pam

Published: Feb 19, 2026 License: Apache-2.0 Imports: 29 Imported by: 0

Documentation


Constants

const (
	// ScopeOfflineAccess is the OAuth2 scope for requesting refresh tokens
	ScopeOfflineAccess = "offline_access"
	// ScopeOpenID is the OpenID Connect scope; its presence is what turns a
	// plain OAuth2 authorization request into an OIDC request
	ScopeOpenID = "openid"
	// ScopeProfile is the scope for accessing user profile information
	ScopeProfile = "profile"
	// ScopeEmail is the scope for accessing user email
	ScopeEmail = "email"
	// ScopeRoles is the scope for accessing user roles
	ScopeRoles = "roles"
	// DefaultScopes is the default set of scopes for authenticated users,
	// written as a space-separated list (the OAuth2 "scope" parameter form).
	// ScopeOfflineAccess and ScopeRoles are not part of the default set, so
	// presumably refresh tokens and role claims are only issued when a client
	// requests those scopes explicitly — confirm against Token
	DefaultScopes = "openid profile email"
)

OAuth2 Scopes

// Token type identifiers carried in JWT claims so that an access token and a
// refresh token can be told apart by whatever validates them. These are claim
// values, not OAuth2 grant_type values (grant_type=refresh_token is a
// different, unrelated string).
const (
	// TokenTypeAccess identifies an access token in JWT claims
	TokenTypeAccess = "access_token"
	// TokenTypeRefresh identifies a refresh token in JWT claims
	TokenTypeRefresh = "refresh_token"
)

Token Type Identifiers (used in JWT claims, not grant types)

// Token endpoint authentication methods, as advertised in the OpenID
// configuration's token_endpoint_auth_methods_supported (presumably; confirm
// in GetOpenIDConfiguration).
const (
	// AuthMethodNone indicates no client authentication (public client).
	// A public client has no secret, so the safety of the authorization code
	// flow then rests on redirect URI matching and PKCE (see
	// AuthorizationCodeData.CodeChallenge) — confirm both are enforced in Token
	AuthMethodNone = "none"
	// AuthMethodClientSecretPost indicates client_secret_post authentication,
	// i.e. the client secret is sent in the body of the token request
	AuthMethodClientSecretPost = "client_secret_post"
)

Token Endpoint Authentication Methods

const (
	// CookieNameAuth is the name of the cookie storing encrypted authorization/session data
	// The cookie contains EncryptedAuthData which can represent either:
	// - Pending authorization requests (IsLoggedIn = false)
	// - Authenticated sessions (IsLoggedIn = true)
	// The value is produced by EncryptCookieData and read back by
	// DecryptCookieData / IsUserAuthenticated.
	// NOTE(review): cookie attributes (HttpOnly, Secure, SameSite, Max-Age)
	// are not set here; they are presumably applied by the HTTP handler that
	// writes the cookie — confirm at that call site
	CookieNameAuth = "auth"
)

Cookie names

const (
	// OrgPrefix is the prefix for organization group names.
	// Presumably groups returned by Authenticator.GetUserGroups that carry
	// this prefix are mapped to organizations — confirm in the consumer
	OrgPrefix = "org-"
)

Organization and Group Prefixes

// SessionCookieCtxKey is the context key for storing session cookies.
// It is a typed common.ContextKey rather than a bare string so it cannot
// collide with context values stored by other packages under the same text.
const SessionCookieCtxKey common.ContextKey = "session_cookie"

SessionCookieCtxKey is the context key for storing session cookies

const (
	// SigningAlgRS256 is the RS256 signing algorithm (RSASSA-PKCS1-v1_5 with
	// SHA-256), the JWS "alg" value used for issued tokens and advertised via
	// GetJWKS / GetOpenIDConfiguration — presumably the only one supported;
	// confirm
	SigningAlgRS256 = "RS256"
)

Default Signing Algorithms

Variables

// FlightControlFavicon holds the raw favicon bytes for the login page.
// Presumably populated with go:embed and inlined as the LoginFormData.FaviconSrc
// data: URI — confirm
var FlightControlFavicon []byte
// FontAssets is the embedded filesystem of font files used by the login page.
var FontAssets embed.FS
// LoginCSS is the login page stylesheet source. GetLoginCSS renders it with
// the configured theme color overrides, so this is presumably a template
// rather than final CSS — confirm
var LoginCSS string
// LoginJS is the JavaScript served with the login page.
var LoginJS string
// PatternFlyCSS is the bundled PatternFly stylesheet used by the login page.
var PatternFlyCSS string

Functions

This section is empty.

Types

type Authenticator

// Authenticator is the interface for PAM authentication and NSS user lookup.
// PamAuthenticator is the production implementation; NewPAMOIDCProviderWithAuthenticator
// accepts any other implementation (e.g. for tests).
type Authenticator interface {
	// Authenticate verifies the credentials and returns a non-nil error when
	// they are rejected. The password is handled as a plain string.
	Authenticate(username, password string) error
	// LookupUser resolves a username to its system user record.
	LookupUser(username string) (*user.User, error)
	// GetUserGroups returns the names of the groups the system user belongs to.
	GetUserGroups(systemUser *user.User) ([]string, error)
	// Close releases any resources held by the authenticator.
	Close() error
}

Authenticator is the interface for PAM authentication and NSS user lookup.

type AuthorizationCodeData

// AuthorizationCodeData represents stored authorization code data: the
// parameters recorded when the code was issued, kept so they can be compared
// with the later token request (presumably in Token — confirm), plus the user
// the code was issued for.
type AuthorizationCodeData struct {
	Code                string                                        // the code value handed to the client
	ClientID            string                                        // client the code was issued to
	RedirectURI         string                                        // redirect URI used in the authorization request
	Scope               string                                        // space-separated scopes granted
	State               string                                        // client-supplied state from the authorization request
	Username            string                                        // authenticated user the code belongs to
	ExpiresAt           time.Time                                     // after this instant the code is invalid; CleanupExpiredCodes removes such entries
	CreatedAt           time.Time                                     // issuance time
	CodeChallenge       string                                        // PKCE code challenge
	CodeChallengeMethod pamapi.AuthAuthorizeParamsCodeChallengeMethod // PKCE code challenge method (plain or S256)
}

AuthorizationCodeData represents stored authorization code data

type AuthorizationCodeStore

// AuthorizationCodeStore manages temporary authorization codes. Codes are
// single-use (GetCode retrieves and removes an entry) and time-limited
// (CleanupExpiredCodes drops expired entries).
// NOTE(review): storage appears to be in-process, so codes would not survive a
// restart or be shared across replicas — confirm
type AuthorizationCodeStore struct {
	// contains filtered or unexported fields
}

AuthorizationCodeStore manages temporary authorization codes

func NewAuthorizationCodeStore

func NewAuthorizationCodeStore() *AuthorizationCodeStore

NewAuthorizationCodeStore creates a new authorization code store

func (*AuthorizationCodeStore) CleanupExpiredCodes

func (s *AuthorizationCodeStore) CleanupExpiredCodes()

CleanupExpiredCodes removes expired codes

func (*AuthorizationCodeStore) GetCode

GetCode retrieves an authorization code and removes it from the store, so a code can be redeemed only once.

func (*AuthorizationCodeStore) StoreCode

func (s *AuthorizationCodeStore) StoreCode(codeData *AuthorizationCodeData)

StoreCode stores an authorization code with expiration

type AuthorizeResponse

// AuthorizeResponse wraps the authorize endpoint response with metadata so the
// HTTP handler can decide whether to render HTML or issue a redirect.
type AuthorizeResponse struct {
	Type      AuthorizeResponseType // how Content is to be interpreted (HTML body or redirect URL)
	Content   string                // HTML document or redirect URL, depending on Type
	SessionID string                // Session ID to set as cookie (for pending sessions)
}

AuthorizeResponse wraps the authorize endpoint response with metadata

type AuthorizeResponseType

// AuthorizeResponseType indicates the type of response from the authorize
// endpoint; see AuthorizeResponseTypeHTML and AuthorizeResponseTypeRedirect.
type AuthorizeResponseType string

