sessions

package
v2.11.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 1, 2024 License: MIT Imports: 17 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	MaxBcryptPasswordLength = 50
)

https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length

Variables

View Source 
var ErrEmptySessionID = errors.New("session ID cannot be empty")

ErrEmptySessionID captures the empty case error message

View Source 
var ErrNotSupported = fmt.Errorf("functionality not supported with current authentication provider: %w", errors.ErrUnsupported)

ErrNotSupported defines the error where interface functionality doesn't align with the underlying Auth Provider

View Source 
var ErrUserSessionExpired = errors.New("session missing or expired, please login again")

ErrUserSessionExpired defines the error triggered when the user session has expired

Functions

func AddCredentialToUser 

func AddCredentialToUser(ap AuthenticationProvider, email string, credential *webauthn.Credential) error

func AuthenticateUserByToken 

func AuthenticateUserByToken(token *auth.Token, user *User) (bool, error)

AuthenticateUserByToken returns true on successful authentication of the user against the given Authentication Token.

func BeginWebAuthnLogin 

func BeginWebAuthnLogin(user User, uwas []WebAuthn, sr SessionRequest) (*protocol.CredentialAssertion, error)

func FinishWebAuthnLogin 

func FinishWebAuthnLogin(user User, uwas []WebAuthn, sr SessionRequest) error

func ValidateAndHashPassword 

func ValidateAndHashPassword(plainPwd string) (string, error)

ValidateAndHashPassword is the single point of logic for user password validations

func ValidateEmail 

func ValidateEmail(email string) error

ValidateEmail is the single point of logic for user email validations

Types

type AuthenticationProvider added in v2.8.0 

type AuthenticationProvider interface {
	FindUser(email string) (User, error)
	FindUserByAPIToken(apiToken string) (User, error)
	ListUsers() ([]User, error)
	AuthorizedUserWithSession(sessionID string) (User, error)
	DeleteUser(email string) error
	DeleteUserSession(sessionID string) error
	CreateSession(sr SessionRequest) (string, error)
	ClearNonCurrentSessions(sessionID string) error
	CreateUser(user *User) error
	UpdateRole(email, newRole string) (User, error)
	SetAuthToken(user *User, token *auth.Token) error
	CreateAndSetAuthToken(user *User) (*auth.Token, error)
	DeleteAuthToken(user *User) error
	SetPassword(user *User, newPassword string) error
	TestPassword(email, password string) error
	Sessions(offset, limit int) ([]Session, error)
	GetUserWebAuthn(email string) ([]WebAuthn, error)
	SaveWebAuthn(token *WebAuthn) error

	FindExternalInitiator(eia *auth.Token) (initiator *bridges.ExternalInitiator, err error)
}

AuthenticationProvider is an interface that abstracts the required application calls to a user management backend Currently localauth (users table DB) or LDAP server (readonly)

type AuthenticationProviderName added in v2.8.0 

type AuthenticationProviderName string

Application config constant options 

const (
	LocalAuth AuthenticationProviderName = "local"
	LDAPAuth  AuthenticationProviderName = "ldap"
)

type BasicAdminUsersORM added in v2.8.0 

type BasicAdminUsersORM interface {
	ListUsers() ([]User, error)
	CreateUser(user *User) error
	FindUser(email string) (User, error)
}

BasicAdminUsersORM is the interface that defines the functionality required for supporting basic admin functionality adjacent to the identity provider authentication provider implementation. It is currently implemented by the local users/sessions ORM containing local admin CLI actions. This is separate from the AuthenticationProvider, as local admin management (ie initial core node setup, initial admin user creation), is always required no matter what the pluggable AuthenticationProvider implementation is.

type ChangeAuthTokenRequest 

type ChangeAuthTokenRequest struct {
	Password string `json:"password"`
}

Changeauth.TokenRequest is sent when updating a User's authentication token.

type Session 

type Session struct {
	ID        string    `json:"id"`
	Email     string    `json:"email"`
	LastUsed  time.Time `json:"lastUsed"`
	CreatedAt time.Time `json:"createdAt"`
}

Session holds the unique id for the authenticated session.

func NewSession 

func NewSession() Session

NewSession returns a session instance with ID set to a random ID and LastUsed to now.

type SessionRequest 

type SessionRequest struct {
	Email          string `json:"email"`
	Password       string `json:"password"`
	WebAuthnData   string `json:"webauthndata"`
	WebAuthnConfig WebAuthnConfiguration
	SessionStore   *WebAuthnSessionStore
}

SessionRequest encapsulates the fields needed to generate a new SessionID, including the hashed password.

type User 

type User struct {
	Email             string
	HashedPassword    string
	Role              UserRole
	CreatedAt         time.Time
	TokenKey          null.String
	TokenSalt         null.String
	TokenHashedSecret null.String
	UpdatedAt         time.Time
}

User holds the credentials for API user.

func NewUser 

func NewUser(email string, plainPwd string, role UserRole) (User, error)

NewUser creates a new user by hashing the passed plainPwd with bcrypt.

func (*User) GenerateAuthToken 

func (u *User) GenerateAuthToken() (*auth.Token, error)

GenerateAuthToken randomly generates and sets the users Authentication Token.

func (*User) SetAuthToken 

func (u *User) SetAuthToken(token *auth.Token) error

SetAuthToken updates the user to use the given Authentication Token.

type UserRole 

type UserRole string
const (
	UserRoleAdmin UserRole = "admin"
	UserRoleEdit  UserRole = "edit"
	UserRoleRun   UserRole = "run"
	UserRoleView  UserRole = "view"
)

func GetUserRole 

func GetUserRole(role string) (UserRole, error)

GetUserRole is the single point of logic for mapping role string to UserRole

type WebAuthn 

type WebAuthn struct {
	Email         string
	PublicKeyData sqlxTypes.JSONText
}

WebAuthn holds the credentials for API user.

type WebAuthnConfiguration 

type WebAuthnConfiguration struct {
	RPID     string
	RPOrigin string
}

type WebAuthnSessionStore 

type WebAuthnSessionStore struct {
	// contains filtered or unexported fields
}

WebAuthnSessionStore is a wrapper around an in memory key value store which provides some helper methods related to webauthn operations.

func NewWebAuthnSessionStore 

func NewWebAuthnSessionStore() *WebAuthnSessionStore

NewWebAuthnSessionStore returns a new session store.

func (*WebAuthnSessionStore) BeginWebAuthnRegistration 

func (store *WebAuthnSessionStore) BeginWebAuthnRegistration(user User, uwas []WebAuthn, config WebAuthnConfiguration) (*protocol.CredentialCreation, error)

func (*WebAuthnSessionStore) FinishWebAuthnRegistration 

func (store *WebAuthnSessionStore) FinishWebAuthnRegistration(user User, uwas []WebAuthn, response *http.Request, config WebAuthnConfiguration) (*webauthn.Credential, error)

func (*WebAuthnSessionStore) GetWebauthnSession 

func (store *WebAuthnSessionStore) GetWebauthnSession(key string) (data webauthn.SessionData, err error)

GetWebauthnSession unmarshals and returns the webauthn session information from the session cookie, which is removed.

func (*WebAuthnSessionStore) SaveWebauthnSession 

func (store *WebAuthnSessionStore) SaveWebauthnSession(key string, data *webauthn.SessionData) error

SaveWebauthnSession marshals and saves the webauthn data to the provided key given the request and responsewriter

type WebAuthnUser 

type WebAuthnUser struct {
	Email         string
	WACredentials []webauthn.Credential
}

WebAuthnUser implements the required duo-labs/webauthn/ 'User' interface kept separate from our internal 'User' struct

func (WebAuthnUser) CredentialExcludeList 

func (u WebAuthnUser) CredentialExcludeList() []protocol.CredentialDescriptor

CredentialExcludeList returns a CredentialDescriptor array filled with all the user's credentials to prevent them from re-registering keys

func (*WebAuthnUser) LoadWebAuthnCredentials 

func (u *WebAuthnUser) LoadWebAuthnCredentials(uwas []WebAuthn) error

func (WebAuthnUser) WebAuthnCredentials 

func (u WebAuthnUser) WebAuthnCredentials() []webauthn.Credential

WebAuthnCredentials returns credentials owned by the user

func (WebAuthnUser) WebAuthnDisplayName 

func (u WebAuthnUser) WebAuthnDisplayName() string

WebAuthnDisplayName returns the user's display name. In this case we just return the email

func (WebAuthnUser) WebAuthnID 

func (u WebAuthnUser) WebAuthnID() []byte

WebAuthnID returns the user's ID

func (WebAuthnUser) WebAuthnIcon 

func (u WebAuthnUser) WebAuthnIcon() string

WebAuthnIcon should be the logo in some form. How it should be is currently unclear to me.

func (WebAuthnUser) WebAuthnName 

func (u WebAuthnUser) WebAuthnName() string

WebAuthnName returns the user's email

Source Files

View all Source files

Directories

Path Synopsis
The LDAP authentication package forwards the credentials in the user session request for authentication with a configured upstream LDAP server
 The LDAP authentication package forwards the credentials in the user session request for authentication with a configured upstream LDAP server
mocks

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.