auth

package
v4.0.0-alpha3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 8, 2022 License: AGPL-3.0 Imports: 53 Imported by: 0

Documentation

Overview

Package auth provides tools related to authentication of pydio services

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddContextVerifier

func AddContextVerifier(v ContextVerifier)

AddContextVerifier registers an additional verifier

func ClaimsFromMetadata

func ClaimsFromMetadata(ctx context.Context) (c claim.Claims, o bool)

ClaimsFromMetadata loads Claims from metadata (be passed along by grpc queries)

func ContextFromClaims

func ContextFromClaims(ctx context.Context, claims claim.Claims) context.Context

ContextFromClaims feeds context with correct Keys and Metadata for a given Claims

func DuplicateRegistryForConf

func DuplicateRegistryForConf(refService string, c ConfigurationProvider) (driver.Registry, error)

func GetRedirectURIFromRequestValues

func GetRedirectURIFromRequestValues(values url.Values) (string, error)

GetRedirectURIFromRequestValues extracts the redirect_uri from values but does not do any sort of validation.

Considered specifications

  • https://tools.ietf.org/html/rfc6749#section-3.1 The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters.

func GetRegistry

func GetRegistry() driver.Registry

func GetRegistrySQL

func GetRegistrySQL() *driver.RegistrySQL

func InitConfiguration

func InitConfiguration(values configx.Values)

func InitRegistry

func InitRegistry(ctx context.Context, dbServiceName string) (e error)

func OnConfigurationInit

func OnConfigurationInit(f func(scanner common.Scanner))

func OnRegistryInit

func OnRegistryInit(f func())

func RandStringBytes

func RandStringBytes(n int) []byte

func RegisterConnector

func RegisterConnector(id, name, connectorType string, data proto.Message)

RegisterConnector to the auth registry and opens up the connection

func RegisterConnectorType

func RegisterConnectorType(connType string, openerFunc OpenerFunc)

RegisterConnectorType registers how to set an opener for a connector type

func RegisterGRPCProvider

func RegisterGRPCProvider(pType ProviderType, service string)

func RegisterOryProvider

func RegisterOryProvider(o fosite.OAuth2Provider)

func SubjectsForResourcePolicyQuery

func SubjectsForResourcePolicyQuery(ctx context.Context, q *rest.ResourcePolicyQuery) (subjects []string, err error)

SubjectsForResourcePolicyQuery prepares a slice of strings that will be used to check for resource ownership. Can be extracted either from context or by loading a given user ID from database.

func SubjectsFromClaim

func SubjectsFromClaim(claim claim.Claims) (subjects []string)

SubjectsFromClaim builds a list of subjects based on Claim attributes.

func VerifyContext

func VerifyContext(ctx context.Context, user *idm.User) error

VerifyContext ranges over registered ContextVerifiers and check if one of them returns an error.

func WithImpersonate

func WithImpersonate(ctx context.Context, user *idm.User) context.Context

WithImpersonate Add a fake Claims in context to impersonate a user.

Types

type BasicAuthenticator

type BasicAuthenticator struct {
	TTL   time.Duration
	Realm string
	// contains filtered or unexported fields
}

func NewBasicAuthenticator

func NewBasicAuthenticator(realm string, ttl time.Duration) *BasicAuthenticator

func (*BasicAuthenticator) Wrap

func (b *BasicAuthenticator) Wrap(handler http.Handler) http.HandlerFunc

type CallbackConnector

type CallbackConnector interface {
	// The initial URL to redirect the user to.
	//
	// OAuth2 implementations should request different scopes from the upstream
	// identity provider based on the scopes requested by the downstream client.
	// For example, if the downstream client requests a refresh token from the
	// server, the connector should also request a token from the provider.
	//
	// Many identity providers have arbitrary restrictions on refresh tokens. For
	// example Google only allows a single refresh token per client/user/scopes
	// combination, and wont return a refresh token even if offline access is
	// requested if one has already been issues. There's no good general answer
	// for these kind of restrictions, and may require this package to become more
	// aware of the global set of user/connector interactions.
	LoginURL(s Scopes, callbackURL, state string) (string, error)

	// Handle the callback to the server and return an identity.
	HandleCallback(s Scopes, r *http.Request) (identity Identity, err error)
}

CallbackConnector is an interface implemented by connectors which use an OAuth style redirect flow to determine user information.

type ConfigurationProvider

type ConfigurationProvider interface {

	// GetProvider returns an instanciated hconf.Provider struct
	GetProvider() *hconf.Provider

	// Clients lists all defined clients
	Clients() common.Scanner

	// Connectors lists all defined connectors
	Connectors() common.Scanner
}

func GetConfigurationProvider

func GetConfigurationProvider(hostname ...string) ConfigurationProvider

func NewProvider

func NewProvider(rootURL string, values configx.Values) ConfigurationProvider

type Connector

type Connector interface{}

type ConnectorConfig

type ConnectorConfig interface {
	ID() string
	Name() string
	Type() string
	Conn() Connector
}

func GetConnectors

func GetConnectors() []ConnectorConfig

GetConnectors list all the connectors correctly configured

type ContextVerifier

type ContextVerifier interface {
	Verify(ctx context.Context, user *idm.User) error
}

type Exchanger

type Exchanger interface {
	Exchange(context.Context, string, string) (*oauth2.Token, error)
}

type HydraJwk added in v4.0.1

type HydraJwk struct {
	Pk        uint      `db:"pk"`
	Sid       string    `db:"sid"`
	Kid       string    `db:"kid"`
	Version   uint      `db:"version"`
	KeyData   string    `db:"keydata"`
	CreatedAt time.Time `db:"created_at"`
}

func (HydraJwk) TableName added in v4.0.1

func (hj HydraJwk) TableName() string

type HydraJwkMigration added in v4.0.1

type HydraJwkMigration struct {
	Id        string    `db:"id"`
	AppliedAt time.Time `db:"applied_at"`
}

func (*HydraJwkMigration) TableName added in v4.0.1

func (hjm *HydraJwkMigration) TableName() string

type IDToken

type IDToken interface {
	Claims(interface{}) error
	ScopedClaims(claims *claim.Claims) error
}

type Identity

type Identity struct {
	UserID        string
	Username      string
	Email         string
	EmailVerified bool
	Claims        map[string]interface{}

	Groups []string

	// ConnectorData holds data used by the connector for subsequent requests after initial
	// authentication, such as access tokens for upstream provides.
	//
	// This data is never shared with end users, OAuth clients, or through the API.
	ConnectorData []byte
}

Identity represents the ID Token claims supported by the server.

type JWTVerifier

type JWTVerifier struct {
	// contains filtered or unexported fields
}

func DefaultJWTVerifier

func DefaultJWTVerifier() *JWTVerifier

DefaultJWTVerifier creates a ready to use JWTVerifier

func LocalJWTVerifier

func LocalJWTVerifier() *JWTVerifier

func (*JWTVerifier) Exchange

func (j *JWTVerifier) Exchange(ctx context.Context, code, codeVerifier string) (*oauth2.Token, error)

Exchange retrieves an oauth2 Token from a code.

func (*JWTVerifier) LoginChallengeCode

func (j *JWTVerifier) LoginChallengeCode(ctx context.Context, claims claim.Claims, opts ...TokenOption) (string, error)

LoginChallengeCode will perform an implicit flow to get a valid code from given claims and challenge

func (*JWTVerifier) Logout

func (j *JWTVerifier) Logout(ctx context.Context, url, subject, sessionID string, opts ...TokenOption) error

Logout calls logout on underlying provider

func (*JWTVerifier) PasswordCredentialsCode

func (j *JWTVerifier) PasswordCredentialsCode(ctx context.Context, username, password string, opts ...TokenOption) (string, error)

PasswordCredentialsCode will perform an implicit flow to get a valid code from given claims and challenge

func (*JWTVerifier) PasswordCredentialsToken

func (j *JWTVerifier) PasswordCredentialsToken(ctx context.Context, userName string, password string) (*oauth2.Token, error)

PasswordCredentialsToken will perform a call to the OIDC service with grantType "password" to get a valid token from a given user/pass credentials

func (*JWTVerifier) Verify

func (j *JWTVerifier) Verify(ctx context.Context, rawIDToken string) (context.Context, claim.Claims, error)

Verify validates an existing JWT token against the OIDC service that issued it

type LockVerifier

type LockVerifier struct{}

func (LockVerifier) Verify

func (l LockVerifier) Verify(ctx context.Context, user *idm.User) error

type LoginChallengeCodeExchanger

type LoginChallengeCodeExchanger interface {
	LoginChallengeCode(context.Context, claim.Claims, ...TokenOption) (string, error)
}

type LogoutProvider

type LogoutProvider interface {
	Logout(context.Context, string, string, string, ...TokenOption) error
}

type MappingRule

type MappingRule struct {
	RuleName string

	// Left Attribute is attribute of external user (ldap, sql, api ...)
	// For example: displayName, mail, memberOf
	LeftAttribute string

	// Right Attribute is attribute of standard user
	// For example: displayName, email
	// Two reserved attributes: Roles, GroupPath
	RightAttribute string

	// Rule string define an acceptable list of right value
	// It can be:
	// * Empty
	// * A list of accepted values separated by comma , . For example: teacher,researcher,employee
	// * preg string
	RuleString string

	// RolePrefix
	// AuthSourceName_Prefix_RoleID
	RolePrefix string
}

func (MappingRule) AddPrefix

func (m MappingRule) AddPrefix(prefix string, strs []string) []string

func (MappingRule) ConvertDNtoName

func (m MappingRule) ConvertDNtoName(strs []string) []string

ConvertDNtoName tries to extract value from distinguishedName For example: member: uid=user01,dc=com,dc=fr member: uid=user02,dc=com,dc=fr member: uid=user03,dc=com,dc=fr return an array like:

user01
user02
user03

func (MappingRule) FilterList

func (m MappingRule) FilterList(list []string, strs []string) []string

func (MappingRule) FilterPreg

func (m MappingRule) FilterPreg(preg string, strs []string) []string

func (MappingRule) IsDnFormat

func (m MappingRule) IsDnFormat(str string) bool

IsDnFormat simply checks if the passed string is valid. See: https://www.ietf.org/rfc/rfc2253.txt

func (MappingRule) RemoveLdapEscape

func (m MappingRule) RemoveLdapEscape(strs []string) []string

RemoveLdapEscape remove LDAP escape characters but except '\,'.

func (MappingRule) SanitizeValues

func (m MappingRule) SanitizeValues(strs []string) []string

type OIDCPoliciesVerifier

type OIDCPoliciesVerifier struct{}

func (OIDCPoliciesVerifier) Verify

func (O OIDCPoliciesVerifier) Verify(ctx context.Context, user *idm.User) error

type Opener

type Opener interface {
	Open(string, log.ZapLogger) (Connector, error)
}

type OpenerFunc

type OpenerFunc func(proto.Message) (Opener, error)

type PasswordConnector

type PasswordConnector interface {
	Prompt() string
	Login(ctx context.Context, s Scopes, username, password string) (identity Identity, validPassword bool, err error)
}

PasswordConnector is an interface implemented by connectors which take a username and password. Prompt() is used to inform the handler what to display in the password template. If this returns an empty string, it'll default to "Username".

type PasswordCredentialsCodeExchanger

type PasswordCredentialsCodeExchanger interface {
	PasswordCredentialsCode(context.Context, string, string, ...TokenOption) (string, error)
}

type PasswordCredentialsTokenExchanger

type PasswordCredentialsTokenExchanger interface {
	PasswordCredentialsToken(context.Context, string, string) (*oauth2.Token, error)
}

type Provider

type Provider interface {
	GetType() ProviderType
}

type ProviderType

type ProviderType int
const (
	ProviderTypeOry ProviderType = iota
	ProviderTypeGrpc
	ProviderTypePAT
)

type PydioPW

type PydioPW struct {
	PBKDF2_HASH_ALGORITHM string
	PBKDF2_ITERATIONS     int
	PBKDF2_SALT_BYTE_SIZE int
	PBKDF2_HASH_BYTE_SIZE int
	HASH_SECTIONS         int
	HASH_ALGORITHM_INDEX  int
	HASH_ITERATION_INDEX  int
	HASH_SALT_INDEX       int
	HASH_PBKDF2_INDEX     int
}

func (PydioPW) CheckDBKDF2PydioPwd

func (p PydioPW) CheckDBKDF2PydioPwd(password string, hashedPw string, legacySalt ...bool) (bool, error)

func (PydioPW) CreateHash

func (p PydioPW) CreateHash(password string) (base64Pw string)

type RefreshConnector

type RefreshConnector interface {
	// Refresh is called when a client attempts to claim a refresh token. The
	// connector should attempt to update the identity object to reflect any
	// changes since the token was last refreshed.
	Refresh(ctx context.Context, s Scopes, identity Identity) (Identity, error)
}

RefreshConnector is a connector that can update the client claims.

type SAMLConnector

type SAMLConnector interface {
	// POSTData returns an encoded SAML request and SSO URL for the server to
	// render a POST form with.
	//
	// POSTData should encode the provided request ID in the returned serialized
	// SAML request.
	POSTData(s Scopes, requestID string) (ssoURL, samlRequest string, err error)

	// HandlePOST decodes, verifies, and maps attributes from the SAML response.
	// It passes the expected value of the "InResponseTo" response field, which
	// the connector must ensure matches the response value.
	//
	// See: https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
	// "3.2.2 Complex Type StatusResponseType"
	HandlePOST(s Scopes, samlResponse, inResponseTo string) (identity Identity, err error)
}

SAMLConnector represents SAML connectors which implement the HTTP POST binding.

RelayState is handled by the server.

See: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf "3.5 HTTP POST Binding"

type Scopes

type Scopes struct {
	// The client has requested a refresh token from the server.
	OfflineAccess bool

	// The client has requested group information about the end user.
	Groups bool
}

Scopes represents additional data requested by the clients about the end user.

type TokenOption

type TokenOption interface {
	// contains filtered or unexported methods
}

TokenOption is an AuthCodeOption is passed to Config.AuthCodeURL.

func SetAccessToken

func SetAccessToken(value string) TokenOption

SetAccessToken builds a TokenOption for passing the access token.

func SetChallenge

func SetChallenge(value string) TokenOption

SetChallenge builds a TokenOption which passes key/value parameters to a provider's token exchange endpoint.

func SetRefreshToken

func SetRefreshToken(value string) TokenOption

SetRefreshToken builds a TokenOption for passing the refresh_token.

type Verifier

type Verifier interface {
	Verify(context.Context, string) (IDToken, error)
}

Directories

Path Synopsis
Package claim wraps the JWT claims with util functions
Package claim wraps the JWT claims with util functions

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL