dex

package
Published: Oct 12, 2023 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation


Constants

// CertsBase is the base directory ("/etc/dex/ssl") under which certificate
// files are expected. The callers that join file names onto it are not on this
// page — confirm how the individual cert and key paths are derived from it.
const (
	CertsBase = "/etc/dex/ssl"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ClientBuilder

// ClientBuilder assembles an api.DexClient for a DexIdentityProvider custom
// resource. Each With* method returns the builder so calls can be chained;
// Build performs the construction and may fail.
// NOTE(review): which of reader, scheme and idp must be set before Build is
// not visible on this page — confirm Build's error cases.
type ClientBuilder interface {
	// WithReader supplies the controller-runtime reader, presumably used to
	// resolve Kubernetes objects referenced by the identity provider.
	WithReader(reader client.Reader) ClientBuilder
	// WithScheme supplies the runtime scheme used with the reader.
	WithScheme(scheme *runtime.Scheme) ClientBuilder
	// WithIdentityProvider supplies the DexIdentityProvider to build a client for.
	WithIdentityProvider(idp *dexv1alpha1.DexIdentityProvider) ClientBuilder
	// Build constructs the client; ctx bounds any lookups it performs.
	Build(ctx context.Context) (api.DexClient, error)
}

func NewClientBuilder

// NewClientBuilder returns the production ClientBuilder (compare
// NewFakeClientBuilder, which is backed by a mock). Body not shown here.
func NewClientBuilder() ClientBuilder

func NewFakeClientBuilder

// NewFakeClientBuilder returns a ClientBuilder for tests whose Build result
// is presumably a FakeDexClient wrapping m. Body not shown here.
func NewFakeClientBuilder(m *mock.Mock) ClientBuilder

type Config

// Config is the config format for the main application: the structure that is
// serialized to YAML (see the yaml tags) for the dex server.
//
// NOTE(review): a rendered Config carries secrets in plaintext — the LDAP
// bindPW, the OIDC clientSecret and the Postgres password — so any code path
// that writes or logs it must treat the whole document as sensitive.
type Config struct {
	Issuer           string      `yaml:"issuer"`
	Storage          Storage     `yaml:"storage"`
	Web              Web         `yaml:"web"`
	GRPC             GRPC        `yaml:"grpc"`
	OAuth2           *OAuth2     `yaml:"oauth2,omitempty"`
	Expiry           *Expiry     `yaml:"expiry,omitempty"`
	Logger           *Logger     `yaml:"logger,omitempty"`
	Frontend         *Frontend   `yaml:"frontend,omitempty"`
	Telemetry        *Telemetry  `yaml:"telemetry,omitempty"`
	// Connectors has no omitempty, so an empty list is still emitted.
	Connectors       []Connector `yaml:"connectors"`
	// EnablePasswordDB presumably toggles dex's built-in password store; its
	// effect is not visible on this page — confirm before relying on it.
	EnablePasswordDB bool        `yaml:"enablePasswordDB"`
}

Config is the config format for the main application.

func ConfigFromCR

// ConfigFromCR builds a Config from a DexIdentityProvider custom resource,
// using reader and scheme to resolve whatever the resource references.
// NOTE(review): body not shown; how secrets referenced by the CR are resolved
// and where they land in the Config is not visible here — confirm.
func ConfigFromCR(ctx context.Context, reader client.Reader, scheme *runtime.Scheme, idp *dexv1alpha1.DexIdentityProvider) (*Config, error)

type Connector

// Connector is one connector entry in the dex config. Type selects the
// connector implementation and thereby which branch of Config is used; Name
// and ID label the connector (how each is used is not visible on this page).
type Connector struct {
	Type   string          `yaml:"type"`
	Name   string          `yaml:"name"`
	ID     string          `yaml:"id"`
	// Config carries the type-specific settings (see ConnectorConfig).
	Config ConnectorConfig `yaml:"config"`
}