AuthorizeResponseType indicates the type of response from the authorize endpoint

const (
	AuthorizeResponseTypeHTML     AuthorizeResponseType = "html"     // HTML login form; AuthorizeResponse.Content is the document body
	AuthorizeResponseTypeRedirect AuthorizeResponseType = "redirect" // Redirect URL; AuthorizeResponse.Content is the Location
)

type EncryptedAuthData

// EncryptedAuthData represents encrypted authorization/session data stored in
// the cookie (CookieNameAuth). It is serialised by EncryptCookieData and read
// back by DecryptCookieData. When IsLoggedIn is false (or Username is empty)
// it represents a pending authorization request; when IsLoggedIn is true and
// Username is set it represents an authenticated session.
//
// Successful decryption only proves the cookie was produced by this service
// and not tampered with; it does not by itself mean the user is logged in or
// that the data is still current. Callers must check IsLoggedIn and ExpiresAt
// (IsUserAuthenticated does both, per its documentation).
type EncryptedAuthData struct {
	// Common fields for both pending auth and authenticated sessions
	ClientID            string
	RedirectURI         string
	Scope               string
	State               string
	CodeChallenge       string
	CodeChallengeMethod string // NOTE(review): plain string here, unlike AuthorizationCodeData.CodeChallengeMethod; expected values are "plain" or "S256"
	ExpiresAt           int64  // Unix timestamp

	// Session-specific fields (only set when IsLoggedIn is true)
	Username   string
	IsLoggedIn bool
	LoginTime  int64 // Unix timestamp (only set when IsLoggedIn is true)
}

EncryptedAuthData represents encrypted authorization/session data stored in the cookie. When IsLoggedIn is false (or Username is empty), it represents a pending authorization request. When IsLoggedIn is true and Username is set, it represents an authenticated session.

type Logger

// Logger is a type alias for *logrus.Logger. Being an alias to a pointer type,
// a zero-value Logger is nil.
type Logger = *logrus.Logger

Logger is a type alias for *logrus.Logger.

type LoginFormData

// LoginFormData represents the data used to populate the login form template.
// All fields are always populated with resolved values (defaults applied in Go
// code).
//
// The three *Src fields are typed template.URL, which tells html/template to
// trust the value and skip its URL filtering. That is needed for data: URIs but
// also means these values must only ever come from operator configuration or
// embedded assets, never from request input — confirm at the call site that
// builds this struct.
type LoginFormData struct {
	// DisplayName is the branded name shown in the title and heading
	DisplayName string
	// FaviconSrc is the favicon href. Typed as template.URL so html/template does not filter data: URIs.
	FaviconSrc template.URL
	// LightLogoSrc is the logo src for light mode. Typed as template.URL so html/template does not filter data: URIs.
	LightLogoSrc template.URL
	// DarkLogoSrc is the logo src for dark mode. Typed as template.URL so html/template does not filter data: URIs.
	DarkLogoSrc template.URL
	// LightTheme holds CSS color overrides for light mode (nil = no overrides)
	LightTheme *config.ThemeColors
	// DarkTheme holds CSS color overrides for dark mode (nil = no overrides)
	DarkTheme *config.ThemeColors
}

LoginFormData represents the data used to populate the login form template. All fields are always populated with resolved values (defaults applied in Go code).

type LoginResult

// LoginResult contains the result of a successful login.
type LoginResult struct {
	RedirectURL string // where the browser is sent next (presumably the client's redirect URI with the code — confirm in Login)
	SessionID   string // session value to set as the auth cookie
}

LoginResult contains the result of a successful login

type OIDCIssuer

// OIDCIssuer defines the interface for OIDC token issuers. It covers token
// issuance only; validation of issued tokens is handled by the existing auth
// modules. PAMOIDCProvider is the implementation in this package.
type OIDCIssuer interface {
	// Token issues tokens for OAuth2/OIDC flows.
	// Returns TokenResponse on success, or OAuth2Error (implements error interface) on failure
	Token(ctx context.Context, req *pamapi.TokenRequest) (*pamapi.TokenResponse, error)

	// UserInfo serves the OIDC userinfo endpoint for a bearer access token.
	// Returns UserInfoResponse on success, or OAuth2Error (implements error interface) on failure
	UserInfo(ctx context.Context, accessToken string) (*pamapi.UserInfoResponse, error)

	// Authorize handles the authorization code flow (browser-based, so errors
	// are reported via redirects/HTML rather than JSON)
	Authorize(ctx context.Context, req *pamapi.AuthAuthorizeParams) (*AuthorizeResponse, error)

	// Login handles the login form submission (browser-based)
	// encryptedCookie contains the encrypted authorization request parameters
	// (an EncryptedAuthData produced earlier by Authorize)
	Login(ctx context.Context, username, password, encryptedCookie string) (*LoginResult, error)

	// Discovery and Configuration (system errors only)
	GetOpenIDConfiguration() (*pamapi.OpenIDConfiguration, error)
	GetJWKS() (*pamapi.JWKSResponse, error)
}

OIDCIssuer defines the interface for OIDC token issuers. It handles token issuance only; validation is handled by the existing auth modules.

type PAMOIDCProvider

// PAMOIDCProvider represents a PAM-based OIDC issuer. It authenticates users
// through an Authenticator, signs tokens with keys obtained via the CAClient
// given to NewPAMOIDCProvider, and keeps authorization state in an encrypted
// cookie (see EncryptedAuthData) plus an AuthorizationCodeStore.
type PAMOIDCProvider struct {
	// contains filtered or unexported fields
}

PAMOIDCProvider represents a PAM-based OIDC issuer

func NewPAMOIDCProvider

func NewPAMOIDCProvider(caClient *fccrypto.CAClient, config *config.PAMOIDCIssuer) (*PAMOIDCProvider, error)

NewPAMOIDCProvider creates a new PAM-based OIDC provider

func NewPAMOIDCProviderWithAuthenticator

func NewPAMOIDCProviderWithAuthenticator(caClient *fccrypto.CAClient, config *config.PAMOIDCIssuer, pamAuth Authenticator) (*PAMOIDCProvider, error)

NewPAMOIDCProviderWithAuthenticator creates a new PAM-based OIDC provider with a custom authenticator

func (*PAMOIDCProvider) Authorize

Authorize handles the authorization endpoint for authorization code flow

func (*PAMOIDCProvider) CleanupExpiredCodes

func (s *PAMOIDCProvider) CleanupExpiredCodes()

CleanupExpiredCodes removes expired authorization codes

func (*PAMOIDCProvider) Close

func (s *PAMOIDCProvider) Close() error

Close closes the PAM authenticator connection

func (*PAMOIDCProvider) CreateUserSession

func (s *PAMOIDCProvider) CreateUserSession(username string, pendingReq *EncryptedAuthData) (string, error)

CreateUserSession creates a new encrypted session cookie from pending auth data. It returns the encrypted cookie value to be set in the client's browser.

func (*PAMOIDCProvider) DecryptCookieData

func (s *PAMOIDCProvider) DecryptCookieData(encrypted string) (*EncryptedAuthData, error)

DecryptCookieData decrypts the auth data from the cookie. It returns the decrypted data, which may represent either a pending auth request or an authenticated session; callers that need an authenticated session should use IsUserAuthenticated, which also checks validity and expiry.

func (*PAMOIDCProvider) DecryptSessionData

func (s *PAMOIDCProvider) DecryptSessionData(encrypted string) (*EncryptedAuthData, error)

DecryptSessionData is a convenience method that decrypts session data. It is an alias for DecryptCookieData with a clearer name for session data.

func (*PAMOIDCProvider) EncryptCookieData

func (s *PAMOIDCProvider) EncryptCookieData(data *EncryptedAuthData) (string, error)

EncryptCookieData encrypts the auth data using AES-256-GCM. It is used to store authorization parameters (pending or authenticated) in a secure cookie; because GCM is authenticated encryption, a modified cookie fails to decrypt rather than yielding altered data.

func (*PAMOIDCProvider) EncryptSessionData

func (s *PAMOIDCProvider) EncryptSessionData(data *EncryptedAuthData) (string, error)

EncryptSessionData is a convenience method that encrypts session data. It is an alias for EncryptCookieData with a clearer name for session data.

func (*PAMOIDCProvider) GetJWKS

func (s *PAMOIDCProvider) GetJWKS() (*pamapi.JWKSResponse, error)

GetJWKS returns the JSON Web Key Set

func (*PAMOIDCProvider) GetLoginCSS

func (s *PAMOIDCProvider) GetLoginCSS() string

GetLoginCSS renders the login CSS template with branding data (theme color overrides).

func (*PAMOIDCProvider) GetLoginForm

func (s *PAMOIDCProvider) GetLoginForm() string

GetLoginForm returns the HTML for the login form. It uses html/template to safely escape user input and prevent XSS attacks. All authorization parameters are stored in the encrypted cookie, so the form does not need them.

func (*PAMOIDCProvider) GetLoginFormTemplate

func (s *PAMOIDCProvider) GetLoginFormTemplate() *template.Template

GetLoginFormTemplate returns the login form template for safe execution. The template uses html/template, which automatically escapes all user input.

func (*PAMOIDCProvider) GetOpenIDConfiguration

func (s *PAMOIDCProvider) GetOpenIDConfiguration() (*pamapi.OpenIDConfiguration, error)

GetOpenIDConfiguration returns the OpenID Connect configuration

func (*PAMOIDCProvider) GetPendingAuthExpiration

func (s *PAMOIDCProvider) GetPendingAuthExpiration() time.Duration

GetPendingAuthExpiration returns the pending auth cookie expiration duration from config. This is a public method for use by handlers.

func (*PAMOIDCProvider) GetSessionExpiration

func (s *PAMOIDCProvider) GetSessionExpiration() time.Duration

GetSessionExpiration returns the session cookie expiration duration from config. This is a public method for use by handlers.

func (*PAMOIDCProvider) IsUserAuthenticated

func (s *PAMOIDCProvider) IsUserAuthenticated(encryptedCookie string) (*EncryptedAuthData, bool)

IsUserAuthenticated checks whether a user is authenticated via the encrypted session cookie. It returns the decrypted auth data and true if the cookie is valid, or nil and false if it is invalid or expired.

func (*PAMOIDCProvider) Login

func (s *PAMOIDCProvider) Login(ctx context.Context, username, password, encryptedCookie string) (*LoginResult, error)

Login handles the login form submission. encryptedCookie contains the encrypted authorization request parameters.

func (*PAMOIDCProvider) Token

Token implements OIDCProvider interface - handles OAuth2 token requests

func (*PAMOIDCProvider) UserInfo

func (s *PAMOIDCProvider) UserInfo(ctx context.Context, accessToken string) (*pamapi.UserInfoResponse, error)

UserInfo implements OIDCProvider interface - returns user information

type PamAuthenticator

// PamAuthenticator implements Authenticator for Linux using PAM and NSS.
// PAM (Pluggable Authentication Modules) handles authentication; NSS (Name
// Service Switch) handles user/group lookups via user.Lookup(). It therefore
// works with any system-configured authentication backend.
type PamAuthenticator struct {
	// contains filtered or unexported fields
}

PamAuthenticator implements Linux authentication using PAM and NSS. PAM (Pluggable Authentication Modules) handles authentication; NSS (Name Service Switch) handles user/group lookups via user.Lookup(). It works with any system-configured authentication backend.

func NewPAMAuthenticator

func NewPAMAuthenticator() (*PamAuthenticator, error)

NewPAMAuthenticator creates a new Linux authenticator. It uses PAM for authentication and NSS for user/group information, and automatically works with any configured Linux authentication backend.

func (*PamAuthenticator) Authenticate

func (r *PamAuthenticator) Authenticate(username, password string) error

Authenticate performs authentication using PAM, which automatically uses the system-configured authentication backend.

func (*PamAuthenticator) Close

func (r *PamAuthenticator) Close() error

Close is a no-op since the authenticator does not hold any resources.

func (*PamAuthenticator) GetUserGroups

func (r *PamAuthenticator) GetUserGroups(systemUser *user.User) ([]string, error)

GetUserGroups gets the groups for a user using NSS. NSS (Name Service Switch) automatically uses the appropriate backend.

func (*PamAuthenticator) LookupUser

func (r *PamAuthenticator) LookupUser(username string) (*user.User, error)

LookupUser looks up a user by username using NSS. NSS (Name Service Switch) automatically uses the appropriate backend.
