A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API

Overview

Heimdall


Heimdall is inspired by Ory's Oathkeeper, but tries to resolve the functional limitations of that product while building on a more modern technology stack, resulting in a much simpler and faster implementation.

Heimdall authenticates and authorizes incoming HTTP requests, enriches them with further information, and transforms the resulting subject information into the format required by the upstream services. It is meant to be used either as a Reverse Proxy in front of your upstream API or web server, rejecting unauthorized requests and forwarding authorized ones to your endpoints, or as a Decision API that integrates with your API Gateway (Kong, NGINX, Envoy, Traefik, etc.) and acts as a Policy Decision Point.

The current implementation is a pre-alpha version, but it already supports:

  • Decision API
  • Loading rules from the file system
  • Authenticator types (anonymous, basic-auth, generic, jwt, noop, oauth2 introspection, unauthorized)
  • Authorizers (allow, deny, subject attributes & remote)
  • Hydrators (generic) - to enrich the subject information retrieved from the authenticator
  • Mutators (opaque cookie, opaque header, jwt in the Authorization header, noop) to transform the subject information
  • Error Handlers (default, redirect, www-authenticate), which support accept type negotiation as well
  • OpenTracing support (Jaeger & Instana)
  • Key store in PEM format for RSA-PSS and ECDSA keys (PKCS#1 - plain only & PKCS#8 - plain and encrypted)
  • Rules URL matching
  • Flexible pipeline definition: authenticators+ -> any order(authorizer+, hydrator*) -> mutator+ -> error_handler+
  • Optional default rule taking effect if no rule matches
  • If a default rule is configured, the actual rule definitions can reuse it (less YAML code)
  • Typical execution time if caches are active is around 300µs (on my laptop)
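
The pipeline grammar from the list above (`authenticators+ -> any order(authorizer+, hydrator*) -> mutator+ -> error_handler+`), written out as a check. This is an added example, not Heimdall's own code: `ValidatePipeline` and the stage constants are hypothetical names, and the input is assumed to be the fully expanded stage list of one rule.

```go
package main

import "fmt"

// Stage kinds named in the pipeline definition; the constant names are hypothetical.
const (
	Authenticator = "authenticator"
	Authorizer    = "authorizer"
	Hydrator      = "hydrator"
	Mutator       = "mutator"
	ErrorHandler  = "error_handler"
)

// ValidatePipeline checks a sequence of stage kinds against
// authenticators+ -> any order(authorizer+, hydrator*) -> mutator+ -> error_handler+.
// Hypothetical helper for illustration; not Heimdall's rule loader.
func ValidatePipeline(stages []string) error {
	// Authorizers and hydrators share one phase, so they may interleave freely.
	phase := map[string]int{Authenticator: 0, Authorizer: 1, Hydrator: 1, Mutator: 2, ErrorHandler: 3}
	count := map[string]int{}
	cur := 0
	for i, s := range stages {
		p, ok := phase[s]
		if !ok {
			return fmt.Errorf("stage %d: unknown kind %q", i, s)
		}
		if p < cur {
			return fmt.Errorf("stage %d: %s may not follow a later phase", i, s)
		}
		cur = p
		count[s]++
	}
	// "+" means at least one; hydrator is "*" and therefore optional.
	for _, k := range []string{Authenticator, Authorizer, Mutator, ErrorHandler} {
		if count[k] == 0 {
			return fmt.Errorf("pipeline needs at least one %s", k)
		}
	}
	return nil
}

func main() {
	// Constructed input: hydrators on both sides of the authorizer are allowed.
	fmt.Println(ValidatePipeline([]string{Authenticator, Hydrator, Authorizer, Hydrator, Mutator, ErrorHandler}))
	// Constructed bad input: the authorization step is missing entirely.
	fmt.Println(ValidatePipeline([]string{Authenticator, Hydrator, Mutator, ErrorHandler}))
	// Constructed bad input: an authenticator placed after authorization.
	fmt.Println(ValidatePipeline([]string{Authenticator, Authorizer, Authenticator, Mutator, ErrorHandler}))
}
```

Rejecting a pipeline with no authorizer at load time keeps a rule from silently forwarding authenticated but unauthorized requests.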

Features to come are (more or less in this sequence):

  • Not really a feature - but tests, tests, tests ;)
  • Use the defined JSON schema to validate the configuration.
  • Documentation
  • X.509 certificates in key store
  • jwks endpoint to let the upstream service verify the jwt signatures
  • Health & Readiness Probes
  • k8s CRDs to load rules from.
  • Reverse Proxy

Owner

Dimitrij Drus

Graph Role-Based Access Control by Animeshon

gRBAC - Graph Role-Based Access Control A cloud-native graph implementation of the Role-Based Access Control (RBAC) authorization architecture powered

gRBAC 15 Apr 27, 2022
Cloud governance reports from native services in a clear and readable digest

cloudig, or Cloudigest, is a simple CLI tool for creating reports from various cloud sources with user-provided comments. It is written in Go and curr

Optum 18 Feb 18, 2022
rpCheckup is an AWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources.

rpCheckup - Catch AWS resource policy backdoors like Endgame rpCheckup is an AWS resource policy security checkup tool that identifies public, externa

Gold Fig Labs Inc. 142 Feb 27, 2022
Breaking Cloud Native Web APIs in their natural habitat.

cnfuzz - Cloud Native Web API Fuzzer "Breaking Cloud Native Web APIs in their natural habitat." Fuzzing web APIs in their fully converged Cloud Native

Sue B.V. - Cloud Native 27 May 10, 2022
Command line interface to windows clipboard over KiTTY remote-control printing

kclip Command line interface to windows clipboard over KiTTY remote-control printing About This tool behaves like the cat command, it just tries to pa

Jacob Alberty 0 Dec 12, 2021
lambda-go-api-proxy makes it easy to port APIs written with Go frameworks such as Gin to AWS Lambda and Amazon API Gateway.

aws-lambda-go-api-proxy makes it easy to run Golang APIs written with frameworks such as Gin with AWS Lambda and Amazon API Gateway.

Amazon Web Services - Labs 648 May 12, 2022
Clusterpedia-client - clusterpedia-client supports the use of native client-go mode to call the clusterpedia API

clusterpedia-client supports the use of native client-go mode to call the cluste

Calvin Chen 4 Jan 7, 2022
Client-go - Clusterpedia-client supports the use of native client-go mode to call the clusterpedia API

clusterpedia-client supports the use of native client-go mode to call the cluste

clusterpedia.io 7 Apr 19, 2022
SDK to provide access to JUNO API (Open Banking) (2.0.0)

Juno API - Golang SDK Juno API (Open Banking) (2.0.0) Why? This project is part of my personal portfolio, so, I'll be happy if you could provide me an

Vinícius Boscardin 4 Aug 9, 2021
A simple Kubernetes-native CI system for the Bhojpur.NET Platform.

Bhojpur Piro - Kubernetes-native CI A simple Kubernetes-native CI system applied by the Bhojpur.NET Platform. It knows no pipelines, just the jobs and

Bhojpur Consulting 2 Apr 28, 2022
Go library to access geocoding and reverse geocoding APIs

GeoService in Go Code Coverage A geocoding service developed in Go's way, idiomatic and elegant, not just in golang. This product is designed to open

Jerry Zhao 429 May 17, 2022
Automatically roll your AWS IAM access key (aws_access_key_id) and secret key (aws_secret_access_key).

roll-it Keep your AWS Credentials fresh on Windows, Mac, Linux (arm or x86)! What it Does Programmatically rotate your AWS IAM access keys and secr

Patrick Kilgore 3 Apr 8, 2022
A note taking app, that you can draw in, syncs to the cloud, and is on most platforms!

About NotDraw About · How to contribute · How to run · Trello · FAQ This is archived because I don't want to work on it anymore Structure Codebase Descr

YummyOreo 1 Dec 26, 2021
Useful AWS access key attribution tool

whodunnit Working towards this: https://twitter.com/__steele/status/1410437278489477120. Dumping code now to validate if it's useful or not before inv

Glass Echidna 7 Jan 1, 2022
A package for access aws service using AWS SDK for Golang

goaws A package for access aws service using AWS SDK for Golang Advantage with goaws package Example for get user list IAM with AWS SDK for Golang

Muhammad Ichsanul Fadhil 1 Nov 25, 2021
Access to C's sigqueue from Go

sigqueue-go This is a small module which provides an interface to C's sigqueue (via the rt_sigqueueinfo system call) in Go, which allows passing value

Patrick Reader 1 May 1, 2022
Package figtree provides a multi-paradigm SDK for sophisticated configuration file access

Package figtree provides a multi-paradigm SDK for sophisticated configuration file access. Motivation Figtree syntax is based on classic key/value pai

Read Write Pro 0 Dec 31, 2021
Unofficial SDK to access for Open Threat Exchange (OTX) in Go

gotx Unofficial SDK to access for Open Threat Exchange (OTX) API in Go. Usage package main import ( "context" "fmt" "os" "github.com/m-mizutani/

Masayoshi Mizutani 0 Feb 12, 2022
Firebase Cloud Messaging for application servers implemented using the Go programming language.

Firebase Cloud Notifications Client Firebase Cloud Messaging for application servers implemented using the Go programming language. It's designed for

Mad Devs 46 May 5, 2022