Struct wasm_oidc_plugin::ConfiguredOidc

source · 
pub(crate) struct ConfiguredOidc {
    pub open_id_config: Arc<OpenIdConfig>,
    pub plugin_config: Arc<PluginConfiguration>,
    pub token_id: Option<u32>,
}
Expand description

The ConfiguredOidc is the main filter struct and responsible for the OIDC authentication flow. Requests arriving are checked for a valid cookie. If the cookie is valid, the request is forwarded. If the cookie is not valid, the request is redirected to the authorization endpoint.

Fields§

§open_id_config: Arc<OpenIdConfig>

The configuration of the filter which mainly contains the open id configuration and the keys to validate the JWT

§plugin_config: Arc<PluginConfiguration>

Plugin configuration parsed from the envoy configuration

§token_id: Option<u32>

Token id of the current request

Implementations§

source§

impl ConfiguredOidc

Helper functions for the ConfiguredOidc struct.

Get the cookie of the HTTP request by name The cookie is searched in the request headers. If the cookie is found, the value is returned. If the cookie is not found, None is returned.

source

pub(crate) fn get_host(&self) -> Option<String>

Get the host of the HTTP request The host is searched in the request headers. If the host is found, the value is returned.

source

pub(crate) fn filter_proxy_cookies(&self)

Filter non proxy cookies by checking the cookie name. This function removes all cookies from the request that do not match the cookie name to prevent the cookie from being forwarded to the upstream service.

Parse the cookie and validate the token. The cookie is parsed into the AuthorizationState struct. The token is validated using the validate_token function. If the token is valid, this function returns Ok(()). If the token is invalid, this function returns Err(String) and redirects the requester to the authorization endpoint.

source

pub(crate) fn validate_token(&self, token: &str) -> Result<(), PluginError>

Validate the token using the JWT library. This function checks for the correct issuer and audience and verifies the signature with the public keys loaded from the JWKs endpoint.

source

pub(crate) fn exchange_code_for_token( &mut self, path: String, ) -> Result<(), PluginError>

Exchange the code for a token using the token endpoint. This function is called when the user is redirected back to the callback URL. The code is extracted from the URL and exchanged for a token using the token endpoint.

  • path - The path of the request

Store the token from the token response in a cookie. Parse the token with the AuthorizationState struct and store it in an encoded and encrypted cookie. Then, redirect the requester to the original URL.

source

pub(crate) fn redirect_to_authorization_endpoint(&self) -> Action

Redirect to the authorization endpoint by sending a HTTP response with a 307 status code. The original path is encoded and stored in a cookie as well as the PKCE code verifier.

Helper function to get the session cookie as a string by getting the cookie from the request headers and concatenating all cookie parts.

source

pub fn get_nonce(&self) -> Result<String, PluginError>

source

pub fn get_number_of_cookies(&self) -> usize

Helper function to get the number of cookies from the request headers.

Trait Implementations§

source§

impl Context for ConfiguredOidc

This context is used to process HTTP responses from the token endpoint.

source§

fn on_http_call_response( &mut self, token_id: u32, _: usize, body_size: usize, _: usize, )

This function catches the response from the token endpoint.

source§

fn get_current_time(&self) -> SystemTime

source§

fn get_property(&self, path: Vec<&str>) -> Option<Vec<u8>>

source§

fn set_property(&self, path: Vec<&str>, value: Option<&[u8]>)

source§

fn get_shared_data(&self, key: &str) -> (Option<Vec<u8>>, Option<u32>)

source§

fn set_shared_data( &self, key: &str, value: Option<&[u8]>, cas: Option<u32>, ) -> Result<(), Status>

source§

fn register_shared_queue(&self, name: &str) -> u32

source§

fn resolve_shared_queue(&self, vm_id: &str, name: &str) -> Option<u32>

source§

fn dequeue_shared_queue(&self, queue_id: u32) -> Result<Option<Vec<u8>>, Status>

source§

fn enqueue_shared_queue( &self, queue_id: u32, value: Option<&[u8]>, ) -> Result<(), Status>

source§

fn dispatch_http_call( &self, upstream: &str, headers: Vec<(&str, &str)>, body: Option<&[u8]>, trailers: Vec<(&str, &str)>, timeout: Duration, ) -> Result<u32, Status>

