1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
package proxy
import (
"errors"
"net"
"strings"
"time"
)
var authIface AuthBackend
var (
ErrAuthBackendExists = errors.New("auth backend already set")
ErrInvalidSRPHeader = errors.New("encoded password is not SRP")
ErrLastSrvNotSupported = errors.New("auth backend does not support server information")
)
type User struct {
Name string
Salt []byte
Verifier []byte
Timestamp time.Time
}
type Ban struct {
Addr string
Name string
}
// An AuthBackend provides authentication and moderation functionality.
// This typically includes persistent storage.
// It does not handle authorization, i.e. permission checks.
// All methods are safe for concurrent use.
type AuthBackend interface {
// Exists reports whether a user with the specified name exists.
// The result is false if an error is encountered.
Exists(name string) bool
// Passwd returns the SRP verifier and salt of the user
// with the specified name or an error.
Passwd(name string) (salt, verifier []byte, err error)
// SetPasswd sets the SRP verifier and salt of the user
// with the specified name.
SetPasswd(name string, salt, verifier []byte) error
// LastSrv returns the name of the last server the user
// with the specified name intentionally connected to or an error.
// This method should return an error if this feature is unsupported.
// Errors are handled gracefully (by connecting the user
// to the default server or group) and aren't logged.
LastSrv(name string) (string, error)
// SetLastSrv sets the name of the last server the user
// with the specified name intentionally connected to.
// This method should not return an error if this feature is unsupported.
// Errors will make server hopping fail.
SetLastSrv(name, srv string) error
// Timestamp returns the last time the user with the specified name
// connected to the proxy or an error.
Timestamp(name string) (time.Time, error)
// Import adds or modifies authentication entries in bulk.
Import(in []User) error
// Export returns all authentication entries or an error.
Export() ([]User, error)
// Ban adds a ban entry for a network address and an associated name.
// Only the specified network address is banned from connecting.
// Existing connections are not kicked.
Ban(addr, name string) error
// Unban deletes a ban entry by network address or username.
Unban(id string) error
// Banned reports whether a network address is banned.
// The result is true if an error is encountered.
Banned(addr *net.UDPAddr) bool
// ImportBans adds or modifies ban entries in bulk.
ImportBans(in []Ban) error
// Export returns all ban entries or an error.
ExportBans() ([]Ban, error)
}
// DefaultAuth returns the authentication backend that is currently in use
// or nil during initialization time.
func DefaultAuth() AuthBackend {
return authIface
}
func setAuthBackend(ab AuthBackend) error {
if authIface != nil {
return ErrAuthBackendExists
}
authIface = ab
return nil
}
func EncodeVerifierAndSalt(salt, verifier []byte) string {
return "#1#" + b64.EncodeToString(salt) + "#" + b64.EncodeToString(verifier)
}
func DecodeVerifierAndSalt(encodedPasswd string) ([]byte, []byte, error) {
if !strings.HasPrefix(encodedPasswd, "#1#") {
return nil, nil, ErrInvalidSRPHeader
}
salt, err := b64.DecodeString(strings.Split(encodedPasswd, "#")[2])
if err != nil {
return nil, nil, err
}
verifier, err := b64.DecodeString(strings.Split(encodedPasswd, "#")[3])
if err != nil {
return nil, nil, err
}
return salt, verifier, nil
}
|
