tlsserver

package

v0.0.0-...-a67a4a9 Latest Latest Go to latest Published: May 15, 2022 License: MIT Imports: 17 Imported by: 2

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/wostzone/hub

README ¶

httpauthenticator

This package provides a wrapper around the http request and authenticates the sender of the request.

Server Usage

NewAuthenticator provides a handler that verifies provided credentials supporting multiple protocols.

Client Certificate authentication

The client includes a client certificate in its TLS connection that includes its clientID in the CN and role in the OU field. The certificate is signed by the Hub CA.
BASIC authentication. See also: https://www.alexedwards.net/blog/basic-authentication-in-go

Parse the Authorization header, where base64 is a function that encodes the "username:password" string in base64 format.

Authorization: Basic base64("username:password")
DIGEST authentication
1. Client performs GET request
2. Server responds with 401, header: WWW-authenticate: Digest, and fields real, qop, algorithm, none and opaque.
3. Client gets login credentials username and password from user
4. Client repeats request including the header: "Authorization: Digest username="", realm=, nonce=, qop=, opaque=, algorithm=, response=, cnonce=, userhash=
JWT authentication

The client makes a login request providing its credentials and a requested Hash algorithm. The server returns a bearer token which is a hash of The default hash is MD5. A different algorithm can be configured. All future request include a Authentication header with bearer token:

Authorization: Bearer asldkasdwerpwoierwperowepr

pwStore := unpwstore.NewPasswordFileStore(path)
httpAuthenticator := authenticator.NewHttpAuthenticator(pwStore)
router.HandleFunc(path, httpauth.NewAuthHandler(httpAuthenticator.Authenticate))

For JWT authentication also add a login handler to obtain a token

router.HandleFunc("/login", httpauth.LoginHandler)

Client Usage

... todo .. describe authentication clients

Documentation ¶

Overview ¶

Package tlsserver with TLS server for use by plugins and testing

Index ¶

type BasicAuthenticator
- func NewBasicAuthenticator(verifyUsernamePassword func(loginID, secret string) bool) *BasicAuthenticator
- func (bauth *BasicAuthenticator) AuthenticateRequest(resp http.ResponseWriter, req *http.Request) (userID string, match bool)
type CertAuthenticator
- func NewCertAuthenticator() *CertAuthenticator
- func (hauth *CertAuthenticator) AuthenticateRequest(resp http.ResponseWriter, req *http.Request) (userID string, ok bool)
- func (hauth *CertAuthenticator) GetClientOU(request *http.Request) (certOU string)
type HttpAuthenticator
- func NewHttpAuthenticator() *HttpAuthenticator
type JWTAuthenticator
- func NewJWTAuthenticator(publicKey *ecdsa.PublicKey) *JWTAuthenticator
- func (jauth *JWTAuthenticator) AuthenticateRequest(resp http.ResponseWriter, req *http.Request) (userID string, match bool)
- func (jauth *JWTAuthenticator) DecodeToken(tokenString string) (jwtToken *jwt.Token, claims *JwtClaims, err error)
type JwtClaims
type TLSServer
- func NewTLSServer(address string, port uint, serverCert *tls.Certificate, ...) *TLSServer

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type BasicAuthenticator ¶

type BasicAuthenticator struct {
	// contains filtered or unexported fields
}

BasicAuthenticator decodes the authentication method used in the request and authenticates the user

func NewBasicAuthenticator ¶

func NewBasicAuthenticator(verifyUsernamePassword func(loginID, secret string) bool) *BasicAuthenticator

NewBasicAuthenticator creates a new HTTP Basic authenticator

verifyUsernamePassword is the handler that validates the loginID and secret

func (*BasicAuthenticator) AuthenticateRequest ¶

func (bauth *BasicAuthenticator) AuthenticateRequest(resp http.ResponseWriter, req *http.Request) (userID string, match bool)

AuthenticateRequest Checks in order: client certificate, JWT bearer, Basic Returns the authenticated userID or an error if authentication failed

type CertAuthenticator ¶

type CertAuthenticator struct {
}

CertAuthenticator verifies the client certificate authentication is used This simply checks if a client certificate is active and assumes that having one is sufficient to pass auth

func NewCertAuthenticator ¶

func NewCertAuthenticator() *CertAuthenticator

NewCertAuthenticator creates a new HTTP authenticator Use .AuthenticateRequest() to authenticate the incoming request

func (*CertAuthenticator) AuthenticateRequest ¶

func (hauth *CertAuthenticator) AuthenticateRequest(resp http.ResponseWriter, req *http.Request) (userID string, ok bool)

AuthenticateRequest The real check happens by the TLS server that verifies it is signed by the CA. If the certificate is a plugin, then no userID is returned Returns the userID of the certificate (CN) or an error if no client certificate is used

func (*CertAuthenticator) GetClientOU ¶

func (hauth *CertAuthenticator) GetClientOU(request *http.Request) (certOU string)

GetClientOU returns the authorization OU of the client certificate, if any. Returns OUNone if the request has no client certificate or the certificate has no OU client certificate.

type HttpAuthenticator ¶

type HttpAuthenticator struct {
	BasicAuth *BasicAuthenticator
	CertAuth  *CertAuthenticator
	JwtAuth   *JWTAuthenticator
}

HttpAuthenticator chains the selected authenticators

func NewHttpAuthenticator ¶

func NewHttpAuthenticator() *HttpAuthenticator

NewHttpAuthenticator creates a container to apply HTTP request authenticators By default the certificate authenticator is enabled. Additional authenticators can be enabled using the Enable... functions

Use .AuthenticateRequest() to authenticate the incoming request

func (*HttpAuthenticator) AuthenticateRequest ¶

func (hauth *HttpAuthenticator) AuthenticateRequest(resp http.ResponseWriter, req *http.Request) (userID string, match bool)

AuthenticateRequest Checks in order: client certificate, JWT bearer, Basic Returns the authenticated userID or an error if authentication failed

func (*HttpAuthenticator) EnableBasicAuth ¶

func (hauth *HttpAuthenticator) EnableBasicAuth(validateCredentials func(loginName string, password string) bool)

EnableBasicAuth enables BASIC authentication Basic auth is a legacy authentication scheme and not recommended as it requires each service to have access to the credentials store. Use of JwtAuth is preferred.

validateCredentials is the function that verifies the given credentials

func (*HttpAuthenticator) EnableJwtAuth ¶

func (hauth *HttpAuthenticator) EnableJwtAuth(verificationKey *ecdsa.PublicKey)

EnableJwtAuth enables JWT authentication using asymmetric keys JWT tokens are included in the request header authorization field and signed by an issuing authentication server using the server's private key. The provided verification key is the server's public key needed to verify that signature.

func (*HttpAuthenticator) GetClientOU ¶

func (hauth *HttpAuthenticator) GetClientOU(request *http.Request) string

GetClientOU returns the authorization OU of the requester's client certificate, if any. Returns OUNone if the request has no client certificate or the certificate has no OU

type JWTAuthenticator ¶

type JWTAuthenticator struct {
	// contains filtered or unexported fields
}

JWTAuthenticator verifies issued JWT access token using the provided public key. See JWTIssuer for test cases of the authenticator. The application must use .AuthenticateRequest() to authenticate the incoming request using the access token.

func NewJWTAuthenticator ¶

func NewJWTAuthenticator(publicKey *ecdsa.PublicKey) *JWTAuthenticator

NewJWTAuthenticator creates a new JWT authenticator publicKey is the public key for verifying the private key signature

func (*JWTAuthenticator) AuthenticateRequest ¶

func (jauth *JWTAuthenticator) AuthenticateRequest(resp http.ResponseWriter, req *http.Request) (userID string, match bool)

AuthenticateRequest validates the access token The access token is provided in the request header using the Bearer schema:

Authorization: Bearer <token>

Returns the authenticated user and true if there is a match, of false if authentication failed

func (*JWTAuthenticator) DecodeToken ¶

func (jauth *JWTAuthenticator) DecodeToken(tokenString string) (
	jwtToken *jwt.Token, claims *JwtClaims, err error)

DecodeToken and return its claims

If the token is invalid then claims will be empty and an error is returned If the token is valid but has an incorrect signature, the token and claims will be returned with an error

type JwtClaims ¶

type JwtClaims struct {
	Username string `json:"username"`
	jwt.StandardClaims
}

JwtClaims this is temporary while figuring things out

type TLSServer ¶

type TLSServer struct {
	// contains filtered or unexported fields
}

TLSServer is a simple TLS Server supporting BASIC, Jwt and client certificate authentication

func NewTLSServer ¶

func NewTLSServer(address string, port uint,
	serverCert *tls.Certificate,
	caCert *x509.Certificate,
) *TLSServer

NewTLSServer creates a new TLS Server instance with authentication support. Use AddHandler to handle incoming requests for the given route and indicate if authentication is required.

The following authentication methods are supported:

Certificate based auth using the caCert to verify client certificates
Basic authentication if 'EnableBasicAuth' is used.
JWT asymmetric token authentication if EnableJwtAuth is used.

address        server listening address
port           listening port
serverCert     Server TLS certificate
caCert         CA certificate to verify client certificates

returns TLS server for handling requests

func (*TLSServer) AddHandler ¶

func (srv *TLSServer) AddHandler(path string,
	handler func(userID string, resp http.ResponseWriter, req *http.Request)) *mux.Route

AddHandler adds a new handler for a path.

The server authenticates the request before passing it to this handler. The handler's userID is that of the authenticated user, and is intended for authorization of the request. If authentication is not enabled then the userID is empty.

apply .Method(http.MethodXyz) to restrict the accepted HTTP methods

path to listen on. See https://github.com/gorilla/mux
handler to invoke with the request. The userID is only provided when an authenticator is used

Returns the route. Apply '.Method(http.MethodPut|Post|Get)' to restrict the accepted HTTP methods

func (*TLSServer) AddHandlerNoAuth ¶

func (srv *TLSServer) AddHandlerNoAuth(path string,
	handler func(resp http.ResponseWriter, req *http.Request)) *mux.Route

AddHandlerNoAuth adds a new handler for a path that does not require authentication The server passes the request directly to the handler

path to listen on. This supports wildcards
handler to invoke with the request. The userID is only provided when an authenticator is used

Returns the route. Apply '.Method(http.MethodPut|Post|Get)' to restrict the accepted HTTP methods

func (*TLSServer) Authenticator ¶

func (srv *TLSServer) Authenticator() *HttpAuthenticator

Authenticator returns the authenticator used for this server

func (*TLSServer) EnableBasicAuth ¶

func (srv *TLSServer) EnableBasicAuth(validateCredentials func(loginName string, password string) bool)

EnableBasicAuth enables BASIC authentication on this server Basic auth is a legacy authentication scheme and not recommended as it requires each service to have access to the credentials store. Use of JwtAuth is preferred.

validateCredentials is the function that verifies the given credentials

func (*TLSServer) EnableJwtAuth ¶

func (srv *TLSServer) EnableJwtAuth(verificationKey *ecdsa.PublicKey)

EnableJwtAuth enables JWT authentication using asymmetric keys.

JWT access token is expected to be included in the http header authorization field, and signed by an issuing authentication server using the server's private key.

verificationKey is the public key used to verify tokens. Use nil to use the TLS server own public key

func (*TLSServer) GetQueryInt ¶

func (srv *TLSServer) GetQueryInt(
	request *http.Request, paramName string, defaultValue int) (value int, err error)

GetQueryInt reads the request query parameter and convert it to an integer

request is the request with the query parameter
paramName is the name of the parameter
defaultValue to use if parameter not provided

Returns an integer value, error if conversion failed (bad request)

func (*TLSServer) GetQueryLimitOffset ¶

func (srv *TLSServer) GetQueryLimitOffset(request *http.Request, defaultLimit int) (limit int, offset int, err error)

GetQueryLimitOffset reads the limit and offset query parameters of a given request. These query parameters have standardized names to limit the size of API results. Provide a defaultLimit for use if limit is not provided. This is also the maximum limit. Offset is 0 by default. Returns limit and offset or an error if the query parameter is incorrect

func (*TLSServer) GetQueryString ¶

func (srv *TLSServer) GetQueryString(
	request *http.Request, paramName string, defaultValue string) string

GetQueryString reads the request query parameter and returns the first string

request is the request with the query parameter
paramName is the name of the parameter
defaultValue to use if parameter not provided

Returns a single string, with defaultValue if not found

func (*TLSServer) Start ¶

func (srv *TLSServer) Start() error

Start the TLS server using the provided CA and Server certificates. If a client certificate is provided it must be valid. This configures handling of CORS requests to allow:

any origin by returning the requested origin (not using wildcard '*').
any method, eg PUT, POST, GET, PATCH,
headers "Origin", "Accept", "Content-Type", "X-Requested-With"

func (*TLSServer) Stop ¶

func (srv *TLSServer) Stop()

Stop the TLS server and close all connections

func (*TLSServer) WriteBadRequest ¶

func (srv *TLSServer) WriteBadRequest(resp http.ResponseWriter, errMsg string)

WriteBadRequest logs and respond with bad request error status code and log error

func (*TLSServer) WriteForbidden ¶

func (srv *TLSServer) WriteForbidden(resp http.ResponseWriter, errMsg string)

WriteForbidden logs and respond with forbidden (403) code and log http error Use this when access a resource without sufficient credentials

func (*TLSServer) WriteInternalError ¶

func (srv *TLSServer) WriteInternalError(resp http.ResponseWriter, errMsg string)

WriteInternalError logs and responds with internal server error status code and log error

func (*TLSServer) WriteNotFound ¶

func (srv *TLSServer) WriteNotFound(resp http.ResponseWriter, errMsg string)

WriteNotFound logs and respond with 404 resource not found

func (*TLSServer) WriteNotImplemented ¶

func (srv *TLSServer) WriteNotImplemented(resp http.ResponseWriter, errMsg string)

WriteNotImplemented respond with 501 not implemented

func (*TLSServer) WriteUnauthorized ¶

func (srv *TLSServer) WriteUnauthorized(resp http.ResponseWriter, errMsg string)

WriteUnauthorized responds with unauthorized (401) status code and log http error Use this when login fails

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL