gocbcore/auth.go at master · couchbase/gocbcore · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
package gocbcore

import (
	"crypto/tls"
	"fmt"
)

// UserPassPair represents a username and password pair.
type UserPassPair struct {
	Username string
	Password string
}

// AuthCredsRequest represents an authentication details request from the agent.
type AuthCredsRequest struct {
	Service  ServiceType
	Endpoint string
}

// AuthCertRequest represents a certificate details request from the agent.
type AuthCertRequest struct {
	Service  ServiceType
	Endpoint string
}

// AuthProvider is an interface to allow the agent to fetch authentication
// credentials on-demand from the application.
type AuthProvider interface {
	SupportsTLS() bool
	SupportsNonTLS() bool
	Certificate(req AuthCertRequest) (*tls.Certificate, error)
	Credentials(req AuthCredsRequest) ([]UserPassPair, error)
}

// UNCOMMITTED: This API may change in the future.
type JWT = string

// UNCOMMITTED: This API may change in the future.
type AuthProviderJWT interface {
	AuthMechanismProvider
	JWT(req AuthCredsRequest) (JWT, error)

	// ContainsJWT allows Authenticator implementations to implement AuthProviderJWT whilst not actually
	// providing JWTs. This is primarily useful for composite authenticators that are used for multiple auth
	// methods.
	ContainsJWT() bool
}

type AuthMechanismProvider interface {
	DefaultAuthMechanisms(tlsEnabled bool) []AuthMechanism
}

type authCreds struct {
	UserPass UserPassPair
	JWT      JWT
}

func (k *authCreds) ContainsCreds() bool {
	return k.IsJWT() || k.IsUserPass()
}

func (k *authCreds) IsJWT() bool {
	return len(k.JWT) > 0
}

func (k *authCreds) IsUserPass() bool {
	return len(k.UserPass.Username) > 0 || len(k.UserPass.Password) > 0
}

func getKvAuthCreds(auth AuthProvider, endpoint string) (*authCreds, error) {
	if a, ok := auth.(AuthProviderJWT); ok {
		if a.ContainsJWT() {
			jwt, err := a.JWT(AuthCredsRequest{
				Service:  MemdService,
				Endpoint: endpoint,
			})
			if err != nil {
				return nil, err
			}

			if len(jwt) == 0 {
				return nil, errInvalidCredentials
			}

			return &authCreds{
				JWT: jwt,
			}, nil
		}
	}

	creds, err := auth.Credentials(AuthCredsRequest{
		Service:  MemdService,
		Endpoint: endpoint,
	})
	if err != nil {
		return nil, err
	}

	if len(creds) != 1 {
		return nil, errInvalidCredentials
	}

	return &authCreds{
		UserPass: creds[0],
	}, nil
}

// PasswordAuthProvider provides a standard AuthProvider implementation
// for use with a standard username/password pair (for example, RBAC).
type PasswordAuthProvider struct {
	Username string
	Password string
}

// SupportsNonTLS specifies whether this authenticator supports non-TLS connections.
func (auth PasswordAuthProvider) SupportsNonTLS() bool {
	return true
}

// SupportsTLS specifies whether this authenticator supports TLS connections.
func (auth PasswordAuthProvider) SupportsTLS() bool {
	return true
}

// Certificate directly returns a certificate chain to present for the connection.
func (auth PasswordAuthProvider) Certificate(req AuthCertRequest) (*tls.Certificate, error) {
	return nil, nil
}

// Credentials directly returns the username/password from the provider.
func (auth PasswordAuthProvider) Credentials(req AuthCredsRequest) ([]UserPassPair, error) {
	return []UserPassPair{{
		Username: auth.Username,
		Password: auth.Password,
	}}, nil
}

func (auth PasswordAuthProvider) String() string {
	return fmt.Sprintf("%p", &auth)
}

func (auth PasswordAuthProvider) DefaultAuthMechanisms(tlsEnabled bool) []AuthMechanism {
	if tlsEnabled {
		return []AuthMechanism{ScramSha512AuthMechanism, ScramSha256AuthMechanism, ScramSha1AuthMechanism}
	}

	return []AuthMechanism{PlainAuthMechanism}
}

// UNCOMMITTED: This API may change in the future.
type JWTAuthProvider struct {
	Token string
}

func (j JWTAuthProvider) SupportsTLS() bool {
	return true
}

func (j JWTAuthProvider) SupportsNonTLS() bool {
	return false
}

func (j JWTAuthProvider) Certificate(req AuthCertRequest) (*tls.Certificate, error) {
	return nil, nil
}

func (j JWTAuthProvider) Credentials(req AuthCredsRequest) ([]UserPassPair, error) {
	return nil, nil
}

func (j JWTAuthProvider) JWT(req AuthCredsRequest) (string, error) {
	return j.Token, nil
}

func (j JWTAuthProvider) ContainsJWT() bool {
	return true
}

func (j JWTAuthProvider) DefaultAuthMechanisms(_tlsEnabled bool) []AuthMechanism {
	return []AuthMechanism{OAuthBearerAuthMechanism}
}