config

package
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 21, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	DefaultConfig = &Config{

		HTTPAuthorizationHeader: "kozmo-authorization",
		GrpcAuthorizationHeader: "kozmo-authorization",
		UserAuth: UserAuthConfig{
			RedirectURL:              config.URL{URL: *MustParseURL("/console")},
			CookieHashKeySecretName:  SecretNameCookieHashKey,
			CookieBlockKeySecretName: SecretNameCookieBlockKey,
			OpenID: OpenIDOptions{
				ClientSecretName: SecretNameOIdCClientSecret,

				Scopes: []string{
					"openid",
					"profile",
				},
			},
			CookieSetting: CookieSettings{
				Domain:         "",
				SameSitePolicy: SameSiteDefaultMode,
			},
		},
		AppAuth: OAuth2Options{
			ExternalAuthServer: ExternalAuthorizationServer{
				RetryAttempts: 5,
				RetryDelay:    config.Duration{Duration: 1 * time.Second},
			},
			AuthServerType: AuthorizationServerTypeSelf,
			ThirdParty: ThirdPartyConfigOptions{
				KozmoClientConfig: KozmoClientConfig{
					ClientID:    "kozmoctl",
					RedirectURI: "http://localhost:53593/callback",
					Scopes:      []string{"all", "offline"},
				},
			},
			SelfAuthServer: AuthorizationServer{
				AccessTokenLifespan:                   config.Duration{Duration: 30 * time.Minute},
				RefreshTokenLifespan:                  config.Duration{Duration: 60 * time.Minute},
				AuthorizationCodeLifespan:             config.Duration{Duration: 5 * time.Minute},
				ClaimSymmetricEncryptionKeySecretName: SecretNameClaimSymmetricKey,
				TokenSigningRSAKeySecretName:          SecretNameTokenSigningRSAKey,
				OldTokenSigningRSAKeySecretName:       SecretNameOldTokenSigningRSAKey,
				StaticClients: map[string]*fosite.DefaultClient{
					"kozmo-cli": {
						ID:            "kozmo-cli",
						RedirectURIs:  []string{"http://localhost:53593/callback", "http://localhost:12345/callback"},
						ResponseTypes: []string{"code", "token"},
						GrantTypes:    []string{"refresh_token", "authorization_code"},
						Scopes:        []string{"all", "offline", "access_token"},
						Public:        true,
					},
					"kozmoctl": {
						ID:            "kozmoctl",
						RedirectURIs:  []string{"http://localhost:53593/callback", "http://localhost:12345/callback"},
						ResponseTypes: []string{"code", "token"},
						GrantTypes:    []string{"refresh_token", "authorization_code"},
						Scopes:        []string{"all", "offline", "access_token"},
						Public:        true,
					},
					"kozmopropeller": {
						ID:            "kozmopropeller",
						Secret:        []byte(`$2a$06$d6PQn2QAFU3cL5V8MDkeuuk63xubqUxNxjtfPw.Fc9MgV6vpmyOIy`),
						RedirectURIs:  []string{"http://localhost:3846/callback"},
						ResponseTypes: []string{"token"},
						GrantTypes:    []string{"refresh_token", "client_credentials"},
						Scopes:        []string{"all", "offline", "access_token"},
					},
				},
			},
		},
	}
)

Functions

func MustParseURL

func MustParseURL(rawURL string) *url.URL

MustParseURL panics if the provided url fails parsing. Should only be used in package initialization or tests.

