Documentation ¶
Index ¶
- Constants
- Variables
- func NewGrantCheck(check GrantChecker, handler GrantHandler, errorHandler GrantErrorHandler) osinserver.AuthorizeHandler
- type AccessAuthenticator
- type AuthenticationChallenger
- type AuthenticationErrorHandler
- type AuthenticationErrorHandlers
- type AuthenticationHandler
- type AuthenticationRedirector
- type AuthenticationRedirectors
- type AuthenticationSelectionHandler
- type AuthenticationSuccessHandler
- type AuthenticationSuccessHandlers
- type AuthorizeAuthenticator
- type EmptyAuth
- type EmptyError
- type EmptySuccess
- type GrantCheck
- type GrantChecker
- type GrantErrorHandler
- type GrantHandler
- type ProviderInfo
- type TokenMaxAgeSeconds
Constants ¶
const ( // WarningHeaderMiscCode is the code for "Miscellaneous warning", which may be displayed to human users WarningHeaderMiscCode = "199" // WarningHeaderOpenShiftSource is the name of the agent adding the warning header WarningHeaderOpenShiftSource = "Origin" )
Variables ¶
var Allow = &fixedAuthenticator{true}
Allow implements Password, Assertion, and Client authentication to allow all requests
var Deny = &fixedAuthenticator{false}
Deny implements Password, Assertion, and Client authentication to deny all requests
Functions ¶
func NewGrantCheck ¶
func NewGrantCheck(check GrantChecker, handler GrantHandler, errorHandler GrantErrorHandler) osinserver.AuthorizeHandler
NewGrantCheck returns a new GrantCheck
Types ¶
type AccessAuthenticator ¶
type AccessAuthenticator struct {
// contains filtered or unexported fields
}
AccessAuthenticator implements osinserver.AccessHandler to ensure non-token requests are authenticated
func NewAccessAuthenticator ¶
func NewAccessAuthenticator(password authenticator.Password, assertion openshiftauthenticator.Assertion, client openshiftauthenticator.Client) *AccessAuthenticator
NewAccessAuthenticator returns a new AccessAuthenticator
func NewDenyAccessAuthenticator ¶
func NewDenyAccessAuthenticator() *AccessAuthenticator
NewDenyAccessAuthenticator returns an AccessAuthenticator which rejects all non-token access requests
func (*AccessAuthenticator) HandleAccess ¶
func (h *AccessAuthenticator) HandleAccess(ar *osin.AccessRequest, w http.ResponseWriter) error
HandleAccess implements osinserver.AccessHandler
type AuthenticationChallenger ¶
type AuthenticationChallenger interface { // AuthenticationChallenge take a request and return whatever challenge headers are appropriate. If none are appropriate, it should return an empty map, not nil. AuthenticationChallenge(req *http.Request) (header http.Header, err error) }
AuthenticationChallenger reacts to unauthenticated requests with challenges
type AuthenticationErrorHandler ¶
type AuthenticationErrorHandler interface { // AuthenticationError reacts to authentication errors, returns true if the response was written, // and returns any unhandled error (which should be the original error in most cases) AuthenticationError(error, http.ResponseWriter, *http.Request) (handled bool, err error) }
AuthenticationErrorHandler reacts to authentication errors
type AuthenticationErrorHandlers ¶
type AuthenticationErrorHandlers []AuthenticationErrorHandler
AuthenticationErrorHandlers combines multiple AuthenticationErrorHandler objects into a chain. Each handler is called in turn. If any handler writes the response, the chain is aborted. Otherwise, the next handler is called with the error returned from the previous handler.
func (AuthenticationErrorHandlers) AuthenticationError ¶
func (all AuthenticationErrorHandlers) AuthenticationError(err error, w http.ResponseWriter, req *http.Request) (bool, error)
type AuthenticationHandler ¶
type AuthenticationHandler interface { // AuthenticationNeeded reacts to unauthenticated requests, and returns true if the response was written, AuthenticationNeeded(client api.Client, w http.ResponseWriter, req *http.Request) (handled bool, err error) }
AuthenticationHandler reacts to unauthenticated requests
func NewUnionAuthenticationHandler ¶
func NewUnionAuthenticationHandler(passedChallengers map[string]AuthenticationChallenger, passedRedirectors *AuthenticationRedirectors, errorHandler AuthenticationErrorHandler, selectionHandler AuthenticationSelectionHandler, requestContextMapper request.RequestContextMapper) AuthenticationHandler
NewUnionAuthenticationHandler returns an oauth.AuthenticationHandler that muxes multiple challenge handlers and redirect handlers
type AuthenticationRedirector ¶
type AuthenticationRedirector interface { // AuthenticationRedirect is expected to write a redirect to the ResponseWriter or to return an error. AuthenticationRedirect(w http.ResponseWriter, req *http.Request) (err error) }
AuthenticationRedirector reacts to unauthenticated requests with redirects
type AuthenticationRedirectors ¶ added in v1.1.6
type AuthenticationRedirectors struct {
// contains filtered or unexported fields
}
AuthenticationRedirectors is a collection that provides a list of acceptable authentication mechanisms
func (*AuthenticationRedirectors) Add ¶ added in v1.1.6
func (ar *AuthenticationRedirectors) Add(name string, redirector AuthenticationRedirector)
Add a name and a matching redirection routine to the list The entries added here will be retained in FIFO ordering.
func (*AuthenticationRedirectors) Count ¶ added in v1.1.6
func (ar *AuthenticationRedirectors) Count() int
Get a count of the AuthenticationRedirectors
func (*AuthenticationRedirectors) Get ¶ added in v1.1.6
func (ar *AuthenticationRedirectors) Get(name string) (AuthenticationRedirector, bool)
Get the AuthenticationRedirector associated with a name. Also returns a boolean indicating whether the name matched
func (*AuthenticationRedirectors) GetNames ¶ added in v1.1.6
func (ar *AuthenticationRedirectors) GetNames() []string
Get the ordered list of names
type AuthenticationSelectionHandler ¶ added in v1.1.2
type AuthenticationSelectionHandler interface { // SelectAuthentication will choose which identity provider to use for login or handle the request // If the request is being handled, such as rendering a login provider selection page, then handled will // be true and selected will be nil. If the request is not handled then a provider may be selected, // if a provider could not be selected then selected will be nil. SelectAuthentication([]ProviderInfo, http.ResponseWriter, *http.Request) (selected *ProviderInfo, handled bool, err error) }
AuthenticationSelectionHandler is responsible for selecting which identity provider to use for login
type AuthenticationSuccessHandler ¶
type AuthenticationSuccessHandler interface { // AuthenticationSucceeded reacts to a user authenticating, returns true if the response was written, // and returns false if the response was not written. AuthenticationSucceeded(user user.Info, state string, w http.ResponseWriter, req *http.Request) (bool, error) }
AuthenticationSuccessHandler reacts to a user authenticating
type AuthenticationSuccessHandlers ¶
type AuthenticationSuccessHandlers []AuthenticationSuccessHandler
AuthenticationSuccessHandlers combines multiple AuthenticationSuccessHandler objects into a chain. On success, each handler is called. If any handler writes the response or returns an error, the chain is aborted.
func (AuthenticationSuccessHandlers) AuthenticationSucceeded ¶
func (all AuthenticationSuccessHandlers) AuthenticationSucceeded(user user.Info, state string, w http.ResponseWriter, req *http.Request) (bool, error)
type AuthorizeAuthenticator ¶
type AuthorizeAuthenticator struct {
// contains filtered or unexported fields
}
AuthorizeAuthenticator implements osinserver.AuthorizeHandler to ensure requests are authenticated
func NewAuthorizeAuthenticator ¶
func NewAuthorizeAuthenticator(request authenticator.Request, handler AuthenticationHandler, errorHandler AuthenticationErrorHandler) *AuthorizeAuthenticator
NewAuthorizeAuthenticator returns a new Authenticator
func (*AuthorizeAuthenticator) HandleAuthorize ¶
func (h *AuthorizeAuthenticator) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error)
HandleAuthorize implements osinserver.AuthorizeHandler to ensure the AuthorizeRequest is authenticated. If the request is authenticated, UserData and Authorized are set and false is returned. If the request is not authenticated, the auth handler is called and the request is not authorized
type EmptyError ¶
type EmptyError struct{}
func (EmptyError) AuthenticationError ¶
func (EmptyError) AuthenticationError(err error, w http.ResponseWriter, req *http.Request) (bool, error)
func (EmptyError) GrantError ¶
func (EmptyError) GrantError(err error, w http.ResponseWriter, req *http.Request) (bool, error)
type EmptySuccess ¶
type EmptySuccess struct{}
func (EmptySuccess) AuthenticationSucceeded ¶
func (EmptySuccess) AuthenticationSucceeded(user user.Info, state string, w http.ResponseWriter, req *http.Request) (bool, error)
type GrantCheck ¶
type GrantCheck struct {
// contains filtered or unexported fields
}
GrantCheck implements osinserver.AuthorizeHandler to ensure requested scopes have been authorized
func (*GrantCheck) HandleAuthorize ¶
func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error)
HandleAuthorize implements osinserver.AuthorizeHandler to ensure the requested scopes have been authorized. The AuthorizeRequest.Authorized field must already be set to true for the grant check to occur. If the requested scopes are authorized, the AuthorizeRequest is unchanged. If the requested scopes are not authorized, or an error occurs, AuthorizeRequest.Authorized is set to false. If the response is written, true is returned. If the response is not written, false is returned.
type GrantChecker ¶
type GrantChecker interface { // HasAuthorizedClient returns true if the user has authorized the client for the requested grant HasAuthorizedClient(user user.Info, grant *api.Grant) (bool, error) }
GrantChecker is responsible for determining if a user has authorized a client for a requested grant
type GrantErrorHandler ¶
type GrantErrorHandler interface { // GrantError reacts to grant errors, returns true if the response was written, // and returns any unhandled error (which could be the original error) GrantError(error, http.ResponseWriter, *http.Request) (handled bool, err error) }
GrantErrorHandler reacts to grant errors
type GrantHandler ¶
type GrantHandler interface { // GrantNeeded reacts when a client requests an unauthorized grant, and returns true if the response was written // granted is true if authorization was granted // handled is true if the response was already written GrantNeeded(user user.Info, grant *api.Grant, w http.ResponseWriter, req *http.Request) (granted, handled bool, err error) }
GrantHandler handles errors during the grant process, or the client requests an unauthorized grant
func NewAutoGrant ¶
func NewAutoGrant() GrantHandler
NewAutoGrant returns a grant handler that automatically approves client authorizations
func NewPerClientGrant ¶ added in v1.3.0
func NewPerClientGrant(prompt GrantHandler, defaultMethod oauthapi.GrantHandlerType) GrantHandler
NewPerClientGrant returns a grant handler that determines what to do based on the grant method in the client
func NewRedirectGrant ¶
func NewRedirectGrant(subpath string) GrantHandler
NewRedirectGrant returns a grant handler that redirects to the given subpath when a grant is needed. The following query parameters are added to the URL:
then - original request URL client_id - requesting client's ID scopes - grant scope requested redirect_uri - original authorize request redirect_uri
type ProviderInfo ¶ added in v1.1.2
type ProviderInfo struct { // Name is unique and corresponds to the name of the identity provider in the oauth configuration Name string // URL to login using this identity provider URL string }
ProviderInfo represents display information for an oauth identity provider. This is used by the selection provider template to render links to login using different identity providers.
type TokenMaxAgeSeconds ¶
type TokenMaxAgeSeconds interface { // GetTokenMaxAgeSeconds returns the max age of the token in seconds. // 0 means no expiration. // nil means to use the default expiration. GetTokenMaxAgeSeconds() *int32 }