auth

package
v1.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 4, 2023 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

View Source
const ValidStateDuration = 30 * time.Second

ValidStateDuration is the amount of time before the state is considered expired. This will be replaced by an expiration in a JWT token in a future review.

Variables

View Source
var ErrBadAuthorizationValue = errors.New("bad authorization value provided")

ErrBadAuthorizationValue error thrown when the authorization header value is in wrong format

View Source
var ErrHostArgNotFound = errors.New("host arg not found")

ErrSSLArgNotFound error thrown when the host arg has not been provided by HAProxy

View Source
var ErrNoCredential = errors.New("no credentials provided")

ErrNoCredential error thrown when no credentials are provided with the request

View Source
var ErrOIDCClientConfigNotFound = errors.New("no OIDC client found for this domain")

ErrOIDCClientConfigNotFound error thrown when there is no client config related to a given domain

View Source
var ErrPathqArgNotFound = errors.New("pathq arg not found")

ErrSSLArgNotFound error thrown when the pathq arg has not been provided by HAProxy

View Source
var ErrSSLArgNotFound = errors.New("SSL arg not found")

ErrSSLArgNotFound error thrown when the ssl arg has not been provided by HAProxy

View Source
var ErrTooManyUsersMatching = errors.New("there are too many user matching this request")

ErrTooManyUsersMatching error thrown when too many users are retrieved upon LDAP search

View Source
var ErrUserDoesntExist = errors.New("user does not exist")

ErrUserDoesntExist error thrown when provided user does not exist

View Source
var ErrWrongCredentials = errors.New("wrong credentials")

ErrWrongCredentials error thrown when credentials provided by user are wrong

View Source
var ErrorPageTemplate = `` /* 133-byte string literal not displayed */

ErrorPage is a template used in the case the final redirection cannot happen due to the bad signature of the original URL

View Source
var LogoutPageTemplate = `<html>
<head><title>Logout</title></head>
<body>You have been logged out successfully.</body>
</html>`

LogoutPage is an HTML content stating the user has been logged out successfully

View Source
var NonceLength = 12

NonceLength the length of the nonce to use

View Source
var RedirectPageTemplate = `` /* 168-byte string literal not displayed */

RedirectPage is a template used for the final redirection

Functions

func BuildHasErrorMessage

func BuildHasErrorMessage() spoe.ActionSetVar

BuildHasErrorMessage build a message stating an error was thrown in SPOE agent

func BuildRedirectURLMessage

func BuildRedirectURLMessage(url string) spoe.ActionSetVar

BuildRedirectURLMessage build a message containing the URL the user should be redirected too

Types

type AESEncryptor

type AESEncryptor struct {
	Key []byte
	// contains filtered or unexported fields
}

AESEncryptor represent an encryptor leveraging AES-GCM. GCM mode operation is used to ensure the encryption is authenticated.

func NewAESEncryptor

func NewAESEncryptor(secret string) *AESEncryptor

NewAESEncryptor create an instance of the AESEncryptor

func (*AESEncryptor) Decrypt

func (ae *AESEncryptor) Decrypt(securemess string) (string, error)

Decrypt a payload

func (*AESEncryptor) Encrypt

func (ae *AESEncryptor) Encrypt(message string) (string, error)

Encrypt a payload

type Authenticator

type Authenticator interface {
	// Check whether the user is authenticated by this authenticator
	Authenticate(msg *spoe.Message) (bool, []spoe.Action, error)
}

Authenticator the authenticator interface that can be implemented for LDAP, OAuth2, OIDC or whatever else.

type HmacSha256Computer

type HmacSha256Computer struct {
	// contains filtered or unexported fields
}

HmacSha256Computer represent a producer and verifier of HMAC SHA256 signatures SHA256 is prefered over SHA1 for the security margin it implies but both would be ok at this time even if SHA1 is known to be vulnerable to collision attacks.

func NewHmacSha256Computer

func NewHmacSha256Computer(secret string) *HmacSha256Computer

NewHmacSha256Computer create an instance of HMAC SHA256 computer

func (*HmacSha256Computer) ProduceSignature

func (hsc *HmacSha256Computer) ProduceSignature(data []byte) string

ProduceSignature produce a signature for the given data

type LDAPAuthenticator

type LDAPAuthenticator struct {
	// contains filtered or unexported fields
}

LDAPAuthenticator is the LDAP implementation of the Authenticator interface

func NewLDAPAuthenticator

func NewLDAPAuthenticator(options LDAPConnectionDetails) *LDAPAuthenticator

NewLDAPAuthenticator create an instance of a LDAP authenticator

func (*LDAPAuthenticator) Authenticate

func (la *LDAPAuthenticator) Authenticate(msg *spoe.Message) (bool, []spoe.Action, error)

Authenticate handle an authentication request coming from HAProxy

type LDAPConnectionDetails

type LDAPConnectionDetails struct {
	URI        string
	Port       int
	UserDN     string
	Password   string
	BaseDN     string
	UserFilter string
	VerifyTLS  bool
}

LDAPConnectionDetails represents the connection details

type OAuth2AuthenticatorOptions

type OAuth2AuthenticatorOptions struct {
	Endpoints            oauth2.Endpoint
	RedirectCallbackPath string
	LogoutPath           string
	HealthCheckPath      string

	// This is used to sign the redirection URL
	SignatureSecret string

	CookieName   string
	CookieSecure bool
	CookieTTL    time.Duration

	// The addr interface the callback will be exposed on.
	CallbackAddr string

	// The object retrieving the OIDC client configuration from the given domain
	ClientsStore OIDCClientsStore
}

OAuth2AuthenticatorOptions options to customize to the OAuth2 authenticator

type OIDCAuthenticator

type OIDCAuthenticator struct {
	// contains filtered or unexported fields
}

OIDCAuthenticator is the OIDC implementation of the Authenticator interface

func NewOIDCAuthenticator

func NewOIDCAuthenticator(options OIDCAuthenticatorOptions) *OIDCAuthenticator

NewOIDCAuthenticator create an instance of an OIDC authenticator

func (*OIDCAuthenticator) Authenticate

func (oa *OIDCAuthenticator) Authenticate(msg *spoe.Message) (bool, []spoe.Action, error)

Authenticate treat an authentication request coming from HAProxy

type OIDCAuthenticatorOptions

type OIDCAuthenticatorOptions struct {
	OAuth2AuthenticatorOptions

	// The URL to the OIDC provider exposing the configuration
	ProviderURL string

	// This is used to encrypt the ID Token returned by the IdP.
	EncryptionSecret string
}

OIDCAuthenticatorOptions options to customize to the OIDC authenticator

type OIDCClientConfig

type OIDCClientConfig struct {
	ClientID     string `mapstructure:"client_id"`
	ClientSecret string `mapstructure:"client_secret"`
	RedirectURL  string `mapstructure:"redirect_url"`
}

type OIDCClientsStore

type OIDCClientsStore interface {
	// Retrieve the client_id and client_secret based on the domain
	GetClient(domain string) (*OIDCClientConfig, error)
}

type SignatureProducer

type SignatureProducer interface {
	ProduceSignature(data []byte) []byte
}

SignatureProducer produces a signature

type SignatureVerifier

type SignatureVerifier interface {
	VerifySignature(signature []byte) bool
}

SignatureVerifier verify a signature

type State

type State struct {
	Timestamp          time.Time
	Signature          string
	PathAndQueryString string
	SSL                bool
}

State the content of the state

type StaticOIDCClientsStore

type StaticOIDCClientsStore struct {
	// contains filtered or unexported fields
}

func NewStaticOIDCClientStore

func NewStaticOIDCClientStore(config map[string]OIDCClientConfig) *StaticOIDCClientsStore

func (*StaticOIDCClientsStore) GetClient

func (ocf *StaticOIDCClientsStore) GetClient(domain string) (*OIDCClientConfig, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL