Published: Nov 6, 2023 License: MIT Imports: 21 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ClearCSRFCookie

func ClearCSRFCookie(r *http.Request, c *http.Cookie) *http.Cookie

ClearCSRFCookie makes an already-expired CSRF cookie, used to clear the CSRF cookie on the client

func ClearCookie

func ClearCookie(r *http.Request) *http.Cookie

ClearCookie clears the auth cookie

func FindCSRFCookie

func FindCSRFCookie(r *http.Request, state string) (c *http.Cookie, err error)

FindCSRFCookie extracts the CSRF cookie from the request based on state.

func MakeCSRFCookie

func MakeCSRFCookie(r *http.Request, nonce string) *http.Cookie

MakeCSRFCookie makes a csrf cookie (used during login only)

Note, CSRF cookies live shorter than auth cookies, a fixed 1h. That's because some CSRF cookies may belong to auth flows that don't complete and thus may not get cleared by ClearCookie.

func MakeCookie

func MakeCookie(r *http.Request, email string) *http.Cookie

MakeCookie creates an auth cookie

func MakeState

func MakeState(r *http.Request, p provider.Provider, nonce string) string

MakeState generates a state value

func NewDefaultLogger

func NewDefaultLogger() *logrus.Logger

NewDefaultLogger creates a new logger based on the current configuration

func Nonce

func Nonce() (error, string)

Nonce generates a random nonce

func ValidateCSRFCookie

func ValidateCSRFCookie(c *http.Cookie, state string) (valid bool, provider string, redirect string, err error)

ValidateCSRFCookie validates the csrf cookie against state

func ValidateCookie

func ValidateCookie(r *http.Request, c *http.Cookie) (string, error)

ValidateCookie verifies that a cookie matches the expected format of: Cookie = hash(secret, cookie domain, email, expires)|expires|email

func ValidateDomains

func ValidateDomains(email string, domains CommaSeparatedList) bool

ValidateDomains checks if the email matches a whitelisted domain

func ValidateEmail

func ValidateEmail(email, ruleName string) bool

ValidateEmail checks whether the given email address either matches a whitelisted email address, as defined by the "whitelist" config parameter, or belongs to a permitted domain, as defined by the "domains" config parameter.

func ValidateState

func ValidateState(state string) error

ValidateState checks whether the state is of the right length.

func ValidateWhitelist

func ValidateWhitelist(email string, whitelist CommaSeparatedList) bool

ValidateWhitelist checks if the email is in whitelist

Types

type CommaSeparatedList

type CommaSeparatedList []string

CommaSeparatedList provides legacy support for config values provided as csv

func (*CommaSeparatedList) MarshalFlag

func (c *CommaSeparatedList) MarshalFlag() (string, error)

MarshalFlag converts an array back to a comma separated list

func (*CommaSeparatedList) UnmarshalFlag

func (c *CommaSeparatedList) UnmarshalFlag(value string) error

UnmarshalFlag converts a comma separated list to an array

type Config

// Config holds the runtime application config.
//
// Fields carry go-flags style struct tags (long / env / default / choice /
// description). Fields tagged `json:"-"` are excluded from JSON encodings of
// the config, which is how secret material is kept out of serialized output.
type Config struct {
	// The struct tag for LogLevel was elided by the documentation renderer; see the source file.
	LogLevel  string `` /* 174-byte string literal not displayed */
	LogFormat string `long:"log-format"  env:"LOG_FORMAT" default:"text" choice:"text" choice:"json" choice:"pretty" description:"Log format"`

	AuthHost               string               `long:"auth-host" env:"AUTH_HOST" description:"Single host to use when returning from 3rd party auth"`
	// Flag callback for --config; presumably invoked with the config file path — confirm in NewConfig.
	Config                 func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
	CookieDomains          []CookieDomain       `long:"cookie-domain" env:"COOKIE_DOMAIN" env-delim:"," description:"Domain to set auth cookie on, can be set multiple times"`
	// "Use insecure cookies" per the flag description; presumably controls the cookie's Secure attribute — confirm in MakeCookie/MakeCSRFCookie.
	InsecureCookie         bool                 `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
	CookieName             string               `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"Cookie Name"`
	CSRFCookieName         string               `long:"csrf-cookie-name" env:"CSRF_COOKIE_NAME" default:"_forward_auth_csrf" description:"CSRF Cookie Name"`
	DefaultAction          string               `long:"default-action" env:"DEFAULT_ACTION" default:"auth" choice:"auth" choice:"allow" description:"Default action"`
	// The struct tag for DefaultProvider was elided by the documentation renderer; see the source file.
	DefaultProvider        string               `` /* 147-byte string literal not displayed */
	Domains                CommaSeparatedList   `long:"domain" env:"DOMAIN" env-delim:"," description:"Only allow given email domains, can be set multiple times"`
	// Lifetime in seconds as given on the command line; an int despite the "String" suffix.
	LifetimeString         int                  `long:"lifetime" env:"LIFETIME" default:"43200" description:"Lifetime in seconds"`
	LogoutRedirect         string               `long:"logout-redirect" env:"LOGOUT_REDIRECT" description:"URL to redirect to following logout"`
	// The struct tag for MatchWhitelistOrDomain was elided by the documentation renderer; see the source file.
	MatchWhitelistOrDomain bool                 `` /* 157-byte string literal not displayed */
	Path                   string               `long:"url-path" env:"URL_PATH" default:"/_oauth" description:"Callback URL Path"`
	// Signing secret as configured (required). json:"-" keeps it out of JSON output.
	SecretString           string               `long:"secret" env:"SECRET" description:"Secret used for signing (required)" json:"-"`
	Whitelist              CommaSeparatedList   `long:"whitelist" env:"WHITELIST" env-delim:"," description:"Only allow given email addresses, can be set multiple times"`
	Port                   int                  `long:"port" env:"PORT" default:"4181" description:"Port to listen on"`

	Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"`
	// Keyed by rule name; populated from --rule.<name>.<param> flags.
	Rules     map[string]*Rule   `long:"rule.<name>.<param>" description:"Rule definitions, param can be: \"action\", \"rule\" or \"provider\""`

	// Filled during transformations
	// Presumably the byte form of SecretString — confirm in NewConfig. json:"-" keeps it out of JSON output.
	Secret   []byte `json:"-"`
	// Presumably derived from LifetimeString (seconds) — confirm in NewConfig.
	Lifetime time.Duration

	// Legacy
	CookieDomainsLegacy CookieDomains `long:"cookie-domains" env:"COOKIE_DOMAINS" description:"DEPRECATED - Use \"cookie-domain\""`
	CookieSecretLegacy  string        `long:"cookie-secret" env:"COOKIE_SECRET" description:"DEPRECATED - Use \"secret\""  json:"-"`
	// A string rather than a bool; how it is interpreted is not visible here.
	CookieSecureLegacy  string        `long:"cookie-secure" env:"COOKIE_SECURE" description:"DEPRECATED - Use \"insecure-cookie\""`
	ClientIdLegacy      string        `long:"client-id" env:"CLIENT_ID" description:"DEPRECATED - Use \"providers.google.client-id\""`
	// NOTE(review): the description points at "providers.google.client-id"; "providers.google.client-secret" is presumably the intended replacement — confirm.
	ClientSecretLegacy  string        `long:"client-secret" env:"CLIENT_SECRET" description:"DEPRECATED - Use \"providers.google.client-id\""  json:"-"`
	PromptLegacy        string        `long:"prompt" env:"PROMPT" description:"DEPRECATED - Use \"providers.google.prompt\""`
}

Config holds the runtime application config

func NewConfig

func NewConfig(args []string) (*Config, error)

NewConfig parses and validates provided configuration into a config object

func NewGlobalConfig

func NewGlobalConfig() *Config

NewGlobalConfig creates a new global config, parsed from command arguments

func (*Config) GetConfiguredProvider

func (c *Config) GetConfiguredProvider(name string) (provider.Provider, error)

GetConfiguredProvider returns the provider of the given name, if it has been configured. Returns an error if the provider is unknown, or hasn't been configured

func (*Config) GetProvider

func (c *Config) GetProvider(name string) (provider.Provider, error)

GetProvider returns the provider of the given name

func (Config) String

func (c Config) String() string

func (*Config) Validate

func (c *Config) Validate()

Validate validates a config object

type CookieDomain

// CookieDomain holds cookie domain info.
//
// Construct with NewCookieDomain or UnmarshalFlag rather than a literal, so the
// length fields stay consistent with their strings.
type CookieDomain struct {
	Domain       string
	// Presumably len(Domain), cached for Match — confirm in NewCookieDomain.
	DomainLen    int
	SubDomain    string
	// Presumably len(SubDomain) — confirm in NewCookieDomain.
	SubDomainLen int
}

CookieDomain holds cookie domain info

func NewCookieDomain

func NewCookieDomain(domain string) *CookieDomain

NewCookieDomain creates a new CookieDomain from the given domain string

func (*CookieDomain) MarshalFlag

func (c *CookieDomain) MarshalFlag() (string, error)

MarshalFlag converts a CookieDomain to a string

func (*CookieDomain) Match

func (c *CookieDomain) Match(host string) bool

Match checks if the given host matches this CookieDomain

func (*CookieDomain) UnmarshalFlag

func (c *CookieDomain) UnmarshalFlag(value string) error

UnmarshalFlag converts a string to a CookieDomain

type CookieDomains

type CookieDomains []CookieDomain

CookieDomains provides legacy support for a comma separated list of cookie domains

func (*CookieDomains) MarshalFlag

func (c *CookieDomains) MarshalFlag() (string, error)

MarshalFlag converts an array of CookieDomain to a comma separated list

func (*CookieDomains) UnmarshalFlag

func (c *CookieDomains) UnmarshalFlag(value string) error

UnmarshalFlag converts a comma separated list of cookie domains to an array of CookieDomains

type Rule

// Rule holds defined rules.
//
// Rules are configured through Config.Rules via --rule.<name>.<param>, where
// param is one of "action", "rule" or "provider".
type Rule struct {
	// Action to take when the rule matches; the accepted values are not visible here.
	Action    string
	// The matching expression itself; its syntax is not visible here.
	Rule      string
	// Name of the provider to authenticate with; resolved via Config.GetProvider, presumably.
	Provider  string
	Whitelist CommaSeparatedList
	Domains   CommaSeparatedList
}

Rule holds defined rules

func NewRule

func NewRule() *Rule

NewRule creates a new rule object

func (*Rule) Validate

func (r *Rule) Validate(c *Config) error

Validate validates a rule

type Server

// Server contains router and handler methods.
//
// The zero value is not documented as usable; construct with NewServer, which
// builds the router.
type Server struct {
	// contains filtered or unexported fields
}

Server contains router and handler methods

func NewServer

func NewServer() *Server

NewServer creates a new server object and builds router

func (*Server) AllowHandler

func (s *Server) AllowHandler(rule string) http.HandlerFunc

AllowHandler allows requests

func (*Server) AuthCallbackHandler

func (s *Server) AuthCallbackHandler() http.HandlerFunc

AuthCallbackHandler handles the auth callback request

func (*Server) AuthHandler

func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc

AuthHandler authenticates requests

func (*Server) LogoutHandler

func (s *Server) LogoutHandler() http.HandlerFunc

LogoutHandler logs a user out

func (*Server) RootHandler

func (s *Server) RootHandler(w http.ResponseWriter, r *http.Request)

RootHandler overwrites the request method, host and URL with those from the forwarded request so it is correctly routed by mux
