-rw-r--r-- | client/keys.go | 2 | ||||
-rw-r--r-- | server/auth/google/google.go | 10 | ||||
-rw-r--r-- | server/auth/provider.go | 4 | ||||
-rw-r--r-- | server/main.go | 2 | ||||
-rw-r--r-- | server/signer/signer.go | 5 |
5 files changed, 20 insertions, 3 deletions
diff --git a/client/keys.go b/client/keys.go
index 866b062..d2f14f7 100644
--- a/client/keys.go
+++ b/client/keys.go
@@ -59,7 +59,7 @@ func generateKey(keytype string, bits int) (key, ssh.PublicKey, error) {
 f, ok := keytypes[keytype]
 if !ok {
 var valid []string
- for k, _ := range keytypes {
+ for k := range keytypes {
 valid = append(valid, k)
 }
 return nil, nil, fmt.Errorf("Unsupported key type %s. Valid choices are %s", keytype, valid)
diff --git a/server/auth/google/google.go b/server/auth/google/google.go
index 5580002..d464b14 100644
--- a/server/auth/google/google.go
+++ b/server/auth/google/google.go
@@ -18,11 +18,14 @@ const (
 name = "google"
 )
 
+// Config is an implementation of `auth.Provider` for authenticating using a
+// Google account.
 type Config struct {
 config *oauth2.Config
 domain string
 }
 
+// New creates a new Google provider from a configuration.
 func New(c *config.Auth) auth.Provider {
 return &Config{
 config: &oauth2.Config{
@@ -36,14 +39,17 @@ func New(c *config.Auth) auth.Provider {
 }
 }
 
+// A new oauth2 http client.
 func (c *Config) newClient(token *oauth2.Token) *http.Client {
 return c.config.Client(oauth2.NoContext, token)
 }
 
+// Name returns the name of the provider.
 func (c *Config) Name() string {
 return name
 }
 
+// Valid validates the oauth token.
 func (c *Config) Valid(token *oauth2.Token) bool {
 if !token.Valid() {
 return false
@@ -70,12 +76,14 @@ func (c *Config) Valid(token *oauth2.Token) bool {
 return true
 }
 
+// Revoke disables the access token.
 func (c *Config) Revoke(token *oauth2.Token) error {
 h := c.newClient(token)
 _, err := h.Get(fmt.Sprintf(revokeURL, token.AccessToken))
 return err
 }
 
+// StartSession retrieves an authentication endpoint from Google.
 func (c *Config) StartSession(state string) *auth.Session {
 return &auth.Session{
 AuthURL: c.config.AuthCodeURL(state, oauth2.SetAuthURLParam("hd", c.domain)),
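Review bot: The `valid` list in the error message is built by ranging over a map, so the "Valid choices are" text comes out in a different order on every run; dropping the blank identifier from the loop doesn't change that. Sorting before formatting gives users a stable message: `sort.Strings(valid)` right before the `return` (needs the `sort` import, which I can't see from the hunk), and `strings.Join(valid, ", ")` reads better than `%s` on a `[]string`. Go convention also wants the error string lowercase, `"unsupported key type %s..."`. generateKey's body continues outside the hunk.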
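Review bot: The comment added above newClient, `// A new oauth2 http client.`, doesn't start with the identifier as Go doc comments should; `// newClient returns an http.Client that sends token with every request.` is what godoc readers expect. More important, the client returned by `c.config.Client(oauth2.NoContext, token)` has no Timeout, so the calls Valid and Revoke make through it can hang indefinitely on a stalled Google endpoint; set one on the returned client, e.g. `h := c.config.Client(oauth2.NoContext, token); h.Timeout = 10 * time.Second; return h` (needs `time` imported). As far as I recall, the context given to `Config.Client` only selects the base transport in x/oauth2, so a deadline on that context would not bound request time. Valid's body continues outside the hunk.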
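Review bot: Revoke still reports success whenever Google answers at all: `_, err := h.Get(...)` discards the response, so a 400 for an invalid or already-revoked token returns err == nil, and the unread body is never closed, so the connection leaks. The new doc line `// Revoke disables the access token.` therefore promises more than the function checks; the rewrite below closes the body and fails on a non-200 status. The token also travels in the URL query string via `revokeURL` (defined outside the hunk); if the endpoint is Google's, it accepts the token as a POST form field too, which keeps it out of proxy and access logs. Separately, the `hd` parameter StartSession sets is only a hint to Google's account chooser, so the domain must still be enforced when the token is validated; Valid's body is outside the hunk, so I can't see whether it does.
```go
func (c *Config) Revoke(token *oauth2.Token) error {
	h := c.newClient(token)
	resp, err := h.Get(fmt.Sprintf(revokeURL, token.AccessToken))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("revoking token: unexpected status %s", resp.Status)
	}
	return nil
}
```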
@@ -83,10 +91,12 @@ func (c *Config) StartSession(state string) *auth.Session {
 }
 }
 
+// Exchange authorizes the session and returns an access token.
 func (c *Config) Exchange(code string) (*oauth2.Token, error) {
 return c.config.Exchange(oauth2.NoContext, code)
 }
 
+// Username retrieves the username portion of the user's email address.
 func (c *Config) Username(token *oauth2.Token) string {
 svc, err := googleapi.New(c.newClient(token))
 if err != nil {
diff --git a/server/auth/provider.go b/server/auth/provider.go
index ae512bd..d7d5ed5 100644
--- a/server/auth/provider.go
+++ b/server/auth/provider.go
@@ -2,6 +2,7 @@ package auth
 
 import "golang.org/x/oauth2"
 
+// Provider is an abstraction of different auth methods.
 type Provider interface {
 Name() string
 StartSession(string) *Session
@@ -11,12 +12,15 @@ type Provider interface {
 Revoke(*oauth2.Token) error
 }
 
+// Session stores authentication state.
 type Session struct {
 AuthURL string
 Token *oauth2.Token
 State string
 }
 
+// Authorize obtains data from the provider and retains an access token that
+// can be stored for later access.
 func (s *Session) Authorize(provider Provider, code string) error {
 t, err := provider.Exchange(code)
 if err != nil {
diff --git a/server/main.go b/server/main.go
index 500e713..6530343 100644
--- a/server/main.go
+++ b/server/main.go
@@ -184,7 +184,7 @@ func main() {
 if err != nil {
 log.Fatal(err)
 }
- signer, err := signer.NewSigner(config.SSH)
+ signer, err := signer.New(config.SSH)
 if err != nil {
 log.Fatal(err)
 }
diff --git a/server/signer/signer.go b/server/signer/signer.go
index 4594c35..f897195 100644
--- a/server/signer/signer.go
+++ b/server/signer/signer.go
@@ -11,6 +11,7 @@ import (
 "golang.org/x/crypto/ssh"
 )
 
+// KeySigner does the work of signing a ssh public key with the CA key.
 type KeySigner struct {
 ca ssh.Signer
 validity time.Duration
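Review bot: The doc comment added to Exchange, `// Exchange authorizes the session and returns an access token.`, misdescribes the one-line body under it, which redeems an authorization code and authorizes nothing itself; `// Exchange redeems the authorization code for an oauth2 token.` matches what the call does. Username's comment says the local part of the e-mail is returned, and since that value presumably becomes the SSH principal the signer puts in the certificate (SignUserKey lives in another file), the comment should say what guarantees the account is in the configured domain, because the `hd` hint alone does not; I can't tell from this hunk whether Valid enforces `c.domain`. Username's body continues past the hunk.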
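Review bot: Session gets a type comment but its fields stay undocumented, and State is the one a reader needs: presumably it is the OAuth state nonce that the callback must echo before Authorize is called, which is the CSRF check on this flow (Authorize's body is cut off here, so I can't see whether it or the caller verifies it). I'd add `// State is the opaque value embedded in AuthURL; the callback must echo it and the caller must compare before calling Authorize.` above the field and `// Token is nil until Authorize succeeds.` above Token, if that matches the rest of the file. The Authorize comment, "obtains data from the provider", is vaguer than its first line; `// Authorize redeems code with provider and stores the resulting token in s.Token.` is my guess at what follows `t, err := provider.Exchange(code)` and should be confirmed against the hidden lines.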
@@ -18,6 +19,7 @@ type KeySigner struct {
 permissions map[string]string
 }
 
+// SignUserKey returns a signed ssh certificate.
 func (s *KeySigner) SignUserKey(req *lib.SignRequest) (string, error) {
 pubkey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(req.Key))
 if err != nil {
@@ -63,7 +65,8 @@ func makeperms(perms []string) map[string]string {
 }
 }
 
-func NewSigner(conf config.SSH) (*KeySigner, error) {
+// New creates a new KeySigner from the supplied configuration.
+func New(conf config.SSH) (*KeySigner, error) {
 data, err := ioutil.ReadFile(conf.SigningKey)
 if err != nil {
 return nil, fmt.Errorf("unable to read CA key %s: %v", conf.SigningKey, err)
|
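Review bot: `// SignUserKey returns a signed ssh certificate.` is thin for the CA's entry point that consumes untrusted input: `ssh.ParseAuthorizedKey([]byte(req.Key))` accepts any key type and size, ssh-dss and short RSA included, and nothing in the hunk narrows that (the body continues outside it). If the rest of the function doesn't reject weak keys, a check such as `if pubkey.Type() == ssh.KeyAlgoDSA { return "", fmt.Errorf("unsupported key type %s", pubkey.Type()) }` belongs right after the parse, with an RSA minimum size alongside. The comment should also say what the returned string is and how `validity` and `permissions` shape the certificate, as far as the hidden lines bear that out.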