for an HTTP listener, given the list of upstreams.
	GenerateListenerExtAuthzConfig(listener *v1.HttpListener, upstreams v1.UpstreamList) ([]*envoyauth.ExtAuthz, error)
	// GenerateVirtualHostExtAuthzConfig returns the per-route ext_authz config
	// for a virtual host.
	GenerateVirtualHostExtAuthzConfig(virtualHost *v1.VirtualHost, params plugins.VirtualHostParams) (*envoyauth.ExtAuthzPerRoute, error)
	// GenerateRouteExtAuthzConfig returns the per-route ext_authz config for a
	// route.
	GenerateRouteExtAuthzConfig(route *v1.Route) (*envoyauth.ExtAuthzPerRoute, error)
	// GenerateWeightedDestinationExtAuthzConfig returns the per-route
	// ext_authz config for a weighted destination.
	GenerateWeightedDestinationExtAuthzConfig(weightedDestination *v1.WeightedDestination) (*envoyauth.ExtAuthzPerRoute, error)
}

type MultiConfigGenerator added in v1.8.0

// MultiConfigGenerator embeds *DefaultConfigGenerator, so the embedded type's
// methods are promoted to it. It declares its own
// GenerateListenerExtAuthzConfig and IsMulti, which take precedence over the
// promoted versions.
type MultiConfigGenerator struct {
	*DefaultConfigGenerator
}

func NewMultiConfigGenerator added in v1.8.0

func NewMultiConfigGenerator() *MultiConfigGenerator

func (*MultiConfigGenerator) GenerateListenerExtAuthzConfig added in v1.8.0

func (m *MultiConfigGenerator) GenerateListenerExtAuthzConfig(listener *v1.HttpListener, upstreams v1.UpstreamList) ([]*envoyauth.ExtAuthz, error)

func (*MultiConfigGenerator) IsMulti added in v1.8.0

func (m *MultiConfigGenerator) IsMulti() bool

type Plugin

// Plugin is returned by NewCustomAuthPlugin. Its exported methods are Init,
// HttpFilters, ProcessVirtualHost, ProcessRoute, ProcessWeightedDestination,
// PluginName and IsUpgrade.
type Plugin struct {
	// contains filtered or unexported fields
}

func NewCustomAuthPlugin

func NewCustomAuthPlugin() *Plugin

func (*Plugin) HttpFilters

func (p *Plugin) HttpFilters(params plugins.Params, listener *v1.HttpListener) ([]plugins.StagedHttpFilter, error)

func (*Plugin) Init

func (p *Plugin) Init(params plugins.InitParams) error

func (*Plugin) IsUpgrade added in v1.8.0

func (p *Plugin) IsUpgrade() bool

func (*Plugin) PluginName added in v1.8.0

func (p *Plugin) PluginName() string

func (*Plugin) ProcessRoute

func (p *Plugin) ProcessRoute(params plugins.RouteParams, in *v1.Route, out *envoy_config_route_v3.Route) error

This function generates the ext_authz TypedPerFilterConfig for this route:

- if the route defines custom auth configuration, set the filter correspondingly;
- if auth is explicitly disabled, disable the filter (this also applies by default to WeightedDestinations);
- else, do nothing (the route inherits its config from the parent virtual host).

func (*Plugin) ProcessVirtualHost

func (p *Plugin) ProcessVirtualHost(
	params plugins.VirtualHostParams,
	in *v1.VirtualHost,
	out *envoy_config_route_v3.VirtualHost,
) error

This function generates the ext_authz TypedPerFilterConfig for this virtual host. If the ext_authz filter was not configured on the listener, do nothing. If the filter is configured and the virtual host either does not define an extauth configuration or explicitly disables extauth, we disable the ext_authz filter. This disables authentication by default on a virtual host and its child resources (routes, weighted destinations): extauth is currently opt-in, so a virtual host with no extauth configuration is served without an ext_authz check unless a child route or weighted destination defines its own auth configuration.

func (*Plugin) ProcessWeightedDestination

func (p *Plugin) ProcessWeightedDestination(
	params plugins.RouteParams,
	in *v1.WeightedDestination,
	out *envoy_config_route_v3.WeightedCluster_ClusterWeight,
) error

This function generates the ext_authz TypedPerFilterConfig for this weightedDestination:

- if the weightedDestination defines custom auth configuration, set the filter correspondingly;
- if auth is explicitly disabled, disable the filter;
- else, do nothing (the weightedDestination inherits its config from the parent virtual host and/or route).
