Constants ¶
const (
	// RegistrationModePublic, RegistrationModeToken and RegistrationModeDisabled are
	// the supported values for Config.RegistrationMode, which controls whether
	// users may sign up without a registration token. Judging by the names,
	// "public" permits token-less sign-up, "token" requires a registration token
	// and "disabled" turns self-registration off — confirm against the
	// registration handler before relying on this.
	RegistrationModePublic   RegistrationMode = "public"
	RegistrationModeToken    RegistrationMode = "token"
	RegistrationModeDisabled RegistrationMode = "disabled"
)
// Available field types.
//
// These are the values a FieldConfig.Type is expected to take when describing
// the schema of user extra data (presumably checked by
// FieldConfig.ValidateConfig — confirm there).
const (
	FieldTypeString = "string"
	FieldTypeNumber = "number"
	FieldTypeBool   = "bool"
	FieldTypeDate   = "date"
	FieldTypeTime   = "time"
	// FieldTypeObject is a nested structure; its members are presumably
	// described by FieldConfig.Properties.
	FieldTypeObject = "object"
	// FieldTypeList is a homogeneous list; the element schema is presumably
	// described by FieldConfig.ElementType.
	FieldTypeList = "list"
	FieldTypeAny  = "any"
)
Available field types.
// Available field visibilities.
//
// These are the values a FieldConfig.Visibility is expected to take. The
// names suggest: "public" is readable by anyone, "authenticated" by any
// logged-in user, "self" only by the owning user and "private" by nobody
// outside the service — NOTE(review): confirm the exact semantics against
// FieldConfig.ApplyVisibility, since visibility decides which extra-data
// fields leak to other callers.
const (
	FieldVisibilityPublic        = "public"
	FieldVisibilitySelf          = "self"
	FieldVisibilityPrivate       = "private"
	FieldVisibilityAuthenticated = "authenticated"
)
Variables ¶
This section is empty.
Functions ¶
func NewConfigHandler ¶
Types ¶
type Config ¶
// Config is the top-level cisidm configuration. The hcl tags describe the
// configuration-file layout, the json tags its serialized form (presumably
// what NewConfigHandler emits — confirm which fields that handler exposes,
// since nested blocks such as JWT and MailConfig carry secrets).
type Config struct {
	// LogLevel defines the log level to use.
	LogLevel string `json:"log_level" hcl:"log_level,optional"`

	// PolicyConfig holds the configuration for rego policies.
	PolicyConfig PolicyConfig `json:"policy" hcl:"policies,block"`

	// ForwardAuth provides forward auth configuration.
	ForwardAuth ForwardAuthConfig `json:"forward_auth" hcl:"forward_auth,block"`

	// Server holds the server configuration block including CORS, listen addresses
	// and cookie settings.
	Server *Server `hcl:"server,block" json:"server"`

	// JWT holds the JWT configuration.
	JWT *JWT `hcl:"jwt,block" json:"jwt"`

	// UserInterface configures settings for user facing interfaces like the built-in
	// Web-Interface or mail/SMS templates.
	UserInterface *UserInterface `hcl:"ui,block" json:"ui"`

	// DryRun may be set to enable dry-run mode which allows overwriting
	// notification targets.
	DryRun *DryRun `json:"dry_run" hcl:"dry_run,block"`

	// DatabaseURL is the connection URL of the backing database. It is a
	// required setting (no "optional" in the hcl tag) and, as a URL, may embed
	// credentials — treat it as sensitive configuration.
	DatabaseURL string `json:"database_url" hcl:"database_url"`

	// Roles holds a list of role names that should be automatically
	// created when cisidm is started. Those roles are created with deleteProtection
	// enabled.
	// Use this if you want to ensure cisidm has a set of roles that other services
	// rely upon.
	Roles []Role `json:"roles" hcl:"role,block"`

	// Overwrites may hold configuration overwrites per user or role.
	Overwrites []*Overwrite `json:"overwrite" hcl:"overwrite,block"`

	// EnableDynamicRoles controls whether or not roles can be created/updated/deleted
	// via the tkd.idm.v1.RoleService API.
	// This defaults to true if no roles are configured in the configuration file, otherwise,
	// if roles are pre-configured, this defaults to false.
	// To have config defined roles while still allowing role management via the API you need
	// to explicitly set EnableDynamicRoles to true.
	//
	// Note that even if this is enabled, roles configured via the configuration file cannot
	// be modified or deleted.
	//
	// Use Config.DynamicRolesEnabled to read the effective value; the pointer
	// distinguishes "unset" from an explicit false.
	EnableDynamicRoles *bool `json:"enable_dynamic_roles" hcl:"enable_dynamic_roles,optional"`

	// PermissionTrees may be set to true to enable permission trees.
	PermissionTrees bool `json:"permission_trees" hcl:"permission_trees,optional"`

	// Permissions defines the hierarchical set of available permissions.
	// Note that the specified permission tree will be merged into the default set of permissions
	// that are built into cisidm.
	Permissions []string `json:"permissions" hcl:"permissions,optional"`

	// RegistrationMode defines whether or not users are allowed to sign
	// up without a registration token. See the RegistrationMode* constants.
	RegistrationMode RegistrationMode `json:"registration" hcl:"registration,optional"`

	// AllowUsernameChange may be set to true if users are allowed to change their username.
	AllowUsernameChange bool `json:"allow_username_change" hcl:"allow_username_change,optional"`

	// DisableUserAddresses may be set to true to disable user addresses.
	DisableUserAddresses bool `json:"disable_user_addresses" hcl:"disable_user_addresses,optional"`

	// DisablePhoneNumbers may be set to true if phone number support should be disabled.
	DisablePhoneNumbers bool `json:"disable_phone_numbers" hcl:"disable_phone_numbers,optional"`

	// Twilio is required for all SMS related features.
	// TODO(ppacher): print a warning when a SMS feature is enabled
	// but twilio is not configured.
	Twilio *Twilio `json:"twilio" hcl:"twilio,block"`

	// MailConfig is required for all email related features.
	MailConfig *MailConfig `json:"mail" hcl:"mail,block"`

	// ExtraDataConfig defines the schema and visibility for the user extra data.
	ExtraDataConfig []*FieldConfig `json:"field" hcl:"field,block"`

	// WebPush holds VAPID keys for web-push integration.
	WebPush *WebPush `json:"webpush" hcl:"webpush,block"`

	// contains filtered or unexported fields
}
func (Config) DynamicRolesEnabled ¶ added in v0.11.0
func (*Config) PermissionTree ¶ added in v0.9.0
func (file *Config) PermissionTree() permission.Resolver
func (*Config) RefreshTTL ¶ added in v0.9.0
type FieldConfig ¶
// FieldConfig describes the schema of one user extra-data field: its type,
// who may see it, whether it may be written, and — for object and list
// types — the schema of its members. FieldConfig nests recursively.
type FieldConfig struct {
	// Type is the field type; expected to be one of the FieldType* constants
	// (presumably enforced by ValidateConfig — confirm).
	Type string `json:"type" hcl:"type,label"`

	// Name is the field name and, together with Type, forms the HCL block label.
	Name string `json:"name" hcl:"name,label"`

	// Visibility controls who may read the field; expected to be one of the
	// FieldVisibility* constants. ValidateConfig takes the parent's visibility
	// as an argument, which suggests nested fields inherit or are checked
	// against it — confirm before relying on that.
	Visibility string `json:"visibility" hcl:"visibility,optional"`

	// Writeable states whether the field may be written (presumably by the
	// user themselves — confirm). A nil pointer means "not set"; ValidateConfig
	// receives the parent's effective value.
	Writeable *bool `json:"writeable" hcl:"writeable,optional"`

	// Description is a human-readable description of the field.
	Description string `json:"description" hcl:"description,optional"`

	// DisplayName is the label shown in user interfaces.
	DisplayName string `json:"display_name" hcl:"display_name,optional"`

	// Properties describes the members of an object-typed field.
	Properties []*FieldConfig `json:"property" hcl:"property,block"`

	// ElementType describes the element schema of a list-typed field.
	ElementType *FieldConfig `json:"element_type" hcl:"element_type,block"`

	// PossibleValues optionally restricts the field to an enumerated set of values.
	PossibleValues []PossibleValue `json:"possible_value" hcl:"value,block"`
}
FieldConfig describes what user extra data looks like.
func (*FieldConfig) ApplyVisibility ¶
func (*FieldConfig) ValidateConfig ¶
func (fc *FieldConfig) ValidateConfig(fieldVisibility string, writeable bool) error
type ForwardAuthConfig ¶ added in v0.11.0
// ForwardAuthConfig configures forward-auth evaluation: which rego query is
// run, the fail-open/fail-closed default, CORS preflight handling, and the
// names of the response headers through which the authenticated identity is
// passed on. Defaults are filled in by ApplyDefaultsAndValidate.
type ForwardAuthConfig struct {
	// RegoQuery is the rego policy query that cis-idm should perform
	// when evaluating forward auth policies.
	// Defaults to "data.cisidm.forward_auth"
	RegoQuery string `json:"rego_query" hcl:"rego_query,optional"`

	// Default holds the default policy for forward auth queries.
	// This may either be set to "allow" or "deny" (default).
	//
	// Depending on the value of Default cisidm will look for different rules
	// when evaluating policies.
	// If Default is set to "allow", cisidm will evaluate any "deny" rule.
	// If Default is set to "deny", cisidm will evaluate any "allow" rule.
	//
	// "deny" is the fail-closed choice: a request no rule matches is rejected.
	// With "allow", every protected route must be covered by an explicit deny rule.
	Default string `json:"default" hcl:"default,optional"`

	// AllowCORSPreflight might be set to enable or disable automatic pass-through of
	// CORS preflight requests.
	// Defaults to true.
	AllowCORSPreflight *bool `json:"allow_cors_preflight" hcl:"allow_cors_preflight,optional"`

	// The *Header fields name the headers used to convey the authenticated
	// user's attributes. They are pointers so that "unset" can be told apart
	// from an explicitly empty name (presumably meaning "do not emit this
	// header" — confirm in ApplyDefaultsAndValidate). Whatever sits behind
	// cisidm should only trust these headers when the request demonstrably
	// passed through cisidm.
	UserIDHeader             *string `json:"user_id_header" hcl:"user_id_header,optional"`
	UsernameHeader           *string `json:"username_header" hcl:"username_header,optional"`
	MailHeader               *string `json:"mail_header" hcl:"mail_header,optional"`
	RoleHeader               *string `json:"role_header" hcl:"role_header,optional"`
	AvatarURLHeader          *string `json:"avatar_url_header" hcl:"avatar_url_header,optional"`
	DisplayNameHeader        *string `json:"display_name_header" hcl:"display_name_header,optional"`
	ResolvedPermissionHeader *string `json:"permission_header" hcl:"permission_header,optional"`
}
func (*ForwardAuthConfig) ApplyDefaultsAndValidate ¶ added in v0.11.0
func (cfg *ForwardAuthConfig) ApplyDefaultsAndValidate() error
type JSONDuration ¶
func (*JSONDuration) AsDuration ¶
func (d *JSONDuration) AsDuration() time.Duration
func (*JSONDuration) MarshalJSON ¶
func (d *JSONDuration) MarshalJSON() ([]byte, error)
func (*JSONDuration) UnmarshalJSON ¶
func (d *JSONDuration) UnmarshalJSON(blob []byte) error
type JWT ¶ added in v0.9.0
// JWT configures how access and refresh tokens are issued and stored in
// browser cookies. Defaults are filled in by ApplyDefaultsAndValidate.
type JWT struct {
	// Audience is the JWT audience that should be used when issuing access tokens.
	Audience string `json:"audience" hcl:"audience,optional"`

	// Secret is the secret that is used to sign access and refresh tokens.
	// Changing this value during production will invalidate all issued tokens and
	// require all users to re-login.
	//
	// Treat this value as key material: anyone holding it can mint tokens.
	// NOTE(review): the field carries a json tag, so a plain json.Marshal of
	// the config includes it — confirm NewConfigHandler does not expose it.
	Secret string `json:"secret" hcl:"secret"`

	// AccessTokenTTL defines the maximum lifetime for issued access tokens.
	// This defaults to 24h. Users or services requesting an access token
	// may specify a shorter lifetime.
	AccessTokenTTL string `json:"access_token_ttl" hcl:"access_token_ttl,optional"`

	// RefreshTokenTTL defines the lifetime for issued refresh tokens.
	// This defaults to 720h (~1 month)
	// The parsed value is available via Config.RefreshTTL.
	RefreshTokenTTL string `json:"refresh_token_ttl" hcl:"refresh_token_ttl,optional"`

	// AccessTokenCookieName is the name of the cookie used to store the
	// access-token for browser requests. This defaults to cis_idm_access.
	AccessTokenCookieName string `json:"access_token_cookie_name" hcl:"access_token_cookie_name,optional"`

	// RefreshTokenCookieName is the name of the cookie used to store the
	// refresh-token for browser requests. This defaults to cis_idm_refresh.
	RefreshTokenCookieName string `json:"refresh_token_cookie_name" hcl:"refresh_token_cookie_name,optional"`

	// contains filtered or unexported fields
}
func (*JWT) ApplyDefaultsAndValidate ¶ added in v0.9.0
type MailConfig ¶
// MailConfig holds the outbound mail server settings required for all
// email related features.
type MailConfig struct {
	// Host is the mail server host name or address.
	Host string `json:"host" hcl:"host"`

