pam

package

Documentation

Index

Constants

// OAuth2 scopes understood by this package.
const (
	// ScopeOfflineAccess is the OAuth2 scope for requesting refresh tokens.
	// It is not part of DefaultScopes, so a client has to ask for it explicitly.
	ScopeOfflineAccess = "offline_access"
	// ScopeOpenID is the OpenID Connect scope.
	ScopeOpenID = "openid"
	// ScopeProfile is the scope for accessing user profile information.
	ScopeProfile = "profile"
	// ScopeEmail is the scope for accessing user email.
	ScopeEmail = "email"
	// ScopeRoles is the scope for accessing user roles.
	// It is not part of DefaultScopes, so a client has to ask for it explicitly.
	ScopeRoles = "roles"
	// DefaultScopes is the default set of scopes for authenticated users.
	// It omits offline_access and roles; NOTE(review): whether refresh tokens and
	// role claims are only granted when those scopes are explicitly requested is
	// decided by the Token implementation — confirm there.
	DefaultScopes = "openid profile email"
)

OAuth2 Scopes

// Token type identifiers. These are values carried in JWT claims to tag which
// kind of token a JWT is; they are not OAuth2 grant types.
// NOTE(review): consumers of a JWT (e.g. UserInfo) are expected to check this
// claim so that a refresh token cannot be presented where an access token is
// required — confirm in the implementation.
const (
	// TokenTypeAccess identifies an access token in JWT claims.
	TokenTypeAccess = "access_token"
	// TokenTypeRefresh identifies a refresh token in JWT claims.
	TokenTypeRefresh = "refresh_token"
)

Token Type Identifiers (used in JWT claims, not grant types)

// Token endpoint authentication methods.
const (
	// AuthMethodNone indicates no client authentication (public client).
	// A public client cannot prove its identity at the token endpoint, so the
	// PKCE fields stored on AuthorizationCodeData are what binds an authorization
	// code to the party that requested it.
	// NOTE(review): confirm that Token enforces the PKCE verifier check for
	// clients using this method.
	AuthMethodNone = "none"
	// AuthMethodClientSecretPost indicates client_secret_post authentication,
	// i.e. the client secret is sent in the body of the token request.
	AuthMethodClientSecretPost = "client_secret_post"
)

Token Endpoint Authentication Methods

// Organization and group prefixes.
const (
	// OrgPrefix is the prefix for organization group names, i.e. a group named
	// "org-<name>" is treated as an organization membership.
	OrgPrefix = "org-"
)

Organization and Group Prefixes

// SessionCookieCtxKey is the context key under which the session cookie is
// stored in a request context. It is typed as common.ContextKey rather than a
// plain string, presumably so it cannot collide with string-keyed context
// values set by other packages.
const SessionCookieCtxKey common.ContextKey = "session_cookie"

SessionCookieCtxKey is the context key for storing session cookies

// Default signing algorithms.
const (
	// SigningAlgRS256 is the RS256 (RSASSA-PKCS1-v1_5 with SHA-256) JWT signing
	// algorithm; it is the only algorithm declared by this package.
	SigningAlgRS256 = "RS256"
)

Default Signing Algorithms

Variables

This section is empty.

Functions

This section is empty.

Types

type Authenticator

// Authenticator abstracts PAM authentication and NSS user lookup so that a
// PAMOIDCProvider can be built with a custom implementation
// (see NewPAMOIDCProviderWithAuthenticator). PamAuthenticator is the
// package-provided implementation.
type Authenticator interface {
	// Authenticate verifies the username/password pair and returns a non-nil
	// error when authentication fails. The password arrives in plaintext here;
	// implementations should take care not to log it.
	Authenticate(username, password string) error
	// LookupUser resolves a username to its system user record.
	LookupUser(username string) (*user.User, error)
	// GetUserGroups returns the names of the groups the given system user
	// belongs to.
	GetUserGroups(systemUser *user.User) ([]string, error)
	// Close releases any resources held by the authenticator.
	Close() error
}

Authenticator interface for PAM authentication and NSS user lookup

type AuthorizationCodeData

// AuthorizationCodeData represents stored authorization code data.
// Entries live in an AuthorizationCodeStore until they are consumed by GetCode
// (which retrieves and removes the code, making it single-use) or expire and
// are dropped by CleanupExpiredCodes.
// NOTE(review): the token endpoint is expected to compare the request's
// client_id and redirect_uri against ClientID/RedirectURI stored here before
// exchanging the code — confirm in Token.
type AuthorizationCodeData struct {
	// Code is the authorization code value handed to the client.
	Code                string
	// ClientID is the client the code was issued to.
	ClientID            string
	// RedirectURI is the redirect URI from the originating authorization request.
	RedirectURI         string
	// Scope is the space-separated scope string requested for the code.
	Scope               string
	// State is the client-supplied state parameter, echoed back on redirect.
	State               string
	// Username is the authenticated user the code was issued for.
	Username            string
	// ExpiresAt is when the code stops being exchangeable.
	ExpiresAt           time.Time
	// CreatedAt is when the code was issued.
	CreatedAt           time.Time
	CodeChallenge       string                                        // PKCE code challenge
	CodeChallengeMethod pamapi.AuthAuthorizeParamsCodeChallengeMethod // PKCE code challenge method (plain or S256)
}

AuthorizationCodeData represents stored authorization code data

type AuthorizationCodeStore

// AuthorizationCodeStore manages temporary authorization codes.
// Codes are added with StoreCode, consumed (and removed) with GetCode, and
// expired entries are purged by CleanupExpiredCodes. Construct it with
// NewAuthorizationCodeStore.
type AuthorizationCodeStore struct {
	// contains filtered or unexported fields
}

AuthorizationCodeStore manages temporary authorization codes

func NewAuthorizationCodeStore

func NewAuthorizationCodeStore() *AuthorizationCodeStore

NewAuthorizationCodeStore creates a new authorization code store

func (*AuthorizationCodeStore) CleanupExpiredCodes

func (s *AuthorizationCodeStore) CleanupExpiredCodes()

CleanupExpiredCodes removes expired codes

func (*AuthorizationCodeStore) GetCode

GetCode retrieves and removes an authorization code

func (*AuthorizationCodeStore) StoreCode

func (s *AuthorizationCodeStore) StoreCode(codeData *AuthorizationCodeData)

StoreCode stores an authorization code with expiration

type AuthorizeResponse

// AuthorizeResponse wraps the authorize endpoint response with metadata telling
// the HTTP layer how to deliver Content.
type AuthorizeResponse struct {
	// Type selects how Content is to be served: an HTML page or a redirect.
	Type    AuthorizeResponseType
	// Content is either the HTML login form (AuthorizeResponseTypeHTML) or the
	// redirect URL (AuthorizeResponseTypeRedirect), depending on Type.
	Content string
}

AuthorizeResponse wraps the authorize endpoint response with metadata

type AuthorizeResponseType

// AuthorizeResponseType indicates the type of response from the authorize
// endpoint; see AuthorizeResponseTypeHTML and AuthorizeResponseTypeRedirect.
type AuthorizeResponseType string

AuthorizeResponseType indicates the type of response from the authorize endpoint

// Values of AuthorizeResponseType.
const (
	AuthorizeResponseTypeHTML     AuthorizeResponseType = "html"     // HTML login form
	AuthorizeResponseTypeRedirect AuthorizeResponseType = "redirect" // Redirect URL
)

type Logger

// Logger is a type alias for *logrus.Logger (an alias, not a new type, so any
// *logrus.Logger can be passed where a Logger is expected).
type Logger = *logrus.Logger

Logger is a type alias for logrus.Logger

type LoginResult

// LoginResult contains the result of a successful login.
type LoginResult struct {
	// RedirectURL is where the browser should be sent after login.
	RedirectURL string
	// SessionID identifies the session created for the logged-in user.
	SessionID   string
}

LoginResult contains the result of a successful login

type OIDCIssuer

// OIDCIssuer defines the interface for OIDC token issuers.
// It covers token issuance only; validation of issued tokens is handled by
// existing auth modules.
type OIDCIssuer interface {
	// Token handles the OAuth2/OIDC token endpoint.
	// Returns TokenResponse on success, or OAuth2Error (implements error interface) on failure.
	Token(ctx context.Context, req *pamapi.TokenRequest) (*pamapi.TokenResponse, error)

	// UserInfo handles the OIDC userinfo endpoint for the given access token.
	// Returns UserInfoResponse on success, or OAuth2Error (implements error interface) on failure.
	UserInfo(ctx context.Context, accessToken string) (*pamapi.UserInfoResponse, error)

	// Authorize handles the authorization endpoint of the authorization code
	// flow. It is browser-based, so errors are reported via redirects/HTML
	// rather than as OAuth2Error values.
	Authorize(ctx context.Context, req *pamapi.AuthAuthorizeParams) (*AuthorizeResponse, error)

	// Login handles the login form submission (browser-based). It receives the
	// user's plaintext password together with the pending authorization
	// request parameters (clientID, redirectURI, state, PKCE challenge and
	// method) and, on success, returns the redirect target and session ID.
	Login(ctx context.Context, username, password, clientID, redirectURI, state, codeChallenge, codeChallengeMethod string) (*LoginResult, error)

	// Discovery and configuration endpoints; these return system errors only.
	GetOpenIDConfiguration() (*pamapi.OpenIDConfiguration, error)
	GetJWKS() (*pamapi.JWKSResponse, error)
}

OIDCIssuer defines the interface for OIDC token issuers. It handles token issuance only; validation is handled by existing auth modules.

type PAMOIDCProvider

// PAMOIDCProvider represents a PAM-based OIDC issuer. It implements the
// OIDCIssuer interface, authenticating users through an Authenticator and
// tracking authorization codes and browser sessions internally. Construct it
// with NewPAMOIDCProvider or NewPAMOIDCProviderWithAuthenticator; the
// CleanupExpiredCodes and CleanupExpiredSessions methods exist because expired
// entries are not purged on their own.
type PAMOIDCProvider struct {
	// contains filtered or unexported fields
}

PAMOIDCProvider represents a PAM-based OIDC issuer

func NewPAMOIDCProvider

func NewPAMOIDCProvider(caClient *fccrypto.CAClient, config *config.PAMOIDCIssuer) (*PAMOIDCProvider, error)

NewPAMOIDCProvider creates a new PAM-based OIDC provider

func NewPAMOIDCProviderWithAuthenticator

func NewPAMOIDCProviderWithAuthenticator(caClient *fccrypto.CAClient, config *config.PAMOIDCIssuer, pamAuth Authenticator) (*PAMOIDCProvider, error)

NewPAMOIDCProviderWithAuthenticator creates a new PAM-based OIDC provider with a custom authenticator

func (*PAMOIDCProvider) Authorize

Authorize handles the authorization endpoint for the authorization code flow

func (*PAMOIDCProvider) CleanupExpiredCodes

func (s *PAMOIDCProvider) CleanupExpiredCodes()

CleanupExpiredCodes removes expired authorization codes

func (*PAMOIDCProvider) CleanupExpiredSessions

func (s *PAMOIDCProvider) CleanupExpiredSessions()

CleanupExpiredSessions removes expired sessions

func (*PAMOIDCProvider) Close

func (s *PAMOIDCProvider) Close() error

Close closes the PAM authenticator connection

func (*PAMOIDCProvider) CreateUserSession

func (s *PAMOIDCProvider) CreateUserSession(sessionID string, username, clientID, redirectURI, state, codeChallenge, codeChallengeMethod string)

CreateUserSession creates a new user session

func (*PAMOIDCProvider) GetJWKS

func (s *PAMOIDCProvider) GetJWKS() (*pamapi.JWKSResponse, error)

GetJWKS returns the JSON Web Key Set

func (*PAMOIDCProvider) GetLoginForm

func (s *PAMOIDCProvider) GetLoginForm(clientID, redirectURI, state, codeChallenge, codeChallengeMethod string) string

GetLoginForm returns the HTML for the login form

func (*PAMOIDCProvider) GetOpenIDConfiguration

func (s *PAMOIDCProvider) GetOpenIDConfiguration() (*pamapi.OpenIDConfiguration, error)

GetOpenIDConfiguration returns the OpenID Connect configuration

func (*PAMOIDCProvider) IsUserAuthenticated

func (s *PAMOIDCProvider) IsUserAuthenticated(sessionID string) (*SessionData, bool)

IsUserAuthenticated checks if a user is authenticated via session

func (*PAMOIDCProvider) Login

func (s *PAMOIDCProvider) Login(ctx context.Context, username, password, clientID, redirectURI, state, codeChallenge, codeChallengeMethod string) (*LoginResult, error)

Login handles the login form submission

func (*PAMOIDCProvider) Token

Token implements the OIDCProvider interface; it handles OAuth2 token requests

func (*PAMOIDCProvider) UserInfo

func (s *PAMOIDCProvider) UserInfo(ctx context.Context, accessToken string) (*pamapi.UserInfoResponse, error)

UserInfo implements the OIDCProvider interface; it returns user information

type PamAuthenticator

// PamAuthenticator implements the Authenticator interface for Linux using PAM
// and NSS. PAM (Pluggable Authentication Modules) handles authentication; NSS
// (Name Service Switch) handles user/group lookups via user.Lookup(). It works
// with whatever authentication backend the system is configured for.
// Construct it with NewPAMAuthenticator.
type PamAuthenticator struct {
	// contains filtered or unexported fields
}

PamAuthenticator implements Linux authentication using PAM and NSS. PAM (Pluggable Authentication Modules) handles authentication; NSS (Name Service Switch) handles user/group lookups via user.Lookup(). It works with any system-configured authentication backend.

func NewPAMAuthenticator

func NewPAMAuthenticator() (*PamAuthenticator, error)

NewPAMAuthenticator creates a new Linux authenticator. It uses PAM for authentication and NSS for user/group information, and automatically works with any configured Linux authentication backend.

func (*PamAuthenticator) Authenticate

func (r *PamAuthenticator) Authenticate(username, password string) error

Authenticate performs authentication using PAM. PAM automatically uses the system-configured authentication backend.

func (*PamAuthenticator) Close

func (r *PamAuthenticator) Close() error

Close is a no-op since we don't hold any resources

func (*PamAuthenticator) GetUserGroups

func (r *PamAuthenticator) GetUserGroups(systemUser *user.User) ([]string, error)

GetUserGroups gets the groups for a user using NSS. NSS (Name Service Switch) automatically uses the appropriate backend.

func (*PamAuthenticator) LookupUser

func (r *PamAuthenticator) LookupUser(username string) (*user.User, error)

LookupUser looks up a user by username using NSS. NSS (Name Service Switch) automatically uses the appropriate backend.

type SessionData

// SessionData represents user session information. A session is created after
// a successful Login and keeps the pending authorization request parameters so
// the flow can be completed for that user. Expired sessions are removed by
// CleanupExpiredSessions.
// NOTE(review): IsUserAuthenticated is documented as checking authentication
// "via session"; confirm it rejects a session whose ExpiresAt has passed rather
// than relying on cleanup alone.
type SessionData struct {
	// Username is the authenticated user.
	Username            string
	// LoginTime is when the session was created.
	LoginTime           time.Time
	// ExpiresAt is when the session stops being valid.
	ExpiresAt           time.Time
	// ClientID is the client of the pending authorization request.
	ClientID            string
	// RedirectURI is the redirect URI of the pending authorization request.
	RedirectURI         string
	// State is the client-supplied state parameter of the pending request.
	State               string
	CodeChallenge       string                                        // PKCE code challenge
	CodeChallengeMethod pamapi.AuthAuthorizeParamsCodeChallengeMethod // PKCE code challenge method
}

SessionData represents user session information

type SessionStore

// SessionStore manages user sessions keyed by session ID. Sessions are added
// with CreateSession, read with GetSession, removed with DeleteSession, and
// expired entries are purged by CleanupExpiredSessions. Construct it with
// NewSessionStore.
// NOTE(review): CreateSession takes the session ID from the caller; the caller
// is responsible for generating it unpredictably.
type SessionStore struct {
	// contains filtered or unexported fields
}

SessionStore manages user sessions

func NewSessionStore

func NewSessionStore() *SessionStore

NewSessionStore creates a new session store

func (*SessionStore) CleanupExpiredSessions

func (s *SessionStore) CleanupExpiredSessions()

CleanupExpiredSessions removes expired sessions

func (*SessionStore) CreateSession

func (s *SessionStore) CreateSession(sessionID string, data *SessionData)

CreateSession creates a new user session

func (*SessionStore) DeleteSession

func (s *SessionStore) DeleteSession(sessionID string)

DeleteSession removes a session

func (*SessionStore) GetSession

func (s *SessionStore) GetSession(sessionID string) (*SessionData, bool)

GetSession retrieves a session by ID
