auth

package
v0.42.1 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 17, 2026 License: GPL-3.0 Imports: 13 Imported by: 0

Documentation

Constants

const PublicKeyHex = "7cb0bcc1d8e91e51f631c9ad6025e8e6e0222a27c3eeaf8608cf1c8430a6c6b0"

PublicKeyHex is the Ed25519 public key used for verifying binary signatures. This is hardcoded into the binary and used by the upgrade/update commands.

Variables

var (
	ErrUnsupportedMech = errors.New("Unsupported SASL mechanism")
	ErrInvalidAuthCred = errors.New("auth: invalid credentials")
)

Functions

func CheckDomainAuth

func CheckDomainAuth(username string, perDomain bool, allowedDomains []string) (loginName string, allowed bool)

func GetPublicKey

func GetPublicKey() []byte

GetPublicKey returns the decoded Ed25519 public key.

func NormalizeUsername

func NormalizeUsername(username string) string

func ValidateLoginDomain added in v0.20.0

func ValidateLoginDomain(username, expectedDomain string) error

ValidateLoginDomain checks that a username is in the format localpart@domain where domain exactly matches the expected domain (case-insensitive). This prevents JIT account creation for arbitrary usernames like:

  • x@y@z (multiple @ signs)
  • user@%5b1.2.3.4%5d (URL-encoded brackets)
  • user@wrongdomain
  • user@abcd (random domain)

The expectedDomain should already be in the canonical form, e.g. "[1.1.1.1]". The username is normalized before comparison (bare IPs get brackets added).
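The check described above, as an added sketch that is not the package's own implementation: `validateLoginDomainSketch` and `wrapIPSketch` are hypothetical names, and the bracketing rule (any literal that parses as an IP gets wrapped) is an assumption about how normalization works.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// wrapIPSketch brackets a bare IP literal ("1.2.3.4" -> "[1.2.3.4]").
// Hypothetical helper; the package's WrapIP may behave differently.
func wrapIPSketch(domain string) string {
	if net.ParseIP(domain) != nil {
		return "[" + domain + "]"
	}
	return domain
}

// validateLoginDomainSketch accepts only localpart@domain with exactly one
// '@', non-empty parts, and a domain equal to expectedDomain
// (case-insensitive) after bare-IP bracketing.
func validateLoginDomainSketch(username, expectedDomain string) error {
	local, domain, ok := strings.Cut(username, "@")
	if !ok || local == "" || domain == "" {
		return errors.New("username must be localpart@domain")
	}
	if strings.Contains(domain, "@") {
		return errors.New("multiple @ signs")
	}
	// No URL-decoding: "%5b1.2.3.4%5d" is compared literally and fails.
	if !strings.EqualFold(wrapIPSketch(domain), expectedDomain) {
		return fmt.Errorf("domain %q does not match %q", domain, expectedDomain)
	}
	return nil
}

func main() {
	// Constructed inputs: the four rejected forms listed above, then two
	// forms that should be accepted for expectedDomain "[1.2.3.4]".
	for _, u := range []string{"x@y@z", "user@%5b1.2.3.4%5d", "user@wrongdomain",
		"user@abcd", "user@1.2.3.4", "User@[1.2.3.4]"} {
		fmt.Printf("%-22s -> %v\n", u, validateLoginDomainSketch(u, "[1.2.3.4]"))
	}
}
```

Rejecting instead of decoding or trimming keeps the accepted username set to exactly one canonical spelling per account, which is what stops just-in-time creation of look-alike accounts.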

func WrapIP

func WrapIP(domain string) string

Types

type ContextData

type ContextData struct {
	// Authentication username. May be different from identity.
	Username string

	// Password used for password-based mechanisms.
	Password string
}

type FailingSASLServ

type FailingSASLServ struct{ Err error }

func (FailingSASLServ) Next

func (s FailingSASLServ) Next([]byte) ([]byte, bool, error)

type SASLAuth

type SASLAuth struct {
	Log         log.Logger
	OnlyFirstID bool
	EnableLogin bool

	AuthMap       module.Table
	AuthNormalize authz.NormalizeFunc

	Plain []module.PlainAuth
}

SASLAuth is a wrapper that initializes sasl.Server using authenticators that call maddy module objects.

It also handles username translation using auth_map and auth_map_normalize (AuthMap and AuthNormalize should be set).

It supports reporting of multiple authorization identities so multiple accounts can be associated with a single set of credentials.

func (*SASLAuth) AddProvider

func (s *SASLAuth) AddProvider(m *config.Map, node config.Node) error

AddProvider adds the SASL authentication provider to its mapping by parsing the 'auth' configuration directive.

func (*SASLAuth) AuthPlain

func (s *SASLAuth) AuthPlain(username, password string) error

func (*SASLAuth) CreateSASL

func (s *SASLAuth) CreateSASL(mech string, remoteAddr net.Addr, successCb func(identity string, data ContextData) error) sasl.Server

CreateSASL creates the sasl.Server instance for the corresponding mechanism.

func (*SASLAuth) IsRegistrationOpen

func (s *SASLAuth) IsRegistrationOpen() bool

func (*SASLAuth) IsTurnEnabled

func (s *SASLAuth) IsTurnEnabled() bool

func (*SASLAuth) SASLMechanisms

func (s *SASLAuth) SASLMechanisms() []string
