auth

package
v8.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 4, 2024 License: Apache-2.0, BSD-2-Clause, BSD-3-Clause, + 1 more Imports: 30 Imported by: 0

Documentation

Index

Examples

Constants

View Source
const (
	LDAPWithTLS = "ldaps://"
	LDAPNoTLS   = "ldap://"
)
View Source
const CurrentUserKey key = iota
View Source
const KEY_DELIM = ":"
View Source
const PrivLevelAdmin = 30
View Source
const PrivLevelFederation = 15
View Source
const PrivLevelInvalid = -1

PrivLevelInvalid - The Default Priv level

View Source
const PrivLevelOperations = 20
View Source
const PrivLevelPortal = 15
View Source
const PrivLevelReadOnly = 10
View Source
const PrivLevelSteering = 15
View Source
const PrivLevelUnauthenticated = 0
View Source
const TenantIDInvalid = -1

TenantIDInvalid - The default Tenant ID

Variables

View Source
var DefaultParams = SCRYPTComponents{
	Algorithm: "SCRYPT",
	N:         16384,
	R:         8,
	P:         1,
	SaltLen:   16,
	DKLen:     64}

The SCRYPT functionality defined in this package is derived based upon the following references: https://pkg.go.dev/golang.org/x/crypto/scrypt https://www.tarsnap.com/scrypt/scrypt.pdf

Functions

func AuthenticateUserDN

func AuthenticateUserDN(userDN string, password string, cfg *config.ConfigLDAP) (bool, error)

func CheckLDAPUser

func CheckLDAPUser(form PasswordForm, cfg *config.ConfigLDAP) (bool, error)

func CheckLocalUserIsAllowed

func CheckLocalUserIsAllowed(username string, db *sqlx.DB, ctx context.Context) (bool, error, error)

func CheckLocalUserPassword

func CheckLocalUserPassword(form PasswordForm, db *sqlx.DB, ctx context.Context) (bool, error, error)

func CheckLocalUserToken

func CheckLocalUserToken(token string, db *sqlx.DB, timeout time.Duration) (bool, string, error)

CheckLocalUserToken checks the passed token against the records in the db for a match, up to a maximum duration of timeout.

func ConnectToLDAP

func ConnectToLDAP(cfg *config.ConfigLDAP) (*ldap.Conn, error)

func DerivePassword

func DerivePassword(password string) (string, error)

DerivePassword uses the https://pkg.go.dev/golang.org/x/crypto/scrypt package to return an encrypted password that is compatible with the Perl CPAN library Crypt::ScryptKDF for backward compatibility to authenticate through the Perl API the same way. See: http://cpansearch.perl.org/src/MIK/Crypt-ScryptKDF-0.010/lib/Crypt/ScryptKDF.pm

func GetUserUcdn

func GetUserUcdn(form PasswordForm, db *sqlx.DB, ctx context.Context) (string, error)

GetUserUcdn returns the Upstream CDN to which the user belongs for CDNi operations.

func InitUsersCache

func InitUsersCache(interval time.Duration, db *sql.DB, timeout time.Duration)

InitUsersCache attempts to initialize the in-memory users data (if enabled) then starts a goroutine to periodically refresh the in-memory data from the database.

func IsCommonPassword

func IsCommonPassword(pw string) bool

func IsGoodLoginPair

func IsGoodLoginPair(username string, password string) (bool, error)

func IsGoodPassword

func IsGoodPassword(password string) (bool, error)

func LoadPasswordBlacklist

func LoadPasswordBlacklist(filePath string) error

Expects a relative path from the traffic_ops directory

func LookupUserDN

func LookupUserDN(username string, cfg *config.ConfigLDAP) (string, bool, error)

func ParseClientCertificateUID

func ParseClientCertificateUID(cert *x509.Certificate) (string, error)

ParseClientCertificateUID takes an x509 Certificate and loops through the Names in the Subject. If it finds an asn.ObjectIdentifier that matches UID, it returns the corresponding value. Otherwise returns empty string. If more than one UID is present, the first result found to match is returned (order not guaranteed).

func VerifyClientCertificate

func VerifyClientCertificate(r *http.Request, rootCertsDirPath string, insecureSkipVerify bool) error

VerifyClientCertificate takes a http.Request, pulls the (optionally) provided client TLS certificates and attempts to verify them against the directory of provided Root CA certificates. The Root CA certificates can be different than those utilized by the http.Server. Returns an error if the verification process fails

func VerifySCRYPTPassword

func VerifySCRYPTPassword(password string, scryptPassword string) error

VerifySCRYPTPassword parses the original Derived Key (DK) from the SCRYPT password so that it can compare that with the password/scriptPassword param

Types

type CurrentUser

type CurrentUser struct {
	UserName     string         `json:"userName" db:"username"`
	ID           int            `json:"id" db:"id"`
	PrivLevel    int            `json:"privLevel" db:"priv_level"`
	TenantID     int            `json:"tenantId" db:"tenant_id"`
	Role         int            `json:"role" db:"role"`
	RoleName     string         `json:"roleName" db:"role_name"`
	Capabilities pq.StringArray `json:"capabilities" db:"capabilities"`
	UCDN         string         `json:"ucdn" db:"ucdn"`
	// contains filtered or unexported fields
}

func GetCurrentUser

func GetCurrentUser(ctx context.Context) (*CurrentUser, error)

func GetCurrentUserFromDB

func GetCurrentUserFromDB(DB *sqlx.DB, user string, timeout time.Duration) (CurrentUser, error, error, int)

GetCurrentUserFromDB - returns the id and privilege level of the given user along with the username, or -1 as the id, - as the userName and PrivLevelInvalid if the user doesn't exist, along with a user facing error, a system error to log, and an error code to return

func (CurrentUser) Can

func (cu CurrentUser) Can(permission string) bool

Can returns whether or not the user has the specified Permission, i.e. whether or not they "can" do something.

Example
cu := CurrentUser{}
fmt.Println(cu.Can("anything"))
Output:

false

func (CurrentUser) MissingPermissions

func (cu CurrentUser) MissingPermissions(permissions ...string) []string

MissingPermissions returns all of the passed Permissions that the user does not have.

Example
cu := CurrentUser{}
missingPerms := cu.MissingPermissions("do something", "do anything")
fmt.Println(strings.Join(missingPerms, ", "))
Output:

do something, do anything

type PasswordForm

type PasswordForm struct {
	Username string `json:"u"`
	Password string `json:"p"`
}

type SCRYPTComponents

type SCRYPTComponents struct {
	Algorithm string // The SCRYPT algorithm prefix
	N         int    // CPU/memory cost parameter (logN)
	R         int    // block size parameter (octets)
	P         int    // parallelization parameter (positive int)
	Salt      []byte // salt value
	SaltLen   int    // bytes to use as salt (octets)
	DK        []byte // derived key value
	DKLen     int    // length of the derived key (octets)
}

SCRYPTComponents the input parameters to the Scrypt encryption key format

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL