package
2024.3.0+incompatible
Repository: https://github.com/hiveot/hub.git
Documentation: pkg.go.dev

# README

tlsserver

This package provides a wrapper around the Go HTTP TLS server and authenticates the sender of each request using Basic authentication, a client certificate, or a JWT bearer token.

Status

Functional. This has been moved over from an older project and still needs to be brought in line with the HiveOT Hub project.

Server Usage

NewAuthenticator provides a handler that verifies the credentials supplied with a request and supports several authentication methods:

  • Client Certificate authentication

    The client presents a client certificate on its TLS connection. The certificate carries the clientID in the CN field and the role in the OU field, and is signed by the Hub CA.

  • BASIC authentication. See also: https://www.alexedwards.net/blog/basic-authentication-in-go

    Parse the Authorization header, where base64 is a function that encodes the "username:password" string in base64 format.

    Authorization: Basic base64("username:password")

  • DIGEST authentication

    1. Client performs a GET request.
    2. Server responds with 401 and the header WWW-Authenticate: Digest, with the fields realm, qop, algorithm, nonce and opaque.
    3. Client obtains the login credentials (username and password) from the user.
    4. Client repeats the request including the header: Authorization: Digest username="", realm=, nonce=, qop=, opaque=, algorithm=, response=, cnonce=, userhash=

  • JWT authentication

    The client makes a login request providing its credentials and a requested hash algorithm. The server returns a bearer token which is a hash of The default hash is MD5. A different algorithm can be configured. All future requests include an Authorization header carrying the bearer token:

    Authorization: Bearer asldkasdwerpwoierwperowepr

```go
// password store backing Basic authentication
pwStore := unpwstore.NewPasswordFileStore(path)
// container that chains the enabled authenticators (certificate is enabled by default)
httpAuthenticator := authenticator.NewHttpAuthenticator(pwStore)
// every request to path must pass authentication before reaching the handler
router.HandleFunc(path, httpauth.NewAuthHandler(httpAuthenticator.Authenticate))
```

For JWT authentication, also register a login handler so clients can obtain a token:

```go
// clients POST their credentials here and receive a bearer token
router.HandleFunc("/login", httpauth.LoginHandler)
```
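The JWT flow described above (a login request returns a bearer token, later requests carry it in the Authorization header, and the server checks it with its public key), as an added example that is not the package's own implementation. It signs with Ed25519 from the Go standard library instead of the package's JWT library and the MD5 default mentioned above; the names IssueToken, VerifyToken, LoginHandler and the Claims layout are assumptions for this example. The verifier goes a step beyond the text by pinning the algorithm before it looks at the signature, so a token that declares "none" or a different algorithm is rejected regardless of its signature.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Claims carried in the token payload.
type Claims struct {
	Subject   string `json:"sub"`  // clientID
	Role      string `json:"role"` // role granted at login
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

var ErrInvalidToken = errors.New("invalid token")

var enc = base64.RawURLEncoding // JWT segments are unpadded base64url

// IssueToken builds header.payload and signs it with the server's private key.
func IssueToken(priv ed25519.PrivateKey, clientID, role string, ttl time.Duration, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, err := json.Marshal(Claims{Subject: clientID, Role: role, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyToken needs only the public key. It pins the algorithm first, verifies the signature over the
// exact bytes received, and only then trusts the claims and checks the expiry.
func VerifyToken(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrInvalidToken
	}
	headerJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return Claims{}, ErrInvalidToken
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(headerJSON, &header) != nil || header.Alg != "EdDSA" {
		return Claims{}, ErrInvalidToken // "none" and algorithm-confusion tokens end here
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, ErrInvalidToken
	}
	payloadJSON, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, ErrInvalidToken
	}
	var claims Claims
	if json.Unmarshal(payloadJSON, &claims) != nil || claims.Subject == "" {
		return Claims{}, ErrInvalidToken
	}
	if claims.ExpiresAt <= now.Unix() {
		return Claims{}, errors.New("token expired")
	}
	return claims, nil
}

// LoginHandler checks the posted credentials with the caller-supplied verifier and answers with a
// fresh token; the verifier returns the role to embed in the token.
func LoginHandler(priv ed25519.PrivateKey, ttl time.Duration, verify func(user, password string) (string, bool)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		var body struct{ ClientID, Password string }
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&body); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		role, ok := verify(body.ClientID, body.Password)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		tok, err := IssueToken(priv, body.ClientID, role, ttl, time.Now())
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{"token": tok})
	}
}
```

Because only the public key is needed to verify, the verifying side can be deployed separately from the login service that holds the private key, which is the property the NewJWTAuthenticator description below relies on.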

Client Usage

TODO: describe the authentication clients.

# Functions

GetBearerToken returns the bearer token from the HTTP request Authorization header. Returns an error if no token is present or the token isn't a bearer token.
NewBasicAuthenticator creates a new HTTP Basic authenticator. verifyUsernamePassword is the handler that validates the loginID and secret.
NewCertAuthenticator creates a new HTTP certificate authenticator. Use .AuthenticateRequest() to authenticate the incoming request.
NewHttpAuthenticator creates a container to apply HTTP request authenticators. By default the certificate authenticator is enabled.
NewJWTAuthenticator creates a new JWT authenticator. publicKey is the public key for verifying the signature made with the private key.
NewTLSServer creates a new TLS MsgServer instance with authentication support.

# Structs

BasicAuthenticator decodes the authentication method used in the request and authenticates the user.
CertAuthenticator verifies that client certificate authentication is used. This simply checks whether a client certificate is active and assumes that having one is sufficient to pass authentication.
HttpAuthenticator chains the selected authenticators.
JWTAuthenticator verifies an issued JWT access token using the provided public key.
JwtClaims: this is temporary while figuring things out.
TLSServer is a simple TLS MsgServer supporting BASIC, JWT and client certificate authentication.