Overview ¶
Package auth provides tools related to authentication of pydio services
Index ¶
- func AddContextVerifier(v ContextVerifier)
- func ClaimsFromMetadata(ctx context.Context) (c claim.Claims, o bool)
- func ContextFromClaims(ctx context.Context, claims claim.Claims) context.Context
- func DuplicateRegistryForConf(refService string, c ConfigurationProvider) (driver.Registry, error)
- func GetRedirectURIFromRequestValues(values url.Values) (string, error)
- func GetRegistry() driver.Registry
- func GetRegistrySQL() *driver.RegistrySQL
- func InitConfiguration(values configx.Values)
- func InitRegistry(dbServiceName string) (e error)
- func OnConfigurationInit(f func(scanner common.Scanner))
- func OnRegistryInit(f func())
- func RandStringBytes(n int) []byte
- func RegisterConnector(id, name, connectorType string, data proto.Message)
- func RegisterConnectorType(connType string, openerFunc OpenerFunc)
- func RegisterGRPCProvider(pType ProviderType, service string)
- func RegisterOryProvider(o fosite.OAuth2Provider)
- func SubjectsForResourcePolicyQuery(ctx context.Context, q *rest.ResourcePolicyQuery) (subjects []string, err error)
- func SubjectsFromClaim(claim claim.Claims) (subjects []string)
- func VerifyContext(ctx context.Context, user *idm.User) error
- func WithImpersonate(ctx context.Context, user *idm.User) context.Context
- type BasicAuthenticator
- type CallbackConnector
- type ConfigurationProvider
- type Connector
- type ConnectorConfig
- type ContextVerifier
- type Exchanger
- type IDToken
- type Identity
- type JWTVerifier
- func (j *JWTVerifier) Exchange(ctx context.Context, code, codeVerifier string) (*oauth2.Token, error)
- func (j *JWTVerifier) LoginChallengeCode(ctx context.Context, claims claim.Claims, opts ...TokenOption) (string, error)
- func (j *JWTVerifier) Logout(ctx context.Context, url, subject, sessionID string, opts ...TokenOption) error
- func (j *JWTVerifier) PasswordCredentialsCode(ctx context.Context, username, password string, opts ...TokenOption) (string, error)
- func (j *JWTVerifier) PasswordCredentialsToken(ctx context.Context, userName string, password string) (*oauth2.Token, error)
- func (j *JWTVerifier) Verify(ctx context.Context, rawIDToken string) (context.Context, claim.Claims, error)
- type LockVerifier
- type LoginChallengeCodeExchanger
- type LogoutProvider
- type MappingRule
- func (m MappingRule) AddPrefix(prefix string, strs []string) []string
- func (m MappingRule) ConvertDNtoName(strs []string) []string
- func (m MappingRule) FilterList(list []string, strs []string) []string
- func (m MappingRule) FilterPreg(preg string, strs []string) []string
- func (m MappingRule) IsDnFormat(str string) bool
- func (m MappingRule) RemoveLdapEscape(strs []string) []string
- func (m MappingRule) SanitizeValues(strs []string) []string
- type OIDCPoliciesVerifier
- type Opener
- type OpenerFunc
- type PasswordConnector
- type PasswordCredentialsCodeExchanger
- type PasswordCredentialsTokenExchanger
- type Provider
- type ProviderType
- type PydioPW
- type RefreshConnector
- type SAMLConnector
- type Scopes
- type TokenOption
- type Verifier
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddContextVerifier ¶
func AddContextVerifier(v ContextVerifier)
AddContextVerifier registers an additional verifier
func ClaimsFromMetadata ¶
ClaimsFromMetadata loads Claims from metadata (as passed along by gRPC queries).
func ContextFromClaims ¶
ContextFromClaims feeds context with correct Keys and Metadata for a given Claims
func DuplicateRegistryForConf ¶
