

Constants

const (
	// MaxEmailLength is the maximum length of an email address this package
	// accepts; presumably enforced by ValidEmail — confirm against its body.
	MaxEmailLength = 200

	// ClaimPasswordResetPassword represents the hash of the password to be
	// reset; in other words, the old password.
	//
	// NOTE(review): carrying the old hash presumably lets a reset token stop
	// verifying once the password it was issued against has changed — confirm
	// in ParseAndVerifyPasswordResetToken. A token that is only signed does
	// not hide its claims, so this hash is readable by whoever holds the token.
	ClaimPasswordResetPassword = "http://coreos.com/password/old-hash"

	// ClaimEmailVerificationEmail represents the email to be verified. Note
	// that we are intentionally not using the "email" claim for this purpose.
	ClaimEmailVerificationEmail = "http://coreos.com/email/verificationEmail"

	// ClaimPasswordResetCallback represents where a user should be sent after
	// resetting their password. Read it only from a token whose signature
	// has been verified, so the redirect target stays issuer-controlled.
	ClaimPasswordResetCallback = "http://coreos.com/password/reset-callback"

	// ClaimEmailVerificationCallback represents where a user should be sent
	// after verifying their email address.
	ClaimEmailVerificationCallback = "http://coreos.com/email/verification-callback"

	// ClaimInvitationCallback represents where a user should be sent after
	// responding to an invitation.
	ClaimInvitationCallback = "http://coreos.com/invitation/callback"
)

Variables

var (
	// PasswordHasher is the function used to hash passwords; it has the
	// Hasher signature and defaults to DefaultPasswordHasher. It is mutable
	// package-level state, so override it once at startup, before any
	// password is hashed or compared.
	PasswordHasher = DefaultPasswordHasher

	// ErrorInvalidPassword rejects a plaintext password; presumably the
	// failure reported when ValidPassword is false — confirm.
	ErrorInvalidPassword = errors.New("invalid Password")
	// ErrorPasswordHashNoMatch reports that a plaintext does not match the
	// stored hash.
	ErrorPasswordHashNoMatch = errors.New("password and hash don't match")
	// ErrorPasswordExpired reports that the stored password is past its
	// expiry (see PasswordInfo.PasswordExpires).
	ErrorPasswordExpired = errors.New("password has expired")
)
// Errors reported for invalid user data and for violations of the UserRepo
// invariants (unique ID and Email; a RemoteIdentity owned by at most one User).
var (
	// ErrorNotFound is the lookup failure for a User that does not exist.
	ErrorNotFound = errors.New("user not found in repository")

	// ErrorInvalidID and ErrorInvalidEmail reject malformed identifiers
	// (ValidEmail presumably backs the latter — confirm).
	ErrorInvalidID    = errors.New("invalid ID")
	ErrorInvalidEmail = errors.New("invalid Email")

	// The Duplicate* errors report a uniqueness-invariant violation.
	ErrorDuplicateID             = errors.New("ID not available")
	ErrorDuplicateEmail          = errors.New("email not available")
	ErrorDuplicateRemoteIdentity = errors.New("remote identity already in use for another user")
)

Functions

func DefaultPasswordHasher

func DefaultPasswordHasher(s string) ([]byte, error)

func DefaultUserIDGenerator

func DefaultUserIDGenerator() (string, error)

func EncodeNextPageToken

func EncodeNextPageToken(filter UserFilter, maxResults int, offset int) (string, error)

func LoadPasswordInfos

func LoadPasswordInfos(repo PasswordInfoRepo, pws []PasswordInfo) error

func ValidEmail

func ValidEmail(email string) bool

func ValidPassword

func ValidPassword(plaintext string) bool

Types

type EmailVerification

// EmailVerification holds the claims of a token that proves control of an
// email address. Build one with NewEmailVerification; when receiving one from
// a user, obtain it only through ParseAndVerifyEmailVerificationToken, which
// checks the signature and the required claims, and read Claims only after
// that check has passed.
type EmailVerification struct {
	Claims jose.Claims
}

func NewEmailVerification

func NewEmailVerification(user User, clientID string, issuer url.URL, callback url.URL, expires time.Duration) EmailVerification

    NewEmailVerification creates an object which can be sent to a user in serialized form to verify that they control an email address. The clientID is the ID of the registering user. The callback is where a user should land after verifying their email.

    func ParseAndVerifyEmailVerificationToken

    func ParseAndVerifyEmailVerificationToken(token string, issuer url.URL, keys []key.PublicKey) (EmailVerification, error)

      ParseAndVerifyEmailVerificationToken parses a string into an EmailVerification, verifies the signature, and ensures that required claims are present. In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimEmailVerificationCallback and ClaimEmailVerificationEmail.

      func (EmailVerification) Callback

      func (e EmailVerification) Callback() *url.URL

      func (EmailVerification) Email

      func (e EmailVerification) Email() string

      func (EmailVerification) UserID

      func (e EmailVerification) UserID() string

      type Hasher

      // Hasher maps a password (presumably plaintext — confirm at the call
      // sites) to its hash. DefaultPasswordHasher has this signature and is the
      // initial value of PasswordHasher.
      type Hasher func(string) ([]byte, error)

      type Invitation

      // Invitation holds the claims of a token that both verifies an email
      // address and permits a password reset. Obtain one from NewInvitation, or
      // from ParseAndVerifyInvitationToken for a token supplied by a user; the
      // accessors should only be trusted once that verification has passed.
      type Invitation struct {
      	Claims jose.Claims
      }

        An Invitation is a token that can be used for verifying an email address and resetting a password in a single stroke. It will be sent as part of a link in an email automatically to newly created users if email is configured.

        func NewInvitation

        func NewInvitation(user User, password Password, issuer url.URL, clientID string, callback url.URL, expires time.Duration) Invitation

        func ParseAndVerifyInvitationToken

        func ParseAndVerifyInvitationToken(token string, issuer url.URL, keys []key.PublicKey) (Invitation, error)

        func (Invitation) Callback

        func (iv Invitation) Callback() *url.URL

        func (Invitation) ClientID

        func (iv Invitation) ClientID() string

        func (Invitation) Email

        func (iv Invitation) Email() string

        func (Invitation) Password

        func (iv Invitation) Password() Password

        func (Invitation) PasswordReset

        func (iv Invitation) PasswordReset(issuer url.URL, expires time.Duration) PasswordReset

        func (Invitation) UserID

        func (iv Invitation) UserID() string

        type Password

        // Password is a hashed password, not the plaintext: PasswordInfo
        // serializes it as "passwordHash", and NewPasswordFromPlaintext produces
        // one from a plaintext (presumably via PasswordHasher — confirm).
        type Password []byte

        func NewPasswordFromPlaintext

        func NewPasswordFromPlaintext(plaintext string) (Password, error)

        type PasswordInfo

        // PasswordInfo holds a user's stored password hash and its expiry.
        // NOTE(review): the type has a custom UnmarshalJSON, so decoding may not
        // follow the struct tags below — confirm against that method.
        type PasswordInfo struct {
        	// UserID identifies the User this password belongs to.
        	UserID string
        
        	// Password is the stored hash; it is never the plaintext.
        	Password Password `json:"passwordHash"`
        
