sasl

v0.0.0-...-843ee25
Published: Jan 19, 2018 License: MIT Imports: 4 Imported by: 2

README

go-sasl

-- pure Go SASL implementation for the Thrift SASL transport

Documentation

Constants

const (
	// SaslPropertyQop is a property that specifies the quality-of-protection to use.
	// The property contains a comma-separated, ordered list
	// of quality-of-protection values that the
	// client or server is willing to support.  A qop value is one of
	//
	// "auth" - authentication only
	// "auth-int" - authentication plus integrity protection
	// "auth-conf" - authentication plus integrity and confidentiality protection
	//
	// The order of the list specifies the preference order of the client or
	// server. If this property is absent, the default qop is "auth".
	// The value of this constant is "golang.security.sasl.qop".
	SaslPropertyQop = "golang.security.sasl.qop"

	// SaslPropertyStrength is a property that specifies the cipher strength to use.
	// The property contains a comma-separated, ordered list
	// of cipher strength values that
	// the client or server is willing to support. A strength value is one of
	//
	// "low", "medium", "high"
	//
	// The order of the list specifies the preference order of the client or
	// server.  An implementation should allow configuration of the meaning
	// of these values.  An application may use the Java Cryptography
	// Extension (JCE) with JCE-aware mechanisms to control the selection of
	// cipher suites that match the strength values.
	// If this property is absent, the default strength is
	// "high,medium,low".
	// The value of this constant is "golang.security.sasl.strength".
	SaslPropertyStrength = "golang.security.sasl.strength"

	// SaslPropertyServerAuth is a property that specifies whether the
	// server must authenticate to the client. The property contains
	// "true" if the server must authenticate to the client;
	// "false" otherwise. The default is "false". The value of this
	// constant is "golang.security.sasl.server.authentication".
	SaslPropertyServerAuth = "golang.security.sasl.server.authentication"

	// SaslPropertyBoundServerName is a property that specifies the bound server name for
	// an unbound server. A server is created as an unbound server by setting
	// the serverName argument in CreateSaslServer as nil.
	// The property contains the bound host name after the authentication
	// exchange has completed. It is only available on the server side.
	// The value of this constant is
	// "golang.security.sasl.bound.server.name".
	SaslPropertyBoundServerName = "golang.security.sasl.bound.server.name"

	// SaslPropertyMaxBuffer is a property that specifies the maximum size of the receive
	// buffer in bytes of SaslClient/SaslServer.
	// The property contains the string representation of an integer.
	// If this property is absent, the default size
	// is defined by the mechanism.
	// The value of this constant is "golang.security.sasl.maxbuffer".
	SaslPropertyMaxBuffer = "golang.security.sasl.maxbuffer"

	// SaslPropertyRawSendSize is a property that specifies the maximum size of the raw send
	// buffer in bytes of SaslClient/SaslServer.
	// The property contains the string representation of an integer.
	// The value of this property is negotiated between the client and server
	// during the authentication exchange.
	// The value of this constant is "golang.security.sasl.rawsendsize".
	SaslPropertyRawSendSize = "golang.security.sasl.rawsendsize"

	// SaslPropertyReuse is a property that specifies whether to reuse previously
	// authenticated session information. The property contains "true" if the
	// mechanism implementation may attempt to reuse previously authenticated
	// session information; it contains "false" if the implementation must
	// not reuse previously authenticated session information.  A setting of
	// "true" serves only as a hint: it does not necessarily entail actual
	// reuse because reuse might not be possible due to a number of reasons,
	// including, but not limited to, lack of mechanism support for reuse,
	// expiration of reusable information, and the peer's refusal to support
	// reuse.
	//
	// The property's default value is "false".  The value of this constant
	// is "golang.security.sasl.reuse".
	//
	// Note that all other parameters and properties required to create a
	// SASL client/server instance must be provided regardless of whether
	// this property has been supplied. That is, you cannot supply any less
	// information in anticipation of reuse.
	//
	// Mechanism implementations that support reuse might allow customization
	// of its implementation, for factors such as cache size, timeouts, and
	// criteria for reusability. Such customizations are
	// implementation-dependent.
	SaslPropertyReuse = "golang.security.sasl.reuse"

	// SaslPropertyPolicyNoPlainText is a property that specifies
	// whether mechanisms susceptible to simple plain passive attacks (e.g.,
	// "PLAIN") are not permitted. The property
	// contains "true" if such mechanisms are not permitted;
	// "false" if such mechanisms are permitted.
	// The default is "false". The value of this constant is
	// "golang.security.sasl.policy.noplaintext".
	SaslPropertyPolicyNoPlainText = "golang.security.sasl.policy.noplaintext"

	// SaslPropertyPolicyNoActive is a property that specifies whether
	// mechanisms susceptible to active (non-dictionary) attacks
	// are not permitted. The property contains "true"
	// if mechanisms susceptible to active attacks
	// are not permitted; "false" if such mechanisms are permitted.
	// The default is "false". The value of this constant is
	// "golang.security.sasl.policy.noactive".
	SaslPropertyPolicyNoActive = "golang.security.sasl.policy.noactive"

	// SaslPropertyPolicyNoDictionary is a property that specifies whether
	// mechanisms susceptible to passive dictionary attacks are not permitted.
	// The property contains "true"
	// if mechanisms susceptible to dictionary attacks are not permitted;
	// "false" if such mechanisms are permitted.
	// The default is "false". The value of this constant is
	// "golang.security.sasl.policy.nodictionary".
	SaslPropertyPolicyNoDictionary = "golang.security.sasl.policy.nodictionary"

	// SaslPropertyPolicyNoAnonymous is a property that specifies whether mechanisms that accept
	// anonymous login are not permitted. The property contains "true"
	// if mechanisms that accept anonymous login are not permitted;
	// "false"
	// if such mechanisms are permitted. The default is "false".
	// The value of this constant is
	// "golang.security.sasl.policy.noanonymous".
	SaslPropertyPolicyNoAnonymous = "golang.security.sasl.policy.noanonymous"

	// SaslPropertyPolicyForwardSecrecy is a property that specifies whether mechanisms that implement
	// forward secrecy between sessions are required. Forward secrecy
	// means that breaking into one session will not automatically
	// provide information for breaking into future sessions.
	// The property contains "true" if mechanisms that implement forward secrecy
	// between sessions are required; "false" if such mechanisms
	// are not required. The default is "false".
	// The value of this constant is
	// "golang.security.sasl.policy.forward".
	SaslPropertyPolicyForwardSecrecy = "golang.security.sasl.policy.forward"

	// SaslPropertyPolicyPassCredentials is a property that specifies whether
	// mechanisms that pass client credentials are required. The property
	// contains "true" if mechanisms that pass
	// client credentials are required; "false"
	// if such mechanisms are not required. The default is "false".
	// The value of this constant is
	// "golang.security.sasl.policy.credentials".
	SaslPropertyPolicyPassCredentials = "golang.security.sasl.policy.credentials"

	// SaslPropertyCredentials is a property that specifies the credentials to use.
	// The property contains a mechanism-specific golang credential object.
	// Mechanism implementations may examine the value of this property
	// to determine whether it is a class that they support.
	// The property may be used to supply credentials to a mechanism that
	// supports delegated authentication.
	// The value of this constant is
	// "golang.security.sasl.credentials".
	SaslPropertyCredentials = "golang.security.sasl.credentials"
)
const (
	SASL_LOGGER_NAME          = "golang.security.sasl"
	MAX_SEND_BUF              = "golang.security.sasl.sendmaxbuffer"
	NO_PROTECTION             = byte(1)
	INTEGRITY_ONLY_PROTECTION = byte(2)
	PRIVACY_PROTECTION        = byte(4)
	LOW_STRENGTH              = byte(1)
	MEDIUM_STRENGTH           = byte(2)
	HIGH_STRENGTH             = byte(4)
)

Variables

var (
	DEFAULT_QOP      = []byte{NO_PROTECTION}
	QOP_TOKENS       = []string{"auth-conf", "auth-int", "auth"}
	QOP_MASKS        = []byte{PRIVACY_PROTECTION, INTEGRITY_ONLY_PROTECTION, NO_PROTECTION}
	DEFAULT_STRENGTH = []byte{HIGH_STRENGTH, MEDIUM_STRENGTH, LOW_STRENGTH}
	STRENGTH_TOKENS  = []string{"low", "medium", "high"}
	STRENGTH_MASKS   = []byte{LOW_STRENGTH, MEDIUM_STRENGTH, HIGH_STRENGTH}
)
var (
	// SEP is US-ASCII <NUL>
	SEP byte
)

Functions

This section is empty.

Types

type Client

type Client interface {
	// Returns the IANA-registered mechanism name of this SASL client.
	// (e.g. "CRAM-MD5", "GSSAPI").
	GetMechanismName() string

	// Determines whether this mechanism has an optional initial response.
	// If true, caller should call EvaluateChallenge() with an
	// empty array to get the initial response.
	HasInitialResponse() bool

	// Evaluates the challenge data and generates a response.
	// If a challenge is received from the server during the authentication
	// process, this method is called to prepare an appropriate next
	// response to submit to the server.
	// The challenge array may have zero length.
	// The response to send to the server may have zero length.
	// It is nil if the challenge accompanied a "SUCCESS" status and the challenge
	// only contains data for the client to update its state and no response
	// needs to be sent to the server. The response is a zero-length byte
	// array if the client is to send a response with no data.
	EvaluateChallenge(challenge []byte) ([]byte, error)

	// Determines whether the authentication exchange has completed.
	// This method may be called at any time, but typically, it
	// will not be called until the caller has received indication
	// from the server (in a protocol-specific manner) that the exchange has completed.
	IsComplete() bool

	// Unwraps a byte array received from the server.
	// This method can be called only after the authentication exchange has
	// completed (i.e., when IsComplete() returns true) and only if
	// the authentication exchange has negotiated integrity and/or privacy
	// as the quality of protection; otherwise, an error is returned.
	Unwrap(incoming []byte, offset, len int) ([]byte, error)

	// Wraps a byte array to be sent to the server.
	// This method can be called only after the authentication exchange has
	// completed (i.e., when IsComplete() returns true) and only if
	// the authentication exchange has negotiated integrity and/or privacy
	// as the quality of protection; otherwise, an error is returned.
	Wrap(outgoing []byte, offset, len int) ([]byte, error)

	// Retrieves the negotiated property.
	// This method can be called only after the authentication exchange has
	// completed (i.e., when IsComplete() returns true); otherwise, an
	// error is returned.
	GetNegotiatedProperty(propName string) (interface{}, error)

	// Disposes of any system resources or security-sensitive information
	// the SaslClient might be using. Invoking this method invalidates
	// the SaslClient instance. This method is idempotent.
	Dispose() error
}

Client performs SASL authentication as a client.

A protocol library such as one for LDAP obtains an implementation of this interface in order to perform authentication defined by a specific SASL mechanism. Invoking methods on the Client instance processes challenges and creates responses according to the SASL mechanism implemented by the Client. As the authentication proceeds, the instance encapsulates the state of a SASL client's authentication exchange.

If the mechanism has an initial response, the library invokes EvaluateChallenge() with an empty challenge to get the initial response. Protocols such as IMAP4, which do not include an initial response with their first authentication command to the server, initiate the authentication without first calling HasInitialResponse() or EvaluateChallenge(). When the server responds to the command, it sends an initial challenge. For a SASL mechanism in which the client sends data first, the server should have issued a challenge with no data. This then results in a call (on the client) to EvaluateChallenge() with an empty challenge.

type PlainClient

type PlainClient struct {
	// contains filtered or unexported fields
}

PlainClient implements the PLAIN SASL client mechanism (RFC 2595, http://ftp.isi.edu/in-notes/rfc2595.txt).

func NewPlainClient

func NewPlainClient(authorizationID, authenticationID string, pw []byte) (*PlainClient, error)

NewPlainClient creates a new PlainClient instance

func (*PlainClient) Dispose

func (c *PlainClient) Dispose() error

Dispose disposes of any resources or security-sensitive information the client holds and invalidates the instance.

func (*PlainClient) EvaluateChallenge

func (c *PlainClient) EvaluateChallenge(challengeData []byte) ([]byte, error)

EvaluateChallenge retrieves the initial response for the SASL command, which for PLAIN is the concatenation of authorization ID, authentication ID and password, with each component separated by the US-ASCII <NUL> byte.
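As an added example (not the package's own code), the PLAIN encoding described above, built on the client side and then parsed as a server would, with the checks a practitioner needs: the NUL separator is the same US-ASCII <NUL> the package exposes as SEP, a field that itself contains NUL or an empty authentication ID is rejected, and the identities and password are constructed sample values embedded inline. The function names are this example's own; RFC 2595 (obsoleted by RFC 4616, same message layout) is the specification.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// sep is the US-ASCII <NUL> byte that separates the PLAIN fields.
const sep byte = 0

// plainInitialResponse builds the PLAIN initial response authzid NUL authcid NUL
// passwd. authzid may be empty (act as the authenticated identity); authcid must
// not be, and no field may contain NUL, or the server would misplace the boundaries.
func plainInitialResponse(authzid, authcid string, pw []byte) ([]byte, error) {
	if authcid == "" {
		return nil, errors.New("plain: authentication ID must not be empty")
	}
	for _, f := range [][]byte{[]byte(authzid), []byte(authcid), pw} {
		if bytes.IndexByte(f, sep) >= 0 {
			return nil, errors.New("plain: field contains the NUL separator")
		}
	}
	out := make([]byte, 0, len(authzid)+len(authcid)+len(pw)+2)
	out = append(out, authzid...)
	out = append(out, sep)
	out = append(out, authcid...)
	out = append(out, sep)
	return append(out, pw...), nil
}

// parsePlainResponse is the server-side inverse: the message must split on NUL
// into exactly three fields, and the authentication ID must be non-empty.
func parsePlainResponse(msg []byte) (authzid, authcid string, pw []byte, err error) {
	parts := bytes.Split(msg, []byte{sep})
	if len(parts) != 3 {
		return "", "", nil, fmt.Errorf("plain: expected 3 fields, got %d", len(parts))
	}
	if len(parts[1]) == 0 {
		return "", "", nil, errors.New("plain: empty authentication ID")
	}
	return string(parts[0]), string(parts[1]), parts[2], nil
}

func main() {
	resp, _ := plainInitialResponse("", "alice", []byte("correct horse")) // constructed sample
	z, c, pw, err := parsePlainResponse(resp)
	fmt.Printf("%q -> authzid=%q authcid=%q pw=%q err=%v\n", resp, z, c, pw, err)
}
```

PLAIN carries the password in clear text, which is what the policy property golang.security.sasl.policy.noplaintext listed above is for; a deployment should only permit it over a transport such as TLS.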

func (*PlainClient) GetMechanismName

func (c *PlainClient) GetMechanismName() string

GetMechanismName returns this mechanism's name, used to initiate the PLAIN protocol exchange.

func (*PlainClient) GetNegotiatedProperty

func (c *PlainClient) GetNegotiatedProperty(propName string) (interface{}, error)

GetNegotiatedProperty retrieves the negotiated property. This method can be called only after the authentication exchange has completed (i.e., when IsComplete() returns true); otherwise, an error is returned.

func (*PlainClient) HasInitialResponse

func (c *PlainClient) HasInitialResponse() bool

HasInitialResponse reports whether this mechanism has an initial response.

func (*PlainClient) IsComplete

func (c *PlainClient) IsComplete() bool

IsComplete determines whether this mechanism has completed. PLAIN completes after returning one response.

func (*PlainClient) Unwrap

func (c *PlainClient) Unwrap(incoming []byte, offset, len int) ([]byte, error)

Unwrap the incoming buffer.

func (*PlainClient) Wrap

func (c *PlainClient) Wrap(outgoing []byte, offset, len int) ([]byte, error)

Wrap the outgoing buffer.

type Sasl

type Sasl struct {
	Completed      bool
	Privacy        bool
	Integrity      bool
	Qop            []byte
	AllQop         byte
	Strength       []byte
	SendMaxBufSize int
	RecvMaxBufSize int
	RawSendSize    int
}

Sasl defines the policy of how to locate, load, and instantiate SASL clients and servers.

func (*Sasl) CombineMasks

func (s *Sasl) CombineMasks(in []byte) byte

CombineMasks combines the given masks into a single mask.

func (*Sasl) FindPreferredMask

func (s *Sasl) FindPreferredMask(pref byte, in []byte) byte

FindPreferredMask finds the preferred mask among the given masks.

func (*Sasl) GetNegotiatedProperty

func (s *Sasl) GetNegotiatedProperty(propName string) (interface{}, error)

GetNegotiatedProperty retrieves the negotiated property. This method can be called only after the authentication exchange has completed (i.e., when IsComplete() returns true); otherwise, an error is returned.

func (*Sasl) IntToNetworkByteOrder

func (s *Sasl) IntToNetworkByteOrder(num int, buf []byte, start, count int) error

IntToNetworkByteOrder encodes an integer as 4 bytes in network byte order into the buffer.

func (*Sasl) IsCompete

func (s *Sasl) IsCompete() bool

IsCompete determines whether the authentication exchange has completed. This method may be called at any time, but typically, it will not be called until the caller has received indication from the server (in a protocol-specific manner) that the exchange has completed.

func (*Sasl) NetworkByteOrderToInt

func (s *Sasl) NetworkByteOrderToInt(buf []byte, start, count int) (int, error)

NetworkByteOrderToInt returns the integer represented by 4 bytes in network byte order.

func (*Sasl) ParseProp

func (s *Sasl) ParseProp(propName, propVal string, vals []string, masks []byte, tokens []string, ignore bool) ([]byte, error)

ParseProp parses a property value against the given vals, masks and tokens.

func (*Sasl) ParseQop

func (s *Sasl) ParseQop(qop string) ([]byte, error)

ParseQop parses a qop property value with an empty token list.

func (*Sasl) ParseQop2

func (s *Sasl) ParseQop2(qop string, saveTokens []string, ignore bool) ([]byte, error)

ParseQop2 parses a qop property value, saving the parsed tokens into saveTokens and optionally ignoring unknown values.

func (*Sasl) ParseStrength

func (s *Sasl) ParseStrength(strength string) ([]byte, error)

ParseStrength parses a strength property value.
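The qop tables under Variables (QOP_TOKENS, QOP_MASKS) and the Sasl parse and mask methods above describe a mask-based negotiation. As an added example (not the package's code), the same idea written out end to end: parse each side's comma-separated, preference-ordered qop list into masks with the same values as NO_PROTECTION, INTEGRITY_ONLY_PROTECTION and PRIVACY_PROTECTION, combine the server's into one byte, and pick the client's first preference the server supports. The function names and the ignore flag are this example's own, modelled on the ParseQop2 signature; the qop strings are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// qopMaskOf maps qop tokens to masks; values match NO_PROTECTION, INTEGRITY_ONLY_PROTECTION, PRIVACY_PROTECTION.
var qopMaskOf = map[string]byte{"auth": 1, "auth-int": 2, "auth-conf": 4}

// parseQop maps a comma-separated, preference-ordered qop string to an ordered
// mask list. Empty input means "auth" only; unknown tokens fail unless ignore.
func parseQop(qop string, ignore bool) ([]byte, error) {
	if strings.TrimSpace(qop) == "" {
		return []byte{qopMaskOf["auth"]}, nil
	}
	var out []byte
	for _, tok := range strings.Split(qop, ",") {
		if m, ok := qopMaskOf[strings.TrimSpace(tok)]; ok {
			out = append(out, m)
		} else if !ignore {
			return nil, errors.New("qop: unsupported value " + strings.TrimSpace(tok))
		}
	}
	return out, nil
}

// negotiateQop returns the client's most preferred level the server also offers, or an error (no silent downgrade).
func negotiateQop(clientQop, serverQop string) (byte, error) {
	want, err := parseQop(clientQop, false)
	if err != nil {
		return 0, err
	}
	offered, _ := parseQop(serverQop, true) // unknown server tokens are skipped
	var all byte                            // combined mask of the server's levels
	for _, m := range offered {
		all |= m
	}
	for _, m := range want { // first client preference the server also supports
		if m&all != 0 {
			return m, nil
		}
	}
	return 0, errors.New("qop: no mutually acceptable protection level")
}

func main() {
	fmt.Println(negotiateQop("auth-conf,auth-int,auth", "auth-int,auth")) // 2 <nil>
}
```

A client that lists only "auth-conf" gets an error rather than a fallback to "auth", so the caller sees the downgrade instead of silently continuing without confidentiality.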