Connector is a type that unmarshals YAML dynamically. The Type field determines the connector type, which in turn determines how Config is interpreted.

type ConnectorConfig

// ConnectorConfig is a configuration that can create a connector. Presumably
// exactly one of the pointer fields is set. Both carry `yaml:"-"`, so the
// default encoder skips them and MarshalYAML decides what is emitted.
// NOTE(review): behaviour when both or neither field is set is not visible here.
type ConnectorConfig struct {
	LDAP *LDAPConnectorConfig `yaml:"-"`
	OIDC *OIDCConnectorConfig `yaml:"-"`
}

ConnectorConfig is a configuration that can create a connector.

func (ConnectorConfig) MarshalYAML

// MarshalYAML implements the yaml Marshaler interface for ConnectorConfig.
// Because the LDAP and OIDC fields are tagged `yaml:"-"`, this is the only way
// the selected connector's settings reach the output document.
// NOTE(review): body not shown — confirm which field wins when both are set.
func (c ConnectorConfig) MarshalYAML() (any, error)

type Expiry

// Expiry holds configuration for the validity period of components. Every
// duration is a string in the serialized config; parsing happens outside this
// page (presumably Go duration syntax such as "24h" — confirm against dex).
type Expiry struct {
	// SigningKeys defines the duration of time after which the SigningKeys will be rotated.
	SigningKeys string `yaml:"signingKeys,omitempty"`
	// IDTokens defines the duration of time for which the ID tokens will be valid.
	IDTokens string `yaml:"idTokens,omitempty"`
	// AuthRequests defines the duration of time for which the AuthRequests will be valid.
	AuthRequests string `yaml:"authRequests,omitempty"`
	// DeviceRequests defines the duration of time for which the DeviceRequests will be valid.
	DeviceRequests string `yaml:"deviceRequests,omitempty"`
	// RefreshTokens defines the refresh token expiry policy (see RefreshToken).
	RefreshTokens *RefreshToken `yaml:"refreshTokens,omitempty"`
}

Expiry holds configuration for the validity period of components.

type FakeDexClient

// FakeDexClient is a test double for api.DexClient. Its methods are presumably
// driven by expectations registered on the embedded mock; the method bodies
// are not shown on this page — confirm they record calls on Mock.
type FakeDexClient struct {
	*mock.Mock
}

func (*FakeDexClient) CreateClient

// CreateClient creates a client. Fake implementation backed by the embedded
// mock; body not shown here.
func (c *FakeDexClient) CreateClient(ctx context.Context, in *api.CreateClientReq, opts ...grpc.CallOption) (*api.CreateClientResp, error)

CreateClient creates a client.

func (*FakeDexClient) CreatePassword

// CreatePassword creates a password. Fake implementation backed by the
// embedded mock; body not shown here.
func (c *FakeDexClient) CreatePassword(ctx context.Context, in *api.CreatePasswordReq, opts ...grpc.CallOption) (*api.CreatePasswordResp, error)

CreatePassword creates a password.

func (*FakeDexClient) DeleteClient

// DeleteClient deletes the provided client. Fake implementation backed by the
// embedded mock; body not shown here.
func (c *FakeDexClient) DeleteClient(ctx context.Context, in *api.DeleteClientReq, opts ...grpc.CallOption) (*api.DeleteClientResp, error)

DeleteClient deletes the provided client.

func (*FakeDexClient) DeletePassword

// DeletePassword deletes the password. Fake implementation backed by the
// embedded mock; body not shown here.
func (c *FakeDexClient) DeletePassword(ctx context.Context, in *api.DeletePasswordReq, opts ...grpc.CallOption) (*api.DeletePasswordResp, error)

DeletePassword deletes the password.

func (*FakeDexClient) GetVersion

// GetVersion returns version information of the server. Fake implementation
// backed by the embedded mock; body not shown here.
func (c *FakeDexClient) GetVersion(ctx context.Context, in *api.VersionReq, opts ...grpc.CallOption) (*api.VersionResp, error)

GetVersion returns version information of the server.

