Skip to content

Latest commit

 

History

History
212 lines (172 loc) · 4.82 KB

README.md

File metadata and controls

212 lines (172 loc) · 4.82 KB

Go Report Card

Running

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout tls.key -out tls.crt -subj /CN=localhost
TLS_CRT="$(<test/tls.crt)" TLS_KEY="$(<test/tls.key)" SIGNING_METHOD=RS256 ./autentigo

Request examples

Simple authentication:

$ curl -H'Content-Type: application/json' localhost:8080/simple -d'{"user":"test-user","password":"test-password"}' |jq .
{
  "token": "<TOKEN>",
  "claims": {
    "exp": 1531110508,
    "iat": 1531106908,
    "sub": "test-user",
    "display_name": "Display Name",
    "email": "email@example.com",
    "email_verified": true,
    "groups": [
      "group1",
      "group2"
    ]
  }
  "claims":
}

Basic authentication:

$ curl -i localhost:8080/basic
HTTP/1.1 401 Unauthorized
Www-Authenticate: Basic realm="Autorizo"
Date: Wed, 27 Jun 2018 06:50:59 GMT
Content-Length: 14
Content-Type: text/plain; charset=utf-8

Unauthorized.
$ curl --basic --user test-user:test-password localhost:8080/basic |jq .
{
  "token": "<TOKEN>",
  "claims": {
    "exp": 1531110508,
    "iat": 1531106908,
    "sub": "test-user",
    "display_name": "Display Name",
    "email": "email@example.com",
    "email_verified": true,
    "groups": [
      "group1",
      "group2"
    ]
  }
}

Basic authentication, setting only a cookie (also supported on /simple):

$ curl --basic --user test-user:test-password localhost:8080/basic -H'X-Set-Cookie: token' -i
HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: token=<TOKEN>; HttpOnly; Secure
Date: Thu, 28 Jun 2018 22:59:57 GMT
Content-Length: 67

{
  "exp": 1530230397,
  "iat": 1530226797,
  "sub": "test-user",
  ...
 }

Flags

autentigo --help

Environment

Variable Description
TLS_CRT The certificate to check tokens
TLS_KEY The key to sign tokens
SIGNING_METHOD The signing method to use (https://tools.ietf.org/html/rfc7518#section-3.1)
AUTH_BACKEND choose an authentication backend (default: stupid)

Auth backends

stupid

Always accept the given credentials.

file

Reads a file, defined by the AUTH_FILE env, in the format:

<user name>:<password SHA256 (hex)>:email:email_validated:groups

Only user and password are required.

Adding an entry can be done this way:

echo test-user:$(echo -n test-password |sha256sum |awk '{print $1}'):Display Name:email@example.com:yes:group1,group2 >>users

LDAP simple bind

Tries to bind to an LDAP server, defined by the LDAP_SERVER env, with the given credentials and using LDAP_USER as a username template.

Example:

AUTH_BACKEND=ldap-bind \
LDAP_SERVER=ldap://localhost:389 \
LDAP_USER=uid=%s,ou=users,dc=example,dc=com \
autentigo

etcd lookup

Looks up the user in etcd, with a key like prefix/user-name. Takes an optionnal ETCD_TIMEOUT to change the lookup timeout.

Example:

AUTH_BACKEND=etcd \
ETCD_ENDPOINTS=http://localhost:2379 \
ETCD_PREFIX=/users \
autentigo

Allowed extra claims in the etcd object:

{
    "password_hash": "<password sha256, hex encoded)>",
    "groups": [ "app1-admin", "app2-reader" ],
    "display_name": "Display Name",
    "email": "user@host",
    "email_verified": true
}

SQL database lookup

Looks up the user in the SQL database.

Example:

docker run --name autentigo-postgres --network host -e POSTGRES_PASSWORD=password -e POSTGRES_USER=postgres -e POSTGRES_DB=postgres -p 5432:5432 -d postgres:12-alpine
CREATE TABLE IF NOT EXISTS auth_users(
ID VARCHAR PRIMARY KEY NOT NULL,
PASSWORD_HASH VARCHAR NOT NULL,
DISPLAY_NAME VARCHAR NOT NULL,
EMAIL VARCHAR NOT NULL,
EMAIL_VERIFIED BOOLEAN,
GROUPS VARCHAR NOT NULL
);
INSERT INTO auth_users(id,password_hash, display_name, email, email_verified, groups) VALUES('test-user','5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8','Test User','user@test.com',false,'group1,group2,group3');
AUTH_BACKEND=sql \
SQL_DRIVER=postgres\
SQL_DSN="user=postgres password=postgres host=localhost dbname=postgres sslmode=disable"\
SQL_USER_TABLE=users \
autentigo

Allowed extra claims in the object:

{
    "password_hash": "<password sha256, hex encoded)>",
    "groups": [ "app1-admin", "app2-reader" ],
    "display_name": "Display Name",
    "email": "user@host",
    "email_verified": true
}

mongo lookup

Looks up the user in mongo, with a key defined on MONGO_FIELD.

Example:

AUTH_BACKEND=mongo \
MONGO_ENDPOINT=mongodb://mongodb:27017 \
MONGO_DATABASE=projectx \
MONGO_COLLECTION=users \
MONGO_FIELD=email \
autentigo

Testing

You need docker to test because it will automatically download and start a postgres server.