Documentation ¶
Index ¶
- Constants
- func IsPublicRoute(u *url.URL, publicRoutes []string) bool
- func JSONError(log logr.Logger, w http.ResponseWriter, errStr string, code int)
- func RegisterAuthServer(mux *http.ServeMux, prefix string, srv *AuthServer, ...) error
- func WithAPIAuth(next http.Handler, srv *AuthServer, publicRoutes []string) http.Handler
- func WithPrincipal(ctx context.Context, p *UserPrincipal) context.Context
- type AdminClaims
- type AuthConfig
- type AuthServer
- type HMACTokenSignerVerifier
- type JWTAdminCookiePrincipalGetter
- type JWTAuthorizationHeaderPrincipalGetter
- type JWTCookiePrincipalGetter
- type LoginRequest
- type MultiAuthPrincipal
- type OIDCConfig
- type PrincipalGetter
- func NewJWTAdminCookiePrincipalGetter(log logr.Logger, verifier TokenSignerVerifier, cookieName string) PrincipalGetter
- func NewJWTAuthorizationHeaderPrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier) PrincipalGetter
- func NewJWTCookiePrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier, cookieName string) PrincipalGetter
- type SessionState
- type TokenSigner
- type TokenSignerVerifier
- type TokenVerifier
- type UserInfo
- type UserPrincipal
Constants ¶
const ( // StateCookieName is the name of the cookie that holds state during auth flow. StateCookieName = "state" // IDTokenCookieName is the name of the cookie that holds the ID Token once // the user has authenticated successfully with the OIDC Provider. IDTokenCookieName = "id_token" // RefreshTokenCookieName is the name of the cookie that holds the refresh // token. RefreshTokenCookieName = "refresh_token" )
const ( LoginOIDC string = "oidc" LoginUsername string = "username" ClusterUserAuthSecretName string = "cluster-user-auth" OIDCAuthSecretName string = "oidc-auth" )
Variables ¶
This section is empty.
Functions ¶
func RegisterAuthServer ¶
func RegisterAuthServer(mux *http.ServeMux, prefix string, srv *AuthServer, loginRequestRateLimit uint64) error
RegisterAuthServer registers the /callback route under a specified prefix. This route is called by the OIDC Provider in order to pass back state after the authentication flow completes.
func WithAPIAuth ¶
WithAPIAuth middleware adds auth validation to API handlers.
Unauthorized requests will be denied with a 401 status code.
func WithPrincipal ¶
func WithPrincipal(ctx context.Context, p *UserPrincipal) context.Context
WithPrincipal sets the principal into the context.
Types ¶
type AdminClaims ¶ added in v0.7.0
type AdminClaims struct {
jwt.StandardClaims
}
type AuthConfig ¶
AuthConfig is used to configure an AuthServer.
func NewAuthServerConfig ¶ added in v0.7.0
func NewAuthServerConfig(log logr.Logger, oidcCfg OIDCConfig, kubernetesClient ctrlclient.Client, tsv TokenSignerVerifier) (AuthConfig, error)
type AuthServer ¶
type AuthServer struct { AuthConfig // contains filtered or unexported fields }
AuthServer interacts with an OIDC issuer to handle the OAuth2 process flow.
func NewAuthServer ¶
func NewAuthServer(ctx context.Context, cfg AuthConfig) (*AuthServer, error)
NewAuthServer creates a new AuthServer object.
func (*AuthServer) Callback ¶ added in v0.7.0
func (s *AuthServer) Callback() http.HandlerFunc
func (*AuthServer) Logout ¶ added in v0.7.0
func (s *AuthServer) Logout() http.HandlerFunc
func (*AuthServer) OAuth2Flow ¶ added in v0.7.0
func (s *AuthServer) OAuth2Flow() http.HandlerFunc
func (*AuthServer) SetRedirectURL ¶
func (s *AuthServer) SetRedirectURL(url string)
SetRedirectURL is used to set the redirect URL. This is meant to be used in unit tests only.
func (*AuthServer) SignIn ¶ added in v0.7.0
func (s *AuthServer) SignIn() http.HandlerFunc
func (*AuthServer) UserInfo ¶ added in v0.7.0
func (s *AuthServer) UserInfo() http.HandlerFunc
UserInfo inspects the cookie and attempts to verify it as an admin token. If successful, it returns a UserInfo object with the email set to the admin token subject. Otherwise it uses the token to query the OIDC provider's user info endpoint and return a UserInfo object back or a 401 status in any other case.