func (*FakeDexClient) ListPasswords

// ListPasswords lists all password entries. Fake implementation backed by the
// embedded mock; body not shown here.
func (c *FakeDexClient) ListPasswords(ctx context.Context, in *api.ListPasswordReq, opts ...grpc.CallOption) (*api.ListPasswordResp, error)

ListPasswords lists all password entries.

func (*FakeDexClient) ListRefresh

// ListRefresh lists all the refresh token entries for a particular user. Fake
// implementation backed by the embedded mock; body not shown here.
func (c *FakeDexClient) ListRefresh(ctx context.Context, in *api.ListRefreshReq, opts ...grpc.CallOption) (*api.ListRefreshResp, error)

ListRefresh lists all the refresh token entries for a particular user.

func (*FakeDexClient) RevokeRefresh

// RevokeRefresh revokes the refresh token for the provided user-client pair;
// each pair can have only one refresh token at a time. Fake implementation
// backed by the embedded mock; body not shown here.
func (c *FakeDexClient) RevokeRefresh(ctx context.Context, in *api.RevokeRefreshReq, opts ...grpc.CallOption) (*api.RevokeRefreshResp, error)

RevokeRefresh revokes the refresh token for the provided user-client pair.

Note that each user-client pair can have only one refresh token at a time.

func (*FakeDexClient) UpdateClient

// UpdateClient updates an existing client. Fake implementation backed by the
// embedded mock; body not shown here.
func (c *FakeDexClient) UpdateClient(ctx context.Context, in *api.UpdateClientReq, opts ...grpc.CallOption) (*api.UpdateClientResp, error)

UpdateClient updates an existing client.

func (*FakeDexClient) UpdatePassword

// UpdatePassword modifies an existing password. Fake implementation backed by
// the embedded mock; body not shown here.
func (c *FakeDexClient) UpdatePassword(ctx context.Context, in *api.UpdatePasswordReq, opts ...grpc.CallOption) (*api.UpdatePasswordResp, error)

UpdatePassword modifies an existing password.

func (*FakeDexClient) VerifyPassword

// VerifyPassword reports whether a password matches the hash for a specific
// email. Fake implementation backed by the embedded mock; body not shown here.
func (c *FakeDexClient) VerifyPassword(ctx context.Context, in *api.VerifyPasswordReq, opts ...grpc.CallOption) (*api.VerifyPasswordResp, error)

VerifyPassword reports whether a password matches the hash for a specific email.

type Frontend

// Frontend holds the server's frontend templates and asset configuration.
type Frontend struct {
	// A file path to static web assets.
	//
	// It is expected to contain the following directories:
	//
	//   * static - Static assets served at "( issuer URL )/static".
	//   * templates - HTML templates controlled by dex.
	//   * themes/(theme) - Static assets served at "( issuer URL )/theme".
	Dir string `yaml:"dir,omitempty"`
	// Defaults to "( issuer URL )/theme/logo.png"
	LogoURL string `yaml:"logoURL,omitempty"`
	// Defaults to "dex"
	Issuer string `yaml:"issuer,omitempty"`
	// Defaults to "light"
	Theme string `yaml:"theme,omitempty"`
	// Map of extra values passed into the templates
	Extra map[string]string `yaml:"extra,omitempty"`
}

Frontend holds the server's frontend templates and asset configuration.

type GRPC

// GRPC is the config for the gRPC API.
type GRPC struct {
	// The port to listen on. NOTE(review): the value is a string, so this is
	// presumably a full listen address (host:port) — confirm.
	Addr        string `yaml:"addr,omitempty"`
	// TLSCert and TLSKey are presumably paths to the server certificate and
	// key (compare CertsBase); TLSClientCA, when set, is presumably the CA
	// used to verify client certificates, i.e. mutual TLS for the API. How
	// the server behaves when they are empty is not visible here — confirm.
	TLSCert     string `yaml:"tlsCert,omitempty"`
	TLSKey      string `yaml:"tlsKey,omitempty"`
	TLSClientCA string `yaml:"tlsClientCA,omitempty"`
	// Reflection enables gRPC server reflection, which exposes the service
	// schema to any caller; useful in development, normally off in production.
	Reflection  bool   `yaml:"reflection,omitempty"`
}

GRPC is the config for the gRPC API.

type LDAPConnectorConfig

// LDAPConnectorConfig holds configuration options for LDAP logins.
//
// NOTE(review): each Insecure* flag below removes a TLS protection; with
// either set, the bind credentials and every user password submitted through
// this connector cross the network without the server being authenticated.
type LDAPConnectorConfig struct {
	// The host and optional port of the LDAP server. If port isn't supplied, it will be
	// guessed based on the TLS configuration. 389 or 636.
	Host string `yaml:"host"`
	// Required if LDAP host does not use TLS. The bind password and user
	// credentials are then sent in cleartext.
	InsecureNoSSL bool `yaml:"insecureNoSSL,omitempty"`
	// Don't verify the CA. Any certificate the server presents is accepted, so
	// the connection is encrypted but the peer is not authenticated.
	InsecureSkipVerify bool `yaml:"insecureSkipVerify,omitempty"`
	// Connect to the insecure port then issue a StartTLS command to negotiate a
	// secure connection. If unsupplied secure connections will use the LDAPS
	// protocol.
	StartTLS bool `yaml:"startTLS,omitempty"`
	// Path to a trusted root certificate file.
	RootCA string `yaml:"rootCA,omitempty"`
	// Path to a client cert file generated by rootCA.
	ClientCert string `yaml:"clientCert,omitempty"`
	// Path to a client private key file generated by rootCA.
	ClientKey string `yaml:"clientKey,omitempty"`
	// BindDN and BindPW for an application service account. The connector uses these
	// credentials to search for users and groups. BindPW appears in plaintext in the
	// rendered config, and neither key has omitempty, so empty values are still emitted.
	BindDN string `yaml:"bindDN"`
	BindPW string `yaml:"bindPW"`
	// UsernamePrompt allows users to override the username attribute (displayed
	// in the username/password prompt). If unset, the handler will use
	// "Username".
	UsernamePrompt string `yaml:"usernamePrompt,omitempty"`
	// User entry search configuration.
	UserSearch LDAPConnectorUserSearch `yaml:"userSearch"`
	// Group search configuration.
	GroupSearch LDAPConnectorGroupSearch `yaml:"groupSearch"`
}

LDAPConnectorConfig holds configuration options for LDAP logins.

type LDAPConnectorGroupSearch

// LDAPConnectorGroupSearch holds the group-search configuration of the LDAP
// connector: where to search, how to filter, and how groups are tied to users.
type LDAPConnectorGroupSearch struct {
	// BaseDN to start the search from. For example "cn=groups,dc=example,dc=com"
	BaseDN string `yaml:"baseDN"`
	// Optional filter to apply when searching the directory. For example "(objectClass=posixGroup)"
	Filter string `yaml:"filter,omitempty"`
	Scope  string `yaml:"scope,omitempty"` // Defaults to "sub"
	// The attribute of the group that represents its name.
	NameAttr string `yaml:"nameAttr"`
	// Array of the field pairs used to match a user to a group.
	// See the "UserMatcher" struct for the exact field names
	//
	// Each pair adds an additional requirement to the filter that an attribute in the group
	// match the user's attribute value. For example that the "members" attribute of
	// a group matches the "uid" of the user. The exact filter being added is:
	//
	//   (userMatchers[n].<groupAttr>=userMatchers[n].<userAttr value>)
	//
	// NOTE(review): the user attribute value is interpolated into a filter; the
	// code building it (not on this page) must escape it per RFC 4515.
	UserMatchers []LDAPConnectorUserMatcher `yaml:"userMatchers"`
}

type LDAPConnectorUserMatcher

// LDAPConnectorUserMatcher holds information about user and group matching:
// one (user attribute, group attribute) pair used in the group search filter.
type LDAPConnectorUserMatcher struct {
	UserAttr  string `yaml:"userAttr"`
	GroupAttr string `yaml:"groupAttr"`
}

