{"id":13841733,"url":"https://github.com/contiv/auth_proxy","last_synced_at":"2025-04-11T22:58:26.806Z","repository":{"id":144292652,"uuid":"72787691","full_name":"contiv/auth_proxy","owner":"contiv","description":"A proxy + UI server for Contiv which handles authentication (local users/LDAP/AD) + authorization (RBAC)","archived":false,"fork":false,"pushed_at":"2018-06-21T08:01:42.000Z","size":74553,"stargazers_count":15,"open_issues_count":2,"forks_count":16,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-04-11T22:58:14.988Z","etag":null,"topics":["contiv","rbac","tenant","tls","ui"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/contiv.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":null}},"created_at":"2016-11-03T21:17:10.000Z","updated_at":"2022-07-28T09:04:33.000Z","dependencies_parsed_at":null,"dependency_job_id":"a74f9fff-8e54-4c80-9bae-bbcacbc38563","html_url":"https://github.com/contiv/auth_proxy","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/contiv%2Fauth_proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/contiv%2Fauth_proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/contiv%2Fauth_proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/contiv%2Fauth_proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/contiv","download_url":"https://codeload.github.com/contiv/auth_proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248492898,"owners_count":21113162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["contiv","rbac","tenant","tls","ui"],"created_at":"2024-08-04T17:01:19.414Z","updated_at":"2025-04-11T22:58:26.783Z","avatar_url":"https://github.com/contiv.png","language":"JavaScript","funding_links":[],"categories":["JavaScript","JavaScript (485)"],"sub_categories":[],"readme":"# Auth Proxy\n\n`auth_proxy` provides authentication (local users/LDAP/AD) and authorization\n(RBAC) before forwarding requests to an upstream `netmaster`. It is TLS-only,\nand it will only talk to a non-TLS `netmaster`.  Future versions will allow\nor potentially require TLS-only communication with `netmaster`.\n\n`auth_proxy` also hosts the Contiv UI (see the [contiv-ui repo](https://github.com/contiv/contiv-ui)).\nThe UI is baked into the container and lives at the `/ui` directory. It is served\nfrom the root of the proxy, e.g., if you run with `--listen-address=localhost:10000`,\nyou can see the UI at https://localhost:10000\n\nA custom version of the UI can be bindmounted over the baked-in version. Note that\nyou need to bind in the `/app` directory under the `contiv-ui` repo, not the base\ndirectory (e.g., `-v /your/contiv-ui/repo/app:/ui:ro`)\n\n## Building\n\nRunning `make` will generate a `contiv/auth_proxy:devbuild` image using the current\ncode you have checked out and `HEAD` from the `master` branch in the `contiv-ui` repo.\n\nYou can also specify a version, e.g., `BUILD_VERSION=0.1 make`.  This will\ngenerate a `contiv/auth_proxy:0.1` image using current code you have checked out\nand whatever commit is tagged as `0.1` in the `contiv-ui` repo.\n\n## Version Checking\n\n`auth_proxy` will check the version of the `netmaster` it's pointed to at startup.\nWe require that the major versions are the same and that the minor version of\n`netmaster` is \u003e= the minor version of `auth_proxy`.\n\nFor example, version `1.2.3` of `auth_proxy`  will only talk to a `netmaster` build\nversion of `1.x.y` where `x` is \u003e= 2 and `y` can be anything.\n\n## Running Tests\n\nTests currently run against the `contiv/auth_proxy:devbuild` image.  Make sure you\nhave built this image before running tests.\n\nJust run `make test` to run the systemtests and unit tests.  The tests are fully\ncontainerized and will spawn everything they require as part of the test run\n(note that this does NOT currently include an AD server, and we are still using a\nhardcoded one).\n\nThere is also a `MockServer` available in the `systemtests`\ndirectory which can pretend to be `netmaster` for the purposes of testing.  This\nallows us to mock the parts of `netmaster` we need (mainly that a given endpoint\nreturns some expected JSON response) without the burden of actually compiling\nand running a full `netmaster` binary and all of its dependencies plus creating\nthe necessary networks, tenants, etc. to get realistic responses from it.\n\nFor a complete e2e setup involving auth_proxy + UI + netmaster, please see\n[contiv/install](https://github.com/contiv/install).\n\n## Local Development\n\nYou will need a certificate and key to start `auth_proxy`.  You can run\n`make generate-certificate` to generate a self-signed certificate and key under\n`./local_certs` if you don't already have them.\n\nTo test auth_proxy in isolation, use `make run` to start it using the compose file.\n\n## Architecture Overview\n\nBefore anything else, a prospective user must authenticate and get a token.\nAuthentication requires passing a username and password to the\n`/api/v1/auth_proxy/login/` endpoint:\n\n```\nlogin request ---\u003e auth_proxy ---\u003e authentication\n                                                \\\n                                                 local user *or* LDAP / Active Directory\n                                                /\n\u003c---- token sent to client \u003c---- auth_proxy ----\n```\n\nSubsequent requests must pass this token along in a `X-Auth-Token` request\nheader.  All non-login requests are simply passed on to the `netmaster` if\nauthentication and authorization are both successful.\n\n### Example of a full request cycle:\n\n1. A request for `/api/v1/networks/` is sent in with a token in the `X-Auth-Token` header\n1. The user represented by the token is authenticated against a local DB or LDAP / Active Directory\n1. An authorization check is performed to see if the user is allowed to access the resource in question (networks)\n1. If both authentication and authorization are successful, the request is proxied to `netmaster`\n1. If the user is not an admin **and** the endpoint returns data for multiple tenants, the response from `netmaster` will be filtered to only return what the current user is allowed to see\n\n```\nrequest w. token ---\u003e auth_proxy ---\u003e authorization ----\u003e request forwarded to netmaster\n                                                                                        \\\n                                                                                         netmaster\n                                                                                        /\n\u003c----- results filtered based on token and returned to client \u003c----- auth_proxy --------\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontiv%2Fauth_proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontiv%2Fauth_proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontiv%2Fauth_proxy/lists"}