	// Port is the mail server port.
	Port int `json:"port" hcl:"port"`

	// Username is the account used to authenticate against the mail server
	// (serialized as "user").
	Username string `json:"user" hcl:"user"`

	// Password is the credential for Username. NOTE(review): it has a json
	// tag, so it is included in any JSON rendering of the config — confirm
	// NewConfigHandler redacts it.
	Password string `json:"password" hcl:"password"`

	// From is the sender address placed on outgoing mail.
	From string `json:"from" hcl:"from"`

	// AllowInsecure presumably relaxes transport security towards the mail
	// server (plain-text and/or unverified TLS — confirm in the mail client).
	// Leave it false unless the server is reachable only that way.
	AllowInsecure bool `json:"allow_insecure" hcl:"allow_insecure,optional"`

	// UseSSL selects an encrypted connection; note the field is named UseSSL
	// but is serialized as "use_tls". A nil pointer means "not set".
	UseSSL *bool `json:"use_tls" hcl:"use_tls,optional"`
}
type Overwrite ¶ added in v0.9.0
// Overwrite carries per-role or per-user overrides of the JWT token
// lifetimes. Type and ID together form the HCL block label.
type Overwrite struct {
	// Type selects what ID refers to: "role" or "user".
	Type string `json:"type" hcl:"type,label"` // role or user

	// ID is the role or user the overwrite applies to.
	ID string `json:"id" hcl:"id,label"`

	// AccessTokenTTL overrides JWT.AccessTokenTTL for the matching subject.
	AccessTokenTTL string `json:"access_token_ttl" hcl:"access_token_ttl,optional"`

	// RefreshTokenTTL overrides JWT.RefreshTokenTTL for the matching subject;
	// the parsed value is available via Overwrite.RefreshTTL.
	RefreshTokenTTL string `json:"refresh_token_ttl" hcl:"refresh_token_ttl,optional"`

	// contains filtered or unexported fields
}
func (*Overwrite) RefreshTTL ¶ added in v0.11.0
type PolicyConfig ¶ added in v0.9.0
// PolicyConfig holds the configuration for rego policies; defaults are
// filled in by ApplyDefaultsAndValidate.
type PolicyConfig struct {
	// Directories lists directories from which policies are loaded
	// (presumably rego files — confirm in the loader).
	Directories []string `json:"directories" hcl:"directories,optional"`

	// Debug enables policy debugging output.
	Debug bool `json:"debug" hcl:"debug,optional"`

	// Policies holds policies defined inline in the configuration file.
	Policies []Policy `json:"policy" hcl:"policy,block"`
}
func (*PolicyConfig) ApplyDefaultsAndValidate ¶ added in v0.9.0
func (cfg *PolicyConfig) ApplyDefaultsAndValidate() error
type PossibleValue ¶ added in v0.11.0
type RegistrationMode ¶ added in v0.9.0
// RegistrationMode controls whether users may sign up without a registration
// token. See RegistrationModePublic, RegistrationModeToken and
// RegistrationModeDisabled for the supported values.
type RegistrationMode string
type Server ¶ added in v0.9.0
// Server holds the HTTP server settings: listeners, static asset sources,
// CORS origins, cookie attributes, trusted proxy networks and the redirect
// allow-list. Defaults are filled in by ApplyDefaultsAndValidate.
type Server struct {
	// SecureCookie defines whether or not cookies should be set with the
	// Secure attribute. If left empty, SecureCookie will be automatically
	// set depending on the PublicURL field.
	SecureCookie *bool `json:"secure_cookies" hcl:"secure_cookies,optional"`

	// PublicListenAddr defines the listen address for the public listener. This
	// listener requires proper authentication for all endpoints where authentication
	// is specified as required in the protobuf definition.
	// This defaults to :8080
	PublicListenAddr string `json:"public_listener" hcl:"public_listener,optional"`

	// AdminListenAddr defines the listen address for the admin listener.
	// All requests received on this listener will automatically get the idm_superuser
	// role assigned. Be careful to not expose this listener to the public!
	// This defaults to :8081
	//
	// Note that the default binds all interfaces; bind it to a loopback or
	// management address unless the surrounding network already restricts access.
	AdminListenAddr string `json:"admin_listener" hcl:"admin_listener,optional"`

	// StaticFiles defines where cisidm should serve its user interface from.
	// If left empty, the UI is served from the embedded file-system. If set to
	// a file path then all files from within that directory will be served (see http.Dir
	// for possible security implications). If set to a URL (i.e. starting with "http"),
	// a simple one-host reverse proxy is created.
	// During development, you might want to use `ng serve` from the ui/ folder
	// and set StaticFiles to "http://localhost:4200/"
	StaticFiles string `json:"static_files" hcl:"static_files,optional"`

