package borderpatrol

This is the root package of borderpatrol-core which provides a functional approach to web sessions and authentication built on top of Finagle. It contains two main packages: com.lookout.borderpatrol.sessionx and com.lookout.borderpatrol.auth which contain types and functions to interact with HTTP services.


Type Members

  1. implicit final class AnyOps[A] extends AnyVal

    Wraps any object with a toFuture method

    A: object type

  2. case class BpCommunicationError(error: String) extends BpCoreError with Product with Serializable

  3. class BpCoreError extends Exception

  4. case class CustomerIdentifier(subdomain: String, defaultServiceId: ServiceIdentifier, loginManager: LoginManager) extends Product with Serializable

    An identifier for Border Patrol to determine by subdomain which service a request should be routed to

  5. trait HealthCheck extends AnyRef

    Derive a custom healthCheck from this trait and register with the registry

  6. class HealthCheckRegistry extends AnyRef

  7. case class HealthCheckStatus(status: Status, messageStr: Option[String] = None, messageJson: Option[Json] = None) extends Product with Serializable

    Health Check status

    messageStr: Message in string format

    messageJson: Message in JSON format

  8. implicit final class IdxByteSeqOps extends AnyVal

  9. case class InternalAuthProtoManager(name: String, loginConfirm: Path, authorizePath: Path) extends ProtoManager with Product with Serializable

    Internal authentication, which merely redirects the user to an internal service that does the authentication

    name: name of the proto manager

    loginConfirm: path intercepted by borderpatrol; the internal authentication service posts the authentication response on this path

    authorizePath: path of the internal authentication service to which the client is redirected

  10. case class LoginManager(name: String, identityManager: Manager, accessManager: Manager, protoManager: ProtoManager) extends Product with Serializable

    Login Manager defines various collections of the identity manager, access manager and proto manager. The customerIdentifier configuration picks the login manager appropriate for their cloud.

    name: name of the login manager

    identityManager: identity manager used by the given login manager

    accessManager: access manager used by the given login manager

    protoManager: protocol used by the login manager

  11. case class Manager(name: String, path: Path, hosts: Set[URL]) extends Product with Serializable

    Manager represents upstream access and identity managers

    name: name of the manager

    path: path to the manager

    hosts: endpoints for the manager

  12. case class OAuth2CodeProtoManager(name: String, loginConfirm: Path, authorizeUrl: URL, tokenUrl: URL, certificateUrl: URL, clientId: String, clientSecret: String) extends ProtoManager with Product with Serializable

    OAuth2 authorization code flow, which redirects the user to the OAuth2 server.

    name: name of the proto manager

    loginConfirm: path intercepted by borderpatrol; the OAuth2 server posts the OAuth2 code to this path

    authorizeUrl: URL of the OAuth2 service to which the client is redirected for authentication

    tokenUrl: URL of the OAuth2 server used to exchange the OAuth2 code for an OAuth2 token

    certificateUrl: URL of the OAuth2 server from which the certificate for verifying the token signature is fetched

    clientId: Id used for communicating with the OAuth2 server

    clientSecret: Secret used for communicating with the OAuth2 server

  13. trait ProtoManager extends AnyRef

    ProtoManager defines parameters specific to the protocol

  14. case class ServiceIdentifier(name: String, hosts: Set[URL], path: Path, rewritePath: Option[Path], protekted: Boolean) extends Product with Serializable

    An identifier for Border Patrol to determine by path which service a request should be routed to

    name: The name that can be used to refer to a com.twitter.finagle.Name

    hosts: The list of URLs to the upstream service

    path: The external URL path prefix that routes to the internal service

    rewritePath: The (optional) internal URL path prefix to the internal service. If present, it replaces the external path in the Request URI

    protekted: Whether the service is protected; an unprotected service does not go through the access issuer

  15. case class ServiceMatcher(customerIds: Set[CustomerIdentifier], serviceIds: Set[ServiceIdentifier]) extends Product with Serializable

  16. implicit final class StringOps extends AnyVal

  17. implicit final class ThrowableOps extends AnyVal

    Wraps any Throwable with a toFutureException method

  18. trait Transform[A, B] extends AnyRef

    Abstraction for those that are directing requests directly to the Identity Provider
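How the routing and login types above fit together, as an added example that is not part of the original page: a ServiceMatcher for one customer subdomain with a protected and an unprotected service, logging in through the OAuth2 code flow. Hostnames, paths and names are constructed placeholders; Path is assumed to be com.twitter.finagle.http.path.Path, and the client secret is read from the environment rather than written into the configuration.

```scala
import java.net.URL
import com.twitter.finagle.http.path.Path   // assumed Path type
import com.lookout.borderpatrol._

// Constructed placeholders: upstream identity and access managers behind one host
val identityMgr = Manager("keymaster-identity", Path("/identity"), Set(new URL("http://keymaster.internal:8080")))
val accessMgr   = Manager("keymaster-access",   Path("/access"),   Set(new URL("http://keymaster.internal:8080")))

// OAuth2 code flow: the server posts the code to loginConfirm, borderpatrol exchanges it at tokenUrl
// and verifies the token signature with the certificate from certificateUrl.
val oauth2 = OAuth2CodeProtoManager(
  name           = "oauth2-login",
  loginConfirm   = Path("/signin"),
  authorizeUrl   = new URL("https://idp.example.com/oauth2/authorize"),
  tokenUrl       = new URL("https://idp.example.com/oauth2/token"),
  certificateUrl = new URL("https://idp.example.com/oauth2/certs"),
  clientId       = "borderpatrol",
  // never a literal in config; fail fast if the secret is absent
  clientSecret   = sys.env.getOrElse("BP_OAUTH2_CLIENT_SECRET", sys.error("BP_OAUTH2_CLIENT_SECRET not set"))
)

val loginMgr = LoginManager("oauth2-login", identityMgr, accessMgr, oauth2)

// /api is protected (the access issuer is consulted) and its external prefix is rewritten to /v1
// upstream; /public bypasses the access issuer entirely.
val api    = ServiceIdentifier("api",    Set(new URL("http://api.internal:9000")), Path("/api"),    Some(Path("/v1")), protekted = true)
val public = ServiceIdentifier("public", Set(new URL("http://web.internal:9000")), Path("/public"), None,              protekted = false)

// Requests for the "acme" subdomain default to the protected api service and log in via OAuth2
val acme = CustomerIdentifier("acme", api, loginMgr)

val matcher = ServiceMatcher(Set(acme), Set(api, public))
```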

Value Members

  1. object Binder

    Binder object defines methods and shells used to bind to upstream endpoints

  2. object BinderBase

  3. object HealthCheck

  4. object HealthCheckStatus extends Serializable

  5. package auth

    This provides the specification contracts for doing auth in the form of Type Classes in auth.Access and auth.Identity

    Taking SAML 2.0 and OAuth2 as example flows, we have defined a set of contracts and abstractions on those contracts to allow users of this library to implement instances of their specific authentication/authorization.

    A typical SAML/OAuth2 flow involves a protected resource, a client (web browser), and an Identity Provider. Border Patrol can act as a translation layer between the external representation of access and the internal representation, so that services behind it do not need to implement SAML/OAuth2.

    The primary abstractions are:

    • Identity: the external identity provider and types, e.g. SAML IdP
    • Access: the internal access provider and types, e.g. API tokens, JWT etc.

  6. package crypto

    The crypto module includes primitives for:

    It also includes Type Classes for interfacing with backends that would like to encrypt data at rest.

  7. object errors

  8. object request

  9. package sessionx

    This introduces types and functions that enable identifying, fetching, and storing web session data. This is accomplished by a set of types that will be used by consumers of this library: Session, Store, and Secret.

    A Secret is a cryptographically verifiable signing key used to sign a SignedId. Creating a Secret is simple; it defaults to expire at Secret.lifetime.

    val secret = Secret() // default secret expiry
    val expiringSecret = Secret(Time.now)
    
    val randomBytes = EntropyGenerator(16) // 16 bytes of randomness
    val randomId = EntropyGenerator(1).head // 1 byte of randomness for an id
    val expiry = Time.from(0) // very expired
    val constructedSecret = Secret(randomId, randomBytes, expiry)
    log(s"secret has expired: ${constructedSecret.expired == true}")
    
    val signedMsg = secret.sign("message to be signed".getBytes)

    A SignedId is a cryptographically signed identifier for a Session; it consists of entropy, expiry, secret, and a signature of those items. It is meant to be used as the com.twitter.finagle.http.Cookie value, so we provide serializing to String.

    val id: SignedId = Await.result(SignedId.next)
    val cookieValue: String = id.asBase64
    SignedId.from[String](cookieValue) == id

    A Session is a product type of a cryptographically verifiable identifier SignedId and an arbitrary data type A. The only requirement for a SessionStore[B,M] to store/fetch a Session[A] is that there be implicit injective views from A => B and B => Try[A].

    We have provided default encodings for: http.Request => Buf, String => Buf and their injective views.

    // set up secret/session stores
    implicit val secretStore = SecretStores.InMemorySecretStore(Secrets(Secret(), Secret()))
    val sessionStore = SessionStore.InMemoryStore()
    
    // create a Session[http.Request]
    val newSessionFuture = Session(Request("http://localhost/api/stuff")) // entropy is blocking on the JVM
    val newSession = Await.result(newSessionFuture)
    
    // see if the session expired (checks the [[SignedId.expires]])
    log(s"Session has expired? ${newSession.expired}")
    
    // store the session and then fetch it
    sessionStore.update(newSession).onFailure(log)
    sessionStore.get(newSession.id).onSuccess(s => s match {
      case Some(s) => log(s"Same session?: ${newSession == s}")
      case None => log("hrm, where did the session go?")
    })
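One defender-side use of these pieces, as an added example that is not code from the borderpatrol project: a Finagle filter that admits a request only when its session cookie carries a SignedId that verifies against the secret store, has not expired, and still has a Session in the store. It assumes a cookie name of border_session, that SignedId.from returns a Try[SignedId] (the B => Try[A] decoding contract described above), and that SessionStore.get takes the session data type as a type parameter.

```scala
import com.twitter.finagle.{Service, SimpleFilter}
import com.twitter.finagle.http.{Request, Response, Status}
import com.twitter.util.{Future, Return, Throw}
import com.lookout.borderpatrol.sessionx._

// Stores set up as in the documentation above (constructed in-memory example, not production config)
implicit val secretStore = SecretStores.InMemorySecretStore(Secrets(Secret(), Secret()))
val sessionStore = SessionStore.InMemoryStore()

/** Rejects requests whose session cookie is missing, unverifiable, expired, or unknown to the store. */
class RequireSession(cookieName: String = "border_session") extends SimpleFilter[Request, Response] {

  private def unauthorized(reason: String): Future[Response] = {
    val rep = Response(Status.Unauthorized)
    rep.contentString = reason // the cookie value itself is never echoed back
    Future.value(rep)
  }

  def apply(req: Request, service: Service[Request, Response]): Future[Response] =
    req.cookies.get(cookieName).map(_.value) match {
      case None => unauthorized("no session cookie")
      case Some(raw) =>
        // SignedId.from decodes the base64 cookie and checks its signature against the
        // current/previous Secret in the store (assumed to yield a Try[SignedId]).
        SignedId.from[String](raw) match {
          case Throw(_) => unauthorized("invalid session id")
          case Return(id) if id.expired => unauthorized("session expired")
          case Return(id) =>
            // A valid signature is not enough: the session must still exist server-side
            // (assumed signature: get[A] with the data type as a type parameter).
            sessionStore.get[Request](id).flatMap {
              case Some(_) => service(req)
              case None    => unauthorized("unknown session")
            }
        }
    }
}
```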

    Let's say you have a Session.data type that doesn't have the injective view you need; that's OK! Assuming you are storing it in memcached, which requires a value of type Buf:

    trait Foo {
      val value: Int
    }
    
    // Encoder for Foo: Foo => Buf (4-byte big-endian int) and Buf => Foo.
    // Buf.U32BE.unapply returns Option[(Int, Buf)] (the int and the remaining bytes),
    // so the decoded value has to be unpacked from that pair.
    implicit val enc = SessionDataEncoder[Foo](
      foo => Buf.U32BE(foo.value),
      buf => Buf.U32BE.unapply(buf) match {
        case Some((v, _)) => new Foo { override val value = v }
        case None => throw new IllegalArgumentException("need at least 4 bytes to decode a Foo")
      }
    )
    
    val foo1 = new Foo { override val value = 1 }
    val fooSession = Await.result(Session(foo1)) // Session(...) returns a Future, as above
    sessionStore.update(fooSession)

  10. package util