source§

fn get_http_call_response_headers(&self) -> Vec<(String, String)>

source§

fn get_http_call_response_headers_bytes(&self) -> Vec<(String, Vec<u8>)>

source§

fn get_http_call_response_header(&self, name: &str) -> Option<String>

source§

fn get_http_call_response_header_bytes(&self, name: &str) -> Option<Vec<u8>>

source§

fn get_http_call_response_body( &self, start: usize, max_size: usize, ) -> Option<Vec<u8>>

source§

fn get_http_call_response_trailers(&self) -> Vec<(String, String)>

source§

fn get_http_call_response_trailers_bytes(&self) -> Vec<(String, Vec<u8>)>

source§

fn get_http_call_response_trailer(&self, name: &str) -> Option<String>

source§

fn get_http_call_response_trailer_bytes(&self, name: &str) -> Option<Vec<u8>>

source§

fn dispatch_grpc_call( &self, upstream_name: &str, service_name: &str, method_name: &str, initial_metadata: Vec<(&str, &[u8])>, message: Option<&[u8]>, timeout: Duration, ) -> Result<u32, Status>

source§

fn on_grpc_call_response( &mut self, _token_id: u32, _status_code: u32, _response_size: usize, )

source§

fn get_grpc_call_response_body( &self, start: usize, max_size: usize, ) -> Option<Vec<u8>>

source§

fn cancel_grpc_call(&self, token_id: u32)

source§

fn open_grpc_stream( &self, cluster_name: &str, service_name: &str, method_name: &str, initial_metadata: Vec<(&str, &[u8])>, ) -> Result<u32, Status>

source§

fn on_grpc_stream_initial_metadata( &mut self, _token_id: u32, _num_elements: u32, )

source§

fn get_grpc_stream_initial_metadata(&self) -> Vec<(String, Vec<u8>)>

source§

fn get_grpc_stream_initial_metadata_value(&self, name: &str) -> Option<Vec<u8>>

source§

fn send_grpc_stream_message( &self, token_id: u32, message: Option<&[u8]>, end_stream: bool, )

source§

fn on_grpc_stream_message(&mut self, _token_id: u32, _message_size: usize)

source§

fn get_grpc_stream_message( &mut self, start: usize, max_size: usize, ) -> Option<Vec<u8>>

source§

fn on_grpc_stream_trailing_metadata( &mut self, _token_id: u32, _num_elements: u32, )

source§

fn get_grpc_stream_trailing_metadata(&self) -> Vec<(String, Vec<u8>)>

source§

fn get_grpc_stream_trailing_metadata_value(&self, name: &str) -> Option<Vec<u8>>

source§

fn cancel_grpc_stream(&self, token_id: u32)

source§

fn close_grpc_stream(&self, token_id: u32)

source§

fn on_grpc_stream_close(&mut self, _token_id: u32, _status_code: u32)

source§

fn get_grpc_status(&self) -> (u32, Option<String>)

source§

fn call_foreign_function( &self, function_name: &str, arguments: Option<&[u8]>, ) -> Result<Option<Vec<u8>>, Status>

source§

fn on_done(&mut self) -> bool

source§

fn done(&self)

source§

impl HttpContext for ConfiguredOidc

The context is used to process incoming HTTP requests when the filter is configured.

  1. Check if the request matches any of the exclude hosts, paths, urls. If so, forward the request.
  2. If the request is for the OIDC callback, dispatch the request to the token endpoint.
  3. If the request contains a cookie, validate the cookie and forward the request.
  4. Else, redirect the request to the authorization endpoint.
source§

fn on_http_request_headers(&mut self, _: usize, _: bool) -> Action

This function is called when the request headers are received.

source§

fn get_http_request_headers(&self) -> Vec<(String, String)>

source§

fn get_http_request_headers_bytes(&self) -> Vec<(String, Vec<u8>)>

source§

fn set_http_request_headers(&self, headers: Vec<(&str, &str)>)

source§

fn set_http_request_headers_bytes(&self, headers: Vec<(&str, &[u8])>)

source§

fn get_http_request_header(&self, name: &str) -> Option<String>

source§

fn get_http_request_header_bytes(&self, name: &str) -> Option<Vec<u8>>

source§

fn set_http_request_header(&self, name: &str, value: Option<&str>)

source§

fn set_http_request_header_bytes(&self, name: &str, value: Option<&[u8]>)

source§

fn add_http_request_header(&self, name: &str, value: &str)

source§

fn add_http_request_header_bytes(&self, name: &str, value: &[u8])

source§

fn on_http_request_body( &mut self, _body_size: usize, _end_of_stream: bool, ) -> Action

source§

fn get_http_request_body( &self, start: usize, max_size: usize, ) -> Option<Vec<u8>>

source§

fn set_http_request_body(&self, start: usize, size: usize, value: &[u8])

source§

fn on_http_request_trailers(&mut self, _num_trailers: usize) -> Action

source§

fn get_http_request_trailers(&self) -> Vec<(String, String)>

source§

fn get_http_request_trailers_bytes(&self) -> Vec<(String, Vec<u8>)>

source§

fn set_http_request_trailers(&self, trailers: Vec<(&str, &str)>)

source§

fn set_http_request_trailers_bytes(&self, trailers: Vec<(&str, &[u8])>)

source§

fn get_http_request_trailer(&self, name: &str) -> Option<String>

source§

fn get_http_request_trailer_bytes(&self, name: &str) -> Option<Vec<u8>>

source§

fn set_http_request_trailer(&self, name: &str, value: Option<&str>)

source§

fn set_http_request_trailer_bytes(&self, name: &str, value: Option<&[u8]>)

source§

fn add_http_request_trailer(&self, name: &str, value: &str)

source§

fn add_http_request_trailer_bytes(&self, name: &str, value: &[u8])

source§

fn resume_http_request(&self)

source§

fn reset_http_request(&self)

source§

fn on_http_response_headers( &mut self, _num_headers: usize, _end_of_stream: bool, ) -> Action

source§

fn get_http_response_headers(&self) -> Vec<(String, String)>

source§

fn get_http_response_headers_bytes(&self) -> Vec<(String, Vec<u8>)>

source§

fn set_http_response_headers(&self, headers: Vec<(&str, &str)>)

source§

fn set_http_response_headers_bytes(&self, headers: Vec<(&str, &[u8])>)

source§

fn get_http_response_header(&self, name: &str) -> Option<String>

source§

fn get_http_response_header_bytes(&self, name: &str) -> Option<Vec<u8>>

source§

fn set_http_response_header(&self, name: &str, value: Option<&str>)

source§

fn set_http_response_header_bytes(&self, name: &str, value: Option<&[u8]>)

source§

fn add_http_response_header(&self, name: &str, value: &str)

source§

fn add_http_response_header_bytes(&self, name: &str, value: &[u8])

source§

fn on_http_response_body( &mut self, _body_size: usize, _end_of_stream: bool, ) -> Action

source§

fn get_http_response_body( &self, start: usize, max_size: usize, ) -> Option<Vec<u8>>

source§

fn set_http_response_body(&self, start: usize, size: usize, value: &[u8])

source§

fn on_http_response_trailers(&mut self, _num_trailers: usize) -> Action

source§

fn get_http_response_trailers(&self) -> Vec<(String, String)>

source§

fn get_http_response_trailers_bytes(&self) -> Vec<(String, Vec<u8>)>

source§

fn set_http_response_trailers(&self, trailers: Vec<(&str, &str)>)

source§

fn set_http_response_trailers_bytes(&self, trailers: Vec<(&str, &[u8])>)

source§

fn get_http_response_trailer(&self, name: &str) -> Option<String>

source§

fn get_http_response_trailer_bytes(&self, name: &str) -> Option<Vec<u8>>

source§

fn set_http_response_trailer(&self, name: &str, value: Option<&str>)

source§

fn set_http_response_trailer_bytes(&self, name: &str, value: Option<&[u8]>)

source§

fn add_http_response_trailer(&self, name: &str, value: &str)

source§

fn add_http_response_trailer_bytes(&self, name: &str, value: &[u8])

source§

fn resume_http_response(&self)

source§

fn reset_http_response(&self)

source§

fn send_http_response( &self, status_code: u32, headers: Vec<(&str, &str)>, body: Option<&[u8]>, )

source§

fn send_grpc_response( &self, grpc_status: GrpcStatusCode, grpc_status_message: Option<&str>, custom_metadata: Vec<(&str, &[u8])>, )

source§

fn on_log(&mut self)

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> Same for T

source§

type Output = T

Should always be Self
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

source§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

source§

fn vzip(self) -> V