	// ExtraAssetsDirectory can be set to a directory (or HTTP URL)
	// that will be used to serve additional files at the /files endpoint.
	// The same http.Dir considerations as for StaticFiles apply.
	ExtraAssetsDirectory string `json:"extra_assets" hcl:"extra_assets,optional"`

	// AllowedOrigins configures a list of allowed origins for Cross-Origin-Requests.
	// This defaults to the PublicURL as well as http(s)://{{ Domain }}
	AllowedOrigins []string `json:"allowed_origins" hcl:"allowed_origins,optional"`

	// Domain is the parent domain for which cisidm handles authentication. If you
	// have multiple sub-domains hosting your services you want to set this to the
	// parent domain.
	//
	// I.e. if cisidm is running on account.example.com and you have services on
	// foo.example.com and bar.example.com you want to set the Domain field to "example.com"
	Domain string `json:"domain" hcl:"domain"`

	// TrustedNetworks is a list of CIDR network addresses that are considered
	// trusted. Any X-Forwarded-For header from these networks will be parsed
	// and applied.
	//
	// Only list networks you control (typically the reverse proxy in front of
	// cisidm): a client inside a trusted network can set X-Forwarded-For
	// itself and thereby choose the address cisidm attributes the request to.
	TrustedNetworks []string `json:"trusted_networks" hcl:"trusted_networks,optional"`

	// AllowedDomainRedirects is a list of domain names to which cisidm will allow
	// redirection after login/refresh. Keep this list tight; it is what bounds
	// the post-login redirect target.
	AllowedDomainRedirects []string `json:"allowed_redirects" hcl:"allowed_redirects,optional"`
}
func (*Server) ApplyDefaultsAndValidate ¶ added in v0.9.0
type UserInterface ¶ added in v0.9.0
// UserInterface configures the user facing parts of cisidm: site branding,
// the public base URL and the format strings for every URL that is handed to
// users (login/refresh redirects, password reset, mail verification and
// registration links). Defaults are filled in by ApplyDefaultsAndValidate.
// Each format string takes exactly one %s argument as documented per field.
type UserInterface struct {
	// SiteName can be used to specify the name of the cisidm instance and will be displayed
	// at the login screen and throughout the user interface. This defaults to Example
	// so you will likely want to set this field as well.
	SiteName string `json:"site_name" hcl:"site_name"`

	// SiteNameURL can be set to a URL that will be used to create a HTML link on the login
	// page.
	SiteNameURL string `json:"site_name_url" hcl:"site_name_url,optional"`

	// LoginRedirectURL defines the format string to build the redirect URL in the /validate
	// endpoint in case a user needs to authenticate.
	// If left empty, it defaults to {{ PublicURL }}/login?redirect=%s
	LoginRedirectURL string `json:"login_url" hcl:"login_url,optional"`

	// RefreshRedirectURL defines the format string to build the redirect URL in the /validate
	// endpoint in case a user needs to request a new access token.
	// If left empty, it defaults to {{ PublicURL }}/refresh?redirect=%s
	RefreshRedirectURL string `json:"refresh_url" hcl:"refresh_url,optional"`

	// PasswordResetURL defines the format string to build the password reset URL.
	// If left empty, it defaults to {{ PublicURL }}/password/reset?token=%s
	PasswordResetURL string `json:"password_reset_url" hcl:"password_reset_url,optional"`

	// VerifyMailURL defines the format string to build the verify-email address URL.
	// If left empty, it defaults to {{ PublicURL }}/verify-mail?token=%s
	VerifyMailURL string `json:"verify_mail_url" hcl:"verify_mail_url,optional"`

	// RegistrationURL defines the format string to build the invitation address URL.
	// If left empty, it defaults to {{ PublicURL }}/registration?token=%s
	RegistrationURL string `json:"registration_url" hcl:"registration_url,optional"`

	// LogoURL may be set to a path or HTTP resource that should be displayed as the
	// application logo on the login screen.
	LogoURL string `json:"logo_url" hcl:"logo_url,optional"`

	// PublicURL defines the public URL at which cisidm is reachable from the outside.
	// This value MUST be set. It is the base for all default URL format
	// strings above and feeds Server.SecureCookie and Server.AllowedOrigins.
	PublicURL string `json:"public_url" hcl:"public_url"`
}
func (*UserInterface) ApplyDefaultsAndValidate ¶ added in v0.9.0
func (ui *UserInterface) ApplyDefaultsAndValidate() error