LDAPConnectorUserMatcher holds information about user and group matching.

type LDAPConnectorUserSearch

// LDAPConnectorUserSearch holds the user-search configuration of the LDAP
// connector and the mapping from entry attributes to token claims.
type LDAPConnectorUserSearch struct {
	// BaseDN to start the search from. For example "cn=users,dc=example,dc=com"
	BaseDN string `yaml:"baseDN"`
	// Optional filter to apply when searching the directory. For example "(objectClass=person)"
	Filter string `yaml:"filter,omitempty"`
	// Attribute to match against the inputted username. This will be translated and combined
	// with the other filter as "(<attr>=<username>)".
	// NOTE(review): the username is user-controlled and is interpolated into an
	// LDAP filter; the code building it (not on this page) must escape it per RFC 4515.
	Username string `yaml:"username"`
	// Can either be:
	// * "sub" - search the whole sub tree
	// * "one" - only search one level
	Scope string `yaml:"scope,omitempty"`
	// A mapping of attributes on the user entry to claims.
	// The doubled "Attr" in PreferredUsernameAttrAttr is part of the exported
	// name; its yaml key is "preferredUsernameAttr".
	IDAttr                    string `yaml:"idAttr,omitempty"`                // Defaults to "uid"
	EmailAttr                 string `yaml:"emailAttr,omitempty"`             // Defaults to "mail"
	NameAttr                  string `yaml:"nameAttr,omitempty"`              // No default.
	PreferredUsernameAttrAttr string `yaml:"preferredUsernameAttr,omitempty"` // No default.
	// If this is set, the email claim of the id token will be constructed from the idAttr and
	// value of emailSuffix. This should not include the @ character.
	EmailSuffix string `yaml:"emailSuffix,omitempty"` // No default.
}

type Logger

// Logger holds configuration required to customize logging for dex. Accepted
// values for Level and Format are not visible on this page.
type Logger struct {
	// Level sets logging level severity.
	Level string `yaml:"level,omitempty"`
	// Format specifies the format to be used for logging.
	Format string `yaml:"format,omitempty"`
}

Logger holds configuration required to customize logging for dex.

type OAuth2

// OAuth2 describes enabled OAuth2 extensions.
type OAuth2 struct {
	// list of allowed grant types,
	// defaults to all supported types
	GrantTypes    []string `yaml:"grantTypes,omitempty"`
	// list of allowed response types; default not visible on this page
	ResponseTypes []string `yaml:"responseTypes,omitempty"`
	// If specified, do not prompt the user to approve client authorization. The
	// act of logging in implies authorization.
	SkipApprovalScreen bool `yaml:"skipApprovalScreen,omitempty"`
	// If specified, show the connector selection screen even if there's only one
	AlwaysShowLoginScreen bool `yaml:"alwaysShowLoginScreen,omitempty"`
	// This is the connector that can be used for password grant
	PasswordConnector string `yaml:"passwordConnector,omitempty"`
}

OAuth2 describes enabled OAuth2 extensions.

type OIDCConnectorClaimMapping

// OIDCConnectorClaimMapping names the upstream claims the OIDC connector reads
// for preferred username, email and groups. The yaml keys are the standard
// claim names; each defaults to that same name when unset.
type OIDCConnectorClaimMapping struct {
	// Configurable key which contains the preferred username claims
	PreferredUsernameKey string `yaml:"preferred_username,omitempty"` // defaults to "preferred_username"
	// Configurable key which contains the email claims
	EmailKey string `yaml:"email,omitempty"` // defaults to "email"
	// Configurable key which contains the groups claims
	GroupsKey string `yaml:"groups,omitempty"` // defaults to "groups"
}

