Documentation ¶
Index ¶
- Constants
- Variables
- func CallbackAuthenticate(auth *AuthenticationServer, principal PrincipalInterface, ...) error
- func CallbackInit(auth *AuthenticationServer) error
- func CheckPasswordFileUser(u, password string) (string, error)
- func ClearCallbacks()
- func CountLoginUser(passwordFile string) int
- func DecryptData(token string) (string, error)
- func EncryptData(data string) (string, error)
- func GenerateHash(enc, password string) string
- func InitLoginService(auth *Authentication) error
- func InitPasswordFile(passwordFile string) (err error)
- func InvalidateUUID(uuid string, elapsed time.Time) bool
- func LoadUsers(role AccessRole, file string) error
- func PerDatabase(dbName, userName, passwd string) error
- func Register(r func(PrincipalInterface) error)
- func RegisterCallback(callback CallbackInterface)
- func RegisterDatabaseForAuth(layer, URL, query string)
- func RegisterPlugin()
- func RegisterTargetForAuth(layer, URL, query string)
- func RemoveLoginService(auth *Authentication)
- func RemovePasswordFile(passwordFile string)
- func SystemAuthenticate(pamName, userName, passwd string) error
- func ValidAdmin(user string) bool
- func ValidUser(role AccessRole, writeAccess bool, user *UserInfo, resource string) bool
- type AccessRole
- type Authentication
- type AuthenticationServer
- type CallbackInterface
- type Default
- type DefaultJWTHandler
- func (df *DefaultJWTHandler) InvalidateUUID(uuid string, elapsed time.Time) bool
- func (df *DefaultJWTHandler) Range(f func(uuid, value any) bool) error
- func (df *DefaultJWTHandler) Store(principal PrincipalInterface, user, pass string) error
- func (df *DefaultJWTHandler) UUIDInfo(uuid string) (*SessionInfo, error)
- func (df *DefaultJWTHandler) ValidateUUID(claims *JWTClaims) (PrincipalInterface, bool)
- type JWTClaims
- type JWTValidate
- type Method
- type PasswordFileStruct
- func (rfs *PasswordFileStruct) AppendUserToPasswordFile(user, newPassword, roles string) error
- func (rfs *PasswordFileStruct) CheckPasswordFileUser(u, password string) (string, error)
- func (rfs *PasswordFileStruct) CheckUser(u string) bool
- func (rfs *PasswordFileStruct) Close()
- func (rfs *PasswordFileStruct) CountLoginUser() int
- func (rfs *PasswordFileStruct) CreateDefaultRealm() (err error)
- func (rfs *PasswordFileStruct) CreateDefaultUser() error
- func (rfs *PasswordFileStruct) FlushUserToPasswordFile() error
- func (rfs *PasswordFileStruct) LoadPasswordFile() (err error)
- func (rfs *PasswordFileStruct) UpdateUserPasswordToRealmFile(user, newPassword string) error
- type PrincipalInterface
- type SearchResult
- type SecurityProtocol
- type SessionInfo
- type Source
- type User
- type UserInfo
- type Users
- type WebToken
Constants ¶
const CheckDefaultPassword = "Test123"
CheckDefaultPassword is the default password to check against; it must be changed.
Variables ¶
var DefaultRoles = []string{}
DefaultRoles is the default set of roles assigned to users.
var JWTOperator = JWTValidate(&DefaultJWTHandler{uuidHashStore: sync.Map{}})
JWTOperator is the JWT operator used to check UUIDs.
var PrincipalCreater func(session *SessionInfo, user, pass string) PrincipalInterface
PrincipalCreater creates a principal instance.
var TriggerInvalidUUID func(*SessionInfo, *UserInfo)
TriggerInvalidUUID is the trigger fired when a UUID is invalidated.
Functions ¶
func CallbackAuthenticate ¶
func CallbackAuthenticate(auth *AuthenticationServer, principal PrincipalInterface, userName, passwd string) error
CallbackAuthenticate authenticates the user name and password through the callback.
func CallbackInit ¶
func CallbackInit(auth *AuthenticationServer) error
CallbackInit initializes the login service realm and the authorization instances of users, using callbacks or plugins.
func CheckPasswordFileUser ¶
CheckPasswordFileUser authenticates the user and password against the default realm.
func CountLoginUser ¶
CountLoginUser counts the number of registered login users.
func DecryptData ¶
DecryptData decrypts base64 data to a string.
func EncryptData ¶
EncryptData encrypts data to a base64 string.
func GenerateHash ¶
GenerateHash generates a hash using the given hash algorithm.
func InitLoginService ¶
func InitLoginService(auth *Authentication) error
InitLoginService initializes the login service realm and the authorization instances of users.
func InitPasswordFile ¶
InitPasswordFile initializes the password file data.
func InvalidateUUID ¶
InvalidateUUID invalidates the UUID so that it is no longer valid.
func LoadUsers ¶
func LoadUsers(role AccessRole, file string) error
LoadUsers loads the permission rights from the given file.
func PerDatabase ¶
PerDatabase authenticates the user and password against the database.
func RegisterCallback ¶
func RegisterCallback(callback CallbackInterface)
RegisterCallback registers a callback.
func RegisterDatabaseForAuth ¶
func RegisterDatabaseForAuth(layer, URL, query string)
RegisterDatabaseForAuth registers principal hooks.
func RegisterTargetForAuth ¶
func RegisterTargetForAuth(layer, URL, query string)
RegisterTargetForAuth registers principal hooks.
func RemoveLoginService ¶
func RemoveLoginService(auth *Authentication)
RemoveLoginService removes the login service realm and the authorization instances of users.
func RemovePasswordFile ¶
func RemovePasswordFile(passwordFile string)
RemovePasswordFile removes the password file data.
func SystemAuthenticate ¶
SystemAuthenticate authenticates the user and password.
Types ¶
type AccessRole ¶
type AccessRole int
AccessRole is an access role.
const (
	// AdministratorRole use of administration user
	AdministratorRole AccessRole = iota
	// UserRole user access role
	UserRole
)
type Authentication ¶
type Authentication struct {
AuthenticationServer []*AuthenticationServer
}
Authentication is the authenticator base.
var AuthenticationConfig *Authentication
AuthenticationConfig is the authentication configuration base.
type AuthenticationServer ¶
type AuthenticationServer struct {
	Comment      string   `xml:",comment" yaml:"-"`
	Module       string   `xml:"module,attr" yaml:"module,omitempty"`
	Type         string   `xml:"type,attr" yaml:"type,omitempty"`
	Layer        string   `xml:"driver,attr" yaml:"driver,omitempty"`
	AuthMethod   Method   `xml:"-" yaml:"-"`
	Target       string   `xml:"target,omitempty" yaml:"target,omitempty"`
	PasswordFile string   `xml:"passwordFile,omitempty" yaml:"passwordFile,omitempty"`
	LDAP         []Source `xml:"LDAP,omitempty" yaml:"LDAP,omitempty"`
}
AuthenticationServer is an authentication server.
func (*AuthenticationServer) Authenticate ¶
func (service *AuthenticationServer) Authenticate(principal PrincipalInterface, user, passwd string) error
Authenticate authenticates the user and password.
type CallbackInterface ¶
type CallbackInterface interface {
	GetName() string
	Init() error
	Authenticate(principal PrincipalInterface, userName, passwd string) error
	CheckToken(token string, scopes []string) (PrincipalInterface, error)
	GenerateToken(IAt string, principal PrincipalInterface) (tokenString string, err error)
}
CallbackInterface is the callback interface for authentication.
type Default ¶
type Default struct {
	Read     string          `xml:"read,attr" yaml:"read"`
	Write    string          `xml:"write,attr" yaml:"write"`
	ReadMap  map[string]bool `xml:"-" yaml:"-"`
	WriteMap map[string]bool `xml:"-" yaml:"-"`
}
Default holds the default rights.
type DefaultJWTHandler ¶
type DefaultJWTHandler struct {
// contains filtered or unexported fields
}
DefaultJWTHandler is the default handler backed by a local Map instance.
func (*DefaultJWTHandler) InvalidateUUID ¶
func (df *DefaultJWTHandler) InvalidateUUID(uuid string, elapsed time.Time) bool
InvalidateUUID invalidates the UUID entry using the given elapsed time.
func (*DefaultJWTHandler) Range ¶
func (df *DefaultJWTHandler) Range(f func(uuid, value any) bool) error
Range iterates over all session entries.
func (*DefaultJWTHandler) Store ¶
func (df *DefaultJWTHandler) Store(principal PrincipalInterface, user, pass string) error
Store stores an entry for the given input.
func (*DefaultJWTHandler) UUIDInfo ¶
func (df *DefaultJWTHandler) UUIDInfo(uuid string) (*SessionInfo, error)
UUIDInfo returns the session information stored for the given UUID.
func (*DefaultJWTHandler) ValidateUUID ¶
func (df *DefaultJWTHandler) ValidateUUID(claims *JWTClaims) (PrincipalInterface, bool)
ValidateUUID validates that the JWT claims refer to a UUID in the session list.
type JWTClaims ¶
type JWTClaims struct {
	UUID      string           `json:"jti,omitempty"`
	Subject   string           `json:"sub,omitempty"`
	Audience  string           `json:"aud,omitempty"`
	IAt       string           `json:"iat,omitempty"`
	Roles     []string         `json:"roles"`
	Remote    string           `json:"rem,omitempty"`
	ID        string           `json:"id,omitempty"`
	Issuer    string           `json:"iss,omitempty"`
	ExpiresAt *jwt.NumericDate `json:"exp,omitempty"`
}
JWTClaims describes the format of our JWT token's claims
type JWTValidate ¶
type JWTValidate interface {
	UUIDInfo(uuid string) (*SessionInfo, error)
	Range(func(uuid, value any) bool) error
	ValidateUUID(claims *JWTClaims) (PrincipalInterface, bool)
	InvalidateUUID(string, time.Time) bool
	Store(PrincipalInterface, string, string) error
}
JWTValidate is the JWT validation instance.
type Method ¶
type Method int
Method is the method of authentication.
const (
	// UnknownMethod unknown
	UnknownMethod Method = iota
	// SystemMethod System method
	SystemMethod
	// FileMethod password file method
	FileMethod
	// LDAPMethod LDAP method
	LDAPMethod
	// OpenIDMethod OpenID method
	OpenIDMethod
	// SQLDatabaseMethod database method
	SQLDatabaseMethod
	// PluginMethod plugin method
	PluginMethod
	// CallbackMethod callback method
	CallbackMethod
)
type PasswordFileStruct ¶
type PasswordFileStruct struct {
	Counter uint64
	// contains filtered or unexported fields
}
PasswordFileStruct is the password file struct.
func NewAppendPasswordFile ¶
func NewAppendPasswordFile(realmFile string) *PasswordFileStruct
NewAppendPasswordFile creates a new password file handle in append-only mode.
func NewInitFileRealm ¶
func NewInitFileRealm(realmFile string, createAutogenerated bool) (*PasswordFileStruct, error)
NewInitFileRealm initializes a file realm (creating a new one if not available).
func (*PasswordFileStruct) AppendUserToPasswordFile ¶
func (rfs *PasswordFileStruct) AppendUserToPasswordFile(user, newPassword, roles string) error
AppendUserToPasswordFile appends a user to the realm file.
func (*PasswordFileStruct) CheckPasswordFileUser ¶
func (rfs *PasswordFileStruct) CheckPasswordFileUser(u, password string) (string, error)
CheckPasswordFileUser authenticates the user and password against the default realm.
func (*PasswordFileStruct) CheckUser ¶
func (rfs *PasswordFileStruct) CheckUser(u string) bool
CheckUser checks the user against the realm file.
func (*PasswordFileStruct) Close ¶
func (rfs *PasswordFileStruct) Close()
Close closes the file descriptor.
func (*PasswordFileStruct) CountLoginUser ¶
func (rfs *PasswordFileStruct) CountLoginUser() int
CountLoginUser counts the number of registered login users for a specific realm file.
func (*PasswordFileStruct) CreateDefaultRealm ¶
func (rfs *PasswordFileStruct) CreateDefaultRealm() (err error)
CreateDefaultRealm creates the default realm.
func (*PasswordFileStruct) CreateDefaultUser ¶
func (rfs *PasswordFileStruct) CreateDefaultUser() error
CreateDefaultUser creates the default user.
func (*PasswordFileStruct) FlushUserToPasswordFile ¶
func (rfs *PasswordFileStruct) FlushUserToPasswordFile() error
FlushUserToPasswordFile flushes the users to the realm file.
func (*PasswordFileStruct) LoadPasswordFile ¶
func (rfs *PasswordFileStruct) LoadPasswordFile() (err error)
LoadPasswordFile loads the users of the file realm.
func (*PasswordFileStruct) UpdateUserPasswordToRealmFile ¶
func (rfs *PasswordFileStruct) UpdateUserPasswordToRealmFile(user, newPassword string) error
UpdateUserPasswordToRealmFile updates the user's password in the realm file.
type PrincipalInterface ¶
type PrincipalInterface interface {
	UUID() string
	Name() string
	AddRoles([]string)
	Remote() string
	SetRemote(string)
	Roles() []string
	Session() interface{}
	SetSession(interface{})
}
PrincipalInterface is a principal independent of the model.
type SearchResult ¶
type SearchResult struct {
	Username     string // Username
	Name         string // Name
	Surname      string // Surname
	Mail         string // E-mail address
	IsAdmin      bool   // if user is administrator
	IsRestricted bool   // if user is restricted
}
SearchResult holds user data.
type SecurityProtocol ¶
type SecurityProtocol int
SecurityProtocol is the integer protocol type.
const (
	SecurityProtocolUnencrypted SecurityProtocol = iota
	SecurityProtocolLDAPS
	SecurityProtocolStartTLS
)
Note: new types must be added at the end of the list to maintain compatibility.
type SessionInfo ¶
type SessionInfo struct {
	User        string `flynn:"Name"`
	UUID        string `flynn:"UUID:PRIMARY KEY"`
	Data        []byte
	Created     time.Time
	LastAccess  time.Time
	Invalidated time.Time
}
SessionInfo is the session information context.
func NewSessionInfo ¶
func NewSessionInfo(user string) *SessionInfo
NewSessionInfo creates a new SessionInfo instance with Created and UUID filled in.
func UUIDInfo ¶
func UUIDInfo(uuid string) (*SessionInfo, error)
UUIDInfo returns the session information stored for the given UUID.
type Source ¶
type Source struct {
	Name              string // canonical name (ie. corporate.ad)
	Host              string // LDAP host
	Port              int    // port number
	SecurityProtocol  SecurityProtocol
	SkipVerify        bool   `xml:"skipVerify,attr"`
	BindDN            string // DN to bind with
	BindPassword      string // Bind DN password
	UserBase          string // Base search path for users
	UserDN            string // Template for the DN of the user for simple auth
	AttributeUsername string // Username attribute
	AttributeName     string // First name attribute
	AttributeSurname  string // Surname attribute
	AttributeMail     string // E-mail attribute
	AttributesInBind  bool   `xml:"attributesInBind,attr"` // fetch attributes in bind context (not user)
	SearchPageSize    uint32 // Search with paging page size
	Filter            string // Query filter to validate entry
	AdminFilter       string // Query filter to check if user is admin
	RestrictedFilter  string // Query filter to check if user is restricted
	Enabled           bool   `xml:"-"` // if this source is disabled
	GroupsEnabled     bool   `xml:"groupsEnabled,attr"` // if the group checking is enabled
	GroupDN           string // Group Search Base
	GroupFilter       string // Group Name Filter
	GroupMemberUID    string // Group Attribute containing array of UserUID
	UserUID           string // User Attribute listed in Group
}
Source is a basic LDAP authentication service.
func (*Source) SearchEntries ¶
func (src *Source) SearchEntries() ([]*SearchResult, error)
SearchEntries searches an LDAP source for all users matching the user filter.
func (*Source) SearchEntry ¶
func (src *Source) SearchEntry(name, passwd string, directBind bool) (*SearchResult, error)
SearchEntry searches an LDAP source to determine whether the entry (name, passwd) is valid and matches the specific filter.
func (*Source) UsePagedSearch ¶
UsePagedSearch reports whether a paged search needs to be used.
type User ¶
type User struct {
	Name     string          `xml:"name,attr" yaml:"name"`
	Read     string          `xml:"read,attr" yaml:"read"`
	Write    string          `xml:"write,attr" yaml:"write"`
	ReadMap  map[string]bool `xml:"-" yaml:"-"`
	WriteMap map[string]bool `xml:"-" yaml:"-"`
}
User is a REST user.
func (*User) InitPermission ¶
InitPermission initializes the permissions.
type UserInfo ¶
type UserInfo struct {
	User          string `flynn:"Name:PRIMARY KEY"`
	EMail         string
	LongName      string
	Created       time.Time
	LastLogin     time.Time
	Picture       []byte
	Permission    *User `flynn:":YAML"`
	Administrator bool
}
UserInfo is the user information context.
type Users ¶
type Users struct {
	Role    AccessRole       `xml:"-" yaml:"-"`
	File    string           `xml:"-" yaml:"-"`
	Default *Default         `xml:"Default" yaml:"default,omitempty"`
	User    []*User          `xml:"User" yaml:"user,omitempty"`
	UserMap map[string]*User `xml:"-" yaml:"-"`
}
Users is the list of REST users allowed to access data.
type WebToken ¶
type WebToken struct {
	Comment    string `xml:",comment" yaml:"-"`
	IssuerName string `xml:"issuer,attr" yaml:"issuer,omitempty"`
	Expirer    string `xml:"expire,attr" yaml:"expire,omitempty"`
	Encrypt    bool   `xml:"encrypt,attr" yaml:"encrypt,omitempty"`
	PublicKey  string `xml:"PublicKey" yaml:"publicKey,omitempty"`
	PrivateKey string `xml:"PrivateKey" yaml:"privateKey,omitempty"`
	PassToken  string `xml:"PassToken" yaml:"passToken,omitempty"`
}
WebToken is the web token configuration.
var WebTokenConfig *WebToken
WebTokenConfig is the web token (JWT) configuration.
func (*WebToken) GenerateJWToken ¶
func (webToken *WebToken) GenerateJWToken(IAt string, principal PrincipalInterface) (tokenString string, err error)
GenerateJWToken generates a JWT using the Go Jose.v2 library.
func (*WebToken) InitWebTokenJose2 ¶
InitWebTokenJose2 initializes the WebToken Jose.v2 token.
func (*WebToken) JWTContainsRoles ¶
func (webToken *WebToken) JWTContainsRoles(token string, scopes []string) (PrincipalInterface, error)
JWTContainsRoles reports whether the Bearer token is a JWT signed by us that claims membership in an authorization scope. It verifies that the claimed role is one of the passed scopes and that the UUID is stored and still valid.