        	// PasswordExpires is the time after which the password should no
        	// longer be accepted; presumably the source of ErrorPasswordExpired
        	// in Authenticate — confirm.
        	PasswordExpires time.Time `json:"passwordExpires"`
        }

        func (PasswordInfo) Authenticate

        func (p PasswordInfo) Authenticate(plaintext string) (*oidc.Identity, error)

        func (PasswordInfo) Identity

        func (p PasswordInfo) Identity() oidc.Identity

        func (*PasswordInfo) UnmarshalJSON

        func (u *PasswordInfo) UnmarshalJSON(data []byte) error

        type PasswordInfoRepo

        // PasswordInfoRepo persists PasswordInfo records within a
        // repo.Transaction.
        type PasswordInfoRepo interface {
        	// Get returns the record for id (presumably the user's ID — confirm).
        	Get(tx repo.Transaction, id string) (PasswordInfo, error)
        	// Update replaces an existing record.
        	Update(repo.Transaction, PasswordInfo) error
        	// Create stores a new record.
        	Create(repo.Transaction, PasswordInfo) error
        }

        type PasswordReset

        // PasswordReset holds the claims of a password reset token. Trust its
        // accessors only after ParseAndVerifyPasswordResetToken has checked the
        // signature and required claims. Password() returns the hash the token
        // was issued against (presumably ClaimPasswordResetPassword — confirm),
        // which lets a reset be refused once that password has changed.
        type PasswordReset struct {
        	Claims jose.Claims
        }

        func NewPasswordReset

        func NewPasswordReset(userID string, password Password, issuer url.URL, clientID string, callback url.URL, expires time.Duration) PasswordReset

        func ParseAndVerifyPasswordResetToken

        func ParseAndVerifyPasswordResetToken(token string, issuer url.URL, keys []key.PublicKey) (PasswordReset, error)

          ParseAndVerifyPasswordResetToken parses a string into a PasswordReset, verifies the signature, and ensures that required claims are present. In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimPasswordResetCallback and ClaimPasswordResetPassword.

          func (PasswordReset) Callback

          func (e PasswordReset) Callback() *url.URL

          func (PasswordReset) Password

          func (e PasswordReset) Password() Password

          func (PasswordReset) UserID

          func (e PasswordReset) UserID() string

          type RemoteIdentity

          // RemoteIdentity represents a User's identity at an IDP. The pair
          // (ConnectorID, ID) identifies it; the same ID under a different
          // connector is presumably a different identity — confirm that
          // GetByRemoteIdentity compares both fields, since matching on ID alone
          // would let identities from different IDPs collide.
          type RemoteIdentity struct {
          	// ConnectorID is the identifier of the IDP (connector) which hosts
          	// this identity.
          	ConnectorID string
          
          	// ID is the identifier of this User at the IDP.
          	ID string
          }

            RemoteIdentity represents a User's identity at an IDP.

            func (*RemoteIdentity) UnmarshalJSON

            func (u *RemoteIdentity) UnmarshalJSON(data []byte) error

            type TokenClaims

            // TokenClaims wraps a set of jose.Claims.
            type TokenClaims struct {
            	Claims jose.Claims
            }

            type User

            // User is an account stored in a UserRepo. ID and Email are unique
            // within a UserRepo, and Email is compared case-insensitively (see the
            // UserRepo invariants).
            type User struct {
            	// ID is the machine-generated, stable, unique identifier for this User.
            	ID string
            
            	// DisplayName is human readable name meant for display purposes.
            	// DisplayName is not necessarily unique within a UserRepo.
            	DisplayName string
            
            	// Email is the user's email address; unique within a UserRepo and
            	// matched case-insensitively.
            	Email string
            
            	// EmailVerified reports whether Email has been verified; presumably
            	// set after a successful EmailVerification or Invitation flow — confirm.
            	EmailVerified bool
            
            	// Admin marks an administrative user; presumably what
            	// UserRepo.GetAdminCount counts — confirm.
            	Admin bool
            
            	// Disabled marks the account as disabled; presumably toggled via
            	// UserRepo.Disable — confirm.
            	Disabled bool
            
            	// CreatedAt is when the User was created.
            	CreatedAt time.Time
            }

            func (*User) AddToClaims

            func (u *User) AddToClaims(claims jose.Claims)

              AddToClaims adds basic information about the user to the given Claims. http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

              func (*User) UnmarshalJSON

              func (u *User) UnmarshalJSON(data []byte) error

              type UserFilter

              // UserFilter selects Users for UserRepo.List and round-trips through
              // EncodeNextPageToken/DecodeNextPageToken. It currently has no
              // fields, so presumably every user matches — confirm in List.
              type UserFilter struct {
              }

              func DecodeNextPageToken

              func DecodeNextPageToken(tok string) (UserFilter, int, int, error)

              type UserIDGenerator

              // UserIDGenerator produces a new User ID; DefaultUserIDGenerator has
              // this signature. IDs must be unique within a UserRepo (see its
              // invariants), so a generator must not produce guessable or
              // repeating values.
              type UserIDGenerator func() (string, error)

              type UserRepo

              // UserRepo implementations maintain a persistent set of users. The
              // invariants listed below the interface (unique ID and Email, Emails
              // case insensitive, a RemoteIdentity owned by at most one User) must
              // hold after every mutating call.
              type UserRepo interface {
              	// Get returns the User with the given id; presumably ErrorNotFound
              	// when absent — confirm.
              	Get(tx repo.Transaction, id string) (User, error)
              
              	// List returns a list of users meeting the given conditions.
              	// A nextPageToken is returned when there are further results to be had,
              	// with the expectation that it will be passed into a subsequent List
              	// call. When nextPageToken is non-empty filter and maxResults are ignored.
              	//
              	// NOTE(review): the token therefore carries filter and maxResults;
              	// if DecodeNextPageToken does not authenticate it, treat a
              	// caller-supplied token as untrusted input — confirm.
              	List(tx repo.Transaction, filter UserFilter, maxResults int, nextPageToken string) ([]User, string, error)
              
              	// Create stores a new User; a duplicate ID or Email must be rejected
              	// (presumably with ErrorDuplicateID / ErrorDuplicateEmail — confirm).
              	Create(repo.Transaction, User) error
              
              	// GetByEmail looks a User up by email; the match is case insensitive.
              	GetByEmail(tx repo.Transaction, email string) (User, error)
              
              	// Disable sets or clears the disabled state of the User with id.
              	Disable(tx repo.Transaction, id string, disabled bool) error
              
              	// Update replaces an existing User; the uniqueness invariants still apply.
              	Update(repo.Transaction, User) error
              
              	// GetByRemoteIdentity finds the single User owning the given RemoteIdentity.
              	GetByRemoteIdentity(repo.Transaction, RemoteIdentity) (User, error)
              
              	// AddRemoteIdentity links remoteID to userID; it must fail when another
              	// User already owns remoteID (presumably ErrorDuplicateRemoteIdentity).
              	AddRemoteIdentity(tx repo.Transaction, userID string, remoteID RemoteIdentity) error
              
              	// RemoveRemoteIdentity unlinks remoteID from userID.
              	RemoveRemoteIdentity(tx repo.Transaction, userID string, remoteID RemoteIdentity) error
              
              	// GetRemoteIdentities returns every RemoteIdentity linked to userID.
              	GetRemoteIdentities(tx repo.Transaction, userID string) ([]RemoteIdentity, error)
              
              	// GetAdminCount returns the number of Users with Admin set (presumably).
              	GetAdminCount(repo.Transaction) (int, error)
              }

                UserRepo implementations maintain a persistent set of users. The following invariants must be maintained:

                * Users must have a unique Email and ID
                * Emails are case insensitive.
                * No other Users may have the same RemoteIdentity as one of the
                  users. (This constraint may be relaxed in the future)
                

                type UserWithRemoteIdentities

                // UserWithRemoteIdentities bundles a User with the RemoteIdentities
                // linked to it (cf. UserRepo.GetRemoteIdentities) for JSON
                // serialization.
                type UserWithRemoteIdentities struct {
                	User             User             `json:"user"`
                	RemoteIdentities []RemoteIdentity `json:"remoteIdentities"`
                }
