Documentation ¶
Constants ¶
const ( // StateCookieName is the name of the cookie that holds state during auth flow. StateCookieName = "state" // IDTokenCookieName is the name of the cookie that holds the ID Token once // the user has authenticated successfully with the OIDC Provider. IDTokenCookieName = "id_token" // AccessTokenCookieName is the name of the cookie that holds the access token once // the user has authenticated successfully with the OIDC Provider. It's used for further // resource requests from the provider. AccessTokenCookieName = "access_token" // RefreshTokenCookieName is the name of the cookie that holds the refresh token once // the user has authenticated successfully with the OIDC Provider. It's used to refresh // the id and access tokens once expired. RefreshTokenCookieName = "refresh_token" // AuthorizationTokenHeaderName is the name of the header that holds the bearer token // used for token passthrough authentication. AuthorizationTokenHeaderName = "Authorization" // ScopeEmail is the "email" scope ScopeEmail = "email" // ScopeGroups is the "groups" scope ScopeGroups = "groups" )
const ( LoginOIDC string = "oidc" LoginUsername string = "username" ClusterUserAuthSecretName string = "cluster-user-auth" DefaultOIDCAuthSecretName string = "oidc-auth" FeatureFlagClusterUser string = "CLUSTER_USER_AUTH" FeatureFlagAnonymousAuth string = "ANONYMOUS_AUTH" FeatureFlagOIDCAuth string = "OIDC_AUTH" FeatureFlagOIDCPassthrough string = "WEAVE_GITOPS_FEATURE_OIDC_AUTH_PASSTHROUGH" // ClaimUsername is the default claim for getting the user from OIDC for // auth ClaimUsername string = "email" // ClaimGroups is the default claim for getting the groups from OIDC for // auth ClaimGroups string = "groups" )
Variables ¶
var DefaultScopes = []string{ oidc.ScopeOpenID, oidc.ScopeOfflineAccess, ScopeEmail, ScopeGroups, }
DefaultScopes is the set of scopes that we require.
Functions ¶
func AllUserAuthMethods ¶ added in v0.31.0
func AllUserAuthMethods() []string
AllUserAuthMethods returns all the auth methods that can be configured via the auth-methods flag. `Anonymous` is not included, as it is configured via the separate --insecure-no-auth flag.
func DefaultAuthMethodStrings ¶ added in v0.9.2
func DefaultAuthMethodStrings() []string
func Groups ¶ added in v0.9.4
func Groups(groups []string) func(*UserPrincipal)
Groups is an option func for NewUserPrincipal that configures the groups.
func ID ¶ added in v0.9.4
func ID(id string) func(*UserPrincipal)
ID is an option func for NewUserPrincipal that configures the ID.
func ParseAuthMethodArray ¶ added in v0.9.2
func ParseAuthMethodArray(authStrings []string) (map[AuthMethod]bool, error)
func RegisterAuthServer ¶
func RegisterAuthServer(mux *http.ServeMux, prefix string, srv *AuthServer, loginRequestRateLimit uint64) error
RegisterAuthServer registers the /callback route under a specified prefix. This route is called by the OIDC Provider in order to pass back state after the authentication flow completes.
func Token ¶ added in v0.9.4
func Token(tok string) func(*UserPrincipal)
Token is an option func for NewUserPrincipal that sets the token.
func WithAPIAuth ¶
func WithAPIAuth(next http.Handler, srv *AuthServer, publicRoutes []string, sm SessionManager) http.Handler
WithAPIAuth middleware adds auth validation to API handlers.
Unauthorized requests will be denied with a 401 status code.
func WithPrincipal ¶
func WithPrincipal(ctx context.Context, p *UserPrincipal) context.Context
WithPrincipal sets the principal into the context.
Types ¶
type AdminClaims ¶ added in v0.7.0
type AdminClaims struct {
jwt.RegisteredClaims
}
type AnonymousPrincipalGetter ¶ added in v0.31.0
type AnonymousPrincipalGetter struct {
// contains filtered or unexported fields
}
AnonymousPrincipalGetter will always succeed.
The principal it returns will have the configured name.
func (*AnonymousPrincipalGetter) Principal ¶ added in v0.31.0
func (pg *AnonymousPrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
type AuthMethod ¶ added in v0.9.2
type AuthMethod uint8
const ( // User & password read from a secret UserAccount AuthMethod = iota // OIDC authentication (recommended) OIDC // EE CLI tokens TokenPassthrough // Anonymous Anonymous )
func DefaultAuthMethods ¶ added in v0.9.2
func DefaultAuthMethods() []AuthMethod
DefaultAuthMethods is a function that mimics a const slice.
func ParseAuthMethod ¶ added in v0.9.2
func ParseAuthMethod(text string) (AuthMethod, error)
func (*AuthMethod) String ¶ added in v0.9.2
func (am *AuthMethod) String() string
func (*AuthMethod) UnmarshalText ¶ added in v0.9.2
func (am *AuthMethod) UnmarshalText(text []byte) error
type AuthParams ¶ added in v0.31.0
type AuthParams struct { OIDCConfig OIDCConfig OIDCSecretName string AuthMethodStrings []string NoAuthUser string Namespace string SessionManager *scs.SessionManager }
AuthParams provides the configuration for the AuthServer.
type AuthServer ¶
type AuthServer struct { AuthServerConfig // contains filtered or unexported fields }
AuthServer interacts with an OIDC issuer to handle the OAuth2 process flow.
func InitAuthServer ¶ added in v0.9.2
func InitAuthServer(ctx context.Context, log logr.Logger, rawKubernetesClient ctrlclient.Client, authParams AuthParams) (*AuthServer, error)
InitAuthServer creates a new AuthServer and configures it for the correct authentication methods.
func NewAuthServer ¶
func NewAuthServer(ctx context.Context, cfg *AuthServerConfig) (*AuthServer, error)
NewAuthServer creates a new AuthServer object.
func (*AuthServer) Callback ¶ added in v0.7.0
func (s *AuthServer) Callback(rw http.ResponseWriter, r *http.Request)
func (*AuthServer) Logout ¶ added in v0.7.0
func (s *AuthServer) Logout(rw http.ResponseWriter, r *http.Request)
func (*AuthServer) OAuth2Flow ¶ added in v0.7.0
func (s *AuthServer) OAuth2Flow() http.HandlerFunc
func (*AuthServer) Refresh ¶ added in v0.15.0
func (s *AuthServer) Refresh(rw http.ResponseWriter, r *http.Request) (*UserPrincipal, error)
Refresh is used to refresh the access token and id token. It updates the cookies on the response with the new tokens. It returns the new user principal.
func (*AuthServer) RefreshHandler ¶ added in v0.30.0
func (s *AuthServer) RefreshHandler(rw http.ResponseWriter, r *http.Request)
func (*AuthServer) SetRedirectURL ¶
func (s *AuthServer) SetRedirectURL(url string)
SetRedirectURL is used to set the redirect URL. This is meant to be used in unit tests only.
func (*AuthServer) SignIn ¶ added in v0.7.0
func (s *AuthServer) SignIn() http.HandlerFunc
func (*AuthServer) UserInfo ¶ added in v0.7.0
func (s *AuthServer) UserInfo(rw http.ResponseWriter, r *http.Request)
UserInfo inspects the cookie and attempts to verify it as an admin token. If successful, it returns a UserInfo object with the email set to the admin token subject. Otherwise it uses the token to query the OIDC provider's user info endpoint and returns a UserInfo object; in any other case it responds with a 401 status.
type AuthServerConfig ¶ added in v0.31.0
type AuthServerConfig struct { Log logr.Logger OIDCConfig OIDCConfig SessionManager SessionManager // contains filtered or unexported fields }
AuthServerConfig is used to configure an AuthServer.
func NewAuthServerConfig ¶ added in v0.7.0
func NewAuthServerConfig(log logr.Logger, oidcCfg OIDCConfig, kubernetesClient ctrlclient.Client, tsv TokenSignerVerifier, namespace string, authMethods map[AuthMethod]bool, noAuthUser string, sm SessionManager) (*AuthServerConfig, error)
NewAuthServerConfig creates and returns a new AuthServerConfig.
The oidcCfg.IssuerURL and oidcCfg.RedirectURL are given a light validation to ensure they are valid URLs.
type BearerTokenPassthroughPrincipalGetter ¶ added in v0.9.1
type BearerTokenPassthroughPrincipalGetter struct {
// contains filtered or unexported fields
}
BearerTokenPassthroughPrincipalGetter inspects the Authorization header (bearer token) and returns it within a principal object.
func (*BearerTokenPassthroughPrincipalGetter) Principal ¶ added in v0.9.1
func (pg *BearerTokenPassthroughPrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
Principal is an implementation of the PrincipalGetter interface.
Headers of the form Authorization: Bearer <token> are stored within a UserPrincipal. The token is not verified, and no ID or Group information will be available.
type ClaimsConfig ¶ added in v0.12.0
ClaimsConfig provides the keys used to extract the details for a Principal from a set of JWT claims.
func (*ClaimsConfig) PrincipalFromClaims ¶ added in v0.12.0
func (c *ClaimsConfig) PrincipalFromClaims(token claimsToken) (*UserPrincipal, error)
PrincipalFromClaims takes a token and parses the claims using the configuration and returns a configured UserPrincipal with the details in the claims.
type HMACTokenSignerVerifier ¶ added in v0.7.0
type HMACTokenSignerVerifier struct {
// contains filtered or unexported fields
}
func NewHMACTokenSignerVerifier ¶ added in v0.7.0
func NewHMACTokenSignerVerifier(expireAfter time.Duration) (*HMACTokenSignerVerifier, error)
func (*HMACTokenSignerVerifier) SetDevMode ¶ added in v0.7.0
func (sv *HMACTokenSignerVerifier) SetDevMode(enabled bool)
func (*HMACTokenSignerVerifier) Sign ¶ added in v0.7.0
func (sv *HMACTokenSignerVerifier) Sign(subject string) (string, error)
func (*HMACTokenSignerVerifier) Verify ¶ added in v0.7.0
func (sv *HMACTokenSignerVerifier) Verify(tokenString string) (*AdminClaims, error)
type JWTAdminCookiePrincipalGetter ¶ added in v0.7.0
type JWTAdminCookiePrincipalGetter struct {
// contains filtered or unexported fields
}
func (*JWTAdminCookiePrincipalGetter) Principal ¶ added in v0.7.0
func (pg *JWTAdminCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
type JWTAuthorizationHeaderPrincipalGetter ¶
type JWTAuthorizationHeaderPrincipalGetter struct {
// contains filtered or unexported fields
}
JWTAuthorizationHeaderPrincipalGetter inspects the Authorization header (bearer token) for a JWT token and returns a principal object.
func (*JWTAuthorizationHeaderPrincipalGetter) Principal ¶
func (pg *JWTAuthorizationHeaderPrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
type JWTCookiePrincipalGetter ¶
type JWTCookiePrincipalGetter struct {
// contains filtered or unexported fields
}
JWTCookiePrincipalGetter inspects a cookie for a JWT token and returns a principal object.
func (*JWTCookiePrincipalGetter) Principal ¶
func (pg *JWTCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
type JWTPassthroughCookiePrincipalGetter ¶ added in v0.9.4
type JWTPassthroughCookiePrincipalGetter struct {
// contains filtered or unexported fields
}
JWTPassthroughCookiePrincipalGetter inspects a cookie for a JWT token and returns a principal value.
The JWT Token is parsed, and the token and user/groups are available.
func (*JWTPassthroughCookiePrincipalGetter) Principal ¶ added in v0.9.4
func (pg *JWTPassthroughCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
Principal implements PrincipalGetter by parsing the cookie; if the token is valid, it stores the token and user details on the principal.
type LoginRequest ¶ added in v0.7.0
LoginRequest represents the data submitted by client when the auth flow (non-OIDC) is used.
type MultiAuthPrincipal ¶
type MultiAuthPrincipal struct { Log logr.Logger Getters []PrincipalGetter }
MultiAuthPrincipal looks for a principal by trying an array of principal getters in order. It returns as soon as a getter yields either an error or a principal; if none does, it returns (nil, nil).
func (MultiAuthPrincipal) Principal ¶
func (m MultiAuthPrincipal) Principal(r *http.Request) (*UserPrincipal, error)
type OIDCConfig ¶
type OIDCConfig struct { IssuerURL string ClientID string ClientSecret string RedirectURL string TokenDuration time.Duration Scopes []string ClaimsConfig *ClaimsConfig UsernamePrefix string GroupsPrefix string }
OIDCConfig is used to configure an AuthServer to interact with an OIDC issuer.
func NewOIDCConfigFromSecret ¶ added in v0.7.0
func NewOIDCConfigFromSecret(secret corev1.Secret) OIDCConfig
NewOIDCConfigFromSecret takes a corev1.Secret and extracts the fields.
