Implement AuthenticationHandler for custom auth mechanisms
#1072
base: master
Conversation
6ec779a to fb6703a
Title changed: "CredentialProvider with a more powerful AuthHandler" to "AuthenticationHandler for custom auth mechanisms"
fb6703a to 55d7dfb
(This PR is a bit larger than the other one you opened; I'll take a look later.)

Yeah, the PR is a bit too large for my taste too. :) I didn't mean for it to be merged as-is, more as a starting point for discussion around the issues I opened. Happy to split it up once we have a clearer idea of what we want to do for each one!
c650a68 to 8c72c7d
lance6716 left a comment:
6 / 11 viewed, will review later
| } | ||
|
|
||
| // HashPassword computes the password hash for a given password using the credential's auth plugin. | ||
| func (c Credential) HashPassword(password string) (string, error) { |
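Review bot: HashPassword(password string) (string, error) takes nothing but the password, yet the doc comment says the hash depends on the credential's auth plugin; for plugins whose stored hash includes a per-user random salt (caching_sha2_password) the result is not a pure function of the password, so either document which plugins this method supports or return an error for plugins it cannot compute, rather than leaving callers to discover the limitation at comparison time. Since the only consumer appears to be the comparison path, unexporting it (as lance6716 suggests) would also keep the partial semantics from becoming part of the public API.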
seems it can be unexported
| } | ||
|
|
||
| // HasEmptyPassword returns true if any password in the credential is empty. | ||
| func (c Credential) HasEmptyPassword() bool { |
ditto
|
|
||
| // HasEmptyPassword returns true if any password in the credential is empty. | ||
| func (c Credential) HasEmptyPassword() bool { | ||
| for _, p := range c.Passwords { |
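Review bot: "returns true if any password in the credential is empty" means a single empty entry in Passwords is enough to treat the whole user as password-less, which with several passwords per user is easy to get wrong by accident (an empty string appended during rotation). If that is the intended semantics, state it in the doc comment and in the AuthenticationHandler docs; otherwise reject credentials that mix empty and non-empty passwords when they are registered, instead of only reporting the condition here. Checking the list with slices.Contains(c.Passwords, ""), as lance6716 notes, would keep the function a one-liner either way.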
Can use https://pkg.go.dev/slices#Contains now
| } | ||
|
|
||
| func (h *InMemoryAuthenticationHandler) GetCredential(username string) (credential Credential, found bool, err error) { | ||
| v, ok := h.userPool.Load(username) |
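Review bot: the (credential, found, err) triple needs its contract spelled out on the AuthenticationHandler interface, not only on this sync.Map-backed implementation: an unknown user should come back as found=false with err=nil, a backend failure as err!=nil, and the caller should send the same access-denied response in both cases so the difference is not observable on the wire (username enumeration). Adding the concurrency requirement lance6716 asks for to the same doc comment keeps both expectations in one place for implementers of custom handlers.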
please add comment for AuthenticationHandler.GetCredential that it should be concurrent safe
| authPluginName = optionalAuthPluginName[0] | ||
| } | ||
|
|
||
| if !isAuthMethodSupported(authPluginName) { |
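Review bot: optionalAuthPluginName[0] silently ignores any further variadic arguments, so a call that passes two plugin names gets the first with no error; either return an error when len(optionalAuthPluginName) > 1 or replace the variadic with a single explicit parameter. The isAuthMethodSupported check should also state in its doc comment exactly which plugins are accepted, which would settle the AUTH_CLEAR_PASSWORD question raised above rather than leaving it implicit in the function body.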
seems in the old code we also support AUTH_CLEAR_PASSWORD. @dveeden Should we change isAuthMethodSupported to add that?
Hey team,
Here is some work around #1069 and #1071 to allow a discussion based on an actual implementation.
I think the changes here are pretty obvious:
- Credential can have multiple passwords now;
- OnAuthSuccess and OnAuthFailure added to the new AuthenticationHandler.

One side effect of the multiple passwords per user is that we can't have Xor update in place anymore, because otherwise we would XOR the password we received every time we compare it to a new hash in the list of hashes to try.

About hashes: I moved the Credential passwords hash at comparison time to avoid paying the full price for every connection. Let's say you have 1000 passwords to match against but match after 5 comparisons: it's better to hash only 5 passwords, not 1000.
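The two points in the description above, hashing candidates lazily and never XOR-ing the received token in place, shown as an added example that is not part of this PR or of go-mysql's code. It assumes the mysql_native_password scheme (token = SHA1(password) XOR SHA1(salt || SHA1(SHA1(password)))); the Credential type, the Verify and scramble41 functions, ErrAccessDenied and the salt and password values are all constructed for the demo.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrAccessDenied is returned when no stored password matches the client token.
var ErrAccessDenied = errors.New("access denied")

// Credential is a hypothetical stand-in for the PR's Credential type:
// one user with several accepted plaintext passwords (e.g. during rotation).
type Credential struct {
	Username  string
	Passwords []string
}

// scramble41 computes the mysql_native_password client token for one
// password and the 20-byte connection salt:
// SHA1(password) XOR SHA1(salt || SHA1(SHA1(password))).
func scramble41(salt []byte, password string) []byte {
	stage1 := sha1.Sum([]byte(password))
	stage2 := sha1.Sum(stage1[:])
	h := sha1.New()
	h.Write(salt)
	h.Write(stage2[:])
	mix := h.Sum(nil)
	token := make([]byte, sha1.Size)
	for i := range token {
		token[i] = stage1[i] ^ mix[i]
	}
	return token
}

// Verify compares the token received from the client against each stored
// password in order. Candidates are hashed one at a time and the received
// buffer is never modified, so the loop stops at the first match and every
// candidate is compared against the original token. It returns the index of
// the matching password and how many candidates had to be hashed.
func (c Credential) Verify(salt, received []byte) (matched int, hashed int, err error) {
	for i, p := range c.Passwords {
		if p == "" {
			// An empty stored password only accepts an empty client token
			// (MySQL semantics); nothing to hash.
			if len(received) == 0 {
				return i, hashed, nil
			}
			continue
		}
		if len(received) != sha1.Size {
			continue
		}
		hashed++
		expected := scramble41(salt, p)
		if subtle.ConstantTimeCompare(expected, received) == 1 {
			return i, hashed, nil
		}
	}
	return -1, hashed, ErrAccessDenied
}

// verifyInPlaceBroken reproduces the pitfall the description warns about:
// undoing the XOR inside the received buffer itself. The first mismatching
// candidate leaves the buffer scrambled with its own mix value, so every later
// candidate, including the correct one, is compared against garbage.
func verifyInPlaceBroken(salt, received []byte, passwords []string) int {
	for i, p := range passwords {
		stage1 := sha1.Sum([]byte(p))
		stage2 := sha1.Sum(stage1[:])
		h := sha1.New()
		h.Write(salt)
		h.Write(stage2[:])
		mix := h.Sum(nil)
		for j := range received {
			received[j] ^= mix[j] // destructive: received equals stage1 only if p was right
		}
		if subtle.ConstantTimeCompare(received, stage1[:]) == 1 {
			return i
		}
	}
	return -1
}

func main() {
	salt := []byte("0123456789abcdefghij") // constructed 20-byte salt, fixed for the demo
	cred := Credential{Username: "app", Passwords: []string{"old-secret", "new-secret", "unused"}}
	token := scramble41(salt, "new-secret") // what a client holding the second password sends

	idx, n, err := cred.Verify(salt, token)
	fmt.Printf("lazy verify: matched=%d hashed=%d err=%v\n", idx, n, err)

	idx = verifyInPlaceBroken(salt, append([]byte(nil), token...), cred.Passwords)
	fmt.Printf("in-place XOR: matched=%d\n", idx)
}
```

With three stored passwords and a client using the second one, Verify hashes two candidates and matches index 1, while the in-place variant fails for every candidate because the buffer was corrupted by the first mismatch. The comparison uses subtle.ConstantTimeCompare so a mismatch on an early byte does not leak which candidate came closest.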