proxy

package
Published: Apr 24, 2024 License: Apache-2.0 Imports: 55 Imported by: 0


Constants

This section is empty.

Variables

// ErrHostNotConfigured reports that a requested hostname has not been
// configured. Its message text mirrors acme/autocert's host-policy error,
// which suggests it is returned from an autocert HostPolicy — confirm
// against the caller.
var ErrHostNotConfigured = errors.New("acme/autocert: host not configured")

ErrHostNotConfigured indicates that the requested hostname was not configured. Its message text mirrors the acme/autocert host-policy error.

Functions

func GetAccessCookieExpiration

func GetAccessCookieExpiration(
	logger *zap.Logger,
	accessTokenDuration time.Duration,
	refresh string,
) time.Duration

GetAccessCookieExpiration calculates the expiration of the access-token cookie from the configured accessTokenDuration and the refresh token string passed as refresh (presumably so the cookie lifetime can follow the refresh token when one is present — confirm against the implementation).

func GetIdentity

func GetIdentity(
	logger *zap.Logger,
	skipAuthorizationHeaderIdentity bool,
	enableEncryptedToken bool,
	forceEncryptedCookie bool,
	encKey string,
) func(req *http.Request, tokenCookie string, tokenHeader string) (*UserContext, error)

GetIdentity returns a function that retrieves the user identity from a request, either from the session cookie (tokenCookie) or from a bearer token (tokenHeader). The skipAuthorizationHeaderIdentity, enableEncryptedToken and forceEncryptedCookie flags together with encKey control whether the header source is consulted and whether the token is expected to be encrypted with encKey (inferred from the parameter names — confirm against the implementation).

func GetRefreshTokenFromStore

func GetRefreshTokenFromStore(
	ctx context.Context,
	store storage.Storage,
	token string,
) (string, error)

GetRefreshTokenFromStore retrieves a refresh token from the store, using the access token (token) as the lookup key.

func WithOAuthURI

func WithOAuthURI(baseURI string, oauthURI string) func(uri string) string

WithOAuthURI returns a function that maps a relative uri to its full OAuth path beneath baseURI and oauthURI.

func WithUMAIdentity

func WithUMAIdentity(
	req *http.Request,
	targetPath string,
	user *UserContext,
	cookieUMAName string,
	provider *oidc3.Provider,
	clientID string,
	skipClientIDCheck bool,
	skipIssuerCheck bool,
	getIdentity func(req *http.Request, tokenCookie string, tokenHeader string) (*UserContext, error),
	authzFunc func(targetPath string, userPerms authorization.Permissions) (authorization.AuthzDecision, error),
) (authorization.AuthzDecision, error)

Types

type DiscoveryResponse

// DiscoveryResponse is the JSON shape of the endpoint-discovery document.
// The fields map to the expired_endpoint, logout_endpoint, token_endpoint
// and login_endpoint keys respectively.
type DiscoveryResponse struct {
	ExpiredURL string `json:"expired_endpoint"`
	LogoutURL  string `json:"logout_endpoint"`
	TokenURL   string `json:"token_endpoint"`
	LoginURL   string `json:"login_endpoint"`
}

type OauthProxy

type OauthProxy struct {
	Provider  *oidc3.Provider
	Config    *config.Config
	Endpoint  *url.URL
	IdpClient *gocloak.GoCloak
	Listener  net.Listener
	Log       *zap.Logger

	Router http.Handler

	Server   *http.Server
	Store    storage.Storage
	Upstream reverseProxy

	GetIdentity  func(req *http.Request, tokenCookie string, tokenHeader string) (*UserContext, error)
	Cm           *cookie.Manager
	WithOAuthURI func(uri string) string
	// contains filtered or unexported fields
}

func NewProxy

func NewProxy(config *config.Config, log *zap.Logger, upstream reverseProxy) (*OauthProxy, error)

NewProxy creates a new proxy from the configuration.

func (*OauthProxy) CreateReverseProxy

func (r *OauthProxy) CreateReverseProxy() error

CreateReverseProxy creates the reverse proxy that forwards requests to the upstream.

func (*OauthProxy) NewOpenIDProvider

func (r *OauthProxy) NewOpenIDProvider() (*oidc3.Provider, *gocloak.GoCloak, error)

NewOpenIDProvider initializes the OpenID configuration. Note: the redirection URL is deliberately left blank so that it is derived from the Host header of each request. That makes the redirect_uri sent to the identity provider depend on a client-controlled header, so deployments must ensure the Host header is trustworthy — fixed or validated by the fronting load balancer, or checked against an allow-list of configured hosts — otherwise a spoofed Host could steer the post-login redirect (the identity provider's registered redirect_uri check is then the remaining safeguard).

func (*OauthProxy) Run

func (r *OauthProxy) Run() error

Run starts the proxy service

type OpenIDRoundTripper

type OpenIDRoundTripper struct {
	http.Header
	// contains filtered or unexported fields
}

func NewOpenIDRoundTripper

func NewOpenIDRoundTripper(rt http.RoundTripper) OpenIDRoundTripper

func (OpenIDRoundTripper) RoundTrip

func (r OpenIDRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)

type PAT

type PAT struct {
	Token *gocloak.JWT
	// contains filtered or unexported fields
}

type RPT

type RPT struct {
	Token string
	// contains filtered or unexported fields
}

type RealmRoles

// RealmRoles is the JSON shape of a roles list ({"roles": [...]}), e.g. the
// realm role names carried in a token claim. Which claim it is decoded from
// is not visible here — confirm against the caller.
type RealmRoles struct {
	Roles []string `json:"roles"`
}

type RequestScope

// RequestScope is the per-request state shared along the middleware chain;
// a middleware that sets AccessDenied stops the request from being proxied.
type RequestScope struct {
	// AccessDenied indicates the request should not be proxied on
	AccessDenied bool
	// Identity is the user Identity of the request
	Identity *UserContext
	// The parsed (unescaped) value of the request path
	Path string
	// Preserve the original request path: KEYCLOAK-10864, KEYCLOAK-11276, KEYCLOAK-13315
	// The exact path received in the request, if different than Path.
	// Path and RawPath differ whenever the request path contained
	// percent-encoding, so authorization rules that match on Path should
	// keep in mind that the upstream may see RawPath — a rule must not be
	// bypassable through an encoded form of the path.
	RawPath string
	// Logger is the request-scoped logger used by the middleware
	Logger  *zap.Logger
}

RequestScope is a request-level context scope passed between middleware.

type TokenResponse

// TokenResponse is the JSON body returned by the token endpoint (OAuth 2.0 /
// OpenID Connect). RefreshToken and Scope are omitted from the encoding when
// empty. ExpiresIn is decoded as float64; per OAuth 2.0 the value is a
// lifetime in seconds. AccessToken, IDToken and RefreshToken are credentials:
// keep them out of logs and error messages.
type TokenResponse struct {
	TokenType    string  `json:"token_type"`
	AccessToken  string  `json:"access_token"`
	IDToken      string  `json:"id_token"`
	RefreshToken string  `json:"refresh_token,omitempty"`
	ExpiresIn    float64 `json:"expires_in"`
	Scope        string  `json:"scope,omitempty"`
}

TokenResponse is the JSON token-endpoint response: token type, access, ID and refresh tokens, expiry (expires_in) and granted scope.

type UserContext

// UserContext holds the information extracted from a token. It is the
// identity that authorization decisions are made against, so its contents
// are only as trustworthy as the token it was parsed from — this page does
// not show where signature verification happens; confirm it precedes use.
type UserContext struct {
	// the id of the user
	ID string
	// the audience(s) the token was issued for
	Audiences []string
	// whether the context is from a session cookie or authorization header
	// (the name suggests true means the Authorization header — confirm)
	BearerToken bool
	// the email associated to the user
	Email string
	// the expiration of the access token
	ExpiresAt time.Time
	// groups is a collection of groups where user is member
	Groups []string
	// a name of the user
	Name string
	// preferredName is the preferred (display) name of the user
	PreferredName string
	// roles is a collection of roles the users holds
	Roles []string
	// rawToken is the token exactly as received. It is a credential: keep it
	// out of logs and error messages (check that String() does not emit it).
	RawToken string
	// claims is the full claim set decoded from the token
	Claims map[string]interface{}
	// permissions granted to the user, as used by the authorization package
	Permissions authorization.Permissions
}

UserContext holds the information extracted from the token.

func ExtractIdentity

func ExtractIdentity(token *jwt.JSONWebToken) (*UserContext, error)

ExtractIdentity parses the JWT and extracts its claims in order to construct a UserContext. Parsing alone does not prove the token is genuine; this page does not show where signature verification happens, so callers should confirm the token was verified before trusting the result.

func (*UserContext) IsExpired

func (r *UserContext) IsExpired() bool

IsExpired reports whether the token has expired.

func (*UserContext) String

func (r *UserContext) String() string

String returns a string representation of the user context