The following keys are required in the secret:
- issuerURL
- clientID
- clientSecret
- redirectURL
The following keys are optional:
- tokenDuration - defaults to 1 hour
- claimUsername - defaults to "email"
- claimGroups - defaults to "groups"
- customScopes - defaults to "openid", "offline_access", "email", "groups"
type PrincipalGetter ¶
type PrincipalGetter interface { // Principal extracts a principal from the http.Request. // It's not an error for there to be no principal in the request. Principal(r *http.Request) (*UserPrincipal, error) }
PrincipalGetter implementations are responsible for extracting a named principal from an HTTP request.
func NewAnonymousPrincipalGetter ¶ added in v0.31.0
func NewAnonymousPrincipalGetter(log logr.Logger, name string) PrincipalGetter
func NewBearerTokenPassthroughPrincipalGetter ¶ added in v0.9.1
func NewBearerTokenPassthroughPrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier, headerName string, kubernetesClient client.Client) PrincipalGetter
NewBearerTokenPassthroughPrincipalGetter creates a new implementation of the PrincipalGetter interface that can decode and verify OIDC Bearer tokens from a named request header.
func NewJWTAdminCookiePrincipalGetter ¶ added in v0.7.0
func NewJWTAdminCookiePrincipalGetter(log logr.Logger, verifier TokenSignerVerifier, cookieName string, sm SessionManager) PrincipalGetter
func NewJWTAuthorizationHeaderPrincipalGetter ¶
func NewJWTAuthorizationHeaderPrincipalGetter(log logr.Logger, verifier tokenVerifier, config *ClaimsConfig) PrincipalGetter
func NewJWTCookiePrincipalGetter ¶
func NewJWTCookiePrincipalGetter(log logr.Logger, verifier tokenVerifier, config *ClaimsConfig, cookieName string, sm SessionManager) PrincipalGetter
NewJWTCookiePrincipalGetter looks for a cookie with the provided name and treats its value as a JWT token that can be decoded to a Principal.
func NewJWTPassthroughCookiePrincipalGetter ¶ added in v0.9.4
func NewJWTPassthroughCookiePrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier, cookieName string, sm SessionManager) PrincipalGetter
NewJWTPassthroughCookiePrincipalGetter creates and returns a new JWTPassthroughCookiePrincipalGetter.
type SessionManager ¶ added in v0.31.0
type SessionManager interface { LoadAndSave(next http.Handler) http.Handler GetString(context.Context, string) string Remove(context.Context, string) Put(ctx context.Context, key string, val interface{}) Destroy(ctx context.Context) error }
SessionManager implementations provide session storage for requests.
type SessionState ¶
SessionState represents the state that needs to be persisted between the AuthN request from the Relying Party (RP) to the authorization endpoint of the OpenID Provider (OP) and the AuthN response back from the OP to the RP's callback URL. This state could be persisted server-side in a data store such as Redis but we prefer to operate stateless so we store this in a cookie instead. The cookie value and the value of the "state" parameter passed in the AuthN request are identical and set to the base64-encoded, JSON serialised state.
https://openid.net/specs/openid-connect-core-1_0.html#Overview https://auth0.com/docs/configure/attack-protection/state-parameters#alternate-redirect-method https://community.auth0.com/t/state-parameter-and-user-redirection/8387/2
type TokenSigner ¶ added in v0.7.0
type TokenSignerVerifier ¶ added in v0.7.0
type TokenSignerVerifier interface { TokenSigner TokenVerifier }
type TokenVerifier ¶ added in v0.7.0
type TokenVerifier interface {
Verify(token string) (*AdminClaims, error)
}
type UserInfo ¶ added in v0.7.0
type UserInfo struct { Email string `json:"email"` ID string `json:"id"` Groups []string `json:"groups"` }
UserInfo represents the response returned from the user info handler.
type UserPrincipal ¶
type UserPrincipal struct { ID string `json:"id"` Groups []string `json:"groups"` // contains filtered or unexported fields }
UserPrincipal is a simple model for the user, including their ID and Groups.
func NewUserPrincipal ¶ added in v0.9.4
func NewUserPrincipal(opts ...func(*UserPrincipal)) *UserPrincipal
NewUserPrincipal creates a new Principal and applies the configuration options.
func Principal ¶
func Principal(ctx context.Context) *UserPrincipal
Principal gets the principal from the context.
func (*UserPrincipal) Hash ¶ added in v0.15.0
func (p *UserPrincipal) Hash() string
Hash returns a unique string derived from the user ID, token and groups.
func (*UserPrincipal) SetToken ¶ added in v0.9.4
func (p *UserPrincipal) SetToken(t string)
SetToken allows setting of the private access token.
func (*UserPrincipal) String ¶ added in v0.9.1
func (p *UserPrincipal) String() string
String returns the Principal ID and Groups as a string.
func (UserPrincipal) Token ¶ added in v0.9.1
func (p UserPrincipal) Token() string
Token returns the private access token for this principal.
func (*UserPrincipal) Valid ¶ added in v0.9.4
func (p *UserPrincipal) Valid() bool