middleware

package
v1.1.0 Latest Latest
Published: Mar 18, 2025 License: Apache-2.0 Imports: 64 Imported by: 0

Documentation

Index

Constants

// DeniedMessage is the generic, user-facing text returned when a request is
// rejected; it deliberately carries no detail about which policy matched.
// Presumably used by the Policies middleware / RenderError — TODO confirm.
const DeniedMessage = "Operation denied due to security policies"
const (
	// WwwAuthenticate captures the Www-Authenticate header string.
	// It is already in the canonical key form net/http uses, so it can be
	// passed to Header.Set / Header.Get as is.
	WwwAuthenticate = "Www-Authenticate"
)

Variables

var (
	// SupportedAuthStrategies stores configured challenges.
	// Package-level mutable state: presumably populated once at start-up;
	// writing to it while requests are served would need synchronization — TODO confirm.
	SupportedAuthStrategies []string

	// ProxyWwwAuthenticate is a list of endpoints that do not rely on reva underlying authentication, such as ocs.
	// Services that fall back to reva authentication are declared in the "frontend" command on OpenCloud. It is a list of
	// regexp.Regexp which are safe to use concurrently.
	//
	// NOTE(review): the pattern is unanchored and the `.` before `php` is unescaped,
	// so it also matches a path such as "/ocs/v1Xphp/cloud/" and any path that merely
	// contains the sequence. Confirm this is intended, since the match decides which
	// endpoints are treated as not relying on reva authentication.
	ProxyWwwAuthenticate = []regexp.Regexp{*regexp.MustCompile("/ocs/v[12].php/cloud/")}
)

Functions

func AccessLog

func AccessLog(logger log.Logger) func(http.Handler) http.Handler

AccessLog is a middleware to log http requests at info level logging.

func AccountResolver

func AccountResolver(optionSetters ...Option) func(next http.Handler) http.Handler

AccountResolver provides a middleware which mints a JWT and adds it to the proxied request based on the OIDC claims.

func Authentication

func Authentication(auths []Authenticator, opts ...Option) func(next http.Handler) http.Handler

Authentication is a higher order authentication middleware.

func ContextLogger

func ContextLogger(logger log.Logger) func(http.Handler) http.Handler

ContextLogger is a middleware to use a logger associated with the request's context which includes general information of the request.

func CreateHome

func CreateHome(optionSetters ...Option) func(next http.Handler) http.Handler

CreateHome provides a middleware which sends a CreateHome request to the reva gateway

func HTTPSRedirect

func HTTPSRedirect(next http.Handler) http.Handler

HTTPSRedirect redirects insecure requests to https

func Instrumenter

func Instrumenter(m metrics.Metrics) func(next http.Handler) http.Handler

Instrumenter provides a middleware to create metrics

func LoadCSPConfig

func LoadCSPConfig(proxyCfg *config.Config) (*config.CSP, error)

LoadCSPConfig loads CSP header configuration from a yaml file.

func Policies

func Policies(qs string, opts ...Option) func(next http.Handler) http.Handler

Policies verifies if a request is granted or not.

func RenderError

func RenderError(w http.ResponseWriter, r *http.Request, evaluateReq *pService.EvaluateRequest, status int, msg string)

RenderError writes a Policies ErrorObject to the response writer

func Security

func Security(cspConfig *config.CSP) func(h http.Handler) http.Handler

Security is a middleware to apply security relevant http headers like CSP.

func SelectorCookie

func SelectorCookie(optionSetters ...Option) func(next http.Handler) http.Handler

SelectorCookie provides a middleware which

func Tracer

func Tracer(tp trace.TracerProvider) func(next http.Handler) http.Handler

Tracer provides a middleware to start traces

Types

type AppAuthAuthenticator

// AppAuthAuthenticator defines the app auth authenticator.
type AppAuthAuthenticator struct {
	// Logger used by Authenticate.
	Logger              log.Logger
	// RevaGatewaySelector selects the reva gateway client used to validate app credentials — TODO confirm.
	RevaGatewaySelector pool.Selectable[gateway.GatewayAPIClient]
}

AppAuthAuthenticator defines the app auth authenticator

func (AppAuthAuthenticator) Authenticate

func (m AppAuthAuthenticator) Authenticate(r *http.Request) (*http.Request, bool)

Authenticate implements the authenticator interface to authenticate requests via app auth.

type Authenticator

// Authenticator is the common interface implemented by all request authenticators.
type Authenticator interface {
	// Authenticate is used to authenticate incoming HTTP requests.
	// The Authenticator may augment the request with user info or anything related to the
	// authentication and return the augmented request.
	// The bool reports whether this authenticator accepted the request; callers
	// must only treat the returned request as authenticated when it is true.
	Authenticate(*http.Request) (*http.Request, bool)
}

Authenticator is the common interface implemented by all request authenticators.

type BasicAuthenticator

// BasicAuthenticator is the authenticator responsible for HTTP Basic authentication.
type BasicAuthenticator struct {
	// Logger used by Authenticate.
	Logger        log.Logger
	// UserProvider is the backend used to resolve the user named in the credentials.
	UserProvider  backend.UserBackend
	// UserCS3Claim is the claim used when looking up a user in the CS3 API (see Options.UserCS3Claim).
	UserCS3Claim  string
	// UserOIDCClaim is the claim read from the OIDC claims (see Options.UserOIDCClaim).
	UserOIDCClaim string
}

BasicAuthenticator is the authenticator responsible for HTTP Basic authentication.

func (BasicAuthenticator) Authenticate

func (m BasicAuthenticator) Authenticate(r *http.Request) (*http.Request, bool)

Authenticate implements the authenticator interface to authenticate requests via basic auth.

type OIDCAuthenticator

// OIDCAuthenticator is an authenticator responsible for OIDC authentication.
// Construct it with NewOIDCAuthenticator: the struct has unexported fields
// that a literal cannot set.
type OIDCAuthenticator struct {
	// Logger used by Authenticate.
	Logger     log.Logger
	// HTTPClient used for communication with the OIDC provider.
	// NOTE(review): make sure the injected client has a timeout so verification
	// calls cannot block a request indefinitely.
	HTTPClient *http.Client
	// OIDCIss is the OIDC issuer (see Options.OIDCIss).
	OIDCIss    string

	// DefaultTokenCacheTTL bounds the cache lifetime of a verified token — presumably
	// applied when the token carries no expiry; TODO confirm against Options.DefaultAccessTokenTTL.
	DefaultTokenCacheTTL time.Duration

	// AccessTokenVerifyMethod selects how access tokens are verified; see
	// Options.AccessTokenVerifyMethod for the accepted values ("jwt", "none").
	AccessTokenVerifyMethod string

	// TimeFunc supplies the current time; presumably an injectable clock for
	// expiry checks — TODO confirm.
	TimeFunc func() time.Time
	// contains filtered or unexported fields
}

OIDCAuthenticator is an authenticator responsible for OIDC authentication.

func NewOIDCAuthenticator

func NewOIDCAuthenticator(opts ...Option) *OIDCAuthenticator

NewOIDCAuthenticator returns a ready to use authenticator which can handle OIDC authentication.

func (*OIDCAuthenticator) Authenticate

func (m *OIDCAuthenticator) Authenticate(r *http.Request) (*http.Request, bool)

Authenticate implements the authenticator interface to authenticate requests via oidc auth.

type Option

// Option defines a single option function; each one mutates the Options it receives.
type Option func(o *Options)

Option defines a single option function.

func AccessTokenVerifyMethod

func AccessTokenVerifyMethod(method string) Option

AccessTokenVerifyMethod sets the mechanism for access token verification.

func AutoprovisionAccounts

func AutoprovisionAccounts(val bool) Option

AutoprovisionAccounts provides a function to set the AutoprovisionAccounts config

func CredentialsByUserAgent

func CredentialsByUserAgent(v map[string]string) Option

CredentialsByUserAgent sets UserAgentChallenges.

func DefaultAccessTokenTTL

func DefaultAccessTokenTTL(ttl time.Duration) Option

DefaultAccessTokenTTL provides a function to set the DefaultAccessTokenTTL

func EnableBasicAuth

func EnableBasicAuth(enableBasicAuth bool) Option

EnableBasicAuth provides a function to set the EnableBasicAuth config

func EventsPublisher

func EventsPublisher(ep events.Publisher) Option

EventsPublisher sets the events publisher.

func HTTPClient

func HTTPClient(c *http.Client) Option

HTTPClient provides a function to set the http client config option.

func Logger

func Logger(l log.Logger) Option

Logger provides a function to set the logger option.

func OIDCClient

func OIDCClient(val oidc.OIDCClient) Option

OIDCClient provides a function to set the oidc client option.

func OIDCIss

func OIDCIss(iss string) Option

OIDCIss sets the oidcAuth issuer URL.

func PoliciesProviderService

func PoliciesProviderService(pps policiessvc.PoliciesProviderService) Option

PoliciesProviderService provides a function to set the policies provider option.

func PolicySelectorConfig

func PolicySelectorConfig(cfg config.PolicySelector) Option

PolicySelectorConfig provides a function to set the policy selector config option.

func PreSignedURLConfig

func PreSignedURLConfig(cfg config.PreSignedURL) Option

PreSignedURLConfig provides a function to set the PreSignedURL config

func RoleQuotas

func RoleQuotas(roleQuotas map[string]uint64) Option

RoleQuotas sets the role quota mapping setting

func SettingsRoleService

func SettingsRoleService(rc settingssvc.RoleService) Option

SettingsRoleService provides a function to set the role service option.

func SkipUserInfo

func SkipUserInfo(val bool) Option

SkipUserInfo sets the skipUserInfo flag.

func TraceProvider

func TraceProvider(tp trace.TracerProvider) Option

TraceProvider sets the tracing provider.

func UserCS3Claim

func UserCS3Claim(val string) Option

UserCS3Claim provides a function to set the UserClaimType config

func UserInfoCache

func UserInfoCache(val store.Store) Option

UserInfoCache provides a function to set the UserInfoCache

func UserOIDCClaim

func UserOIDCClaim(val string) Option

UserOIDCClaim provides a function to set the UserClaim config

func UserProvider

func UserProvider(up backend.UserBackend) Option

UserProvider sets the accounts user provider

func UserRoleAssigner

func UserRoleAssigner(ra userroles.UserRoleAssigner) Option

UserRoleAssigner sets the mechanism for assigning the default user roles

func WithRevaGatewaySelector

func WithRevaGatewaySelector(val pool.Selectable[gateway.GatewayAPIClient]) Option

WithRevaGatewaySelector provides a function to set the reva gateway service selector option.

type Options

// Options defines the available options for this package.
type Options struct {
	// Logger to use for logging, must be set
	Logger log.Logger
	// PolicySelectorConfig for using the policy selector
	PolicySelector config.PolicySelector
	// HTTPClient to use for communication with the oidcAuth provider
	HTTPClient *http.Client
	// UserProvider backend to use for resolving User
	UserProvider backend.UserBackend
	// UserRoleAssigner to use for assigning a user's default role
	UserRoleAssigner userroles.UserRoleAssigner
	// SettingsRoleService for the roles API in settings
	SettingsRoleService settingssvc.RoleService
	// PoliciesProviderService for policy evaluation
	PoliciesProviderService policiessvc.PoliciesProviderService
	// OIDCClient to fetch user info and verify tokens, must be set for the oidc_auth middleware
	OIDCClient oidc.OIDCClient
	// OIDCIss is the oidcAuth-issuer
	OIDCIss string
	// RevaGatewaySelector to send requests to the reva gateway
	RevaGatewaySelector pool.Selectable[gateway.GatewayAPIClient]
	// PreSignedURLConfig to configure the middleware
	PreSignedURLConfig config.PreSignedURL
	// UserOIDCClaim to read from the oidc claims
	UserOIDCClaim string
	// UserCS3Claim to use when looking up a user in the CS3 API
	UserCS3Claim string
	// AutoprovisionAccounts when an accountResolver does not exist.
	AutoprovisionAccounts bool
	// EnableBasicAuth to allow basic auth
	EnableBasicAuth bool
	// DefaultAccessTokenTTL is used to calculate the expiration when an access token has no expiration set
	DefaultAccessTokenTTL time.Duration
	// UserInfoCache sets the access token cache store
	UserInfoCache store.Store
	// CredentialsByUserAgent sets the auth challenges on a per user-agent basis
	CredentialsByUserAgent map[string]string
	// AccessTokenVerifyMethod configures how access_tokens should be verified by the oidc_auth middleware.
	// Possible values currently: "jwt" and "none"
	// NOTE(review): "none" presumably skips token verification in this middleware;
	// only use it where another component is known to verify the token — TODO confirm.
	AccessTokenVerifyMethod string
	// JWKS sets the options for fetching the JWKS from the IDP
	JWKS config.JWKS
	// RoleQuotas hold userid:quota mappings. These will be used when provisioning new users.
	// The users will get as much quota as is set for their role.
	RoleQuotas map[string]uint64
	// TraceProvider sets the tracing provider.
	TraceProvider trace.TracerProvider
	// SkipUserInfo prevents the oidc middleware from querying the userinfo endpoint and reads any claims directly from the access token instead
	SkipUserInfo bool
	// EventsPublisher is the publisher used to emit events (see the EventsPublisher option).
	EventsPublisher events.Publisher
}

Options defines the available options for this package.

type PublicShareAuthenticator

// PublicShareAuthenticator is the authenticator which can authenticate public share requests.
// It will add the share owner into the request context.
type PublicShareAuthenticator struct {
	// Logger used by Authenticate.
	Logger              log.Logger
	// RevaGatewaySelector selects the reva gateway client used to resolve the public share — TODO confirm.
	RevaGatewaySelector pool.Selectable[gateway.GatewayAPIClient]
}

PublicShareAuthenticator is the authenticator which can authenticate public share requests. It will add the share owner into the request context.

func (PublicShareAuthenticator) Authenticate

func (a PublicShareAuthenticator) Authenticate(r *http.Request) (*http.Request, bool)

Authenticate implements the authenticator interface to authenticate requests via public share auth.

type RequestDenied

// RequestDenied struct for OdataErrorMain.
// It is the JSON envelope wrapping a RequestDeniedError; presumably the body
// written by RenderError — TODO confirm.
type RequestDenied struct {
	Error RequestDeniedError `json:"error"`
}

RequestDenied struct for OdataErrorMain

type RequestDeniedError

// RequestDeniedError struct for RequestDenied.
type RequestDeniedError struct {
	// Code is a machine-readable error code.
	Code    string `json:"code"`
	// Message is the human-readable description (for policy denials, presumably DeniedMessage — TODO confirm).
	Message string `json:"message"`
	// The structure of this object is service-specific.
	// It is omitted from the JSON when nil; keep it free of internal details that should not reach clients.
	Innererror map[string]interface{} `json:"innererror,omitempty"`
}

RequestDeniedError struct for RequestDenied

type SignedURLAuthenticator

// SignedURLAuthenticator is the authenticator responsible for authenticating signed URL requests.
type SignedURLAuthenticator struct {
	// Logger used by Authenticate.
	Logger             log.Logger
	// PreSignedURLConfig holds the pre-signed URL settings (see Options.PreSignedURLConfig).
	PreSignedURLConfig config.PreSignedURL
	// UserProvider is the backend used to resolve the user the URL was signed for — TODO confirm.
	UserProvider       backend.UserBackend
	// UserRoleAssigner assigns the resolved user's default roles.
	UserRoleAssigner   userroles.UserRoleAssigner
	// Store is the backing store consulted during authentication; what it holds is not visible here.
	Store              microstore.Store
	// Now supplies the current time; presumably an injectable clock for expiry checks — TODO confirm.
	Now                func() time.Time
}

SignedURLAuthenticator is the authenticator responsible for authenticating signed URL requests.

func (SignedURLAuthenticator) Authenticate

func (m SignedURLAuthenticator) Authenticate(r *http.Request) (*http.Request, bool)

Authenticate implements the authenticator interface to authenticate requests via signed URL auth.