type HMACTokenSignerVerifier ¶ added in v0.7.0
type HMACTokenSignerVerifier struct {
// contains filtered or unexported fields
}
func (*HMACTokenSignerVerifier) Sign ¶ added in v0.7.0
func (sv *HMACTokenSignerVerifier) Sign() (string, error)
func (*HMACTokenSignerVerifier) Verify ¶ added in v0.7.0
func (sv *HMACTokenSignerVerifier) Verify(tokenString string) (*AdminClaims, error)
type JWTAdminCookiePrincipalGetter ¶ added in v0.7.0
type JWTAdminCookiePrincipalGetter struct {
// contains filtered or unexported fields
}
func (*JWTAdminCookiePrincipalGetter) Principal ¶ added in v0.7.0
func (pg *JWTAdminCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
type JWTAuthorizationHeaderPrincipalGetter ¶
type JWTAuthorizationHeaderPrincipalGetter struct {
// contains filtered or unexported fields
}
JWTAuthorizationHeaderPrincipalGetter inspects the Authorization header (bearer token) for a JWT token and returns a principal object.
func (*JWTAuthorizationHeaderPrincipalGetter) Principal ¶
func (pg *JWTAuthorizationHeaderPrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
type JWTCookiePrincipalGetter ¶
type JWTCookiePrincipalGetter struct {
// contains filtered or unexported fields
}
JWTCookiePrincipalGetter inspects a cookie for a JWT token and returns a principal object.
func (*JWTCookiePrincipalGetter) Principal ¶
func (pg *JWTCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
type LoginRequest ¶ added in v0.7.0
LoginRequest represents the data submitted by client when the auth flow (non-OIDC) is used.
type MultiAuthPrincipal ¶
type MultiAuthPrincipal []PrincipalGetter
MultiAuthPrincipal looks for a principal in an array of principal getters and if it finds an error or a principal it returns, otherwise it returns (nil,nil).
func (MultiAuthPrincipal) Principal ¶
func (m MultiAuthPrincipal) Principal(r *http.Request) (*UserPrincipal, error)
type OIDCConfig ¶
type OIDCConfig struct { IssuerURL string ClientID string ClientSecret string RedirectURL string TokenDuration time.Duration }
OIDCConfig is used to configure an AuthServer to interact with an OIDC issuer.
func NewOIDCConfigFromSecret ¶ added in v0.7.0
func NewOIDCConfigFromSecret(secret corev1.Secret) OIDCConfig
type PrincipalGetter ¶
type PrincipalGetter interface { // Principal extracts a principal from the http.Request. // It's not an error for there to be no principal in the request. Principal(r *http.Request) (*UserPrincipal, error) }
PrincipalGetter implementations are responsible for extracting a named principal from an HTTP request.
func NewJWTAdminCookiePrincipalGetter ¶ added in v0.7.0
func NewJWTAdminCookiePrincipalGetter(log logr.Logger, verifier TokenSignerVerifier, cookieName string) PrincipalGetter
func NewJWTAuthorizationHeaderPrincipalGetter ¶
func NewJWTAuthorizationHeaderPrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier) PrincipalGetter
func NewJWTCookiePrincipalGetter ¶
func NewJWTCookiePrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier, cookieName string) PrincipalGetter
type SessionState ¶
SessionState represents the state that needs to be persisted between the AuthN request from the Relying Party (RP) to the authorization endpoint of the OpenID Provider (OP) and the AuthN response back from the OP to the RP's callback URL. This state could be persisted server-side in a data store such as Redis but we prefer to operate stateless so we store this in a cookie instead. The cookie value and the value of the "state" parameter passed in the AuthN request are identical and set to the base64-encoded, JSON serialised state.
https://openid.net/specs/openid-connect-core-1_0.html#Overview https://auth0.com/docs/configure/attack-protection/state-parameters#alternate-redirect-method https://community.auth0.com/t/state-parameter-and-user-redirection/8387/2
type TokenSigner ¶ added in v0.7.0
type TokenSignerVerifier ¶ added in v0.7.0
type TokenSignerVerifier interface { TokenSigner TokenVerifier }
func NewHMACTokenSignerVerifier ¶ added in v0.7.0
func NewHMACTokenSignerVerifier(expireAfter time.Duration) (TokenSignerVerifier, error)
type TokenVerifier ¶ added in v0.7.0
type TokenVerifier interface {
Verify(token string) (*AdminClaims, error)
}
type UserInfo ¶ added in v0.7.0
UserInfo represents the response returned from the user info handler.
type UserPrincipal ¶
UserPrincipal is a simple model for the user, including their ID and Groups.
func Principal ¶
func Principal(ctx context.Context) *UserPrincipal
Principal gets the principal from the context.