auth

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 8, 2026 License: Apache-2.0 Imports: 39 Imported by: 8

Documentation

Index

Constants

View Source 
const CheckDefaultPassword = "Test123"

CheckDefaultPassword check default password must be changed

Variables

View Source 
var DefaultRoles = []string{}

DefaultRoles default roles set for users

View Source 
var JWTOperator = JWTValidate(&DefaultJWTHandler{uuidHashStore: sync.Map{}})

JWTOperator JWT operator check for UUID

View Source 
var PermissionPrefix = []string{"#", "^", ">"}

PermissionPrefix permission group prefix used for different groups and prefix characters

View Source 
var PrincipalCreater func(session *SessionInfo, user, pass string) PrincipalInterface

PrincipalCreater creator of an principal instance

View Source 
var TriggerInvalidUUID func(*SessionInfo, *UserInfo)

TriggerInvalidUUID trigger if UUID is invalidated

Functions

func CallbackInit 

func CallbackInit(auth *AuthenticationServer) error

CallbackInit init login service realm and authorization instances of user using callbacks or plugins

func ClearCallbacks 

func ClearCallbacks()

ClearCallbacks clear callbacks

func ClearUsers 

func ClearUsers()

ClearUsers clear permission rights

func CountLoginUser 

func CountLoginUser(passwordFile string) int

CountLoginUser count number of registered login user

func DecryptData 

func DecryptData(token string) (string, error)

DecryptData decsrypt base64 data to string

func EncryptData 

func EncryptData(data string) (string, error)

EncryptData encrypt data to base64 string

func GenerateHash 

func GenerateHash(enc, password string) string

GenerateHash generate hash by given hash algorithm

func InitLoginService 

func InitLoginService(auth *Authentication) error

InitLoginService init login service realm and authorization instances of user

func InitOIDC 

func InitOIDC(auth *AuthenticationServer) error

InitOIDC initialize basic parameters for OIDCS authentication

func InitPasswordFile 

func InitPasswordFile(passwordFile string) (err error)

InitPasswordFile init password to file data

func InvalidateUUID 

func InvalidateUUID(uuid string, elapsed time.Time) bool

InvalidateUUID invalidate UUID not valid any more

func LoadUsers 

func LoadUsers(role AccessRole, file string, watcher bool) error

LoadUsers load permission rights

func Register 

func Register(r func(PrincipalInterface) error)

Register register principal hooks

func RegisterCallback 

func RegisterCallback(callback CallbackInterface)

RegisterCallback register callback

func RegisterDatabaseForAuth 

func RegisterDatabaseForAuth(layer, URL, query string)

RegisterDatabaseForAuth register principal hooks

func RegisterPlugin 

func RegisterPlugin()

RegisterPlugin register plugin

func RegisterTargetForAuth 

func RegisterTargetForAuth(layer, URL, query string)

RegisterTargetForAuth register principal hooks

func RemoveLoginService 

func RemoveLoginService(auth *Authentication)

RemoveLoginService remove login service realm and authorization instances of user

func RemovePasswordFile 

func RemovePasswordFile(passwordFile string)

RemovePasswordFile remove password to file data

func ValidAdmin 

func ValidAdmin(user string) bool

ValidAdmin check the role of the user

func ValidUser 

func ValidUser(role AccessRole, writeAccess bool, user *UserInfo, resource string) bool

ValidUser check the role of the user

Types

type AccessRole 

type AccessRole int

AccessRole access role 

const (
	// AdministratorRole use of administration user
	AdministratorRole AccessRole = iota

	// UserRole user access role
	UserRole
)

type Authentication 

type Authentication struct {
	AuthenticationServer []*AuthenticationServer
}

Authentication authenticator base 

var AuthenticationConfig *Authentication

AuthenticationConfig authentication config base

type AuthenticationServer 

type AuthenticationServer struct {
	Comment      string   `xml:",comment" yaml:"-"`
	Module       string   `xml:"module,attr" yaml:"module,omitempty"`
	Type         string   `xml:"type,attr" yaml:"type,omitempty"`
	Layer        string   `xml:"driver,attr" yaml:"driver,omitempty"`
	AuthMethod   Method   `xml:"-" yaml:"-"`
	Target       string   `xml:"target,omitempty" yaml:"target,omitempty"`
	ClientID     string   `xml:"clientID,omitempty" yaml:"clientID,omitempty"`
	ClientSecret string   `xml:"clientSecret,omitempty" yaml:"clientSecret,omitempty"`
	URL          string   `xml:"url,omitempty" yaml:"url,omitempty"`
	RedirectURL  string   `xml:"redirectUrl,omitempty" yaml:"redirectUrl,omitempty"`
	PasswordFile string   `xml:"passwordFile,omitempty" yaml:"passwordFile,omitempty"`
	LDAP         []Source `xml:"LDAP,omitempty" yaml:"LDAP,omitempty"`
}

