Documentation
Overview ¶
security contains implementation of authentication and authorization methods.
Index ¶
Constants ¶
// Names of the authentication methods implemented by this package.
// They are presumably the values accepted in Config.Security.AuthProviders — confirm against LoadConfig.
const (
	AuthMethodBasic  = "basic"
	AuthMethodApiKey = "apikey"
	AuthMethodCas    = "cas"
	AuthMethodSaml   = "saml"
	AuthMethodLdap   = "ldap"
	AuthMethodOAuth2 = "oauth2"
)
// Names of the query parameters, headers and cookies that the HTTP authentication flows read.
const (
	// QueryParamApiKey is the user api key for auth.
	// NOTE(review): a key carried in the URL is exposed to access logs, proxies and browser
	// history; HeaderApiKey is the safer channel and should be preferred where the client allows it.
	QueryParamApiKey = "authkey"
	// HeaderApiKey is the user api key for auth.
	HeaderApiKey = "x-canopsis-authkey" //nolint:gosec
	// QueryParamCasTicket is CAS ticket for auth.
	QueryParamCasTicket = "ticket"
	// QueryParamCasService is CAS service for auth.
	QueryParamCasService = "service"
	// SessionKey is the session name in cookies.
	SessionKey = "session-id"
)
// Identifiers of the external identity providers a user can originate from.
// Presumably the values stored in User.Source and passed as source to
// UserProvider.FindByExternalSource — confirm in the providers.
const (
	SourceLdap   = "ldap"
	SourceCas    = "cas"
	SourceSaml   = "saml"
	SourceOauth2 = "oauth2"
)
// User field constants unify the values used to map fields from external
// identity providers (presumably the target names in the providers'
// attribute maps, e.g. LdapConfig.Attributes — confirm).
const (
	UserName      = "name"
	UserFirstName = "firstname"
	UserLastName  = "lastname"
	UserEmail     = "email"
	UserRole      = "role"
)
User field constants unify the values used to map fields from external identity providers.
// DefaultInactivityInterval is the fallback inactivity interval, in hours,
// presumably applied when a provider's inactivity_interval is not configured — confirm.
const DefaultInactivityInterval = 24 // hours
// RoleAdmin is the name of the administrator role.
const RoleAdmin = "admin"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BasicConfig ¶
type CasConfig ¶
type Config ¶
// Config holds the security section of the application configuration and
// selects which auth methods must be used.
type Config struct {
	Security struct {
		// AuthProviders lists the enabled auth methods; presumably the AuthMethod* constants — confirm in LoadConfig.
		AuthProviders []string     `yaml:"auth_providers"`
		Basic         BasicConfig  `yaml:"basic"`
		Ldap          LdapConfig   `yaml:"ldap"`
		Cas           CasConfig    `yaml:"cas"`
		Saml          SamlConfig   `yaml:"saml"`
		OAuth2        OAuth2Config `yaml:"oauth2"`
	} `yaml:"security"`
}
Config specifies which auth methods must be used.
func LoadConfig ¶
LoadConfig creates Config by config file.
type Enforcer ¶
// Enforcer is the API interface of casbin enforcer.
// Interface casbin.IEnforcer is not used because it cannot be mocked by mockgen.
type Enforcer interface {
	// Enforce reports whether the request described by rvals is permitted by the loaded policy.
	Enforce(rvals ...interface{}) (bool, error)
	// StartAutoLoadPolicy periodically reloads the policy at the given interval
	// until the context is cancelled — inferred from the signature; confirm in the implementation.
	StartAutoLoadPolicy(context.Context, time.Duration)
	// LoadPolicy (re)loads the policy from the backing adapter.
	LoadPolicy() error
	// GetRolesForUser returns the roles assigned to name, optionally scoped to a domain.
	GetRolesForUser(name string, domain ...string) ([]string, error)
	// GetPermissionsForUser returns the permission tuples granted to user, optionally scoped to a domain.
	GetPermissionsForUser(user string, domain ...string) ([][]string, error)
	// HasPermissionForUser reports whether user holds the given permission.
	HasPermissionForUser(user string, permission ...string) (bool, error)
}
Enforcer is the API interface of casbin enforcer. Interface casbin.IEnforcer is not used because it cannot be mocked by mockgen.
type HttpProvider ¶
HttpProvider interface is used to implement user authentication by credentials which are retrieved from http request.
type LdapConfig ¶
// LdapConfig configures the LDAP authentication provider.
type LdapConfig struct {
	InactivityInterval string `yaml:"inactivity_interval"`
	ExpirationInterval string `yaml:"expiration_interval"`
	Url                string `yaml:"url"`
	// AdminUsername and AdminPassword are the bind credentials (yaml admin_dn / admin_passwd).
	// AdminPassword is a secret and must not appear in logs or error messages.
	AdminUsername string `yaml:"admin_dn"`
	AdminPassword string `yaml:"admin_passwd"`
	// BaseDN is the search base for user lookups (yaml user_dn).
	BaseDN string `yaml:"user_dn"`
	// Attributes maps LDAP attribute names onto user fields — presumably the User* constants; confirm in the provider.
	Attributes   map[string]string `yaml:"attrs"`
	UsernameAttr string            `yaml:"username_attr"`
	// Filter is the user search filter (yaml ufilter).
	// NOTE(review): if the username is interpolated into this filter, it must be escaped per
	// RFC 4515 so that a crafted username cannot alter the query — verify in the provider.
	Filter      string `yaml:"ufilter"`
	DefaultRole string `yaml:"default_role"`
	// InsecureSkipVerify presumably disables TLS certificate verification for the LDAP
	// connection (crypto/tls semantics) — confirm; it should remain false outside test environments.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`
	// MinTLSVersion and MaxTLSVersion bound the negotiated TLS version; the accepted format is not shown here.
	MinTLSVersion string `yaml:"min_tls_ver"`
	MaxTLSVersion string `yaml:"max_tls_ver"`
}
type OAuth2Config ¶
// OAuth2Config configures the OAuth2 authentication method as a set of named providers.
type OAuth2Config struct {
	// Providers is keyed by provider name; each entry describes one OAuth2/OpenID provider.
	Providers map[string]OAuth2ProviderConfig `yaml:"providers"`
}
type OAuth2ProviderConfig ¶
// OAuth2ProviderConfig configures a single OAuth2 / OpenID Connect provider.
type OAuth2ProviderConfig struct {
	InactivityInterval string `yaml:"inactivity_interval"`
	ExpirationInterval string `yaml:"expiration_interval"`
	// Issuer identifies the provider; presumably used for OpenID discovery and ID token validation when OpenID is set — confirm.
	Issuer   string `yaml:"issuer"`
	ClientID string `yaml:"client_id"`
	// ClientSecret is a secret and must not appear in logs or error messages.
	ClientSecret string `yaml:"client_secret"`
	// RedirectURL is the callback registered with the provider; it should be an exact, absolute URL.
	RedirectURL string `yaml:"redirect_url"`
	DefaultRole string `yaml:"default_role"`
	// AllowExtraRoles presumably permits roles reported by the provider beyond DefaultRole — confirm against SetRolesFromIdP.
	AllowExtraRoles bool   `yaml:"allow_extra_roles"`
	AuthURL         string `yaml:"auth_url"`
	TokenURL        string `yaml:"token_url"`
	// UserURL is the userinfo endpoint and UserID names the attribute that identifies the user in its response — inferred from the names; confirm.
	UserURL string   `yaml:"user_url"`
	UserID  string   `yaml:"user_id"`
	Scopes  []string `yaml:"scopes"`
	// AttributesMap maps provider attributes onto user fields — presumably the User* constants; confirm.
	AttributesMap map[string]string `yaml:"attributes_map"`
	// OpenID enables OpenID Connect handling for this provider.
	OpenID bool `yaml:"open_id"`
	// PKCE enables the code-verifier exchange (RFC 7636); enabling it protects the authorization code against interception.
	PKCE bool `yaml:"pkce"`
}
type Provider ¶
// Provider interface is used to implement user authentication by username and password.
type Provider interface {
	// GetName returns the provider's name.
	GetName() string
	// Auth verifies the credentials and returns the authenticated user.
	// The page does not show whether a failed login yields a nil user, an error, or both — confirm per implementation.
	Auth(ctx context.Context, username, password string) (*User, error)
}
Provider interface is used to implement user authentication by username and password.
type RoleProvider ¶
// RoleProvider resolves role names to role IDs.
type RoleProvider interface {
	// GetValidRoleIDs checks whether the potentialRoles slice contains valid role names and returns at least one valid role ID.
	// If no roles are found, it checks whether the default role is valid and returns its ID.
	// Returns ErrDefaultRoleNotFound if the default role is not found either.
	GetValidRoleIDs(ctx context.Context, potentialRoles []string, defaultRole string) ([]string, error)
	// GetRoleID returns role ID by role name.
	GetRoleID(ctx context.Context, name string) (string, error)
}
type SamlConfig ¶
// SamlConfig configures the SAML authentication provider.
type SamlConfig struct {
	InactivityInterval string `yaml:"inactivity_interval"`
	ExpirationInterval string `yaml:"expiration_interval"`
	Title              string `yaml:"title"`
	// X509Cert and X509Key are the service provider's certificate and private key.
	// X509Key is a secret and must not appear in logs or error messages.
	X509Cert string `yaml:"x509_cert"`
	X509Key  string `yaml:"x509_key"`
	// IdPMetadataUrl and IdPMetadataXml are alternative ways to supply the IdP metadata; precedence is not shown here.
	IdPMetadataUrl string `yaml:"idp_metadata_url"`
	IdPMetadataXml string `yaml:"idp_metadata_xml"`
	// IdPAttributesMap maps assertion attributes onto user fields — presumably the User* constants; confirm.
	IdPAttributesMap map[string]string `yaml:"idp_attributes_map"`
	CanopsisSamlUrl  string            `yaml:"canopsis_saml_url"`
	DefaultRole      string            `yaml:"default_role"`
	// InsecureSkipVerify presumably disables TLS certificate verification when fetching IdPMetadataUrl — confirm;
	// it should remain false outside test environments.
	InsecureSkipVerify bool   `yaml:"insecure_skip_verify"`
	CanopsisSSOBinding string `yaml:"canopsis_sso_binding"`
	CanopsisACSBinding string `yaml:"canopsis_acs_binding"`
	SignAuthRequest    bool   `yaml:"sign_auth_request"`
	NameIdFormat       string `yaml:"name_id_format"`
	// SkipSignatureValidation presumably accepts assertions without checking the IdP signature — confirm;
	// with it enabled the provider cannot tell a genuine assertion from a forged one, so it must stay false in production.
	SkipSignatureValidation bool `yaml:"skip_signature_validation"`
	// ACSIndex is a pointer so that an absent value can be told apart from index 0.
	ACSIndex             *int `yaml:"acs_index"`
	AutoUserRegistration bool `yaml:"auto_user_registration"`
	// AllowExtraRoles presumably permits roles reported by the IdP beyond DefaultRole — confirm against SetRolesFromIdP.
	AllowExtraRoles bool `yaml:"allow_extra_roles"`
}
type TokenProvider ¶
TokenProvider interface is used to implement user authentication by token.
type User ¶
// User represents user model.
type User struct {
	ID          string `bson:"_id"`
	Name        string `bson:"name"`
	DisplayName string `bson:"display_name,omitempty"`
	Firstname   string `bson:"firstname"`
	Lastname    string `bson:"lastname"`
	Email       string `bson:"email"`
	// HashedPassword is the stored password hash (never the plaintext); omitted from the document when empty.
	HashedPassword string `bson:"password,omitempty"`
	// AuthApiKey is a bearer credential: UserProvider.FindByAuthApiKey resolves a user from it,
	// so it must be treated as a secret, like HashedPassword.
	AuthApiKey string   `bson:"authkey"`
	Roles      []string `bson:"roles"`
	Contact    struct {
		Name    string `bson:"name"`
		Address string `bson:"address"`
	} `bson:"contact"`
	IsEnabled bool `bson:"enable"`
	// ExternalID and Source identify the user at an external identity provider; see UserProvider.FindByExternalSource.
	ExternalID string `bson:"external_id"`
	Source     string `bson:"source"`
	// IdPRoles field show roles from idp, and they should be used ONLY in idp/canopsis role merging, see SetRolesFromIdP.
	IdPRoles []string `bson:"idp_roles"`
}
User represents user model.
type UserProvider ¶
// UserProvider is a decorator for requests to user storage.
type UserProvider interface {
	// FindByUsername returns user with username or nil.
	FindByUsername(ctx context.Context, username string) (*User, error)
	// FindByAuthApiKey returns user with api key or nil.
	FindByAuthApiKey(ctx context.Context, apiKey string) (*User, error)
	// FindByID returns user with ID or nil.
	FindByID(ctx context.Context, id string) (*User, error)
	// FindByExternalSource returns user with ID from source or nil.
	FindByExternalSource(ctx context.Context, externalID, source string) (*User, error)
	// FindWithoutPermission returns users without permission.
	FindWithoutPermission(ctx context.Context, perm string) ([]User, error)
	// Save updates user or inserts user if not exist.
	Save(ctx context.Context, user *User) error
	// UpdateHashedPassword stores a new password hash for the user with the given id.
	// The hash is expected to be produced by the caller; this method does not hash.
	UpdateHashedPassword(ctx context.Context, id, hash string) error
}
UserProvider is a decorator for requests to user storage.
Directories
httpprovider contains http authentication methods.
Package mongoadapter contains casbin mongo adapter.
Package password contains password encoders.
Package provider contains authentication methods.
Package session contains implementation of http session.
mongostore
mongostore contains gorilla session store.
Package userprovider contains user storages.