user

package
Published: Sep 3, 2015 License: Apache-2.0 Imports: 18 Imported by: 0


Constants

const (
	// ClaimEmailVerificationCallback is the claim holding the URL a user should
	// be sent to after verifying their email address. The claim names are full
	// URIs, a collision-resistant namespace for private JWT claims.
	ClaimEmailVerificationCallback = "http://coreos.com/email/verification-callback"

	// ClaimEmailVerificationEmail represents the email to be verified. Note
	// that we are intentionally not using the "email" claim for this purpose.
	ClaimEmailVerificationEmail = "http://coreos.com/email/verificationEmail"
)
const (

	// ClaimPasswordResetCallback represents where a user should be sent after
	// resetting their password.
	ClaimPasswordResetCallback = "http://coreos.com/password/reset-callback"

	// ClaimPasswordResetPassword represents the hash of the password to be
	// reset; in other words, the hash of the password that is current when
	// the reset token is issued.
	//
	// NOTE(review): PasswordReset.Token emits a signed JWT. A signature does
	// not provide confidentiality, so whoever can read the token (reset link,
	// mail archive, proxy or application logs) can presumably read this hash
	// as well — confirm the token is never logged and is delivered only to the
	// account's email address.
	ClaimPasswordResetPassword = "http://coreos.com/password/old-hash"
)
const (
	// MaxEmailLength is the longest email address (in bytes) this package
	// accepts; presumably enforced by ValidEmail — TODO confirm.
	MaxEmailLength = 200
)

Variables

var (
	// ErrorEVEmailDoesntMatch: the email carried in an EmailVerification does
	// not match the email stored for that user (see Manager.VerifyEmail).
	ErrorEVEmailDoesntMatch   = errors.New("email in EV doesn't match user email")
	// ErrorEmailAlreadyVerified: the user's email is already verified, so a
	// verification token must not be honoured a second time.
	ErrorEmailAlreadyVerified = errors.New("email already verified")

	// ErrorPasswordAlreadyChanged: the password has changed since the reset
	// token was issued, so the reset must not be applied.
	ErrorPasswordAlreadyChanged = errors.New("password has already been changed")
)
var (
	// PasswordHasher is the Hasher applied to plaintext passwords. It is a
	// mutable package-level variable: reassigning it changes hashing
	// process-wide and hashes produced by a different Hasher will no longer
	// verify, so only tests should swap it (e.g. for a cheaper hasher), never
	// production configuration.
	PasswordHasher = DefaultPasswordHasher

	// ErrorInvalidPassword: the plaintext does not satisfy ValidPassword (presumably).
	ErrorInvalidPassword     = errors.New("invalid Password")
	// ErrorPasswordHashNoMatch: the plaintext does not verify against the stored hash.
	//
	// NOTE(review): together with ErrorNotFound this lets a caller tell an
	// unknown user from a wrong password; do not expose that distinction to
	// the end user, as it enables account enumeration.
	ErrorPasswordHashNoMatch = errors.New("password and hash don't match")
	// ErrorPasswordExpired: PasswordInfo.PasswordExpires has passed (presumably).
	ErrorPasswordExpired     = errors.New("password has expired")
)
var (
	// ErrorDuplicateID and ErrorDuplicateEmail correspond to the UserRepo
	// invariant that ID and Email are unique across users.
	ErrorDuplicateID    = errors.New("ID not available")
	ErrorDuplicateEmail = errors.New("email not available")

	// ErrorDuplicateRemoteIdentity corresponds to the UserRepo invariant that
	// a RemoteIdentity belongs to at most one user.
	ErrorDuplicateRemoteIdentity = errors.New("remote identity already in use for another user")
	// ErrorInvalidEmail: the email fails ValidEmail (presumably).
	ErrorInvalidEmail            = errors.New("invalid Email")
	// ErrorInvalidID: the user ID is not acceptable (the validation rule is
	// not visible here).
	ErrorInvalidID               = errors.New("invalid ID")
	// ErrorNotFound: no user matched the lookup. See the enumeration note on
	// ErrorPasswordHashNoMatch before surfacing this to end users.
	ErrorNotFound                = errors.New("user not found in repository")
)

Functions

func DefaultPasswordHasher

func DefaultPasswordHasher(s string) ([]byte, error)

func DefaultUserIDGenerator

func DefaultUserIDGenerator() (string, error)

func EncodeNextPageToken

func EncodeNextPageToken(filter UserFilter, maxResults int, offset int) (string, error)

func LoadPasswordInfos

func LoadPasswordInfos(repo PasswordInfoRepo, pws []PasswordInfo) error

func ValidEmail

func ValidEmail(email string) bool

func ValidPassword

func ValidPassword(plaintext string) bool

Types

type EmailVerification

// EmailVerification is the parsed form of an email-verification token: the
// user, the email to verify and the post-verification callback URL. Build one
// with NewEmailVerification or recover one from a token with
// ParseAndVerifyEmailVerificationToken; only the latter checks the signature,
// so instances built from untrusted input must go through it.
type EmailVerification struct {
	// contains filtered or unexported fields
}

func NewEmailVerification

func NewEmailVerification(user User, clientID string, issuer url.URL, callback url.URL, expires time.Duration) EmailVerification

NewEmailVerification creates an object which can be sent to a user in serialized form to verify that they control an email address. The clientID identifies the OIDC client on whose behalf the verification is issued (the user is identified by the user argument; the "aud" claim that ParseAndVerifyEmailVerificationToken requires is presumably populated from clientID — confirm against the implementation). The callback is where a user should land after verifying their email; since the verification flow redirects the user there, callers should only pass a callback URL that is registered for that client.

func ParseAndVerifyEmailVerificationToken

func ParseAndVerifyEmailVerificationToken(token string, issuer url.URL, keys []key.PublicKey) (EmailVerification, error)

ParseAndVerifyEmailVerificationToken parses a string into an EmailVerification, verifies the signature against keys and checks that the JWT has not expired, and ensures that required claims are present. In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimEmailVerificationCallback and ClaimEmailVerificationEmail.

func (EmailVerification) Callback

func (e EmailVerification) Callback() *url.URL

func (EmailVerification) Email

func (e EmailVerification) Email() string

func (EmailVerification) Token

func (e EmailVerification) Token(signer jose.Signer) (string, error)

Token serializes the EmailVerification into a signed JWT.

func (EmailVerification) UserID

func (e EmailVerification) UserID() string

type Hasher

// Hasher maps a plaintext password to its stored (hashed) form. PasswordHasher
// is the package-level Hasher in use; DefaultPasswordHasher is the default.
type Hasher func(string) ([]byte, error)

type Manager

type Manager struct {
	// Clock is the time source used by the Manager (clockwork makes it
	// injectable for tests). Time-dependent decisions such as CreatedAt and
	// expiry checks presumably read it — confirm before relying on it.
	Clock clockwork.Clock
	// contains filtered or unexported fields
}

Manager performs user-related "business-logic" functions on user and related objects. This is in contrast to the Repos which perform little more than CRUD operations.

func NewManager

func NewManager(userRepo UserRepo, pwRepo PasswordInfoRepo, txnFactory repo.TransactionFactory, options ManagerOptions) *Manager

func (*Manager) ChangePassword

func (m *Manager) ChangePassword(pwr PasswordReset, plaintext string) (*url.URL, error)

func (*Manager) CreateUser

func (m *Manager) CreateUser(user User, hashedPassword Password, connID string) (string, error)

CreateUser creates a new user with the given hashedPassword (already hashed; see NewPasswordFromPlaintext); the connID should be the ID of the local connector. The userID of the created user is returned as the first return value.

func (*Manager) Get

func (m *Manager) Get(id string) (User, error)

func (*Manager) List

func (m *Manager) List(filter UserFilter, maxResults int, nextPageToken string) ([]User, string, error)

func (*Manager) RegisterWithPassword

func (m *Manager) RegisterWithPassword(email, plaintext, connID string) (string, error)

RegisterWithPassword creates a new user with the given email and plaintext password (hashed before storage). connID is the connector ID of the ConnectorLocal connector.

func (*Manager) RegisterWithRemoteIdentity

func (m *Manager) RegisterWithRemoteIdentity(email string, emailVerified bool, rid RemoteIdentity) (string, error)

RegisterWithRemoteIdentity creates a new user and attaches the given remote identity. emailVerified is taken as asserted by the caller, so it should reflect whether the upstream IDP actually verified the address.

func (*Manager) VerifyEmail

func (m *Manager) VerifyEmail(ev EmailVerification) (*url.URL, error)

VerifyEmail sets EmailVerified to true for the user named by ev. The email in the EmailVerification must match the User's email in the repository (otherwise ErrorEVEmailDoesntMatch), and it must not already be verified (otherwise ErrorEmailAlreadyVerified). This function expects that ev was produced by ParseAndVerifyEmailVerificationToken, which is what ensures the token was signed and the JWT was not expired; VerifyEmail does not repeat those checks, so never construct ev from unverified input. The callback URL (i.e. where to send the user after the verification) is returned.

type ManagerOptions

// ManagerOptions configures a Manager. It currently carries no options and
// exists so NewManager's signature can grow without breaking callers.
type ManagerOptions struct {
}

type Password

// Password is a hashed password, the form in which passwords are stored and
// passed around (see NewPasswordFromPlaintext and CreateUser's hashedPassword).
// Plaintext is only ever handled transiently by functions taking a plaintext
// string parameter.
type Password []byte

func NewPasswordFromPlaintext

func NewPasswordFromPlaintext(plaintext string) (Password, error)

type PasswordInfo

type PasswordInfo struct {
	// UserID is the ID of the User this password belongs to.
	UserID string

	// Password is the hashed password (never plaintext).
	Password Password

	// PasswordExpires is the time after which the password is no longer
	// accepted; presumably what makes Authenticate return ErrorPasswordExpired
	// — confirm against the implementation.
	PasswordExpires time.Time
}

func (PasswordInfo) Authenticate

func (p PasswordInfo) Authenticate(plaintext string) (*oidc.Identity, error)

func (PasswordInfo) Identity

func (p PasswordInfo) Identity() oidc.Identity

func (*PasswordInfo) UnmarshalJSON

func (u *PasswordInfo) UnmarshalJSON(data []byte) error

type PasswordInfoRepo

// PasswordInfoRepo persists password hashes keyed by user ID. Implementations
// store Password values as given, so callers must hash before calling Create
// or Update.
type PasswordInfoRepo interface {
	// Get returns the PasswordInfo for the user with the given ID.
	Get(tx repo.Transaction, id string) (PasswordInfo, error)
	// Update replaces the stored PasswordInfo for PasswordInfo.UserID.
	Update(repo.Transaction, PasswordInfo) error
	// Create stores a new PasswordInfo.
	Create(repo.Transaction, PasswordInfo) error
}

func NewPasswordInfoRepo

func NewPasswordInfoRepo() PasswordInfoRepo

func NewPasswordInfoRepoFromFile

func NewPasswordInfoRepoFromFile(loc string) (PasswordInfoRepo, error)

func NewPasswordInfoRepoFromPasswordInfos

func NewPasswordInfoRepoFromPasswordInfos(pws []PasswordInfo) PasswordInfoRepo

type PasswordReset

// PasswordReset is the parsed form of a password-reset token: the user, the
// hash of the password current at issue time (used to detect that the password
// has already been changed) and the post-reset callback URL. Build one with
// NewPasswordReset or recover one with ParseAndVerifyPasswordResetToken; only
// the latter checks the signature, so instances from untrusted input must go
// through it before being passed to Manager.ChangePassword.
type PasswordReset struct {
	// contains filtered or unexported fields
}

func NewPasswordReset

func NewPasswordReset(user User, password Password, issuer url.URL, clientID string, callback url.URL, expires time.Duration) PasswordReset

func ParseAndVerifyPasswordResetToken

func ParseAndVerifyPasswordResetToken(token string, issuer url.URL, keys []key.PublicKey) (PasswordReset, error)

ParseAndVerifyPasswordResetToken parses a string into a PasswordReset, verifies the signature against keys, and ensures that required claims are present. In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimPasswordResetCallback and ClaimPasswordResetPassword. (The original description also lists a ClaimPasswordResetEmail claim, but no constant of that name is exported by this package; confirm against the implementation which email claim, if any, is required.)

func (PasswordReset) Callback

func (e PasswordReset) Callback() *url.URL

func (PasswordReset) Password

func (e PasswordReset) Password() Password

func (PasswordReset) Token

func (e PasswordReset) Token(signer jose.Signer) (string, error)

Token serializes the PasswordReset into a signed JWT.

func (PasswordReset) UserID

func (e PasswordReset) UserID() string

type RemoteIdentity

type RemoteIdentity struct {
	// ConnectorID is the identifier of the IDP (connector) which hosts this identity.
	ConnectorID string

	// ID is the identifier of this User at the IDP. Only the pair
	// (ConnectorID, ID) is meaningful: the same ID at a different connector
	// is a different identity (see UserRepo.GetByRemoteIdentity).
	ID string
}

RemoteIdentity represents a User's identity at an IDP.

func (*RemoteIdentity) UnmarshalJSON

func (u *RemoteIdentity) UnmarshalJSON(data []byte) error

type User

type User struct {
	// ID is the machine-generated, stable, unique identifier for this User.
	ID string

	// DisplayName is human readable name meant for display purposes.
	// DisplayName is not necessarily unique with a UserRepo.
	DisplayName string

