ykval

package
v0.0.0-...-72724d7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 8, 2020 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	RelTolerance = 0.3
	AbsTolerance = 20

	SyncTimeout = 2

	SyncFast    SyncValue = 1
	SyncSecure  SyncValue = 40
	SyncDefault SyncValue = 60

	KeyClockFreq = float64(1) / float64(8)
)

https://github.com/Yubico/yubikey-val/blob/a850489d245c01c0f232db56af8ff0bfaa93fb21/ykval-config.php#L97

View Source 
const (
	// SyncResp is the format of the standard synchronize response from a YKVal module
	SyncResp = "OK counter=%d use=%d high=%d low=%d"
)

Variables

View Source 
var (
	// ErrInvalidTimeout is propagated when parsing of timeout fails or is invalid
	ErrInvalidTimeout = fmt.Errorf("invalid timeout string")

	// ErrInvalidSync  is propagated when parsing of sync fails or is invalid
	ErrInvalidSync = fmt.Errorf("invalid sync string")
)
View Source 
var (

	// ErrNoID is returned when no identifier is provided
	ErrNoID = fmt.Errorf("no ID provided")
	// ErrInvalidID is returned when the identifier is invalid
	ErrInvalidID = fmt.Errorf("invalid ID format")
	// ErrNoNonce is returned when nonce string is not provided
	ErrNoNonce = errors.New("no nonce provided")
	// ErrInvalidNonce is returned when the nonce string format is invalid
	ErrInvalidNonce = errors.New("invalid nonce format")

	// ErrNoClient is returned when no matching client can be found
	ErrNoClient = fmt.Errorf("no matching client")
	// ErrInvalidSignature is returned when the HMAC signature is invalid
	ErrInvalidSignature = fmt.Errorf("invalid signature")

	// ErrDelayedOTP is returned when OTP is out of date
	ErrDelayedOTP = fmt.Errorf("delayed OTP")
	// ErrReplayedOTP is returned when OTP as already been seen
	ErrReplayedOTP = fmt.Errorf("replayed OTP")

	// ErrReplayedRequest is returned when the request as already been seen
	ErrReplayedRequest = fmt.Errorf("replayed request")
	// ErrNotEnoughAnswers is returned when there is not enough answers for consensus
	ErrNotEnoughAnswers = fmt.Errorf("not enough answers")
	// ErrMissingParameter is returned when we miss one or more parameter
	ErrMissingParameter = fmt.Errorf("parameter missing")
	// ErrOperationNotAllowed is returned when something forbidden is requested
	ErrOperationNotAllowed = fmt.Errorf("operation not allowed")
	// ErrBackend is returned when some of the backend return an internal error
	ErrBackend = fmt.Errorf("backend error")
	// ErrUnknown is returned when something unexpected occurs
	ErrUnknown = fmt.Errorf("unknown error")
)

Functions

func ParseTimeoutString 

func ParseTimeoutString(timeout string) (int, error)

ParseTimeoutString parse timeout as a string to an int

func SyncClientTimeoutOpt 

func SyncClientTimeoutOpt(timeout int) func(*SyncClient)

SyncClientTimeoutOpt setter for private fields used at initialization

func ValidateID 

func ValidateID(str string) (uint64, error)

ValidateID checks the string identifier format

func ValidateNonce 

func ValidateNonce(nonce string) error

ValidateNonce checks the nonce string format

func ValidateSignature 

func ValidateSignature(hash, cipher string, key []byte) error

ValidateSignature checks if the signature is valid with the given key

Types

type BaseRequest 

type BaseRequest struct {
	ID    uint64
	OTP   string
	Hash  string
	Nonce string
	Key   []byte
}

BaseRequest structure represents the common fields of the Yubico validation protocol https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html#_request

func ParseBaseRequest 

func ParseBaseRequest(logger zerolog.Logger, loader yubico.ClientLoader, values url.Values) (req BaseRequest, err error)

ParseBaseRequest parse a url.Values structure and return a BaseRequest object

type HTTPDoer 

type HTTPDoer interface {
	Do(*http.Request) (*http.Response, error)
}

HTTPDoer is an interface abstracting the Do function allowing us to plug alternative flows

type HTTPDoerFunc 

type HTTPDoerFunc func(*http.Request) (*http.Response, error)

HTTPDoerFunc is a wrapper for a function to implement the HttpDoer interface

func (HTTPDoerFunc) Do 

func (df HTTPDoerFunc) Do(req *http.Request) (*http.Response, error)

Do wraps a function to implement HTTPDoer interface

type Status 

type Status int

Status is the binding to a status code 

const (
	// UnknownStatus is the default base status
	UnknownStatus Status = iota
	// Ok the OTP is valid
	Ok
	// BadOTP the OTP is invalid format
	BadOTP
	// ReplayedOTP the OTP has already been seen by the service.
	ReplayedOTP
	// BadSignature the HMAC signature verification failed.
	BadSignature
	// MissingParameter the request lacks a parameter.
	MissingParameter
	// NoSuchClient the request id does not exist.
	NoSuchClient
	// OperationNotAllowed the request id is not allowed to verify OTPs.
	OperationNotAllowed
	// BackendError unexpected error in our server. Please contact us if you see this error.
	BackendError
	// NotEnoughAnswers server could not get requested number of syncs during before timeout
	NotEnoughAnswers
	// ReplayedRequest server has seen the OTP/Nonce combination before
	ReplayedRequest
)

func NewStatus 

func NewStatus(str string) Status

NewStatus create a Status out of an error string

func (Status) Error 

func (s Status) Error() error

Error handle the mapping between a status code and a Go error

func (Status) String 

func (s Status) String() string

String handle the mapping between a status code and its string representation

type SyncClient 

type SyncClient struct {
	zerolog.Logger
	HTTPDoer
	SyncRequest
	// contains filtered or unexported fields
}

