authschemes

package v0.0.0-...-82cc56b Latest

Warning: This package is not in the latest version of its module.

Published: May 13, 2024 License: MIT Imports: 18 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func CreateNewAuthForUserGeneric

func CreateNewAuthForUserGeneric(db *database.Connection, authSchemeName, authSchemeType string, data UserAuthData) error

CreateNewAuthForUserGeneric provides a mechanism for non-auth providers to generate new authentications on behalf of auth providers. This is only intended for recovery.

Proper usage: `authschemes.CreateNewAuthForUser(db, recoveryauth.constants.Code, authschemes.UserAuthData{})`. Note: you will need to provide your own database instance.

func GenerateNonce

func GenerateNonce() (string, error)

GenerateNonce creates a random base64 string. This is used to help prevent replay attacks. See: https://en.wikipedia.org/wiki/Cryptographic_nonce

Types

type AShirtAuthBridge

type AShirtAuthBridge struct {
	// contains filtered or unexported fields
}

AShirtAuthBridge provides a set of functionality that bridges the identity resolution (the AuthScheme) and persistent user/session management

func MakeAuthBridge

func MakeAuthBridge(db *database.Connection, sessionStore *session.Store, authSchemeName, authSchemeType string) AShirtAuthBridge

MakeAuthBridge constructs and returns a set of functions to interact with the underlying AShirt authentication scheme.

func (AShirtAuthBridge) AddScheduledEmail

func (ah AShirtAuthBridge) AddScheduledEmail(emailAddress string, userID int64, emailTemplate string) error

AddScheduledEmail creates a database entry for an outgoing email, for the given email address and related user_id

func (AShirtAuthBridge) CheckIfUserEmailTaken

func (ah AShirtAuthBridge) CheckIfUserEmailTaken(email string, allowUserID int64, includeDeleted bool) (bool, error)

CheckIfUserEmailTaken attempts to find an account with the provided email. If found, returns true; otherwise, returns false. Note that if the user found is the one with the ID matching allowUserID, then false is returned.

func (AShirtAuthBridge) CreateNewAuthForUser

func (ah AShirtAuthBridge) CreateNewAuthForUser(data UserAuthData) error

CreateNewAuthForUser adds a new entry to the auth_scheme_data table for the given UserAuthData.

Returns nil if no error occurred, BadInputErr if the user account already exists, or DatabaseErr if any other issue occurs.

func (AShirtAuthBridge) CreateNewUser

func (ah AShirtAuthBridge) CreateNewUser(profile UserProfile) (*dtos.CreateUserOutput, error)

CreateNewUser allows new users to be registered into the system, if they do not already exist. Note that slug must be unique

func (AShirtAuthBridge) DeleteSession

func (ah AShirtAuthBridge) DeleteSession(w http.ResponseWriter, r *http.Request) error

DeleteSession removes a user's session. Useful in situations where authentication fails, and we want to treat the user as not logged in.

func (AShirtAuthBridge) FindUserAuth

func (ah AShirtAuthBridge) FindUserAuth(username string) (UserAuthData, error)

FindUserAuth retrieves the row (codified by UserAuthData) corresponding to the provided username and the auth scheme name provided from the caller.

Returns a fully populated UserAuthData object, or an error if no such row exists

func (AShirtAuthBridge) FindUserAuthByContext

func (ah AShirtAuthBridge) FindUserAuthByContext(ctx context.Context) (UserAuthData, error)

FindUserAuthByContext acts as a proxy to calling FindUserByUserID with the userID extracted from the provided context

See FindUserAuthByUserID.

func (AShirtAuthBridge) FindUserAuthByUserID

func (ah AShirtAuthBridge) FindUserAuthByUserID(userID int64) (UserAuthData, error)

FindUserAuthByUserID retrieves the row (codified by UserAuthData) corresponding to the provided userID

Returns a fully populated UserAuthData object, or nil if no such row exists

func (AShirtAuthBridge) FindUserAuthsByUserEmail

func (ah AShirtAuthBridge) FindUserAuthsByUserEmail(email string) ([]UserAuthData, error)

FindUserAuthsByUserEmail retrieves the rows (codified by UserAuthData) corresponding to the provided userEmail for NON-DELETED accounts. Note that a user may have multiple authentications based on a single email, so all of these records are returned.

See FindUserAuthsByUserEmailIncludeDeleted to retrieve all users irrespective of whether they have been deleted.

Returns a fully populated UserAuthData object, or nil if no such row exists.

func (AShirtAuthBridge) FindUserAuthsByUserEmailIncludeDeleted

func (ah AShirtAuthBridge) FindUserAuthsByUserEmailIncludeDeleted(email string) ([]UserAuthData, error)

FindUserAuthsByUserEmailIncludeDeleted retrieves the rows (codified by UserAuthData) corresponding to the provided userEmail for ALL accounts. Note that a user may have multiple authentications based on a single email, so all of these records are returned.

Returns a fully populated UserAuthData object, or nil if no such row exists

func (AShirtAuthBridge) FindUserAuthsByUserSlug

func (ah AShirtAuthBridge) FindUserAuthsByUserSlug(slug string) ([]UserAuthData, error)

FindUserAuthsByUserSlug retrieves the row (codified by UserAuthData) corresponding to the provided user slug and the auth scheme name provided from the caller.

Returns a fully populated UserAuthData object, or nil if no such row exists

func (AShirtAuthBridge) FindUserByEmail

func (ah AShirtAuthBridge) FindUserByEmail(email string, includeDeleted bool) (models.User, error)

FindUserByEmail retrieves the user record associated with the specified email address. Returns the found record, or an error if no such record exists

func (AShirtAuthBridge) GetDatabase

func (ah AShirtAuthBridge) GetDatabase() *database.Connection

GetDatabase provides raw access to the database. In general, this should not be used by authschemes, but it is provided for situations where unique access to the database is required.

func (AShirtAuthBridge) GetUserFromAuthnID

func (ah AShirtAuthBridge) GetUserFromAuthnID(authnID string) (models.User, error)

func (AShirtAuthBridge) GetUserFromID

func (ah AShirtAuthBridge) GetUserFromID(userID int64) (models.User, error)

func (AShirtAuthBridge) GetUserIDFromSlug

func (ah AShirtAuthBridge) GetUserIDFromSlug(userSlug string) (int64, error)

GetUserIDFromSlug retrieves a userid from the provided user slug.

func (AShirtAuthBridge) IsAccountEnabled

func (ah AShirtAuthBridge) IsAccountEnabled(userID int64) (bool, error)

IsAccountEnabled checks if the provided userid has an enabled account (specifically, that it does not have the disabled flag set). Returns (false, err) if the account cannot be found or another database error occurred.

func (AShirtAuthBridge) IsUsernameTaken

func (ah AShirtAuthBridge) IsUsernameTaken(username string, allowUserID int64) (bool, error)

func (AShirtAuthBridge) LoginUser

func (ah AShirtAuthBridge) LoginUser(w http.ResponseWriter, r *http.Request, userID int64, authSchemeSessionData interface{}) error

LoginUser denotes that a user shall be logged in. In addition to the required userID, a caller can also provide custom authscheme-specific session data.

func (AShirtAuthBridge) OneTimeVerification

func (ah AShirtAuthBridge) OneTimeVerification(ctx context.Context, username string, expirationInMinutes int64) (int64, error)

OneTimeVerification looks for a matching record in the auth_scheme_data table with the following conditions: the username matches, and created_at is within the last <expirationInMinutes> minutes. If this record exists, then the record is deleted. If there is no error, either for the lookup or for the deletion, then (userID for the user, nil) is returned. At this point, the user has been validated and LoginUser can be called.

If an error occurs, either the record does not exist or some database issue prevented deletion; in either event, the user cannot be approved. In this case (0, <error>) will be returned.
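The nonce generation described under GenerateNonce and the consume-once lookup described under OneTimeVerification are two halves of the same replay defence: a code is minted from a CSPRNG, stored as the username of a pending auth_scheme_data row, and deleted the moment it is verified, so presenting it twice fails. The following Go example (added here, not code from the ashirt project) models that flow against an in-memory map standing in for the table. The 32-byte length, the URL-safe base64 alphabet, the store type, and the Issue/Verify method names are this example's assumptions; the page only says "random base64 string" and describes the lookup conditions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// GenerateNonce returns 32 bytes from crypto/rand as unpadded URL-safe base64
// (43 characters). Length and alphabet are this example's choice.
func GenerateNonce() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("generate nonce: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// ErrNoPendingVerification is the single failure a caller sees: missing,
// expired and already-consumed codes are deliberately indistinguishable.
var ErrNoPendingVerification = errors.New("no matching, unexpired verification record")

// pendingAuth stands in for one auth_scheme_data row created for recovery:
// the nonce is the username, alongside user_id and created_at.
type pendingAuth struct {
	userID    int64
	createdAt time.Time
}

// OneTimeStore is an in-memory stand-in for the table. The clock is injected
// so expiry can be tested deterministically.
type OneTimeStore struct {
	mu      sync.Mutex
	now     func() time.Time
	pending map[string]pendingAuth // keyed by username (the nonce)
}

func NewOneTimeStore(now func() time.Time) *OneTimeStore {
	return &OneTimeStore{now: now, pending: map[string]pendingAuth{}}
}

// Issue mirrors what a recovery scheme does with CreateNewAuthForUserGeneric:
// mint a nonce and record it as the username for userID.
func (s *OneTimeStore) Issue(userID int64) (string, error) {
	code, err := GenerateNonce()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[code] = pendingAuth{userID: userID, createdAt: s.now()}
	return code, nil
}

// Verify mirrors OneTimeVerification: find the row by username, require
// created_at to be within expirationInMinutes, delete it, return the user ID.
// Every failure yields (0, err). Lookup and delete happen under one lock so
// two concurrent presentations of the same code cannot both succeed.
func (s *OneTimeStore) Verify(code string, expirationInMinutes int64) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.pending[code]
	if !ok {
		return 0, ErrNoPendingVerification
	}
	if s.now().Sub(rec.createdAt) >= time.Duration(expirationInMinutes)*time.Minute {
		// A stale row never matches the lookup; a periodic sweep should remove it.
		return 0, ErrNoPendingVerification
	}
	delete(s.pending, code) // consumed: the same code can never be accepted again
	return rec.userID, nil
}

func main() {
	store := NewOneTimeStore(time.Now)
	code, _ := store.Issue(42)
	uid, err := store.Verify(code, 15)
	fmt.Println("first use:", uid, err)
	uid, err = store.Verify(code, 15)
	fmt.Println("replay:", uid, err)
}
```

In the real package the row lives in the database, so the "lookup then delete" pair should be one transaction or a single conditional DELETE returning the user_id; an unconditional SELECT followed by a separate DELETE leaves a window in which two requests can both read the row before either deletes it.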

func (AShirtAuthBridge) ReadAuthSchemeSession

func (ah AShirtAuthBridge) ReadAuthSchemeSession(r *http.Request) interface{}

ReadAuthSchemeSession retrieves previously saved session data set by SetAuthSchemeSession

func (AShirtAuthBridge) SetAuthSchemeSession

func (ah AShirtAuthBridge) SetAuthSchemeSession(w http.ResponseWriter, r *http.Request, data interface{}) error

SetAuthSchemeSession sets authscheme-specific session data on the current user session. Session data should be a struct and registered with `gob.Register` in an init function of the authscheme.

func (AShirtAuthBridge) UpdateAuthForUser

func (ah AShirtAuthBridge) UpdateAuthForUser(data UserAuthData) error

UpdateAuthForUser updates a user's authentication password, and can flag whether the user needs to change their password on the next login.

func (AShirtAuthBridge) ValidateLinkingInfo

func (ah AShirtAuthBridge) ValidateLinkingInfo(username string, allowUserID int64) error

ValidateLinkingInfo checks if the user is linking with an unused username (for the auth scheme). This is only intended for services that register locally and do not need to access another service.

Note: this will leak info back to the user, to help indicate how to correct their registration data. This should be less of an issue generally, as the user should have an idea of who else is using ashirt

func (AShirtAuthBridge) ValidateRegistrationInfo

func (ah AShirtAuthBridge) ValidateRegistrationInfo(email, username string) error

ValidateRegistrationInfo checks if the user is registering with an unused email and an unused username (for the auth scheme). This is only intended for services that register locally and do not need to access another service.

Note: this will leak info back to the user, to help indicate how to correct their registration data. TODO: should we actually specify why they can't register?

type AuthScheme

type AuthScheme interface {
	BindRoutes(chi.Router, AShirtAuthBridge)
	Name() string
	FriendlyName() string
	Flags() []string

	// Type provides a way to identify how a scheme works apart from its name. Currently this has two
	// "categories". First is "oidc", which is used for any generic OIDC provider. Second is the name
	// of the method (e.g. "local"), which is used when there's no real alternative to speak of.
	Type() string
}

AuthScheme provides a small interface into interacting with the AShirt backend authentication. The interface consists of two methods:

Name() string: This method shall return a string that identifies the authentication scheme being used. It shall be distinct from any other authentication system being used within this project.

FriendlyName() string: This method shall return a friendly version of the authentication name that end users will understand. It is recommended, but not strictly required, that the value differ from that of any other scheme. Likewise, it should be a "friendlier" version of Name(), though it need not be.

BindRoutes(router, authBridge): BindRoutes exposes a _namespaced_ router that the authentication system can use to register custom endpoints. Each router is prefixed with /auth/{name} (as determined by the Name() method)
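To show how the interface above is meant to be used, here is an added Go example (not code from the ashirt project) of a host mounting two schemes. It enforces the two documented rules: Name() must be distinct across schemes, and each scheme's routes are namespaced under /auth/{name}. It also shows the two Type() categories, "oidc" for a generic OIDC provider and the method name ("local") otherwise. Because chi and AShirtAuthBridge are not importable offline, the example uses a minimal Router interface over net/http's ServeMux and an empty Bridge struct as stand-ins; the localScheme and oidcScheme types, the "allow-registration" flag, the MountSchemes function and the idp.example URL are all hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Router is a stand-in for chi.Router, cut down to the one method used here.
type Router interface {
	Handle(pattern string, h http.Handler)
}

// Bridge stands in for AShirtAuthBridge; a real scheme calls LoginUser etc. on it.
type Bridge struct{}

// AuthScheme mirrors the package interface, using the stand-in types above.
type AuthScheme interface {
	BindRoutes(Router, Bridge)
	Name() string
	FriendlyName() string
	Flags() []string
	Type() string
}

// prefixRouter namespaces every pattern a scheme registers under /auth/{name},
// so a scheme cannot register a handler outside its own namespace.
type prefixRouter struct {
	prefix string
	mux    *http.ServeMux
}

func (p prefixRouter) Handle(pattern string, h http.Handler) {
	p.mux.Handle(p.prefix+pattern, h)
}

// MountSchemes (hypothetical) registers each scheme under /auth/{Name()} and
// rejects duplicate or malformed names before any route is bound.
func MountSchemes(mux *http.ServeMux, bridge Bridge, schemes ...AuthScheme) ([]string, error) {
	seen := map[string]bool{}
	var mounted []string
	for _, s := range schemes {
		name := s.Name()
		if name == "" || strings.ContainsAny(name, "/ ") {
			return nil, fmt.Errorf("scheme %q: name must be a single non-empty path segment", name)
		}
		if seen[name] {
			return nil, fmt.Errorf("scheme %q: Name() must be distinct across schemes", name)
		}
		seen[name] = true
		prefix := "/auth/" + name
		s.BindRoutes(prefixRouter{prefix: prefix, mux: mux}, bridge)
		mounted = append(mounted, prefix)
	}
	return mounted, nil
}

// localScheme is a hypothetical username/password scheme: Type() is the method name.
type localScheme struct{}

func (localScheme) Name() string         { return "local" }
func (localScheme) FriendlyName() string { return "Username and password" }
func (localScheme) Flags() []string      { return []string{"allow-registration"} } // hypothetical flag
func (localScheme) Type() string         { return "local" }

func (localScheme) BindRoutes(r Router, _ Bridge) {
	// Registered as /login; reachable on the host as /auth/local/login.
	r.Handle("/login", http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if req.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Credential verification and bridge.LoginUser(...) would go here.
		w.WriteHeader(http.StatusNoContent)
	}))
}

// oidcScheme is a hypothetical generic OIDC provider: Type() reports "oidc".
type oidcScheme struct{ provider string }

func (o oidcScheme) Name() string         { return o.provider }
func (o oidcScheme) FriendlyName() string { return "Sign in with " + o.provider }
func (oidcScheme) Flags() []string        { return nil }
func (oidcScheme) Type() string           { return "oidc" }
func (oidcScheme) BindRoutes(r Router, _ Bridge) {
	// Placeholder authorize endpoint; a real scheme would build the OIDC request here.
	r.Handle("/login", http.RedirectHandler("https://idp.example/authorize", http.StatusFound))
}

func main() {
	mux := http.NewServeMux()
	mounted, err := MountSchemes(mux, Bridge{}, localScheme{}, oidcScheme{provider: "okta"})
	fmt.Println(mounted, err)
}
```

Failing fast on a duplicate Name() matters because both the route prefix and the auth_scheme_data rows are keyed by that name; two schemes sharing it would silently overwrite each other's routes and be unable to tell their credentials apart.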

type UserAuthData

type UserAuthData struct {
	UserID             int64   `db:"user_id"`
	AuthnID            []byte  `db:"authn_id"`
	Username           string  `db:"username"`
	EncryptedPassword  []byte  `db:"encrypted_password"`
	NeedsPasswordReset bool    `db:"must_reset_password"`
	TOTPSecret         *string `db:"totp_secret"`
	JSONData           *string `db:"json_data"`
}

UserAuthData is a small structure capturing data relevant to a user for authentication purposes

type UserProfile

type UserProfile struct {
	FirstName string
	LastName  string
	Slug      string
	Email     string
}

UserProfile contains the necessary information to create a new user.

func (UserProfile) ToCreateUserInput

func (up UserProfile) ToCreateUserInput() services.CreateUserInput

ToCreateUserInput converts the given UserProfile into a more useful services.CreateUserInput