	// Email is the user's email address; unique within a UserRepo.
	Email string

	// EmailVerified records that control of Email has been proven. The
	// intended path for setting it is Manager.VerifyEmail (or the
	// emailVerified argument of RegisterWithRemoteIdentity); setting it
	// directly bypasses that proof.
	EmailVerified bool

	// Admin marks an administrative user. It is plain stored state, so any
	// code path that writes a User can grant it — keep Update callers
	// privileged. UserRepo.GetAdminCount reports how many users have it set.
	Admin bool

	// CreatedAt is when the User was created.
	CreatedAt time.Time
}

func (*User) AddToClaims

func (u *User) AddToClaims(claims jose.Claims)

AddToClaims adds basic information about the user to the given Claims. http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

func (*User) UnmarshalJSON

func (u *User) UnmarshalJSON(data []byte) error

type UserFilter

// UserFilter selects which users UserRepo.List returns. It currently has no
// fields, i.e. no filtering criteria are supported yet; it is carried through
// the page token by EncodeNextPageToken / DecodeNextPageToken.
type UserFilter struct {
}

func DecodeNextPageToken

func DecodeNextPageToken(tok string) (UserFilter, int, int, error)

type UserIDGenerator

// UserIDGenerator produces the ID for a new User. DefaultUserIDGenerator is the
// default. Generated IDs must satisfy the UserRepo invariant that IDs are
// unique, so a replacement must be collision-resistant.
type UserIDGenerator func() (string, error)

type UserRepo

type UserRepo interface {
	// Get returns the User with the given ID.
	Get(tx repo.Transaction, id string) (User, error)

	// List returns a list of users meeting the given conditions.
	// A nextPageToken is returned when there are further results to be had,
	// with the expectation that it will be passed into a subsequent List
	// call. When nextPageToken is non-empty filter and maxResults are ignored.
	List(tx repo.Transaction, filter UserFilter, maxResults int, nextPageToken string) ([]User, string, error)

	// Create stores a new User. Implementations must uphold the invariants
	// below (unique ID and Email); ErrorDuplicateID and ErrorDuplicateEmail
	// are the errors defined for those violations.
	Create(repo.Transaction, User) error

	// GetByEmail looks a User up by email address. Whether matching is
	// case-sensitive is not specified here — confirm before relying on it
	// for login or registration checks.
	GetByEmail(tx repo.Transaction, email string) (User, error)

	// Update replaces the stored User having the same ID. It can change
	// security-relevant fields (Admin, EmailVerified), so callers must be
	// privileged.
	Update(repo.Transaction, User) error

	// GetByRemoteIdentity returns the User owning the given (ConnectorID, ID) pair.
	GetByRemoteIdentity(repo.Transaction, RemoteIdentity) (User, error)

	// AddRemoteIdentity links a remote identity to userID. Implementations
	// must uphold the invariant that no other user already holds it
	// (ErrorDuplicateRemoteIdentity).
	AddRemoteIdentity(tx repo.Transaction, userID string, remoteID RemoteIdentity) error

	// RemoveRemoteIdentity unlinks a remote identity from userID.
	RemoveRemoteIdentity(tx repo.Transaction, userID string, remoteID RemoteIdentity) error

	// GetRemoteIdentities returns all remote identities linked to userID.
	GetRemoteIdentities(tx repo.Transaction, userID string) ([]RemoteIdentity, error)

	// GetAdminCount returns the number of users with Admin set; presumably
	// used to avoid removing the last administrator — confirm.
	GetAdminCount(repo.Transaction) (int, error)
}

UserRepo implementations maintain a persistent set of users. The following invariants must be maintained:

  • Users must have a unique Email and ID
  • No other Users may have the same RemoteIdentity as one of the users. (This constraint may be relaxed in the future)

func NewUserRepo

func NewUserRepo() UserRepo

NewUserRepo returns an in-memory UserRepo useful for development.

func NewUserRepoFromFile

func NewUserRepoFromFile(loc string) (UserRepo, error)

NewUserRepoFromFile returns an in-memory UserRepo useful for development given a JSON serialized file of Users.

func NewUserRepoFromUsers

func NewUserRepoFromUsers(us []UserWithRemoteIdentities) UserRepo

type UserWithRemoteIdentities

// UserWithRemoteIdentities bundles a User with its linked remote identities.
// It is the element type NewUserRepoFromUsers accepts and, by its JSON tags,
// presumably the shape NewUserRepoFromFile reads — confirm.
type UserWithRemoteIdentities struct {
	User             User             `json:"user"`
	RemoteIdentities []RemoteIdentity `json:"remoteIdentities"`
}