type OIDCConnectorConfig

// OIDCConnectorConfig holds configuration options for OpenID Connect logins.
//
// NOTE(review): ClientSecret appears in plaintext in the rendered config, and
// the Insecure* flags below each relax a check that dex otherwise performs on
// the upstream provider or its claims.
type OIDCConnectorConfig struct {
	Issuer       string `yaml:"issuer"`
	ClientID     string `yaml:"clientID"`
	// ClientSecret is a credential; its yaml key has no omitempty.
	ClientSecret string `yaml:"clientSecret"`
	RedirectURI  string `yaml:"redirectURI"`
	// Causes client_secret to be passed as POST parameters instead of basic
	// auth. This is specifically "NOT RECOMMENDED" by the OAuth2 RFC, but some
	// providers require it.
	//
	// https://tools.ietf.org/html/rfc6749#section-2.3.1
	BasicAuthUnsupported *bool    `yaml:"basicAuthUnsupported,omitempty"`
	Scopes               []string `yaml:"scopes,omitempty"` // defaults to "profile" and "email"
	// Certificates for SSL validation (presumably file paths — confirm)
	RootCAs []string `yaml:"rootCAs,omitempty"`
	// Override the value of email_verified to true in the returned claims.
	// Any downstream policy keyed on email_verified then trusts unverified addresses.
	InsecureSkipEmailVerified bool `yaml:"insecureSkipEmailVerified,omitempty"`
	// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
	InsecureEnableGroups bool `yaml:"insecureEnableGroups,omitempty"`
	// AcrValues (Authentication Context Class Reference Values) that specifies the Authentication Context Class Values
	// within the Authentication Request that the Authorization Server is being requested to use for
	// processing requests from this Client, with the values appearing in order of preference.
	AcrValues []string `yaml:"acrValues,omitempty"`
	// Disable certificate verification of the upstream provider's TLS endpoint;
	// the issuer is then not authenticated when tokens and keys are fetched.
	InsecureSkipVerify bool `yaml:"insecureSkipVerify,omitempty"`
	// GetUserInfo uses the userinfo endpoint to get additional claims for
	// the token. This is especially useful where upstreams return "thin"
	// id tokens
	GetUserInfo bool   `yaml:"getUserInfo,omitempty"`
	UserIDKey   string `yaml:"userIDKey,omitempty"`
	UserNameKey string `yaml:"userNameKey,omitempty"`
	// PromptType will be used for the prompt parameter (when offline_access, by default prompt=consent)
	PromptType string `yaml:"promptType,omitempty"`
	// OverrideClaimMapping will be used to override the options defined in claimMappings.
	// i.e. if there are 'email' and `preferred_email` claims available, by default Dex will always use the `email` claim independent of the ClaimMapping.EmailKey.
	// This setting allows you to override the default behavior of Dex and enforce the mappings defined in `claimMapping`.
	OverrideClaimMapping bool                      `yaml:"overrideClaimMapping,omitempty"` // defaults to false
	ClaimMapping         OIDCConnectorClaimMapping `yaml:"claimMapping"`
}

OIDCConnectorConfig holds configuration options for OpenID Connect logins.

type PostgresConfig

// PostgresConfig holds the connection settings for Postgres storage.
// NOTE(review): Password appears in plaintext in the rendered config; the
// units of ConnectionTimeout and ConnMaxLifetime are not visible here.
type PostgresConfig struct {
	Database          string            `yaml:"database"`
	User              string            `yaml:"user"`
	Password          string            `yaml:"password"`
	Host              string            `yaml:"host"`
	Port              int               `yaml:"port"`
	ConnectionTimeout *int              `yaml:"connectionTimeout,omitempty"`
	MaxOpenConns      *int              `yaml:"maxOpenConns,omitempty"`
	MaxIdleConns      *int              `yaml:"maxIdleConns,omitempty"`
	ConnMaxLifetime   *int              `yaml:"connMaxLifetime,omitempty"`
	// SSL is omitted when nil, leaving whatever default the consumer applies
	// (not visible here — confirm that default is not an unencrypted mode).
	SSL               *SSLStorageConfig `yaml:"ssl,omitempty"`
}

