config



Constants

// FieldType constants enumerate the value types an extra-data field may
// declare in FieldConfig.Type. Presumably FieldTypeObject fields describe
// their children through FieldConfig.Properties and FieldTypeList fields
// through FieldConfig.ElementType — confirm against Validate.
const (
	FieldTypeString = FieldType("string")
	FieldTypeNumber = FieldType("number")
	FieldTypeBool   = FieldType("bool")
	FieldTypeObject = FieldType("object")
	FieldTypeList   = FieldType("list")
)
// FieldVisibility constants control who may read an extra-data field (see
// FieldConfig.Visibility and FieldConfig.ApplyVisibility). The names suggest
// public = anyone, authenticated = any signed-in user, self = only the owning
// user, private = not exposed to users at all; the exact semantics and the
// ordering ApplyVisibility uses are not visible on this page. Confirm before
// relying on them: a too-permissive value leaks user data to other users.
const (
	FieldVisibilityPublic        = FieldVisibility("public")
	FieldVisibilitySelf          = FieldVisibility("self")
	FieldVisibilityPrivate       = FieldVisibility("private")
	FieldVisibilityAuthenticated = FieldVisibility("authenticated")
)
// Feature names accepted in Config.FeatureSet (see Config.FeatureEnabled and
// ErrFeatureDisabled). FeatureAll enables every feature; otherwise only the
// listed ones are active. These are untyped string constants, so they convert
// to Feature implicitly. Note that the configuration value for
// FeatureSelfRegistration is "registration", not "selfRegistration".
const (
	FeatureAll                 = "all"
	FeatureAddresses           = "addresses"
	FeatureEMails              = "emails"
	FeaturePhoneNumbers        = "phoneNumbers"
	FeatureEMailInvite         = "emailInvite"
	FeatureLoginByMail         = "loginByMail"
	FeatureAllowUsernameChange = "allowUsernameChange"
	FeatureSelfRegistration    = "registration"
)

Variables

// ErrFeatureDisabled signals that a requested feature is not part of
// Config.FeatureSet (see Config.FeatureEnabled). Compare with errors.Is.
var (
	ErrFeatureDisabled = errors.New("requested feature has been disabled")
)
// ErrNotAllowed signals that a request was rejected by the forward-auth
// rules (see ForwardAuthEntry.Allowed and Rule); where exactly it is returned
// is not visible on this page. Compare with errors.Is.
var (
	ErrNotAllowed = errors.New("not allowed")
)

Functions

func NewConfigHandler

func NewConfigHandler(cfg Config) http.Handler

Types

type Config

// Config is the top-level cisidm configuration as loaded by LoadFile or
// FromEnvironment. Several fields carry credentials (JWTSecret, MailConfig,
// Twilio, WebPush), so the file or environment that provides them should be
// protected like any other secret store (restrictive file permissions, never
// committed to version control).
type Config struct {
	// LogLevel defines the log level to use.
	LogLevel string `json:"logLevel"`

	// ForwardAuth configures domains and URLs that require authentication
	// when passed to the /validate endpoint. Entries are consulted by
	// AuthRequiredForURL; see ForwardAuthEntry and Rule for what can be expressed.
	ForwardAuth []*ForwardAuthEntry `json:"forwardAuth"`

	// DryRun may be set to enable dry-run mode which allows overwriting
	// notification targets. Presumably every outgoing mail/SMS is then sent to
	// DryRun.MailTarget/SMSTarget instead of the real recipient, so this must
	// never be enabled in production.
	DryRun *DryRun `json:"dryRun"`

	// TrustedNetworks is a list of CIDR network addresses that are considered
	// trusted. Any X-Forwarded-For header from these networks will be parsed
	// and applied.
	// Restrict this to the reverse proxies actually in front of cisidm: a peer
	// inside a trusted network chooses the client address cisidm sees, so an
	// over-broad entry such as 0.0.0.0/0 lets any client spoof its IP and,
	// presumably, satisfy IP/Network based Rules.
	TrustedNetworks []string `json:"trustedNetworks"`

	// Audience is the JWT audience that should be used when issuing access tokens.
	Audience string `json:"audience"`

	// JWTSecret is the secret that is used to sign access and refresh tokens.
	// Changing this value during production will invalidate all issued tokens and
	// require all users to re-login.
	// Anyone who knows this value can mint tokens for arbitrary users, so use a
	// long random string and keep the file or environment carrying it readable
	// only by the cisidm process.
	JWTSecret string `json:"jwtSecret"`

	// DatabaseURL is the URL to one of the rqlite cluster members.
	// It should have the format of
	//   http://rqlite:4001/
	// The example uses plain http; all user data crosses this connection, so
	// keep rqlite on a trusted network (whether https is supported here is not
	// visible on this page).
	DatabaseURL string `json:"rqliteURL"`

	// SecureCookie defines whether or not cookies should be set with the
	// Secure attribute. If left empty, SecureCookie will be automatically
	// set depending on the PublicURL field.
	// Explicitly setting this to false on an https deployment lets the token
	// cookies travel over plaintext; only do so for local development.
	SecureCookie *bool `json:"secureCookie"`

	// AccessTokenTTL defines the maximum lifetime for issued access tokens.
	// This defaults to 24h. Users or services requesting an access token
	// may specify a shorter lifetime.
	AccessTokenTTL JSONDuration `json:"accessTokenTTL"`

	// RefreshTokenTTL defines the lifetime for issued refresh tokens.
	// This defaults to 720h (~1 month). Absent a revocation mechanism (none is
	// visible here) this also bounds how long a stolen refresh cookie remains
	// usable, so consider shortening it for sensitive deployments.
	RefreshTokenTTL JSONDuration `json:"refreshTokenTTL"`

	// AccessTokenCookieName is the name of the cookie used to store the
	// access-token for browser requests. This defaults to cis_idm_access.
	AccessTokenCookieName string `json:"accessTokenCookieName"`

	// RefreshTokenCookieName is the name of the cookie used to store the
	// refresh-token for browser requests. This defaults to cis_idm_refresh.
	RefreshTokenCookieName string `json:"refreshTokenCookieName"`

	// Overwrites may hold configuration overwrites per user or role.
	// An Overwrite currently only changes the token TTLs; see Overwrite.
	Overwrites []Overwrite `json:"overwrites"`

	// BootstrapRoles holds a list of role names that should be automatically
	// created when cisidm is started. Those roles are created with deleteProtection
	// enabled.
	// Use this if you want to ensure cisidm has a set of roles that other services
	// rely upon.
	BootstrapRoles []string `json:"bootstrapRoles"`

	// AllowedDomainRedirects is a list of domain names to which cisidm will allow
	// redirection after login/refresh.
	// Keep it to hosts you control: the redirect target is supplied by the
	// caller through the "redirect" query parameter (see LoginRedirectURL and
	// RefreshRedirectURL), so an over-permissive list turns the login and
	// refresh flows into an open redirect. Note that the JSON key is
	// "allowedRedirects", not "allowedDomainRedirects".
	AllowedDomainRedirects []string `json:"allowedRedirects"`

	// FeatureSet is a list of features that should be enabled. See the Feature*
	// constants for the available values. This defaults to "all".
	FeatureSet []Feature `json:"features"`

	// PublicListenAddr defines the listen address for the public listener. This
	// listener requires proper authentication for all endpoints where authentication
	// is specified as required in the protobuf definition.
	// This defaults to :8080
	PublicListenAddr string `json:"publicListener"`

	// AdminListenAddr defines the listen address for the admin listener.
	// All requests received on this listener will automatically get the idm_superuser
	// role assigned. Be careful to not expose this listener to the public!
	// This defaults to :8081
	// Because the role is granted purely by which listener the request arrived
	// on, no credentials are checked here. The default ":8081" binds every
	// interface, so set this to a loopback or management-network address
	// (e.g. 127.0.0.1:8081) and firewall it in container/VM deployments.
	AdminListenAddr string `json:"adminListener"`

	// AllowedOrigins configures a list of allowed origins for Cross-Origin-Requests.
	// This defaults to the PublicURL as well as http(s)://{{ Domain }}
	// Only add origins you control: a listed origin can make cross-site API
	// calls from the browser, presumably with the token cookies attached.
	AllowedOrigins []string `json:"allowedOrigins"`

	// PublicURL defines the public URL at which cisidm is reachable from the outside.
	// This value MUST be set. It also drives the SecureCookie default, the
	// default AllowedOrigins and the default redirect/reset/verify URLs below.
	PublicURL string `json:"publicURL"`

	// StaticFiles defines where cisidm should serve its user interface from.
	// If left empty, the UI is served from the embedded file-system. If set to
	// a file path then all files from within that directory will be served (see http.Dir
	// for possible security implications: it serves dot-files such as .git and
	// follows symlinks that point outside the directory, so point it at a
	// directory that contains nothing but the built UI). If set to a URL
	// (i.e. starting with "http"), a simple one-host reverse proxy is created;
	// that upstream is fully trusted since it renders the login page.
	// During development, you might want to use `ng serve` from the ui/ folder
	// and set StaticFiles to "http://localhost:4200/"
	StaticFiles string `json:"staticFiles"`

	// ExtraAssetsDirectory can be set to a directory (or HTTP URL)
	// that will be used to serve additional files at the /files endpoint.
	// Presumably served the same way as StaticFiles, in which case the http.Dir
	// caveats above apply — TODO confirm.
	ExtraAssetsDirectory string `json:"extraAssets"`

	// LogoURL may be set to a path or HTTP resource that should be displayed as the
	// application logo on the login screen.
	LogoURL string `json:"logoURL"`

	// RegistrationRequiresToken defines whether or not users are allowed to sign
	// up without a registration token. Only relevant while FeatureSelfRegistration
	// (or FeatureAll) is enabled; with it set to false, presumably anyone who can
	// reach the public listener may create an account.
	RegistrationRequiresToken bool `json:"registrationRequiresToken"`

	// Domain is the parent domain for which cisidm handles authentication. If you
	// have multiple sub-domains hosting your services you want to set this to the
	// parent domain.
	//
	// I.e. if cisidm is running on account.example.com and you have services on
	// foo.example.com and bar.example.com you want to set the Domain field to "example.com"
	//
	// NOTE(review): presumably the token cookies are scoped to this domain so
	// that every sub-domain receives them; every host under Domain must then be
	// trusted with the user's tokens — confirm the cookie Domain attribute.
	Domain string `json:"domain"`

	// LoginRedirectURL defines the format string to build the redirect URL in the /validate
	// endpoint in case a user needs to authenticate.
	// If left empty, it defaults to {{ PublicURL }}/login?redirect=%s
	// The %s is presumably the originally requested URL; it is caller
	// influenced and should be checked against AllowedDomainRedirects before
	// being followed.
	LoginRedirectURL string `json:"loginURL"`

	// RefreshRedirectURL defines the format string to build the redirect URL in the /validate
	// endpoint in case a user needs to request a new access token.
	// If left empty, it defaults to {{ PublicURL }}/refresh?redirect=%s
	RefreshRedirectURL string `json:"refreshURL"`

	// PasswordResetURL defines the format string to build the password reset URL.
	// If left empty, it defaults to {{ PublicURL }}/password/reset?token=%s
	// The reset token travels in the query string and can therefore end up in
	// proxy logs and browser history; the token lifetime is not configured here.
	PasswordResetURL string `json:"passwordResetURL"`

	// VerifyMailURL defines the format string to build the verify-email address URL.
	// If left empty, it defaults to {{ PublicURL }}/verify-mail?token=%s
	VerifyMailURL string `json:"verifyMailURL"`

	// RegistrationURL defines the format string to build the invitation address URL.
	// If left empty, it defaults to {{ PublicURL }}/registration?token=%s
	RegistrationURL string `json:"registrationURL"`

	// SiteName can be used to specify the name of the cisidm instance and will be displayed
	// at the login screen and throughout the user interface. This defaults to Example
	// so you will likely want to set this field as well.
	SiteName string `json:"siteName"`

	// SiteNameURL can be set to a URL that will be used to create a HTML link on the login
	// page. Use an http(s) URL; whether other schemes (e.g. javascript:) are
	// rejected before rendering is not visible on this page.
	SiteNameURL string `json:"siteNameUrl"`

	// Twilio is required for all SMS related features.
	// TODO(ppacher): print a warning when a SMS feature is enabled
	// but twilio is not configured.
	Twilio *Twilio `json:"twilio" envPrefix:"TWILIO__"`

	// MailConfig is required for all email related features.
	MailConfig *MailConfig `json:"mail" envPrefix:"MAIL__"`

	// ExtraDataConfig defines the schema and visibility for the user extra data.
	// Keys are the field names; see FieldConfig. How fields not listed here are
	// treated is not visible on this page.
	ExtraDataConfig map[string]*FieldConfig `json:"extraData"`

	// WebPush holds VAPID keys for web-push integration. The private key is a
	// credential; see WebPush.
	WebPush *WebPush `json:"webpush"`
	// contains filtered or unexported fields
}

func FromEnvironment

func FromEnvironment(ctx context.Context, cfgFilePath string) (cfg Config, err error)

