Documentation
¶
Index ¶
- Variables
- func NewExtAuth(cfg *ExtAuthConfig) *extAuth
- func NewStaticUserAuth(users map[string]*Requirements) *staticUsersAuth
- type CodeToGitlabTokenResponse
- type CodeToTokenResponse
- type ExtAuthConfig
- type ExtAuthResponse
- type ExtAuthStatus
- type GCSStoreConfig
- type GitHubAuth
- type GitHubAuthConfig
- type GitHubAuthRequest
- type GitHubOrganization
- type GitHubTeam
- type GitHubTeamCollection
- type GitHubTokenUser
- type GitlabAuth
- type GitlabAuthConfig
- type GitlabAuthRequest
- type GitlabOrganization
- type GitlabTeam
- type GitlabTeamCollection
- type GitlabTokenUser
- type GoogleAuth
- type GoogleAuthConfig
- type GoogleAuthRequest
- type GoogleTokenInfo
- type LDAPAuth
- type LDAPAuthConfig
- type LabelMap
- type LevelDBStoreConfig
- type MongoAuth
- type MongoAuthConfig
- type OIDCAuth
- type OIDCAuthConfig
- type OIDCRefreshTokenResponse
- type ParentGitHubTeam
- type ParentGitlabTeam
- type PluginAuthn
- type PluginAuthnConfig
- type ProfileResponse
- type RedisClient
- type RedisStoreConfig
- type RefreshTokenResponse
- type Requirements
- type TokenDB
- type TokenDBImpl
- func (db *TokenDBImpl) DeleteToken(user string) error
- func (db *TokenDBImpl) GetValue(user string) (*TokenDBValue, error)
- func (db *TokenDBImpl) StoreToken(user string, v *TokenDBValue, updatePassword bool) (dp string, err error)
- func (db *TokenDBImpl) ValidateToken(user string, password api.PasswordString) error
- type TokenDBValue
- type XormAuthn
- type XormAuthnConfig
- type XormUser
Constants ¶
This section is empty.
Variables ¶
View Source
var (
EnableSQLite3 = false
)
View Source
var ExpiredToken = errors.New("expired token")
Functions ¶
func NewExtAuth ¶
func NewExtAuth(cfg *ExtAuthConfig) *extAuth
func NewStaticUserAuth ¶
func NewStaticUserAuth(users map[string]*Requirements) *staticUsersAuth
Types ¶
type CodeToGitlabTokenResponse ¶
type CodeToGitlabTokenResponse struct {
AccessToken string `json:"access_token,omitempty"`
TokenType string `json:"token_type,omitempty"`
ExpiresIn int64 `json:"expires_in,omitempty"`
RefreshToken string `json:"refresh_token,omitempty"`
CreatedAt int64 `json:"created_at,omitempty"`
// Returned in case of error.
Error string `json:"error,omitempty"`
ErrorDescription string `json:"error_description,omitempty"`
}
type CodeToTokenResponse ¶
type CodeToTokenResponse struct {
IDToken string `json:"id_token,omitempty"`
AccessToken string `json:"access_token,omitempty"`
RefreshToken string `json:"refresh_token,omitempty"`
ExpiresIn int64 `json:"expires_in,omitempty"`
TokenType string `json:"token_type,omitempty"`
// Returned in case of error.
Error string `json:"error,omitempty"`
ErrorDescription string `json:"error_description,omitempty"`
}
CodeToTokenResponse is sent by Google servers in response to the grant_type=authorization_code request.
type ExtAuthConfig ¶
func (*ExtAuthConfig) Validate ¶
func (c *ExtAuthConfig) Validate() error
type ExtAuthResponse ¶
type ExtAuthStatus ¶
type ExtAuthStatus int
const ( ExtAuthAllowed ExtAuthStatus = 0 ExtAuthDenied ExtAuthStatus = 1 ExtAuthNoMatch ExtAuthStatus = 2 ExtAuthError ExtAuthStatus = 3 )
type GCSStoreConfig ¶
type GitHubAuth ¶
type GitHubAuth struct {
// contains filtered or unexported fields
}
func NewGitHubAuth ¶
func NewGitHubAuth(c *GitHubAuthConfig) (*GitHubAuth, error)
func (*GitHubAuth) Authenticate ¶
func (gha *GitHubAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)
func (*GitHubAuth) DoGitHubAuth ¶
func (gha *GitHubAuth) DoGitHubAuth(rw http.ResponseWriter, req *http.Request)
func (*GitHubAuth) Name ¶
func (gha *GitHubAuth) Name() string
func (*GitHubAuth) Stop ¶
func (gha *GitHubAuth) Stop()
type GitHubAuthConfig ¶
type GitHubAuthConfig struct {
Organization string `yaml:"organization,omitempty"`
ClientId string `yaml:"client_id,omitempty"`
ClientSecret string `yaml:"client_secret,omitempty"`
ClientSecretFile string `yaml:"client_secret_file,omitempty"`
LevelTokenDB *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
GCSTokenDB *GCSStoreConfig `yaml:"gcs_token_db,omitempty"`
RedisTokenDB *RedisStoreConfig `yaml:"redis_token_db,omitempty"`
HTTPTimeout time.Duration `yaml:"http_timeout,omitempty"`
RevalidateAfter time.Duration `yaml:"revalidate_after,omitempty"`
GithubWebUri string `yaml:"github_web_uri,omitempty"`
GithubApiUri string `yaml:"github_api_uri,omitempty"`
RegistryUrl string `yaml:"registry_url,omitempty"`
}
type GitHubAuthRequest ¶
type GitHubOrganization ¶
type GitHubTeam ¶
type GitHubTeam struct {
Id int64 `json:"id"`
Url string `json:"url,omitempty"`
Name string `json:"name,omitempty"`
Slug string `json:"slug,omitempty"`
Organization *GitHubOrganization `json:"organization"`
Parent *ParentGitHubTeam `json:"parent,omitempty"`
}
type GitHubTeamCollection ¶
type GitHubTeamCollection []GitHubTeam
type GitHubTokenUser ¶
type GitlabAuth ¶
type GitlabAuth struct {
// contains filtered or unexported fields
}
func NewGitlabAuth ¶
func NewGitlabAuth(c *GitlabAuthConfig) (*GitlabAuth, error)
func (*GitlabAuth) Authenticate ¶
func (glab *GitlabAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)
func (*GitlabAuth) DoGitlabAuth ¶
func (glab *GitlabAuth) DoGitlabAuth(rw http.ResponseWriter, req *http.Request)
func (*GitlabAuth) Name ¶
func (glab *GitlabAuth) Name() string
func (*GitlabAuth) Stop ¶
func (glab *GitlabAuth) Stop()
type GitlabAuthConfig ¶
type GitlabAuthConfig struct {
Organization string `yaml:"organization,omitempty"`
ClientId string `yaml:"client_id,omitempty"`
ClientSecret string `yaml:"client_secret,omitempty"`
ClientSecretFile string `yaml:"client_secret_file,omitempty"`
LevelTokenDB *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
GCSTokenDB *GCSStoreConfig `yaml:"gcs_token_db,omitempty"`
RedisTokenDB *RedisStoreConfig `yaml:"redis_token_db,omitempty"`
HTTPTimeout time.Duration `yaml:"http_timeout,omitempty"`
RevalidateAfter time.Duration `yaml:"revalidate_after,omitempty"`
GitlabWebUri string `yaml:"gitlab_web_uri,omitempty"`
GitlabApiUri string `yaml:"gitlab_api_uri,omitempty"`
RegistryUrl string `yaml:"registry_url,omitempty"`
GrantType string `yaml:"grant_type,omitempty"`
RedirectUri string `yaml:"redirect_uri,omitempty"`
}
type GitlabAuthRequest ¶
type GitlabOrganization ¶
type GitlabTeam ¶
type GitlabTeam struct {
Id int64 `json:"id"`
Url string `json:"url,omitempty"`
Name string `json:"name,omitempty"`
Slug string `json:"slug,omitempty"`
Organization *GitlabOrganization `json:"organization"`
Parent *ParentGitlabTeam `json:"parent,omitempty"`
}
type GitlabTeamCollection ¶
type GitlabTeamCollection []GitlabTeam
type GitlabTokenUser ¶
type GoogleAuth ¶
type GoogleAuth struct {
// contains filtered or unexported fields
}
func NewGoogleAuth ¶
func NewGoogleAuth(c *GoogleAuthConfig) (*GoogleAuth, error)
func (*GoogleAuth) Authenticate ¶
func (ga *GoogleAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)
func (*GoogleAuth) DoGoogleAuth ¶
func (ga *GoogleAuth) DoGoogleAuth(rw http.ResponseWriter, req *http.Request)
func (*GoogleAuth) Name ¶
func (ga *GoogleAuth) Name() string
func (*GoogleAuth) Stop ¶
func (ga *GoogleAuth) Stop()
type GoogleAuthConfig ¶
type GoogleAuthConfig struct {
Domain string `yaml:"domain,omitempty"`
ClientId string `yaml:"client_id,omitempty"`
ClientSecret string `yaml:"client_secret,omitempty"`
ClientSecretFile string `yaml:"client_secret_file,omitempty"`
LevelTokenDB *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
GCSTokenDB *GCSStoreConfig `yaml:"gcs_token_db,omitempty"`
RedisTokenDB *RedisStoreConfig `yaml:"redis_token_db,omitempty"`
HTTPTimeout time.Duration `yaml:"http_timeout,omitempty"`
}
type GoogleAuthRequest ¶
type GoogleTokenInfo ¶
type GoogleTokenInfo struct {
// AccessType: The access type granted with this token. It can be
// offline or online.
AccessType string `json:"access_type,omitempty"`
// Audience: Who is the intended audience for this token. In general the
// same as issued_to.
Audience string `json:"audience,omitempty"`
// Email: The email address of the user. Present only if the email scope
// is present in the request.
Email string `json:"email,omitempty"`
// ExpiresIn: The expiry time of the token, as number of seconds left
// until expiry.
ExpiresIn int64 `json:"expires_in,omitempty"`
// IssuedTo: To whom was the token issued to. In general the same as
// audience.
IssuedTo string `json:"issued_to,omitempty"`
// Scope: The space separated list of scopes granted to this token.
Scope string `json:"scope,omitempty"`
// TokenHandle: The token handle associated with this token.
TokenHandle string `json:"token_handle,omitempty"`
// UserId: The obfuscated user id.
UserId string `json:"user_id,omitempty"`
// VerifiedEmail: Boolean flag which is true if the email address is
// verified. Present only if the email scope is present in the request.
VerifiedEmail bool `json:"verified_email,omitempty"`
// Returned in case of error.
Error string `json:"error,omitempty"`
ErrorDescription string `json:"error_description,omitempty"`
}
From github.com/google-api-go-client/oauth2/v2/oauth2-gen.go
type LDAPAuth ¶
type LDAPAuth struct {
// contains filtered or unexported fields
}
func NewLDAPAuth ¶
func NewLDAPAuth(c *LDAPAuthConfig) (*LDAPAuth, error)
func (*LDAPAuth) Authenticate ¶
func (la *LDAPAuth) Authenticate(account string, password api.PasswordString) (bool, api.Labels, error)
How to authenticate user, please refer to https://github.com/go-ldap/ldap/blob/master/example_test.go#L166
type LDAPAuthConfig ¶
type LDAPAuthConfig struct {
Addr string `yaml:"addr,omitempty"`
TLS string `yaml:"tls,omitempty"`
InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"`
CACertificate string `yaml:"ca_certificate,omitempty"`
Base string `yaml:"base,omitempty"`
Filter string `yaml:"filter,omitempty"`
BindDN string `yaml:"bind_dn,omitempty"`
BindPasswordFile string `yaml:"bind_password_file,omitempty"`
LabelMaps map[string]LabelMap `yaml:"labels,omitempty"`
InitialBindAsUser bool `yaml:"initial_bind_as_user,omitempty"`
}
type LevelDBStoreConfig ¶
type MongoAuth ¶
type MongoAuth struct {
Collection string `yaml:"collection,omitempty"`
// contains filtered or unexported fields
}
func NewMongoAuth ¶
func NewMongoAuth(c *MongoAuthConfig) (*MongoAuth, error)
func (*MongoAuth) Authenticate ¶
type MongoAuthConfig ¶
type MongoAuthConfig struct {
MongoConfig *mgo_session.Config `yaml:"dial_info,omitempty"`
Collection string `yaml:"collection,omitempty"`
}
func (*MongoAuthConfig) Validate ¶
func (c *MongoAuthConfig) Validate(configKey string) error
Validate ensures that any custom config options in a Config are set correctly.
type OIDCAuth ¶
type OIDCAuth struct {
// contains filtered or unexported fields
}
The specific OIDC authenticator
func NewOIDCAuth ¶
func NewOIDCAuth(c *OIDCAuthConfig) (*OIDCAuth, error)
Creates everything necessary for OIDC auth.
func (*OIDCAuth) Authenticate ¶
func (ga *OIDCAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)
Called by server. Authenticates user with credentials that were given in the docker login command. If the token in the DB is expired, the OIDC access token is validated and, if possible, refreshed.
func (*OIDCAuth) DoOIDCAuth ¶
func (ga *OIDCAuth) DoOIDCAuth(rw http.ResponseWriter, req *http.Request)
This function will be used by the server if the OIDC auth method is selected. It starts the page for OIDC login or requests an access token by using the code given by the OIDC provider.
type OIDCAuthConfig ¶
type OIDCAuthConfig struct {
// --- necessary ---
// URL of the authentication provider. Must be able to serve the /.well-known/openid-configuration
Issuer string `yaml:"issuer,omitempty"`
// URL of the auth server. Has to end with /oidc_auth
RedirectURL string `yaml:"redirect_url,omitempty"`
// ID and secret, priovided by the OIDC provider after registration of the auth server
ClientId string `yaml:"client_id,omitempty"`
ClientSecret string `yaml:"client_secret,omitempty"`
ClientSecretFile string `yaml:"client_secret_file,omitempty"`
// path where the tokendb should be stored within the container
LevelTokenDB *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
GCSTokenDB *GCSStoreConfig `yaml:"gcs_token_db,omitempty"`
RedisTokenDB *RedisStoreConfig `yaml:"redis_token_db,omitempty"`
// --- optional ---
HTTPTimeout time.Duration `yaml:"http_timeout,omitempty"`
// the URL of the docker registry. Used to generate a full docker login command after authentication
RegistryURL string `yaml:"registry_url,omitempty"`
// --- optional ---
// String claim to use for the username
UserClaim string `yaml:"user_claim,omitempty"`
// --- optional ---
// []string to add as labels.
LabelsClaims []string `yaml:"labels_claims,omitempty"`
// --- optional ---
Scopes []string `yaml:"scopes,omitempty"`
}
All configuration options
type OIDCRefreshTokenResponse ¶
type OIDCRefreshTokenResponse struct {
AccessToken string `json:"access_token,omitempty"`
ExpiresIn int64 `json:"expires_in,omitempty"`
TokenType string `json:"token_type,omitempty"`
RefreshToken string `json:"refresh_token,omitempty"`
// Returned in case of error.
Error string `json:"error,omitempty"`
ErrorDescription string `json:"error_description,omitempty"`
}
OIDCRefreshTokenResponse is sent by OIDC provider in response to the grant_type=refresh_token request.
type ParentGitHubTeam ¶
type ParentGitlabTeam ¶
type PluginAuthn ¶
type PluginAuthn struct {
Authn api.Authenticator
// contains filtered or unexported fields
}
func NewPluginAuthn ¶
func NewPluginAuthn(cfg *PluginAuthnConfig) (*PluginAuthn, error)
func (*PluginAuthn) Authenticate ¶
func (c *PluginAuthn) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)
func (*PluginAuthn) Name ¶
func (c *PluginAuthn) Name() string
func (*PluginAuthn) Stop ¶
func (c *PluginAuthn) Stop()
type PluginAuthnConfig ¶
type PluginAuthnConfig struct {
PluginPath string `yaml:"plugin_path"`
}
func (*PluginAuthnConfig) Validate ¶
func (c *PluginAuthnConfig) Validate() error
type ProfileResponse ¶
type ProfileResponse struct {
Email string `json:"email,omitempty"`
VerifiedEmail bool `json:"verified_email,omitempty"`
}
ProfileResponse is sent by the /userinfo/v2/me endpoint. We use it to validate access token and (re)verify the email address associated with it.
type RedisClient ¶
type RedisStoreConfig ¶
type RedisStoreConfig struct {
ClientOptions *redis.Options `yaml:"redis_options,omitempty"`
ClusterOptions *redis.ClusterOptions `yaml:"redis_cluster_options,omitempty"`
TokenHashCost int `yaml:"token_hash_cost,omitempty"`
}
type RefreshTokenResponse ¶
type RefreshTokenResponse struct {
AccessToken string `json:"access_token,omitempty"`
ExpiresIn int64 `json:"expires_in,omitempty"`
TokenType string `json:"token_type,omitempty"`
// Returned in case of error.
Error string `json:"error,omitempty"`
ErrorDescription string `json:"error_description,omitempty"`
}
CodeToTokenResponse is sent by Google servers in response to the grant_type=refresh_token request.
type Requirements ¶
type Requirements struct {
Password *api.PasswordString `yaml:"password,omitempty" json:"password,omitempty"`
Labels api.Labels `yaml:"labels,omitempty" json:"labels,omitempty"`
}
func (Requirements) String ¶
func (r Requirements) String() string
type TokenDB ¶
type TokenDB interface {
// GetValue takes a username returns the corresponding token
GetValue(string) (*TokenDBValue, error)
// StoreToken takes a username and token, stores them in the DB
// and returns a password and error
StoreToken(string, *TokenDBValue, bool) (string, error)
// ValidateTOken takes a username and password
// and returns an error
ValidateToken(string, api.PasswordString) error
// DeleteToken takes a username
// and deletes the corresponding token from the DB
DeleteToken(string) error
// Composed from leveldb.DB
Close() error
}
TokenDB stores tokens using LevelDB
func NewGCSTokenDB ¶
func NewGCSTokenDB(options *GCSStoreConfig) (TokenDB, error)
NewGCSTokenDB return a new TokenDB structure which uses Google Cloud Storage as backend. The created DB uses file-per-user strategy and stores credentials independently for each user.
Note: it's not recomanded bucket to be shared with other apps or services
func NewRedisTokenDB ¶
func NewRedisTokenDB(options *RedisStoreConfig) (TokenDB, error)
NewRedisTokenDB returns a new TokenDB structure which uses Redis as the storage backend.
func NewTokenDB ¶
func NewTokenDB(options *LevelDBStoreConfig) (TokenDB, error)
NewTokenDB returns a new TokenDB structure
type TokenDBImpl ¶
TokenDB stores tokens using LevelDB
func (*TokenDBImpl) DeleteToken ¶
func (db *TokenDBImpl) DeleteToken(user string) error
func (*TokenDBImpl) GetValue ¶
func (db *TokenDBImpl) GetValue(user string) (*TokenDBValue, error)
func (*TokenDBImpl) StoreToken ¶
func (db *TokenDBImpl) StoreToken(user string, v *TokenDBValue, updatePassword bool) (dp string, err error)
func (*TokenDBImpl) ValidateToken ¶
func (db *TokenDBImpl) ValidateToken(user string, password api.PasswordString) error
type TokenDBValue ¶
type TokenDBValue struct {
TokenType string `json:"token_type,omitempty"` // Usually "Bearer"
AccessToken string `json:"access_token,omitempty"`
RefreshToken string `json:"refresh_token,omitempty"`
ValidUntil time.Time `json:"valid_until,omitempty"`
// DockerPassword is the temporary password we use to authenticate Docker users.
// Generated at the time of token creation, stored here as a BCrypt hash.
DockerPassword string `json:"docker_password,omitempty"`
Labels api.Labels `json:"labels,omitempty"`
}
TokenDBValue is stored in the database, JSON-serialized.
type XormAuthn ¶
type XormAuthn struct {
// contains filtered or unexported fields
}
func NewXormAuth ¶
func NewXormAuth(c *XormAuthnConfig) (*XormAuthn, error)
func (*XormAuthn) Authenticate ¶
type XormAuthnConfig ¶
type XormAuthnConfig struct {
DatabaseType string `yaml:"database_type,omitempty"`
ConnString string `yaml:"conn_string,omitempty"`
}
func (*XormAuthnConfig) Validate ¶
func (xa *XormAuthnConfig) Validate(configKey string) error
Source Files
Click to show internal directories.
Click to hide internal directories.