passwd

package
v0.15.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 16, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	SpecialPermissionMFAPending = "MFAPending"
	SpecialPermissionOtpId      = "OtpId"
)
View Source 
const (
	MessageUserNotFound              = "Mismatched Username and Password"
	MessageBadCredential             = "Mismatched Username and Password"
	MessageOtpNotAvailable           = "MFA required but temprorily unavailable"
	MessageAccountStatus             = "Inactive Account"
	MessageInvalidPasscode           = "Bad Verification Code"
	MessagePasscodeExpired           = "Verification Code Expired"
	MessageCannotRefresh             = "Unable to Refresh"
	MessageMaxAttemptsReached        = "No More Verification Attempts Allowed"
	MessageMaxRefreshAttemptsReached = "No More Resend Attempts Allowed"
	MessageInvalidAccountStatus      = "Issue with current account status"
	MessageAccountDisabled           = "Account Disabled"
	MessageAccountLocked             = "Account Locked"
	MessagePasswordLoginNotAllowed   = "Password Login not Allowed"
	MessageLockedDueToBadCredential  = "Mismatched Username and Password. Account locked due to too many failed attempts"
	MessagePasswordExpired           = "User credentials have expired"
)
View Source 
const (
	MFAEventOtpCreate
	MFAEventOtpRefresh
	MFAEventVerificationSuccess
	MFAEventVerificationFailure
)

Variables

View Source 
var Module = &bootstrap.Module{
	Name:       "passwd authenticator",
	Precedence: security.MinSecurityPrecedence + 30,
	Options: []fx.Option{
		fx.Invoke(register),
	},
}
View Source 
var (
	PasswordAuthenticatorFeatureId = security.FeatureId("passwdAuth", security.FeatureOrderAuthenticator)
)

Functions

func GobRegister 

func GobRegister()

func IsSamePrincipal 

func IsSamePrincipal(username string, currentAuth security.Authentication) bool

Types

type AccountLockingPostProcessor 

type AccountLockingPostProcessor struct {
	// contains filtered or unexported fields
}

AccountLockingPostProcessor react on failed authentication. Lock account if necessary

func NewAccountLockingPostProcessor 

func NewAccountLockingPostProcessor(store security.AccountStore) *AccountLockingPostProcessor

func (*AccountLockingPostProcessor) Order 

func (p *AccountLockingPostProcessor) Order() int

Order the processor run between AccountStatusPostProcessor and PersistAccountPostProcessor

func (*AccountLockingPostProcessor) Process 

func (p *AccountLockingPostProcessor) Process(ctx context.Context, acct security.Account, result AuthenticationResult) AuthenticationResult

type AccountStatusChecker 

type AccountStatusChecker struct {
	// contains filtered or unexported fields
}

AccountStatusChecker check account status and also auto unlock account if locking rules allows

func NewAccountStatusChecker 

func NewAccountStatusChecker(store security.AccountStore) *AccountStatusChecker

func (*AccountStatusChecker) Decide 

func (adm *AccountStatusChecker) Decide(ctx context.Context, _ security.Candidate, acct security.Account, _ security.Authentication) error

type AccountStatusPostProcessor 

type AccountStatusPostProcessor struct {
	// contains filtered or unexported fields
}

AccountStatusPostProcessor updates account based on authentication result. It could update last login status, failed login status, etc.

func NewAccountStatusPostProcessor 

func NewAccountStatusPostProcessor(store security.AccountStore) *AccountStatusPostProcessor

func (*AccountStatusPostProcessor) Order 

func (p *AccountStatusPostProcessor) Order() int

Order the processor run first (reversed ordering)

func (*AccountStatusPostProcessor) Process 

func (p *AccountStatusPostProcessor) Process(ctx context.Context, acct security.Account, result AuthenticationResult) AuthenticationResult

type AdditionalDetailsPostProcessor 

type AdditionalDetailsPostProcessor struct{}

AdditionalDetailsPostProcessor populate additional authentication details if the authentication is granted. It's implement order.Ordered Note: post-processors executed in reversed order

func NewAdditionalDetailsPostProcessor 

func NewAdditionalDetailsPostProcessor() *AdditionalDetailsPostProcessor

func (*AdditionalDetailsPostProcessor) Order 

func (p *AdditionalDetailsPostProcessor) Order() int

Order the processor run last

func (*AdditionalDetailsPostProcessor) Process 

func (p *AdditionalDetailsPostProcessor) Process(_ context.Context, _ security.Account, result AuthenticationResult) AuthenticationResult

type AuthenticationDecisionMaker 

type AuthenticationDecisionMaker interface {
	// Decide makes decision on whether the Authenticator should approve the auth request.
	// the returned error indicate the reason of rejection. returns nil when approved
	// 	 - The security.Authentication is nil when credentials has not been validated (pre check)
	// 	 - The security.Authentication is non-nil when credentials has been validated (post check).
	//     The non-nil value is the proposed authentication to be returned by Authenticator
	//
	// If any of input parameters are mutable, AuthenticationDecisionMaker is allowed to change it
	Decide(context.Context, security.Candidate, security.Account, security.Authentication) error
}

AuthenticationDecisionMaker is invoked at various stages of authentication decision making process. If AuthenticationDecisionMaker implement order.Ordered interface, its order is respected using order.OrderedFirstCompare. This means highest priority is executed first and non-ordered decision makers run at last.

Note: each AuthenticationDecisionMaker will get invoked multiple times during the authentication process. 

So implementations should check stage before making desisions. Or use ConditionalDecisionMaker

func FinalCheck 

func FinalCheck(delegate AuthenticationDecisionMaker) AuthenticationDecisionMaker

func PostCredentialsCheck 

func PostCredentialsCheck(delegate AuthenticationDecisionMaker) AuthenticationDecisionMaker

func PreCredentialsCheck 

func PreCredentialsCheck(delegate AuthenticationDecisionMaker) AuthenticationDecisionMaker

type AuthenticationResult 

type AuthenticationResult struct {
	Candidate security.Candidate
	Auth      security.Authentication
	Error     error
}

AuthenticationResult is a values carrier for PostAuthenticationProcessor

type Authenticator 

type Authenticator struct {
	// contains filtered or unexported fields
}

func NewAuthenticator 

func NewAuthenticator(optionFuncs ...AuthenticatorOptionsFunc) *Authenticator

func (*Authenticator) Authenticate 

func (a *Authenticator) Authenticate(ctx context.Context, candidate security.Candidate) (auth security.Authentication, err error)

func (*Authenticator) CreateSuccessAuthentication 

func (a *Authenticator) CreateSuccessAuthentication(candidate *UsernamePasswordPair, account security.Account) (security.Authentication, error)

CreateSuccessAuthentication exported for override posibility

type AuthenticatorBuilder 

type AuthenticatorBuilder struct {
	// contains filtered or unexported fields
}

AuthenticatorBuilder implements security.AuthenticatorBuilder

func NewAuthenticatorBuilder 

func NewAuthenticatorBuilder(f *PasswordAuthFeature, defaults ...*builderDefaults) *AuthenticatorBuilder

func (*AuthenticatorBuilder) Build 

func (b *AuthenticatorBuilder) Build(_ context.Context) (security.Authenticator, error)

type AuthenticatorOptions 

type AuthenticatorOptions struct {
	AccountStore      security.AccountStore
	PasswordEncoder   PasswordEncoder
	OTPManager        OTPManager
	MFAEventListeners []MFAEventListenerFunc
	Checkers          []AuthenticationDecisionMaker
	PostProcessors    []PostAuthenticationProcessor
}

type AuthenticatorOptionsFunc 

type AuthenticatorOptionsFunc func(*AuthenticatorOptions)

type ConditionalDecisionMaker 

type ConditionalDecisionMaker struct {
	// contains filtered or unexported fields
}

ConditionalDecisionMaker implements AuthenticationDecisionMaker with ability to skip based on condiitons

func (*ConditionalDecisionMaker) Decide 

func (dm *ConditionalDecisionMaker) Decide(ctx context.Context, c security.Candidate, acct security.Account, auth security.Authentication) error

type DecisionMakerConditionFunc 

type DecisionMakerConditionFunc func(context.Context, security.Candidate, security.Account, security.Authentication) bool

type MFAEvent 

type MFAEvent int

type MFAEventListenerFunc 

type MFAEventListenerFunc func(event MFAEvent, otp OTP, principal interface{})

type MFAMode 

type MFAMode int
const (
	MFAModeSkip MFAMode = iota
	MFAModeOptional
	MFAModeMust
)

type MFAOtpRefresh 

type MFAOtpRefresh struct {
	CurrentAuth UsernamePasswordAuthentication
	DetailsMap  map[string]interface{}
}

MFAOtpRefresh is the supported security.Candidate for MFA OTP refresh

func (*MFAOtpRefresh) Credentials 

func (uop *MFAOtpRefresh) Credentials() interface{}

Credentials implements security.Candidate

func (*MFAOtpRefresh) Details 

func (uop *MFAOtpRefresh) Details() interface{}

Details implements security.Candidate

func (*MFAOtpRefresh) Principal 

func (uop *MFAOtpRefresh) Principal() interface{}

Principal implements security.Candidate

type MFAOtpVerification 

type MFAOtpVerification struct {
	CurrentAuth UsernamePasswordAuthentication
	OTP         string
	DetailsMap  map[string]interface{}
}

MFAOtpVerification is the supported security.Candidate for MFA authentication

func (*MFAOtpVerification) Credentials 

func (uop *MFAOtpVerification) Credentials() interface{}

Credentials implements security.Candidate

func (*MFAOtpVerification) Details 

func (uop *MFAOtpVerification) Details() interface{}

Details implements security.Candidate

func (*MFAOtpVerification) Principal 

func (uop *MFAOtpVerification) Principal() interface{}

Principal implements security.Candidate

type MfaRefreshAuthenticator 

type MfaRefreshAuthenticator struct {
	// contains filtered or unexported fields
}

func NewMFARefreshAuthenticator 

func NewMFARefreshAuthenticator(optionFuncs ...AuthenticatorOptionsFunc) *MfaRefreshAuthenticator

func (*MfaRefreshAuthenticator) Authenticate 

func (a *MfaRefreshAuthenticator) Authenticate(ctx context.Context, candidate security.Candidate) (auth security.Authentication, err error)

func (*MfaRefreshAuthenticator) CreateSuccessAuthentication 

func (a *MfaRefreshAuthenticator) CreateSuccessAuthentication(candidate *MFAOtpRefresh, _ security.Account) (security.Authentication, error)

CreateSuccessAuthentication exported for override possibility

type MfaVerifyAuthenticator 

type MfaVerifyAuthenticator struct {
	// contains filtered or unexported fields
}

func NewMFAVerifyAuthenticator 

func NewMFAVerifyAuthenticator(optionFuncs ...AuthenticatorOptionsFunc) *MfaVerifyAuthenticator

func (*MfaVerifyAuthenticator) Authenticate 

func (a *MfaVerifyAuthenticator) Authenticate(ctx context.Context, candidate security.Candidate) (auth security.Authentication, err error)

func (*MfaVerifyAuthenticator) CreateSuccessAuthentication 

func (a *MfaVerifyAuthenticator) CreateSuccessAuthentication(candidate *MFAOtpVerification, account security.Account) (security.Authentication, error)

CreateSuccessAuthentication exported for override posibility

type OTP 

type OTP interface {
	ID() string
	Passcode() string
	TTL() time.Duration
	Expire() time.Time
	Attempts() uint
	Refreshes() uint
	IncrementAttempts()
	IncrementRefreshes()
	// contains filtered or unexported methods
}

type OTPManager 

type OTPManager interface {
	// New create new OTP and save it
	New() (OTP, error)

	// Get loads OTP by Domain
	Get(id string) (OTP, error)

	// Verify use Get to load OTP and check the given passcode against the loaded OTP.
	// It returns the loaded OTP regardless the verification result.
	// It returns false if it reaches maximum attempts limit. otherwise returns true
	// error parameter indicate wether the given passcode is valid. It's nil if it's valid
	Verify(id, passcode string) (loaded OTP, hasMoreChances bool, err error)

	// Refresh regenerate OTP passcode without changing secret and Domain
	// It returns the loaded or refreshed OTP regardless the verification result.
	// It returns false if it reaches maximum attempts limit. otherwise returns true
	// error parameter indicate wether the passcode is refreshed
	Refresh(id string) (refreshed OTP, hasMoreChances bool, err error)

	// Delete delete OTP by Domain
	Delete(id string) error
}

type OTPStore 

type OTPStore interface {
	Save(OTP) error
	Load(id string) (OTP, error)
	Delete(id string) error
}

type PasswordAuthConfigurer 

type PasswordAuthConfigurer struct {
	// contains filtered or unexported fields
}

func (*PasswordAuthConfigurer) Apply 

func (pac *PasswordAuthConfigurer) Apply(feature security.Feature, ws security.WebSecurity) error

type PasswordAuthFeature 

type PasswordAuthFeature struct {
	// contains filtered or unexported fields
}

func Configure 

func Configure(ws security.WebSecurity) *PasswordAuthFeature

Configure is Standard security.Feature entrypoint

func New 

func New() *PasswordAuthFeature

New is Standard security.Feature entrypoint, DSL style. Used with security.WebSecurity

func (*PasswordAuthFeature) AccountStore 

func (f *PasswordAuthFeature) AccountStore(as security.AccountStore) *PasswordAuthFeature

func (*PasswordAuthFeature) Identifier 

func (f *PasswordAuthFeature) Identifier() security.FeatureIdentifier

func (*PasswordAuthFeature) MFA 

func (f *PasswordAuthFeature) MFA(enabled bool) *PasswordAuthFeature

func (*PasswordAuthFeature) MFAEventListeners 

func (f *PasswordAuthFeature) MFAEventListeners(handlers ...MFAEventListenerFunc) *PasswordAuthFeature

func (*PasswordAuthFeature) OtpLength 

func (f *PasswordAuthFeature) OtpLength(v uint) *PasswordAuthFeature

func (*PasswordAuthFeature) OtpRefreshLimit 

func (f *PasswordAuthFeature) OtpRefreshLimit(v uint) *PasswordAuthFeature

func (*PasswordAuthFeature) OtpSecretSize 

func (f *PasswordAuthFeature) OtpSecretSize(v uint) *PasswordAuthFeature

func (*PasswordAuthFeature) OtpTTL 

func (f *PasswordAuthFeature) OtpTTL(ttl time.Duration) *PasswordAuthFeature

func (*PasswordAuthFeature) OtpVerifyLimit 

func (f *PasswordAuthFeature) OtpVerifyLimit(v uint) *PasswordAuthFeature

func (*PasswordAuthFeature) PasswordEncoder 

func (f *PasswordAuthFeature) PasswordEncoder(pe PasswordEncoder) *PasswordAuthFeature

type PasswordEncoder 

type PasswordEncoder interface {
	Encode(rawPassword string) string
	Matches(raw, encoded string) bool
}

func NewBcryptPasswordEncoder 

func NewBcryptPasswordEncoder() PasswordEncoder

func NewNoopPasswordEncoder 

func NewNoopPasswordEncoder() PasswordEncoder

type PasswordPolicyChecker 

type PasswordPolicyChecker struct {
	// contains filtered or unexported fields
}

PasswordPolicyChecker takes account password policy into consideration

func NewPasswordPolicyChecker 

func NewPasswordPolicyChecker(store security.AccountStore) *PasswordPolicyChecker

func (*PasswordPolicyChecker) Decide 

func (c *PasswordPolicyChecker) Decide(ctx context.Context, _ security.Candidate, acct security.Account, auth security.Authentication) error

type PersistAccountPostProcessor 

type PersistAccountPostProcessor struct {
	// contains filtered or unexported fields
}

PersistAccountPostProcessor saves Account. It's implement order.Ordered with highest priority Note: post-processors executed in reversed order

func NewPersistAccountPostProcessor 

func NewPersistAccountPostProcessor(store security.AccountStore) *PersistAccountPostProcessor

func (*PersistAccountPostProcessor) Order 

func (p *PersistAccountPostProcessor) Order() int

Order the processor run last

func (*PersistAccountPostProcessor) Process 

func (p *PersistAccountPostProcessor) Process(ctx context.Context, acct security.Account, result AuthenticationResult) AuthenticationResult

type PostAuthenticationProcessor 

type PostAuthenticationProcessor interface {
	// Process is invoked at the end of authentication process by the Authenticator to perform post-auth action.
	// The method is invoked regardless if the authentication is granted:
	// 	- If the authentication is granted, the AuthenticationResult.Auth is non-nil and AuthenticationResult.Error is nil
	//	- If the authentication is rejected, the AuthenticationResult.Error is non-nil and AuthenticationResult.Auth should be ignored
	//
	// If the context.Context and security.Account parameters are mutable, PostAuthenticationProcessor is allowed to change it
	// Note: PostAuthenticationProcessor typically shouldn't overwrite authentication decision (rejected or approved)
	// 		 However, it is allowed to modify result by returning different AuthenticationResult.
	//       This is useful when PostAuthenticationProcessor want to returns different error or add more details to authentication
	Process(context.Context, security.Account, AuthenticationResult) AuthenticationResult
}

PostAuthenticationProcessor is invoked at the end of authentication process regardless of authentication decisions (granted or rejected) If PostAuthenticationProcessor implement order.Ordered interface, its order is respected using order.OrderedFirstCompareReverse. This means highest priority is executed last

type TOTP 

type TOTP struct {
	Passcode string
	Secret   string
	TTL      time.Duration
	Expire   time.Time
}

type TOTPFactory 

type TOTPFactory interface {
	Generate(ttl time.Duration) (totp TOTP, err error)
	Refresh(secret string, ttl time.Duration) (totp TOTP, err error)
	Validate(totp TOTP) (valid bool, err error)
}

type UsernamePasswordAuthentication 

type UsernamePasswordAuthentication interface {
	security.Authentication
	Username() string
	IsMFAPending() bool
	OTPIdentifier() string
}

UsernamePasswordAuthentication implements security.Authentication

type UsernamePasswordPair 

type UsernamePasswordPair struct {
	Username   string
	Password   string
	DetailsMap map[string]interface{}
	EnforceMFA MFAMode
}

UsernamePasswordPair is the supported security.Candidate of this authenticator

func (*UsernamePasswordPair) Credentials 

func (upp *UsernamePasswordPair) Credentials() interface{}

Credentials implements security.Candidate

func (*UsernamePasswordPair) Details 

func (upp *UsernamePasswordPair) Details() interface{}

Details implements security.Candidate

func (*UsernamePasswordPair) Principal 

func (upp *UsernamePasswordPair) Principal() interface{}

Principal implements security.Candidate

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.