sessions

package
v2.8.1-mercury-2023121... Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 7, 2024 License: MIT Imports: 17 Imported by: 1

Documentation

Index

Constants

View Source
const (
	MaxBcryptPasswordLength = 50
)

https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length

Variables

View Source
var ErrEmptySessionID = errors.New("session ID cannot be empty")

ErrEmptySessionID captures the empty case error message

View Source
var ErrNotSupported = fmt.Errorf("functionality not supported with current authentication provider: %w", errors.ErrUnsupported)

ErrNotSupported defines the error where interface functionality doesn't align with the underlying Auth Provider

View Source
var ErrUserSessionExpired = errors.New("session missing or expired, please login again")

ErrUserSessionExpired defines the error triggered when the user session has expired

Functions

func AddCredentialToUser

func AddCredentialToUser(ap AuthenticationProvider, email string, credential *webauthn.Credential) error

func AuthenticateUserByToken

func AuthenticateUserByToken(token *auth.Token, user *User) (bool, error)

AuthenticateUserByToken returns true on successful authentication of the user against the given Authentication Token.

func BeginWebAuthnLogin

func BeginWebAuthnLogin(user User, uwas []WebAuthn, sr SessionRequest) (*protocol.CredentialAssertion, error)

func FinishWebAuthnLogin

func FinishWebAuthnLogin(user User, uwas []WebAuthn, sr SessionRequest) error

func ValidateAndHashPassword

func ValidateAndHashPassword(plainPwd string) (string, error)

ValidateAndHashPassword is the single point of logic for user password validations

func ValidateEmail

func ValidateEmail(email string) error

ValidateEmail is the single point of logic for user email validations

Types

type AuthenticationProvider added in v2.8.0

type AuthenticationProvider interface {
	FindUser(email string) (User, error)
	FindUserByAPIToken(apiToken string) (User, error)
	ListUsers() ([]User, error)
	AuthorizedUserWithSession(sessionID string) (User, error)
	DeleteUser(email string) error
	DeleteUserSession(sessionID string) error
	CreateSession(sr SessionRequest) (string, error)
	ClearNonCurrentSessions(sessionID string) error
	CreateUser(user *User) error
	UpdateRole(email, newRole string) (User, error)
	SetAuthToken(user *User, token *auth.Token) error
	CreateAndSetAuthToken(user *User) (*auth.Token, error)
	DeleteAuthToken(user *User) error
	SetPassword(user *User, newPassword string) error
	TestPassword(email, password string) error
	Sessions(offset, limit int) ([]Session, error)
	GetUserWebAuthn(email string) ([]WebAuthn, error)
	SaveWebAuthn(token *WebAuthn) error

	FindExternalInitiator(eia *auth.Token) (initiator *bridges.ExternalInitiator, err error)
}

AuthenticationProvider is an interface that abstracts the required application calls to a user management backend Currently localauth (users table DB) or LDAP server (readonly)

type AuthenticationProviderName added in v2.8.0

type AuthenticationProviderName string

Application config constant options

const (
	LocalAuth AuthenticationProviderName = "local"
	LDAPAuth  AuthenticationProviderName = "ldap"
)

type BasicAdminUsersORM added in v2.8.0

type BasicAdminUsersORM interface {
	ListUsers() ([]User, error)
	CreateUser(user *User) error
	FindUser(email string) (User, error)
}

BasicAdminUsersORM is the interface that defines the functionality required for supporting basic admin functionality adjacent to the identity provider authentication provider implementation. It is currently implemented by the local users/sessions ORM containing local admin CLI actions. This is separate from the AuthenticationProvider, as local admin management (ie initial core node setup, initial admin user creation), is always required no matter what the pluggable AuthenticationProvider implementation is.

type ChangeAuthTokenRequest

type ChangeAuthTokenRequest struct {
	Password string `json:"password"`
}

Changeauth.TokenRequest is sent when updating a User's authentication token.

type Session

type Session struct {
	ID        string    `json:"id"`
	Email     string    `json:"email"`
	LastUsed  time.Time `json:"lastUsed"`
	CreatedAt time.Time `json:"createdAt"`
}

Session holds the unique id for the authenticated session.

func NewSession

func NewSession() Session

NewSession returns a session instance with ID set to a random ID and LastUsed to now.

type SessionRequest

type SessionRequest struct {
	Email          string `json:"email"`
	Password       string `json:"password"`
	WebAuthnData   string `json:"webauthndata"`
	WebAuthnConfig WebAuthnConfiguration
	SessionStore   *WebAuthnSessionStore
}

SessionRequest encapsulates the fields needed to generate a new SessionID, including the hashed password.

type User

type User struct {
	Email             string
	HashedPassword    string
	Role              UserRole
	CreatedAt         time.Time
	TokenKey          null.String
	TokenSalt         null.String
	TokenHashedSecret null.String
	UpdatedAt         time.Time
}

User holds the credentials for API user.

func NewUser

func NewUser(email string, plainPwd string, role UserRole) (User, error)

NewUser creates a new user by hashing the passed plainPwd with bcrypt.

func (*User) GenerateAuthToken

func (u *User) GenerateAuthToken() (*auth.Token, error)

GenerateAuthToken randomly generates and sets the users Authentication Token.

func (*User) SetAuthToken

func (u *User) SetAuthToken(token *auth.Token) error

SetAuthToken updates the user to use the given Authentication Token.

type UserRole

type UserRole string
const (
	UserRoleAdmin UserRole = "admin"
	UserRoleEdit  UserRole = "edit"
	UserRoleRun   UserRole = "run"
	UserRoleView  UserRole = "view"
)

func GetUserRole

func GetUserRole(role string) (UserRole, error)

GetUserRole is the single point of logic for mapping role string to UserRole

type WebAuthn

type WebAuthn struct {
	Email         string
	PublicKeyData sqlxTypes.JSONText
}

WebAuthn holds the credentials for API user.

type WebAuthnConfiguration

type WebAuthnConfiguration struct {
	RPID     string
	RPOrigin string
}

type WebAuthnSessionStore

type WebAuthnSessionStore struct {
	// contains filtered or unexported fields
}

WebAuthnSessionStore is a wrapper around an in memory key value store which provides some helper methods related to webauthn operations.

func NewWebAuthnSessionStore

func NewWebAuthnSessionStore() *WebAuthnSessionStore

NewWebAuthnSessionStore returns a new session store.

func (*WebAuthnSessionStore) BeginWebAuthnRegistration

func (store *WebAuthnSessionStore) BeginWebAuthnRegistration(user User, uwas []WebAuthn, config WebAuthnConfiguration) (*protocol.CredentialCreation, error)

func (*WebAuthnSessionStore) FinishWebAuthnRegistration

func (store *WebAuthnSessionStore) FinishWebAuthnRegistration(user User, uwas []WebAuthn, response *http.Request, config WebAuthnConfiguration) (*webauthn.Credential, error)

func (*WebAuthnSessionStore) GetWebauthnSession

func (store *WebAuthnSessionStore) GetWebauthnSession(key string) (data webauthn.SessionData, err error)

GetWebauthnSession unmarshals and returns the webauthn session information from the session cookie, which is removed.

func (*WebAuthnSessionStore) SaveWebauthnSession

func (store *WebAuthnSessionStore) SaveWebauthnSession(key string, data *webauthn.SessionData) error

SaveWebauthnSession marshals and saves the webauthn data to the provided key given the request and responsewriter

type WebAuthnUser

type WebAuthnUser struct {
	Email         string
	WACredentials []webauthn.Credential
}

WebAuthnUser implements the required duo-labs/webauthn/ 'User' interface kept separate from our internal 'User' struct

func (WebAuthnUser) CredentialExcludeList

func (u WebAuthnUser) CredentialExcludeList() []protocol.CredentialDescriptor

CredentialExcludeList returns a CredentialDescriptor array filled with all the user's credentials to prevent them from re-registering keys

func (*WebAuthnUser) LoadWebAuthnCredentials

func (u *WebAuthnUser) LoadWebAuthnCredentials(uwas []WebAuthn) error

func (WebAuthnUser) WebAuthnCredentials

func (u WebAuthnUser) WebAuthnCredentials() []webauthn.Credential

WebAuthnCredentials returns credentials owned by the user

func (WebAuthnUser) WebAuthnDisplayName

func (u WebAuthnUser) WebAuthnDisplayName() string

WebAuthnDisplayName returns the user's display name. In this case we just return the email

func (WebAuthnUser) WebAuthnID

func (u WebAuthnUser) WebAuthnID() []byte

WebAuthnID returns the user's ID

func (WebAuthnUser) WebAuthnIcon

func (u WebAuthnUser) WebAuthnIcon() string

WebAuthnIcon should be the logo in some form. How it should be is currently unclear to me.

func (WebAuthnUser) WebAuthnName

func (u WebAuthnUser) WebAuthnName() string

WebAuthnName returns the user's email

Directories

Path Synopsis
The LDAP authentication package forwards the credentials in the user session request for authentication with a configured upstream LDAP server
The LDAP authentication package forwards the credentials in the user session request for authentication with a configured upstream LDAP server

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL