auth

package
v0.8.0 Latest Latest
Published: Sep 15, 2020 License: Apache-2.0 Imports: 20 Imported by: 3


Constants

// Non-admin permission levels. They are untyped integer constants starting
// at 0; the names suggest R = read-only and RW = read-write, but which gRPC
// methods each level unlocks is decided by HasPermissionForMethod (body not
// shown here). The admin levels are separate constants (PermissionAdmin = 254,
// PermissionSysAdmin = 255), so the numeric range is not contiguous.
const (
	// PermissionNone (0): no access.
	PermissionNone = iota
	// PermissionR (1): presumably read-only access — confirm against HasPermissionForMethod.
	PermissionR
	// PermissionRW (2): presumably read-write access — confirm against HasPermissionForMethod.
	PermissionRW
)

Non-admin permissions

// PermissionAdmin is the admin permission byte (254). It is distinct from
// PermissionSysAdmin (255), the system admin level, and from the non-admin
// levels PermissionNone/PermissionR/PermissionRW (0-2).
const PermissionAdmin = 254

PermissionAdmin is the admin permission byte (254).

// PermissionSysAdmin is the system admin permission byte (255), the highest
// level defined by this package; see also PermissionAdmin (254).
const PermissionSysAdmin = 255

PermissionSysAdmin is the system admin permission byte (255).

Variables

// AuthEnabled toggles authentication on or off. It is mutable package-level
// state with no synchronisation of its own, so it is presumably set once at
// startup before any interceptor reads it — confirm against the server setup.
var AuthEnabled bool

AuthEnabled toggles authentication on or off

// DevMode, when true, lets remote client commands (except admin ones) be
// accepted even if AuthEnabled is false. Because it relaxes authentication it
// is only meant for development; like AuthEnabled it is unsynchronised
// package-level state.
var DevMode bool

DevMode if set to true, remote client commands (except admin ones) will be accepted even if auth is off

// IsTampered is set to true when one of the databases is detected as
// tampered; the user is then notified. Who sets it and where it is read is
// outside this package's exported surface.
var IsTampered bool

IsTampered, if set to true, indicates that one of the databases has been tampered with and the user is notified.

// IsValidUsername reports whether a username consists only of ASCII letters,
// digits and underscores. It constrains the character set but not the length,
// so any maximum length has to be enforced by the caller.
var IsValidUsername = regexp.MustCompile(`^[a-zA-Z0-9_]+$`).MatchString

IsValidUsername is a regexp match function used to check username requirements: only ASCII letters, digits and underscores are allowed, and no length limit is enforced by the expression itself.

// PasswordRequirementsMsg is the user-facing text describing the password
// strength rules checked by IsStrongPassword. The length bounds are filled in
// from the unexported minPasswordLen and maxPasswordLen constants (not shown
// here), so the message stays in sync with the check.
var PasswordRequirementsMsg = fmt.Sprintf(
	"password must have between %d and %d letters, digits and special characters "+
		"of which at least 1 uppercase letter, 1 digit and 1 special character",
	minPasswordLen,
	maxPasswordLen,
)

PasswordRequirementsMsg message used to inform the user about password strength requirements

// SysAdminPassword is the system admin password. Its default is the same
// string as SysAdminUsername ("immudb"), which is why WarnDefaultAdminPassword
// exists; the package documentation says it can be overridden from command
// flags, config or an environment variable. Deployments should treat the
// default as a known credential and replace it.
var SysAdminPassword = SysAdminUsername

SysAdminPassword is the system admin password; by default it equals SysAdminUsername, and it can be overridden from command flags, config or an environment variable.

// SysAdminUsername is the system admin username. SysAdminPassword defaults to
// this same value, so a fresh install has a predictable admin credential.
var SysAdminUsername = "immudb"

SysAdminUsername the system admin username

// UpdateMetrics is an optional callback invoked to update metrics. It is nil
// until assigned; callers inside the package presumably nil-check it before
// calling — confirm, since calling a nil func panics.
var UpdateMetrics func(context.Context)

UpdateMetrics callback which will be called to update metrics

// WarnDefaultAdminPassword is the message shown when the admin account still
// uses the default password (SysAdminPassword == SysAdminUsername).
var WarnDefaultAdminPassword = "immudb user has the default password: please change it to ensure proper security"

WarnDefaultAdminPassword warning user message for the case when admin uses the default password

