Documentation ¶
Index ¶
Constants ¶
const ( SecretLength = 8 GeneratedSecretByteLength = 8 // N , R, P are used by scrypt, see scrypt docs below // https://godoc.org/golang.org/x/crypto/scrypt#Key N = 32768 R = 8 P = 1 SeedSize = 32 )
Variables ¶
var ( DefaultSHA256Producer = &SHA256Producer{} DefaultArgon2IDProducer = &Argon2IDProducer{ Time: 1, Memory: 64 * 1024, Threads: 4, KeyLength: models.SecretLength, } )
var ( RequiredTokenCause = errors.NewCause(errors.BadRequestCategory, "required_token") RequiredSigCause = errors.NewCause(errors.BadRequestCategory, "required_signature") RequiredPrivateKeyCause = errors.NewCause(errors.BadRequestCategory, "required_private_key") RequiredPublicKeyCause = errors.NewCause(errors.BadRequestCategory, "required_public_key") SignatureNotValid = errors.NewCause(errors.UnauthorizedCategory, "signature_not_valid") BadAPITokenVersion = errors.NewCause(errors.BadRequestCategory, "bad_apitoken_version") BadSaltLength = errors.NewCause(errors.BadRequestCategory, "bad_salt_length") BadSecretLength = errors.NewCause(errors.BadRequestCategory, "bad_secret_length") BadPackagedKeypair = errors.NewCause(errors.BadRequestCategory, "bad_packaged_keypair") MissingKeyPair = errors.NewCause(errors.BadRequestCategory, "missing_keypair") BadAlgType = errors.NewCause(errors.BadRequestCategory, "bad_alg_type") BadPublicKeyLength = errors.NewCause(errors.BadRequestCategory, "bad_public_key_length") // BadTokenFormat happens when an APIToken has a bad format BadTokenFormat = errors.NewCause(errors.BadRequestCategory, "bad_token_format") // InvalidAuthHeader occurs when the auth header is in the wrong format InvalidAuthHeader = errors.NewCause(errors.BadRequestCategory, "invalid_auth_header") InvalidInfo = errors.NewCause(errors.BadRequestCategory, "invalid_auth_info") // AuthenticationFailure is caused by authentication failing AuthenticationFailure = errors.NewCause(errors.UnauthorizedCategory, "authentication_failure") // AuthorizationFailure is caused by authorization not being given AuthorizationFailure = errors.NewCause(errors.UnauthorizedCategory, "authorization_failure") // MismatchingCredentials is caused when the provided secret does not match MismatchingCredentials = errors.NewCause(errors.BadRequestCategory, "mismatching_credentials") ErrBadCredentials = errors.New(MismatchingCredentials, "The credentials you provided do not match.") // ErrAuthentication is the error wrapping the AuthenticationFailure cause ErrAuthentication = errors.New(AuthenticationFailure, "Failed to authenticate") // ErrAuthorization is the error wrapping the AuthorizationFailure cause ErrAuthorization = errors.New(AuthorizationFailure, "Access denied") // ErrNoMatchingPolicies occurs when there are no policies matching the query submitted by the user ErrNoMatchingPolicies = errors.New(AuthorizationFailure, "No policies match the provided query") // UnsupportedAlgorithm occurs when the wrong credential algorithm type is specified UnsupportedAlgorithm = errors.NewCause(errors.BadRequestCategory, "unsupported_algorithm") )
var ( // TokenDuration how long auth tokens last TokenDuration = time.Hour * 24 )
Functions ¶
This section is empty.
Types ¶
type APIToken ¶
APIToken represents a token that is used by a user to authenticate with a coordinator.
func NewAPIToken ¶
NewAPIToken returns a new api token from email and url
func (*APIToken) Marshal ¶
Marshal marshals the api token into a string. Format of the output is {email},{version}|{secret}|{url} {version}|{secret}|{url} are bytes concatenated together and encoded as base64
type Argon2IDProducer ¶
Argon2IDProducer implements the CredentialProducer interface.
This producer is designed for production usage as it focuses on a memory-hard hashing algorithm which makes it harder to bruteforce in the case of a lost database.
func (*Argon2IDProducer) Alg ¶
func (a *Argon2IDProducer) Alg() models.CredentialsAlgType
func (*Argon2IDProducer) Compare ¶
func (a *Argon2IDProducer) Compare(secret models.Password, creds *models.Credentials) error
func (*Argon2IDProducer) Generate ¶
func (a *Argon2IDProducer) Generate(secret models.Password) (*models.Credentials, error)
type CredentialProducer ¶
type CredentialProducer interface { Generate(models.Password) (*models.Credentials, error) Compare(models.Password, *models.Credentials) error Alg() models.CredentialsAlgType }
CredentialProducer represents an interface for generating credentials and comparing credentials based on a pre-shared key.
type Keypair ¶
type Keypair struct { PrivateKey ed25519.PrivateKey `json:"-"` PublicKey ed25519.PublicKey `json:"-"` Alg models.CredentialsAlgType `json:"-"` // contains filtered or unexported fields }
Keypair represents a ed25519 Private and Public Keypair. This struct is used by our TokenAuthority.
It is a wrapper around ed25519 and implements functionality for packaging up and rederiving keypairs. This is particularly useful for creating and recreating Token Authorities.
func DeriveKeypair ¶
DeriveKeypair deterministically dervies a keypair using the provided secret & salt
func NewKeypair ¶
NewKeypair returns a keypair generated from a newly created secret and salt!
func (*Keypair) MarshalJSON ¶
func (*Keypair) Package ¶
func (k *Keypair) Package() KeypairPackage
Package returns a KeypairPackage which can be serialized to JSON
func (*Keypair) UnmarshalJSON ¶
type KeypairPackage ¶
type KeypairPackage struct { Secret *base64.Value `json:"secret"` Salt *base64.Value `json:"salt"` Alg models.CredentialsAlgType `json:"alg"` }
KeypairPackage represents a packaged keypair that can be shared outside of the Auth package.
func (*KeypairPackage) Unpackage ¶
func (kp *KeypairPackage) Unpackage() (*Keypair, error)
Unpackage returns a Keypair from the packaging
func (*KeypairPackage) Validate ¶
func (kp *KeypairPackage) Validate() error
Validate returns an error if the packaged keypair is invalid
type SHA256Producer ¶
type SHA256Producer struct{}
SHA256Producer implements the CredentialProducer interface. The SHA256Producer is designed for _fast_ hashing scenarios and thus should only ever be used in development situations
func (*SHA256Producer) Alg ¶
func (s *SHA256Producer) Alg() models.CredentialsAlgType
func (*SHA256Producer) Compare ¶
func (s *SHA256Producer) Compare(secret models.Password, creds *models.Credentials) error
func (*SHA256Producer) Generate ¶
func (s *SHA256Producer) Generate(secret models.Password) (*models.Credentials, error)
type Session ¶
Session holds information related to authenticating and authorizing the contained user
type TokenAuthority ¶
type TokenAuthority struct {
// contains filtered or unexported fields
}
TokenAuthority is the authority over token, it generates and verifies tokens based on the private/public keys it owns
func NewTokenAuthority ¶
func NewTokenAuthority(keypair *Keypair, serviceEmail string) (*TokenAuthority, error)
NewTokenAuthority returns a new token authority
func (*TokenAuthority) Generate ¶
func (t *TokenAuthority) Generate(session models.Session) (*base64.Value, error)
Generate generates a JWT with 4 claims:
- Expiry: time the JWT expires recommend 5 minutes for login sessions and 24 hours for general authenticated sessions
- IssuedAt: time the JWT was issued
- NotBefore: the JWT will not be accepted before this time has passed
- Issuer: the service email of the issuing coordinator
func (*TokenAuthority) PublicKey ¶
func (t *TokenAuthority) PublicKey() ed25519.PublicKey
PublicKey returns a copy of the ed25519 PublicKey
func (*TokenAuthority) Verify ¶
func (t *TokenAuthority) Verify(signedToken *base64.Value) (string, error)
Verify verifies that a JWT token was signed by the correct private key. Returns the session ID contained inside of the token.