package auth

v1.0.27 Published: Jan 7, 2026 License: MPL-2.0 Imports: 12 Imported by: 0

Documentation

Constants

const MaxUsernameLength = 32

MaxUsernameLength is the default maximum username length

const MinJWTSecretLength = 32

MinJWTSecretLength is the minimum required length for JWT secrets (32 bytes = 256 bits)

Variables

This section is empty.

Functions

func ValidUsername

func ValidUsername(u string, maxLen int) bool

ValidUsername checks if a username is valid using strict allowlist validation:

- Not empty
- Not too long (maxLen, default 32)
- Matches strict allowlist: only letters, numbers, underscore, hyphen
- Blocks shell metacharacters: ; & | ( ) $ ` < > etc.

SECURITY: This strict validation prevents command injection attacks when usernames are passed to any of the shell scripts in the codebase.
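The allowlist rule above, written out as a stand-alone Go function. This is an added example, not the package's own ValidUsername (whose body is not shown on this page): it applies the four listed rules, treats maxLen <= 0 as a request for the 32-character default (an assumption about how "default 32" is selected), and sits beside a deliberately naive denylist so the difference between the two approaches is visible on the same inputs. The sample usernames are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
)

// MaxUsernameLength mirrors the package constant used as the default limit.
const MaxUsernameLength = 32

// usernameAllowlist admits only ASCII letters, digits, underscore and hyphen. Everything else,
// including every shell metacharacter, whitespace, NUL, newline and non-ASCII, simply fails to match.
var usernameAllowlist = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ValidUsername applies the four rules from the package documentation. A maxLen <= 0 falls back
// to MaxUsernameLength (an assumption about how the "default 32" is selected).
func ValidUsername(u string, maxLen int) bool {
	if maxLen <= 0 {
		maxLen = MaxUsernameLength
	}
	// len counts bytes; the allowlist is ASCII-only, so bytes and characters agree for anything that passes.
	if u == "" || len(u) > maxLen {
		return false
	}
	return usernameAllowlist.MatchString(u)
}

// denylistUsername is the contrast case: it rejects the metacharacters the doc comment lists and
// nothing else, so newline, tab, quotes, backslash and non-ASCII all slip through.
func denylistUsername(u string) bool {
	for _, r := range u {
		switch r {
		case ';', '&', '|', '(', ')', '$', '`', '<', '>':
			return false
		}
	}
	return u != ""
}

func main() {
	// Constructed sample inputs: a few legitimate names and a few that must be rejected.
	samples := []string{"alice", "svc_backup-01", "", "alice;ls", "bob\nls", "a b", "ünïcode"}
	for _, s := range samples {
		fmt.Printf("%-18q allowlist=%-5v denylist=%v\n", s, ValidUsername(s, 0), denylistUsername(s))
	}
}
```

The length check runs before the regular expression so an oversized input is rejected cheaply, and the allowlist is anchored with `^` and `$` without the multi-line flag, which is why an embedded newline cannot split the match.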

func ValidUsernameDefault

func ValidUsernameDefault(u string) bool

ValidUsernameDefault checks username with default max length

Types

type AuthRequest

type AuthRequest = authproto.AuthRequest

AuthRequest is an alias to shared authproto.AuthRequest

type AuthResponse

type AuthResponse = authproto.AuthResponse

AuthResponse is an alias to shared authproto.AuthResponse

type Claims

type Claims struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
	jwt.RegisteredClaims
}

Claims represents JWT claims

func (*Claims) CanModify

func (c *Claims) CanModify() bool

CanModify checks if the user can modify firewall rules (ban/unban/whitelist)

func (*Claims) CanViewLogs

func (c *Claims) CanViewLogs() bool

CanViewLogs checks if the user can view log files

func (*Claims) HasAllGroups

func (c *Claims) HasAllGroups(groups ...string) bool

HasAllGroups checks if the user belongs to all of the specified groups

func (*Claims) HasAnyGroup

func (c *Claims) HasAnyGroup(groups ...string) bool

HasAnyGroup checks if the user belongs to any of the specified groups

func (*Claims) HasGroup

func (c *Claims) HasGroup(group string) bool

HasGroup checks if the user belongs to a specific group

func (*Claims) IsAdmin

func (c *Claims) IsAdmin() bool

IsAdmin checks if the user has admin privileges (root, wheel, sudo, or nftban-admin)

func (*Claims) IsOperator

func (c *Claims) IsOperator() bool

IsOperator checks if the user has operator privileges (can view/search but not modify)

type PAMAuth

type PAMAuth struct {
	// contains filtered or unexported fields
}

PAMAuth handles PAM-based authentication

func NewPAMAuth

func NewPAMAuth(cfg *config.Config) (*PAMAuth, error)

NewPAMAuth creates a new PAM authentication handler. It returns an error if the JWT secret is too short (security requirement).

func (*PAMAuth) AuditLog

func (p *PAMAuth) AuditLog(username, action, result, clientIP string)

AuditLog writes an audit log entry

func (*PAMAuth) Authenticate

func (p *PAMAuth) Authenticate(username, password string) (*User, error)

Authenticate validates user credentials via Unix socket to auth service

func (*PAMAuth) GenerateToken

func (p *PAMAuth) GenerateToken(user *User) (string, error)

GenerateToken creates a JWT token for authenticated user

func (*PAMAuth) ValidateToken

func (p *PAMAuth) ValidateToken(tokenString string) (*Claims, error)

ValidateToken verifies and parses a JWT token
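How the Claims group helpers, the MinJWTSecretLength check in NewPAMAuth, and GenerateToken/ValidateToken fit together, as an added example that is not the package's code. It re-implements HasGroup, HasAnyGroup, HasAllGroups and IsAdmin with the four admin groups the IsAdmin documentation names, refuses secrets shorter than 32 bytes the way NewPAMAuth is documented to, and signs and verifies an HS256 token with the standard library instead of the jwt package the real Claims embeds. The Signer type, the decodePart helper, the explicit `now` parameter, and keeping only the "exp" registered claim are assumptions of this example; CanModify, CanViewLogs and IsOperator are left out because the page does not state which groups they map to.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"slices"
	"strings"
	"time"
)

// MinJWTSecretLength mirrors the package constant: 32 bytes = 256 bits of HMAC key.
const MinJWTSecretLength = 32

// adminGroups are the four groups the IsAdmin documentation names.
var adminGroups = []string{"root", "wheel", "sudo", "nftban-admin"}
var b64 = base64.RawURLEncoding

// Claims stands in for auth.Claims; of the registered claims only "exp" is kept (Unix seconds).
type Claims struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
	Exp      int64    `json:"exp"`
}

// HasGroup is an exact, case-sensitive match; HasAnyGroup is the OR and HasAllGroups the AND of it.
func (c *Claims) HasGroup(group string) bool        { return slices.Contains(c.Groups, group) }
func (c *Claims) HasAnyGroup(groups ...string) bool { return slices.ContainsFunc(groups, c.HasGroup) }

func (c *Claims) HasAllGroups(groups ...string) bool {
	for _, g := range groups {
		if !c.HasGroup(g) {
			return false
		}
	}
	return true
}

// IsAdmin grants admin on membership in any one of adminGroups.
func (c *Claims) IsAdmin() bool { return c.HasAnyGroup(adminGroups...) }

// Signer holds the HMAC key (assumed type); NewSigner refuses short secrets, as NewPAMAuth is documented to.
type Signer struct{ secret []byte }

func NewSigner(secret string) (*Signer, error) {
	if len(secret) < MinJWTSecretLength {
		return nil, errors.New("jwt secret shorter than MinJWTSecretLength bytes")
	}
	return &Signer{secret: []byte(secret)}, nil
}

func (s *Signer) sign(signingInput string) string {
	mac := hmac.New(sha256.New, s.secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

func decodePart(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// GenerateToken emits a compact HS256 JWS: base64url(header).base64url(payload).base64url(sig).
func (s *Signer) GenerateToken(c *Claims) string {
	payload, _ := json.Marshal(c) // cannot fail for this plain struct
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(payload)
	return signingInput + "." + s.sign(signingInput)
}

// ValidateToken pins the algorithm, compares the signature in constant time and enforces expiry
// before any claim is handed back; "now" is a parameter so expiry can be exercised in tests.
func (s *Signer) ValidateToken(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("alg must be HS256") // also rejects alg=none and key-type confusion
	}
	if !hmac.Equal([]byte(s.sign(parts[0]+"."+parts[1])), []byte(parts[2])) {
		return nil, errors.New("signature mismatch")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return &c, nil
}
```

Ordering matters in ValidateToken: the algorithm is checked against a single fixed value before anything else, the signature is checked before the payload is even decoded, and a token without an exp claim is rejected rather than treated as non-expiring. Group checks are pure string comparison, so any normalisation of group names has to happen where the Claims are built, not where they are checked.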

type User

type User struct {
	Username string
	UID      string
	GID      string
	Groups   []string
}

User represents an authenticated user
