auth

package
Published: Jun 20, 2022 License: MIT Imports: 24 Imported by: 32

Documentation

Index

Constants

This section is empty.

Variables

// Names contains the human-readable name of each login Type.
// NoType and Plain have no entry here.
var Names = map[Type]string{
	LDAP:   "LDAP (via BindDN)",
	DLDAP:  "LDAP (simple auth)",
	SMTP:   "SMTP",
	PAM:    "PAM",
	OAuth2: "OAuth2",
	SSPI:   "SPNEGO with SSPI",
}

Names contains the name of LoginType values.

Functions

func CleanupSessions

func CleanupSessions(maxLifetime int64) error

CleanupSessions cleans up expired sessions

func CountSessions

func CountSessions() (int64, error)

CountSessions returns the number of sessions

func CountSources

func CountSources() int64

CountSources returns number of login sources.

func CreateSource

func CreateSource(source *Source) error

CreateSource inserts an AuthSource in the DB if one with the given name does not already exist.

func DeleteCredential

func DeleteCredential(id, userID int64) (bool, error)

DeleteCredential will delete WebAuthnCredential

func DeleteOAuth2Application

func DeleteOAuth2Application(id, userid int64) error

DeleteOAuth2Application deletes the application with the given id and the grants and auth codes related to it. It checks if the userid was the creator of the app.

func DeleteOAuth2RelictsByUserID added in v1.17.0

func DeleteOAuth2RelictsByUserID(ctx context.Context, userID int64) error

func DeleteTwoFactorByID

func DeleteTwoFactorByID(id, userID int64) error

DeleteTwoFactorByID deletes two-factor authentication token by given ID.

func DestroySession

func DestroySession(key string) error

DestroySession destroys a session

func ExistSession

func ExistSession(key string) (bool, error)

ExistSession checks if a session exists

func ExistsWebAuthnCredentialsForUID

func ExistsWebAuthnCredentialsForUID(uid int64) (bool, error)

ExistsWebAuthnCredentialsForUID returns if the given user has credentials

func HasTwoFactorByUID

func HasTwoFactorByUID(uid int64) (bool, error)

HasTwoFactorByUID returns whether the user has a two-factor authentication token.

func HasWebAuthnRegistrationsByUID

func HasWebAuthnRegistrationsByUID(uid int64) (bool, error)

HasWebAuthnRegistrationsByUID returns whether a given user has WebAuthn registrations

func HashToken

func HashToken(token, salt string) string

HashToken returns the salted hash of token.

func IsErrOAuthApplicationNotFound

func IsErrOAuthApplicationNotFound(err error) bool

IsErrOAuthApplicationNotFound checks if an error is an ErrOAuthApplicationNotFound.

func IsErrOauthClientIDInvalid

func IsErrOauthClientIDInvalid(err error) bool

IsErrOauthClientIDInvalid checks if an error is an ErrOAuthClientIDInvalid.

func IsErrSourceAlreadyExist

func IsErrSourceAlreadyExist(err error) bool

IsErrSourceAlreadyExist checks if an error is a ErrSourceAlreadyExist.

func IsErrSourceInUse

func IsErrSourceInUse(err error) bool

IsErrSourceInUse checks if an error is a ErrSourceInUse.

func IsErrSourceNotExist

func IsErrSourceNotExist(err error) bool

IsErrSourceNotExist checks if an error is a ErrSourceNotExist.

func IsErrTwoFactorNotEnrolled

func IsErrTwoFactorNotEnrolled(err error) bool

IsErrTwoFactorNotEnrolled checks if an error is a ErrTwoFactorNotEnrolled.

func IsErrWebAuthnCredentialNotExist

func IsErrWebAuthnCredentialNotExist(err error) bool

IsErrWebAuthnCredentialNotExist checks if an error is a ErrWebAuthnCredentialNotExist.

func IsSSPIEnabled

func IsSSPIEnabled() bool

IsSSPIEnabled returns true if there is at least one activated login source of type LoginSSPI

func NewTwoFactor

func NewTwoFactor(t *TwoFactor) error

NewTwoFactor creates a new two-factor authentication token.

func RegisterTypeConfig

func RegisterTypeConfig(typ Type, exemplar Config)

RegisterTypeConfig registers a config for the provided type.

func RevokeOAuth2Grant

func RevokeOAuth2Grant(ctx context.Context, grantID, userID int64) error

RevokeOAuth2Grant deletes the grant with grantID and userID

func UpdateSession

func UpdateSession(key string, data []byte) error

UpdateSession updates the session with provided id

func UpdateSource

func UpdateSource(source *Source) error

UpdateSource updates a Source record in DB.

func UpdateTwoFactor

func UpdateTwoFactor(t *TwoFactor) error

UpdateTwoFactor updates a two-factor authentication token.

func WebAuthnCredentials

func WebAuthnCredentials(userID int64) ([]webauthn.Credential, error)

WebAuthnCredentials implements the webauthn.User interface.

Types

type Config

// Config represents a login source's configuration as far as the
// database is concerned. It embeds convert.Conversion, which is also the
// type of Source.Cfg (persisted as TEXT).
type Config interface {
	convert.Conversion
}

Config represents login config as far as the db is concerned

type CreateOAuth2ApplicationOptions

// CreateOAuth2ApplicationOptions holds the options used by
// CreateOAuth2Application to create an OAuth2 application.
type CreateOAuth2ApplicationOptions struct {
	Name         string   // name of the application
	UserID       int64    // user that owns the application
	RedirectURIs []string // redirect URIs allowed for the client (see ContainsRedirectURI)
}

CreateOAuth2ApplicationOptions holds options to create an oauth2 application

type ErrOAuthApplicationNotFound

// ErrOAuthApplicationNotFound is returned when no OAuth2 application
// has the requested id.
type ErrOAuthApplicationNotFound struct {
	ID int64 // the application id that could not be found
}

ErrOAuthApplicationNotFound will be thrown if id cannot be found

func (ErrOAuthApplicationNotFound) Error

func (err ErrOAuthApplicationNotFound) Error() string

Error returns the error message

type ErrOAuthClientIDInvalid

// ErrOAuthClientIDInvalid is returned when no OAuth2 application has the
// requested client id.
type ErrOAuthClientIDInvalid struct {
	ClientID string // the client id that could not be found
}

ErrOAuthClientIDInvalid will be thrown if client id cannot be found

func (ErrOAuthClientIDInvalid) Error

func (err ErrOAuthClientIDInvalid) Error() string

Error returns the error message

type ErrSourceAlreadyExist

// ErrSourceAlreadyExist represents a "SourceAlreadyExist" kind of error:
// a login source with the same name is already present.
type ErrSourceAlreadyExist struct {
	Name string // the conflicting source name
}

ErrSourceAlreadyExist represents a "SourceAlreadyExist" kind of error.

func (ErrSourceAlreadyExist) Error

func (err ErrSourceAlreadyExist) Error() string

type ErrSourceInUse

// ErrSourceInUse represents a "SourceInUse" kind of error.
type ErrSourceInUse struct {
	ID int64 // id of the login source that is still in use
}

ErrSourceInUse represents a "SourceInUse" kind of error.

func (ErrSourceInUse) Error

func (err ErrSourceInUse) Error() string

type ErrSourceNotExist

// ErrSourceNotExist represents a "SourceNotExist" kind of error.
type ErrSourceNotExist struct {
	ID int64 // id of the login source that was not found
}

ErrSourceNotExist represents a "SourceNotExist" kind of error.

func (ErrSourceNotExist) Error

func (err ErrSourceNotExist) Error() string

type ErrTwoFactorNotEnrolled

// ErrTwoFactorNotEnrolled indicates that a user is not enrolled in
// two-factor authentication.
type ErrTwoFactorNotEnrolled struct {
	UID int64 // id of the user that is not enrolled
}

ErrTwoFactorNotEnrolled indicates that a user is not enrolled in two-factor authentication.

func (ErrTwoFactorNotEnrolled) Error

func (err ErrTwoFactorNotEnrolled) Error() string

type ErrWebAuthnCredentialNotExist

// ErrWebAuthnCredentialNotExist represents a "WebAuthnCredentialNotExist"
// kind of error. Depending on the lookup that failed, either the numeric
// ID or the CredentialID is populated.
type ErrWebAuthnCredentialNotExist struct {
	ID           int64  // numeric credential id that was looked up
	CredentialID string // WebAuthn credential id that was looked up
}

ErrWebAuthnCredentialNotExist represents a "WebAuthnCredentialNotExist" kind of error.

func (ErrWebAuthnCredentialNotExist) Error

type HasTLSer

// HasTLSer is implemented by login source configurations that can report
// whether TLS can be enabled for them.
type HasTLSer interface {
	HasTLS() bool
}

HasTLSer configurations provide a HasTLS to check if TLS can be enabled

type OAuth2Application

// OAuth2Application represents an OAuth2 client (RFC 6749).
type OAuth2Application struct {
	ID   int64 `xorm:"pk autoincr"`
	UID  int64 `xorm:"INDEX"` // user that owns the application
	Name string
	// ClientID is the public client identifier; unique across applications.
	ClientID string `xorm:"unique"`
	// ClientSecret holds the hash of the secret, not the plaintext:
	// GenerateClientSecret saves the hash and returns the plaintext once,
	// and ValidateClientSecret compares a presented secret against the hash.
	ClientSecret string
	// RedirectURIs are the redirect URIs allowed for this client; see
	// ContainsRedirectURI and PrimaryRedirectURI.
	RedirectURIs []string           `xorm:"redirect_uris JSON TEXT"`
	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX created"`
	UpdatedUnix  timeutil.TimeStamp `xorm:"INDEX updated"`
}

OAuth2Application represents an OAuth2 client (RFC 6749)

func CreateOAuth2Application

func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOptions) (*OAuth2Application, error)

CreateOAuth2Application inserts a new oauth2 application

func GetOAuth2ApplicationByClientID

func GetOAuth2ApplicationByClientID(ctx context.Context, clientID string) (app *OAuth2Application, err error)

GetOAuth2ApplicationByClientID returns the oauth2 application with the given client_id. Returns an error if not found.

func GetOAuth2ApplicationByID

func GetOAuth2ApplicationByID(ctx context.Context, id int64) (app *OAuth2Application, err error)

GetOAuth2ApplicationByID returns the oauth2 application with the given id. Returns an error if not found.

func GetOAuth2ApplicationsByUserID

func GetOAuth2ApplicationsByUserID(ctx context.Context, userID int64) (apps []*OAuth2Application, err error)

GetOAuth2ApplicationsByUserID returns all oauth2 applications owned by the user

func ListOAuth2Applications

func ListOAuth2Applications(uid int64, listOptions db.ListOptions) ([]*OAuth2Application, int64, error)

ListOAuth2Applications returns a list of oauth2 applications belonging to the given user.

func UpdateOAuth2Application

func UpdateOAuth2Application(opts UpdateOAuth2ApplicationOptions) (*OAuth2Application, error)

UpdateOAuth2Application updates an oauth2 application

func (*OAuth2Application) ContainsRedirectURI

func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool

ContainsRedirectURI checks if redirectURI is allowed for app

func (*OAuth2Application) CreateGrant

func (app *OAuth2Application) CreateGrant(ctx context.Context, userID int64, scope string) (*OAuth2Grant, error)

CreateGrant generates a grant for a user.

func (*OAuth2Application) GenerateClientSecret

func (app *OAuth2Application) GenerateClientSecret() (string, error)

GenerateClientSecret generates a new client secret, returns the plaintext and saves its hash to the database.

func (*OAuth2Application) GetGrantByUserID

func (app *OAuth2Application) GetGrantByUserID(ctx context.Context, userID int64) (grant *OAuth2Grant, err error)

GetGrantByUserID returns a OAuth2Grant by its user and application ID

func (*OAuth2Application) PrimaryRedirectURI

func (app *OAuth2Application) PrimaryRedirectURI() string

PrimaryRedirectURI returns the first redirect uri or an empty string if empty

func (*OAuth2Application) TableName

func (app *OAuth2Application) TableName() string

TableName sets the table name to `oauth2_application`

func (*OAuth2Application) ValidateClientSecret

func (app *OAuth2Application) ValidateClientSecret(secret []byte) bool

ValidateClientSecret validates the given secret by the hash saved in database

type OAuth2AuthorizationCode

// OAuth2AuthorizationCode is a code to obtain an access token, in
// combination with the client secret, once. It has a limited lifetime
// (ValidUntil); Invalidate deletes it from the database.
type OAuth2AuthorizationCode struct {
	ID      int64        `xorm:"pk autoincr"`
	Grant   *OAuth2Grant `xorm:"-"` // not a database column
	GrantID int64
	Code    string `xorm:"INDEX unique"`
	// CodeChallenge and CodeChallengeMethod are the PKCE parameters that
	// ValidateCodeChallenge checks a verifier against.
	CodeChallenge       string
	CodeChallengeMethod string
	RedirectURI         string
	ValidUntil          timeutil.TimeStamp `xorm:"index"` // expiry of the code
}

OAuth2AuthorizationCode is a code to obtain an access token in combination with the client secret once. It has a limited lifetime.

func GetOAuth2AuthorizationByCode

func GetOAuth2AuthorizationByCode(ctx context.Context, code string) (auth *OAuth2AuthorizationCode, err error)

GetOAuth2AuthorizationByCode returns an authorization by its code

func (*OAuth2AuthorizationCode) GenerateRedirectURI

func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (redirect *url.URL, err error)

GenerateRedirectURI generates a redirect URI for a successful authorization request. State will be used if not empty.

func (*OAuth2AuthorizationCode) Invalidate

func (code *OAuth2AuthorizationCode) Invalidate(ctx context.Context) error

Invalidate deletes the auth code from the database to invalidate this code

func (*OAuth2AuthorizationCode) TableName

func (code *OAuth2AuthorizationCode) TableName() string

TableName sets the table name to `oauth2_authorization_code`

func (*OAuth2AuthorizationCode) ValidateCodeChallenge

func (code *OAuth2AuthorizationCode) ValidateCodeChallenge(verifier string) bool

ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE implementation.

type OAuth2Grant

// OAuth2Grant represents the permission of a user for a specific
// application to access resources. The unique(user_application) index
// allows at most one grant per user and application.
type OAuth2Grant struct {
	ID            int64              `xorm:"pk autoincr"`
	UserID        int64              `xorm:"INDEX unique(user_application)"`
	Application   *OAuth2Application `xorm:"-"` // not a database column
	ApplicationID int64              `xorm:"INDEX unique(user_application)"`
	Counter       int64              `xorm:"NOT NULL DEFAULT 1"` // incremented by IncreaseCounter
	Scope         string             `xorm:"TEXT"`               // queried by ScopeContains
	Nonce         string             `xorm:"TEXT"`               // updated by SetNonce
	CreatedUnix   timeutil.TimeStamp `xorm:"created"`
	UpdatedUnix   timeutil.TimeStamp `xorm:"updated"`
}

OAuth2Grant represents the permission of a user for a specific application to access resources.

func GetOAuth2GrantByID

func GetOAuth2GrantByID(ctx context.Context, id int64) (grant *OAuth2Grant, err error)

GetOAuth2GrantByID returns the grant with the given ID

func GetOAuth2GrantsByUserID

func GetOAuth2GrantsByUserID(ctx context.Context, uid int64) ([]*OAuth2Grant, error)

GetOAuth2GrantsByUserID lists all grants of a certain user

func (*OAuth2Grant) GenerateNewAuthorizationCode

func (grant *OAuth2Grant) GenerateNewAuthorizationCode(ctx context.Context, redirectURI, codeChallenge, codeChallengeMethod string) (code *OAuth2AuthorizationCode, err error)

GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database

func (*OAuth2Grant) IncreaseCounter

func (grant *OAuth2Grant) IncreaseCounter(ctx context.Context) error

IncreaseCounter increases the counter and updates the grant

func (*OAuth2Grant) ScopeContains

func (grant *OAuth2Grant) ScopeContains(scope string) bool

ScopeContains returns true if the grant scope contains the specified scope

func (*OAuth2Grant) SetNonce

func (grant *OAuth2Grant) SetNonce(ctx context.Context, nonce string) error

SetNonce updates the current nonce value of a grant

func (*OAuth2Grant) TableName

func (grant *OAuth2Grant) TableName() string

TableName sets the table name to `oauth2_grant`

type RegisterableSource

// RegisterableSource is implemented by login source configurations that
// need RegisterSource run on creation and UnregisterSource on removal.
type RegisterableSource interface {
	RegisterSource() error
	UnregisterSource() error
}

RegisterableSource configurations provide RegisterSource which needs to be run on creation

type SSHKeyProvider

// SSHKeyProvider is implemented by login source configurations that can
// report whether they provide SSH keys.
type SSHKeyProvider interface {
	ProvidesSSHKeys() bool
}

SSHKeyProvider configurations provide ProvidesSSHKeys to check if they provide SSHKeys

type Session

// Session represents a session compatible with go-chi/session; field
// names are dictated by that package.
type Session struct {
	Key    string             `xorm:"pk CHAR(16)"` // has to be Key to match with go-chi/session
	Data   []byte             `xorm:"BLOB"`        // on MySQL this has a maximum size of 64Kb - this may need to be increased
	Expiry timeutil.TimeStamp // has to be Expiry to match with go-chi/session; CleanupSessions removes expired rows
}

Session represents a session compatible for go-chi session

func ReadSession

func ReadSession(key string) (*Session, error)

ReadSession reads the data for the provided session

func RegenerateSession

func RegenerateSession(oldKey, newKey string) (*Session, error)

RegenerateSession regenerates a session from the old id

type SkipVerifiable

// SkipVerifiable is implemented by login source configurations that can
// report whether certificate verification is skipped.
type SkipVerifiable interface {
	IsSkipVerify() bool
}

SkipVerifiable configurations provide an IsSkipVerify to check if SkipVerify is set.

type Source

// Source represents an external way of authorizing users.
type Source struct {
	ID            int64 `xorm:"pk autoincr"`
	Type          Type  // login type; see the Type constants and the Is* methods
	Name          string             `xorm:"UNIQUE"`
	IsActive      bool               `xorm:"INDEX NOT NULL DEFAULT false"` // only active sources are returned by ActiveSources
	IsSyncEnabled bool               `xorm:"INDEX NOT NULL DEFAULT false"`
	// Cfg is the type-specific configuration, persisted as TEXT.
	// NOTE(review): presumably the SkipVerify/HasTLS/UseTLS methods consult
	// it via the SkipVerifiable/HasTLSer/UseTLSer interfaces — confirm.
	Cfg convert.Conversion `xorm:"TEXT"`

	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
}

Source represents an external way for authorizing users.

func ActiveSources

func ActiveSources(tp Type) ([]*Source, error)

ActiveSources returns all active sources of the specified type

func AllActiveSources

func AllActiveSources() ([]*Source, error)

AllActiveSources returns all active sources

func GetActiveOAuth2ProviderSources

func GetActiveOAuth2ProviderSources() ([]*Source, error)

GetActiveOAuth2ProviderSources returns all activated LoginOAuth2 sources.

func GetActiveOAuth2SourceByName

func GetActiveOAuth2SourceByName(name string) (*Source, error)

GetActiveOAuth2SourceByName returns an OAuth2 AuthSource based on the given name.

func GetSourceByID

func GetSourceByID(id int64) (*Source, error)

GetSourceByID returns login source by given ID.

func Sources

func Sources() ([]*Source, error)

Sources returns a slice of all login sources found in DB.

func SourcesByType

func SourcesByType(loginType Type) ([]*Source, error)

SourcesByType returns all sources of the specified type

func (*Source) BeforeSet

func (source *Source) BeforeSet(colName string, val xorm.Cell)

BeforeSet is invoked from XORM before setting the value of a field of this object.

func (*Source) HasTLS

func (source *Source) HasTLS() bool

HasTLS returns true if this source supports TLS.

func (*Source) IsDLDAP

func (source *Source) IsDLDAP() bool

IsDLDAP returns true if this source is of the DLDAP type.

func (*Source) IsLDAP

func (source *Source) IsLDAP() bool

IsLDAP returns true if this source is of the LDAP type.

func (*Source) IsOAuth2

func (source *Source) IsOAuth2() bool

IsOAuth2 returns true if this source is of the OAuth2 type.

func (*Source) IsPAM

func (source *Source) IsPAM() bool

IsPAM returns true if this source is of the PAM type.

func (*Source) IsSMTP

func (source *Source) IsSMTP() bool

IsSMTP returns true if this source is of the SMTP type.

func (*Source) IsSSPI

func (source *Source) IsSSPI() bool

IsSSPI returns true if this source is of the SSPI type.

func (*Source) SkipVerify

func (source *Source) SkipVerify() bool

SkipVerify returns true if this source is configured to skip SSL verification.

func (Source) TableName

func (Source) TableName() string

TableName returns the table name; xorm reads it from this method.

func (*Source) TypeName

func (source *Source) TypeName() string

TypeName returns the name of this login source type.

func (*Source) UseTLS

func (source *Source) UseTLS() bool

UseTLS returns true if this source is configured to use TLS.

type SourceSettable

// SourceSettable is implemented by login source configurations that can
// have their owning Source set on them.
type SourceSettable interface {
	SetAuthSource(*Source)
}

SourceSettable configurations can have their authSource set on them

type TwoFactor

// TwoFactor represents a two-factor authentication token. There is at
// most one per user (UID is UNIQUE).
type TwoFactor struct {
	ID  int64 `xorm:"pk autoincr"`
	UID int64 `xorm:"UNIQUE"`
	// Secret is set through SetSecret; ValidateTOTP validates passcodes.
	// NOTE(review): presumably stored in an encoded/encrypted form rather
	// than plaintext — confirm in SetSecret.
	Secret string
	// ScratchSalt and ScratchHash back the scratch (recovery) token: only a
	// salted hash is kept, as HashToken(token, salt) suggests, and
	// VerifyScratchToken checks a presented token against it. The plaintext
	// is returned to the user once by GenerateScratchToken.
	ScratchSalt string
	ScratchHash string
	// LastUsedPasscode is limited to 10 characters. NOTE(review): presumably
	// used to reject reuse of the last accepted passcode — confirm in
	// ValidateTOTP.
	LastUsedPasscode string             `xorm:"VARCHAR(10)"`
	CreatedUnix      timeutil.TimeStamp `xorm:"INDEX created"`
	UpdatedUnix      timeutil.TimeStamp `xorm:"INDEX updated"`
}

TwoFactor represents a two-factor authentication token.

func GetTwoFactorByUID

func GetTwoFactorByUID(uid int64) (*TwoFactor, error)

GetTwoFactorByUID returns the two-factor authentication token associated with the user, if any.

func (*TwoFactor) GenerateScratchToken

func (t *TwoFactor) GenerateScratchToken() (string, error)

GenerateScratchToken recreates the scratch token the user is using.

func (*TwoFactor) SetSecret

func (t *TwoFactor) SetSecret(secretString string) error

SetSecret sets the 2FA secret.

func (*TwoFactor) ValidateTOTP

func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error)

ValidateTOTP validates the provided passcode.

func (*TwoFactor) VerifyScratchToken

func (t *TwoFactor) VerifyScratchToken(token string) bool

VerifyScratchToken verifies if the specified scratch token is valid.

type Type

// Type represents a login type. Its values are the constants below;
// String and Int give the name and numeric value.
type Type int

Type represents a login type.

// Login types. The numeric values are persisted in Source.Type, so a new
// type must be appended to the end of the list to maintain compatibility.
const (
	NoType Type = iota
	Plain       // 1
	LDAP        // 2
	SMTP        // 3
	PAM         // 4
	DLDAP       // 5
	OAuth2      // 6
	SSPI        // 7
)

Note: new type must append to the end of list to maintain compatibility.

func (Type) Int

func (typ Type) Int() int

Int returns the int value of the LoginType

func (Type) String

func (typ Type) String() string

String returns the string name of the LoginType

type UpdateOAuth2ApplicationOptions

// UpdateOAuth2ApplicationOptions holds the options used by
// UpdateOAuth2Application to update an OAuth2 application.
type UpdateOAuth2ApplicationOptions struct {
	ID           int64    // id of the application to update
	Name         string   // new name
	UserID       int64    // user performing the update
	RedirectURIs []string // new set of allowed redirect URIs
}

UpdateOAuth2ApplicationOptions holds options to update an oauth2 application

type UseTLSer

// UseTLSer is implemented by login source configurations that can report
// whether TLS is enabled for them.
type UseTLSer interface {
	UseTLS() bool
}

UseTLSer configurations provide a UseTLS to check if TLS is enabled

type WebAuthnCredential

// WebAuthnCredential represents the WebAuthn credential data for a
// public-key credential conformant to WebAuthn Level 1.
type WebAuthnCredential struct {
	ID   int64 `xorm:"pk autoincr"`
	Name string
	// LowerName together with UserID forms the unique(s) index, so
	// credential names are unique per user regardless of case.
	LowerName string `xorm:"unique(s)"`
	UserID    int64  `xorm:"INDEX unique(s)"`
	// CredentialID is the authenticator's credential id, looked up by
	// GetWebAuthnCredentialByCredID.
	CredentialID    string `xorm:"INDEX VARCHAR(410)"`
	PublicKey       []byte
	AttestationType string
	AAGUID          []byte
	// SignCount is persisted by UpdateSignCount. NOTE(review): CloneWarning
	// presumably records a signature-counter anomaly detected during
	// assertion — confirm where it is set.
	SignCount    uint32 `xorm:"BIGINT"`
	CloneWarning bool
	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX created"`
	UpdatedUnix  timeutil.TimeStamp `xorm:"INDEX updated"`
}

WebAuthnCredential represents the WebAuthn credential data for a public-key credential conformant to WebAuthn Level 1

func CreateCredential

func CreateCredential(userID int64, name string, cred *webauthn.Credential) (*WebAuthnCredential, error)

CreateCredential will create a new WebAuthnCredential from the given Credential

func GetWebAuthnCredentialByCredID

func GetWebAuthnCredentialByCredID(userID int64, credID string) (*WebAuthnCredential, error)

GetWebAuthnCredentialByCredID returns WebAuthn credential by credential ID

func GetWebAuthnCredentialByID

func GetWebAuthnCredentialByID(id int64) (*WebAuthnCredential, error)

GetWebAuthnCredentialByID returns WebAuthn credential by id

func GetWebAuthnCredentialByName

func GetWebAuthnCredentialByName(uid int64, name string) (*WebAuthnCredential, error)

GetWebAuthnCredentialByName returns WebAuthn credential by name

func (*WebAuthnCredential) AfterLoad

func (cred *WebAuthnCredential) AfterLoad(session *xorm.Session)

AfterLoad is invoked from XORM after setting the values of all fields of this object.

func (*WebAuthnCredential) BeforeInsert

func (cred *WebAuthnCredential) BeforeInsert()

BeforeInsert will be invoked by XORM before inserting a record

func (*WebAuthnCredential) BeforeUpdate

func (cred *WebAuthnCredential) BeforeUpdate()

BeforeUpdate will be invoked by XORM before updating a record

func (WebAuthnCredential) TableName

func (cred WebAuthnCredential) TableName() string

TableName returns a better table name for WebAuthnCredential

func (*WebAuthnCredential) UpdateSignCount

func (cred *WebAuthnCredential) UpdateSignCount() error

UpdateSignCount will update the database value of SignCount

type WebAuthnCredentialList

// WebAuthnCredentialList is a list of *WebAuthnCredential; ToCredentials
// converts it to []webauthn.Credential.
type WebAuthnCredentialList []*WebAuthnCredential

WebAuthnCredentialList is a list of *WebAuthnCredential

func GetWebAuthnCredentialsByUID

func GetWebAuthnCredentialsByUID(uid int64) (WebAuthnCredentialList, error)

GetWebAuthnCredentialsByUID returns all WebAuthn credentials of the given user

func (WebAuthnCredentialList) ToCredentials

func (list WebAuthnCredentialList) ToCredentials() []webauthn.Credential

ToCredentials will convert all WebAuthnCredentials to webauthn.Credentials