AuthenticationServer authentication server

func (*AuthenticationServer) Authenticate 

func (service *AuthenticationServer) Authenticate(principal PrincipalInterface, user, passwd string) error

Authenticate authenticate using user and password adding roles to the principal The principal interface need to be implemented to add roles corresponding to the defined system. If system does not provide roles the DefaultRoles will be added to principal instance

type CallbackInterface 

type CallbackInterface interface {
	GetName() string
	Init() error
	Authenticate(principal PrincipalInterface, userName, passwd string) error
	CheckToken(token string, scopes []string) (PrincipalInterface, error)
	GenerateToken(IAt string, principal PrincipalInterface) (tokenString string, err error)
}

CallbackInterface callback interface for auth

type Default 

type Default struct {
	Read     string          `xml:"read,attr"  yaml:"read"`
	Write    string          `xml:"write,attr" yaml:"write"`
	ReadMap  map[string]bool `xml:"-" yaml:"-" json:"-"`
	WriteMap map[string]bool `xml:"-" yaml:"-" json:"-"`
}

Default default rights

type DefaultJWTHandler 

type DefaultJWTHandler struct {
	// contains filtered or unexported fields
}

DefaultJWTHandler default local Map instance

func (*DefaultJWTHandler) InvalidateUUID 

func (df *DefaultJWTHandler) InvalidateUUID(uuid string, elapsed time.Time) bool

InvalidateUUID invalidate UUID entry and given elapsed time

func (*DefaultJWTHandler) Range 

func (df *DefaultJWTHandler) Range(f func(uuid, value any) bool) error

Range go through all session entries

func (*DefaultJWTHandler) Store 

func (df *DefaultJWTHandler) Store(principal PrincipalInterface, user, pass string) error

Store store entry for given input

func (*DefaultJWTHandler) UUIDInfo 

func (df *DefaultJWTHandler) UUIDInfo(uuid string) (*SessionInfo, error)

UUIDInfo get UUID info User information

func (*DefaultJWTHandler) ValidateUUID 

func (df *DefaultJWTHandler) ValidateUUID(claims *JWTClaims) (PrincipalInterface, bool)

ValidateUUID validate JWT claims are in UUID session list

type JWTClaims 

type JWTClaims struct {
	UUID      string           `json:"jti,omitempty"`
	Subject   string           `json:"sub,omitempty"`
	Audience  string           `json:"aud,omitempty"`
	IAt       string           `json:"iat,omitempty"`
	Roles     []string         `json:"roles"`
	Remote    string           `json:"rem,omitempty"`
	ID        string           `json:"id,omitempty"`
	Issuer    string           `json:"iss,omitempty"`
	ExpiresAt *jwt.NumericDate `json:"exp,omitempty"`
}

JWTClaims describes the format of our JWT token's claims

type JWTValidate 

type JWTValidate interface {
	UUIDInfo(uuid string) (*SessionInfo, error)
	Range(func(uuid, value any) bool) error
	ValidateUUID(claims *JWTClaims) (PrincipalInterface, bool)
	InvalidateUUID(string, time.Time) bool
	Store(PrincipalInterface, string, string) error
}

JWTValidate JWT validate instance

type Method 

type Method int

Method method of authenticate 

const (
	// UnknownMethod unknown
	UnknownMethod Method = iota
	// SystemMethod System method
	SystemMethod
	// FileMethod password file method
	FileMethod
	// LDAPMethod LDAP method
	LDAPMethod
	// OpenIDMethod OpenID method
	OpenIDMethod
	// SQLDatabaseMethod database method
	SQLDatabaseMethod
	// PluginMethod plugin method
	PluginMethod
	// OIDCClientMethod use OIDC client
	OIDCClientMethod
	// CallbackMethod callback method
	CallbackMethod
)

func MethodType 

func MethodType(s string) Method

MethodType parse method type out of string

func (Method) String 

func (authMethod Method) String() string

Method used authorization method string info

type PasswordFileStruct 

type PasswordFileStruct struct {
	Counter uint64
	// contains filtered or unexported fields
}

