mystiq
/
dex
Archived
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2022-08-17. You can view files and clone it, but cannot push or open issues or pull requests.
dex/cmd/dex/config.go

249 lines
7.1 KiB
Go
Raw Normal View History

initial commit
2016-07-26 01:30:28 +05:30
package main
import (
cmd/dex: accept raw bcrypt'd hash as well as base64'd version of hash
2016-11-04 03:53:56 +05:30
"encoding/base64"
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
"encoding/json"
initial commit
2016-07-26 01:30:28 +05:30
"fmt"
cmd/dex: only expand from env for storages and connectors Bcrypt'd hashes have "$" characters in them. This means that #667 (accepting actually bcrypted values) combined with #627 (expanding config with environment variables) broke the example config. For now, allow storages and connectors to expand their configs from the environment, but don't do this anywhere else.
2016-11-04 09:38:50 +05:30
"os"
initial commit
2016-07-26 01:30:28 +05:30
: update {S->s}irupsen/logrus
2017-07-26 02:15:17 +05:30
"github.com/sirupsen/logrus"
cmd/dex: accept raw bcrypt'd hash as well as base64'd version of hash
2016-11-04 03:53:56 +05:30
"golang.org/x/crypto/bcrypt"
*: github.com/coreos/dex -> github.com/dexidp/dex Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-03 12:14:44 +05:30
"github.com/dexidp/dex/server"
"github.com/dexidp/dex/storage"
"github.com/dexidp/dex/storage/etcd"
"github.com/dexidp/dex/storage/kubernetes"
"github.com/dexidp/dex/storage/memory"
"github.com/dexidp/dex/storage/sql"
initial commit
2016-07-26 01:30:28 +05:30
)
// Config is the config format for the main application.
type Config struct {
*: Add go runtime, process, HTTP and gRPC metrics
2017-12-20 20:33:32 +05:30
Issuer string `json:"issuer"`
Storage Storage `json:"storage"`
Web Web `json:"web"`
Telemetry Telemetry `json:"telemetry"`
OAuth2 OAuth2 `json:"oauth2"`
GRPC GRPC `json:"grpc"`
Expiry Expiry `json:"expiry"`
Logger Logger `json:"logger"`
*: load static clients from config file
2016-08-05 22:20:22 +05:30
*: add theme based frontend configuration This PR reworks the web layout so static files can be provided and a "themes" directory to allow a certain degree of control over logos, styles, etc. This PR does NOT add general support for frontend customization, only enough to allow us to start exploring theming internally. The dex binary also must now be run from the root directory since templates are no longer "compiled into" the binary. The docker image has been updated with frontend assets.
2016-12-01 03:56:54 +05:30
Frontend server.WebConfig `json:"frontend"`
*: switch dex to the ported templates
2016-08-26 01:40:19 +05:30
server: account for dynamically changing connector object in storage.
2017-04-18 04:11:41 +05:30
// StaticConnectors are user defined connectors specified in the ConfigMap
// Write operations, like updating a connector, will fail.
StaticConnectors []Connector `json:"connectors"`
*: add the ability to define passwords statically
2016-10-06 05:20:02 +05:30
// StaticClients cause the server to use this list of clients rather than
// querying the storage. Write operations, like creating a client, will fail.
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
StaticClients []storage.Client `json:"staticClients"`
*: add the ability to define passwords statically
2016-10-06 05:20:02 +05:30
// If enabled, the server will maintain a list of passwords which can be used
// to identify a user.
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
EnablePasswordDB bool `json:"enablePasswordDB"`
*: add the ability to define passwords statically
2016-10-06 05:20:02 +05:30
// StaticPasswords cause the server use this list of passwords rather than
// querying the storage. Cannot be specified without enabling a passwords
// database.
cmd/dex: accept raw bcrypt'd hash as well as base64'd version of hash
2016-11-04 03:53:56 +05:30
StaticPasswords []password `json:"staticPasswords"`
}
type password storage.Password
func (p *password) UnmarshalJSON(b []byte) error {
var data struct {
Email string `json:"email"`
Username string `json:"username"`
UserID string `json:"userID"`
Hash string `json:"hash"`
}
if err := json.Unmarshal(b, &data); err != nil {
return err
}
*p = password(storage.Password{
Email: data.Email,
Username: data.Username,
UserID: data.UserID,
})
if len(data.Hash) == 0 {
return fmt.Errorf("no password hash provided")
}
// If this value is a valid bcrypt, use it.
_, bcryptErr := bcrypt.Cost([]byte(data.Hash))
if bcryptErr == nil {
p.Hash = []byte(data.Hash)
return nil
}
// For backwards compatibility try to base64 decode this value.
hashBytes, err := base64.StdEncoding.DecodeString(data.Hash)
if err != nil {
return fmt.Errorf("malformed bcrypt hash: %v", bcryptErr)
}
if _, err := bcrypt.Cost(hashBytes); err != nil {
return fmt.Errorf("malformed bcrypt hash: %v", err)
}
p.Hash = hashBytes
return nil
initial commit
2016-07-26 01:30:28 +05:30
}
*: support the implicit flow
2016-08-20 05:54:49 +05:30
// OAuth2 describes enabled OAuth2 extensions.
type OAuth2 struct {
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
ResponseTypes []string `json:"responseTypes"`
{cmd/dex,server}: expose skip approval screen option
2016-10-08 00:23:01 +05:30
// If specified, do not prompt the user to approve client authorization. The
// act of logging in implies authorization.
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
SkipApprovalScreen bool `json:"skipApprovalScreen"`
*: support the implicit flow
2016-08-20 05:54:49 +05:30
}
initial commit
2016-07-26 01:30:28 +05:30
// Web is the config format for the HTTP server.
type Web struct {
Allow CORS on keys and token endpoints
2017-01-14 14:48:48 +05:30
HTTP string `json:"http"`
HTTPS string `json:"https"`
TLSCert string `json:"tlsCert"`
TLSKey string `json:"tlsKey"`
AllowedOrigins []string `json:"allowedOrigins"`
initial commit
2016-07-26 01:30:28 +05:30
}
*: Add go runtime, process, HTTP and gRPC metrics
2017-12-20 20:33:32 +05:30
// Telemetry is the config format for telemetry including the HTTP server config.
type Telemetry struct {
HTTP string `json:"http"`
}
cmd/dex: add config options for gRPC
2016-10-04 12:57:50 +05:30
// GRPC is the config for the gRPC API.
type GRPC struct {
// The port to listen on.
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
Addr string `json:"addr"`
TLSCert string `json:"tlsCert"`
TLSKey string `json:"tlsKey"`
TLSClientCA string `json:"tlsClientCA"`
cmd/dex: add config options for gRPC
2016-10-04 12:57:50 +05:30
}
initial commit
2016-07-26 01:30:28 +05:30
// Storage holds app's storage configuration.
type Storage struct {
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
Type string `json:"type"`
Config StorageConfig `json:"config"`
initial commit
2016-07-26 01:30:28 +05:30
}
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
// StorageConfig is a configuration that can create a storage.
type StorageConfig interface {
cmd/dex: add logging config and serve logger for different modules.
2016-11-23 05:05:46 +05:30
Open(logrus.FieldLogger) (storage.Storage, error)
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
}
var storages = map[string]func() StorageConfig{
storage: add etcd storage This patch adds etcd storage implementation. This should be useful in environments where - we dont want to depends on a separate, hard to maintain SQL cluster - we dont want to incur the overhead of talking to kubernetes apiservers - kubernetes is not available yet, or if kubernetes depends on dex to perform authentication and the operator would like to remove any circular dependency if possible.
2017-10-03 19:03:58 +05:30
"etcd": func() StorageConfig { return new(etcd.Etcd) },
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
"kubernetes": func() StorageConfig { return new(kubernetes.Config) },
"memory": func() StorageConfig { return new(memory.Config) },
"sqlite3": func() StorageConfig { return new(sql.SQLite3) },
"postgres": func() StorageConfig { return new(sql.Postgres) },
}
// UnmarshalJSON allows Storage to implement the unmarshaler interface to
// dynamically determine the type of the storage config.
func (s *Storage) UnmarshalJSON(b []byte) error {
var store struct {
Type string `json:"type"`
Config json.RawMessage `json:"config"`
initial commit
2016-07-26 01:30:28 +05:30
}
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
if err := json.Unmarshal(b, &store); err != nil {
return fmt.Errorf("parse storage: %v", err)
initial commit
2016-07-26 01:30:28 +05:30
}
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
f, ok := storages[store.Type]
if !ok {
return fmt.Errorf("unknown storage type %q", store.Type)
initial commit
2016-07-26 01:30:28 +05:30
}
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
storageConfig := f()
if len(store.Config) != 0 {
cmd/dex: only expand from env for storages and connectors Bcrypt'd hashes have "$" characters in them. This means that #667 (accepting actually bcrypted values) combined with #627 (expanding config with environment variables) broke the example config. For now, allow storages and connectors to expand their configs from the environment, but don't do this anywhere else.
2016-11-04 09:38:50 +05:30
data := []byte(os.ExpandEnv(string(store.Config)))
if err := json.Unmarshal(data, storageConfig); err != nil {
Fix two typos Signed-off-by: zhuguihua <zhuguihua@cmss.chinamobile.com> Change storace to storage in cmd/dex/config.go, change userSearch to groupSearch in connector/ldap/ldap.go
2017-04-14 09:00:05 +05:30
return fmt.Errorf("parse storage config: %v", err)
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
}
}
*s = Storage{
Type: store.Type,
Config: storageConfig,
}
return nil
initial commit
2016-07-26 01:30:28 +05:30
}
// Connector is a magical type that can unmarshal YAML dynamically. The
// Type field determines the connector type, which is then customized for Config.
type Connector struct {
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
Type string `json:"type"`
Name string `json:"name"`
ID string `json:"id"`
initial commit
2016-07-26 01:30:28 +05:30
server: account for dynamically changing connector object in storage.
2017-04-18 04:11:41 +05:30
Config server.ConnectorConfig `json:"config"`
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
}
// UnmarshalJSON allows Connector to implement the unmarshaler interface to
// dynamically determine the type of the connector config.
func (c *Connector) UnmarshalJSON(b []byte) error {
var conn struct {
Type string `json:"type"`
Name string `json:"name"`
ID string `json:"id"`
Config json.RawMessage `json:"config"`
initial commit
2016-07-26 01:30:28 +05:30
}
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
if err := json.Unmarshal(b, &conn); err != nil {
return fmt.Errorf("parse connector: %v", err)
initial commit
2016-07-26 01:30:28 +05:30
}
server: account for dynamically changing connector object in storage.
2017-04-18 04:11:41 +05:30
f, ok := server.ConnectorsConfig[conn.Type]
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
if !ok {
return fmt.Errorf("unknown connector type %q", conn.Type)
}
connConfig := f()
if len(conn.Config) != 0 {
cmd/dex: only expand from env for storages and connectors Bcrypt'd hashes have "$" characters in them. This means that #667 (accepting actually bcrypted values) combined with #627 (expanding config with environment variables) broke the example config. For now, allow storages and connectors to expand their configs from the environment, but don't do this anywhere else.
2016-11-04 09:38:50 +05:30
data := []byte(os.ExpandEnv(string(conn.Config)))
if err := json.Unmarshal(data, connConfig); err != nil {
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
return fmt.Errorf("parse connector config: %v", err)
initial commit
2016-07-26 01:30:28 +05:30
}
}
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
*c = Connector{
Type: conn.Type,
cmd/dex: accept raw bcrypt'd hash as well as base64'd version of hash
2016-11-04 03:53:56 +05:30
Name: conn.Name,
*: switch to github.com/ghodss/yaml for more consistent YAML parsing ghodss/yaml converts from YAML to JSON before attempting to unmarshal. This allows us to: * Get the correct behavor when decoding base64'd []byte slices. * Use *json.RawMessage. * Not have to support extravagant YAML features. * Let our structs use `json:` tags
2016-11-04 03:02:23 +05:30
ID: conn.ID,
Config: connConfig,
}
return nil
initial commit
2016-07-26 01:30:28 +05:30
}
cmd/dex: expose IDTokensValidFor and RotateKeysAfter server options in config.
2016-11-03 06:22:49 +05:30
server: account for dynamically changing connector object in storage.
2017-04-18 04:11:41 +05:30
// ToStorageConnector converts an object to storage connector type.
func ToStorageConnector(c Connector) (storage.Connector, error) {
data, err := json.Marshal(c.Config)
if err != nil {
return storage.Connector{}, fmt.Errorf("failed to marshal connector config: %v", err)
}
return storage.Connector{
ID: c.ID,
Type: c.Type,
Name: c.Name,
Config: data,
}, nil
}
cmd/dex: expose IDTokensValidFor and RotateKeysAfter server options in config.
2016-11-03 06:22:49 +05:30
// Expiry holds configuration for the validity period of components.
type Expiry struct {
// SigningKeys defines the duration of time after which the SigningKeys will be rotated.
SigningKeys string `json:"signingKeys"`
// IdTokens defines the duration of time for which the IdTokens will be valid.
IDTokens string `json:"idTokens"`
Make expiry of auth requests configurable
2018-12-13 16:10:58 +05:30
// AuthRequests defines the duration of time for which the AuthRequests will be valid.
AuthRequests string `json:"authRequests"`
cmd/dex: expose IDTokensValidFor and RotateKeysAfter server options in config.
2016-11-03 06:22:49 +05:30
}
cmd/dex: add logging config and serve logger for different modules.
2016-11-23 05:05:46 +05:30
// Logger holds configuration required to customize logging for dex.
type Logger struct {
// Level sets logging level severity.
Level string `json:"level"`
// Format specifies the format to be used for logging.
Format string `json:"format"`
}