authproxy

package
v0.0.0-...-f3bf748 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 27, 2024 License: BSD-3-Clause Imports: 29 Imported by: 0

Documentation

Overview

Package authproxy is a reverse proxy that runs in front of applications and takes care of authentication.

This is useful for applications like Promentheus that doesn't handle authentication itself, so we can run it behind auth-proxy to restrict access.

The auth-proxy application also adds the X-WEBAUTH-USER header to each authenticated request and gives it the value of the logged in users email address, which can be used for audit logging. The application running behind auth-proxy should then use:

https://pkg.go.dev/go.skia.org/infra/go/alogin/proxylogin

When using --cria_group this application should be run using work-load identity with a service account that as read access to CRIA, such as:

skia-auth-proxy-cria-reader@skia-public.iam.gserviceaccount.com

See also:

https://chrome-infra-auth.appspot.com/auth/groups/project-skia-auth-service-access

https://grafana.com/blog/2015/12/07/grafana-authproxy-have-it-your-way/

Index

Constants

View Source
const (

	// WebAuthHeaderName is the name of the header sent to the application that
	// contains the users email address.
	WebAuthHeaderName = "X-WEBAUTH-USER"

	// WebAuthRoleHeaderName is the name of the header sent to the application
	// that contains the users Roles.
	WebAuthRoleHeaderName = "X-WEBAUTH-ROLES"
)

Variables

View Source
var AllValidAuthTypes = []AuthType{OAuth2, ProtoHeader, Mocked}

AllValidAuthTypes is a list of all valid AuthTypes.

Functions

func Main

func Main() error

Main constructs and runs the application. This function will only return on failure.

Types

type App

type App struct {
	// contains filtered or unexported fields
}

App is the auth-proxy application.

func New

func New(ctx context.Context) (*App, error)

New returns a new *App.

func (*App) Flagset

func (a *App) Flagset() *flag.FlagSet

Flagset constructs a flag.FlagSet for the App.

func (*App) Run

func (a *App) Run(ctx context.Context) error

Run starts the application serving, it does not return unless there is an error or the passed in context is cancelled.

type AuthType

type AuthType string

AuthType represents the types of authentication auth-proxy can handle.

const (
	// OAuth2 uses the legacy OAuth 2.0 flow.
	OAuth2 AuthType = "oauth2"

	// ProtoHeader uses an incoming HTTP header with a serialized proto.
	ProtoHeader AuthType = "protoheader"

	// Mocked uses a string provided on the command line for the user identity
	Mocked AuthType = "mocked"

	// Invalid represents an invalid authentication scheme.
	Invalid AuthType = ""
)

func ToAuthType

func ToAuthType(s string) AuthType

ToAuthType converts a string to AuthType, returning Invalid if it is not a valid type.

Directories

Path Synopsis
Package auth provides an interface for handling authenticated users.
Package auth provides an interface for handling authenticated users.
package mockedauth is intended for use with local development use cases.
package mockedauth is intended for use with local development use cases.
Package header supports extracting the email of an authorized user from a protobuf in an HTTP Header.
Package header supports extracting the email of an authorized user from a protobuf in an HTTP Header.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL