authn

package
v0.0.0-...-69aa630 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jun 10, 2024 License: Apache-2.0 Imports: 37 Imported by: 10

Documentation

Index

Constants

This section is empty.

Variables

// EnableSQLite3 is off by default.
// NOTE(review): presumably toggles SQLite3 support for the xorm-backed
// authenticator — confirm where it is read.
var (
	EnableSQLite3 = false
)
// ExpiredToken is the sentinel error carrying the message "expired token".
// Compare against it with errors.Is rather than by message text.
// NOTE(review): Go convention would name this ErrExpiredToken; the exported
// name is part of the package API, so it is left unchanged.
var ExpiredToken = errors.New("expired token")

Functions

func NewExtAuth

func NewExtAuth(cfg *ExtAuthConfig) *extAuth

func NewStaticUserAuth

func NewStaticUserAuth(users map[string]*Requirements) *staticUsersAuth

Types

type CodeToGitlabTokenResponse

// CodeToGitlabTokenResponse is the JSON shape of an OAuth token response.
// NOTE(review): by its name this is GitLab's reply to the authorization-code
// exchange — confirm against DoGitlabAuth.
// AccessToken and RefreshToken are bearer credentials; keep them out of logs
// and error messages.
type CodeToGitlabTokenResponse struct {
	AccessToken  string `json:"access_token,omitempty"`
	TokenType    string `json:"token_type,omitempty"`
	// NOTE(review): units of ExpiresIn and CreatedAt are not visible here
	// (presumably seconds and a Unix timestamp) — confirm.
	ExpiresIn    int64  `json:"expires_in,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	CreatedAt    int64  `json:"created_at,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

type CodeToTokenResponse

// CodeToTokenResponse is the JSON shape of the reply to a
// grant_type=authorization_code request.
// IDToken, AccessToken and RefreshToken are credentials; keep them out of
// logs and error messages.
type CodeToTokenResponse struct {
	IDToken      string `json:"id_token,omitempty"`
	AccessToken  string `json:"access_token,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	// NOTE(review): presumably seconds until the access token expires — confirm.
	ExpiresIn    int64  `json:"expires_in,omitempty"`
	TokenType    string `json:"token_type,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

CodeToTokenResponse is sent by Google servers in response to the grant_type=authorization_code request.

type ExtAuthConfig

// ExtAuthConfig names an external command and its arguments, read from the
// YAML keys "command" and "args".
// NOTE(review): presumably the program NewExtAuth runs to decide a login; it
// would run with the auth server's privileges, so both the config file and
// the binary at Command should be writable only by the service owner —
// confirm how credentials are handed to it (stdin versus argv) in the
// extAuth implementation.
type ExtAuthConfig struct {
	Command string   `yaml:"command"`
	Args    []string `yaml:"args"`
}

func (*ExtAuthConfig) Validate

func (c *ExtAuthConfig) Validate() error

type ExtAuthResponse

// ExtAuthResponse is a JSON object with an optional "labels" member.
// NOTE(review): presumably parsed from the external command's output; the
// labels then come from that program and should be trusted only as far as
// the program is — confirm.
type ExtAuthResponse struct {
	Labels api.Labels `json:"labels,omitempty"`
}

type ExtAuthStatus

// ExtAuthStatus is the integer outcome of an external authentication attempt.
// NOTE(review): the values presumably mirror the external command's exit
// code — confirm in the extAuth implementation.
type ExtAuthStatus int
const (
	// The values are written out explicitly rather than with iota.
	// NOTE(review): meanings are inferred from the names — NoMatch presumably
	// means the backend does not know the user, Error a failure to decide.
	// Callers should treat anything other than ExtAuthAllowed as not
	// authenticated.
	ExtAuthAllowed ExtAuthStatus = 0
	ExtAuthDenied  ExtAuthStatus = 1
	ExtAuthNoMatch ExtAuthStatus = 2
	ExtAuthError   ExtAuthStatus = 3
)

type GCSStoreConfig

// GCSStoreConfig holds the YAML settings for a Google Cloud Storage token
// store: the bucket, a client secret file and a token hash cost.
type GCSStoreConfig struct {
	Bucket           string `yaml:"bucket,omitempty"`
	// Path to a credentials file; restrict its file permissions.
	ClientSecretFile string `yaml:"client_secret_file,omitempty"`
	// NOTE(review): presumably the bcrypt cost applied to the stored Docker
	// password — confirm, and confirm what an unset (0) value selects.
	TokenHashCost    int    `yaml:"token_hash_cost,omitempty"`
}

type GitHubAuth

// GitHubAuth is the GitHub-backed authenticator. It is created with
// NewGitHubAuth and exposes Authenticate, DoGitHubAuth, Name and Stop; all of
// its state is unexported.
type GitHubAuth struct {
	// contains filtered or unexported fields
}

func NewGitHubAuth

func NewGitHubAuth(c *GitHubAuthConfig) (*GitHubAuth, error)

func (*GitHubAuth) Authenticate

func (gha *GitHubAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*GitHubAuth) DoGitHubAuth

func (gha *GitHubAuth) DoGitHubAuth(rw http.ResponseWriter, req *http.Request)

func (*GitHubAuth) Name

func (gha *GitHubAuth) Name() string

func (*GitHubAuth) Stop

func (gha *GitHubAuth) Stop()

type GitHubAuthConfig

// GitHubAuthConfig holds the YAML settings passed to NewGitHubAuth.
type GitHubAuthConfig struct {
	// NOTE(review): presumably logins are limited to members of this
	// organization — confirm what happens when it is left empty.
	Organization     string              `yaml:"organization,omitempty"`
	ClientId         string              `yaml:"client_id,omitempty"`
	// The OAuth client secret can be given inline or through a file.
	// NOTE(review): precedence between the two is not visible here — confirm
	// in NewGitHubAuth. The file form keeps the secret out of the main
	// config; restrict that file's permissions.
	ClientSecret     string              `yaml:"client_secret,omitempty"`
	ClientSecretFile string              `yaml:"client_secret_file,omitempty"`
	// Token store backends (LevelDB, Google Cloud Storage, Redis).
	// NOTE(review): presumably exactly one is expected — confirm.
	LevelTokenDB     *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
	GCSTokenDB       *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
	RedisTokenDB     *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
	HTTPTimeout      time.Duration       `yaml:"http_timeout,omitempty"`
	// NOTE(review): presumably how long a stored token is trusted before it
	// is re-checked with GitHub; if so, it bounds how long a removed user
	// keeps access — confirm.
	RevalidateAfter  time.Duration       `yaml:"revalidate_after,omitempty"`
	// NOTE(review): presumably overrides for a self-hosted GitHub; they
	// should be https URLs, since tokens are sent to them — confirm.
	GithubWebUri     string              `yaml:"github_web_uri,omitempty"`
	GithubApiUri     string              `yaml:"github_api_uri,omitempty"`
	RegistryUrl      string              `yaml:"registry_url,omitempty"`
}

type GitHubAuthRequest

// GitHubAuthRequest is a JSON object with optional "action", "code" and
// "token" members.
// NOTE(review): presumably the request body handled by DoGitHubAuth; all
// three values would then be client-supplied and must be validated —
// confirm.
type GitHubAuthRequest struct {
	Action string `json:"action,omitempty"`
	Code   string `json:"code,omitempty"`
	Token  string `json:"token,omitempty"`
}

type GitHubOrganization

// GitHubOrganization is the JSON shape of an organization: its login name
// and numeric id.
type GitHubOrganization struct {
	Login string `json:"login"`
	Id    int64  `json:"id,omitempty"`
}

type GitHubTeam

// GitHubTeam is the JSON shape of a team, including the organization it
// belongs to and an optional parent team.
type GitHubTeam struct {
	Id           int64               `json:"id"`
	Url          string              `json:"url,omitempty"`
	Name         string              `json:"name,omitempty"`
	Slug         string              `json:"slug,omitempty"`
	// Pointer fields: nil when the member is absent from the JSON, so
	// dereference only after a nil check.
	Organization *GitHubOrganization `json:"organization"`
	Parent       *ParentGitHubTeam   `json:"parent,omitempty"`
}

type GitHubTeamCollection

// GitHubTeamCollection is a slice of GitHubTeam values.
type GitHubTeamCollection []GitHubTeam

type GitHubTokenUser

// GitHubTokenUser is the JSON shape of a user record: "login" and "email".
// NOTE(review): presumably the account a token belongs to, as reported by
// the GitHub API — confirm.
type GitHubTokenUser struct {
	Login string `json:"login,omitempty"`
	Email string `json:"email,omitempty"`
}

type GitlabAuth

// GitlabAuth is the GitLab-backed authenticator. It is created with
// NewGitlabAuth and exposes Authenticate, DoGitlabAuth, Name and Stop; all of
// its state is unexported.
type GitlabAuth struct {
	// contains filtered or unexported fields
}

func NewGitlabAuth

func NewGitlabAuth(c *GitlabAuthConfig) (*GitlabAuth, error)

func (*GitlabAuth) Authenticate

func (glab *GitlabAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*GitlabAuth) DoGitlabAuth

func (glab *GitlabAuth) DoGitlabAuth(rw http.ResponseWriter, req *http.Request)

func (*GitlabAuth) Name

func (glab *GitlabAuth) Name() string

func (*GitlabAuth) Stop

func (glab *GitlabAuth) Stop()

type GitlabAuthConfig

// GitlabAuthConfig holds the YAML settings passed to NewGitlabAuth.
type GitlabAuthConfig struct {
	// NOTE(review): presumably logins are limited to members of this
	// organization or group — confirm what happens when it is left empty.
	Organization     string              `yaml:"organization,omitempty"`
	ClientId         string              `yaml:"client_id,omitempty"`
	// The OAuth client secret can be given inline or through a file.
	// NOTE(review): precedence between the two is not visible here — confirm
	// in NewGitlabAuth. The file form keeps the secret out of the main
	// config; restrict that file's permissions.
	ClientSecret     string              `yaml:"client_secret,omitempty"`
	ClientSecretFile string              `yaml:"client_secret_file,omitempty"`
	// Token store backends (LevelDB, Google Cloud Storage, Redis).
	// NOTE(review): presumably exactly one is expected — confirm.
	LevelTokenDB     *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
	GCSTokenDB       *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
	RedisTokenDB     *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
	HTTPTimeout      time.Duration       `yaml:"http_timeout,omitempty"`
	// NOTE(review): presumably how long a stored token is trusted before it
	// is re-checked with GitLab; if so, it bounds how long a removed user
	// keeps access — confirm.
	RevalidateAfter  time.Duration       `yaml:"revalidate_after,omitempty"`
	// NOTE(review): these should be https URLs, since tokens are sent to
	// them — confirm whether the scheme is checked.
	GitlabWebUri     string              `yaml:"gitlab_web_uri,omitempty"`
	GitlabApiUri     string              `yaml:"gitlab_api_uri,omitempty"`
	RegistryUrl      string              `yaml:"registry_url,omitempty"`
	GrantType        string              `yaml:"grant_type,omitempty"`
	// NOTE(review): presumably must match the redirect URI registered for
	// the OAuth application exactly — confirm.
	RedirectUri      string              `yaml:"redirect_uri,omitempty"`
}

type GitlabAuthRequest

// GitlabAuthRequest is a JSON object with optional "action", "code" and
// "token" members.
// NOTE(review): presumably the request body handled by DoGitlabAuth; all
// three values would then be client-supplied and must be validated —
// confirm.
type GitlabAuthRequest struct {
	Action string `json:"action,omitempty"`
	Code   string `json:"code,omitempty"`
	Token  string `json:"token,omitempty"`
}

type GitlabOrganization

// GitlabOrganization is the JSON shape of an organization: its login name
// and numeric id.
type GitlabOrganization struct {
	Login string `json:"login"`
	Id    int64  `json:"id,omitempty"`
}

type GitlabTeam

// GitlabTeam is the JSON shape of a team, including the organization it
// belongs to and an optional parent team.
type GitlabTeam struct {
	Id           int64               `json:"id"`
	Url          string              `json:"url,omitempty"`
	Name         string              `json:"name,omitempty"`
	Slug         string              `json:"slug,omitempty"`
	// Pointer fields: nil when the member is absent from the JSON, so
	// dereference only after a nil check.
	Organization *GitlabOrganization `json:"organization"`
	Parent       *ParentGitlabTeam   `json:"parent,omitempty"`
}

type GitlabTeamCollection

// GitlabTeamCollection is a slice of GitlabTeam values.
type GitlabTeamCollection []GitlabTeam

type GitlabTokenUser

// GitlabTokenUser is the JSON shape of a user record.
type GitlabTokenUser struct {
	// Login is read from the JSON member "username", not "login".
	Login string `json:"username,omitempty"`
	Email string `json:"email,omitempty"`
}

type GoogleAuth

// GoogleAuth is the Google-backed authenticator. It is created with
// NewGoogleAuth and exposes Authenticate, DoGoogleAuth, Name and Stop; all of
// its state is unexported.
type GoogleAuth struct {
	// contains filtered or unexported fields
}

func NewGoogleAuth

func NewGoogleAuth(c *GoogleAuthConfig) (*GoogleAuth, error)

func (*GoogleAuth) Authenticate

func (ga *GoogleAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*GoogleAuth) DoGoogleAuth

func (ga *GoogleAuth) DoGoogleAuth(rw http.ResponseWriter, req *http.Request)

func (*GoogleAuth) Name

func (ga *GoogleAuth) Name() string

func (*GoogleAuth) Stop

func (ga *GoogleAuth) Stop()

type GoogleAuthConfig

// GoogleAuthConfig holds the YAML settings passed to NewGoogleAuth.
type GoogleAuthConfig struct {
	// NOTE(review): presumably restricts logins to accounts of this domain —
	// confirm, and confirm whether an empty value accepts any Google account.
	Domain           string              `yaml:"domain,omitempty"`
	ClientId         string              `yaml:"client_id,omitempty"`
	// The OAuth client secret can be given inline or through a file.
	// NOTE(review): precedence between the two is not visible here — confirm
	// in NewGoogleAuth. The file form keeps the secret out of the main
	// config; restrict that file's permissions.
	ClientSecret     string              `yaml:"client_secret,omitempty"`
	ClientSecretFile string              `yaml:"client_secret_file,omitempty"`
	// Token store backends (LevelDB, Google Cloud Storage, Redis).
	// NOTE(review): presumably exactly one is expected — confirm.
	LevelTokenDB     *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
	GCSTokenDB       *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
	RedisTokenDB     *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
	HTTPTimeout      time.Duration       `yaml:"http_timeout,omitempty"`
}

type GoogleAuthRequest

// GoogleAuthRequest is a JSON object with optional "action", "code" and
// "token" members.
// NOTE(review): presumably the request body handled by DoGoogleAuth; all
// three values would then be client-supplied and must be validated —
// confirm.
type GoogleAuthRequest struct {
	Action string `json:"action,omitempty"`
	Code   string `json:"code,omitempty"`
	Token  string `json:"token,omitempty"`
}

type GoogleTokenInfo

// GoogleTokenInfo is the JSON shape of a token-information reply describing
// an access token: who it was issued to, for which audience and scopes, and
// how long it remains valid.
type GoogleTokenInfo struct {
	// AccessType: The access type granted with this token. It can be
	// offline or online.
	AccessType string `json:"access_type,omitempty"`

	// Audience: Who is the intended audience for this token. In general the
	// same as issued_to.
	// NOTE(review): a verifier should compare this with its own client id so
	// that a token issued to another application is not accepted — confirm
	// that the authenticator does so.
	Audience string `json:"audience,omitempty"`

	// Email: The email address of the user. Present only if the email scope
	// is present in the request.
	Email string `json:"email,omitempty"`

	// ExpiresIn: The expiry time of the token, as number of seconds left
	// until expiry.
	ExpiresIn int64 `json:"expires_in,omitempty"`

	// IssuedTo: To whom was the token issued to. In general the same as
	// audience.
	IssuedTo string `json:"issued_to,omitempty"`

	// Scope: The space separated list of scopes granted to this token.
	Scope string `json:"scope,omitempty"`

	// TokenHandle: The token handle associated with this token.
	TokenHandle string `json:"token_handle,omitempty"`

	// UserId: The obfuscated user id.
	UserId string `json:"user_id,omitempty"`

	// VerifiedEmail: Boolean flag which is true if the email address is
	// verified. Present only if the email scope is present in the request.
	// The zero value is false, so an absent member reads as "not verified".
	VerifiedEmail bool `json:"verified_email,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

From github.com/google-api-go-client/oauth2/v2/oauth2-gen.go

type LDAPAuth

// LDAPAuth is the LDAP-backed authenticator. It is created with NewLDAPAuth
// and exposes Authenticate, Name and Stop; all of its state is unexported.
type LDAPAuth struct {
	// contains filtered or unexported fields
}

func NewLDAPAuth

func NewLDAPAuth(c *LDAPAuthConfig) (*LDAPAuth, error)

func (*LDAPAuth) Authenticate

func (la *LDAPAuth) Authenticate(account string, password api.PasswordString) (bool, api.Labels, error)

For how to authenticate a user, refer to https://github.com/go-ldap/ldap/blob/master/example_test.go#L166

func (*LDAPAuth) Name

func (la *LDAPAuth) Name() string

func (*LDAPAuth) Stop

func (la *LDAPAuth) Stop()

type LDAPAuthConfig

// LDAPAuthConfig holds the YAML settings passed to NewLDAPAuth.
type LDAPAuthConfig struct {
	Addr                  string              `yaml:"addr,omitempty"`
	// NOTE(review): the accepted values of TLS are not visible here —
	// confirm, and confirm whether an empty value means a plaintext
	// connection, in which case bind passwords cross the network unencrypted.
	TLS                   string              `yaml:"tls,omitempty"`
	// NOTE(review): by its name this turns off verification of the LDAP
	// server's certificate, which removes protection against an
	// impersonated server; leave it false and use CACertificate to trust a
	// private CA — confirm the exact semantics in NewLDAPAuth.
	InsecureTLSSkipVerify bool                `yaml:"insecure_tls_skip_verify,omitempty"`
	CACertificate         string              `yaml:"ca_certificate,omitempty"`
	Base                  string              `yaml:"base,omitempty"`
	// NOTE(review): if the account name is substituted into this search
	// filter, it has to be LDAP-escaped first — confirm in Authenticate.
	Filter                string              `yaml:"filter,omitempty"`
	BindDN                string              `yaml:"bind_dn,omitempty"`
	// The bind password is read from a file rather than given inline;
	// restrict that file's permissions.
	BindPasswordFile      string              `yaml:"bind_password_file,omitempty"`
	// Read from the YAML key "labels", not "label_maps".
	LabelMaps             map[string]LabelMap `yaml:"labels,omitempty"`
	// NOTE(review): presumably binds with the user's own credentials instead
	// of BindDN for the initial search — confirm.
	InitialBindAsUser     bool                `yaml:"initial_bind_as_user,omitempty"`
}

type LabelMap

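// LabelMap holds the YAML settings for one label mapping: the attribute name
// and two boolean options.
// NOTE(review): presumably describes how an LDAP attribute is turned into a
// label (see LDAPAuthConfig.LabelMaps) — confirm.
type LabelMap struct {
	Attribute string `yaml:"attribute,omitempty"`
	ParseCN   bool   `yaml:"parse_cn,omitempty"`
	// The tag used to read `yaml:"lower_case",omitempty"`: the stray quote
	// ended the value after "lower_case", so omitempty was silently dropped
	// and go vet's structtag check rejected the tag. The key name is
	// unchanged, so existing config files parse as before.
	LowerCase bool   `yaml:"lower_case,omitempty"`
}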

type LevelDBStoreConfig

// LevelDBStoreConfig holds the YAML settings for a LevelDB token store: the
// database path and a token hash cost.
type LevelDBStoreConfig struct {
	// The database at Path holds token records; restrict access to the
	// directory to the service account.
	Path          string `yaml:"path,omitempty"`
	// NOTE(review): presumably the bcrypt cost applied to the stored Docker
	// password — confirm, and confirm what an unset (0) value selects.
	TokenHashCost int    `yaml:"token_hash_cost,omitempty"`
}

type MongoAuth

// MongoAuth is the MongoDB-backed authenticator. It is created with
// NewMongoAuth and exposes Authenticate, Name and Stop. Collection is its
// only exported field; the rest of its state is unexported.
type MongoAuth struct {
	Collection string `yaml:"collection,omitempty"`
	// contains filtered or unexported fields
}

func NewMongoAuth

func NewMongoAuth(c *MongoAuthConfig) (*MongoAuth, error)

func (*MongoAuth) Authenticate

func (mauth *MongoAuth) Authenticate(account string, password api.PasswordString) (bool, api.Labels, error)

func (*MongoAuth) Name

func (ga *MongoAuth) Name() string

func (*MongoAuth) Stop

func (ma *MongoAuth) Stop()

type MongoAuthConfig

// MongoAuthConfig holds the YAML settings passed to NewMongoAuth.
type MongoAuthConfig struct {
	// Read from the YAML key "dial_info".
	// NOTE(review): presumably carries the database address and
	// credentials — confirm in mgo_session.Config.
	MongoConfig *mgo_session.Config `yaml:"dial_info,omitempty"`
	Collection  string              `yaml:"collection,omitempty"`
}

func (*MongoAuthConfig) Validate

func (c *MongoAuthConfig) Validate(configKey string) error

Validate ensures that any custom config options in a Config are set correctly.

type OIDCAuth

// OIDCAuth is the OpenID Connect authenticator. It is created with
// NewOIDCAuth and exposes Authenticate, DoOIDCAuth, Name and Stop; all of its
// state is unexported.
type OIDCAuth struct {
	// contains filtered or unexported fields
}

The specific OIDC authenticator

func NewOIDCAuth

func NewOIDCAuth(c *OIDCAuthConfig) (*OIDCAuth, error)

Creates everything necessary for OIDC auth.

func (*OIDCAuth) Authenticate

func (ga *OIDCAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

Called by server. Authenticates user with credentials that were given in the docker login command. If the token in the DB is expired, the OIDC access token is validated and, if possible, refreshed.

func (*OIDCAuth) DoOIDCAuth

func (ga *OIDCAuth) DoOIDCAuth(rw http.ResponseWriter, req *http.Request)

This function will be used by the server if the OIDC auth method is selected. It starts the page for OIDC login or requests an access token by using the code given by the OIDC provider.

func (*OIDCAuth) Name

func (ga *OIDCAuth) Name() string

func (*OIDCAuth) Stop

func (ga *OIDCAuth) Stop()

type OIDCAuthConfig

// OIDCAuthConfig holds the YAML settings passed to NewOIDCAuth.
type OIDCAuthConfig struct {
	// --- necessary ---
	// URL of the authentication provider. Must be able to serve the /.well-known/openid-configuration
	// NOTE(review): this should be an https URL, since provider metadata and
	// tokens are fetched from it — confirm whether the scheme is checked.
	Issuer string `yaml:"issuer,omitempty"`
	// URL of the auth server. Has to end with /oidc_auth
	RedirectURL string `yaml:"redirect_url,omitempty"`
	// ID and secret, provided by the OIDC provider after registration of the auth server
	// NOTE(review): precedence between ClientSecret and ClientSecretFile is
	// not visible here — confirm in NewOIDCAuth. The file form keeps the
	// secret out of the main config; restrict that file's permissions.
	ClientId         string `yaml:"client_id,omitempty"`
	ClientSecret     string `yaml:"client_secret,omitempty"`
	ClientSecretFile string `yaml:"client_secret_file,omitempty"`
	// path where the tokendb should be stored within the container
	LevelTokenDB *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
	GCSTokenDB   *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
	RedisTokenDB *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
	// --- optional ---
	HTTPTimeout time.Duration `yaml:"http_timeout,omitempty"`
	// the URL of the docker registry. Used to generate a full docker login command after authentication
	RegistryURL string `yaml:"registry_url,omitempty"`
	// --- optional ---
	// String claim to use for the username
	// NOTE(review): the chosen claim should be one the provider guarantees
	// to be unique and not user-editable — confirm the default.
	UserClaim string `yaml:"user_claim,omitempty"`
	// --- optional ---
	// []string to add as labels.
	LabelsClaims []string `yaml:"labels_claims,omitempty"`
	// --- optional ---
	Scopes []string `yaml:"scopes,omitempty"`
}

All configuration options

type OIDCRefreshTokenResponse

// OIDCRefreshTokenResponse is the JSON shape of the reply to a
// grant_type=refresh_token request. Unlike RefreshTokenResponse it carries a
// "refresh_token" member.
// AccessToken and RefreshToken are credentials; keep them out of logs.
type OIDCRefreshTokenResponse struct {
	AccessToken  string `json:"access_token,omitempty"`
	// NOTE(review): presumably seconds until the access token expires — confirm.
	ExpiresIn    int64  `json:"expires_in,omitempty"`
	TokenType    string `json:"token_type,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

OIDCRefreshTokenResponse is sent by OIDC provider in response to the grant_type=refresh_token request.

type ParentGitHubTeam

// ParentGitHubTeam is the JSON shape of a team's parent: id, name and slug.
// It is the type of GitHubTeam.Parent.
type ParentGitHubTeam struct {
	Id   int64  `json:"id"`
	Name string `json:"name,omitempty"`
	Slug string `json:"slug,omitempty"`
}

type ParentGitlabTeam

// ParentGitlabTeam is the JSON shape of a team's parent: id, name and slug.
// It is the type of GitlabTeam.Parent.
type ParentGitlabTeam struct {
	Id   int64  `json:"id"`
	Name string `json:"name,omitempty"`
	Slug string `json:"slug,omitempty"`
}

type PluginAuthn

// PluginAuthn wraps an api.Authenticator in its exported Authn field. It is
// created with NewPluginAuthn and exposes Authenticate, Name and Stop.
// NOTE(review): presumably Authn is the authenticator obtained from the
// plugin and the methods delegate to it — confirm.
type PluginAuthn struct {
	Authn api.Authenticator
	// contains filtered or unexported fields
}

func NewPluginAuthn

func NewPluginAuthn(cfg *PluginAuthnConfig) (*PluginAuthn, error)

func (*PluginAuthn) Authenticate

func (c *PluginAuthn) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*PluginAuthn) Name

func (c *PluginAuthn) Name() string

func (*PluginAuthn) Stop

func (c *PluginAuthn) Stop()

type PluginAuthnConfig

// PluginAuthnConfig holds the path of an authentication plugin, read from
// the YAML key "plugin_path".
// NOTE(review): presumably the file is loaded into the auth server's
// process, where its code runs with the server's privileges and access to
// submitted credentials; the path and the file should be writable only by
// the service owner — confirm what Validate checks.
type PluginAuthnConfig struct {
	PluginPath string `yaml:"plugin_path"`
}

func (*PluginAuthnConfig) Validate

func (c *PluginAuthnConfig) Validate() error

type ProfileResponse

// ProfileResponse is the JSON shape of a profile reply: the email address
// and whether it is verified.
type ProfileResponse struct {
	Email         string `json:"email,omitempty"`
	// The zero value is false, so an absent member reads as "not verified".
	VerifiedEmail bool   `json:"verified_email,omitempty"`
}

ProfileResponse is sent by the /userinfo/v2/me endpoint. We use it to validate access token and (re)verify the email address associated with it.

type RedisClient

// RedisClient is the subset of Redis operations this package declares a need
// for: get, set with an expiration, and delete. Each method returns the
// corresponding redis command value.
// NOTE(review): presumably satisfied by both the single-node and the cluster
// client (see RedisStoreConfig) — confirm.
type RedisClient interface {
	Get(key string) *redis.StringCmd
	Set(key string, value interface{}, expiration time.Duration) *redis.StatusCmd
	Del(keys ...string) *redis.IntCmd
}

type RedisStoreConfig

// RedisStoreConfig holds the YAML settings for a Redis token store.
type RedisStoreConfig struct {
	// Options for a single-node client ("redis_options") or a cluster client
	// ("redis_cluster_options").
	// NOTE(review): presumably only one of the two is used — confirm in
	// NewRedisTokenDB. The options may carry the Redis password, and the
	// store holds token records, so enable Redis authentication and TLS
	// where the deployment supports it.
	ClientOptions  *redis.Options        `yaml:"redis_options,omitempty"`
	ClusterOptions *redis.ClusterOptions `yaml:"redis_cluster_options,omitempty"`
	// NOTE(review): presumably the bcrypt cost applied to the stored Docker
	// password — confirm, and confirm what an unset (0) value selects.
	TokenHashCost  int                   `yaml:"token_hash_cost,omitempty"`
}

type RefreshTokenResponse

// RefreshTokenResponse is the JSON shape of the reply to a
// grant_type=refresh_token request. It has no "refresh_token" member.
// AccessToken is a bearer credential; keep it out of logs.
type RefreshTokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	// NOTE(review): presumably seconds until the access token expires — confirm.
	ExpiresIn   int64  `json:"expires_in,omitempty"`
	TokenType   string `json:"token_type,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

RefreshTokenResponse is sent by Google servers in response to the grant_type=refresh_token request.

type Requirements

// Requirements is one entry of the static user list given to
// NewStaticUserAuth: an optional password and the user's labels. It can be
// read from both YAML and JSON.
type Requirements struct {
	// Password is a pointer, so it is nil when no password is configured.
	// NOTE(review): what a nil password means for authentication is not
	// visible here — confirm in staticUsersAuth. Also confirm that String()
	// does not print the password value and in which form (plain or hashed)
	// it is expected.
	Password *api.PasswordString `yaml:"password,omitempty" json:"password,omitempty"`
	Labels   api.Labels          `yaml:"labels,omitempty" json:"labels,omitempty"`
}

func (Requirements) String

func (r Requirements) String() string

type TokenDB

// TokenDB is the token store interface. This package provides constructors
// for LevelDB (NewTokenDB), Google Cloud Storage (NewGCSTokenDB) and Redis
// (NewRedisTokenDB) implementations.
type TokenDB interface {
	// GetValue takes a username and returns the corresponding token
	GetValue(string) (*TokenDBValue, error)

	// StoreToken takes a username and token, stores them in the DB
	// and returns a password and error
	// NOTE(review): the meaning of the bool argument is not documented here;
	// TokenDBImpl names it updatePassword.
	StoreToken(string, *TokenDBValue, bool) (string, error)

	// ValidateToken takes a username and password
	// and returns an error
	ValidateToken(string, api.PasswordString) error

	// DeleteToken takes a username
	// and deletes the corresponding token from the DB
	DeleteToken(string) error

	// Composed from leveldb.DB
	Close() error
}

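TokenDB is the interface for token storage. The constructors on this page create implementations backed by LevelDB, Google Cloud Storage and Redis.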

func NewGCSTokenDB

func NewGCSTokenDB(options *GCSStoreConfig) (TokenDB, error)

NewGCSTokenDB returns a new TokenDB structure which uses Google Cloud Storage as backend. The created DB uses a file-per-user strategy and stores credentials independently for each user.

Note: sharing the bucket with other apps or services is not recommended.

func NewRedisTokenDB

func NewRedisTokenDB(options *RedisStoreConfig) (TokenDB, error)

NewRedisTokenDB returns a new TokenDB structure which uses Redis as the storage backend.

func NewTokenDB

func NewTokenDB(options *LevelDBStoreConfig) (TokenDB, error)

NewTokenDB returns a new TokenDB structure

type TokenDBImpl

// TokenDBImpl embeds *leveldb.DB, so the database's own methods (including
// Close) are promoted onto it, and adds GetValue, StoreToken, ValidateToken
// and DeleteToken.
type TokenDBImpl struct {
	*leveldb.DB
}

TokenDBImpl stores tokens using LevelDB.

func (*TokenDBImpl) DeleteToken

func (db *TokenDBImpl) DeleteToken(user string) error

func (*TokenDBImpl) GetValue

func (db *TokenDBImpl) GetValue(user string) (*TokenDBValue, error)

func (*TokenDBImpl) StoreToken

func (db *TokenDBImpl) StoreToken(user string, v *TokenDBValue, updatePassword bool) (dp string, err error)

func (*TokenDBImpl) ValidateToken

func (db *TokenDBImpl) ValidateToken(user string, password api.PasswordString) error

type TokenDBValue

// TokenDBValue is one token record: the provider token pair, its validity
// limit, the hashed Docker password and the user's labels.
type TokenDBValue struct {
	TokenType    string    `json:"token_type,omitempty"` // Usually "Bearer"
	// AccessToken and RefreshToken are plain string fields in this record;
	// only DockerPassword is documented as hashed.
	// NOTE(review): confirm whether any backend encrypts the record; if not,
	// read access to the store (LevelDB path, GCS bucket, Redis) exposes
	// usable provider tokens and should be restricted accordingly.
	AccessToken  string    `json:"access_token,omitempty"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	ValidUntil   time.Time `json:"valid_until,omitempty"`
	// DockerPassword is the temporary password we use to authenticate Docker users.
	// Generated at the time of token creation, stored here as a BCrypt hash.
	DockerPassword string     `json:"docker_password,omitempty"`
	Labels         api.Labels `json:"labels,omitempty"`
}

TokenDBValue is stored in the database, JSON-serialized.

type XormAuthn

// XormAuthn is the xorm-backed (SQL database) authenticator. It is created
// with NewXormAuth and exposes Authenticate, Name and Stop; all of its state
// is unexported.
type XormAuthn struct {
	// contains filtered or unexported fields
}

func NewXormAuth

func NewXormAuth(c *XormAuthnConfig) (*XormAuthn, error)

func (*XormAuthn) Authenticate

func (xa *XormAuthn) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*XormAuthn) Name

func (xa *XormAuthn) Name() string

func (*XormAuthn) Stop

func (xa *XormAuthn) Stop()

type XormAuthnConfig

// XormAuthnConfig holds the YAML settings passed to NewXormAuth: the
// database type and the connection string.
type XormAuthnConfig struct {
	// NOTE(review): the accepted database types are not visible here —
	// confirm in Validate.
	DatabaseType string `yaml:"database_type,omitempty"`
	// NOTE(review): connection strings commonly embed the database user and
	// password, so the config file holding this value should be treated as a
	// secret — confirm that it is not written to logs.
	ConnString   string `yaml:"conn_string,omitempty"`
}

func (*XormAuthnConfig) Validate

func (xa *XormAuthnConfig) Validate(configKey string) error

type XormUser

// XormUser is the xorm-mapped user row: an auto-incremented primary key, the
// username, a password hash and the user's labels stored as JSON.
type XormUser struct {
	Id           int64      `xorm:"pk autoincr"`
	// NOTE(review): the tag declares no unique constraint on Username —
	// confirm how duplicate usernames are prevented or resolved on lookup.
	Username     string     `xorm:"VARCHAR(128) NOT NULL"`
	// NOTE(review): the hash algorithm is not visible here — confirm that it
	// is a password-hashing function such as bcrypt and that the encoded
	// hash fits in 128 characters.
	PasswordHash string     `xorm:"VARCHAR(128) NOT NULL"`
	Labels       api.Labels `xorm:"JSON"`
}