Types

type AuthorizationServer

type AuthorizationServer struct {
	// Defines the issuer to use when issuing and validating tokens. The default value is https://<requestUri.HostAndPort>/
	Issuer string `` /* 139-byte string literal not displayed */

	// Defines the lifespan of issued access tokens.
	AccessTokenLifespan config.Duration `json:"accessTokenLifespan" pflag:",Defines the lifespan of issued access tokens."`

	// Defines the lifespan of issued access tokens.
	RefreshTokenLifespan config.Duration `json:"refreshTokenLifespan" pflag:",Defines the lifespan of issued access tokens."`

	// Defines the lifespan of issued access tokens.
	AuthorizationCodeLifespan config.Duration `json:"authorizationCodeLifespan" pflag:",Defines the lifespan of issued access tokens."`

	// Secret names, defaults are set in DefaultConfig variable above but are possible to override through configs.
	ClaimSymmetricEncryptionKeySecretName string `json:"claimSymmetricEncryptionKeySecretName" pflag:",OPTIONAL: Secret name to use to encrypt claims in authcode token."`
	TokenSigningRSAKeySecretName          string `json:"tokenSigningRSAKeySecretName" pflag:",OPTIONAL: Secret name to use to retrieve RSA Signing Key."`
	OldTokenSigningRSAKeySecretName       string `` /* 184-byte string literal not displayed */

	// A list of clients to grant access to.
	StaticClients map[string]*fosite.DefaultClient `json:"staticClients" pflag:"-,Defines statically defined list of clients to allow."`
}

type AuthorizationServerType

type AuthorizationServerType int

AuthorizationServerType defines the type of Authorization Server to use.

const (
	// AuthorizationServerTypeSelf determines that KozmoAdmin should act as the authorization server to serve
	// OAuth2 token requests
	AuthorizationServerTypeSelf AuthorizationServerType = iota

	// AuthorizationServerTypeExternal determines that KozmoAdmin should rely on an external authorization server (e.g.
	// Okta) to serve OAuth2 token requests
	AuthorizationServerTypeExternal
)

func AuthorizationServerTypeString

func AuthorizationServerTypeString(s string) (AuthorizationServerType, error)

AuthorizationServerTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func AuthorizationServerTypeValues

func AuthorizationServerTypeValues() []AuthorizationServerType

AuthorizationServerTypeValues returns all values of the enum

func (AuthorizationServerType) IsAAuthorizationServerType

func (i AuthorizationServerType) IsAAuthorizationServerType() bool

IsAAuthorizationServerType returns "true" if the value is listed in the enum definition. "false" otherwise

func (AuthorizationServerType) MarshalJSON

func (i AuthorizationServerType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for AuthorizationServerType

func (AuthorizationServerType) String

func (i AuthorizationServerType) String() string

func (*AuthorizationServerType) UnmarshalJSON

func (i *AuthorizationServerType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for AuthorizationServerType

type Config

type Config struct {
	// These settings are for non-SSL authentication modes, where Envoy is handling SSL termination
	// This is not yet used, but this is the HTTP variant of the setting below.
	HTTPAuthorizationHeader string `json:"httpAuthorizationHeader"`

	// In order to support deployments of this Admin service where Envoy is terminating SSL connections, the metadata
	// header name cannot be "authorization", which is the standard metadata name. Envoy has special handling for that
	// name. Instead, there is a gRPC interceptor, GetAuthenticationCustomMetadataInterceptor, that will translate
	// incoming metadata headers with this config setting's name, into that standard header
	GrpcAuthorizationHeader string `json:"grpcAuthorizationHeader"`

	// To help ease migration, it was helpful to be able to only selectively enforce authentication.  The
	// dimension that made the most sense to cut by at time of writing is HTTP vs gRPC as the web UI mainly used HTTP
	// and the backend used mostly gRPC.  Cutting by individual endpoints is another option but it possibly falls more
	// into the realm of authorization rather than authentication.
	DisableForHTTP bool `json:"disableForHttp" pflag:",Disables auth enforcement on HTTP Endpoints."`
	DisableForGrpc bool `json:"disableForGrpc" pflag:",Disables auth enforcement on Grpc Endpoints."`

	// AuthorizedURIs is optional and defines the set of URIs that clients are allowed to visit the service on. If set,
	// the system will attempt to match the incoming host to the first authorized URIs and use that (including the scheme)
	// when generating metadata endpoints and when validating audience and issuer claims. If no matching authorizedUri
	// is found, it'll default to the first one. If not provided, the urls will be deduced based on the request url and
	// the `secure` setting.
	AuthorizedURIs []config.URL `` /* 415-byte string literal not displayed */

	// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
	HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`

	// UserAuth settings used to authenticate end users in web-browsers.
	UserAuth UserAuthConfig `json:"userAuth" pflag:",Defines Auth options for users."`

	// AppAuth settings used to authenticate and control/limit access scopes for apps.
	AppAuth OAuth2Options `json:"appAuth" pflag:",Defines Auth options for apps. UserAuth must be enabled for AppAuth to work."`
}

func GetConfig

func GetConfig() *Config

func (Config) GetPFlagSet

func (cfg Config) GetPFlagSet(prefix string) *pflag.FlagSet

GetPFlagSet will return strongly types pflags for all fields in Config and its nested types. The format of the flags is json-name.json-sub-name... etc.

type CookieSettings

type CookieSettings struct {
	SameSitePolicy SameSite `` /* 166-byte string literal not displayed */
	Domain         string   `json:"domain" pflag:",OPTIONAL: Allows you to set the domain attribute on the auth cookies."`
}

type ExternalAuthorizationServer

type ExternalAuthorizationServer struct {
	// BaseURL should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/
	// If not provided, the OpenID.BaseURL will be assumed instead.
	BaseURL             config.URL `` /* 208-byte string literal not displayed */
	AllowedAudience     []string   `` /* 149-byte string literal not displayed */
	MetadataEndpointURL config.URL `` /* 149-byte string literal not displayed */
	// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
	HTTPProxyURL  config.URL      `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`
	RetryAttempts int             `json:"retryAttempts" pflag:", Optional: The number of attempted retries on a transient failure to get the OAuth metadata"`
	RetryDelay    config.Duration `json:"retryDelay" pflag:", Optional, Duration to wait between retries"`
}

type KozmoClientConfig

type KozmoClientConfig struct {
	ClientID    string   `json:"clientId" pflag:",public identifier for the app which handles authorization for a Kozmo deployment"`
	RedirectURI string   `` /* 127-byte string literal not displayed */
	Scopes      []string `json:"scopes" pflag:",Recommended scopes for the client to request."`
	Audience    string   `json:"audience" pflag:",Audience to use when initiating OAuth2 authorization requests."`
}

type OAuth2Options

type OAuth2Options struct {
	// AuthServerType defines the type of AuthServer to connect to.
	AuthServerType AuthorizationServerType `` /* 148-byte string literal not displayed */

	// SelfAuthServer defines settings for running authorization server locally.
	SelfAuthServer AuthorizationServer `` /* 164-byte string literal not displayed */

	// ExternalAuthServer defines settings for connecting with an external authorization server.
	ExternalAuthServer ExternalAuthorizationServer `json:"externalAuthServer" pflag:",External Authorization Server config."`

	// ThirdParty defines settings for the public client kozmo-clients (e.g. kozmoctl, kozmocli) should use.
	ThirdParty ThirdPartyConfigOptions `` /* 146-byte string literal not displayed */
}

OAuth2Options defines settings for app auth.

type OpenIDOptions

type OpenIDOptions struct {
	// The client ID for Admin in your IDP
	// See https://tools.ietf.org/html/rfc6749#section-2.2 for more information
	ClientID string `json:"clientId"`

	// The client secret used in the exchange of the authorization code for the token.
	// https://tools.ietf.org/html/rfc6749#section-2.3
	ClientSecretName string `json:"clientSecretName"`

	// Deprecated: Please use ClientSecretName instead.
	DeprecatedClientSecretFile string `json:"clientSecretFile"`

	// This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it
	// will look something like https://company.okta.com/oauth2/abcdef123456789/
	BaseURL config.URL `json:"baseUrl"`

	// Provides a list of scopes to request from the IDP when authenticating. Default value requests claims that should
	// be supported by any OIdC server. Refer to https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for
	// a complete list. Other providers might support additional scopes that you can define in a config.
	Scopes []string `json:"scopes"`
}

type SameSite

type SameSite int
const (
	SameSiteDefaultMode SameSite = iota
	SameSiteLaxMode
	SameSiteStrictMode
	SameSiteNoneMode
)

func SameSiteString

func SameSiteString(s string) (SameSite, error)

SameSiteString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func SameSiteValues

func SameSiteValues() []SameSite

SameSiteValues returns all values of the enum

func (SameSite) IsASameSite

func (i SameSite) IsASameSite() bool

IsASameSite returns "true" if the value is listed in the enum definition. "false" otherwise

func (SameSite) MarshalJSON

func (i SameSite) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for SameSite

func (SameSite) String

func (i SameSite) String() string

func (*SameSite) UnmarshalJSON

func (i *SameSite) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for SameSite

type SecretName

type SecretName = string
const (
	// SecretNameOIdCClientSecret defines the default OIdC client secret name to use.
	// #nosec
	SecretNameOIdCClientSecret SecretName = "oidc_client_secret"

	// SecretNameCookieHashKey defines the default cookie hash key secret name to use.
	// #nosec
	SecretNameCookieHashKey SecretName = "cookie_hash_key"

	// SecretNameCookieBlockKey defines the default cookie block key secret name to use.
	// #nosec
	SecretNameCookieBlockKey SecretName = "cookie_block_key"

	// SecretNameClaimSymmetricKey must be a base64 encoded secret of exactly 32 bytes
	// #nosec
	SecretNameClaimSymmetricKey SecretName = "claim_symmetric_key"

	// SecretNameTokenSigningRSAKey is the privateKey used to sign JWT tokens. The default strategy uses RS256 (RSA Signature with SHA-256)
	// #nosec
	SecretNameTokenSigningRSAKey SecretName = "token_rsa_key.pem"

	// SecretNameOldTokenSigningRSAKey is the privateKey used to sign old JWT tokens. The default strategy uses RS256 (RSA Signature with SHA-256)
	// This is used to support key rotation. When present, it'll only be used to validate incoming tokens. New tokens
	// will not be issued using this key.
	// #nosec
	SecretNameOldTokenSigningRSAKey SecretName = "token_rsa_key_old.pem"
)

type ThirdPartyConfigOptions

type ThirdPartyConfigOptions struct {
	KozmoClientConfig KozmoClientConfig `json:"kozmoClient"`
}

This struct encapsulates config options for bootstrapping various Kozmo applications with config values For example, KozmoClientConfig contains application-specific values to initialize the config required by kozmo client

func (ThirdPartyConfigOptions) IsEmpty

func (o ThirdPartyConfigOptions) IsEmpty() bool

type UserAuthConfig

type UserAuthConfig struct {
	// This is where the user will be redirected to at the end of the flow, but you should not use it. Instead,
	// the initial /login handler should be called with a redirect_url parameter, which will get saved to a cookie.
	// This setting will only be used when that cookie is missing.
	// See the login handler code for more comments.
	RedirectURL config.URL `json:"redirectUrl"`

	// OpenID defines settings for connecting and trusting an OpenIDConnect provider.
	OpenID OpenIDOptions `json:"openId" pflag:",OpenID Configuration for User Auth"`

	// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
	HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`

	// Secret names, defaults are set in DefaultConfig variable above but are possible to override through configs.
	CookieHashKeySecretName  string         `json:"cookieHashKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie hash key."`
	CookieBlockKeySecretName string         `json:"cookieBlockKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie block key."`
	CookieSetting            CookieSettings `json:"cookieSetting" pflag:", settings used by cookies created for user auth"`
	IDPQueryParameter        string         `` /* 203-byte string literal not displayed */
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL