mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
a3b14871ba
This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
78 lines
2.4 KiB
Go
78 lines
2.4 KiB
Go
package authentication
|
|
|
|
import (
|
|
"errors"
|
|
)
|
|
|
|
// Level is the type representing a level of authentication.
|
|
type Level int
|
|
|
|
const (
|
|
// NotAuthenticated if the user is not authenticated yet.
|
|
NotAuthenticated Level = iota
|
|
// OneFactor if the user has passed first factor only.
|
|
OneFactor Level = iota
|
|
// TwoFactor if the user has passed two factors.
|
|
TwoFactor Level = iota
|
|
)
|
|
|
|
const (
|
|
// TOTP Method using Time-Based One-Time Password applications like Google Authenticator.
|
|
TOTP = "totp"
|
|
// U2F Method using U2F devices like Yubikeys.
|
|
U2F = "u2f"
|
|
// Push Method using Duo application to receive push notifications.
|
|
Push = "mobile_push"
|
|
)
|
|
|
|
const (
|
|
ldapSupportedExtensionAttribute = "supportedExtension"
|
|
ldapOIDPasswdModifyExtension = "1.3.6.1.4.1.4203.1.11.1" // http://oidref.com/1.3.6.1.4.1.4203.1.11.1
|
|
)
|
|
|
|
const (
|
|
ldapPlaceholderInput = "{input}"
|
|
ldapPlaceholderDistinguishedName = "{dn}"
|
|
ldapPlaceholderUsername = "{username}"
|
|
)
|
|
|
|
// PossibleMethods is the set of all possible 2FA methods.
|
|
var PossibleMethods = []string{TOTP, U2F, Push}
|
|
|
|
// CryptAlgo the crypt representation of an algorithm used in the prefix of the hash.
|
|
type CryptAlgo string
|
|
|
|
const (
|
|
// HashingAlgorithmArgon2id Argon2id hash identifier.
|
|
HashingAlgorithmArgon2id CryptAlgo = argon2id
|
|
// HashingAlgorithmSHA512 SHA512 hash identifier.
|
|
HashingAlgorithmSHA512 CryptAlgo = "6"
|
|
)
|
|
|
|
// These are the default values from the upstream crypt module we use them to for GetInt
|
|
// and they need to be checked when updating github.com/simia-tech/crypt.
|
|
const (
|
|
HashingDefaultArgon2idTime = 1
|
|
HashingDefaultArgon2idMemory = 32 * 1024
|
|
HashingDefaultArgon2idParallelism = 4
|
|
HashingDefaultArgon2idKeyLength = 32
|
|
HashingDefaultSHA512Iterations = 5000
|
|
)
|
|
|
|
// HashingPossibleSaltCharacters represents valid hashing runes.
|
|
var HashingPossibleSaltCharacters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/")
|
|
|
|
// ErrUserNotFound indicates the user wasn't found in the authentication backend.
|
|
var ErrUserNotFound = errors.New("user not found")
|
|
|
|
const argon2id = "argon2id"
|
|
const sha512 = "sha512"
|
|
|
|
const testPassword = "my;secure*password"
|
|
|
|
const fileAuthenticationMode = 0600
|
|
|
|
// OWASP recommends to escape some special characters.
|
|
// https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md
|
|
const specialLDAPRunes = ",#+<>;\"="
|