Documentation

Overview

    Package auth implements Camlistore authentication.

    Index

    Constants

    View Source
    const (
    	OpUpload Operation = 1 << iota
    	OpStat
    	OpGet
    	OpEnumerate
    	OpRemove
    	OpSign
    	// OpDiscovery note: since we disclose an OpAll token in the discovery
    	// response, please bear in mind that granting OpDiscovery is in effect the
    	// same as granting OpAll for now.
    	OpDiscovery
    	OpRead   = OpEnumerate | OpStat | OpGet | OpDiscovery
    	OpRW     = OpUpload | OpEnumerate | OpStat | OpGet // Not Remove
    	OpVivify = OpUpload | OpStat | OpGet | OpDiscovery
    	OpAll    = OpUpload | OpEnumerate | OpStat | OpRemove | OpGet | OpSign | OpDiscovery
    )
    View Source
    const OmitAuthToken = "OmitAuthToken"

    Variables

    View Source
    var ErrNoAuth = errors.New("auth: no configured authentication")

      ErrNoAuth is returned when there is no configured authentication.

      Functions

      func AddMode

      func AddMode(am AuthMode)

        AddMode adds the given authentication mode to the list of modes that future requests can authenticate against.

        func Allowed

        func Allowed(req *http.Request, op Operation) bool

          Allowed returns whether the given request has access to perform all the operations in op.

          func AllowedWithAuth

          func AllowedWithAuth(am AuthMode, req *http.Request, op Operation) bool

            AllowedWithAuth returns whether the given request has access to perform all the operations in op against am.

            func DiscoveryToken

            func DiscoveryToken() string

              DiscoveryToken returns OmitAuthToken if the first registered auth mode is of type None, and Token() otherwise.

              func IsLocalhost

              func IsLocalhost(req *http.Request) bool

              func RandToken

              func RandToken(size int) string

                RandToken genererates (with crypto/rand.Read) and returns a token that is the hex version (2x size) of size bytes of randomness.

                func RegisterAuth

                func RegisterAuth(name string, ctor AuthConfigParser)

                  RegisterAuth registers a new authentication scheme.

                  func RequireAuth

                  func RequireAuth(h http.Handler, op Operation) http.Handler

                    RequireAuth wraps a function with another function that enforces HTTP Basic Auth and checks if the operations in op are all permitted.

                    func SendUnauthorized

                    func SendUnauthorized(rw http.ResponseWriter, req *http.Request)

                    func SetMode

                    func SetMode(m AuthMode)

                      SetMode sets the given authentication mode as the only allowed one for future requests. That is, it replaces all modes that were previously added.

                      func Token

                      func Token() string

                        Token returns a 20 byte token generated (only once, then cached) with RandToken. This token is used for authentication by the Camlistore web UI and its websockets, therefore it should be handled with care.

                        func TriedAuthorization

                        func TriedAuthorization(req *http.Request) bool

                        Types

                        type AuthConfigParser

                        type AuthConfigParser func(arg string) (AuthMode, error)

                          An AuthConfigParser parses a registered authentication type's option and returns an AuthMode.

                          type AuthMode

                          type AuthMode interface {
                          	// AllowedAccess returns a bitmask of all operations
                          	// this user/request is allowed to do.
                          	AllowedAccess(req *http.Request) Operation
                          	// AddAuthHeader inserts in req the credentials needed
                          	// for a client to authenticate.
                          	AddAuthHeader(req *http.Request)
                          }

                            An AuthMode is the interface implemented by diffent authentication schemes.

                            func FromConfig

                            func FromConfig(authConfig string) (AuthMode, error)

                              FromConfig parses authConfig and accordingly sets up the AuthMode that will be used for all upcoming authentication exchanges. The supported modes are UserPass and DevAuth. UserPass requires an authConfig of the kind "userpass:joe:ponies".

                              If the input string is empty, the error will be ErrNoAuth.

                              func FromEnv

                              func FromEnv() (AuthMode, error)

                              func NewBasicAuth

                              func NewBasicAuth(username, password string) AuthMode

                                NewBasicAuth returns a UserPass Authmode, adequate to support HTTP basic authentication.

                                type DevAuth

                                type DevAuth struct {
                                	Password string
                                	// Password for the vivify mode, automatically set to "vivi" + Password
                                	VivifyPass *string
                                }

                                  DevAuth is used for development. It has one password and one vivify password, but also accepts all passwords from localhost. Usernames are ignored.

                                  func (*DevAuth) AddAuthHeader

                                  func (da *DevAuth) AddAuthHeader(req *http.Request)

                                  func (*DevAuth) AllowedAccess

                                  func (da *DevAuth) AllowedAccess(req *http.Request) Operation

                                  type Handler

                                  type Handler struct {
                                  	http.Handler
                                  }

                                  func (Handler) ServeHTTP

                                  func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request)

                                    ServeHTTP serves only if this request and auth mode are allowed all Operations.

                                    type Localhost

                                    type Localhost struct {
                                    	None
                                    }

                                    func (Localhost) AllowedAccess

                                    func (Localhost) AllowedAccess(req *http.Request) (out Operation)

                                    type None

                                    type None struct{}

                                    func (None) AddAuthHeader

                                    func (None) AddAuthHeader(req *http.Request)

                                    func (None) AllowedAccess

                                    func (None) AllowedAccess(req *http.Request) Operation

                                    type Operation

                                    type Operation int

                                      Operation represents a bitmask of operations. See the OpX constants.

                                      type UnauthorizedSender

                                      type UnauthorizedSender interface {
                                      	// SendUnauthorized sends an unauthorized response,
                                      	// and returns whether it handled it.
                                      	SendUnauthorized(http.ResponseWriter, *http.Request) (handled bool)
                                      }

                                        UnauthorizedSender may be implemented by AuthModes which want to handle sending unauthorized.

                                        type UserPass

                                        type UserPass struct {
                                        	Username, Password string
                                        	OrLocalhost        bool // if true, allow localhost ident auth too
                                        
                                        	// VivifyPass, if not nil, is the alternative password used (only) for the vivify operation.
                                        	// It is checked when uploading, but Password takes precedence.
                                        	VivifyPass *string
                                        }

                                          UserPass is used when the auth string provided in the config is of the kind "userpass:username:pass" Possible options appended to the config string are "+localhost" and "vivify=pass", where pass will be the alternative password which only allows the vivify operation.

                                          func (*UserPass) AddAuthHeader

                                          func (up *UserPass) AddAuthHeader(req *http.Request)

                                          func (*UserPass) AllowedAccess

                                          func (up *UserPass) AllowedAccess(req *http.Request) Operation

                                          Source Files