Documentation ¶
Overview ¶
Package auth provides tools related to authentication of pydio services
Index ¶
- func AddContextVerifier(v ContextVerifier)
- func ContextFromClaims(ctx context.Context, claims claim.Claims) context.Context
- func RandStringBytes(n int) []byte
- func RegisterConnectorType(connType string, openerFunc OpenerFunc)
- func RegisterGRPCProvider(pType ProviderType, service string)
- func RegisterProvider(p Provider)
- func SetConnectorScanner(scanner ConnectorScanner)
- func SubjectsForResourcePolicyQuery(ctx context.Context, q *rest.ResourcePolicyQuery) (subjects []string, err error)
- func SubjectsFromClaim(claim claim.Claims) (subjects []string)
- func VerifyContext(ctx context.Context, user *idm.User) error
- func WithImpersonate(ctx context.Context, user *idm.User) context.Context
- type BasicAuthenticator
- type CallbackConnector
- type Connector
- type ConnectorConfig
- func DefaultConnectorScanner(ctx context.Context, values configx.Scanner) (connectors []ConnectorConfig, err error)
- func OpenConnector(ctx context.Context, id, name, connectorType string, data proto.Message) (ConnectorConfig, error)
- func ScanConnectors(ctx context.Context, values configx.Values) ([]ConnectorConfig, error)
- type ConnectorScanner
- type ContextVerifier
- type Exchanger
- type IDToken
- type Identity
- type JWTVerifier
- func (j *JWTVerifier) Exchange(ctx context.Context, code, codeVerifier string) (*oauth2.Token, error)
- func (j *JWTVerifier) LoginChallengeCode(ctx context.Context, claims claim.Claims, opts ...TokenOption) (*auth.GetLoginResponse, string, error)
- func (j *JWTVerifier) Logout(ctx context.Context, url, subject, sessionID string, opts ...TokenOption) error
- func (j *JWTVerifier) PasswordCredentialsCode(ctx context.Context, username, password string, opts ...TokenOption) (string, error)
- func (j *JWTVerifier) PasswordCredentialsToken(ctx context.Context, userName string, password string) (*oauth2.Token, error)
- func (j *JWTVerifier) Verify(ctx context.Context, rawIDToken string) (context.Context, claim.Claims, error)
- type LockVerifier
- type LoginChallengeCodeExchanger
- type LogoutProvider
- type MappingRule
- func (m MappingRule) AddPrefix(prefix string, strs []string) []string
- func (m MappingRule) ConvertDNtoName(strs []string) []string
- func (m MappingRule) FilterList(list []string, strs []string) []string
- func (m MappingRule) FilterPreg(preg string, strs []string) []string
- func (m MappingRule) IsDnFormat(str string) bool
- func (m MappingRule) RemoveLdapEscape(strs []string) []string
- func (m MappingRule) SanitizeValues(strs []string) []string
- type OIDCPoliciesVerifier
- type Opener
- type OpenerFunc
- type PasswordConnector
- type PasswordCredentialsCodeExchanger
- type PasswordCredentialsTokenExchanger
- type Provider
- type ProviderType
- type PydioPW
- type RefreshConnector
- type SAMLConnector
- type Scopes
- type TokenOption
- type Verifier
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddContextVerifier ¶
func AddContextVerifier(v ContextVerifier)
AddContextVerifier registers an additional verifier
func ContextFromClaims ¶
ContextFromClaims feeds context with correct Keys and Metadata for a given Claims
func RandStringBytes ¶
func RegisterConnectorType ¶
func RegisterConnectorType(connType string, openerFunc OpenerFunc)
RegisterConnectorType registers how to set an opener for a connector type
func RegisterGRPCProvider ¶
func RegisterGRPCProvider(pType ProviderType, service string)
func RegisterProvider ¶
func RegisterProvider(p Provider)
func SetConnectorScanner ¶
func SetConnectorScanner(scanner ConnectorScanner)
SetConnectorScanner replaces internal connectorScanner
func SubjectsForResourcePolicyQuery ¶
func SubjectsForResourcePolicyQuery(ctx context.Context, q *rest.ResourcePolicyQuery) (subjects []string, err error)
SubjectsForResourcePolicyQuery prepares a slice of strings that will be used to check for resource ownership. Can be extracted either from context or by loading a given user ID from database.
func SubjectsFromClaim ¶
SubjectsFromClaim builds a list of subjects based on Claim attributes.
func VerifyContext ¶
VerifyContext ranges over registered ContextVerifiers and check if one of them returns an error.
Types ¶
type BasicAuthenticator ¶
type BasicAuthenticator struct { TTL time.Duration Realm string // contains filtered or unexported fields }
func NewBasicAuthenticator ¶
func NewBasicAuthenticator(realm string, ttl time.Duration) *BasicAuthenticator
func (*BasicAuthenticator) Wrap ¶
func (b *BasicAuthenticator) Wrap(handler http.Handler) http.HandlerFunc
type CallbackConnector ¶
type CallbackConnector interface { // The initial URL to redirect the user to. // // OAuth2 implementations should request different scopes from the upstream // identity provider based on the scopes requested by the downstream client. // For example, if the downstream client requests a refresh token from the // server, the connector should also request a token from the provider. // // Many identity providers have arbitrary restrictions on refresh tokens. For // example Google only allows a single refresh token per client/user/scopes // combination, and wont return a refresh token even if offline access is // requested if one has already been issues. There's no good general answer // for these kind of restrictions, and may require this package to become more // aware of the global set of user/connector interactions. LoginURL(s Scopes, callbackURL, state string, additionalKeyPairs ...string) (string, error) // Handle the callback to the server and return an identity. HandleCallback(s Scopes, r *http.Request) (identity Identity, err error) }
CallbackConnector is an interface implemented by connectors which use an OAuth style redirect flow to determine user information.
type ConnectorConfig ¶
func DefaultConnectorScanner ¶
func OpenConnector ¶
func OpenConnector(ctx context.Context, id, name, connectorType string, data proto.Message) (ConnectorConfig, error)
OpenConnector finds the correct opener
func ScanConnectors ¶
ScanConnectors uses the internal connectorScanner to read configurations
type ConnectorScanner ¶
type ContextVerifier ¶
type Identity ¶
type Identity struct { UserID string Username string Email string EmailVerified bool Claims map[string]interface{} Groups []string // ConnectorData holds data used by the connector for subsequent requests after initial // authentication, such as access tokens for upstream provides. // // This data is never shared with end users, OAuth clients, or through the API. ConnectorData []byte }
Identity represents the ID Token claims supported by the server.
type JWTVerifier ¶
type JWTVerifier struct {
// contains filtered or unexported fields
}
func DefaultJWTVerifier ¶
func DefaultJWTVerifier() *JWTVerifier
DefaultJWTVerifier creates a ready to use JWTVerifier
func (*JWTVerifier) Exchange ¶
func (j *JWTVerifier) Exchange(ctx context.Context, code, codeVerifier string) (*oauth2.Token, error)
Exchange retrieves an oauth2 Token from a code.
func (*JWTVerifier) LoginChallengeCode ¶
func (j *JWTVerifier) LoginChallengeCode(ctx context.Context, claims claim.Claims, opts ...TokenOption) (*auth.GetLoginResponse, string, error)
LoginChallengeCode will perform an implicit flow to get a valid code from given claims and challenge
func (*JWTVerifier) Logout ¶
func (j *JWTVerifier) Logout(ctx context.Context, url, subject, sessionID string, opts ...TokenOption) error
Logout calls logout on underlying provider
func (*JWTVerifier) PasswordCredentialsCode ¶
func (j *JWTVerifier) PasswordCredentialsCode(ctx context.Context, username, password string, opts ...TokenOption) (string, error)
PasswordCredentialsCode will perform an implicit flow to get a valid code from given claims and challenge
func (*JWTVerifier) PasswordCredentialsToken ¶
func (j *JWTVerifier) PasswordCredentialsToken(ctx context.Context, userName string, password string) (*oauth2.Token, error)
PasswordCredentialsToken will perform a call to the OIDC service with grantType "password" to get a valid token from a given user/pass credentials
type LockVerifier ¶
type LockVerifier struct{}
type LoginChallengeCodeExchanger ¶
type LoginChallengeCodeExchanger interface {
LoginChallengeCode(context.Context, claim.Claims, ...TokenOption) (*auth.GetLoginResponse, string, error)
}
type LogoutProvider ¶
type MappingRule ¶
type MappingRule struct { RuleName string `yaml:"RuleName"` // Left Attribute is attribute of external user (ldap, sql, api ...) // For example: displayName, mail, memberOf LeftAttribute string `yaml:"LeftAttribute"` // Right Attribute is attribute of standard user // For example: displayName, email // Two reserved attributes: Roles, GroupPath RightAttribute string `yaml:"RightAttribute"` // Rule string define an acceptable list of right value // It can be: // * Empty // * A list of accepted values separated by comma , . For example: teacher,researcher,employee // * preg string RuleString string `yaml:"RuleString"` // RolePrefix // AuthSourceName_Prefix_RoleID RolePrefix string `yaml:"RolePrefix"` }
func (MappingRule) AddPrefix ¶
func (m MappingRule) AddPrefix(prefix string, strs []string) []string
func (MappingRule) ConvertDNtoName ¶
func (m MappingRule) ConvertDNtoName(strs []string) []string
ConvertDNtoName tries to extract value from distinguishedName For example: member: uid=user01,dc=com,dc=fr member: uid=user02,dc=com,dc=fr member: uid=user03,dc=com,dc=fr return an array like:
user01 user02 user03
func (MappingRule) FilterList ¶
func (m MappingRule) FilterList(list []string, strs []string) []string
func (MappingRule) FilterPreg ¶
func (m MappingRule) FilterPreg(preg string, strs []string) []string
func (MappingRule) IsDnFormat ¶
func (m MappingRule) IsDnFormat(str string) bool
IsDnFormat simply checks if the passed string is valid. See: https://www.ietf.org/rfc/rfc2253.txt
func (MappingRule) RemoveLdapEscape ¶
func (m MappingRule) RemoveLdapEscape(strs []string) []string
RemoveLdapEscape remove LDAP escape characters but except '\,'.
func (MappingRule) SanitizeValues ¶
func (m MappingRule) SanitizeValues(strs []string) []string
type OIDCPoliciesVerifier ¶
type OIDCPoliciesVerifier struct{}
type PasswordConnector ¶
type PasswordConnector interface { Prompt() string Login(ctx context.Context, s Scopes, username, password string) (identity Identity, validPassword bool, err error) }
PasswordConnector is an interface implemented by connectors which take a username and password. Prompt() is used to inform the handler what to display in the password template. If this returns an empty string, it'll default to "Username".
type Provider ¶
type Provider interface {
GetType() ProviderType
}
type ProviderType ¶
type ProviderType int
const ( ProviderTypeGrpc ProviderType = iota ProviderTypePAT )
type PydioPW ¶
type PydioPW struct { PBKDF2_HASH_ALGORITHM string PBKDF2_ITERATIONS int PBKDF2_SALT_BYTE_SIZE int PBKDF2_HASH_BYTE_SIZE int HASH_SECTIONS int HASH_ALGORITHM_INDEX int HASH_ITERATION_INDEX int HASH_SALT_INDEX int HASH_PBKDF2_INDEX int }
func (PydioPW) CheckDBKDF2PydioPwd ¶
func (PydioPW) CreateHash ¶
type RefreshConnector ¶
type RefreshConnector interface { // Refresh is called when a client attempts to claim a refresh token. The // connector should attempt to update the identity object to reflect any // changes since the token was last refreshed. Refresh(ctx context.Context, s Scopes, identity Identity) (Identity, error) }
RefreshConnector is a connector that can update the client claims.
type SAMLConnector ¶
type SAMLConnector interface { // POSTData returns an encoded SAML request and SSO URL for the server to // render a POST form with. // // POSTData should encode the provided request ID in the returned serialized // SAML request. POSTData(s Scopes, requestID string) (ssoURL, samlRequest string, err error) // HandlePOST decodes, verifies, and maps attributes from the SAML response. // It passes the expected value of the "InResponseTo" response field, which // the connector must ensure matches the response value. // // See: https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf // "3.2.2 Complex Type StatusResponseType" HandlePOST(s Scopes, samlResponse, inResponseTo string) (identity Identity, err error) }
SAMLConnector represents SAML connectors which implement the HTTP POST binding.
RelayState is handled by the server.
See: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf "3.5 HTTP POST Binding"
type Scopes ¶
type Scopes struct { // The client has requested a refresh token from the server. OfflineAccess bool // The client has requested group information about the end user. Groups bool }
Scopes represents additional data requested by the clients about the end user.
type TokenOption ¶
TokenOption is an AuthCodeOption is passed to Config.AuthCodeURL.
func SetAccessToken ¶
func SetAccessToken(value string) TokenOption
SetAccessToken builds a TokenOption for passing the access token.
func SetChallenge ¶
func SetChallenge(value string) TokenOption
SetChallenge builds a TokenOption which passes key/value parameters to a provider's token exchange endpoint.
func SetRefreshToken ¶
func SetRefreshToken(value string) TokenOption
SetRefreshToken builds a TokenOption for passing the refresh_token.