Documentation
Index
- Constants
- func ValidUsername(u string, maxLen int) bool
- func ValidUsernameDefault(u string) bool
- type AuthRequest
- type AuthResponse
- type Claims
- func (c *Claims) CanAct() bool
- func (c *Claims) CanConfig() bool
- func (c *Claims) CanModify() bool
- func (c *Claims) CanRead() bool
- func (c *Claims) CanViewLogs() bool
- func (c *Claims) HasAllGroups(groups ...string) bool
- func (c *Claims) HasAnyGroup(groups ...string) bool
- func (c *Claims) HasGroup(group string) bool
- func (c *Claims) IsAdmin() bool
- func (c *Claims) IsAuditor() bool
- func (c *Claims) IsOperator() bool
- func (c *Claims) IsPanelOperator() bool
- type PAMAuth
- type User
Constants
const MaxUsernameLength = 32
MaxUsernameLength is the default maximum username length.
const MinJWTSecretLength = 32
MinJWTSecretLength is the minimum required length for JWT secrets (32 bytes = 256 bits).
Variables
This section is empty.
Functions
func ValidUsername
ValidUsername checks if a username is valid using strict allowlist validation:
- Not empty
- Not too long (maxLen, default 32)
- Matches strict allowlist: only letters, numbers, underscore, hyphen
- Blocks shell metacharacters: ; & | ( ) $ ` < > etc.
SECURITY: This strict validation prevents command injection attacks when usernames are passed to any of the shell scripts in the codebase.
func ValidUsernameDefault
ValidUsernameDefault checks a username with the default max length.
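The allowlist contract above, written out as an added example so the rejected and accepted inputs can be seen side by side. This is illustration code, not the project's own source: it re-implements ValidUsername and ValidUsernameDefault from their documented rules only, and assumes that "letters" and "numbers" mean ASCII [A-Za-z0-9] (byte-wise iteration therefore also rejects any multi-byte UTF-8 character).

```go
package main

// Added example: a stand-alone re-implementation of the documented
// ValidUsername / ValidUsernameDefault contract, not the project's code.
// Assumption: the allowlist is ASCII letters, digits, '_' and '-'.

import "fmt"

// MaxUsernameLength is the default maximum username length (from the docs).
const MaxUsernameLength = 32

// allowedUsernameByte reports whether b is in the strict allowlist. Every
// other byte, including shell metacharacters such as ; & | ( ) $ ` < > and
// whitespace, is rejected, so no denylist of "dangerous" characters is needed.
func allowedUsernameByte(b byte) bool {
	switch {
	case b >= 'a' && b <= 'z', b >= 'A' && b <= 'Z', b >= '0' && b <= '9':
		return true
	case b == '_', b == '-':
		return true
	}
	return false
}

// ValidUsername applies the documented checks in order: not empty, not
// longer than maxLen, and every byte in the allowlist.
func ValidUsername(u string, maxLen int) bool {
	if u == "" || len(u) > maxLen {
		return false
	}
	for i := 0; i < len(u); i++ {
		if !allowedUsernameByte(u[i]) {
			return false
		}
	}
	return true
}

// ValidUsernameDefault checks a username against MaxUsernameLength.
func ValidUsernameDefault(u string) bool {
	return ValidUsername(u, MaxUsernameLength)
}

func main() {
	// Constructed sample inputs, including the metacharacters the docs call out.
	samples := []string{
		"alice", "svc_panel-01", "", "bob;id", "$(whoami)", "a|b",
		"name with space", "ünicode", "x`y`",
		"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 33 characters, over the default
	}
	for _, s := range samples {
		fmt.Printf("%-36q valid=%v\n", s, ValidUsernameDefault(s))
	}
}
```

Using an allowlist rather than a denylist is what makes the SECURITY note hold: the function never has to enumerate every metacharacter of every shell or script interpreter, because anything outside the four permitted classes fails.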
Types
type AuthRequest
type AuthRequest = authproto.AuthRequest
AuthRequest is an alias to the shared authproto.AuthRequest.
type AuthResponse
type AuthResponse = authproto.AuthResponse
AuthResponse is an alias to the shared authproto.AuthResponse.
type Claims
type Claims struct {
    Username string   `json:"username"`
    Groups   []string `json:"groups"`
    jwt.RegisteredClaims
}
Claims represents JWT claims
func (*Claims) CanAct (added in v1.11.0)
CanAct checks if the user can perform runtime actions (ban/unban/whitelist).
Only admins and panel operators - NOT auditors.
func (*Claims) CanConfig (added in v1.11.0)
CanConfig checks if the user can modify configuration.
Only admins (nftban group) - NOT panel operators or auditors.
func (*Claims) CanModify
CanModify is an alias for CanAct (runtime action permission).
Deprecated: Use CanAct() for actions or CanConfig() for configuration.
func (*Claims) CanRead (added in v1.11.0)
CanRead checks if the user can view logs, reports, and status.
All authenticated users with valid groups can read.
func (*Claims) CanViewLogs
CanViewLogs checks if the user can view log files.
func (*Claims) HasAllGroups
HasAllGroups checks if the user belongs to all of the specified groups.
func (*Claims) HasAnyGroup
HasAnyGroup checks if the user belongs to any of the specified groups.
func (*Claims) IsAdmin
IsAdmin checks if the user has admin privileges (nftban group).
Admins have full access: config changes, service management, all actions.
func (*Claims) IsAuditor (added in v1.11.0)
IsAuditor checks if the user is a read-only auditor.
Auditors can view logs/reports/status but CANNOT perform any actions.
func (*Claims) IsOperator
IsOperator checks if the user can perform runtime actions (ban/unban/status).
Includes: nftban (admin) and nftban-panel (panel operators).
Excludes: nftban-auditor (auditors are read-only, NOT operators).
func (*Claims) IsPanelOperator (added in v1.11.0)
IsPanelOperator checks if the user is a panel integration account.
Panel operators can perform runtime actions but NOT config changes.
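The three-role model described by the Claims methods (admin, panel operator, auditor) is easier to reason about when the group-to-permission mapping is laid out in one place. The following is an added example that models that mapping stand-alone; it is not the project's code. It omits the embedded jwt.RegisteredClaims so it builds with the standard library only, assumes that "valid groups" means exactly nftban, nftban-panel and nftban-auditor, treats CanViewLogs as the same check as CanRead (the page does not say otherwise), and adds a hypothetical Authorize helper that fails closed on unknown operations.

```go
package main

// Added example: a stand-alone model of the documented Claims authorization
// helpers, not the project's source. jwt.RegisteredClaims is omitted.
// Assumptions: the three group names below are the only valid groups;
// CanViewLogs == CanRead; Authorize is a hypothetical dispatch helper.

import "fmt"

const (
	GroupAdmin   = "nftban"         // admins: full access
	GroupPanel   = "nftban-panel"   // panel integration accounts
	GroupAuditor = "nftban-auditor" // read-only auditors
)

type Claims struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
}

func (c *Claims) HasGroup(group string) bool {
	for _, g := range c.Groups {
		if g == group {
			return true
		}
	}
	return false
}

func (c *Claims) HasAnyGroup(groups ...string) bool {
	for _, g := range groups {
		if c.HasGroup(g) {
			return true
		}
	}
	return false
}

func (c *Claims) HasAllGroups(groups ...string) bool {
	for _, g := range groups {
		if !c.HasGroup(g) {
			return false
		}
	}
	return true
}

func (c *Claims) IsAdmin() bool         { return c.HasGroup(GroupAdmin) }
func (c *Claims) IsPanelOperator() bool { return c.HasGroup(GroupPanel) }
func (c *Claims) IsAuditor() bool       { return c.HasGroup(GroupAuditor) }

// IsOperator covers admins and panel operators; auditors are excluded.
func (c *Claims) IsOperator() bool { return c.HasAnyGroup(GroupAdmin, GroupPanel) }

// CanAct: runtime actions (ban/unban/whitelist), operators only.
func (c *Claims) CanAct() bool { return c.IsOperator() }

// CanConfig: configuration changes are restricted to admins.
func (c *Claims) CanConfig() bool { return c.IsAdmin() }

// CanRead: any account holding at least one valid group may read.
func (c *Claims) CanRead() bool { return c.HasAnyGroup(GroupAdmin, GroupPanel, GroupAuditor) }

// CanViewLogs is treated here as identical to CanRead (assumption).
func (c *Claims) CanViewLogs() bool { return c.CanRead() }

// Authorize (hypothetical) maps an operation class to its guard.
// Unknown operations are denied so a new endpoint cannot be open by accident.
func Authorize(c *Claims, op string) bool {
	switch op {
	case "read", "status", "logs":
		return c.CanRead()
	case "ban", "unban", "whitelist":
		return c.CanAct()
	case "config":
		return c.CanConfig()
	}
	return false
}

func main() {
	// Constructed sample accounts: one per documented role, plus one with no valid group.
	accounts := []Claims{
		{Username: "root-admin", Groups: []string{GroupAdmin}},
		{Username: "panel-bot", Groups: []string{GroupPanel}},
		{Username: "auditor1", Groups: []string{GroupAuditor}},
		{Username: "nobody", Groups: []string{"users"}},
	}
	for _, a := range accounts {
		fmt.Printf("%-10s read=%-5v act=%-5v config=%v\n", a.Username,
			Authorize(&a, "read"), Authorize(&a, "ban"), Authorize(&a, "config"))
	}
}
```

The useful property to check in a review is that the permissions are strictly nested: CanConfig implies CanAct implies CanRead, and an account whose groups are all outside the three valid ones gets nothing, including read access.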
type PAMAuth
type PAMAuth struct {
    // contains filtered or unexported fields
}
PAMAuth handles PAM-based authentication.
func NewPAMAuth
NewPAMAuth creates a new PAM authentication handler.
Returns an error if the JWT secret is too short (security requirement).
func (*PAMAuth) Authenticate
Authenticate validates user credentials via a Unix socket to the auth service.
func (*PAMAuth) GenerateToken
GenerateToken creates a JWT token for an authenticated user.
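Two of the documented PAMAuth properties can be shown with the standard library alone: NewPAMAuth refuses a JWT secret shorter than MinJWTSecretLength, and GenerateToken issues a signed token carrying the claims. The block below is an added illustration, not the project's source (the project uses a JWT library, so its real GenerateToken signature and the PAM exchange over the Unix socket are not modelled here). It assumes HS256 signing with the secret as the HMAC key, a hypothetical GenerateToken(username, groups, ttl, now) signature, a minimal claim set, and adds a VerifyToken helper so the round trip, expiry and wrong-key cases can be exercised.

```go
package main

// Added example, not the project's code. Shows the MinJWTSecretLength gate
// in NewPAMAuth and an HS256 token round trip built on the standard library.
// Assumptions: HS256, hypothetical GenerateToken/VerifyToken signatures,
// claims limited to username, groups, iat and exp.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// MinJWTSecretLength: 32 bytes = 256 bits, from the package docs.
const MinJWTSecretLength = 32

type Claims struct {
	Username  string   `json:"username"`
	Groups    []string `json:"groups"`
	IssuedAt  int64    `json:"iat"`
	ExpiresAt int64    `json:"exp"`
}

type PAMAuth struct{ secret []byte }

// NewPAMAuth enforces the minimum secret length before the key is ever used:
// an HMAC key shorter than the hash output weakens every token issued with it.
func NewPAMAuth(secret []byte) (*PAMAuth, error) {
	if len(secret) < MinJWTSecretLength {
		return nil, fmt.Errorf("jwt secret too short: %d bytes, need at least %d", len(secret), MinJWTSecretLength)
	}
	return &PAMAuth{secret: secret}, nil
}

var b64 = base64.RawURLEncoding // JWT segments use unpadded base64url

// GenerateToken builds header.payload.signature with HMAC-SHA256.
func (p *PAMAuth) GenerateToken(username string, groups []string, ttl time.Duration, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(Claims{Username: username, Groups: groups, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, p.secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyToken recomputes the HMAC with the server's own key (the header's
// "alg" is deliberately not consulted, so the token cannot choose the
// algorithm), compares in constant time, then checks expiry.
func (p *PAMAuth) VerifyToken(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, p.secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.ExpiresAt {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// Constructed secrets: one too short, one of exactly the minimum length.
	if _, err := NewPAMAuth([]byte("short")); err != nil {
		fmt.Println("rejected:", err)
	}
	auth, _ := NewPAMAuth([]byte("0123456789abcdef0123456789abcdef"))
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	tok, _ := auth.GenerateToken("alice", []string{"nftban-panel"}, time.Hour, now)
	c, err := auth.VerifyToken(tok, now.Add(30*time.Minute))
	fmt.Println("valid:", c.Username, c.Groups, err)
	_, err = auth.VerifyToken(tok, now.Add(2*time.Hour))
	fmt.Println("after expiry:", err)
}
```

The length check belongs in the constructor rather than at signing time so that a misconfigured deployment fails at startup instead of silently issuing tokens under a weak key.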