auth

package
v2.3.6+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 15, 2021 License: AGPL-3.0 Imports: 57 Imported by: 213

Documentation

Overview

Package auth provides tools related to authentication of pydio services

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddContextVerifier 

func AddContextVerifier(v ContextVerifier)

AddContextVerifier registers an additional verifier

func ClaimsFromMetadata 

func ClaimsFromMetadata(ctx context.Context) (c claim.Claims, o bool)

ClaimsFromMetadata loads Claims from metadata (be passed along by grpc queries)

func ContextFromClaims 

func ContextFromClaims(ctx context.Context, claims claim.Claims) context.Context

ContextFromClaims feeds context with correct Keys and Metadata for a given Claims

func DuplicateRegistryForConf 

func DuplicateRegistryForConf(c ConfigurationProvider) driver.Registry

func GetRegistry 

func GetRegistry() driver.Registry

func GetRegistrySQL 

func GetRegistrySQL() *driver.RegistrySQL

func InitConfiguration 

func InitConfiguration(values configx.Values)

func InitRegistry 

func InitRegistry(dao sql.DAO)

func OnConfigurationInit 

func OnConfigurationInit(f func(scanner common.Scanner))

func OnRegistryInit 

func OnRegistryInit(f func())

func RegisterConnector 

func RegisterConnector(id, name, connectorType string, data proto.Message)

RegisterConnector to the auth registry and opens up the connection

func RegisterConnectorType 

func RegisterConnectorType(connType string, openerFunc OpenerFunc)

RegisterConnectorType registers how to set an opener for a connector type

func RegisterGRPCProvider 

func RegisterGRPCProvider(pType ProviderType, service string)

func RegisterOryProvider 

func RegisterOryProvider(o fosite.OAuth2Provider)

func SubjectsForResourcePolicyQuery 

func SubjectsForResourcePolicyQuery(ctx context.Context, q *rest.ResourcePolicyQuery) (subjects []string, err error)

SubjectsForResourcePolicyQuery prepares a slice of strings that will be used to check for resource ownership. Can be extracted either from context or by loading a given user ID from database.

func SubjectsFromClaim 

func SubjectsFromClaim(claim claim.Claims) (subjects []string)

SubjectsFromClaim builds a list of subjects based on Claim attributes.

func VerifyContext 

func VerifyContext(ctx context.Context, user *idm.User) error

VerifyContext ranges over registered ContextVerifiers and check if one of them returns an error.

func WithImpersonate 

func WithImpersonate(ctx context.Context, user *idm.User) context.Context

WithImpersonate Add a fake Claims in context to impersonate a user.

Types

type BasicAuthenticator 

type BasicAuthenticator struct {
	TTL   time.Duration
	Realm string
	// contains filtered or unexported fields
}

func NewBasicAuthenticator 

func NewBasicAuthenticator(realm string, ttl time.Duration) *BasicAuthenticator

func (*BasicAuthenticator) Wrap 

func (b *BasicAuthenticator) Wrap(handler http.Handler) http.HandlerFunc

type CallbackConnector 

type CallbackConnector interface {
	// The initial URL to redirect the user to.
	//
	// OAuth2 implementations should request different scopes from the upstream
	// identity provider based on the scopes requested by the downstream client.
	// For example, if the downstream client requests a refresh token from the
	// server, the connector should also request a token from the provider.
	//
	// Many identity providers have arbitrary restrictions on refresh tokens. For
	// example Google only allows a single refresh token per client/user/scopes
	// combination, and wont return a refresh token even if offline access is
	// requested if one has already been issues. There's no good general answer
	// for these kind of restrictions, and may require this package to become more
	// aware of the global set of user/connector interactions.
	LoginURL(s Scopes, callbackURL, state string) (string, error)

	// Handle the callback to the server and return an identity.
	HandleCallback(s Scopes, r *http.Request) (identity Identity, err error)
}

CallbackConnector is an interface implemented by connectors which use an OAuth style redirect flow to determine user information.

type ConfigurationProvider 

type ConfigurationProvider interface {
	configuration.Provider
	Clients() common.Scanner
	Connectors() common.Scanner
}

func GetConfigurationProvider 

func GetConfigurationProvider(hostname ...string) ConfigurationProvider

func NewProvider 

func NewProvider(rootURL string, values configx.Values) ConfigurationProvider

type Connector 

type Connector interface{}

type ConnectorConfig 

type ConnectorConfig interface {
	ID() string
	Name() string
	Type() string
	Conn() Connector
}

func GetConnectors 

func GetConnectors() []ConnectorConfig

GetConnectors list all the connectors correctly configured

type ContextVerifier 

type ContextVerifier interface {
	Verify(ctx context.Context, user *idm.User) error
}

type Exchanger 

type Exchanger interface {
	Exchange(context.Context, string) (*oauth2.Token, error)
}

type IDToken 

type IDToken interface {
	Claims(interface{}) error
	ScopedClaims(claims *claim.Claims) error
}

type Identity 

type Identity struct {
	UserID        string
	Username      string
	Email         string
	EmailVerified bool
	Claims        map[string]interface{}

	Groups []string

	// ConnectorData holds data used by the connector for subsequent requests after initial
	// authentication, such as access tokens for upstream provides.
	//
	// This data is never shared with end users, OAuth clients, or through the API.
	ConnectorData []byte
}

Identity represents the ID Token claims supported by the server.

type JWTVerifier 

type JWTVerifier struct {
	// contains filtered or unexported fields
}

func DefaultJWTVerifier 

func DefaultJWTVerifier() *JWTVerifier

DefaultJWTVerifier creates a ready to use JWTVerifier

func LocalJWTVerifier 

func LocalJWTVerifier() *JWTVerifier

func (*JWTVerifier) Exchange 

func (j *JWTVerifier) Exchange(ctx context.Context, code string) (*oauth2.Token, error)

Exchange retrieves an oauth2 Token from a code.

func (*JWTVerifier) LoginChallengeCode 

func (j *JWTVerifier) LoginChallengeCode(ctx context.Context, claims claim.Claims, opts ...TokenOption) (string, error)

LoginChallengeCode will perform an implicit flow to get a valid code from given claims and challenge

func (*JWTVerifier) Logout 

func (j *JWTVerifier) Logout(ctx context.Context, url, subject, sessionID string, opts ...TokenOption) error

Logout calls logout on underlying provider

func (*JWTVerifier) PasswordCredentialsCode 

func (j *JWTVerifier) PasswordCredentialsCode(ctx context.Context, username, password string, opts ...TokenOption) (string, error)

PasswordCredentialsCode will perform an implicit flow to get a valid code from given claims and challenge

func (*JWTVerifier) PasswordCredentialsToken 

func (j *JWTVerifier) PasswordCredentialsToken(ctx context.Context, userName string, password string) (*oauth2.Token, error)

PasswordCredentialsToken will perform a call to the OIDC service with grantType "password" to get a valid token from a given user/pass credentials

func (*JWTVerifier) Verify 

func (j *JWTVerifier) Verify(ctx context.Context, rawIDToken string) (context.Context, claim.Claims, error)

Verify validates an existing JWT token against the OIDC service that issued it

type LockVerifier 

type LockVerifier struct{}

func (LockVerifier) Verify 

func (l LockVerifier) Verify(ctx context.Context, user *idm.User) error

type LoginChallengeCodeExchanger 

type LoginChallengeCodeExchanger interface {
	LoginChallengeCode(context.Context, claim.Claims, ...TokenOption) (string, error)
}

type LogoutProvider 

type LogoutProvider interface {
	Logout(context.Context, string, string, string, ...TokenOption) error
}

type MappingRule 

type MappingRule struct {
	RuleName string

	// Left Attribute is attribute of external user (ldap, sql, api ...)
	// For example: displayName, mail, memberOf
	LeftAttribute string

	// Right Attribute is attribute of standard user
	// For example: displayName, email
	// Two reserved attributes: Roles, GroupPath
	RightAttribute string

	// Rule string define an acceptable list of right value
	// It can be:
	// * Empty
	// * A list of accepted values separated by comma , . For example: teacher,researcher,employee
	// * preg string
	RuleString string

	// RolePrefix
	// AuthSourceName_Prefix_RoleID
	RolePrefix string
}

func (MappingRule) AddPrefix 

func (m MappingRule) AddPrefix(prefix string, strs []string) []string

func (MappingRule) ConvertDNtoName 

func (m MappingRule) ConvertDNtoName(strs []string) []string

ConvertDNtoName tries to extract value from distinguishedName For example: member: uid=user01,dc=com,dc=fr member: uid=user02,dc=com,dc=fr member: uid=user03,dc=com,dc=fr return an array like: 

user01
user02
user03

func (MappingRule) FilterList 

func (m MappingRule) FilterList(list []string, strs []string) []string

func (MappingRule) FilterPreg 

func (m MappingRule) FilterPreg(preg string, strs []string) []string

func (MappingRule) IsDnFormat 

func (m MappingRule) IsDnFormat(str string) bool

IsDnFormat simply checks if the passed string is valid. See: https://www.ietf.org/rfc/rfc2253.txt

func (MappingRule) RemoveLdapEscape 

func (m MappingRule) RemoveLdapEscape(strs []string) []string

RemoveLdapEscape remove LDAP escape characters but except '\,'.

func (MappingRule) SanitizeValues 

func (m MappingRule) SanitizeValues(strs []string) []string

type OIDCPoliciesVerifier 

type OIDCPoliciesVerifier struct{}

func (OIDCPoliciesVerifier) Verify 

func (O OIDCPoliciesVerifier) Verify(ctx context.Context, user *idm.User) error

type Opener 

type Opener interface {
	Open(string, dlog.Logger) (Connector, error)
}

type OpenerFunc 

type OpenerFunc func(proto.Message) (Opener, error)

type PasswordConnector 

type PasswordConnector interface {
	Prompt() string
	Login(ctx context.Context, s Scopes, username, password string) (identity Identity, validPassword bool, err error)
}

PasswordConnector is an interface implemented by connectors which take a username and password. Prompt() is used to inform the handler what to display in the password template. If this returns an empty string, it'll default to "Username".

type PasswordCredentialsCodeExchanger 

type PasswordCredentialsCodeExchanger interface {
	PasswordCredentialsCode(context.Context, string, string, ...TokenOption) (string, error)
}

type PasswordCredentialsTokenExchanger 

type PasswordCredentialsTokenExchanger interface {
	PasswordCredentialsToken(context.Context, string, string) (*oauth2.Token, error)
}

type Provider 

type Provider interface {
	GetType() ProviderType
}

type ProviderType 

type ProviderType int
const (
	ProviderTypeOry ProviderType = iota
	ProviderTypeGrpc
	ProviderTypePAT
)

type PydioPW 

type PydioPW struct {
	PBKDF2_HASH_ALGORITHM string
	PBKDF2_ITERATIONS     int
	PBKDF2_SALT_BYTE_SIZE int
	PBKDF2_HASH_BYTE_SIZE int
	HASH_SECTIONS         int
	HASH_ALGORITHM_INDEX  int
	HASH_ITERATION_INDEX  int
	HASH_SALT_INDEX       int
	HASH_PBKDF2_INDEX     int
}

func (PydioPW) CheckDBKDF2PydioPwd 

func (p PydioPW) CheckDBKDF2PydioPwd(password string, hashedPw string, legacySalt ...bool) (bool, error)

func (PydioPW) CreateHash 

func (p PydioPW) CreateHash(password string) (base64Pw string)

type RefreshConnector 

type RefreshConnector interface {
	// Refresh is called when a client attempts to claim a refresh token. The
	// connector should attempt to update the identity object to reflect any
	// changes since the token was last refreshed.
	Refresh(ctx context.Context, s Scopes, identity Identity) (Identity, error)
}

RefreshConnector is a connector that can update the client claims.

type SAMLConnector 

type SAMLConnector interface {
	// POSTData returns an encoded SAML request and SSO URL for the server to
	// render a POST form with.
	//
	// POSTData should encode the provided request ID in the returned serialized
	// SAML request.
	POSTData(s Scopes, requestID string) (ssoURL, samlRequest string, err error)

	// HandlePOST decodes, verifies, and maps attributes from the SAML response.
	// It passes the expected value of the "InResponseTo" response field, which
	// the connector must ensure matches the response value.
	//
	// See: https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
	// "3.2.2 Complex Type StatusResponseType"
	HandlePOST(s Scopes, samlResponse, inResponseTo string) (identity Identity, err error)
}

SAMLConnector represents SAML connectors which implement the HTTP POST binding. 

RelayState is handled by the server.

See: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf "3.5 HTTP POST Binding"

type Scopes 

type Scopes struct {
	// The client has requested a refresh token from the server.
	OfflineAccess bool

	// The client has requested group information about the end user.
	Groups bool
}

Scopes represents additional data requested by the clients about the end user.

type TokenOption 

type TokenOption interface {
	// contains filtered or unexported methods
}

TokenOption is an AuthCodeOption is passed to Config.AuthCodeURL.

func SetAccessToken 

func SetAccessToken(value string) TokenOption

SetAccessToken builds a TokenOption for passing the access token.

func SetChallenge 

func SetChallenge(value string) TokenOption

SetChallenge builds a TokenOption which passes key/value parameters to a provider's token exchange endpoint.

func SetRefreshToken 

func SetRefreshToken(value string) TokenOption

SetRefreshToken builds a TokenOption for passing the refresh_token.

type Verifier 

type Verifier interface {
	Verify(context.Context, string) (IDToken, error)
}

Source Files

View all Source files

Directories

Path Synopsis
Package claim wraps the JWT claims with util functions
 Package claim wraps the JWT claims with util functions

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.