Documentation
¶
Index ¶
- Constants
- Variables
- func GobRegister()
- func IsSamePrincipal(username string, currentAuth security.Authentication) bool
- type AccountLockingPostProcessor
- type AccountStatusChecker
- type AccountStatusPostProcessor
- type AdditionalDetailsPostProcessor
- type AuthenticationDecisionMaker
- type AuthenticationResult
- type Authenticator
- type AuthenticatorBuilder
- type AuthenticatorOptions
- type AuthenticatorOptionsFunc
- type ConditionalDecisionMaker
- type DecisionMakerConditionFunc
- type MFAEvent
- type MFAEventListenerFunc
- type MFAMode
- type MFAOtpRefresh
- type MFAOtpVerification
- type MfaRefreshAuthenticator
- type MfaVerifyAuthenticator
- type OTP
- type OTPManager
- type OTPStore
- type PasswordAuthConfigurer
- type PasswordAuthFeature
- func (f *PasswordAuthFeature) AccountStore(as security.AccountStore) *PasswordAuthFeature
- func (f *PasswordAuthFeature) Identifier() security.FeatureIdentifier
- func (f *PasswordAuthFeature) MFA(enabled bool) *PasswordAuthFeature
- func (f *PasswordAuthFeature) MFAEventListeners(handlers ...MFAEventListenerFunc) *PasswordAuthFeature
- func (f *PasswordAuthFeature) OtpLength(v uint) *PasswordAuthFeature
- func (f *PasswordAuthFeature) OtpRefreshLimit(v uint) *PasswordAuthFeature
- func (f *PasswordAuthFeature) OtpSecretSize(v uint) *PasswordAuthFeature
- func (f *PasswordAuthFeature) OtpTTL(ttl time.Duration) *PasswordAuthFeature
- func (f *PasswordAuthFeature) OtpVerifyLimit(v uint) *PasswordAuthFeature
- func (f *PasswordAuthFeature) PasswordEncoder(pe PasswordEncoder) *PasswordAuthFeature
- type PasswordEncoder
- type PasswordPolicyChecker
- type PersistAccountPostProcessor
- type PostAuthenticationProcessor
- type TOTP
- type TOTPFactory
- type UsernamePasswordAuthentication
- type UsernamePasswordPair
Constants ¶
View Source
const ( SpecialPermissionMFAPending = "MFAPending" SpecialPermissionOtpId = "OtpId" )
View Source
const ( MessageUserNotFound = "Mismatched Username and Password" MessageBadCredential = "Mismatched Username and Password" MessageOtpNotAvailable = "MFA required but temprorily unavailable" MessageAccountStatus = "Inactive Account" MessageInvalidPasscode = "Bad Verification Code" MessagePasscodeExpired = "Verification Code Expired" MessageCannotRefresh = "Unable to Refresh" MessageMaxAttemptsReached = "No More Verification Attempts Allowed" MessageMaxRefreshAttemptsReached = "No More Resend Attempts Allowed" MessageInvalidAccountStatus = "Issue with current account status" MessageAccountDisabled = "Account Disabled" MessageAccountLocked = "Account Locked" MessagePasswordLoginNotAllowed = "Password Login not Allowed" MessageLockedDueToBadCredential = "Mismatched Username and Password. Account locked due to too many failed attempts" MessagePasswordExpired = "User credentials have expired" )
View Source
const ( MFAEventOtpCreate MFAEventOtpRefresh MFAEventVerificationSuccess MFAEventVerificationFailure )
Variables ¶
View Source
var Module = &bootstrap.Module{ Name: "passwd authenticator", Precedence: security.MinSecurityPrecedence + 30, Options: []fx.Option{ fx.Invoke(register), }, }
View Source
var (
PasswordAuthenticatorFeatureId = security.FeatureId("passwdAuth", security.FeatureOrderAuthenticator)
)
Functions ¶
func GobRegister ¶
func GobRegister()
func IsSamePrincipal ¶
func IsSamePrincipal(username string, currentAuth security.Authentication) bool
Types ¶
type AccountLockingPostProcessor ¶
type AccountLockingPostProcessor struct {
// contains filtered or unexported fields
}
AccountLockingPostProcessor react on failed authentication. Lock account if necessary
func NewAccountLockingPostProcessor ¶
func NewAccountLockingPostProcessor(store security.AccountStore) *AccountLockingPostProcessor
func (*AccountLockingPostProcessor) Order ¶
func (p *AccountLockingPostProcessor) Order() int
Order the processor run between AccountStatusPostProcessor and PersistAccountPostProcessor
func (*AccountLockingPostProcessor) Process ¶
func (p *AccountLockingPostProcessor) Process(ctx context.Context, acct security.Account, result AuthenticationResult) AuthenticationResult
type AccountStatusChecker ¶
type AccountStatusChecker struct {
// contains filtered or unexported fields
}
AccountStatusChecker check account status and also auto unlock account if locking rules allows
func NewAccountStatusChecker ¶
func NewAccountStatusChecker(store security.AccountStore) *AccountStatusChecker
type AccountStatusPostProcessor ¶
type AccountStatusPostProcessor struct {
// contains filtered or unexported fields
}
AccountStatusPostProcessor updates account based on authentication result. It could update last login status, failed login status, etc.
func NewAccountStatusPostProcessor ¶
func NewAccountStatusPostProcessor(store security.AccountStore) *AccountStatusPostProcessor
func (*AccountStatusPostProcessor) Order ¶
func (p *AccountStatusPostProcessor) Order() int
Order the processor run first (reversed ordering)
func (*AccountStatusPostProcessor) Process ¶
func (p *AccountStatusPostProcessor) Process(ctx context.Context, acct security.Account, result AuthenticationResult) AuthenticationResult
type AdditionalDetailsPostProcessor ¶
type AdditionalDetailsPostProcessor struct{}
AdditionalDetailsPostProcessor populate additional authentication details if the authentication is granted. It's implement order.Ordered Note: post-processors executed in reversed order
func NewAdditionalDetailsPostProcessor ¶
func NewAdditionalDetailsPostProcessor() *AdditionalDetailsPostProcessor
func (*AdditionalDetailsPostProcessor) Order ¶
func (p *AdditionalDetailsPostProcessor) Order() int
Order the processor run last
func (*AdditionalDetailsPostProcessor) Process ¶
func (p *AdditionalDetailsPostProcessor) Process(_ context.Context, _ security.Account, result AuthenticationResult) AuthenticationResult
type AuthenticationDecisionMaker ¶
type AuthenticationDecisionMaker interface {
// Decide makes decision on whether the Authenticator should approve the auth request.
// the returned error indicate the reason of rejection. returns nil when approved
// - The security.Authentication is nil when credentials has not been validated (pre check)
// - The security.Authentication is non-nil when credentials has been validated (post check).
// The non-nil value is the proposed authentication to be returned by Authenticator
//
// If any of input parameters are mutable, AuthenticationDecisionMaker is allowed to change it
Decide(context.Context, security.Candidate, security.Account, security.Authentication) error
}
AuthenticationDecisionMaker is invoked at various stages of authentication decision making process. If AuthenticationDecisionMaker implement order.Ordered interface, its order is respected using order.OrderedFirstCompare. This means highest priority is executed first and non-ordered decision makers run at last.
Note: each AuthenticationDecisionMaker will get invoked multiple times during the authentication process.
So implementations should check stage before making desisions. Or use ConditionalDecisionMaker
func FinalCheck ¶
func FinalCheck(delegate AuthenticationDecisionMaker) AuthenticationDecisionMaker
func PostCredentialsCheck ¶
func PostCredentialsCheck(delegate AuthenticationDecisionMaker) AuthenticationDecisionMaker
func PreCredentialsCheck ¶
func PreCredentialsCheck(delegate AuthenticationDecisionMaker) AuthenticationDecisionMaker
type AuthenticationResult ¶
type AuthenticationResult struct {
Candidate security.Candidate
Auth security.Authentication
Error error
}
AuthenticationResult is a values carrier for PostAuthenticationProcessor
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
func NewAuthenticator ¶
func NewAuthenticator(optionFuncs ...AuthenticatorOptionsFunc) *Authenticator
func (*Authenticator) Authenticate ¶
func (a *Authenticator) Authenticate(ctx context.Context, candidate security.Candidate) (auth security.Authentication, err error)
func (*Authenticator) CreateSuccessAuthentication ¶
func (a *Authenticator) CreateSuccessAuthentication(candidate *UsernamePasswordPair, account security.Account) (security.Authentication, error)
CreateSuccessAuthentication exported for override posibility
type AuthenticatorBuilder ¶
type AuthenticatorBuilder struct {
// contains filtered or unexported fields
}
AuthenticatorBuilder implements security.AuthenticatorBuilder
func NewAuthenticatorBuilder ¶
func NewAuthenticatorBuilder(f *PasswordAuthFeature, defaults ...*builderDefaults) *AuthenticatorBuilder
func (*AuthenticatorBuilder) Build ¶
func (b *AuthenticatorBuilder) Build(_ context.Context) (security.Authenticator, error)
type AuthenticatorOptions ¶
type AuthenticatorOptions struct {
AccountStore security.AccountStore
PasswordEncoder PasswordEncoder
OTPManager OTPManager
MFAEventListeners []MFAEventListenerFunc
Checkers []AuthenticationDecisionMaker
PostProcessors []PostAuthenticationProcessor
}
type AuthenticatorOptionsFunc ¶
type AuthenticatorOptionsFunc func(*AuthenticatorOptions)
type ConditionalDecisionMaker ¶
type ConditionalDecisionMaker struct {
// contains filtered or unexported fields
}
ConditionalDecisionMaker implements AuthenticationDecisionMaker with ability to skip based on condiitons
type MFAEventListenerFunc ¶
type MFAOtpRefresh ¶
type MFAOtpRefresh struct {
CurrentAuth UsernamePasswordAuthentication
DetailsMap map[string]interface{}
}
MFAOtpRefresh is the supported security.Candidate for MFA OTP refresh
func (*MFAOtpRefresh) Credentials ¶
func (uop *MFAOtpRefresh) Credentials() interface{}
Credentials implements security.Candidate
func (*MFAOtpRefresh) Details ¶
func (uop *MFAOtpRefresh) Details() interface{}
Details implements security.Candidate
func (*MFAOtpRefresh) Principal ¶
func (uop *MFAOtpRefresh) Principal() interface{}
Principal implements security.Candidate
type MFAOtpVerification ¶
type MFAOtpVerification struct {
CurrentAuth UsernamePasswordAuthentication
OTP string
DetailsMap map[string]interface{}
}
MFAOtpVerification is the supported security.Candidate for MFA authentication
func (*MFAOtpVerification) Credentials ¶
func (uop *MFAOtpVerification) Credentials() interface{}
Credentials implements security.Candidate
func (*MFAOtpVerification) Details ¶
func (uop *MFAOtpVerification) Details() interface{}
Details implements security.Candidate
func (*MFAOtpVerification) Principal ¶
func (uop *MFAOtpVerification) Principal() interface{}
Principal implements security.Candidate
type MfaRefreshAuthenticator ¶
type MfaRefreshAuthenticator struct {
// contains filtered or unexported fields
}
func NewMFARefreshAuthenticator ¶
func NewMFARefreshAuthenticator(optionFuncs ...AuthenticatorOptionsFunc) *MfaRefreshAuthenticator
func (*MfaRefreshAuthenticator) Authenticate ¶
func (a *MfaRefreshAuthenticator) Authenticate(ctx context.Context, candidate security.Candidate) (auth security.Authentication, err error)
func (*MfaRefreshAuthenticator) CreateSuccessAuthentication ¶
func (a *MfaRefreshAuthenticator) CreateSuccessAuthentication(candidate *MFAOtpRefresh, _ security.Account) (security.Authentication, error)
CreateSuccessAuthentication exported for override possibility
type MfaVerifyAuthenticator ¶
type MfaVerifyAuthenticator struct {
// contains filtered or unexported fields
}
func NewMFAVerifyAuthenticator ¶
func NewMFAVerifyAuthenticator(optionFuncs ...AuthenticatorOptionsFunc) *MfaVerifyAuthenticator
func (*MfaVerifyAuthenticator) Authenticate ¶
func (a *MfaVerifyAuthenticator) Authenticate(ctx context.Context, candidate security.Candidate) (auth security.Authentication, err error)
func (*MfaVerifyAuthenticator) CreateSuccessAuthentication ¶
func (a *MfaVerifyAuthenticator) CreateSuccessAuthentication(candidate *MFAOtpVerification, account security.Account) (security.Authentication, error)
CreateSuccessAuthentication exported for override posibility
type OTPManager ¶
type OTPManager interface {
// New create new OTP and save it
New() (OTP, error)
// Get loads OTP by Domain
Get(id string) (OTP, error)
// Verify use Get to load OTP and check the given passcode against the loaded OTP.
// It returns the loaded OTP regardless the verification result.
// It returns false if it reaches maximum attempts limit. otherwise returns true
// error parameter indicate wether the given passcode is valid. It's nil if it's valid
Verify(id, passcode string) (loaded OTP, hasMoreChances bool, err error)
// Refresh regenerate OTP passcode without changing secret and Domain
// It returns the loaded or refreshed OTP regardless the verification result.
// It returns false if it reaches maximum attempts limit. otherwise returns true
// error parameter indicate wether the passcode is refreshed
Refresh(id string) (refreshed OTP, hasMoreChances bool, err error)
// Delete delete OTP by Domain
Delete(id string) error
}
type PasswordAuthConfigurer ¶
type PasswordAuthConfigurer struct {
// contains filtered or unexported fields
}
func (*PasswordAuthConfigurer) Apply ¶
func (pac *PasswordAuthConfigurer) Apply(feature security.Feature, ws security.WebSecurity) error
type PasswordAuthFeature ¶
type PasswordAuthFeature struct {
// contains filtered or unexported fields
}
func Configure ¶
func Configure(ws security.WebSecurity) *PasswordAuthFeature
Configure is Standard security.Feature entrypoint
func New ¶
func New() *PasswordAuthFeature
New is Standard security.Feature entrypoint, DSL style. Used with security.WebSecurity
func (*PasswordAuthFeature) AccountStore ¶
func (f *PasswordAuthFeature) AccountStore(as security.AccountStore) *PasswordAuthFeature
func (*PasswordAuthFeature) Identifier ¶
func (f *PasswordAuthFeature) Identifier() security.FeatureIdentifier
func (*PasswordAuthFeature) MFA ¶
func (f *PasswordAuthFeature) MFA(enabled bool) *PasswordAuthFeature
func (*PasswordAuthFeature) MFAEventListeners ¶
func (f *PasswordAuthFeature) MFAEventListeners(handlers ...MFAEventListenerFunc) *PasswordAuthFeature
func (*PasswordAuthFeature) OtpLength ¶
func (f *PasswordAuthFeature) OtpLength(v uint) *PasswordAuthFeature
func (*PasswordAuthFeature) OtpRefreshLimit ¶
func (f *PasswordAuthFeature) OtpRefreshLimit(v uint) *PasswordAuthFeature
func (*PasswordAuthFeature) OtpSecretSize ¶
func (f *PasswordAuthFeature) OtpSecretSize(v uint) *PasswordAuthFeature
func (*PasswordAuthFeature) OtpTTL ¶
func (f *PasswordAuthFeature) OtpTTL(ttl time.Duration) *PasswordAuthFeature
func (*PasswordAuthFeature) OtpVerifyLimit ¶
func (f *PasswordAuthFeature) OtpVerifyLimit(v uint) *PasswordAuthFeature
