authn


Documentation

Overview

Copyright 2017 Cesanta Software Ltd.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

This section is empty.

Variables

// ExpiredToken is the error value for a token whose validity period has passed.
// Which function returns it is not shown on this page — presumably
// TokenDB.ValidateToken when TokenDBValue.ValidUntil is in the past; confirm in source.
var ExpiredToken = errors.New("expired token")
// NoMatch is returned by an Authenticator that could not reach a decision,
// e.g. none of its rules matched (see Authenticator.Authenticate). It signals
// "no opinion", not a denial, so a caller chaining several authenticators can
// fall through to the next one.
var NoMatch = errors.New("did not match any rule")
// WrongPass is returned by an Authenticator that failed to authenticate the
// user (see Authenticator.Authenticate).
// NOTE(review): NoMatch and WrongPass differ in whether a matching user/rule
// was found; a response that lets the client tell them apart would reveal
// which user names exist, so both should surface as the same generic denial.
var WrongPass = errors.New("wrong password for user")

Functions

func Asset

func Asset(name string) ([]byte, error)

Asset loads and returns the asset for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetDir

func AssetDir(name string) ([]string, error)

AssetDir returns the file names below a certain directory embedded in the file by go-bindata. For example if you run go-bindata on data/... and data contains the following hierarchy:

data/
  foo.txt
  img/
    a.png
    b.png

then AssetDir("data") would return []string{"foo.txt", "img"}; AssetDir("data/img") would return []string{"a.png", "b.png"}; AssetDir("foo.txt") and AssetDir("notexist") would return an error; and AssetDir("") would return []string{"data"}.

func AssetInfo

func AssetInfo(name string) (os.FileInfo, error)

AssetInfo loads and returns the asset info for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetNames

func AssetNames() []string

AssetNames returns the names of the assets.

func MustAsset

func MustAsset(name string) []byte

MustAsset is like Asset but panics when Asset would return an error. It simplifies safe initialization of global variables.

func NewExtAuth

func NewExtAuth(cfg *ExtAuthConfig) *extAuth

func NewStaticUserAuth

func NewStaticUserAuth(users map[string]*Requirements) *staticUsersAuth

func RestoreAsset

func RestoreAsset(dir, name string) error

RestoreAsset restores an asset under the given directory

func RestoreAssets

func RestoreAssets(dir, name string) error

RestoreAssets restores an asset under the given directory recursively

Types

type Authenticator

// Authenticator is the authentication plugin interface. GitHubAuth, GoogleAuth,
// LDAPAuth and MongoAuth expose the three methods below; the unexported types
// returned by NewExtAuth and NewStaticUserAuth presumably do as well (their
// method sets are not shown on this page).
type Authenticator interface {
	// Authenticate, given a user name and a password (plain text), responds with the result or an error.
	// An error should only be reported if the request could not be serviced, not if it should be denied.
	// The special NoMatch error is returned if the authorizer could not reach a decision,
	// e.g. none of the rules matched.
	// The special WrongPass error is returned if the authorizer failed to authenticate.
	// Implementations must be goroutine-safe.
	Authenticate(user string, password PasswordString) (bool, Labels, error)

	// Stop finalizes resources in preparation for shutdown.
	// When this call is made there are guaranteed to be no Authenticate requests in flight
	// and there will be no more calls made to this instance.
	Stop()

	// Name returns the human-readable name of the authenticator.
	Name() string
}

Authenticator is the authentication plugin interface.

type CodeToTokenResponse

// CodeToTokenResponse is sent by Google servers in response to the
// grant_type=authorization_code request. Exactly one of the two halves is
// expected to be populated: the token fields on success, Error and
// ErrorDescription on failure.
type CodeToTokenResponse struct {
	IDToken      string `json:"id_token,omitempty"`
	AccessToken  string `json:"access_token,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ExpiresIn    int64  `json:"expires_in,omitempty"` // lifetime of AccessToken in seconds, as sent by the server
	TokenType    string `json:"token_type,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

CodeToTokenResponse is sent by Google servers in response to the grant_type=authorization_code request.

type ExtAuthConfig

// ExtAuthConfig configures the external-command authenticator created by
// NewExtAuth. Validate checks it; what it checks is not shown on this page.
type ExtAuthConfig struct {
	// Command is the program to execute and Args its argument list — presumably
	// run as a subprocess for each authentication request (confirm in source).
	// Both come straight from the YAML config, so whoever can write that file
	// controls what the service executes; the file must be protected accordingly.
	Command string   `yaml:"command"`
	Args    []string `yaml:"args"`
}

func (*ExtAuthConfig) Validate

func (c *ExtAuthConfig) Validate() error

type ExtAuthResponse

// ExtAuthResponse is the JSON document the external command reports back —
// presumably decoded from its standard output (confirm in source). Only Labels
// is read from it; the allow/deny outcome is carried by ExtAuthStatus.
type ExtAuthResponse struct {
	Labels Labels `json:"labels,omitempty"`
}

type ExtAuthStatus

// ExtAuthStatus is the outcome reported by the external authenticator. The
// fixed numeric values suggest they are exchanged with the external process,
// e.g. as its exit status — confirm in source before relying on the numbers.
type ExtAuthStatus int
const (
	ExtAuthAllowed ExtAuthStatus = 0 // credentials accepted
	ExtAuthDenied  ExtAuthStatus = 1 // credentials rejected (cf. WrongPass)
	ExtAuthNoMatch ExtAuthStatus = 2 // no decision, fall through to other rules (cf. NoMatch)
	ExtAuthError   ExtAuthStatus = 3 // the request could not be serviced
)

type GitHubAuth

// GitHubAuth is the GitHub-backed Authenticator; create it with NewGitHubAuth.
// Authenticate, Name and Stop satisfy Authenticator; DoGitHubAuth is an
// http.Handler-shaped method, presumably serving the browser side of the OAuth
// flow described by GitHubAuthRequest (confirm in source).
type GitHubAuth struct {
	// contains filtered or unexported fields
}

func NewGitHubAuth

func NewGitHubAuth(c *GitHubAuthConfig) (*GitHubAuth, error)

func (*GitHubAuth) Authenticate

func (gha *GitHubAuth) Authenticate(user string, password PasswordString) (bool, Labels, error)

func (*GitHubAuth) DoGitHubAuth

func (gha *GitHubAuth) DoGitHubAuth(rw http.ResponseWriter, req *http.Request)

func (*GitHubAuth) Name

func (gha *GitHubAuth) Name() string

func (*GitHubAuth) Stop

func (gha *GitHubAuth) Stop()

type GitHubAuthConfig

// GitHubAuthConfig is the YAML configuration consumed by NewGitHubAuth.
type GitHubAuthConfig struct {
	// Organization, when set, presumably restricts logins to members of that
	// GitHub organization — confirm in source.
	Organization string `yaml:"organization,omitempty"`
	// ClientId and ClientSecret are the OAuth application credentials.
	// ClientSecretFile names a file to read the secret from instead of placing it
	// inline in the config; prefer it so the secret is not copied with the config.
	// Which one wins when both are set is not shown on this page.
	ClientId         string                `yaml:"client_id,omitempty"`
	ClientSecret     string                `yaml:"client_secret,omitempty"`
	ClientSecretFile string                `yaml:"client_secret_file,omitempty"`
	// TokenDB is the path of the local LevelDB token store (see NewTokenDB);
	// GCSTokenDB selects the Google Cloud Storage store instead (see NewGCSTokenDB).
	// Whether they are mutually exclusive is not shown here.
	TokenDB    string                `yaml:"token_db,omitempty"`
	GCSTokenDB *GitHubGCSStoreConfig `yaml:"gcs_token_db,omitempty"`
	// HTTPTimeout bounds calls to the GitHub API. Note that GoogleAuthConfig
	// declares the same-named field as a plain int, so the YAML value is not
	// interchangeable between the two.
	HTTPTimeout time.Duration `yaml:"http_timeout,omitempty"`
	// RevalidateAfter is presumably how long a stored token is trusted before it
	// is checked against GitHub again — confirm in source.
	RevalidateAfter time.Duration `yaml:"revalidate_after,omitempty"`
	// GithubWebUri and GithubApiUri override the GitHub endpoints, presumably
	// for GitHub Enterprise installs. Because tokens are sent to these hosts,
	// they must only be set from a trusted config.
	GithubWebUri string `yaml:"github_web_uri,omitempty"`
	GithubApiUri string `yaml:"github_api_uri,omitempty"`
}

type GitHubAuthRequest

// GitHubAuthRequest is the JSON body handled by GitHubAuth.DoGitHubAuth.
// Action selects the operation; Code is presumably the OAuth authorization
// code to exchange and Token a previously issued token — the accepted Action
// values are not shown on this page.
type GitHubAuthRequest struct {
	Action string `json:"action,omitempty"`
	Code   string `json:"code,omitempty"`
	Token  string `json:"token,omitempty"`
}

type GitHubGCSStoreConfig

// GitHubGCSStoreConfig selects Google Cloud Storage as the token store; its
// two fields map onto the arguments of NewGCSTokenDB. The bucket holds one
// object per user containing that user's credentials, so it should be
// dedicated to this service and not shared with other apps.
type GitHubGCSStoreConfig struct {
	Bucket           string `yaml:"bucket,omitempty"`
	ClientSecretFile string `yaml:"client_secret_file,omitempty"` // GCP credentials used to access Bucket
}

type GitHubTokenUser

// GitHubTokenUser is the subset of the GitHub user profile this package
// decodes: the login name and e-mail address associated with a token.
type GitHubTokenUser struct {
	Login string `json:"login,omitempty"`
	Email string `json:"email,omitempty"`
}

type GoogleAuth

// GoogleAuth is the Google-backed Authenticator; create it with NewGoogleAuth.
// Authenticate, Name and Stop satisfy Authenticator; DoGoogleAuth is an
// http.Handler-shaped method, presumably serving the browser side of the OAuth
// flow described by GoogleAuthRequest (confirm in source).
type GoogleAuth struct {
	// contains filtered or unexported fields
}

func NewGoogleAuth

func NewGoogleAuth(c *GoogleAuthConfig) (*GoogleAuth, error)

func (*GoogleAuth) Authenticate

func (ga *GoogleAuth) Authenticate(user string, password PasswordString) (bool, Labels, error)

func (*GoogleAuth) DoGoogleAuth

func (ga *GoogleAuth) DoGoogleAuth(rw http.ResponseWriter, req *http.Request)

func (*GoogleAuth) Name

func (ga *GoogleAuth) Name() string

func (*GoogleAuth) Stop

func (ga *GoogleAuth) Stop()

type GoogleAuthConfig

// GoogleAuthConfig is the YAML configuration consumed by NewGoogleAuth.
type GoogleAuthConfig struct {
	// Domain, when set, presumably restricts logins to accounts in that
	// G Suite domain — confirm in source.
	Domain string `yaml:"domain,omitempty"`
	// ClientId and ClientSecret are the OAuth application credentials.
	// ClientSecretFile names a file to read the secret from instead of placing it
	// inline in the config; prefer it so the secret is not copied with the config.
	ClientId         string `yaml:"client_id,omitempty"`
	ClientSecret     string `yaml:"client_secret,omitempty"`
	ClientSecretFile string `yaml:"client_secret_file,omitempty"`
	// TokenDB is the path of the local LevelDB token store (see NewTokenDB).
	TokenDB string `yaml:"token_db,omitempty"`
	// HTTPTimeout bounds calls to Google. It is an int here but a time.Duration
	// in GitHubAuthConfig; the unit is not shown on this page — verify before
	// copying a value between the two sections.
	HTTPTimeout int `yaml:"http_timeout,omitempty"`
}

type GoogleAuthRequest

// GoogleAuthRequest is the JSON body handled by GoogleAuth.DoGoogleAuth; it has
// the same shape as GitHubAuthRequest. Action selects the operation; Code is
// presumably the OAuth authorization code to exchange and Token a previously
// issued token — the accepted Action values are not shown on this page.
type GoogleAuthRequest struct {
	Action string `json:"action,omitempty"`
	Code   string `json:"code,omitempty"`
	Token  string `json:"token,omitempty"`
}

type GoogleTokenInfo

// GoogleTokenInfo is Google's tokeninfo response, copied from
// github.com/google-api-go-client/oauth2/v2/oauth2-gen.go. On failure only
// Error and ErrorDescription are set.
type GoogleTokenInfo struct {
	// AccessType: The access type granted with this token. It can be
	// offline or online.
	AccessType string `json:"access_type,omitempty"`

	// Audience: Who is the intended audience for this token. In general the
	// same as issued_to.
	Audience string `json:"audience,omitempty"`

	// Email: The email address of the user. Present only if the email scope
	// is present in the request.
	Email string `json:"email,omitempty"`

	// ExpiresIn: The expiry time of the token, as number of seconds left
	// until expiry.
	ExpiresIn int64 `json:"expires_in,omitempty"`

	// IssuedTo: To whom was the token issued to. In general the same as
	// audience.
	IssuedTo string `json:"issued_to,omitempty"`

	// Scope: The space separated list of scopes granted to this token.
	Scope string `json:"scope,omitempty"`

	// TokenHandle: The token handle associated with this token.
	TokenHandle string `json:"token_handle,omitempty"`

	// UserId: The obfuscated user id.
	UserId string `json:"user_id,omitempty"`

	// VerifiedEmail: Boolean flag which is true if the email address is
	// verified. Present only if the email scope is present in the request.
	VerifiedEmail bool `json:"verified_email,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

From github.com/google-api-go-client/oauth2/v2/oauth2-gen.go

type LDAPAuth

// LDAPAuth is the LDAP-backed Authenticator; create it with NewLDAPAuth.
// Authenticate, Name and Stop satisfy Authenticator.
type LDAPAuth struct {
	// contains filtered or unexported fields
}

func NewLDAPAuth

func NewLDAPAuth(c *LDAPAuthConfig) (*LDAPAuth, error)

func (*LDAPAuth) Authenticate

func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool, Labels, error)

For how to authenticate a user, please refer to https://github.com/go-ldap/ldap/blob/master/example_test.go#L166

func (*LDAPAuth) Name

func (la *LDAPAuth) Name() string

func (*LDAPAuth) Stop

func (la *LDAPAuth) Stop()

type LDAPAuthConfig

// LDAPAuthConfig is the YAML configuration consumed by NewLDAPAuth.
type LDAPAuthConfig struct {
	// Addr is the directory server to connect to.
	Addr string `yaml:"addr,omitempty"`
	// TLS selects the transport security mode; the accepted values are not
	// shown on this page. CACertificate supplies the CA used to verify the
	// server. InsecureTLSSkipVerify disables that verification (as its name
	// says) — with it set, the bind password and every user's password are
	// exposed to anyone who can interpose on the connection; use CACertificate
	// instead outside of throwaway test setups.
	TLS                   string `yaml:"tls,omitempty"`
	InsecureTLSSkipVerify bool   `yaml:"insecure_tls_skip_verify,omitempty"`
	CACertificate         string `yaml:"ca_certificate,omitempty"`
	// Base and Filter drive the user search; GroupBaseDN and GroupFilter the
	// group search. If the account name is substituted into these filters, it
	// must be LDAP-escaped first (go-ldap provides EscapeFilter) — verify in source.
	Base   string `yaml:"base,omitempty"`
	Filter string `yaml:"filter,omitempty"`
	// BindDN is the service account used for the search; its password is read
	// from BindPasswordFile rather than stored inline in the config.
	BindDN           string `yaml:"bind_dn,omitempty"`
	BindPasswordFile string `yaml:"bind_password_file,omitempty"`
	GroupBaseDN      string `yaml:"group_base_dn,omitempty"`
	GroupFilter      string `yaml:"group_filter,omitempty"`
}

type Labels

// Labels maps a label name to its values. Authenticate returns them for a
// successfully authenticated user, and Requirements carries them for static
// users; how they are consumed downstream is not shown on this page.
type Labels map[string][]string

type MongoAuth

// MongoAuth is the MongoDB-backed Authenticator; create it with NewMongoAuth.
// Authenticate, Name and Stop satisfy Authenticator.
type MongoAuth struct {
	// Collection is the collection that holds the user records; it mirrors
	// MongoAuthConfig.Collection.
	Collection string `yaml:"collection,omitempty"`
	// contains filtered or unexported fields
}

func NewMongoAuth

func NewMongoAuth(c *MongoAuthConfig) (*MongoAuth, error)

func (*MongoAuth) Authenticate

func (mauth *MongoAuth) Authenticate(account string, password PasswordString) (bool, Labels, error)

func (*MongoAuth) Name

func (ga *MongoAuth) Name() string

func (*MongoAuth) Stop

func (ma *MongoAuth) Stop()

type MongoAuthConfig

// MongoAuthConfig is the YAML configuration consumed by NewMongoAuth. Validate
// checks it; see its doc comment.
type MongoAuthConfig struct {
	// MongoConfig holds the connection (dial) settings; its type comes from the
	// mgo_session package and is not described on this page.
	MongoConfig *mgo_session.Config `yaml:"dial_info,omitempty"`
	// Collection is the collection that holds the user records.
	Collection string `yaml:"collection,omitempty"`
}

func (*MongoAuthConfig) Validate

func (c *MongoAuthConfig) Validate(configKey string) error

Validate ensures that any custom config options in a Config are set correctly.

type PasswordString

// PasswordString is a distinct string type for passwords. It has its own
// String method (below) — presumably so that a password is not printed
// verbatim when formatted with %v or %s; confirm what String returns in
// source before relying on that for log hygiene.
type PasswordString string

func (PasswordString) String

func (ps PasswordString) String() string

type ProfileResponse

// ProfileResponse is sent by the /userinfo/v2/me endpoint. It is used to
// validate an access token and to (re)verify the e-mail address associated
// with it; VerifiedEmail is the signal that the address is actually owned by
// the account.
type ProfileResponse struct {
	Email         string `json:"email,omitempty"`
	VerifiedEmail bool   `json:"verified_email,omitempty"`
}

ProfileResponse is sent by the /userinfo/v2/me endpoint. We use it to validate access token and (re)verify the email address associated with it.

type RefreshTokenResponse

// RefreshTokenResponse is sent by Google servers in response to the
// grant_type=refresh_token request. Unlike CodeToTokenResponse it carries no
// RefreshToken: the original refresh token stays valid and must be retained.
type RefreshTokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	ExpiresIn   int64  `json:"expires_in,omitempty"` // lifetime of AccessToken in seconds, as sent by the server
	TokenType   string `json:"token_type,omitempty"`

	// Returned in case of error.
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

RefreshTokenResponse is sent by Google servers in response to the grant_type=refresh_token request.

type Requirements

// Requirements describes one static user for NewStaticUserAuth: the password
// to check and the Labels to return on success. Whether Password holds a
// hash or the plain password is not shown on this page — confirm in source,
// since the yaml tag means this value lives in the config file.
type Requirements struct {
	Password *PasswordString `yaml:"password,omitempty" json:"password,omitempty"`
	Labels   Labels          `yaml:"labels,omitempty" json:"labels,omitempty"`
}

func (Requirements) String

func (r Requirements) String() string

type TokenDB

// TokenDB stores per-user OAuth tokens together with the temporary Docker
// password derived from them. Two implementations appear on this page:
// TokenDBImpl (LevelDB, see NewTokenDB) and the Google Cloud Storage store
// returned by NewGCSTokenDB.
type TokenDB interface {
	// GetValue takes a username and returns the corresponding token.
	GetValue(string) (*TokenDBValue, error)

	// StoreToken takes a username and token, stores them in the DB
	// and returns a password and error. The bool is updatePassword in
	// TokenDBImpl's signature; the returned string is the generated Docker
	// password whose bcrypt hash is kept in TokenDBValue.DockerPassword.
	StoreToken(string, *TokenDBValue, bool) (string, error)

	// ValidateToken takes a username and password
	// and returns an error (presumably ExpiredToken once ValidUntil has passed — confirm in source).
	ValidateToken(string, PasswordString) error

	// DeleteToken takes a username
	// and deletes the corresponding token from the DB.
	DeleteToken(string) error

	// Composed from leveldb.DB
	Close() error
}

TokenDB stores tokens using LevelDB

func NewGCSTokenDB

func NewGCSTokenDB(bucket, clientSecretFile string) (TokenDB, error)

NewGCSTokenDB returns a new TokenDB structure which uses Google Cloud Storage as its backend. The created DB uses a file-per-user strategy and stores credentials independently for each user.

Note: it is not recommended that the bucket be shared with other apps or services.

func NewTokenDB

func NewTokenDB(file string) (TokenDB, error)

NewTokenDB returns a new TokenDB structure

type TokenDBImpl

// TokenDBImpl is the LevelDB-backed TokenDB created by NewTokenDB. The
// embedded *leveldb.DB supplies Close; the remaining TokenDB methods are
// implemented below.
type TokenDBImpl struct {
	*leveldb.DB
}

TokenDBImpl stores tokens using LevelDB.

func (*TokenDBImpl) DeleteToken

func (db *TokenDBImpl) DeleteToken(user string) error

func (*TokenDBImpl) GetValue

func (db *TokenDBImpl) GetValue(user string) (*TokenDBValue, error)

func (*TokenDBImpl) StoreToken

func (db *TokenDBImpl) StoreToken(user string, v *TokenDBValue, updatePassword bool) (dp string, err error)

func (*TokenDBImpl) ValidateToken

func (db *TokenDBImpl) ValidateToken(user string, password PasswordString) error

type TokenDBValue

// TokenDBValue is stored in the database, JSON-serialized. AccessToken and
// RefreshToken are written as-is, so unless the backing store encrypts at rest
// (not shown here) the LevelDB file or GCS bucket holds live credentials and
// must be protected as such.
type TokenDBValue struct {
	TokenType    string    `json:"token_type,omitempty"` // Usually "Bearer"
	AccessToken  string    `json:"access_token,omitempty"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	// ValidUntil is the instant after which the stored token is no longer trusted.
	ValidUntil time.Time `json:"valid_until,omitempty"`
	// DockerPassword is the temporary password we use to authenticate Docker users.
	// Generated at the time of token creation, stored here as a BCrypt hash.
	DockerPassword string `json:"docker_password,omitempty"`
}

TokenDBValue is stored in the database, JSON-serialized.
