helpers

aws_alb_oauth_proxy.helpers._aws_region()
    Attempts to query the AWS region where this instance is running.
    Returns None if endpoint is not available, which means we’re probably not running on AWS.
    Return type: Optional[str]

aws_alb_oauth_proxy.helpers._instance_document()
    This is a wrapper around aiohttp.request to make it usable in a synchronous way.
    As only one request is done per proxy, there normally is no need to use a session. There is however a bug (#3628) in aiohttp that leaks the session when an exception is raised. The manual session handling for only one request is a workaround while waiting for PR #3640 to be merged.
    Return type: Optional[str]
    Returns: The region name as a string

aws_alb_oauth_proxy.helpers.clean_response_headers(request)
    Removes HTTP headers from an upstream response and adds the auth header if present.
    Parameters: request (Request) – A web.Request containing the request whose headers are to be cleaned.
    Return type: CIMultiDictProxy
    Returns: A CIMultiDictProxy containing the clean headers.

server

class aws_alb_oauth_proxy.server.Proxy(upstream, aws_region, header_name='X-WEBAUTH-USER', header_property='email', ignore_auth=False)
    Bases: object
    This is basically a reverse proxy that translates some headers. We don’t care about cookies or sessions.
    This takes the OIDC data from the load balancer, validates it, and adds new headers as expected by Grafana. Some form of key caching may be useful and will be implemented later.

    _add_auth_info(request)
        Adds the authentication information, if any, to the request.
        Catches exceptions from decoding the payload and converts them to HTTP exceptions to be propagated. If authentication is disabled via _ignore_auth, this does nothing.
        Headers are kept in a CIMultiDictProxy, so the case of header names does not matter.

    _decode_payload(oidc_data)
        Returns the payload of the OIDC data sent by the ALB.
        Parameters: oidc_data (str) – OIDC data from the ALB
        Return type: Mapping[str, str]
        Returns: payload
        Raises: jwt.exceptions.ExpiredSignatureError – If the token is no longer valid

    auth_middleware(request, handler)

    handle_request(request)
        Return type: StreamResponse

    runner()
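
The header translation that Proxy and _add_auth_info describe, sketched as an added example; it is not code from aws_alb_oauth_proxy. The names upstream_headers and MissingClaim and the sample request are hypothetical, and the payload is assumed to have already passed signature and expiry validation.

```python
from typing import Iterable, List, Mapping, Tuple

Header = Tuple[str, str]

# Headers an ALB adds after authenticating a user. Dropping them before the
# upstream sees them is a choice made in this sketch, not documented behaviour.
ALB_OIDC_HEADERS = frozenset(
    {"x-amzn-oidc-data", "x-amzn-oidc-identity", "x-amzn-oidc-accesstoken"}
)


class MissingClaim(Exception):
    """Hypothetical error: the payload lacks a usable identity claim."""


def upstream_headers(
    incoming: Iterable[Header],
    payload: Mapping[str, str],
    header_name: str = "X-WEBAUTH-USER",
    header_property: str = "email",
) -> List[Header]:
    """Return the headers to forward, with exactly one trusted auth header."""
    blocked = ALB_OIDC_HEADERS | {header_name.lower()}
    # Header names are case-insensitive, so compare lowercased names; otherwise
    # a client-sent "x-webauth-user" would survive next to the trusted value.
    kept = [(name, value) for name, value in incoming if name.lower() not in blocked]
    identity = payload.get(header_property)
    # Reject absent, empty or non-string claims, and CR/LF that could split a header.
    if not isinstance(identity, str) or not identity.strip() or "\r" in identity or "\n" in identity:
        raise MissingClaim(f"claim {header_property!r} missing or unsafe")
    kept.append((header_name, identity))
    return kept


# Constructed sample request: the client tries to pre-set the auth header.
SAMPLE_REQUEST = [
    ("Host", "grafana.example.internal"),
    ("x-webauth-user", "admin@example.com"),
    ("X-Amzn-Oidc-Data", "<constructed-jwt-placeholder>"),
    ("Accept", "application/json"),
]
# Constructed payload, standing in for the output of a validated decode.
SAMPLE_PAYLOAD = {"sub": "constructed-subject", "email": "alice@example.com"}

if __name__ == "__main__":
    for name, value in upstream_headers(SAMPLE_REQUEST, SAMPLE_PAYLOAD):
        print(f"{name}: {value}")
```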