pam

package
Published: Jan 7, 2026 License: Apache-2.0 Imports: 29 Imported by: 0

Documentation

Index

Constants

// OAuth2 / OpenID Connect scope identifiers. They are untyped string
// constants so they can be joined directly into space-separated scope lists.
const (
	// ScopeOpenID is the OpenID Connect scope.
	ScopeOpenID = "openid"
	// ScopeProfile grants access to user profile information.
	ScopeProfile = "profile"
	// ScopeEmail grants access to the user's email.
	ScopeEmail = "email"
	// ScopeRoles grants access to the user's roles.
	ScopeRoles = "roles"
	// ScopeOfflineAccess is the OAuth2 scope for requesting refresh tokens.
	ScopeOfflineAccess = "offline_access"
)

// DefaultScopes is the default set of scopes for authenticated users.
// It contains only openid, profile and email: neither ScopeOfflineAccess
// (refresh tokens) nor ScopeRoles is part of the default set.
const DefaultScopes = ScopeOpenID + " " + ScopeProfile + " " + ScopeEmail

OAuth2 Scopes

// TokenTypeAccess and TokenTypeRefresh are the values of the token-type claim
// carried in issued JWTs. They name what kind of token a JWT is, not an OAuth2
// grant type, so a refresh token presented where an access token is expected
// can be told apart by this claim.
const (
	TokenTypeAccess  = "access_token"  // the JWT is an access token
	TokenTypeRefresh = "refresh_token" // the JWT is a refresh token
)

Token Type Identifiers (used in JWT claims, not grant types)

// AuthMethodNone is the token endpoint authentication method for public
// clients: the token request carries no client credentials.
const AuthMethodNone = "none"

// AuthMethodClientSecretPost is the client_secret_post method, where the
// client secret is sent as a parameter in the token request body.
const AuthMethodClientSecretPost = "client_secret_post"

Token Endpoint Authentication Methods

// CookieNameAuth names the cookie that carries the encrypted EncryptedAuthData
// payload. One cookie serves both phases of the browser flow: a pending
// authorization request (IsLoggedIn = false) and an authenticated session
// (IsLoggedIn = true).
const CookieNameAuth = "auth"

Cookie names

// OrgPrefix is prepended to organization group names; a group whose name
// starts with "org-" denotes an organization.
const OrgPrefix = "org-"

Organization and Group Prefixes

// SessionCookieCtxKey is the context key under which session cookies are
// stored; it is typed as common.ContextKey so it cannot collide with plain
// string keys placed in the same context.
const SessionCookieCtxKey = common.ContextKey("session_cookie")

SessionCookieCtxKey is the context key for storing session cookies

// SigningAlgRS256 is the default JWT signing algorithm identifier
// (RSASSA-PKCS1-v1_5 with SHA-256).
const SigningAlgRS256 = "RS256"

Default Signing Algorithms

Variables

This section is empty.

Functions

This section is empty.

Types

type Authenticator

// Authenticator abstracts PAM authentication and NSS user lookup so that a
// PAMOIDCProvider can be built on a custom implementation
// (see NewPAMOIDCProviderWithAuthenticator); PamAuthenticator is the
// PAM/NSS-backed implementation in this package.
type Authenticator interface {
	// Authenticate verifies the username/password pair; a nil error means success.
	Authenticate(username, password string) error
	// LookupUser resolves a username to its system user record.
	LookupUser(username string) (*user.User, error)
	// GetUserGroups returns the groups (as strings) of an already-resolved system user.
	GetUserGroups(systemUser *user.User) ([]string, error)
	// Close releases whatever resources the implementation holds.
	Close() error
}

Authenticator interface for PAM authentication and NSS user lookup

type AuthorizationCodeData

// AuthorizationCodeData is the record kept for one issued authorization code.
// Code is the opaque code value; ClientID, RedirectURI, Scope and State carry
// the corresponding authorize-request parameters (by name; confirm against
// Authorize); Username is the user who authenticated; ExpiresAt bounds the
// code's lifetime (CleanupExpiredCodes removes expired entries, presumably
// keyed on it) and CreatedAt records issuance. GetCode both retrieves and
// removes an entry, so a code is handed out at most once.
type AuthorizationCodeData struct {
	Code                string
	ClientID            string
	RedirectURI         string
	Scope               string
	State               string
	Username            string
	ExpiresAt           time.Time
	CreatedAt           time.Time
	CodeChallenge       string                                        // PKCE code challenge
	CodeChallengeMethod pamapi.AuthAuthorizeParamsCodeChallengeMethod // PKCE code challenge method (plain or S256)
}

