authn

package
v0.0.0-...-69aa630 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 10, 2024 License: Apache-2.0 Imports: 37 Imported by: 10

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	EnableSQLite3 = false
)
View Source 
var ExpiredToken = errors.New("expired token")

Functions

func NewExtAuth 

func NewExtAuth(cfg *ExtAuthConfig) *extAuth

func NewStaticUserAuth 

func NewStaticUserAuth(users map[string]*Requirements) *staticUsersAuth

Types

type CodeToGitlabTokenResponse 

type CodeToGitlabTokenResponse struct {
	AccessToken  string `json:"access_token,omitempty"`
	TokenType    string `json:"token_type,omitempty"`
	ExpiresIn    int64  `json:"expires_in,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	CreatedAt    int64  `json:"created_at,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

type CodeToTokenResponse 

type CodeToTokenResponse struct {
	IDToken      string `json:"id_token,omitempty"`
	AccessToken  string `json:"access_token,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ExpiresIn    int64  `json:"expires_in,omitempty"`
	TokenType    string `json:"token_type,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

CodeToTokenResponse is sent by Google servers in response to the grant_type=authorization_code request.

type ExtAuthConfig 

type ExtAuthConfig struct {
	Command string   `yaml:"command"`
	Args    []string `yaml:"args"`
}

func (*ExtAuthConfig) Validate 

func (c *ExtAuthConfig) Validate() error

type ExtAuthResponse 

type ExtAuthResponse struct {
	Labels api.Labels `json:"labels,omitempty"`
}

type ExtAuthStatus 

type ExtAuthStatus int
const (
	ExtAuthAllowed ExtAuthStatus = 0
	ExtAuthDenied  ExtAuthStatus = 1
	ExtAuthNoMatch ExtAuthStatus = 2
	ExtAuthError   ExtAuthStatus = 3
)

type GCSStoreConfig 

type GCSStoreConfig struct {
	Bucket           string `yaml:"bucket,omitempty"`
	ClientSecretFile string `yaml:"client_secret_file,omitempty"`
	TokenHashCost    int    `yaml:"token_hash_cost,omitempty"`
}

type GitHubAuth 

type GitHubAuth struct {
	// contains filtered or unexported fields
}

func NewGitHubAuth 

func NewGitHubAuth(c *GitHubAuthConfig) (*GitHubAuth, error)

func (*GitHubAuth) Authenticate 

func (gha *GitHubAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*GitHubAuth) DoGitHubAuth 

func (gha *GitHubAuth) DoGitHubAuth(rw http.ResponseWriter, req *http.Request)

func (*GitHubAuth) Name 

func (gha *GitHubAuth) Name() string

func (*GitHubAuth) Stop 

func (gha *GitHubAuth) Stop()

type GitHubAuthConfig 

type GitHubAuthConfig struct {
	Organization     string              `yaml:"organization,omitempty"`
	ClientId         string              `yaml:"client_id,omitempty"`
	ClientSecret     string              `yaml:"client_secret,omitempty"`
	ClientSecretFile string              `yaml:"client_secret_file,omitempty"`
	LevelTokenDB     *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
	GCSTokenDB       *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
	RedisTokenDB     *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
	HTTPTimeout      time.Duration       `yaml:"http_timeout,omitempty"`
	RevalidateAfter  time.Duration       `yaml:"revalidate_after,omitempty"`
	GithubWebUri     string              `yaml:"github_web_uri,omitempty"`
	GithubApiUri     string              `yaml:"github_api_uri,omitempty"`
	RegistryUrl      string              `yaml:"registry_url,omitempty"`
}

type GitHubAuthRequest 

type GitHubAuthRequest struct {
	Action string `json:"action,omitempty"`
	Code   string `json:"code,omitempty"`
	Token  string `json:"token,omitempty"`
}

type GitHubOrganization 

type GitHubOrganization struct {
	Login string `json:"login"`
	Id    int64  `json:"id,omitempty"`
}

type GitHubTeam 

type GitHubTeam struct {
	Id           int64               `json:"id"`
	Url          string              `json:"url,omitempty"`
	Name         string              `json:"name,omitempty"`
	Slug         string              `json:"slug,omitempty"`
	Organization *GitHubOrganization `json:"organization"`
	Parent       *ParentGitHubTeam   `json:"parent,omitempty"`
}

type GitHubTeamCollection 

type GitHubTeamCollection []GitHubTeam

type GitHubTokenUser 

type GitHubTokenUser struct {
	Login string `json:"login,omitempty"`
	Email string `json:"email,omitempty"`
}

type GitlabAuth 

type GitlabAuth struct {
	// contains filtered or unexported fields
}

func NewGitlabAuth 

func NewGitlabAuth(c *GitlabAuthConfig) (*GitlabAuth, error)

func (*GitlabAuth) Authenticate 

func (glab *GitlabAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*GitlabAuth) DoGitlabAuth 

func (glab *GitlabAuth) DoGitlabAuth(rw http.ResponseWriter, req *http.Request)

func (*GitlabAuth) Name 

func (glab *GitlabAuth) Name() string

func (*GitlabAuth) Stop 

func (glab *GitlabAuth) Stop()

type GitlabAuthConfig 

type GitlabAuthConfig struct {
	Organization     string              `yaml:"organization,omitempty"`
	ClientId         string              `yaml:"client_id,omitempty"`
	ClientSecret     string              `yaml:"client_secret,omitempty"`
	ClientSecretFile string              `yaml:"client_secret_file,omitempty"`
	LevelTokenDB     *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
	GCSTokenDB       *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
	RedisTokenDB     *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
	HTTPTimeout      time.Duration       `yaml:"http_timeout,omitempty"`
	RevalidateAfter  time.Duration       `yaml:"revalidate_after,omitempty"`
	GitlabWebUri     string              `yaml:"gitlab_web_uri,omitempty"`
	GitlabApiUri     string              `yaml:"gitlab_api_uri,omitempty"`
	RegistryUrl      string              `yaml:"registry_url,omitempty"`
	GrantType        string              `yaml:"grant_type,omitempty"`
	RedirectUri      string              `yaml:"redirect_uri,omitempty"`
}

type GitlabAuthRequest 

type GitlabAuthRequest struct {
	Action string `json:"action,omitempty"`
	Code   string `json:"code,omitempty"`
	Token  string `json:"token,omitempty"`
}

type GitlabOrganization 

type GitlabOrganization struct {
	Login string `json:"login"`
	Id    int64  `json:"id,omitempty"`
}

type GitlabTeam 

type GitlabTeam struct {
	Id           int64               `json:"id"`
	Url          string              `json:"url,omitempty"`
	Name         string              `json:"name,omitempty"`
	Slug         string              `json:"slug,omitempty"`
	Organization *GitlabOrganization `json:"organization"`
	Parent       *ParentGitlabTeam   `json:"parent,omitempty"`
}

type GitlabTeamCollection 

type GitlabTeamCollection []GitlabTeam

type GitlabTokenUser 

type GitlabTokenUser struct {
	Login string `json:"username,omitempty"`
	Email string `json:"email,omitempty"`
}

type GoogleAuth 

type GoogleAuth struct {
	// contains filtered or unexported fields
}

func NewGoogleAuth 

func NewGoogleAuth(c *GoogleAuthConfig) (*GoogleAuth, error)

func (*GoogleAuth) Authenticate 

func (ga *GoogleAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*GoogleAuth) DoGoogleAuth 

func (ga *GoogleAuth) DoGoogleAuth(rw http.ResponseWriter, req *http.Request)

func (*GoogleAuth) Name 

func (ga *GoogleAuth) Name() string

func (*GoogleAuth) Stop 

func (ga *GoogleAuth) Stop()

type GoogleAuthConfig 

type GoogleAuthConfig struct {
	Domain           string              `yaml:"domain,omitempty"`
	ClientId         string              `yaml:"client_id,omitempty"`
	ClientSecret     string              `yaml:"client_secret,omitempty"`
	ClientSecretFile string              `yaml:"client_secret_file,omitempty"`
	LevelTokenDB     *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
	GCSTokenDB       *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
	RedisTokenDB     *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
	HTTPTimeout      time.Duration       `yaml:"http_timeout,omitempty"`
}

type GoogleAuthRequest 

type GoogleAuthRequest struct {
	Action string `json:"action,omitempty"`
	Code   string `json:"code,omitempty"`
	Token  string `json:"token,omitempty"`
}

type GoogleTokenInfo 

type GoogleTokenInfo struct {
	// AccessType: The access type granted with this token. It can be
	// offline or online.
	AccessType string `json:"access_type,omitempty"`

	// Audience: Who is the intended audience for this token. In general the
	// same as issued_to.
	Audience string `json:"audience,omitempty"`

	// Email: The email address of the user. Present only if the email scope
	// is present in the request.
	Email string `json:"email,omitempty"`

	// ExpiresIn: The expiry time of the token, as number of seconds left
	// until expiry.
	ExpiresIn int64 `json:"expires_in,omitempty"`

	// IssuedTo: To whom was the token issued to. In general the same as
	// audience.
	IssuedTo string `json:"issued_to,omitempty"`

	// Scope: The space separated list of scopes granted to this token.
	Scope string `json:"scope,omitempty"`

	// TokenHandle: The token handle associated with this token.
	TokenHandle string `json:"token_handle,omitempty"`

	// UserId: The obfuscated user id.
	UserId string `json:"user_id,omitempty"`

	// VerifiedEmail: Boolean flag which is true if the email address is
	// verified. Present only if the email scope is present in the request.
	VerifiedEmail bool `json:"verified_email,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

From github.com/google-api-go-client/oauth2/v2/oauth2-gen.go

type LDAPAuth 

type LDAPAuth struct {
	// contains filtered or unexported fields
}

func NewLDAPAuth 

func NewLDAPAuth(c *LDAPAuthConfig) (*LDAPAuth, error)

func (*LDAPAuth) Authenticate 

func (la *LDAPAuth) Authenticate(account string, password api.PasswordString) (bool, api.Labels, error)

How to authenticate user, please refer to https://github.com/go-ldap/ldap/blob/master/example_test.go#L166

func (*LDAPAuth) Name 

func (la *LDAPAuth) Name() string

func (*LDAPAuth) Stop 

func (la *LDAPAuth) Stop()

type LDAPAuthConfig 

type LDAPAuthConfig struct {
	Addr                  string              `yaml:"addr,omitempty"`
	TLS                   string              `yaml:"tls,omitempty"`
	InsecureTLSSkipVerify bool                `yaml:"insecure_tls_skip_verify,omitempty"`
	CACertificate         string              `yaml:"ca_certificate,omitempty"`
	Base                  string              `yaml:"base,omitempty"`
	Filter                string              `yaml:"filter,omitempty"`
	BindDN                string              `yaml:"bind_dn,omitempty"`
	BindPasswordFile      string              `yaml:"bind_password_file,omitempty"`
	LabelMaps             map[string]LabelMap `yaml:"labels,omitempty"`
	InitialBindAsUser     bool                `yaml:"initial_bind_as_user,omitempty"`
}

type LabelMap 

type LabelMap struct {
	Attribute string `yaml:"attribute,omitempty"`
	ParseCN   bool   `yaml:"parse_cn,omitempty"`
	LowerCase bool   `yaml:"lower_case",omitempty"`
}

type LevelDBStoreConfig 

type LevelDBStoreConfig struct {
	Path          string `yaml:"path,omitempty"`
	TokenHashCost int    `yaml:"token_hash_cost,omitempty"`
}

type MongoAuth 

type MongoAuth struct {
	Collection string `yaml:"collection,omitempty"`
	// contains filtered or unexported fields
}

func NewMongoAuth 

func NewMongoAuth(c *MongoAuthConfig) (*MongoAuth, error)

func (*MongoAuth) Authenticate 

func (mauth *MongoAuth) Authenticate(account string, password api.PasswordString) (bool, api.Labels, error)

func (*MongoAuth) Name 

func (ga *MongoAuth) Name() string

func (*MongoAuth) Stop 

func (ma *MongoAuth) Stop()

type MongoAuthConfig 

type MongoAuthConfig struct {
	MongoConfig *mgo_session.Config `yaml:"dial_info,omitempty"`
	Collection  string              `yaml:"collection,omitempty"`
}

func (*MongoAuthConfig) Validate 

func (c *MongoAuthConfig) Validate(configKey string) error

Validate ensures that any custom config options in a Config are set correctly.

type OIDCAuth 

type OIDCAuth struct {
	// contains filtered or unexported fields
}

The specific OIDC authenticator

func NewOIDCAuth 

func NewOIDCAuth(c *OIDCAuthConfig) (*OIDCAuth, error)

Creates everything necessary for OIDC auth.

func (*OIDCAuth) Authenticate 

func (ga *OIDCAuth) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

Called by server. Authenticates user with credentials that were given in the docker login command. If the token in the DB is expired, the OIDC access token is validated and, if possible, refreshed.

func (*OIDCAuth) DoOIDCAuth 

func (ga *OIDCAuth) DoOIDCAuth(rw http.ResponseWriter, req *http.Request)

This function will be used by the server if the OIDC auth method is selected. It starts the page for OIDC login or requests an access token by using the code given by the OIDC provider.

func (*OIDCAuth) Name 

func (ga *OIDCAuth) Name() string

func (*OIDCAuth) Stop 

func (ga *OIDCAuth) Stop()

type OIDCAuthConfig 

type OIDCAuthConfig struct {
	// --- necessary ---
	// URL of the authentication provider. Must be able to serve the /.well-known/openid-configuration
	Issuer string `yaml:"issuer,omitempty"`
	// URL of the auth server. Has to end with /oidc_auth
	RedirectURL string `yaml:"redirect_url,omitempty"`
	// ID and secret, priovided by the OIDC provider after registration of the auth server
	ClientId         string `yaml:"client_id,omitempty"`
	ClientSecret     string `yaml:"client_secret,omitempty"`
	ClientSecretFile string `yaml:"client_secret_file,omitempty"`
	// path where the tokendb should be stored within the container
	LevelTokenDB *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
	GCSTokenDB   *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
	RedisTokenDB *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
	// --- optional ---
	HTTPTimeout time.Duration `yaml:"http_timeout,omitempty"`
	// the URL of the docker registry. Used to generate a full docker login command after authentication
	RegistryURL string `yaml:"registry_url,omitempty"`
	// --- optional ---
	// String claim to use for the username
	UserClaim string `yaml:"user_claim,omitempty"`
	// --- optional ---
	// []string to add as labels.
	LabelsClaims []string `yaml:"labels_claims,omitempty"`
	// --- optional ---
	Scopes []string `yaml:"scopes,omitempty"`
}

All configuration options

type OIDCRefreshTokenResponse 

type OIDCRefreshTokenResponse struct {
	AccessToken  string `json:"access_token,omitempty"`
	ExpiresIn    int64  `json:"expires_in,omitempty"`
	TokenType    string `json:"token_type,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

OIDCRefreshTokenResponse is sent by OIDC provider in response to the grant_type=refresh_token request.

type ParentGitHubTeam 

type ParentGitHubTeam struct {
	Id   int64  `json:"id"`
	Name string `json:"name,omitempty"`
	Slug string `json:"slug,omitempty"`
}

type ParentGitlabTeam 

type ParentGitlabTeam struct {
	Id   int64  `json:"id"`
	Name string `json:"name,omitempty"`
	Slug string `json:"slug,omitempty"`
}

type PluginAuthn 

type PluginAuthn struct {
	Authn api.Authenticator
	// contains filtered or unexported fields
}

func NewPluginAuthn 

func NewPluginAuthn(cfg *PluginAuthnConfig) (*PluginAuthn, error)

func (*PluginAuthn) Authenticate 

func (c *PluginAuthn) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*PluginAuthn) Name 

func (c *PluginAuthn) Name() string

func (*PluginAuthn) Stop 

func (c *PluginAuthn) Stop()

type PluginAuthnConfig 

type PluginAuthnConfig struct {
	PluginPath string `yaml:"plugin_path"`
}

func (*PluginAuthnConfig) Validate 

func (c *PluginAuthnConfig) Validate() error

type ProfileResponse 

type ProfileResponse struct {
	Email         string `json:"email,omitempty"`
	VerifiedEmail bool   `json:"verified_email,omitempty"`
}

ProfileResponse is sent by the /userinfo/v2/me endpoint. We use it to validate access token and (re)verify the email address associated with it.

type RedisClient 

type RedisClient interface {
	Get(key string) *redis.StringCmd
	Set(key string, value interface{}, expiration time.Duration) *redis.StatusCmd
	Del(keys ...string) *redis.IntCmd
}

type RedisStoreConfig 

type RedisStoreConfig struct {
	ClientOptions  *redis.Options        `yaml:"redis_options,omitempty"`
	ClusterOptions *redis.ClusterOptions `yaml:"redis_cluster_options,omitempty"`
	TokenHashCost  int                   `yaml:"token_hash_cost,omitempty"`
}

type RefreshTokenResponse 

type RefreshTokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	ExpiresIn   int64  `json:"expires_in,omitempty"`
	TokenType   string `json:"token_type,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

CodeToTokenResponse is sent by Google servers in response to the grant_type=refresh_token request.

type Requirements 

type Requirements struct {
	Password *api.PasswordString `yaml:"password,omitempty" json:"password,omitempty"`
	Labels   api.Labels          `yaml:"labels,omitempty" json:"labels,omitempty"`
}

func (Requirements) String 

func (r Requirements) String() string

type TokenDB 

type TokenDB interface {
	// GetValue takes a username returns the corresponding token
	GetValue(string) (*TokenDBValue, error)

	// StoreToken takes a username and token, stores them in the DB
	// and returns a password and error
	StoreToken(string, *TokenDBValue, bool) (string, error)

	// ValidateTOken takes a username and password
	// and returns an error
	ValidateToken(string, api.PasswordString) error

	// DeleteToken takes a username
	// and deletes the corresponding token from the DB
	DeleteToken(string) error

	// Composed from leveldb.DB
	Close() error
}

TokenDB stores tokens using LevelDB

func NewGCSTokenDB 

func NewGCSTokenDB(options *GCSStoreConfig) (TokenDB, error)

NewGCSTokenDB return a new TokenDB structure which uses Google Cloud Storage as backend. The created DB uses file-per-user strategy and stores credentials independently for each user.

Note: it's not recomanded bucket to be shared with other apps or services

func NewRedisTokenDB 

func NewRedisTokenDB(options *RedisStoreConfig) (TokenDB, error)

NewRedisTokenDB returns a new TokenDB structure which uses Redis as the storage backend.

func NewTokenDB 

func NewTokenDB(options *LevelDBStoreConfig) (TokenDB, error)

NewTokenDB returns a new TokenDB structure

type TokenDBImpl 

type TokenDBImpl struct {
	*leveldb.DB
}

TokenDB stores tokens using LevelDB

func (*TokenDBImpl) DeleteToken 

func (db *TokenDBImpl) DeleteToken(user string) error

func (*TokenDBImpl) GetValue 

func (db *TokenDBImpl) GetValue(user string) (*TokenDBValue, error)

func (*TokenDBImpl) StoreToken 

func (db *TokenDBImpl) StoreToken(user string, v *TokenDBValue, updatePassword bool) (dp string, err error)

func (*TokenDBImpl) ValidateToken 

func (db *TokenDBImpl) ValidateToken(user string, password api.PasswordString) error

type TokenDBValue 

type TokenDBValue struct {
	TokenType    string    `json:"token_type,omitempty"` // Usually "Bearer"
	AccessToken  string    `json:"access_token,omitempty"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	ValidUntil   time.Time `json:"valid_until,omitempty"`
	// DockerPassword is the temporary password we use to authenticate Docker users.
	// Generated at the time of token creation, stored here as a BCrypt hash.
	DockerPassword string     `json:"docker_password,omitempty"`
	Labels         api.Labels `json:"labels,omitempty"`
}

TokenDBValue is stored in the database, JSON-serialized.

type XormAuthn 

type XormAuthn struct {
	// contains filtered or unexported fields
}

func NewXormAuth 

func NewXormAuth(c *XormAuthnConfig) (*XormAuthn, error)

func (*XormAuthn) Authenticate 

func (xa *XormAuthn) Authenticate(user string, password api.PasswordString) (bool, api.Labels, error)

func (*XormAuthn) Name 

func (xa *XormAuthn) Name() string

func (*XormAuthn) Stop 

func (xa *XormAuthn) Stop()

type XormAuthnConfig 

type XormAuthnConfig struct {
	DatabaseType string `yaml:"database_type,omitempty"`
	ConnString   string `yaml:"conn_string,omitempty"`
}

func (*XormAuthnConfig) Validate 

func (xa *XormAuthnConfig) Validate(configKey string) error

type XormUser 

type XormUser struct {
	Id           int64      `xorm:"pk autoincr"`
	Username     string     `xorm:"VARCHAR(128) NOT NULL"`
	PasswordHash string     `xorm:"VARCHAR(128) NOT NULL"`
	Labels       api.Labels `xorm:"JSON"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.