FromEnvironment returns a Config parsed from environment variables. It also accepts cfgFilePath; how values from that file and from the environment are combined (and which wins) is not documented here.

func LoadFile

func LoadFile(path string) (*Config, error)

func (Config) AuthRequiredForURL

func (file Config) AuthRequiredForURL(ctx context.Context, method string, url string) (*ForwardAuthEntry, bool, error)

func (*Config) FeatureEnabled

func (cfg *Config) FeatureEnabled(feature Feature) bool

type DryRun

// DryRun holds the replacement notification targets used when
// Config.DryRun is set. Presumably all outgoing mail goes to MailTarget and
// all SMS to SMSTarget instead of the real recipients; never enable this in
// production.
type DryRun struct {
	MailTarget string `json:"mail"`
	SMSTarget  string `json:"sms"`
}

type Feature

// Feature names a toggleable cisidm feature; see the Feature* constants and
// Config.FeatureSet.
type Feature string

type FieldConfig

// FieldConfig describes the schema and access rules for one user extra-data
// field (see Config.ExtraDataConfig). Validate checks a value against the
// schema and ApplyVisibility presumably strips values the caller may not see.
type FieldConfig struct {
	// Type is one of the FieldType constants.
	Type        FieldType               `json:"type"`
	// Visibility controls who may read the field (FieldVisibility constants).
	// ValidateConfig checks it against the visibility passed by the caller.
	Visibility  FieldVisibility         `json:"visibility"`
	// Writeable controls whether the value may be changed; by whom is not
	// visible on this page (presumably the user themself) — TODO confirm.
	Writeable   bool                    `json:"writeable"`
	Description string                  `json:"description"`
	DisplayName string                  `json:"displayName"`
	// Properties presumably holds the nested schema for FieldTypeObject.
	Properties  map[string]*FieldConfig `json:"properties"`
	// ElementType presumably holds the element schema for FieldTypeList.
	ElementType *FieldConfig            `json:"elementType"`
}

FieldConfig describes the schema (type, visibility and writeability) of a single user extra-data field.

func (*FieldConfig) ApplyVisibility

func (fc *FieldConfig) ApplyVisibility(current FieldVisibility, value *structpb.Value) *structpb.Value

func (FieldConfig) Validate

func (fc FieldConfig) Validate(data *structpb.Value) error

func (*FieldConfig) ValidateConfig

func (fc *FieldConfig) ValidateConfig(fieldVisiblity FieldVisibility) error

type FieldType

// FieldType is the value type of an extra-data field; see the FieldType*
// constants.
type FieldType string

type FieldVisibility

// FieldVisibility states who may read an extra-data field; see the
// FieldVisibility* constants and FieldConfig.ApplyVisibility.
type FieldVisibility string

type ForwardAuthEntry

// ForwardAuthEntry describes one URL pattern consulted by the /validate
// endpoint (see Config.ForwardAuth). Matches decides whether the entry
// applies to a method/URL, IsRequired whether authentication is needed, and
// Allowed evaluates Rules against the concrete request.
type ForwardAuthEntry struct {
	// Required controls whether authentication is needed for matching
	// requests; the meaning of nil is defined by IsRequired — TODO confirm.
	Required *bool    `json:"required,omitempty" yaml:"required,omitempty"`
	// URL is the pattern compared against the incoming URL by Matches; the
	// matching semantics (exact, prefix, glob) are not visible on this page.
	URL      string   `json:"url" yaml:"url"`
	// Methods optionally restricts the entry to the listed HTTP methods.
	Methods  []string `json:"methods,omitempty" yaml:"methods,omitempty"`
	// Rules are evaluated by Allowed (see Rule). Note that, unlike the other
	// fields, Rules carries no yaml tag.
	Rules    []*Rule  `json:"rules"`
	// contains filtered or unexported fields
}

func (*ForwardAuthEntry) Allowed

func (fae *ForwardAuthEntry) Allowed(req *http.Request) (string, bool, error)

func (*ForwardAuthEntry) IsRequired

func (fae *ForwardAuthEntry) IsRequired() bool

IsRequired returns true if authentication is required for this entry.

func (*ForwardAuthEntry) Matches

func (fae *ForwardAuthEntry) Matches(method, url string) (bool, error)

Matches reports whether fae applies to the given HTTP method and url.

type JSONDuration

// JSONDuration is a time.Duration that marshals to and from JSON. The
// accepted textual form is defined by UnmarshalJSON (presumably Go duration
// strings such as "24h", as used for the TTL defaults in Config).
type JSONDuration time.Duration

func (*JSONDuration) AsDuration

func (d *JSONDuration) AsDuration() time.Duration

func (*JSONDuration) MarshalJSON

func (d *JSONDuration) MarshalJSON() ([]byte, error)

func (*JSONDuration) UnmarshalJSON

func (d *JSONDuration) UnmarshalJSON(blob []byte) error

type MailConfig

// MailConfig holds the SMTP settings used for all email related features.
// Values can also come from the environment with the MAIL__ prefix declared
// on Config.MailConfig (e.g. MAIL__PASSWORD), which is preferable to keeping
// the password in a config file.
type MailConfig struct {
	Host          string `json:"host" env:"HOST"`
	Port          int    `json:"port" env:"PORT"`
	Username      string `json:"user" env:"USER"`
	// Password is a credential; protect the file or environment carrying it.
	Password      string `json:"password" env:"PASSWORD"`
	From          string `json:"from" env:"FROM"`
	// AllowInsecure presumably permits an unencrypted or unverified connection
	// to the mail server; leave it false outside local testing — TODO confirm
	// whether it means plaintext SMTP, skipped certificate checks, or both.
	AllowInsecure bool   `json:"allowInsecure" env:"ALLOW_INSECURE"`
	// UseSSL is exposed as "useTLS"/USE_TLS in JSON and the environment; the
	// Go field name does not match the config key. nil leaves the choice to
	// the implementation.
	UseSSL        *bool  `json:"useTLS" env:"USE_TLS"`
}

type Overwrite added in v0.9.0

// Overwrite applies alternative token lifetimes to the listed users or roles
// (see Config.Overwrites). Longer lifetimes widen the window in which a stolen
// token remains valid, so extend them sparingly and only for well-understood
// service accounts.
type Overwrite struct {
	// UserIDs and RoleIDs select who the overwrite applies to. Precedence when
	// a user matches several overwrites is not visible on this page.
	UserIDs []string `json:"users"`
	RoleIDs []string `json:"roles"`

	// AccessTokenTTL and RefreshTokenTTL replace the global Config values for
	// the selected users/roles; zero presumably means "keep the default".
	AccessTokenTTL  JSONDuration `json:"accessTokenTTL"`
	RefreshTokenTTL JSONDuration `json:"refreshTokenTTL"`
}

type Rule

// Rule is a single allow/deny condition attached to a ForwardAuthEntry and
// evaluated by Matches against the incoming request. The IP and Network
// conditions act on the client address cisidm derives from the request; with
// X-Forwarded-For honoured for Config.TrustedNetworks, their strength depends
// on that list being limited to the real reverse proxies.
type Rule struct {
	// IP presumably matches a single client address.
	IP        string `json:"ip"`
	// Network presumably matches a CIDR range.
	Network   string `json:"network"`
	// Token presumably matches a shared secret presented by the caller; treat
	// it as a credential — TODO confirm how it is transported and compared.
	Token     string `json:"token"`
	// Deny turns a matching rule into a rejection instead of an allow.
	Deny      bool   `json:"deny"`
	// SubjectID presumably matches the authenticated subject.
	SubjectID string `json:"subject"`
	// contains filtered or unexported fields
}

func (*Rule) Matches

func (r *Rule) Matches(req *http.Request) (bool, error)

func (*Rule) String

func (r *Rule) String() string

type Twilio

// Twilio holds the settings for SMS delivery (see Config.Twilio). AccessToken
// is a credential; the TWILIO__ env prefix declared on Config.Twilio allows
// supplying it via the environment (e.g. TWILIO__TOKEN) instead of the
// config file.
type Twilio struct {
	From        string `json:"from" env:"FROM"`
	AccountSid  string `json:"sid" env:"SID"`
	AccessToken string `json:"token" env:"TOKEN"`
}

type WebPush added in v0.9.0

// WebPush holds the VAPID key pair used for web-push notifications
// (see Config.WebPush).
type WebPush struct {
	// Admin is presumably the contact (mailto: or URL) used as the VAPID
	// subject — TODO confirm.
	Admin           string `json:"admin"`
	// VAPIDpublicKey is handed to browsers and is safe to publish.
	VAPIDpublicKey  string `json:"vapidPublicKey"`
	// VAPIDprivateKey signs push requests and must stay secret: whoever holds
	// it can push messages to every subscribed browser.
	VAPIDprivateKey string `json:"vapidPrivateKey"`
}