func DuplicateRegistryForConf(refService string, c ConfigurationProvider) (driver.Registry, error)
func GetRedirectURIFromRequestValues ¶
GetRedirectURIFromRequestValues extracts the redirect_uri parameter from values but performs no validation of it; the caller is responsible for validating the returned URI before using it.
Considered specifications
- https://tools.ietf.org/html/rfc6749#section-3.1 The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters.
func GetRegistry ¶
func GetRegistrySQL ¶
func GetRegistrySQL() *driver.RegistrySQL
func InitConfiguration ¶
func InitRegistry ¶
func OnConfigurationInit ¶
func OnRegistryInit ¶
func OnRegistryInit(f func())
func RandStringBytes ¶
func RegisterConnector ¶
RegisterConnector registers the connector in the auth registry and opens up the connection.
func RegisterConnectorType ¶
func RegisterConnectorType(connType string, openerFunc OpenerFunc)
RegisterConnectorType registers how to set an opener for a connector type
func RegisterGRPCProvider ¶
func RegisterGRPCProvider(pType ProviderType, service string)
func RegisterOryProvider ¶
func RegisterOryProvider(o fosite.OAuth2Provider)
func SubjectsForResourcePolicyQuery ¶
func SubjectsForResourcePolicyQuery(ctx context.Context, q *rest.ResourcePolicyQuery) (subjects []string, err error)
SubjectsForResourcePolicyQuery prepares a slice of strings that will be used to check for resource ownership. Can be extracted either from context or by loading a given user ID from database.
func SubjectsFromClaim ¶
SubjectsFromClaim builds a list of subjects based on Claim attributes.
func VerifyContext ¶
VerifyContext ranges over the registered ContextVerifiers and checks whether one of them returns an error.
Types ¶
type BasicAuthenticator ¶
// BasicAuthenticator wraps an http.Handler (see Wrap) with an authentication
// check for the configured Realm. Build one with NewBasicAuthenticator.
type BasicAuthenticator struct {
	// TTL is the duration passed to NewBasicAuthenticator; presumably bounds
	// how long a verified credential is retained — confirm in the implementation.
	TTL time.Duration
	// Realm is the realm name passed to NewBasicAuthenticator (presumably the
	// value sent in the WWW-Authenticate challenge — confirm).
	Realm string
	// contains filtered or unexported fields
}
func NewBasicAuthenticator ¶
func NewBasicAuthenticator(realm string, ttl time.Duration) *BasicAuthenticator
func (*BasicAuthenticator) Wrap ¶
func (b *BasicAuthenticator) Wrap(handler http.Handler) http.HandlerFunc
type CallbackConnector ¶
// CallbackConnector is an interface implemented by connectors which use an
// OAuth style redirect flow to determine user information.
type CallbackConnector interface {
	// The initial URL to redirect the user to.
	//
	// OAuth2 implementations should request different scopes from the upstream
	// identity provider based on the scopes requested by the downstream client.
	// For example, if the downstream client requests a refresh token from the
	// server, the connector should also request a token from the provider.
	//
	// Many identity providers have arbitrary restrictions on refresh tokens. For
	// example Google only allows a single refresh token per client/user/scopes
	// combination, and won't return a refresh token even if offline access is
	// requested if one has already been issued. There's no good general answer
	// for these kind of restrictions, and may require this package to become more
	// aware of the global set of user/connector interactions.
	LoginURL(s Scopes, callbackURL, state string) (string, error)

	// Handle the callback to the server and return an identity.
	// NOTE(review): whether the state value handed to LoginURL is checked here
	// or by the caller is not visible in this package — confirm before relying on it.
	HandleCallback(s Scopes, r *http.Request) (identity Identity, err error)
}
CallbackConnector is an interface implemented by connectors which use an OAuth style redirect flow to determine user information.
type ConfigurationProvider ¶
// ConfigurationProvider exposes the OAuth2/OIDC server settings the package
// reads when building a registry (see DuplicateRegistryForConf and NewProvider).
// The methods under "Secret material" return key material and must not be
// logged or exposed through any API.
type ConfigurationProvider interface {
	// Key/value access. MustSet presumably panics where Set returns an error —
	// confirm against the implementation.
	Set(key string, value interface{}) error
	MustSet(key string, value interface{})

	InsecureRedirects() []string
	WellKnownKeys(include ...string) []string
	IsUsingJWTAsAccessTokens() bool
	AllowedTopLevelClaims() []string
	SubjectTypesSupported() []string
	DefaultClientScope() []string
	DSN() string
	EncryptSessionData() bool
	ExcludeNotBeforeClaim() bool
	DataSourcePlugin() string
	BCryptCost() int
	CookieSameSiteMode() http.SameSite
	CookieSameSiteLegacyWorkaround() bool

	// Lifespans.
	ConsentRequestMaxAge() time.Duration
	AccessTokenLifespan() time.Duration
	RefreshTokenLifespan() time.Duration
	IDTokenLifespan() time.Duration
	AuthCodeLifespan() time.Duration

	ScopeStrategy() string // TODO v4 ?
	Tracing() *tracing.Config

	// Secret material.
	GetCookieSecrets() [][]byte
	GetRotatedSystemSecrets() [][]byte
	GetSystemSecret() []byte

	// Endpoint URLs.
	LogoutRedirectURL() *url.URL
	LoginURL() *url.URL
	LogoutURL() *url.URL
	ConsentURL() *url.URL
	ErrorURL() *url.URL
	PublicURL() *url.URL
	IssuerURL() *url.URL
	OAuth2ClientRegistrationURL() *url.URL
	OAuth2TokenURL() *url.URL
	OAuth2AuthURL() *url.URL
	JWKSURL() *url.URL
	TokenRefreshHookURL() *url.URL

	AccessTokenStrategy() string
	SubjectIdentifierAlgorithmSalt() string
	OIDCDiscoverySupportedClaims() []string
	OIDCDiscoverySupportedScope() []string
	OIDCDiscoveryUserinfoEndpoint() *url.URL
	OAuth2LegacyErrors() bool
	PKCEEnforced() bool
	EnforcePKCEForPublicClients() bool
	CGroupsV1AutoMaxProcsEnabled() bool
	GrantAllClientCredentialsScopesPerDefault() bool

	GetProvider() *hconf.Provider
	Clients() common.Scanner
	Connectors() common.Scanner
}
func GetConfigurationProvider ¶
func GetConfigurationProvider(hostname ...string) ConfigurationProvider
func NewProvider ¶
func NewProvider(rootURL string, values configx.Values) ConfigurationProvider
type ConnectorConfig ¶
func GetConnectors ¶
func GetConnectors() []ConnectorConfig
GetConnectors lists all the correctly configured connectors.
type ContextVerifier ¶
type Identity ¶
// Identity represents the ID Token claims supported by the server.
type Identity struct {
	UserID        string
	Username      string
	Email         string
	EmailVerified bool
	// Claims holds additional claims keyed by name.
	Claims map[string]interface{}
	Groups []string

	// ConnectorData holds data used by the connector for subsequent requests after initial
	// authentication, such as access tokens for upstream providers.
	//
	// This data is never shared with end users, OAuth clients, or through the API.
	ConnectorData []byte
}
Identity represents the ID Token claims supported by the server.
type JWTVerifier ¶
// JWTVerifier verifies raw ID tokens (Verify) and drives the code exchange,
// login-challenge, password-credentials and logout flows against the
// underlying provider. Build one with DefaultJWTVerifier or LocalJWTVerifier.
type JWTVerifier struct {
	// contains filtered or unexported fields
}
func DefaultJWTVerifier ¶
func DefaultJWTVerifier() *JWTVerifier
DefaultJWTVerifier creates a ready-to-use JWTVerifier.
func LocalJWTVerifier ¶
func LocalJWTVerifier() *JWTVerifier
func (*JWTVerifier) Exchange ¶
func (j *JWTVerifier) Exchange(ctx context.Context, code, codeVerifier string) (*oauth2.Token, error)
Exchange retrieves an oauth2 Token from a code.
func (*JWTVerifier) LoginChallengeCode ¶
func (j *JWTVerifier) LoginChallengeCode(ctx context.Context, claims claim.Claims, opts ...TokenOption) (string, error)
LoginChallengeCode will perform an implicit flow to get a valid code from given claims and challenge
func (*JWTVerifier) Logout ¶
func (j *JWTVerifier) Logout(ctx context.Context, url, subject, sessionID string, opts ...TokenOption) error
Logout calls logout on the underlying provider.
func (*JWTVerifier) PasswordCredentialsCode ¶
func (j *JWTVerifier) PasswordCredentialsCode(ctx context.Context, username, password string, opts ...TokenOption) (string, error)
PasswordCredentialsCode will perform an implicit flow to get a valid code from the given credentials and challenge.
func (*JWTVerifier) PasswordCredentialsToken ¶
func (j *JWTVerifier) PasswordCredentialsToken(ctx context.Context, userName string, password string) (*oauth2.Token, error)
PasswordCredentialsToken will perform a call to the OIDC service with grant type "password" to get a valid token from the given username/password credentials.
type LockVerifier ¶
// LockVerifier is a stateless verifier. NOTE(review): it is listed next to
// ContextVerifier and VerifyContext, so it presumably implements
// ContextVerifier — confirm in the source.
type LockVerifier struct{}
type LogoutProvider ¶
type MappingRule ¶
// MappingRule maps one attribute of an external user (LDAP, SQL, API ...) onto
// one attribute of a standard user, optionally filtered by RuleString.
type MappingRule struct {
	RuleName string

	// LeftAttribute is an attribute of the external user (ldap, sql, api ...).
	// For example: displayName, mail, memberOf
	LeftAttribute string

	// RightAttribute is an attribute of the standard user.
	// For example: displayName, email
	// Two reserved attributes: Roles, GroupPath
	RightAttribute string

	// RuleString defines an acceptable list of right values.
	// It can be:
	//   * Empty
	//   * A list of accepted values separated by comma. For example: teacher,researcher,employee
	//   * A preg string (see FilterPreg)
	RuleString string

	// RolePrefix is prepended to role identifiers:
	// AuthSourceName_Prefix_RoleID
	RolePrefix string
}
func (MappingRule) AddPrefix ¶
func (m MappingRule) AddPrefix(prefix string, strs []string) []string
func (MappingRule) ConvertDNtoName ¶
func (m MappingRule) ConvertDNtoName(strs []string) []string
ConvertDNtoName tries to extract the value from a distinguishedName. For example, given:
member: uid=user01,dc=com,dc=fr
member: uid=user02,dc=com,dc=fr
member: uid=user03,dc=com,dc=fr
it returns an array like:
user01, user02, user03
func (MappingRule) FilterList ¶
func (m MappingRule) FilterList(list []string, strs []string) []string
func (MappingRule) FilterPreg ¶
func (m MappingRule) FilterPreg(preg string, strs []string) []string
func (MappingRule) IsDnFormat ¶
func (m MappingRule) IsDnFormat(str string) bool
IsDnFormat simply checks whether the passed string is a valid distinguished name (DN). See: https://www.ietf.org/rfc/rfc2253.txt
func (MappingRule) RemoveLdapEscape ¶
func (m MappingRule) RemoveLdapEscape(strs []string) []string
RemoveLdapEscape removes LDAP escape characters, except for '\,'.
func (MappingRule) SanitizeValues ¶
func (m MappingRule) SanitizeValues(strs []string) []string
type OIDCPoliciesVerifier ¶
// OIDCPoliciesVerifier is a stateless verifier. NOTE(review): it is listed next
// to ContextVerifier and VerifyContext, so it presumably implements
// ContextVerifier and evaluates OIDC policies — confirm in the source.
type OIDCPoliciesVerifier struct{}
type PasswordConnector ¶
// PasswordConnector is an interface implemented by connectors which take a
// username and password. Prompt() is used to inform the handler what to display
// in the password template. If this returns an empty string, it defaults to
// "Username".
type PasswordConnector interface {
	Prompt() string
	// Login resolves an identity for the credentials. validPassword is returned
	// separately from err, presumably so a wrong password can be distinguished
	// from a lookup failure — confirm with implementations.
	Login(ctx context.Context, s Scopes, username, password string) (identity Identity, validPassword bool, err error)
}
PasswordConnector is an interface implemented by connectors which take a username and password. Prompt() is used to inform the handler what to display in the password template. If this returns an empty string, it defaults to "Username".
type Provider ¶
// Provider is the minimal contract of a registered provider: it reports its
// ProviderType (see RegisterGRPCProvider and RegisterOryProvider).
type Provider interface {
	GetType() ProviderType
}
type ProviderType ¶
// ProviderType identifies which kind of provider is registered
// (see RegisterGRPCProvider and RegisterOryProvider).
type ProviderType int

const (
	ProviderTypeOry  ProviderType = iota // provider backed by a fosite OAuth2Provider (RegisterOryProvider)
	ProviderTypeGrpc                     // provider reached by service name over gRPC (RegisterGRPCProvider)
	ProviderTypePAT                      // PAT — presumably personal access tokens; confirm
)
type PydioPW ¶
// PydioPW describes a PBKDF2-based password hash: the PBKDF2 parameters used to
// derive it and the position of each section within the stored, sectioned hash
// (see CreateHash and CheckDBKDF2PydioPwd). Field names are exported ALL_CAPS
// identifiers, which is not idiomatic Go but is part of the public API.
type PydioPW struct {
	// PBKDF2 parameters — presumably the hash algorithm name, iteration count
	// (work factor), salt length and derived-key length; confirm in CreateHash.
	PBKDF2_HASH_ALGORITHM string
	PBKDF2_ITERATIONS     int
	PBKDF2_SALT_BYTE_SIZE int
	PBKDF2_HASH_BYTE_SIZE int

	// Layout of the stored hash: number of sections and the index of each part.
	HASH_SECTIONS        int
	HASH_ALGORITHM_INDEX int
	HASH_ITERATION_INDEX int
	HASH_SALT_INDEX      int
	HASH_PBKDF2_INDEX    int
}
func (PydioPW) CheckDBKDF2PydioPwd ¶
func (PydioPW) CreateHash ¶
type RefreshConnector ¶
// RefreshConnector is a connector that can update the client claims.
type RefreshConnector interface {
	// Refresh is called when a client attempts to claim a refresh token. The
	// connector should attempt to update the identity object to reflect any
	// changes since the token was last refreshed.
	Refresh(ctx context.Context, s Scopes, identity Identity) (Identity, error)
}
RefreshConnector is a connector that can update the client claims.
type SAMLConnector ¶
// SAMLConnector represents SAML connectors which implement the HTTP POST binding.
// RelayState is handled by the server.
//
// See: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
// "3.5 HTTP POST Binding"
type SAMLConnector interface {
	// POSTData returns an encoded SAML request and SSO URL for the server to
	// render a POST form with.
	//
	// POSTData should encode the provided request ID in the returned serialized
	// SAML request.
	POSTData(s Scopes, requestID string) (ssoURL, samlRequest string, err error)

	// HandlePOST decodes, verifies, and maps attributes from the SAML response.
	// It passes the expected value of the "InResponseTo" response field, which
	// the connector must ensure matches the response value.
	//
	// See: https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
	// "3.2.2 Complex Type StatusResponseType"
	HandlePOST(s Scopes, samlResponse, inResponseTo string) (identity Identity, err error)
}
SAMLConnector represents SAML connectors which implement the HTTP POST binding.
RelayState is handled by the server.
See: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf "3.5 HTTP POST Binding"
type Scopes ¶
// Scopes represents additional data requested by the clients about the end user.
type Scopes struct {
	// The client has requested a refresh token from the server.
	OfflineAccess bool

	// The client has requested group information about the end user.
	Groups bool
}
Scopes represents additional data requested by the clients about the end user.
type TokenOption ¶
// TokenOption is an AuthCodeOption that is passed to Config.AuthCodeURL.
// Build values with SetAccessToken, SetChallenge or SetRefreshToken.
type TokenOption interface {
	// contains filtered or unexported methods
}
TokenOption is an AuthCodeOption that is passed to Config.AuthCodeURL.
func SetAccessToken ¶
func SetAccessToken(value string) TokenOption
SetAccessToken builds a TokenOption for passing the access token.
func SetChallenge ¶
func SetChallenge(value string) TokenOption
SetChallenge builds a TokenOption which passes key/value parameters to a provider's token exchange endpoint.
func SetRefreshToken ¶
func SetRefreshToken(value string) TokenOption
SetRefreshToken builds a TokenOption for passing the refresh_token.