SyncClient is responsible to handle sync request lifecycle

func NewSyncClient 

func NewSyncClient(options ...func(*SyncClient)) *SyncClient

NewSyncClient creates a new instance of the SyncClient structure by passing options you can set up some internal fields

func (*SyncClient) Cancel 

func (sc *SyncClient) Cancel()

Cancel propagate the cancellation to the internal http.Client

func (*SyncClient) Context 

func (sc *SyncClient) Context() context.Context

Context is a getter of the internal context.Context

func (*SyncClient) Send 

func (sc *SyncClient) Send(uri string) *yubico.Yubikey

Send is sending the internal SyncRequest, parse the response and return nil if something bad happen

type SyncRequest 

type SyncRequest struct {
	BaseRequest
	Counter  uint
	Use      uint
	Low      uint
	High     uint
	Modified int64
}

SyncRequest structure represents the fields of a synchronization request

func CreateSync 

func CreateSync(req VerifyRequest, ykey *yubico.Yubikey) SyncRequest

CreateSync creates a new SyncRequest with proper fields setup

func ParseSyncRequest 

func ParseSyncRequest(logger zerolog.Logger, loader yubico.ClientLoader, values url.Values) (req SyncRequest, err error)

ParseSyncRequest parse url.Values structure and return a SyncRequest object

func (SyncRequest) String 

func (sr SyncRequest) String() string

String dump a SyncRequest into a readable string

func (SyncRequest) Token 

func (sr SyncRequest) Token() *yubico.Token

Token creates a token out of a SyncRequest

func (SyncRequest) Values 

func (sr SyncRequest) Values() url.Values

Values transform a SyncRequest into a url.Values structure

type SyncValue 

type SyncValue int

SyncValue is the synchronization percentage we need to reach to validate synchronization

func ParseSyncString 

func ParseSyncString(sync string) (SyncValue, error)

ParseSyncString parses synch string to an int

type Synchronizer 

type Synchronizer interface {
	Synchronize(request SyncRequest) (*yubico.Yubikey, error)
}

Synchronizer interface abstract the handling of a synchronize request

type SynchronizerFactory 

type SynchronizerFactory func(zerolog.Logger) Synchronizer

SynchronizerFactory is currying a Synchronizer to inject a logger on each request

type SynchronizerFunc 

type SynchronizerFunc func(SyncRequest) (*yubico.Yubikey, error)

SynchronizerFunc is a wrapper for a function to implement the Synchronizer interface

func (SynchronizerFunc) Synchronize 

func (sf SynchronizerFunc) Synchronize(r SyncRequest) (*yubico.Yubikey, error)

Synchronize wraps a function to implement Synchronizer interface

type Verifier 

type Verifier interface {
	Verify(VerifyRequest) (*yubico.Yubikey, error)
}

Verifier interface abstracts the verification of the token over network clients

type VerifierFactory 

type VerifierFactory func(zerolog.Logger) Verifier

VerifierFactory is currying a Verifier to inject a logger on each request

type VerifierFunc 

type VerifierFunc func(VerifyRequest) (*yubico.Yubikey, error)

VerifierFunc is a wrapper for a function to implement the Verifier interface

func (VerifierFunc) Verify 

func (vf VerifierFunc) Verify(r VerifyRequest) (*yubico.Yubikey, error)

Verify wraps a function to implement Verify interface

type VerifyRequest 

type VerifyRequest struct {
	BaseRequest
	Timestamp bool
	Sl        SyncValue
	Timeout   int
}

VerifyRequest structure represents the fields of a verification request

func ParseVerifyRequest 

func ParseVerifyRequest(logger zerolog.Logger, loader yubico.ClientLoader, values url.Values) (req VerifyRequest, err error)

ParseVerifyRequest parse url.Values structure and return a VerifyRequest object

func (VerifyRequest) String 

func (vr VerifyRequest) String() string

String dump a VerifyRequest into a readable string

type YKVal 

type YKVal struct {
	zerolog.Logger
	ykksm.DecrypterFactory
	YubikeyDBMapperFactory
	Servers        []string
	SyncClientOpts []func(*SyncClient)
}

YKVal struct handles the features of the yubico YKVal module

func NewYKVal 

func NewYKVal(mapper YubikeyDBMapperFactory, options ...func(*YKVal)) *YKVal

NewYKVal creates a new instance of YKVal with sensible default

func (*YKVal) Check 

func (y *YKVal) Check(req VerifyRequest) (*yubico.Token, *yubico.Yubikey, error)

Check perform basic checks against the verify request

func (*YKVal) Phishing 

func (y *YKVal) Phishing(ytoken *yubico.Token, ykey *yubico.Yubikey) bool

Phishing performs some time check in order to detect potential interception of a token

func (*YKVal) Synchronize 

func (y *YKVal) Synchronize(req SyncRequest) (*yubico.Yubikey, error)

Synchronize handle the synchronize request and check against internal state

func (*YKVal) Verify 

func (y *YKVal) Verify(req VerifyRequest) (*yubico.Yubikey, error)

Verify implements the Verifier interface and perform an otp validation over the network.

type YubikeyDBMapperFactory 

type YubikeyDBMapperFactory func(zerolog.Logger) yubico.YubikeyDBMapper

YubikeyDBMapperFactory is currying a YubikeyDBMapper to inject a logger on each request

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.