This repository was archived by the owner on Jan 6, 2025. It is now read-only.
protocol.go
package auth
import "time"
// PasswordAuthRequest is an authentication request for password authentication.
//
// The payload carries the user's credential, so it should only travel over an encrypted, authenticated channel
// and should never be logged in full.
//
// swagger:model PasswordAuthRequest
type PasswordAuthRequest struct {
	// Username is the username provided for authentication. It comes from a client that has not been
	// authenticated yet, so the receiver should treat it as untrusted input.
	//
	// required: true
	Username string `json:"username"`

	// RemoteAddress is the IP address of the user trying to authenticate.
	//
	// required: true
	RemoteAddress string `json:"remoteAddress"`

	// ConnectionID is an opaque ID to identify the SSH connection in question.
	//
	// required: true
	ConnectionID string `json:"connectionId"`

	// SessionID is a deprecated alias for ConnectionID and will be removed in the future.
	//
	// Deprecated: use ConnectionID instead.
	//
	// required: true
	SessionID string `json:"sessionId"`

	// Password is the password the user provided for authentication.
	//
	// NOTE(review): the JSON key is "passwordBase64", which suggests the value is Base64-encoded on the wire;
	// confirm against the code that fills this field. Base64 is an encoding, not encryption, so the value must
	// be handled as the plaintext credential.
	//
	// required: true
	Password string `json:"passwordBase64"`
}
// PublicKeyAuthRequest is an authentication request for public key authentication.
//
// NOTE(review): the request carries only public material (the key and, optionally, certificate details).
// Presumably the sender verifies the client's proof of possession of the private key separately; confirm
// against the caller before treating a matching key as sufficient.
//
// swagger:model PublicKeyAuthRequest
type PublicKeyAuthRequest struct {
	// Username is the username provided for authentication. It comes from a client that has not been
	// authenticated yet, so the receiver should treat it as untrusted input.
	//
	// required: true
	Username string `json:"username"`

	// RemoteAddress is the IP address of the user trying to authenticate.
	//
	// required: true
	RemoteAddress string `json:"remoteAddress"`

	// ConnectionID is an opaque ID to identify the SSH connection in question.
	//
	// required: true
	ConnectionID string `json:"connectionId"`

	// SessionID is a deprecated alias for ConnectionID and will be removed in the future.
	//
	// Deprecated: use ConnectionID instead.
	//
	// required: true
	SessionID string `json:"sessionId"`

	// PublicKey is the key in the authorized key format.
	//
	// required: true
	PublicKey string `json:"publicKey"`

	// CACertificate contains information about the SSH certificate presented by a connecting client. This certificate
	// is not an SSL/TLS/x509 certificate and has a much simpler structure. However, this can be used to verify if the
	// connecting client belongs to an organization.
	//
	// The field is a pointer tagged omitempty, so it is left out of the JSON when nil; receivers must handle
	// its absence.
	//
	// required: false
	CACertificate *CACertificate `json:"caCertificate,omitempty"`
}
// ResponseBody is a response to authentication requests.
//
// swagger:model AuthResponseBody
type ResponseBody struct {
	// Success indicates if the authentication was successful. The zero value is false, so a body that omits
	// the field decodes as a rejected authentication.
	//
	// required: true
	Success bool `json:"success"`

	// Metadata is a set of key-value pairs that can be returned and either consumed by the configuration server or
	// exposed in the backend as environment variables.
	//
	// Because these values may end up in the backend's environment, the authentication server should only
	// return keys and values it controls, and should not echo request fields such as the username unchecked.
	//
	// required: false
	Metadata map[string]string `json:"metadata,omitempty"`
}
// Response is the full HTTP authentication response.
//
// It embeds ResponseBody, so the body's fields are promoted to this type.
//
// swagger:response AuthResponse
type Response struct {
	// The response body
	//
	// in: body
	ResponseBody
}
// CACertificate contains information about the SSH certificate presented by a connecting client. This certificate
// is not an SSL/TLS/x509 certificate and has a much simpler structure. However, this can be used to verify if the
// connecting client belongs to an organization.
//
// NOTE(review): nothing in this file shows whether the sender has already verified the certificate's signature,
// validity window or principals. A receiver that bases an authorization decision on these fields should confirm
// that, or check ValidAfter/ValidBefore and ValidPrincipals itself and match PublicKey against its own list of
// trusted CA keys.
//
// swagger:model CACertificate
type CACertificate struct {
	// PublicKey contains the public key of the CA signing the public key presented in the OpenSSH authorized key
	// format. Note that the JSON key is "key", not "publicKey".
	PublicKey string `json:"key"`

	// KeyID contains an identifier for the key. The JSON key is "keyID" with a capital "D", unlike the
	// "connectionId"/"sessionId" keys used by the request types.
	KeyID string `json:"keyID"`

	// ValidPrincipals contains a list of principals for which this CA certificate is valid.
	ValidPrincipals []string `json:"validPrincipals"`

	// ValidAfter contains the time after which this certificate is valid.
	ValidAfter time.Time `json:"validAfter"`

	// ValidBefore contains the time when this certificate expires.
	ValidBefore time.Time `json:"validBefore"`
}