Functions

func ClientStreamInterceptor

func ClientStreamInterceptor(token string) func(context.Context, *grpc.StreamDesc, *grpc.ClientConn, string, grpc.Streamer, ...grpc.CallOption) (grpc.ClientStream, error)

ClientStreamInterceptor gRPC client interceptor for streams

func ClientUnaryInterceptor

func ClientUnaryInterceptor(token string) func(context.Context, string, interface{}, interface{}, *grpc.ClientConn, grpc.UnaryInvoker, ...grpc.CallOption) error

ClientUnaryInterceptor gRPC client interceptor for unary methods

func ComparePasswords

func ComparePasswords(hashedPassword []byte, plainPassword []byte) error

ComparePasswords compares the provided plainPassword against the provided hashed password

func DecodeBase64Password added in v0.6.2

func DecodeBase64Password(passwordBase64 string) (string, error)

DecodeBase64Password decodes the provided base64-encoded password if it has the "enc:" prefix or returns it with leading and trailing space trimmed otherwise

func DropTokenKeys

func DropTokenKeys(username string) bool

DropTokenKeys removes the token keys from the cache, hence invalidating any token that was generated with those keys

func DropTokenKeysForCtx added in v0.6.1

func DropTokenKeysForCtx(ctx context.Context) (bool, error)

DropTokenKeysForCtx removes the token keys from the cache for the username of the token that resides in the provided context

func GenerateToken

func GenerateToken(user User, database int64) (string, error)

GenerateToken creates a token for the given user bound to the given database index; see JSONToken for the data the token carries.

func HasPermissionForMethod

func HasPermissionForMethod(userPermission uint32, method string) bool

HasPermissionForMethod checks if userPermission can access method name

func HashAndSaltPassword

func HashAndSaltPassword(plainPassword []byte) ([]byte, error)

HashAndSaltPassword hashes and salts the provided password

func IsStrongPassword

func IsStrongPassword(password string) error

IsStrongPassword checks if the provided password meets the strength requirements

func NewStringUUID added in v0.7.0

func NewStringUUID() string

NewStringUUID generates a UUID and returns it as a string.

func NewUUID added in v0.7.0

func NewUUID() xid.ID

NewUUID generates a UUID (returned as an xid.ID).

func ServerStreamInterceptor

func ServerStreamInterceptor(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error

ServerStreamInterceptor gRPC server interceptor for streams

func ServerUnaryInterceptor

func ServerUnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)

ServerUnaryInterceptor gRPC server interceptor for unary methods

Types

type JSONToken

// JSONToken is the data carried by a token issued by GenerateToken and
// recovered by GetLoggedInUser: the account name, the expiry instant and the
// index of the database the token is bound to.
type JSONToken struct {
	// Username is the account the token was issued for.
	Username      string
	// Expiration is the instant after which the token is no longer valid;
	// presumably enforced by the server interceptors — confirm there.
	Expiration    time.Time
	// DatabaseIndex is the database the token is bound to (the
	// `database int64` argument of GenerateToken).
	DatabaseIndex int64
}

JSONToken is the data carried by a token: the username, the expiration time and the index of the database the token is bound to.

func GetLoggedInUser added in v0.7.0

func GetLoggedInUser(ctx context.Context) (*JSONToken, error)

GetLoggedInUser gets userdata from context

type Kind

// Kind is the authentication kind; see the Kind* constants. It is a distinct
// type from the untyped Permission* constants and must not be mixed with them.
type Kind uint32

Kind the authentication kind

// Authentication kinds. Unlike the Permission* constants these are typed
// (Kind), so a Kind value cannot be passed where a permission level is expected
// without an explicit conversion.
const (
	// KindNone: no authentication.
	KindNone Kind = iota
	// KindPassword: username/password authentication.
	KindPassword
	// KindCryptoSig: cryptographic-signature authentication.
	KindCryptoSig
)

Authentication kinds

type Permission added in v0.7.0

// Permission is a per-database access grant stored in User.Permissions and
// manipulated by GrantPermission/RevokePermission/HasPermission.
type Permission struct {
	Permission uint32 `json:"permission"` // access level; presumably one of this package's Permission* constants (the original comment's "PermissionW" is not declared here) — confirm against GrantPermission
	Database   string `json:"database"`   // name of the database this grant applies to
}

Permission per database

type TokenAuth

// TokenAuth carries a bearer token for use as gRPC per-RPC credentials: its
// GetRequestMetadata method returns the token to be placed in request
// metadata, and RequireTransportSecurity reports whether TLS is mandatory.
type TokenAuth struct {
	Token string // raw token value; sent as a Bearer credential in request metadata
}

TokenAuth authentication token data structure

func (TokenAuth) GetRequestMetadata

func (t TokenAuth) GetRequestMetadata(ctx context.Context, in ...string) (map[string]string, error)

GetRequestMetadata callback which returns the Bearer token to be set in request metadata

func (TokenAuth) RequireTransportSecurity

func (TokenAuth) RequireTransportSecurity() bool

RequireTransportSecurity callback which returns whether TLS is mandatory or not

type User

// User is a stored account: its username, salted password hash, per-database
// permissions and status flags. HashedPassword is produced by
// HashAndSaltPassword/SetPassword and verified with ComparePasswords.
// Note that HashedPassword has a JSON tag, so any marshalling of a User
// includes the hash — confirm that this form never leaves the server.
type User struct {
	Username       string       `json:"username"`
	// HashedPassword holds the salted hash, never the plaintext.
	HashedPassword []byte       `json:"hashedpassword"`
	// Permissions lists the per-database grants; unused for the sysadmin (see IsSysAdmin).
	Permissions    []Permission `json:"permissions"`
	Active         bool         `json:"active"`
	IsSysAdmin     bool         `json:"-"`         // sysadmin shortcut: set instead of adding every database and permission to Permissions, to save CPU; excluded from JSON
	CreatedBy      string       `json:"createdBy"` // user which created this user
	CreatedAt      time.Time    `json:"createdat"` // time at which this user was created/updated
}

User is a stored account: its username, salted password hash, per-database permissions and status flags.

func (*User) ComparePasswords

func (u *User) ComparePasswords(plainPassword []byte) error

ComparePasswords checks plainPassword against the user's stored HashedPassword, returning an error on mismatch.

func (*User) GrantPermission added in v0.7.0

func (u *User) GrantPermission(database string, permission uint32) bool

GrantPermission add permission to database

func (*User) HasAtLeastOnePermission added in v0.7.0

func (u *User) HasAtLeastOnePermission(permission uint32) bool

HasAtLeastOnePermission checks if user has this permission for at least one database

func (*User) HasPermission added in v0.7.0

func (u *User) HasPermission(database string, permission uint32) bool

HasPermission checks if user has such permission for this database

func (*User) RevokePermission added in v0.7.0

func (u *User) RevokePermission(database string) bool

RevokePermission revoke database permission from user

func (*User) SetPassword

func (u *User) SetPassword(plainPassword []byte) ([]byte, error)

SetPassword hashes and salts the password and assigns it to the HashedPassword field of User.

func (*User) WhichPermission added in v0.7.0

func (u *User) WhichPermission(database string) uint32

WhichPermission returns the permission that this user has on this database

type WrappedClientStream

// WrappedClientStream embeds a grpc.ClientStream so that its RecvMsg and
// SendMsg can be intercepted by this package; all other stream methods are
// delegated to the embedded stream.
type WrappedClientStream struct {
	grpc.ClientStream
}

WrappedClientStream wraps a grpc.ClientStream so that its RecvMsg and SendMsg can be intercepted.

func (*WrappedClientStream) RecvMsg

func (w *WrappedClientStream) RecvMsg(m interface{}) error

RecvMsg implements grpc.ClientStream.RecvMsg for the wrapped stream.

func (*WrappedClientStream) SendMsg

func (w *WrappedClientStream) SendMsg(m interface{}) error

SendMsg implements grpc.ClientStream.SendMsg for the wrapped stream.

type WrappedServerStream

// WrappedServerStream embeds a grpc.ServerStream so that its RecvMsg and
// SendMsg can be intercepted by this package (see ServerStreamInterceptor);
// all other stream methods are delegated to the embedded stream.
type WrappedServerStream struct {
	grpc.ServerStream
}

WrappedServerStream wraps a grpc.ServerStream so that its RecvMsg and SendMsg can be intercepted.

func (*WrappedServerStream) RecvMsg

func (w *WrappedServerStream) RecvMsg(m interface{}) error

RecvMsg implements grpc.ServerStream.RecvMsg for the wrapped stream.

func (*WrappedServerStream) SendMsg

func (w *WrappedServerStream) SendMsg(m interface{}) error

SendMsg implements grpc.ServerStream.SendMsg for the wrapped stream.
