Documentation
Overview
Package auth provides Authenticator implementations for HTTP CONNECT proxy authentication. An Authenticator drives a multi-round Proxy-Authorization exchange; the transport layer iterates the Authenticators in [proxykit.Config.Auth] on HTTP 407 until one succeeds or all are exhausted.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Authenticator
type Authenticator interface {
// Scheme returns the canonical RFC 7235 auth scheme this
// Authenticator implements, lower-cased ("basic", "ntlm",
// "negotiate", ...). The transport matches it against the
// Proxy-Authenticate values the proxy advertised; returning the
// empty string disables scheme matching, which is the right
// behaviour for sentinel implementations that contribute no
// headers.
Scheme() string
// Headers returns the headers to attach to the next CONNECT
// request given the most recent server challenge.
//
// challenge is nil on the first call. On subsequent calls it is
// the payload the proxy supplied alongside its scheme in
// Proxy-Authenticate, base64-decoded for binary schemes such as
// NTLM or Negotiate.
//
// headers entries are complete HTTP header lines, e.g.
// "Proxy-Authorization: Basic dXNlcjpwYXNz".
//
// done=true signals "this was my last round; do not call me
// again". A subsequent HTTP 407 from the proxy is then reported
// as a permanent failure for this Authenticator and the next one
// in the chain is tried.
Headers(challenge []byte) (headers []string, done bool, err error)
}
Authenticator drives a single CONNECT-with-auth handshake against an HTTP CONNECT proxy. Implementations are typically stateful (e.g. NTLM keeps a session struct between rounds) and not safe for concurrent use; the transport layer treats each Authenticator as belonging to a single dial attempt.
func Basic
func Basic(user, pass string) Authenticator
Basic returns an HTTP Basic Authenticator (RFC 7617). It produces a single round emitting "Proxy-Authorization: Basic <base64(user:pass)>". The challenge is ignored — Basic does not depend on it.
Basic transmits the credentials in the clear: base64 is an encoding, not encryption, and anyone who observes the CONNECT request recovers user and pass trivially. It is appropriate only over a TLS-protected proxy connection (https proxy scheme); on a plain http hop every network observer between the client and the proxy sees the password.
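The following is an added example, not code from the proxykit module: it reproduces the Authenticator interface locally (an assumption so the file compiles stand-alone), implements the single-round Basic behaviour described above together with a None-style sentinel, and drives them through a constructed in-memory proxy with the 407 loop the overview describes: an unauthenticated CONNECT first, Scheme matching against the advertised Proxy-Authenticate values, base64 decoding of binary challenges, and the done=true rule that moves on to the next Authenticator in the chain. The fake proxy, the credentials and the helper names (dialWithAuth, challengeFor, basicToken, fakeProxy) are all invented for the example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Authenticator reproduces the package interface so this compiles stand-alone
// (assumption: it is not imported from the proxykit module here).
type Authenticator interface {
	Scheme() string
	Headers(challenge []byte) (headers []string, done bool, err error)
}

// basicToken is base64(user:pass), the Basic credential token (RFC 7617).
func basicToken(user, pass string) string {
	return base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
}

// basicAuth is a single-round Basic implementation: challenge ignored, done=true.
type basicAuth struct{ user, pass string }

func (b basicAuth) Scheme() string { return "basic" }
func (b basicAuth) Headers(_ []byte) ([]string, bool, error) {
	return []string{"Proxy-Authorization: Basic " + basicToken(b.user, b.pass)}, true, nil
}

// noneAuth mirrors the None sentinel: empty Scheme, no headers, one round.
type noneAuth struct{}

func (noneAuth) Scheme() string                           { return "" }
func (noneAuth) Headers(_ []byte) ([]string, bool, error) { return nil, true, nil }

// fakeProxy is a constructed proxy (not a real one): it admits exactly one
// Basic token and answers every other CONNECT with 407 advertising Basic and NTLM.
type fakeProxy struct{ want string }

func (p fakeProxy) connect(headers []string) (status int, proxyAuthenticate []string) {
	for _, h := range headers {
		if h == "Proxy-Authorization: Basic "+p.want {
			return 200, nil
		}
	}
	return 407, []string{`Basic realm="proxy"`, "NTLM"}
}

// challengeFor returns the payload the proxy attached to scheme (base64-decoded
// for the binary schemes) and false when that scheme was not advertised.
func challengeFor(values []string, scheme string) ([]byte, bool) {
	for _, v := range values {
		name, rest, _ := strings.Cut(strings.TrimSpace(v), " ")
		if !strings.EqualFold(name, scheme) {
			continue
		}
		rest = strings.TrimSpace(rest)
		if scheme == "ntlm" || scheme == "negotiate" {
			b, err := base64.StdEncoding.DecodeString(rest)
			return b, err == nil
		}
		return []byte(rest), true
	}
	return nil, false
}

var errExhausted = errors.New("proxy auth: every Authenticator was rejected")

// dialWithAuth mimics the transport loop: an unauthenticated CONNECT, then each
// Authenticator in turn on 407, honouring Scheme matching and done. It returns
// the index of the Authenticator that succeeded (-1 if none was needed).
func dialWithAuth(p fakeProxy, chain []Authenticator) (int, error) {
	status, advertised := p.connect(nil)
	if status == 200 {
		return -1, nil
	}
	for i, a := range chain {
		scheme := a.Scheme()
		if _, ok := challengeFor(advertised, scheme); scheme != "" && !ok {
			continue // proxy did not advertise this scheme
		}
		var challenge []byte // nil on the first round, per the contract
		for round := 0; round < 8; round++ { // hard stop against a proxy that challenges forever
			hdrs, done, err := a.Headers(challenge)
			if err != nil {
				return -1, fmt.Errorf("authenticator %d: %w", i, err)
			}
			if status, advertised = p.connect(hdrs); status == 200 {
				return i, nil
			}
			if status != 407 {
				return -1, fmt.Errorf("proxy answered %d", status)
			}
			if done {
				break // last round already sent: move on to the next Authenticator
			}
			challenge, _ = challengeFor(advertised, scheme)
		}
	}
	return -1, errExhausted
}
```

With a chain of noneAuth{}, basicAuth{"bob", "wrong"}, basicAuth{"alice", "s3cret"} against fakeProxy{want: basicToken("alice", "s3cret")}, dialWithAuth returns index 2: the sentinel contributes nothing and is finished after one round, the wrong Basic credential is rejected once and not retried because it reported done=true, and the correct one wins. A chain with no valid entry returns errExhausted.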
func NTLM
func NTLM(domain, user, pass string) Authenticator
NTLM returns an NTLM Authenticator (MS-NLMP / RFC 4559) that drives the standard 3-message exchange against an HTTP CONNECT proxy: Negotiate (Type 1) from the client, Challenge (Type 2) from the proxy, Authenticate (Type 3) from the client.
domain is the NT domain — pass "" for workgroup or implicit-domain hosts. user and pass are the credentials. The workstation name reported in the Type 1 message is taken from os.Hostname(); set the NTLM_WORKSTATION environment variable to override (handy for static binaries with empty hostnames).
NTLM transmits an NTLMv2 response (an HMAC-MD5 keyed by a derivative of the password hash over the server and client challenges), never the plain password. It remains vulnerable to relay attacks, and a captured response can be brute-forced offline against a weak password; prefer Negotiate (Kerberos) where the proxy advertises it.
The returned Authenticator is stateful and not safe for concurrent use. Sequential reuse across dials is fine — internal state is reset every time Headers is called with a nil challenge.
func Negotiate
func Negotiate(spn string) Authenticator
Negotiate returns a Negotiate (SPNEGO / Kerberos, RFC 4559) Authenticator. spn is the proxy's Kerberos service principal name, conventionally HTTP/<proxy FQDN>. On non-Windows builds the returned Authenticator's Headers always reports errors.ErrUnsupported: the implementation relies on SSPI, which is Windows-only; Linux/macOS Kerberos via gokrb5 lands in v0.2.
func None
func None() Authenticator
None returns an Authenticator that contributes no Proxy-Authorization header and finishes after a single round. Its Scheme is "" so it never matches a proxy-advertised scheme; it is a sentinel useful for tests and for explicit "no credentials available" entries.