Documentation ¶
Index ¶
- func FromAuthHeader(r *http.Request) (string, error)
- func OnError(w http.ResponseWriter, r *http.Request, err string)
- type AccessControl
- type IsUserAdminFunc
- type JSONWebKeys
- type JWTMiddleware
- func (m *JWTMiddleware) CheckJWTFromRequest(w http.ResponseWriter, r *http.Request) error
- func (m *JWTMiddleware) Handler(h http.Handler) http.Handler
- func (m *JWTMiddleware) HandlerWithNext(w http.ResponseWriter, r *http.Request, next http.HandlerFunc)
- func (m *JWTMiddleware) ValidateAndParse(token string) (*jwt.Token, error)
- type Jwks
- type Options
- type TokenExtractor
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FromAuthHeader ¶
FromAuthHeader is a "TokenExtractor" that takes a given request and extracts the JWT from the Authorization header.
Types ¶
type AccessControl ¶ added in v0.10.4
type AccessControl struct {
	// contains filtered or unexported fields
}
AccessControl is middleware that restricts POST/PUT/DELETE requests to admins only.
func NewAccessControl ¶ added in v0.10.4
func NewAccessControl(audience string, isUserAdmin IsUserAdminFunc) *AccessControl
NewAccessControl constructs an AccessControl instance.
type IsUserAdminFunc ¶ added in v0.6.0
type IsUserAdminFunc func(claims jwtclaims.AuthorizationClaims) (bool, error)
type JSONWebKeys ¶
type JSONWebKeys struct {
	Kty string   `json:"kty"`
	Kid string   `json:"kid"`
	Use string   `json:"use"`
	N   string   `json:"n"`
	E   string   `json:"e"`
	X5c []string `json:"x5c"`
}
JSONWebKeys is a representation of a JSON Web Key.
type JWTMiddleware ¶
type JWTMiddleware struct {
	Options Options
}
func New ¶
func New(options ...Options) *JWTMiddleware
New constructs a new JWTMiddleware instance with the supplied options.
func NewJwtMiddleware ¶
func NewJwtMiddleware(issuer string, audience string, keysLocation string) (*JWTMiddleware, error)
NewJwtMiddleware creates a new middleware that verifies the JWT sent via the Authorization header.
func (*JWTMiddleware) CheckJWTFromRequest ¶
func (m *JWTMiddleware) CheckJWTFromRequest(w http.ResponseWriter, r *http.Request) error
func (*JWTMiddleware) HandlerWithNext ¶
func (m *JWTMiddleware) HandlerWithNext(w http.ResponseWriter, r *http.Request, next http.HandlerFunc)
HandlerWithNext is a special implementation for Negroni, but could be used elsewhere.
func (*JWTMiddleware) ValidateAndParse ¶
func (m *JWTMiddleware) ValidateAndParse(token string) (*jwt.Token, error)
ValidateAndParse validates and parses a given access token against JWT standards and signing methods.
type Jwks ¶
type Jwks struct {
	Keys []JSONWebKeys `json:"keys"`
}
Jwks is a collection of JSONWebKeys obtained from Config.HttpServerConfig.AuthKeysLocation
type Options ¶
type Options struct {
	// The function that will return the Key to validate the JWT.
	// It can be either a shared secret or a public key.
	// Default value: nil
	ValidationKeyGetter jwt.Keyfunc
	// The name of the property in the request where the user information
	// from the JWT will be stored.
	// Default value: "user"
	UserProperty string
	// The function that will be called when there's an error validating the token
	// Default value:
	ErrorHandler errorHandler
	// A boolean indicating if the credentials are required or not
	// Default value: false
	CredentialsOptional bool
	// A function that extracts the token from the request
	// Default: FromAuthHeader (i.e., from Authorization header as bearer token)
	Extractor TokenExtractor
	// Debug flag turns on debugging output
	// Default: false
	Debug bool
	// When set, all requests with the OPTIONS method will use authentication
	// Default: false
	EnableAuthOnOptions bool
	// When set, the middleware verifies that tokens are signed with the specific signing algorithm
	// If the signing method is not constant the ValidationKeyGetter callback can be used to implement additional checks
	// Important to avoid security issues described here: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
	// Default: nil
	SigningMethod jwt.SigningMethod
}
Options is a struct for specifying configuration options for the middleware.
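An added example (not this package's code) of the algorithm check the SigningMethod comment calls for: the token header's alg is compared with one pinned value before any key is chosen, so the token cannot select how it is verified. The names checkAlg and constructedToken and the pinned value "RS256" are assumptions made for the illustration; signature verification itself stays with the JWT library.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so callers can tell a broken token from a disallowed algorithm.
var (
	errMalformed = errors.New("malformed token")
	errAlg       = errors.New("unexpected signing algorithm")
)

// checkAlg decodes only the JWT header and compares "alg" with the pinned
// algorithm (the role Options.SigningMethod plays). It does not verify the
// signature; it runs before key selection so the token cannot pick its verifier.
func checkAlg(token, want string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errMalformed
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return errMalformed
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return errMalformed
	}
	if hdr.Alg != want { // exact, case-sensitive match: "none", "HS256", "rs256" all fail
		return fmt.Errorf("%w: got %q, want %q", errAlg, hdr.Alg, want)
	}
	return nil
}

// constructedToken builds sample input: a real header, placeholder payload and signature.
func constructedToken(alg string) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	return base64.RawURLEncoding.EncodeToString(h) + ".e30.c2ln"
}

func main() {
	for _, alg := range []string{"RS256", "HS256", "none"} { // pin "RS256" is an assumed value
		fmt.Printf("%-5s -> %v\n", alg, checkAlg(constructedToken(alg), "RS256"))
	}
}
```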
type TokenExtractor ¶
TokenExtractor is a function that takes a request as input and returns either a token or an error. An error should only be returned if an attempt to specify a token was found, but the information was somehow incorrectly formed. In the case where a token is simply not present, this should not be treated as an error. An empty string should be returned in that case.
func FromFirst ¶
func FromFirst(extractors ...TokenExtractor) TokenExtractor
FromFirst returns a function that runs multiple token extractors and takes the first token it finds
func FromParameter ¶
func FromParameter(param string) TokenExtractor
FromParameter returns a function that extracts the token from the specified query string parameter