AuthorizationCodeData represents stored authorization code data

type AuthorizationCodeStore

// AuthorizationCodeStore holds AuthorizationCodeData records: StoreCode adds
// one, GetCode retrieves and removes one, and CleanupExpiredCodes purges
// expired entries. Its fields are unexported; construct it with
// NewAuthorizationCodeStore.
type AuthorizationCodeStore struct {
	// contains filtered or unexported fields
}

AuthorizationCodeStore manages temporary authorization codes

func NewAuthorizationCodeStore

func NewAuthorizationCodeStore() *AuthorizationCodeStore

NewAuthorizationCodeStore creates a new authorization code store

func (*AuthorizationCodeStore) CleanupExpiredCodes

func (s *AuthorizationCodeStore) CleanupExpiredCodes()

CleanupExpiredCodes removes expired codes

func (*AuthorizationCodeStore) GetCode

GetCode retrieves and removes an authorization code

func (*AuthorizationCodeStore) StoreCode

func (s *AuthorizationCodeStore) StoreCode(codeData *AuthorizationCodeData)

StoreCode stores an authorization code with expiration

type AuthorizeResponse

// AuthorizeResponse is what Authorize returns. Type says how Content is to be
// used: with AuthorizeResponseTypeHTML it is the login form body, with
// AuthorizeResponseTypeRedirect it is a redirect URL. SessionID, when set, is
// the cookie value for a pending session.
type AuthorizeResponse struct {
	Type      AuthorizeResponseType
	Content   string
	SessionID string // Session ID to set as cookie (for pending sessions)
}

AuthorizeResponse wraps the authorize endpoint response with metadata

type AuthorizeResponseType

// AuthorizeResponseType tags the kind of Content in an AuthorizeResponse;
// the defined values are AuthorizeResponseTypeHTML and AuthorizeResponseTypeRedirect.
type AuthorizeResponseType string

AuthorizeResponseType indicates the type of response from the authorize endpoint

// Defined AuthorizeResponseType values.
const (
	// AuthorizeResponseTypeHTML means Content is an HTML login form.
	AuthorizeResponseTypeHTML AuthorizeResponseType = "html"
	// AuthorizeResponseTypeRedirect means Content is a redirect URL.
	AuthorizeResponseTypeRedirect AuthorizeResponseType = "redirect"
)

type EncryptedAuthData

// EncryptedAuthData is the payload sealed into the CookieNameAuth cookie by
// EncryptCookieData and recovered by DecryptCookieData. One struct serves two
// states: with IsLoggedIn false it is a pending authorization request; with
// IsLoggedIn true and Username set it is an authenticated session.
type EncryptedAuthData struct {
	// Common fields for both pending auth and authenticated sessions
	ClientID      string
	RedirectURI   string
	Scope         string
	State         string
	CodeChallenge string
	// CodeChallengeMethod is a plain string here, whereas
	// AuthorizationCodeData.CodeChallengeMethod is the typed pamapi value;
	// the conversion presumably happens when the code is issued — confirm.
	CodeChallengeMethod string
	ExpiresAt           int64 // Unix timestamp

	// Session-specific fields (only set when IsLoggedIn is true)
	Username   string
	IsLoggedIn bool
	LoginTime  int64 // Unix timestamp (only set when IsLoggedIn is true)
}

EncryptedAuthData represents encrypted authorization/session data stored in the cookie. When IsLoggedIn is false (or Username is empty), it represents a pending authorization request. When IsLoggedIn is true and Username is set, it represents an authenticated session.

type Logger

// Logger is a type alias (not a distinct named type) for *logrus.Logger, so
// values of either spelling are interchangeable.
type Logger = *logrus.Logger

Logger is a type alias for logrus.Logger

type LoginFormData

// LoginFormData is the (currently empty) data passed to the login form
// template; all authorization parameters live in the encrypted cookie instead.
type LoginFormData struct{}

LoginFormData represents the data used to populate the login form template. It is currently empty because all authorization parameters are stored in the encrypted cookie.

type LoginResult

// LoginResult is returned by Login on success. RedirectURL is presumably the
// redirect target for the browser; SessionID is the session cookie value
// (cf. AuthorizeResponse.SessionID).
type LoginResult struct {
	RedirectURL string
	SessionID   string
}

LoginResult contains the result of a successful login

type OIDCIssuer

// OIDCIssuer is the issuer-side interface implemented by PAMOIDCProvider. It
// covers token issuance, the browser-based authorization code flow and
// discovery; token validation is out of scope.
type OIDCIssuer interface {
	// Token Issuance (OAuth2/OIDC flows)
	// Returns TokenResponse on success, or OAuth2Error (implements error interface) on failure
	Token(ctx context.Context, req *pamapi.TokenRequest) (*pamapi.TokenResponse, error)

	// UserInfo (OIDC endpoint)
	// Returns UserInfoResponse on success, or OAuth2Error (implements error interface) on failure
	UserInfo(ctx context.Context, accessToken string) (*pamapi.UserInfoResponse, error)

	// Authorization Code Flow (browser-based, uses redirects/HTML for errors)
	// The AuthorizeResponse.Type says whether Content is a login form or a redirect URL.
	Authorize(ctx context.Context, req *pamapi.AuthAuthorizeParams) (*AuthorizeResponse, error)

	// Login handles the login form submission (browser-based)
	// encryptedCookie contains the encrypted authorization request parameters
	// On success the LoginResult carries the redirect URL and session cookie value.
	Login(ctx context.Context, username, password, encryptedCookie string) (*LoginResult, error)

	// Discovery and Configuration (system errors only)
	GetOpenIDConfiguration() (*pamapi.OpenIDConfiguration, error)
	GetJWKS() (*pamapi.JWKSResponse, error)
}

OIDCIssuer defines the interface for OIDC token issuers. It handles token issuance only; validation is handled by the existing auth modules.

type PAMOIDCProvider

// PAMOIDCProvider is the PAM-backed OIDCIssuer implementation. Its exported
// methods cover token issuance (Token, UserInfo), the browser flow (Authorize,
// Login, GetLoginForm, GetLoginFormTemplate), cookie sealing
// (EncryptCookieData/DecryptCookieData and their Session* aliases) and
// discovery (GetOpenIDConfiguration, GetJWKS). Fields are unexported;
// construct it with NewPAMOIDCProvider or NewPAMOIDCProviderWithAuthenticator.
type PAMOIDCProvider struct {
	// contains filtered or unexported fields
}

PAMOIDCProvider represents a PAM-based OIDC issuer

func NewPAMOIDCProvider

func NewPAMOIDCProvider(caClient *fccrypto.CAClient, config *config.PAMOIDCIssuer) (*PAMOIDCProvider, error)

NewPAMOIDCProvider creates a new PAM-based OIDC provider

func NewPAMOIDCProviderWithAuthenticator

func NewPAMOIDCProviderWithAuthenticator(caClient *fccrypto.CAClient, config *config.PAMOIDCIssuer, pamAuth Authenticator) (*PAMOIDCProvider, error)

NewPAMOIDCProviderWithAuthenticator creates a new PAM-based OIDC provider with a custom authenticator

func (*PAMOIDCProvider) Authorize

Authorize handles the authorization endpoint for authorization code flow

func (*PAMOIDCProvider) CleanupExpiredCodes

func (s *PAMOIDCProvider) CleanupExpiredCodes()

CleanupExpiredCodes removes expired authorization codes

func (*PAMOIDCProvider) Close

func (s *PAMOIDCProvider) Close() error

Close closes the PAM authenticator connection

func (*PAMOIDCProvider) CreateUserSession

func (s *PAMOIDCProvider) CreateUserSession(username string, pendingReq *EncryptedAuthData) (string, error)

CreateUserSession creates a new encrypted session cookie from pending auth data. It returns the encrypted cookie value to be set in the client's browser.

func (*PAMOIDCProvider) DecryptCookieData

func (s *PAMOIDCProvider) DecryptCookieData(encrypted string) (*EncryptedAuthData, error)

DecryptCookieData decrypts the auth data from the cookie. It returns the decrypted data, which may represent either a pending auth request or an authenticated session.

func (*PAMOIDCProvider) DecryptSessionData

func (s *PAMOIDCProvider) DecryptSessionData(encrypted string) (*EncryptedAuthData, error)

DecryptSessionData is a convenience method that decrypts session data. It is an alias for DecryptCookieData with a clearer name for session data.

func (*PAMOIDCProvider) EncryptCookieData

func (s *PAMOIDCProvider) EncryptCookieData(data *EncryptedAuthData) (string, error)

EncryptCookieData encrypts the auth data using AES-256-GCM. It is used to store authorization parameters (pending or authenticated) in a secure cookie.

func (*PAMOIDCProvider) EncryptSessionData

func (s *PAMOIDCProvider) EncryptSessionData(data *EncryptedAuthData) (string, error)

EncryptSessionData is a convenience method that encrypts session data. It is an alias for EncryptCookieData with a clearer name for session data.

func (*PAMOIDCProvider) GetJWKS

func (s *PAMOIDCProvider) GetJWKS() (*pamapi.JWKSResponse, error)

GetJWKS returns the JSON Web Key Set

func (*PAMOIDCProvider) GetLoginForm

func (s *PAMOIDCProvider) GetLoginForm() string

GetLoginForm returns the HTML for the login form. It uses html/template to safely escape user input and prevent XSS attacks. All authorization parameters are stored in the encrypted cookie, so the form does not need them.

func (*PAMOIDCProvider) GetLoginFormTemplate

func (s *PAMOIDCProvider) GetLoginFormTemplate() *template.Template

GetLoginFormTemplate returns the login form template for safe execution. The template uses html/template, which automatically escapes all user input.

func (*PAMOIDCProvider) GetOpenIDConfiguration

func (s *PAMOIDCProvider) GetOpenIDConfiguration() (*pamapi.OpenIDConfiguration, error)

GetOpenIDConfiguration returns the OpenID Connect configuration

func (*PAMOIDCProvider) GetPendingAuthExpiration

func (s *PAMOIDCProvider) GetPendingAuthExpiration() time.Duration

GetPendingAuthExpiration returns the pending auth cookie expiration duration from config. This is a public method for use by handlers.

func (*PAMOIDCProvider) GetSessionExpiration

func (s *PAMOIDCProvider) GetSessionExpiration() time.Duration

GetSessionExpiration returns the session cookie expiration duration from config. This is a public method for use by handlers.

func (*PAMOIDCProvider) IsUserAuthenticated

func (s *PAMOIDCProvider) IsUserAuthenticated(encryptedCookie string) (*EncryptedAuthData, bool)

IsUserAuthenticated checks whether a user is authenticated via the encrypted session cookie. It returns the decrypted auth data if valid, or nil if invalid/expired.

func (*PAMOIDCProvider) Login

func (s *PAMOIDCProvider) Login(ctx context.Context, username, password, encryptedCookie string) (*LoginResult, error)

Login handles the login form submission. encryptedCookie contains the encrypted authorization request parameters.

func (*PAMOIDCProvider) Token

Token implements the OIDCProvider interface and handles OAuth2 token requests.

func (*PAMOIDCProvider) UserInfo

func (s *PAMOIDCProvider) UserInfo(ctx context.Context, accessToken string) (*pamapi.UserInfoResponse, error)

UserInfo implements the OIDCProvider interface and returns user information.

type PamAuthenticator

// PamAuthenticator is the Authenticator implementation backed by PAM (for
// Authenticate) and NSS (for LookupUser and GetUserGroups); it is presumably
// the one NewPAMOIDCProvider uses when no custom Authenticator is supplied.
// Construct it with NewPAMAuthenticator.
type PamAuthenticator struct {
	// contains filtered or unexported fields
}

PamAuthenticator implements Linux authentication using PAM and NSS. PAM (Pluggable Authentication Modules) handles authentication; NSS (Name Service Switch) handles user/group lookups via user.Lookup(). It works with any system-configured authentication backend.

func NewPAMAuthenticator

func NewPAMAuthenticator() (*PamAuthenticator, error)

NewPAMAuthenticator creates a new Linux authenticator. It uses PAM for authentication and NSS for user/group information, and automatically works with any configured Linux authentication backend.

func (*PamAuthenticator) Authenticate

func (r *PamAuthenticator) Authenticate(username, password string) error

Authenticate performs authentication using PAM. PAM automatically uses the system-configured authentication backend.

func (*PamAuthenticator) Close

func (r *PamAuthenticator) Close() error

Close is a no-op since we don't hold any resources

func (*PamAuthenticator) GetUserGroups

func (r *PamAuthenticator) GetUserGroups(systemUser *user.User) ([]string, error)

GetUserGroups gets the groups for a user using NSS. NSS (Name Service Switch) automatically uses the appropriate backend.

func (*PamAuthenticator) LookupUser

func (r *PamAuthenticator) LookupUser(username string) (*user.User, error)

LookupUser looks up a user by username using NSS. NSS (Name Service Switch) automatically uses the appropriate backend.
