auth

package
Published: Oct 3, 2023 License: Apache-2.0, BSD-2-Clause, BSD-3-Clause, + 1 more Imports: 30 Imported by: 0


Constants

// LDAP URL scheme prefixes used when building the server address for ConnectToLDAP.
// LDAPWithTLS ("ldaps://") wraps the connection in TLS; LDAPNoTLS ("ldap://") has
// no transport encryption, so the bind credentials travel in the clear unless the
// network path is otherwise protected.
const (
	LDAPWithTLS = "ldaps://"
	LDAPNoTLS   = "ldap://"
)
// CurrentUserKey is the context.Context key under which a request's CurrentUser is
// carried. Its unexported type `key` keeps other packages from colliding with it.
// NOTE(review): presumably the key that GetCurrentUser reads -- confirm in its body.
const CurrentUserKey key = iota
// KEY_DELIM is the separator used when composing multi-part keys; the keys it
// joins are not shown on this page.
const KEY_DELIM = ":"
// PrivLevelAdmin is the highest privilege level defined in this package
// (ReadOnly 10 < Federation/Portal/Steering 15 < Operations 20 < Admin 30).
const PrivLevelAdmin = 30
// PrivLevelFederation shares the value 15 with PrivLevelPortal and PrivLevelSteering,
// so a numeric priv-level comparison cannot distinguish these three roles; where the
// distinction matters, check Role/Capabilities rather than PrivLevel.
const PrivLevelFederation = 15
// PrivLevelInvalid is the default privilege level before a user has been resolved.
// It is below PrivLevelUnauthenticated (0), so any ">= level" check against it fails.
const PrivLevelInvalid = -1

PrivLevelInvalid is the default privilege level, assigned before a user has been looked up; it is lower than PrivLevelUnauthenticated (0), so any privilege check against it is denied.

// PrivLevelOperations sits between the 15-valued roles and PrivLevelAdmin (30).
const PrivLevelOperations = 20
// PrivLevelPortal shares the value 15 with PrivLevelFederation and PrivLevelSteering;
// a priv-level comparison alone cannot tell these roles apart.
const PrivLevelPortal = 15
// PrivLevelReadOnly is the lowest level in this list that is above
// PrivLevelUnauthenticated (0).
const PrivLevelReadOnly = 10
// PrivLevelSteering shares the value 15 with PrivLevelFederation and PrivLevelPortal;
// a priv-level comparison alone cannot tell these roles apart.
const PrivLevelSteering = 15
// PrivLevelUnauthenticated is the level of a caller that presented no credentials.
// Note it is still above PrivLevelInvalid (-1), so checks must not conflate the two.
const PrivLevelUnauthenticated = 0
// TenantIDInvalid is the default TenantID before one has been resolved for the user.
// Code that scopes data by tenant should treat it as "no tenant", never as a real row.
const TenantIDInvalid = -1

TenantIDInvalid is the default tenant ID, used until a tenant has been resolved for the user; it does not identify a real tenant.

Variables

// DefaultParams are the scrypt parameters used for newly derived password hashes
// (presumably by DerivePassword): N=16384 (2^14), r=8, p=1 -- about
// 128*r*N = 16 MiB of memory per derivation -- a 16-byte salt and a 64-byte
// derived key, tagged with the "SCRYPT" algorithm prefix. Before raising N,
// confirm the stored-hash format and the legacy Perl Crypt::ScryptKDF path
// can still verify the result.
var DefaultParams = SCRYPTComponents{
	Algorithm: "SCRYPT",
	DKLen:     64,
	SaltLen:   16,
	P:         1,
	R:         8,
	N:         16384,
}

The scrypt functionality defined in this package is derived from the following references: https://pkg.go.dev/golang.org/x/crypto/scrypt and https://www.tarsnap.com/scrypt/scrypt.pdf. Note that DefaultParams (N=16384, r=8, p=1, roughly 16 MiB per derivation) matches the scrypt paper's original interactive-login recommendation; current password-storage guidance (e.g. the OWASP Password Storage Cheat Sheet) recommends at least N=2^17 with r=8, p=1, so raising N should be considered where the stored-hash format and the Perl compatibility path allow it.

Functions

func AuthenticateUserDN

func AuthenticateUserDN(userDN string, password string, cfg *config.ConfigLDAP) (bool, error)

func CheckLDAPUser

func CheckLDAPUser(form PasswordForm, cfg *config.ConfigLDAP) (bool, error)

func CheckLocalUserIsAllowed

func CheckLocalUserIsAllowed(username string, db *sqlx.DB, ctx context.Context) (bool, error, error)

func CheckLocalUserPassword

func CheckLocalUserPassword(form PasswordForm, db *sqlx.DB, ctx context.Context) (bool, error, error)

func CheckLocalUserToken

func CheckLocalUserToken(token string, db *sqlx.DB, timeout time.Duration) (bool, string, error)

CheckLocalUserToken checks the passed token against the records in the database for a match; the database lookup is bounded by timeout (this is a query time limit, not a token validity period). The bool reports whether a match was found.

func ConnectToLDAP

func ConnectToLDAP(cfg *config.ConfigLDAP) (*ldap.Conn, error)

func DerivePassword

func DerivePassword(password string) (string, error)

DerivePassword uses the https://pkg.go.dev/golang.org/x/crypto/scrypt package to return a salted, scrypt-derived password hash (a one-way derivation, not encryption) in a format compatible with the Perl CPAN library Crypt::ScryptKDF, for backward compatibility so that the Perl API can authenticate against the same stored value. See: http://cpansearch.perl.org/src/MIK/Crypt-ScryptKDF-0.010/lib/Crypt/ScryptKDF.pm

func GetUserUcdn

func GetUserUcdn(form PasswordForm, db *sqlx.DB, ctx context.Context) (string, error)

GetUserUcdn returns the Upstream CDN to which the user belongs for CDNi operations.

func InitUsersCache

func InitUsersCache(interval time.Duration, db *sql.DB, timeout time.Duration)

InitUsersCache attempts to initialize the in-memory users data (if enabled), then starts a goroutine that refreshes the in-memory data from the database every interval, each refresh bounded by timeout. If lookups are served from this cache, a change to a user (for example disabling an account) may take up to interval to become visible; choose interval with that in mind.

func IsCommonPassword

func IsCommonPassword(pw string) bool

func IsGoodLoginPair

func IsGoodLoginPair(username string, password string) (bool, error)

func IsGoodPassword

func IsGoodPassword(password string) (bool, error)

func LoadPasswordBlacklist

func LoadPasswordBlacklist(filePath string) error

LoadPasswordBlacklist loads the password blacklist (presumably the list consulted by IsCommonPassword) from filePath, which is expected to be a path relative to the traffic_ops directory.

func LookupUserDN

func LookupUserDN(username string, cfg *config.ConfigLDAP) (string, bool, error)

func ParseClientCertificateUID

func ParseClientCertificateUID(cert *x509.Certificate) (string, error)

ParseClientCertificateUID takes an x509 Certificate and loops through the Names in its Subject. If it finds an asn1.ObjectIdentifier that matches UID, it returns the corresponding value; otherwise it returns the empty string. If more than one UID attribute is present, whichever matching entry is encountered first is returned and that order is not guaranteed, so a certificate carrying several UIDs maps to a nondeterministic identity; callers that use the UID for authorization should treat such certificates as ambiguous.

func VerifyClientCertificate

func VerifyClientCertificate(r *http.Request, rootCertsDirPath string, insecureSkipVerify bool) error

VerifyClientCertificate takes an http.Request, pulls the client TLS certificates it (optionally) presented and attempts to verify them against the directory of Root CA certificates at rootCertsDirPath. These Root CAs can differ from those used by the http.Server. Returns an error if the verification process fails. The insecureSkipVerify parameter, by its name, appears to relax that verification; exactly what it skips is not documented here, so confirm in the implementation before enabling it anywhere other than tests.

func VerifySCRYPTPassword

func VerifySCRYPTPassword(password string, scryptPassword string) error

VerifySCRYPTPassword parses the original derived key (DK) and its parameters from the stored scryptPassword string so that it can compare that DK with one derived from the supplied password. The comparison should be constant-time (for example crypto/subtle.ConstantTimeCompare) so that timing does not leak information about the stored DK; confirm this in the implementation.

Types

type CurrentUser

// CurrentUser is the authenticated principal attached to a request context
// (see GetCurrentUser and GetCurrentUserFromDB). The json tags are the wire
// form returned to API clients; the db tags are the columns it is loaded from.
type CurrentUser struct {
	UserName     string         `json:"userName" db:"username"`
	ID           int            `json:"id" db:"id"`                       // -1 when the user does not exist (see GetCurrentUserFromDB)
	PrivLevel    int            `json:"privLevel" db:"priv_level"`        // one of the PrivLevel* constants; PrivLevelInvalid (-1) until resolved
	TenantID     int            `json:"tenantId" db:"tenant_id"`          // TenantIDInvalid (-1) until resolved
	Role         int            `json:"role" db:"role"`
	RoleName     string         `json:"roleName" db:"role_name"`
	Capabilities pq.StringArray `json:"capabilities" db:"capabilities"`   // permissions; presumably what Can/MissingPermissions consult -- a zero-value user has none (see examples)
	UCDN         string         `json:"ucdn" db:"ucdn"`                   // upstream CDN for CDNi operations (see GetUserUcdn)
	// contains filtered or unexported fields
}

func GetCurrentUser

func GetCurrentUser(ctx context.Context) (*CurrentUser, error)

func GetCurrentUserFromDB

func GetCurrentUserFromDB(DB *sqlx.DB, user string, timeout time.Duration) (CurrentUser, error, error, int)

GetCurrentUserFromDB returns the ID, privilege level and username of the given user. If the user does not exist it returns -1 as the ID, "-" as the userName and PrivLevelInvalid as the privilege level. The remaining results are a user-facing error, a system error to log, and a status code to return.

func (CurrentUser) Can

func (cu CurrentUser) Can(permission string) bool

Can returns whether or not the user has the specified Permission, i.e. whether or not they "can" do something.

Example
// A zero-value CurrentUser carries no capabilities, so every permission check
// is denied -- the safe default for a user that was never resolved.
cu := CurrentUser{}
fmt.Println(cu.Can("anything"))
Output:

false

func (CurrentUser) MissingPermissions

func (cu CurrentUser) MissingPermissions(permissions ...string) []string

MissingPermissions returns all of the passed Permissions that the user does not have.

Example
// With no capabilities on the zero-value user, every requested permission is
// reported as missing, in the order it was passed.
cu := CurrentUser{}
missingPerms := cu.MissingPermissions("do something", "do anything")
fmt.Println(strings.Join(missingPerms, ", "))
Output:

do something, do anything

type PasswordForm

// PasswordForm is the JSON login payload, {"u": username, "p": password}, consumed
// by CheckLocalUserPassword, CheckLDAPUser and GetUserUcdn. The short tag names are
// the wire format and must not change. Password holds the submitted cleartext
// credential and must never be logged, echoed back, or stored as-is.
type PasswordForm struct {
	Username string `json:"u"`
	Password string `json:"p"`
}

type SCRYPTComponents

// SCRYPTComponents holds the parameters and outputs of a scrypt password hash as
// produced by DerivePassword and parsed back by VerifySCRYPTPassword.
type SCRYPTComponents struct {
	Algorithm string // The algorithm prefix of the stored hash ("SCRYPT" in DefaultParams)
	N         int    // CPU/memory cost parameter N itself, NOT log2(N): DefaultParams uses 16384 (2^14); the referenced x/crypto/scrypt package requires a power of two > 1
	R         int    // block size parameter r; a multiplier, not a byte count (memory use scales with 128*r*N bytes)
	P         int    // parallelization parameter (positive int)
	Salt      []byte // per-password salt value (SaltLen bytes)
	SaltLen   int    // number of salt bytes to use (octets)
	DK        []byte // derived key value
	DKLen     int    // length of the derived key (octets)
}

SCRYPTComponents holds the input parameters and outputs of the scrypt key-derivation format used for stored passwords (scrypt derives a key from the password; it does not encrypt it).
