server

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func EncodeExtKeyUsage

func EncodeExtKeyUsage(extKeyUsages []x509.ExtKeyUsage) []string

EncodeExtKeyUsage encodes the extended key usage (See https://github.com/golang/go/issues/56866)

func EncodeKeyUsage

func EncodeKeyUsage(keyUsage x509.KeyUsage) []string

EncodeKeyUsage encodes the key usage (See https://github.com/golang/go/issues/56866)

func InitEcho

func InitEcho(config Config, challengeManager *ChallengeManager) (*echo.Echo, error)

InitEcho initializes a new Echo instance

func InitInternalServer

func InitInternalServer(config InternalServerConfig, challengeManager *ChallengeManager) (func() error, error)

InitInternalServer initializes the internal gRPC server, returning a shutdown function and an error (if any)

func InitInternalServerClient

func InitInternalServerClient(commonName string, dnsSans []string, ipSans []net.IP, config InternalServerConfig) (*certRes, error)

InitInternalServerClient initializes the internal server client certificate

func InitInternalServerPki

func InitInternalServerPki(serverCommonName string, serverDnsSans []string, serverIpSans []net.IP, config InternalServerConfig, configDir string, mode common.SafeOpenMode) error

InitInternalServerPki initializes the internal server PKI

func InitOAuthServer

func InitOAuthServer(config OAuthServerConfig, handler http.Handler) (func() error, error)

InitOAuthServer initializes a new HTTP server, returning a shutdown function and an error (if any)

func LoadCertificateAllowList

func LoadCertificateAllowList(name string, relative string) (certificateAllowList, error)

LoadCertificateAllowList loads a certificate allow list file

func SaveCertificateAllowList

func SaveCertificateAllowList(list certificateAllowList, name string, relative string, mode common.SafeOpenMode) error

SaveCertificateAllowList saves a certificate allow list file

func SaveConfig

func SaveConfig(config Config, name string, relative string, mode common.SafeOpenMode) error

SaveConfig saves a configuration file

Types

type AuthService

// AuthService is the gRPC authentication service. It embeds the generated
// api.UnimplementedAuthServiceServer stub and implements GetChallengeInfo,
// IssueChallenge and VerifyChallenge; its remaining state is unexported.
type AuthService struct {
	api.UnimplementedAuthServiceServer
	// contains filtered or unexported fields
}

AuthService is the gRPC authentication service

func (*AuthService) GetChallengeInfo

func (service *AuthService) GetChallengeInfo(ctx context.Context, req *api.GetChallengeInfoRequest) (*api.GetChallengeInfoResponse, error)

GetChallengeInfo gets challenge environment variables

func (*AuthService) IssueChallenge

func (service *AuthService) IssueChallenge(ctx context.Context, req *api.IssueChallengeRequest) (*api.IssueChallengeResponse, error)

IssueChallenge issues a challenge for the client to verify its identity

func (*AuthService) VerifyChallenge

func (service *AuthService) VerifyChallenge(ctx context.Context, req *api.VerifyChallengeRequest) (*api.VerifyChallengeResponse, error)

VerifyChallenge verifies a challenge

type ChallengeManager

// ChallengeManager is the global challenge manager, created with
// NewChallengeManager. It drives the five-step challenge flow (Step1..Step5):
// steps 1, 4 and 5 are called by the gRPC server, steps 2 and 3 by the web
// server. All of its state is unexported.
type ChallengeManager struct {
	// contains filtered or unexported fields
}

ChallengeManager is the global challenge manager

func NewChallengeManager

func NewChallengeManager(config Config) (*ChallengeManager, error)

NewChallengeManager creates a new challenge manager

func (*ChallengeManager) Step1

func (challengeManager *ChallengeManager) Step1(username string) (string, string, error)

Step1 issues a challenge for the user to verify its identity, returning the challenge ID and flow begin URL (Called by the gRPC server)

func (*ChallengeManager) Step2

func (challengeManager *ChallengeManager) Step2(challengeId string) (string, error)

Step2 returns the OAuth URL (Called by the web server)

func (*ChallengeManager) Step3

func (challengeManager *ChallengeManager) Step3(challengeId string, oauthCode string) (string, string, error)

Step3 exchanges the specified OAuth code, invokes the callback expression, generates the challenge info, generates the verification code, and returns the verification code and/or whether the challenge is successful (Called by the web server)

func (*ChallengeManager) Step4

func (challengeManager *ChallengeManager) Step4(challengeId string, verificationCode string) (bool, error)

Step4 verifies the verification code for the specified challenge (Called by the gRPC server)

func (*ChallengeManager) Step5

func (challengeManager *ChallengeManager) Step5(challengeId string) (string, map[string]string, error)

Step5 returns the username and challenge environment variables for the specified challenge (Called by the gRPC server)

type Config

// Config is the global server configuration as persisted in the TOML file
// (read by LoadConfig, written by SaveConfig).
type Config struct {
	// Version is the configuration version; the file comment marks it DO NOT CHANGE.
	Version              *version.Version     `toml:"version,omitempty" comment:"The configuration version (DO NOT CHANGE)"`
	// InternalServerConfig configures the internal gRPC server (see InitInternalServer).
	InternalServerConfig InternalServerConfig `toml:"internal_server" comment:"Internal server configuration"`
	// Log configures logging output, level and file.
	Log                  LogConfig            `toml:"log" comment:"Logging configuration"`
	// OAuthClient holds the OAuth client credentials and endpoints.
	OAuthClient          OAuthClientConfig    `toml:"oauth_client" comment:"OAuth client configuration"`
	// OAuthServer configures the OAuth callback HTTP server (see InitOAuthServer).
	OAuthServer          OAuthServerConfig    `toml:"oauth_server" comment:"OAuth callback server configuration"`
}

Config is the global server configuration

func LoadConfig

func LoadConfig(name string, relative string) (Config, error)

LoadConfig loads a configuration file

type InternalServerConfig

// InternalServerConfig is the internal (gRPC) server configuration. The path
// and address fields are read from TOML; the three fields tagged `toml:"-"`
// at the end are excluded from the file and presumably populated at runtime
// from the corresponding paths.
type InternalServerConfig struct {
	// Address defaults to loopback (127.0.0.1); a non-loopback value exposes
	// the internal gRPC service beyond the host.
	Address             string `toml:"address" comment:"The address to listen on for the internal server" default:"127.0.0.1"`
	Port                uint16 `toml:"port" comment:"The port to listen on for the internal server" default:"8081"`
	// ClientAllowListPath is the client certificate allow list file
	// (see LoadCertificateAllowList); its tag is elided in the rendered docs.
	ClientAllowListPath string `` /* 133-byte string literal not displayed */
	// RootTlsCertPath is the root certificate used to verify client certificates.
	RootTlsCertPath     string `toml:"root_cert" comment:"The path to the root TLS certificate file (for client verification)" default:"./internal-root.crt"`
	// RootTlsKeyPath is the root private key. NOTE(review): it is presumably
	// needed only when issuing client certificates (InitInternalServerClient);
	// confirm whether the running server must have it on disk at all.
	RootTlsKeyPath      string `toml:"root_key" comment:"The path to the root TLS key file" default:"./internal-root.key"`
	ServerTlsCertPath   string `toml:"server_cert" comment:"The path to the server TLS certificate file" default:"./internal-server.crt"`
	ServerTlsKeyPath    string `toml:"server_key" comment:"The path to the server TLS key file" default:"./internal-server.key"`
	// Callback is presumably the callback expression that ChallengeManager.Step3
	// invokes; its tag is elided in the rendered docs.
	Callback            string `` /* 196-byte string literal not displayed */
	// Timeout is the challenge timeout in seconds (default 300).
	Timeout             int    `toml:"timeout" comment:"The challenge timeout (in seconds)" default:"300"`

	// The client certificate allow list (not serialized to TOML)
	ClientAllowList certificateAllowList `toml:"-"`

	// The root TLS keypair (not serialized to TOML)
	RootTlsCert *tls.Certificate `toml:"-"`

	// The internal server TLS keypair (not serialized to TOML)
	ServerTlsKeypair *tls.Certificate `toml:"-"`
}

InternalServerConfig is the internal server configuration

type LogConfig

// LogConfig is the logging configuration: where log lines go (Output), the
// file used when Output is file, and the minimum Level.
type LogConfig struct {
	// File is only used when Output is file.
	File   string           `toml:"file" comment:"Log file (if output is file)" default:"/var/log/pam-oauth-server.log"`
	// Level is one of debug, info, warn or error (default info).
	Level  common.LogLevel  `toml:"level" comment:"Log level (One of debug, info, warn, or error)" default:"info"`
	// Output is one of file, stdout or stderr (default stderr).
	Output common.LogOutput `toml:"output" comment:"Log output (One of file, stdout, or stderr)" default:"stderr"`
}

LogConfig is the logging configuration

type OAuthClientConfig

// OAuthClientConfig is the OAuth client configuration. OidcUrl is mutually
// exclusive with the explicit AuthURL/TokenURL pair (per the field comments).
type OAuthClientConfig struct {
	ClientID     string   `toml:"client_id" comment:"The OAuth client ID"`
	// ClientSecret is written to the TOML file in clear text by SaveConfig.
	// NOTE(review): SaveConfig takes a common.SafeOpenMode — confirm it
	// restricts the file permissions accordingly.
	ClientSecret string   `toml:"client_secret" comment:"The OAuth client secret"`
	// Scopes must include openid when OidcUrl is set.
	Scopes       []string `toml:"scopes" comment:"The OAuth scopes (openid scope is required if oidc_url is set)" default:"[openid,profile,email]"`
	// OidcUrl is presumably the OIDC issuer/discovery URL; its tag is elided in
	// the rendered docs. Mutually exclusive with AuthURL and TokenURL.
	OidcUrl      string   `` /* 156-byte string literal not displayed */
	AuthURL      string   `toml:"auth_url" comment:"The OAuth endpoint auth URL (Mutually exclusive with oidc_url)"`
	TokenURL     string   `toml:"token_url" comment:"The OAuth endpoint token URL (Mutually exclusive with oidc_url)"`
}

OAuthClientConfig is the OAuth client configuration

type OAuthServerConfig

// OAuthServerConfig is the OAuth callback server configuration, i.e. the
// HTTP server started by InitOAuthServer. The `toml:"-"` keypair at the end
// is excluded from the file and presumably loaded at runtime from the paths.
type OAuthServerConfig struct {
	// Address defaults to all interfaces (0.0.0.0): this server is the
	// externally reachable OAuth callback endpoint.
	Address           string `toml:"address" comment:"The address to listen on for the OAuth callback server" default:"0.0.0.0"`
	Port              uint16 `toml:"port" comment:"The port to listen on for the OAuth callback server" default:"8080"`
	// ServerTlsAuto enables automatic TLS via LetsEncrypt, caching under ServerTlsAutoPath.
	ServerTlsAuto     bool   `toml:"tls_auto" comment:"Automatically enable TLS via LetsEncrypt" default:"false"`
	ServerTlsAutoPath string `toml:"tls_auto_path" comment:"The path to the automatic TLS cache directory" default:"./letsencrypt"`
	// ServerTlsCertPath/ServerTlsKeyPath supply a static TLS keypair; they have no default.
	ServerTlsCertPath string `toml:"tls_cert" comment:"The path to the server TLS certificate file"`
	ServerTlsKeyPath  string `toml:"tls_key" comment:"The path to the server TLS key file"`
	// ExternalBaseUrl defaults to plain http://localhost:8080. NOTE(review):
	// this is the base of the OAuth callback URL, so a TLS-enabled deployment
	// should set it to its public https URL — confirm where it is used.
	ExternalBaseUrl   string `toml:"external_base_url" comment:"The external base URL for the OAuth callback server" default:"http://localhost:8080"`

	// The TLS certificate and key (not serialized to TOML)
	ServerTlsKeypair *tls.Certificate `toml:"-"`
}

OAuthServerConfig is the OAuth callback server configuration