PasswordFileStruct password file struct

func NewAppendPasswordFile 

func NewAppendPasswordFile(realmFile string) *PasswordFileStruct

NewAppendPasswordFile new append password file to append only

func NewInitFileRealm 

func NewInitFileRealm(realmFile string, createAutogenerated bool) (*PasswordFileStruct, error)

NewInitFileRealm new init file realm (Create new one if not available)

func (*PasswordFileStruct) AppendUserToPasswordFile 

func (rfs *PasswordFileStruct) AppendUserToPasswordFile(user, newPassword, roles string) error

AppendUserToPasswordFile append user to realm file

func (*PasswordFileStruct) CheckUser 

func (rfs *PasswordFileStruct) CheckUser(u string) bool

CheckUser check user to realm file

func (*PasswordFileStruct) Close 

func (rfs *PasswordFileStruct) Close()

Close close file descriptor

func (*PasswordFileStruct) CountLoginUser 

func (rfs *PasswordFileStruct) CountLoginUser() int

CountLoginUser count number of registered login user for a specific realm file

func (*PasswordFileStruct) CreateDefaultRealm 

func (rfs *PasswordFileStruct) CreateDefaultRealm() (err error)

CreateDefaultRealm create default realm

func (*PasswordFileStruct) CreateDefaultUser 

func (rfs *PasswordFileStruct) CreateDefaultUser() error

CreateDefaultUser create default user

func (*PasswordFileStruct) FlushUserToPasswordFile 

func (rfs *PasswordFileStruct) FlushUserToPasswordFile() error

FlushUserToPasswordFile flush user to realm file

func (*PasswordFileStruct) LoadPasswordFile 

func (rfs *PasswordFileStruct) LoadPasswordFile() (err error)

LoadPasswordFile load user of file realm

func (*PasswordFileStruct) UpdateUserPasswordToRealmFile 

func (rfs *PasswordFileStruct) UpdateUserPasswordToRealmFile(user, newPassword string) error

UpdateUserPasswordToRealmFile update user password to realm file

type PrincipalInterface 

type PrincipalInterface interface {
	UUID() string
	Name() string
	AddRoles([]string)
	Remote() string
	SetRemote(string)
	Roles() []string
	Session() interface{}
	SetSession(interface{})
}

PrincipalInterface principal independent to model

func BasicAuth 

func BasicAuth(user string, pass string) (PrincipalInterface, error)

BasicAuth basic authentication on REST

type SearchResult 

type SearchResult struct {
	Username     string // Username
	Name         string // Name
	Surname      string // Surname
	Mail         string // E-mail address
	IsAdmin      bool   // if user is administrator
	IsRestricted bool   // if user is restricted
}

SearchResult : user data

type SecurityProtocol 

type SecurityProtocol int

SecurityProtocol integer protocol type 

const (
	SecurityProtocolUnencrypted SecurityProtocol = iota
	SecurityProtocolLDAPS
	SecurityProtocolStartTLS
)

Note: new type must be added at the end of list to maintain compatibility.

type SessionInfo 

type SessionInfo struct {
	User        string `flynn:"Name"`
	UUID        string `flynn:"UUID:PRIMARY KEY"`
	Data        []byte
	Created     time.Time
	LastAccess  time.Time
	Invalidated time.Time
	// contains filtered or unexported fields
}

SessionInfo session information context

func NewSessionInfo 

func NewSessionInfo(user string) *SessionInfo

NewSessionInfo create a new Session Info instance with created and UUID filled

func UUIDInfo 

func UUIDInfo(uuid string) (*SessionInfo, error)

UUIDInfo get UUID info User information

type Source 

type Source struct {
	Name              string // canonical name (ie. corporate.ad)
	Host              string // LDAP host
	Port              int    // port number
	SecurityProtocol  SecurityProtocol
	SkipVerify        bool   `xml:"skipVerify,attr"`
	BindDN            string // DN to bind with
	BindPassword      string // Bind DN password
	UserBase          string // Base search path for users
	UserDN            string // Template for the DN of the user for simple auth
	AttributeUsername string // Username attribute
	AttributeName     string // First name attribute
	AttributeSurname  string // Surname attribute
	AttributeMail     string // E-mail attribute
	AttributesInBind  bool   `xml:"attributesInBind,attr"` // fetch attributes in bind context (not user)
	SearchPageSize    uint32 // Search with paging page size
	Filter            string // Query filter to validate entry
	AdminFilter       string // Query filter to check if user is admin
	RestrictedFilter  string // Query filter to check if user is restricted
	Enabled           bool   `xml:"-"`                  // if this source is disabled
	GroupsEnabled     bool   `xml:"groupsEnabled,attr"` // if the group checking is enabled
	GroupDN           string // Group Search Base
	GroupFilter       string // Group Name Filter
	GroupMemberUID    string // Group Attribute containing array of UserUID
	UserUID           string // User Attribute listed in Group
}

Source Basic LDAP authentication service

func (*Source) SearchEntries 

func (src *Source) SearchEntries() ([]*SearchResult, error)

SearchEntries : search an LDAP source for all users matching userFilter

func (*Source) SearchEntry 

func (src *Source) SearchEntry(name, passwd string, directBind bool) (*SearchResult, error)

SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter

func (*Source) UsePagedSearch 

func (src *Source) UsePagedSearch() bool

UsePagedSearch returns if need to use paged search

type User 

type User struct {
	Name     string          `xml:"name,attr" yaml:"name"`
	Read     string          `xml:"read,attr" yaml:"read"`
	Write    string          `xml:"write,attr" yaml:"write"`
	ReadMap  map[string]bool `xml:"-" yaml:"-"`
	WriteMap map[string]bool `xml:"-" yaml:"-"`
}

User REST user

func (*User) InitPermission 

func (user *User) InitPermission(d *Default)

InitPermission init permission

type UserInfo 

type UserInfo struct {
	User          string `flynn:"Name:PRIMARY KEY"`
	EMail         string
	LongName      string
	Created       time.Time
	LastLogin     time.Time
	Picture       []byte
	Permission    *User `flynn:":YAML"`
	Administrator bool
}

UserInfo user information context

type Users 

type Users struct {
	Role    AccessRole       `xml:"-" yaml:"-" json:"-"`
	File    string           `xml:"-" yaml:"-" json:"-"`
	Default *Default         `xml:"Default" yaml:"default,omitempty"`
	User    []*User          `xml:"User"  yaml:"user,omitempty"`
	UserMap map[string]*User `xml:"-" yaml:"-" json:"-"`
}

Users REST user list allowed accessing data 

var AllowedAdministrators *Users = nil

AllowedAdministrators allowed user reading data 

var AllowedUsers *Users = nil

AllowedUsers allowed user reading data

func (*Users) Add 

func (users *Users) Add(user string) error

Add user to list

func (*Users) Delete 

func (users *Users) Delete(user string) error

Delete user from list

type WebToken 

type WebToken struct {
	Comment    string `xml:",comment" yaml:"-"`
	OAuth2     bool   `xml:"oauth2,attr" yaml:"oauth2,omitempty"`
	IssuerName string `xml:"issuer,attr" yaml:"issuer,omitempty"`
	Expirer    string `xml:"expire,attr" yaml:"expire,omitempty"`
	Encrypt    bool   `xml:"encrypt,attr" yaml:"encrypt,omitempty"`
	PublicKey  string `xml:"PublicKey" yaml:"publicKey,omitempty"`
	PrivateKey string `xml:"PrivateKey" yaml:"privateKey,omitempty"`
	PassToken  string `xml:"PassToken" yaml:"passToken,omitempty"`
}

WebToken Web token configuration 

var WebTokenConfig *WebToken

WebTokenConfig web token JWT configuration

func (*WebToken) GenerateJWToken 

func (webToken *WebToken) GenerateJWToken(IAt string, principal PrincipalInterface) (tokenString string, err error)

GenerateJWToken generate JWT token using golang Jose.v2

func (*WebToken) InitWebTokenJose2 

func (webToken *WebToken) InitWebTokenJose2() error

InitWebTokenJose2 initialize WebToken Jose.v2 token

func (*WebToken) InitWebTokenOIDC 

func (webToken *WebToken) InitWebTokenOIDC() error

InitWebTokenOIDC init web token for OIDC

func (*WebToken) JWTContainsRoles 

func (webToken *WebToken) JWTContainsRoles(token string, scopes []string) (PrincipalInterface, error)

JWTContainsRoles tells if the Bearer token is a JWT signed by us with a claim to be member of an authorization scope. We verify that the claimed role is one of the passed scopes and if the UUID is stored and valid.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.