type RefreshToken

// RefreshToken holds the refresh token expiry policy referenced from
// Expiry.RefreshTokens. The three string fields are durations (presumably the
// same syntax as Expiry); DisableRotation presumably stops refresh tokens
// being rotated on use — confirm the exact semantics in dex.
type RefreshToken struct {
	DisableRotation   bool   `yaml:"disableRotation,omitempty"`
	ReuseInterval     string `yaml:"reuseInterval,omitempty"`
	AbsoluteLifetime  string `yaml:"absoluteLifetime,omitempty"`
	ValidIfNotUsedFor string `yaml:"validIfNotUsedFor,omitempty"`
}

type SQLite3Config

// SQLite3Config holds the settings for SQLite3 storage.
type SQLite3Config struct {
	// File to use for SQLite3 storage.
	File string `yaml:"file"`
}

type SSLStorageConfig

// SSLStorageConfig represents SSL options for network databases.
type SSLStorageConfig struct {
	// Mode is presumably the Postgres sslmode value (for example "disable",
	// "require", "verify-full") — confirm; only the verify-* modes authenticate
	// the database server, so CAFile matters only with those.
	Mode   string `yaml:"mode,omitempty"`
	CAFile string `yaml:"caFile,omitempty"`
	// Files for client auth.
	KeyFile  string `yaml:"keyFile,omitempty"`
	CertFile string `yaml:"certFile,omitempty"`
}

SSLStorageConfig represents SSL options for network databases.

type Storage

// Storage holds the app's storage configuration. Type selects the backend and
// thereby which branch of Config is used (see StorageConfig).
type Storage struct {
	Type   string        `yaml:"type"`
	Config StorageConfig `yaml:"config"`
}

Storage holds the app's storage configuration.

type StorageConfig

// StorageConfig is a configuration that can create a storage. Presumably
// exactly one of the pointer fields is set. Both carry `yaml:"-"`, so the
// default encoder skips them and MarshalYAML decides what is emitted.
// NOTE(review): behaviour when both or neither field is set is not visible here.
type StorageConfig struct {
	SQLite3  *SQLite3Config  `yaml:"-"`
	Postgres *PostgresConfig `yaml:"-"`
}

StorageConfig is a configuration that can create a storage.

func (StorageConfig) MarshalYAML

// MarshalYAML implements the yaml Marshaler interface for StorageConfig.
// Because the SQLite3 and Postgres fields are tagged `yaml:"-"`, this is the
// only way the selected backend's settings reach the output document.
// NOTE(review): body not shown — confirm which field wins when both are set.
func (c StorageConfig) MarshalYAML() (any, error)

type Telemetry added in v0.11.0

// Telemetry is the config format for telemetry, including the HTTP server
// config.
// NOTE(review): HTTP carries a `json` tag while every sibling config type on
// this page uses `yaml` tags — confirm which encoder consumes this struct and
// that the emitted key is the one dex expects.
type Telemetry struct {
	HTTP string `json:"http"`
}

Telemetry is the config format for telemetry, including the HTTP server config.

type Web

// Web is the config format for the HTTP server.
type Web struct {
	// HTTP and HTTPS are presumably listen addresses; TLSCert and TLSKey are
	// presumably file paths used when HTTPS is set (compare CertsBase) — confirm.
	HTTP           string   `yaml:"http,omitempty"`
	HTTPS          string   `yaml:"https,omitempty"`
	TLSCert        string   `yaml:"tlsCert,omitempty"`
	TLSKey         string   `yaml:"tlsKey,omitempty"`
	// AllowedOrigins is presumably the CORS allow-list for the HTTP endpoints;
	// how wildcards are treated is not visible here — confirm before using one.
	AllowedOrigins []string `yaml:"allowedOrigins,omitempty"`
}

Web is the config format for the HTTP server.