func (*PasswordAuthFeature) PasswordEncoder ¶
func (f *PasswordAuthFeature) PasswordEncoder(pe PasswordEncoder) *PasswordAuthFeature
type PasswordEncoder ¶
type PasswordEncoder interface {
Encode(rawPassword string) string
Matches(raw, encoded string) bool
}
func NewBcryptPasswordEncoder ¶
func NewBcryptPasswordEncoder() PasswordEncoder
func NewNoopPasswordEncoder ¶
func NewNoopPasswordEncoder() PasswordEncoder
type PasswordPolicyChecker ¶
type PasswordPolicyChecker struct {
// contains filtered or unexported fields
}
PasswordPolicyChecker takes account password policy into consideration
func NewPasswordPolicyChecker ¶
func NewPasswordPolicyChecker(store security.AccountStore) *PasswordPolicyChecker
type PersistAccountPostProcessor ¶
type PersistAccountPostProcessor struct {
// contains filtered or unexported fields
}
PersistAccountPostProcessor saves Account. It's implement order.Ordered with highest priority Note: post-processors executed in reversed order
func NewPersistAccountPostProcessor ¶
func NewPersistAccountPostProcessor(store security.AccountStore) *PersistAccountPostProcessor
func (*PersistAccountPostProcessor) Order ¶
func (p *PersistAccountPostProcessor) Order() int
Order the processor run last
func (*PersistAccountPostProcessor) Process ¶
func (p *PersistAccountPostProcessor) Process(ctx context.Context, acct security.Account, result AuthenticationResult) AuthenticationResult
type PostAuthenticationProcessor ¶
type PostAuthenticationProcessor interface {
// Process is invoked at the end of authentication process by the Authenticator to perform post-auth action.
// The method is invoked regardless if the authentication is granted:
// - If the authentication is granted, the AuthenticationResult.Auth is non-nil and AuthenticationResult.Error is nil
// - If the authentication is rejected, the AuthenticationResult.Error is non-nil and AuthenticationResult.Auth should be ignored
//
// If the context.Context and security.Account parameters are mutable, PostAuthenticationProcessor is allowed to change it
// Note: PostAuthenticationProcessor typically shouldn't overwrite authentication decision (rejected or approved)
// However, it is allowed to modify result by returning different AuthenticationResult.
// This is useful when PostAuthenticationProcessor want to returns different error or add more details to authentication
Process(context.Context, security.Account, AuthenticationResult) AuthenticationResult
}
PostAuthenticationProcessor is invoked at the end of authentication process regardless of authentication decisions (granted or rejected) If PostAuthenticationProcessor implement order.Ordered interface, its order is respected using order.OrderedFirstCompareReverse. This means highest priority is executed last
type TOTPFactory ¶
type UsernamePasswordAuthentication ¶
type UsernamePasswordAuthentication interface {
security.Authentication
Username() string
IsMFAPending() bool
OTPIdentifier() string
}
UsernamePasswordAuthentication implements security.Authentication
type UsernamePasswordPair ¶
type UsernamePasswordPair struct {
Username string
Password string
DetailsMap map[string]interface{}
EnforceMFA MFAMode
}
UsernamePasswordPair is the supported security.Candidate of this authenticator
func (*UsernamePasswordPair) Credentials ¶
func (upp *UsernamePasswordPair) Credentials() interface{}
Credentials implements security.Candidate
func (*UsernamePasswordPair) Details ¶
func (upp *UsernamePasswordPair) Details() interface{}
Details implements security.Candidate
func (*UsernamePasswordPair) Principal ¶
func (upp *UsernamePasswordPair) Principal() interface{}
Principal implements security.Candidate
Source Files
Click to show internal directories.
Click to hide internal directories.