pubtkt

package module
v0.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 3, 2024 License: Apache-2.0 Imports: 30 Imported by: 0

README

Go-auth-pubtkt

Important: This repository has been archived, it does contain some security issues which has not been addressed.

This A golang implementation of mod_auth_pubtkt with some enhancements (cookie encryption, optional check options...)

Usage

This can be used in two different ways:

  • As a middleware
  • As a lib (redirect will not be used, it will only check ticket)
As a middleware
package main

import (
	"github.com/efigence/go-auth-pubtkt"
	"net/http"
)

func main() {
	finalHandler := http.HandlerFunc(func(w http.ResponseWriter, req http.Request) {
		w.WriteHeader(200)

		ticket := pubtkt.TicketRequest(req)
		w.Write([]byte("you are logged as " + ticket.Uid))
	})
	pubtktHandler, err := pubtkt.NewAuthPubTktHandler(pubtkt.AuthPubTktOptions{
		TKTAuthPublicKey: "mypublic key",
	}, finalHandler)
	// you can also see handler option in https://github.com/efigence/go-auth-pubtkt/blob/master/middleware.go#L171-L203
	if err != nil {
		panic(err)
	}
	http.HandleFunc("/", pubtktHandler)
	http.ListenAndServe(":8080", nil)
}
As a lib
package main

import (
        "github.com/efigence/go-auth-pubtkt"
)

func main() {
    auth, err := pubtkt.NewAuthPubTkt(pubtkt.AuthPubTktOptions{
        TKTAuthPublicKey: "mypublic key",
        TKTAuthPrivateKey: "my private for signing",
        TKTAuthCookieName: "auth_pubtkt",
        TKTAuthHeader: []string{"Cookie"},
    })
    if err != nil {
        panic(err)
    }
    tkt := &pubtkt.Ticket{ 
       Uid: "myuser",
       Sig: "the_signature",
    }
    err = auth.SignTicket(tkt)
    if err != nil {
        panic(err)
    }
    err = auth.VerifyTicket(tkt, "")
    if err != nil {
        panic(err)
    }
    // if no error we can continue
    // you can also use
    // Verify ticket and pre-check from a request
    // VerifyFromRequest(*http.Request) (*Ticket, error)
    // Transform a request to a ticket (if found)
    // RequestToTicket(*http.Request) (*Ticket, error)
    // Transform an encoded ticket or plain ticket as a ticket strcture
    // RawToTicket(ticketStr string) (*Ticket, error)
    // Verify a ticket with signature, expiration, token (if set) and ip (against the provided ip and if TKTCheckIpEnabled option is true)
    // VerifyTicket(ticket *Ticket, clientIp string) error
    // Place ticket in request as requested in options
    // TicketInRequest(*http.Request, *Ticket) error
    // TicketInResponse(http.ResponseWriter, *Ticket) error
    // Transform a ticket to a plain or encrypted ticket data
    // TicketToRaw(ticket *Ticket) (string, error)
    // This will add a signature to the ticket with private key set with TKTAuthPrivateKey option
    // SignTicket(ticket *Ticket) error
}

Options

This implementation use the same options as you can found on mod_auth_pubtkt doc but with new features like:

  • Ticket encryption (options: TKTCypherTicketsWithPasswd and TKTCypherTicketsMethod)
  • Enable and disable check for IP (options: TKTCheckIpEnabled and TKTCheckXForwardedIp)

Here options you can set as pubtkt.AuthPubTktOptions:

type AuthPubTktOptions struct {
	// A DSA or RSA public key in PEM format
	// This public key will be used to verify ticket signatures
	TKTAuthPublicKey string
	// A DSA or RSA private key in PEM format
    // This private key will be used to create ticket signature
    // This is optional, only needed if you want sign ticket
    TKTAuthPrivateKey string
    // Domain to use when placing ticket as a cookie
    // E.G.: .example.com
    TKTAuthDomain string
    // Set to true if all your website use https and ticket is placed in a cookie
    TKTAuthSecureCookie bool
	// String indicating what digest algorithm to use when verifying ticket signatures
	// Valid values are SHA1, DSS1, SHA224, SHA256, SHA384, and SHA512
	// If not specified, the old defaults of SHA1 (for an RSA public key) or DSS1 (for a DSA public key) will be used.
	TKTAuthDigest string
	// URL that users without a valid ticket will be redirected to
	// The originally requested URL will be appended as a GET parameter (normally named "back", but can be changed with TKTAuthBackArgName)
	TKTAuthLoginURL string
	// URL that users whose ticket has expired will be redirected to
	// If not set, TKTAuthLoginURL is used
	TKTAuthTimeoutURL string
	// Same as TKTAuthTimeoutURL, but in case the request was a POST
	// If not set, TKTAuthTimeoutURL is used (and if that is not set either, TKTAuthLoginURL)
	TKTAuthPostTimeoutURL string
	// URL that users whose ticket doesn't contain any of the required tokens (as set with TKTAuthToken) will be redirected to
	TKTAuthUnauthURL string
	// URL that users whose ticket is within the grace period (as set with the graceperiod key in the ticket) before the actual expiry will be redirected to.
	// Only GET requests are redirected; POST requests are accepted normally. The script at this URL should check the ticket and issue a new one
	// If not set, TKTAuthLoginURL is used
	TKTAuthRefreshURL string
	// A space separated list of headers to use for finding the ticket (case insensitive).
	// If this header specified is Cookie then the format of the value expects to be a valid cookie (subject to the TKTAuthCookieName directive).
	// Any other header assumes the value is a simple URL-encoded value of the ticket.
	// The first header that has content is tried and any other tickets in other header(s) are ignored.
	// example, use Cookie first, fallback to X-My-Auth: TKTAuthHeader: []string{"Cookie", "X-My-Auth"}
	// Default: Cookie
	TKTAuthHeader []string
	// Name of the authentication cookie to use
	// Default: auth_pubtkt
	TKTAuthCookieName string
	// Name of the GET argument with the originally requested URL (when redirecting to the login page)
	// Default: back
	TKTAuthBackArgName string
	// only accept tickets in HTTPS requests
	// Default: false
	TKTAuthRequireSSL bool
	// token that must be present in a ticket for access to be granted
	// Multiple tokens may be specified; only one of them needs to be present in the ticket (i.e. any token can match, not all tokens need to match)
	TKTAuthToken []string
	// if on, a fake Authorization header will be added to each request (username from ticket, fixed string "password" as the password).
	// This can be used in reverse proxy situations, and to prevent PHP from stripping username information from the request (which would then not be available for logging purposes)
	// Default: false
	TKTAuthFakeBasicAuth bool
	// if on, the value from the ticket's "bauth" field will be added to the request as a Basic Authorization header.
	// This can be used in reverse proxy situations where one needs complete control over the username and password (see also TKTAuthFakeBasicAuth, which should not be used at the same time).
	// Default: false
	TKTAuthPassthruBasicAuth bool
	// if set, the bauth value will be decrypted using the given key before it is added to the Authorization header.
	// length must be exactly 16 characters (AES 128)
	TKTAuthPassthruBasicKey string
	// If set it will crypt/encrypt the cookie or the content of the header with this passphrase (not a key but a passphrase like in openssl)
	TKTCypherTicketsWithPasswd string
	// Method of encryption under aes, it can be either cbc or ecb
	TKTCypherTicketsMethod string
	// If true it will check if ip which created the token is the correct ip who use it
	// Default: false
	TKTCheckIpEnabled bool
	// If true and TKTCheckIpEnabled is true it will check ip from header X-Forwarded-For instead client remote ip
	// default: false
	TKTCheckXForwardedIp bool
}

Note: Disclaimer about TKTCypherTicketsMethod with the ecb method, orange forked mod_auth_pubtkt to add ticket encryption and use ecb method, you must always choose to use cbc method if you want to use apache plugin from original pubtkt

Documentation

Index

Constants

View Source
const (
	Hsha1   hashMethod = "sha1"
	Hsha224 hashMethod = "sha224"
	Hsha256 hashMethod = "sha256"
	Hsha384 hashMethod = "sha384"
	Hsha512 hashMethod = "sha512"
)
View Source
const (
	KeyAlgoRSA      = "ssh-rsa"
	KeyAlgoDSA      = "ssh-dss"
	KeyAlgoECDSA256 = "ecdsa-sha2-nistp256"
	KeyAlgoECDSA384 = "ecdsa-sha2-nistp384"
	KeyAlgoECDSA521 = "ecdsa-sha2-nistp521"
	KeyAlgoED25519  = "ssh-ed25519"
)

These constants represent the algorithm names for key types supported by this package.

View Source
const (
	SigAlgoRSA        = "ssh-rsa"
	SigAlgoRSASHA2256 = "rsa-sha2-256"
	SigAlgoRSASHA2512 = "rsa-sha2-512"
)

These constants represent non-default signature algorithms that are supported as algorithm parameters to AlgorithmSigner.SignWithAlgorithm methods. See [PROTOCOL.agent] section 4.5.1 and https://tools.ietf.org/html/draft-ietf-curdle-rsa-sha2-10

Variables

View Source
var (
	// ErrInvalidBlockSize indicates hash blocksize <= 0.
	ErrInvalidBlockSize = errors.New("invalid blocksize")

	// ErrInvalidPKCS7Data indicates bad input to PKCS7 pad or unpad.
	ErrInvalidPKCS7Data = errors.New("invalid PKCS7 data (empty or not padded)")

	// ErrInvalidPKCS7Padding indicates PKCS7 unpad fails to bad input.
	ErrInvalidPKCS7Padding = errors.New("invalid padding on input")
)
View Source
var TimeNowFunc = func() time.Time {
	return time.Now()
}

Functions

func BauthDecrypt

func BauthDecrypt(bauth, keyStr string) (string, error)

func BauthEncrypt

func BauthEncrypt(plainData, keyStr string) (string, error)

func FindHash

func FindHash(hashStr string) (hash.Hash, crypto.Hash, error)

func FingerprintLegacyMD5

func FingerprintLegacyMD5(pubKey PublicKey) string

FingerprintLegacyMD5 returns the user presentation of the key's fingerprint as described by RFC 4716 section 4.

func FingerprintSHA256

func FingerprintSHA256(pubKey PublicKey) string

FingerprintSHA256 returns the user presentation of the key's fingerprint as unpadded base64 encoded sha256 hash. This format was introduced from OpenSSH 6.8. https://www.openssh.com/txt/release-6.8 https://tools.ietf.org/html/rfc4648#section-3.2 (unpadded base64 encoding)

func MarshalAuthorizedKey

func MarshalAuthorizedKey(key PublicKey) []byte

MarshalAuthorizedKey serializes key for inclusion in an OpenSSH authorized_keys file. The return value ends with newline.

func NewECBDecrypter

func NewECBDecrypter(b cipher.Block) cipher.BlockMode

func NewECBEncrypter

func NewECBEncrypter(b cipher.Block) cipher.BlockMode

func NewErrGracePeriodExpired

func NewErrGracePeriodExpired() error

func NewErrNoSSl

func NewErrNoSSl() error

func NewErrNoSig

func NewErrNoSig() error

func NewErrNoTicket

func NewErrNoTicket() error

func NewErrNoValidToken

func NewErrNoValidToken() error

func NewErrSigNotValid

func NewErrSigNotValid(prevErrors ...error) error

func NewErrValidationExpired

func NewErrValidationExpired() error

func NewErrWrongIp

func NewErrWrongIp() error

func ParseDSAPrivateKey

func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error)

ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as specified by the OpenSSL DSA man page.

func ParseRawPrivateKey

func ParseRawPrivateKey(pemBytes []byte) (interface{}, error)

ParseRawPrivateKey returns a private key from a PEM encoded private key. It supports RSA (PKCS#1), PKCS#8, DSA (OpenSSL), and ECDSA private keys.

func ParseRawPrivateKeyWithPassphrase

func ParseRawPrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (interface{}, error)

ParseRawPrivateKeyWithPassphrase returns a private key decrypted with passphrase from a PEM encoded private key. If wrong passphrase, return x509.IncorrectPasswordError.

Types

type AlgorithmSigner

type AlgorithmSigner interface {
	Signer

	// SignWithAlgorithm is like Signer.Sign, but allows specification of a
	// non-default signing algorithm. See the SigAlgo* constants in this
	// package for signature algorithms supported by this package. Callers may
	// pass an empty string for the algorithm in which case the AlgorithmSigner
	// will use its default algorithm.
	SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*ssh.Signature, error)
}

A AlgorithmSigner is a Signer that also supports specifying a specific algorithm to use for signing.

type AuthPubTkt

type AuthPubTkt interface {
	// VerifyFromRequest Verify ticket and pre-check from a request
	VerifyFromRequest(*http.Request) (*Ticket, error)
	// RequestToTicket Transform a request to a ticket (if found)
	RequestToTicket(*http.Request) (*Ticket, error)
	// TicketInRequest Place ticket in request as requested in options
	TicketInRequest(*http.Request, *Ticket) error
	// TicketInResponse Place ticket in response writer as requested in options
	TicketInResponse(http.ResponseWriter, *Ticket) error
	// TicketInHeader Place ticket in http headers as requested in options
	TicketInHeader(inHeader http.Header, ticket *Ticket) error
	// RawToTicket Transform an encoded ticket or plain ticket as a ticket structure
	RawToTicket(ticketStr string) (*Ticket, error)
	// TicketToRaw Transform a ticket to a plain or encrypted ticket data
	TicketToRaw(ticket *Ticket) (string, error)
	// VerifyTicket Verify a ticket with signature, expiration, token (if set) and ip (against the provided ip and if TKTCheckIpEnabled option is true)
	VerifyTicket(ticket *Ticket, clientIp string) error
	// SignTicket This will add a signature to the ticket with private key set with TKTAuthPrivateKey option
	SignTicket(ticket *Ticket) error
}

func NewAuthPubTkt

func NewAuthPubTkt(options AuthPubTktOptions) (AuthPubTkt, error)

type AuthPubTktContextKey

type AuthPubTktContextKey int

type AuthPubTktHandler

type AuthPubTktHandler struct {
	// contains filtered or unexported fields
}

func NewAuthPubTktHandler

func NewAuthPubTktHandler(options AuthPubTktOptions, next http.Handler, handlerOpts ...AuthPubTktHandlerOption) (*AuthPubTktHandler, error)

func (AuthPubTktHandler) ServeHTTP

func (h AuthPubTktHandler) ServeHTTP(w http.ResponseWriter, req *http.Request)

func (AuthPubTktHandler) WriteBasicAuth

func (h AuthPubTktHandler) WriteBasicAuth(ticket *Ticket, req *http.Request) error

type AuthPubTktHandlerOption

type AuthPubTktHandlerOption func(*AuthPubTktHandler) error

func PanicOnError

func PanicOnError() AuthPubTktHandlerOption

PanicOnError - If used unrecognized error send a panic instead

func SetCreateAuthPubTktFunc

func SetCreateAuthPubTktFunc(fn func(options AuthPubTktOptions) (AuthPubTkt, error)) AuthPubTktHandlerOption

func SetStatus

func SetStatus(statusText string, statusCode int) AuthPubTktHandlerOption

SetStatus Customize status text and status code when an unrecognized error occurred in request response

func ShowErrorDetails

func ShowErrorDetails() AuthPubTktHandlerOption

ShowErrorDetails If used error details will be written in request response

type AuthPubTktImpl

type AuthPubTktImpl struct {
	// contains filtered or unexported fields
}

func (AuthPubTktImpl) RawToTicket

func (a AuthPubTktImpl) RawToTicket(ticketStr string) (*Ticket, error)

func (AuthPubTktImpl) RequestToTicket

func (a AuthPubTktImpl) RequestToTicket(req *http.Request) (*Ticket, error)

func (AuthPubTktImpl) SignTicket

func (a AuthPubTktImpl) SignTicket(ticket *Ticket) error

func (AuthPubTktImpl) TicketInHeader

func (a AuthPubTktImpl) TicketInHeader(inHeader http.Header, ticket *Ticket) error

func (AuthPubTktImpl) TicketInRequest

func (a AuthPubTktImpl) TicketInRequest(req *http.Request, ticket *Ticket) error

func (AuthPubTktImpl) TicketInResponse

func (a AuthPubTktImpl) TicketInResponse(resp http.ResponseWriter, ticket *Ticket) error

func (AuthPubTktImpl) TicketToRaw

func (a AuthPubTktImpl) TicketToRaw(ticket *Ticket) (string, error)

func (AuthPubTktImpl) VerifyFromRequest

func (a AuthPubTktImpl) VerifyFromRequest(req *http.Request) (*Ticket, error)

func (AuthPubTktImpl) VerifyTicket

func (a AuthPubTktImpl) VerifyTicket(ticket *Ticket, clientIp string) error

type AuthPubTktOptions

type AuthPubTktOptions struct {
	// A DSA or RSA public key in PEM format
	// This public key will be used to verify ticket signatures
	TKTAuthPublicKey string
	// A DSA or RSA private key in PEM format
	// This private key will be used to create ticket signature
	// This is optional, only needed if you want sign ticket
	TKTAuthPrivateKey string
	// Domain to use when placing ticket as a cookie
	// E.G.: .example.com
	TKTAuthDomain string
	// Set to true if all your website use https and ticket is placed in a cookie
	TKTAuthSecureCookie bool
	// String indicating what digest algorithm to use when verifying ticket signatures
	// Valid values are SHA1, DSS1, SHA224, SHA256, SHA384, and SHA512
	// If not specified, the old defaults of SHA1 (for an RSA public key) or DSS1 (for a DSA public key) will be used.
	TKTAuthDigest string
	// URL that users without a valid ticket will be redirected to
	// The originally requested URL will be appended as a GET parameter (normally named "back", but can be changed with TKTAuthBackArgName)
	TKTAuthLoginURL string
	// URL that users whose ticket has expired will be redirected to
	// If not set, TKTAuthLoginURL is used
	TKTAuthTimeoutURL string
	// Same as TKTAuthTimeoutURL, but in case the request was a POST
	// If not set, TKTAuthTimeoutURL is used (and if that is not set either, TKTAuthLoginURL)
	TKTAuthPostTimeoutURL string
	// URL that users whose ticket doesn't contain any of the required tokens (as set with TKTAuthToken) will be redirected to
	TKTAuthUnauthURL string
	// URL that users whose ticket is within the grace period (as set with the `graceperiod` key in the ticket) before the actual expiry will be redirected to.
	// Only GET requests are redirected; POST requests are accepted normally. The script at this URL should check the ticket and issue a new one
	// If not set, TKTAuthLoginURL is used
	TKTAuthRefreshURL string
	// A space separated list of headers to use for finding the ticket (case-insensitive).
	// If this header specified is Cookie then the format of the value expects to be a valid cookie (subject to the TKTAuthCookieName directive).
	// Any other header assumes the value is a simple URL-encoded value of the ticket.
	// The first header that has content is tried and any other tickets in other header(s) are ignored.
	// example, use Cookie first, fallback to X-My-Auth: TKTAuthHeader: []string{"Cookie", "X-My-Auth"}
	// Default: Cookie
	TKTAuthHeader []string
	// Name of the authentication cookie to use
	// Default: auth_pubtkt
	TKTAuthCookieName string
	// Name of the GET argument with the originally requested URL (when redirecting to the login page)
	// Default: back
	TKTAuthBackArgName string
	// only accept tickets in HTTPS requests
	// Default: false
	TKTAuthRequireSSL bool
	// token that must be present in a ticket for access to be granted
	// Multiple tokens may be specified; only one of them needs to be present in the ticket (i.e. any token can match, not all tokens need to match)
	TKTAuthToken []string
	// if on, a fake Authorization header will be added to each request (username from ticket, fixed string "password" as the password).
	// This can be used in reverse proxy situations, and to prevent PHP from stripping username information from the request (which would then not be available for logging purposes)
	// Default: false
	TKTAuthFakeBasicAuth bool
	// if on, the value from the ticket's "bauth" field will be added to the request as a Basic Authorization header.
	// This can be used in reverse proxy situations where one needs complete control over the username and password (see also TKTAuthFakeBasicAuth, which should not be used at the same time).
	// Default: false
	TKTAuthPassthruBasicAuth bool
	// if set, the bauth value will be decrypted using the given key before it is added to the Authorization header.
	// length must be exactly 16 characters (AES 128)
	TKTAuthPassthruBasicKey string
	// If set it will crypt/encrypt the cookie with this passphrase (not a key but a passphrase like in openssl)
	TKTCypherTicketsWithPasswd string
	// Method of encryption under aes, it can be either cbc or ecb
	TKTCypherTicketsMethod string
	// If true it will check if ip which created the token is the correct ip who use it
	// Default: false
	TKTCheckIpEnabled bool
	// If true and TKTCheckIpEnabled is true it will check ip from header X-Forwarded-For instead client remote ip
	// default: false
	TKTCheckXForwardedIp bool
}

type EncMethod

type EncMethod string
const (
	MethodEcb EncMethod = "ECB"
	MethodCbc EncMethod = "CBC"
)

type ErrGracePeriodExpired

type ErrGracePeriodExpired string

func (ErrGracePeriodExpired) Error

func (e ErrGracePeriodExpired) Error() string

type ErrNoSSl

type ErrNoSSl string

func (ErrNoSSl) Error

func (e ErrNoSSl) Error() string

type ErrNoSig

type ErrNoSig string

func (ErrNoSig) Error

func (e ErrNoSig) Error() string

type ErrNoTicket

type ErrNoTicket string

func (ErrNoTicket) Error

func (e ErrNoTicket) Error() string

type ErrNoValidToken

type ErrNoValidToken string

func (ErrNoValidToken) Error

func (e ErrNoValidToken) Error() string

type ErrSigNotValid

type ErrSigNotValid string

func (ErrSigNotValid) Error

func (e ErrSigNotValid) Error() string

type ErrValidationExpired

type ErrValidationExpired string

func (ErrValidationExpired) Error

func (e ErrValidationExpired) Error() string

type ErrWrongIp

type ErrWrongIp string

func (ErrWrongIp) Error

func (e ErrWrongIp) Error() string

type OpenSSL

type OpenSSL struct {
	// contains filtered or unexported fields
}

func NewOpenSSL

func NewOpenSSL() *OpenSSL

func (OpenSSL) DecryptString

func (o OpenSSL) DecryptString(passphrase, encryptedBase64String string, method EncMethod) ([]byte, error)

DecryptString - Decrypt string that was encrypted using OpenSSL and AES-256-CBC or AES-256-ECB

func (OpenSSL) EncryptString

func (o OpenSSL) EncryptString(passphrase, plainData string, method EncMethod) ([]byte, error)

EncryptString - Encrypt string that as OpenSSL like with AES-256-CBC or AES-256-ECB

func (OpenSSL) GenerateSalt

func (o OpenSSL) GenerateSalt() ([]byte, error)

type OpenSSLCreds

type OpenSSLCreds struct {
	// contains filtered or unexported fields
}

type PublicKey

type PublicKey interface {
	// Type returns the key's type, e.g. "ssh-rsa".
	Type() string

	// Marshal returns the serialized key data in SSH wire format,
	// with the name prefix. To unmarshal the returned data, use
	// the ParsePublicKey function.
	Marshal() []byte

	// Verify that sig is a signature on the given data using this
	// key. This function will hash the data appropriately first.
	Verify(data []byte, sig *ssh.Signature) error
}

PublicKey is an abstraction of different types of public keys.

func NewPublicKey

func NewPublicKey(key interface{}) (PublicKey, error)

func ParseAuthorizedKey

func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error)

ParseAuthorizedKey - parses a public key from an authorized_keys file used in OpenSSH according to the sshd(8) manual page.

type Signer

type Signer interface {
	// PublicKey returns an associated PublicKey instance.
	PublicKey() PublicKey

	// Sign returns raw signature for the given data. This method
	// will apply the hash specified for the keytype to the data.
	Sign(rand io.Reader, data []byte) (*ssh.Signature, error)
}

A Signer can create signatures that verify against a public key.

func NewSignerFromKey

func NewSignerFromKey(key interface{}) (Signer, error)

NewSignerFromKey takes an *rsa.PrivateKey, *dsa.PrivateKey, *ecdsa.PrivateKey or any other crypto.Signer and returns a corresponding Signer instance. ECDSA keys must use P-256, P-384 or P-521. DSA keys must use parameter size L1024N160.

func NewSignerFromSigner

func NewSignerFromSigner(signer crypto.Signer) (Signer, error)

NewSignerFromSigner takes any crypto.Signer implementation and returns a corresponding Signer interface. This can be used, for example, with keys kept in hardware modules.

func ParsePrivateKey

func ParsePrivateKey(pemBytes []byte) (Signer, error)

ParsePrivateKey returns a Signer from a PEM encoded private key. It supports the same keys as ParseRawPrivateKey.

func ParsePrivateKeyWithPassphrase

func ParsePrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (Signer, error)

ParsePrivateKeyWithPassphrase returns a Signer from a PEM encoded private key and passphrase. It supports the same keys as ParseRawPrivateKeyWithPassphrase.

type Ticket

type Ticket struct {
	Uid         string    `mapstructure:"uid"`
	Cip         string    `mapstructure:"cip"`
	Bauth       string    `mapstructure:"bauth"`
	Validuntil  time.Time `mapstructure:"validuntil"`
	Graceperiod time.Time `mapstructure:"graceperiod"`
	Tokens      []string  `mapstructure:"tokens"`
	Udata       string    `mapstructure:"udata"`
	Sig         string    `mapstructure:"sig"`
	RawData     string    `mapstructure:"-"`
}

func ParseTicket

func ParseTicket(ticketStr string) (*Ticket, error)

func TicketRequest

func TicketRequest(req *http.Request) *Ticket

func (Ticket) DataString

func (t Ticket) DataString() string

func (Ticket) String

func (t Ticket) String() string

Directories

Path Synopsis
Code generated by counterfeiter.
Code generated by counterfeiter.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL