Documentation ¶
Index ¶
- Constants
- Variables
- func AddCredentialToUser(ap AuthenticationProvider, email string, credential *webauthn.Credential) error
- func AuthenticateUserByToken(token *auth.Token, user *User) (bool, error)
- func BeginWebAuthnLogin(user User, uwas []WebAuthn, sr SessionRequest) (*protocol.CredentialAssertion, error)
- func FinishWebAuthnLogin(user User, uwas []WebAuthn, sr SessionRequest) error
- func ValidateAndHashPassword(plainPwd string) (string, error)
- func ValidateEmail(email string) error
- type AuthenticationProvider
- type AuthenticationProviderName
- type BasicAdminUsersORM
- type ChangeAuthTokenRequest
- type Session
- type SessionRequest
- type User
- type UserRole
- type WebAuthn
- type WebAuthnConfiguration
- type WebAuthnSessionStore
- func (store *WebAuthnSessionStore) BeginWebAuthnRegistration(user User, uwas []WebAuthn, config WebAuthnConfiguration) (*protocol.CredentialCreation, error)
- func (store *WebAuthnSessionStore) FinishWebAuthnRegistration(user User, uwas []WebAuthn, response *http.Request, ...) (*webauthn.Credential, error)
- func (store *WebAuthnSessionStore) GetWebauthnSession(key string) (data webauthn.SessionData, err error)
- func (store *WebAuthnSessionStore) SaveWebauthnSession(key string, data *webauthn.SessionData) error
- type WebAuthnUser
- func (u WebAuthnUser) CredentialExcludeList() []protocol.CredentialDescriptor
- func (u *WebAuthnUser) LoadWebAuthnCredentials(uwas []WebAuthn) error
- func (u WebAuthnUser) WebAuthnCredentials() []webauthn.Credential
- func (u WebAuthnUser) WebAuthnDisplayName() string
- func (u WebAuthnUser) WebAuthnID() []byte
- func (u WebAuthnUser) WebAuthnIcon() string
- func (u WebAuthnUser) WebAuthnName() string
Constants ¶
const (
MaxBcryptPasswordLength = 50
)
https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length
Variables ¶
var ErrEmptySessionID = errors.New("session ID cannot be empty")
ErrEmptySessionID captures the empty case error message
var ErrNotSupported = fmt.Errorf("functionality not supported with current authentication provider: %w", errors.ErrUnsupported)
ErrNotSupported defines the error where interface functionality doesn't align with the underlying Auth Provider
var ErrUserSessionExpired = errors.New("session missing or expired, please login again")
ErrUserSessionExpired defines the error triggered when the user session has expired
Functions ¶
func AddCredentialToUser ¶
func AddCredentialToUser(ap AuthenticationProvider, email string, credential *webauthn.Credential) error
func AuthenticateUserByToken ¶
AuthenticateUserByToken returns true on successful authentication of the user against the given Authentication Token.
func BeginWebAuthnLogin ¶
func BeginWebAuthnLogin(user User, uwas []WebAuthn, sr SessionRequest) (*protocol.CredentialAssertion, error)
func FinishWebAuthnLogin ¶
func FinishWebAuthnLogin(user User, uwas []WebAuthn, sr SessionRequest) error
func ValidateAndHashPassword ¶
ValidateAndHashPassword is the single point of logic for user password validations
func ValidateEmail ¶
ValidateEmail is the single point of logic for user email validations
Types ¶
type AuthenticationProvider ¶ added in v2.8.0
type AuthenticationProvider interface { FindUser(email string) (User, error) FindUserByAPIToken(apiToken string) (User, error) ListUsers() ([]User, error) AuthorizedUserWithSession(sessionID string) (User, error) DeleteUser(email string) error DeleteUserSession(sessionID string) error CreateSession(sr SessionRequest) (string, error) ClearNonCurrentSessions(sessionID string) error CreateUser(user *User) error UpdateRole(email, newRole string) (User, error) SetAuthToken(user *User, token *auth.Token) error CreateAndSetAuthToken(user *User) (*auth.Token, error) DeleteAuthToken(user *User) error SetPassword(user *User, newPassword string) error TestPassword(email, password string) error Sessions(offset, limit int) ([]Session, error) GetUserWebAuthn(email string) ([]WebAuthn, error) SaveWebAuthn(token *WebAuthn) error FindExternalInitiator(eia *auth.Token) (initiator *bridges.ExternalInitiator, err error) }
AuthenticationProvider is an interface that abstracts the required application calls to a user management backend Currently localauth (users table DB) or LDAP server (readonly)
type AuthenticationProviderName ¶ added in v2.8.0
type AuthenticationProviderName string
Application config constant options
const ( LocalAuth AuthenticationProviderName = "local" LDAPAuth AuthenticationProviderName = "ldap" )
type BasicAdminUsersORM ¶ added in v2.8.0
type BasicAdminUsersORM interface { ListUsers() ([]User, error) CreateUser(user *User) error FindUser(email string) (User, error) }
BasicAdminUsersORM is the interface that defines the functionality required for supporting basic admin functionality adjacent to the identity provider authentication provider implementation. It is currently implemented by the local users/sessions ORM containing local admin CLI actions. This is separate from the AuthenticationProvider, as local admin management (ie initial core node setup, initial admin user creation), is always required no matter what the pluggable AuthenticationProvider implementation is.
type ChangeAuthTokenRequest ¶
type ChangeAuthTokenRequest struct {
Password string `json:"password"`
}
Changeauth.TokenRequest is sent when updating a User's authentication token.
type Session ¶
type Session struct { ID string `json:"id"` Email string `json:"email"` LastUsed time.Time `json:"lastUsed"` CreatedAt time.Time `json:"createdAt"` }
Session holds the unique id for the authenticated session.
func NewSession ¶
func NewSession() Session
NewSession returns a session instance with ID set to a random ID and LastUsed to now.
type SessionRequest ¶
type SessionRequest struct { Email string `json:"email"` Password string `json:"password"` WebAuthnData string `json:"webauthndata"` WebAuthnConfig WebAuthnConfiguration SessionStore *WebAuthnSessionStore }
SessionRequest encapsulates the fields needed to generate a new SessionID, including the hashed password.
type User ¶
type User struct { Email string HashedPassword string Role UserRole CreatedAt time.Time TokenKey null.String TokenSalt null.String TokenHashedSecret null.String UpdatedAt time.Time }
User holds the credentials for API user.
func (*User) GenerateAuthToken ¶
GenerateAuthToken randomly generates and sets the users Authentication Token.
type UserRole ¶
type UserRole string
func GetUserRole ¶
GetUserRole is the single point of logic for mapping role string to UserRole
type WebAuthnConfiguration ¶
type WebAuthnSessionStore ¶
type WebAuthnSessionStore struct {
// contains filtered or unexported fields
}
WebAuthnSessionStore is a wrapper around an in memory key value store which provides some helper methods related to webauthn operations.
func NewWebAuthnSessionStore ¶
func NewWebAuthnSessionStore() *WebAuthnSessionStore
NewWebAuthnSessionStore returns a new session store.
func (*WebAuthnSessionStore) BeginWebAuthnRegistration ¶
func (store *WebAuthnSessionStore) BeginWebAuthnRegistration(user User, uwas []WebAuthn, config WebAuthnConfiguration) (*protocol.CredentialCreation, error)
func (*WebAuthnSessionStore) FinishWebAuthnRegistration ¶
func (store *WebAuthnSessionStore) FinishWebAuthnRegistration(user User, uwas []WebAuthn, response *http.Request, config WebAuthnConfiguration) (*webauthn.Credential, error)
func (*WebAuthnSessionStore) GetWebauthnSession ¶
func (store *WebAuthnSessionStore) GetWebauthnSession(key string) (data webauthn.SessionData, err error)
GetWebauthnSession unmarshals and returns the webauthn session information from the session cookie, which is removed.
func (*WebAuthnSessionStore) SaveWebauthnSession ¶
func (store *WebAuthnSessionStore) SaveWebauthnSession(key string, data *webauthn.SessionData) error
SaveWebauthnSession marshals and saves the webauthn data to the provided key given the request and responsewriter
type WebAuthnUser ¶
type WebAuthnUser struct { Email string WACredentials []webauthn.Credential }
WebAuthnUser implements the required duo-labs/webauthn/ 'User' interface kept separate from our internal 'User' struct
func (WebAuthnUser) CredentialExcludeList ¶
func (u WebAuthnUser) CredentialExcludeList() []protocol.CredentialDescriptor
CredentialExcludeList returns a CredentialDescriptor array filled with all the user's credentials to prevent them from re-registering keys
func (*WebAuthnUser) LoadWebAuthnCredentials ¶
func (u *WebAuthnUser) LoadWebAuthnCredentials(uwas []WebAuthn) error
func (WebAuthnUser) WebAuthnCredentials ¶
func (u WebAuthnUser) WebAuthnCredentials() []webauthn.Credential
WebAuthnCredentials returns credentials owned by the user
func (WebAuthnUser) WebAuthnDisplayName ¶
func (u WebAuthnUser) WebAuthnDisplayName() string
WebAuthnDisplayName returns the user's display name. In this case we just return the email
func (WebAuthnUser) WebAuthnID ¶
func (u WebAuthnUser) WebAuthnID() []byte
WebAuthnID returns the user's ID
func (WebAuthnUser) WebAuthnIcon ¶
func (u WebAuthnUser) WebAuthnIcon() string
WebAuthnIcon should be the logo in some form. How it should be is currently unclear to me.
func (WebAuthnUser) WebAuthnName ¶
func (u WebAuthnUser) WebAuthnName() string
WebAuthnName returns the user's email
Directories ¶
Path | Synopsis |
---|---|
The LDAP authentication package forwards the credentials in the user session request for authentication with a configured upstream LDAP server
|
The LDAP authentication package forwards the credentials in the user session request for authentication with a configured upstream LDAP server |