package gocb
import (
	"crypto/tls"
	"errors"

	gocbcore "github.com/couchbase/gocbcore/v9"
)
// UserPassPair represents a username and password pair.
// It is the gocb-level form of gocbcore.UserPassPair; coreAuthWrapper converts
// between the two with a plain type conversion. The Password field is held in
// clear text in memory, so callers should avoid logging or persisting these values.
// VOLATILE: This API is subject to change at any time.
type UserPassPair gocbcore.UserPassPair
// AuthCredsRequest encapsulates the data for a credential request
// from the new Authenticator interface.
// VOLATILE: This API is subject to change at any time.
type AuthCredsRequest struct {
	// Service is the service the credentials are being requested for.
	Service ServiceType
	// Endpoint identifies the endpoint the credentials are being requested for.
	// It is passed through from gocbcore unchanged and is not validated here.
	Endpoint string
}
// AuthCertRequest encapsulates the data for a certificate request
// from the new Authenticator interface.
// VOLATILE: This API is subject to change at any time.
type AuthCertRequest struct {
	// Service is the service the client certificate is being requested for.
	Service ServiceType
	// Endpoint identifies the endpoint the certificate will be presented to.
	// It is passed through from gocbcore unchanged and is not validated here.
	Endpoint string
}
// Authenticator provides an interface to authenticate to each service. Note that
// only authenticators implemented via the SDK are stable.
//
// Contract as relied on in this file: Certificate may return (nil, nil) when no
// client certificate is to be presented (PasswordAuthenticator does this), and
// Credentials is expected to return exactly one UserPassPair — getSingleCredential
// rejects any other count with gocbcore.ErrInvalidCredentials.
type Authenticator interface {
	// SupportsTLS reports whether the authenticator can be used on a TLS connection.
	// VOLATILE: This API is subject to change at any time.
	SupportsTLS() bool
	// SupportsNonTLS reports whether the authenticator can be used on a plaintext
	// connection. NOTE(review): reporting true means any credentials this
	// authenticator hands out may be sent without transport encryption.
	// VOLATILE: This API is subject to change at any time.
	SupportsNonTLS() bool
	// Certificate returns the client certificate to present to the endpoint in req.
	// VOLATILE: This API is subject to change at any time.
	Certificate(req AuthCertRequest) (*tls.Certificate, error)
	// Credentials returns the username/password pairs for the endpoint in req.
	// VOLATILE: This API is subject to change at any time.
	Credentials(req AuthCredsRequest) ([]UserPassPair, error)
}
// PasswordAuthenticator implements an Authenticator which uses an RBAC username and password.
// The same Username/Password pair is returned by Credentials for every service
// and endpoint, and the authenticator reports itself usable on both TLS and
// non-TLS connections. NOTE(review): on a non-TLS connection the password is
// not protected by transport encryption; prefer TLS on any untrusted network.
type PasswordAuthenticator struct {
	// Username is the RBAC user name presented to the cluster.
	Username string
	// Password is the user's password, held in clear text; do not log it.
	Password string
}
// SupportsTLS returns whether this authenticator can authenticate a TLS connection.
// Username/password credentials can always be presented over TLS, so this is
// unconditionally true.
// VOLATILE: This API is subject to change at any time.
func (ra PasswordAuthenticator) SupportsTLS() bool {
	const tlsSupported = true
	return tlsSupported
}
// SupportsNonTLS returns whether this authenticator can authenticate a non-TLS connection.
// This is unconditionally true: the authenticator reports itself usable on
// plaintext connections as well. NOTE(review): on such a connection the
// username and password are not protected by transport encryption, so TLS
// should be preferred wherever the network is not fully trusted.
// VOLATILE: This API is subject to change at any time.
func (ra PasswordAuthenticator) SupportsNonTLS() bool {
	const nonTLSSupported = true
	return nonTLSSupported
}
// Certificate returns the certificate to use when connecting to a specified server.
// Password authentication carries no client certificate, so the result is
// always (nil, nil) regardless of req: a nil certificate with a nil error means
// "present no client certificate", not a failure.
// VOLATILE: This API is subject to change at any time.
func (ra PasswordAuthenticator) Certificate(req AuthCertRequest) (*tls.Certificate, error) {
	var noCert *tls.Certificate
	return noCert, nil
}
// Credentials returns the credentials for a particular service.
// The same Username/Password pair is returned for every service and endpoint;
// req is not consulted. Exactly one pair is returned, which is the count
// getSingleCredential requires.
// VOLATILE: This API is subject to change at any time.
func (ra PasswordAuthenticator) Credentials(req AuthCredsRequest) ([]UserPassPair, error) {
	pair := UserPassPair{
		Username: ra.Username,
		Password: ra.Password,
	}
	return []UserPassPair{pair}, nil
}
// CertificateAuthenticator implements an Authenticator which can be used with certificate authentication.
// It only supports TLS connections (SupportsNonTLS reports false) and presents
// no username/password: Credentials returns a single pair with empty fields.
type CertificateAuthenticator struct {
	// ClientCertificate is the tls.Certificate (certificate chain plus private
	// key) presented during the TLS handshake. Certificate returns it as-is; its
	// contents are not validated here.
	ClientCertificate *tls.Certificate
}
// SupportsTLS returns whether this authenticator can authenticate a TLS connection.
// Client-certificate authentication happens inside the TLS handshake, so this
// is unconditionally true.
// VOLATILE: This API is subject to change at any time.
func (ca CertificateAuthenticator) SupportsTLS() bool {
	const tlsSupported = true
	return tlsSupported
}
// SupportsNonTLS returns whether this authenticator can authenticate a non-TLS connection.
// A client certificate can only be presented during a TLS handshake, so this
// is unconditionally false: a CertificateAuthenticator must never be used on a
// plaintext connection.
// VOLATILE: This API is subject to change at any time.
func (ca CertificateAuthenticator) SupportsNonTLS() bool {
	const nonTLSSupported = false
	return nonTLSSupported
}
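// Certificate returns the certificate to use when connecting to a specified server.
// The configured ClientCertificate is returned unchanged for every service and
// endpoint; req is not consulted. A CertificateAuthenticator with a nil
// ClientCertificate cannot authenticate anything, so that misconfiguration is
// reported as an error here instead of surfacing later as an opaque handshake
// or authentication failure against the server.
// VOLATILE: This API is subject to change at any time.
func (ca CertificateAuthenticator) Certificate(req AuthCertRequest) (*tls.Certificate, error) {
	if ca.ClientCertificate == nil {
		return nil, errors.New("gocb: CertificateAuthenticator has no ClientCertificate configured")
	}
	return ca.ClientCertificate, nil
}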
// Credentials returns the credentials for a particular service.
// Certificate authentication has no username or password, so a single pair
// with empty fields is returned for every req; returning one entry rather than
// none is what getSingleCredential expects.
// VOLATILE: This API is subject to change at any time.
func (ca CertificateAuthenticator) Credentials(req AuthCredsRequest) ([]UserPassPair, error) {
	var emptyPair UserPassPair
	return []UserPassPair{emptyPair}, nil
}
// getSingleCredential asks auth for the credentials matching req and requires
// exactly one UserPassPair. An error from Credentials is returned as-is; zero
// or several pairs are rejected with gocbcore.ErrInvalidCredentials. The
// returned pair is the zero value whenever the error is non-nil.
func getSingleCredential(auth Authenticator, req AuthCredsRequest) (UserPassPair, error) {
	pairs, err := auth.Credentials(req)
	switch {
	case err != nil:
		return UserPassPair{}, err
	case len(pairs) != 1:
		return UserPassPair{}, gocbcore.ErrInvalidCredentials
	}
	return pairs[0], nil
}
// coreAuthWrapper adapts a gocb Authenticator to the authenticator shape
// gocbcore expects: it forwards each call to auth, converting the request and
// UserPassPair types between the two packages.
type coreAuthWrapper struct {
	// auth is the wrapped gocb Authenticator; every method delegates to it.
	auth Authenticator
}
// SupportsTLS reports whether the wrapped Authenticator can be used on a TLS
// connection; the answer is delegated unchanged.
func (auth *coreAuthWrapper) SupportsTLS() bool {
	inner := auth.auth
	return inner.SupportsTLS()
}
// SupportsNonTLS reports whether the wrapped Authenticator can be used on a
// plaintext connection; the answer is delegated unchanged.
func (auth *coreAuthWrapper) SupportsNonTLS() bool {
	inner := auth.auth
	return inner.SupportsNonTLS()
}
// Certificate translates a gocbcore certificate request into the gocb
// AuthCertRequest shape (Service converted to ServiceType, Endpoint copied
// through) and forwards it to the wrapped Authenticator, returning its result
// unchanged.
func (auth *coreAuthWrapper) Certificate(req gocbcore.AuthCertRequest) (*tls.Certificate, error) {
	sdkReq := AuthCertRequest{
		Service:  ServiceType(req.Service),
		Endpoint: req.Endpoint,
	}
	return auth.auth.Certificate(sdkReq)
}
// Credentials translates a gocbcore credentials request into the gocb
// AuthCredsRequest shape, forwards it to the wrapped Authenticator and converts
// each returned UserPassPair back to the gocbcore type. An error from the
// wrapped authenticator is returned with a nil slice; otherwise the result is
// always a non-nil slice of the same length as the wrapped result (possibly
// empty). The number of pairs is not checked here — that is left to callers
// such as getSingleCredential.
func (auth *coreAuthWrapper) Credentials(req gocbcore.AuthCredsRequest) ([]gocbcore.UserPassPair, error) {
	sdkReq := AuthCredsRequest{
		Service:  ServiceType(req.Service),
		Endpoint: req.Endpoint,
	}
	pairs, err := auth.auth.Credentials(sdkReq)
	if err != nil {
		return nil, err
	}
	out := make([]gocbcore.UserPassPair, 0, len(pairs))
	for _, pair := range pairs {
		out = append(out, gocbcore.UserPassPair(pair))
	}
	return out, nil
}