Commit d86999d8 authored by ale's avatar ale
Browse files

Unify configuration of short-term storage

Add the related documentation to the README. Include a nullU2FStorage
handler to prevent nil pointer dereferences in U2F code.
parent 21484927
Pipeline #1346 failed with stage
in 11 seconds
......@@ -40,6 +40,18 @@ The authentication server data model is based on the concept of a
in LDAP, but it has to be told the specific details of how to find
them and how to map the information there to what it needs.
## Other Dependencies
The auth-server can optionally use *memcached* to store short-term
data with a relatively high probability of retrieval. This is used to
store U2F challenges, and used OTP tokens for replay protection. If no
memcache servers are configured, such functionality will be disabled
but the auth-server will still run (useful for tests, or simpler
It is possible to specify multiple memcached servers for HA purposes,
with a *write-all / read-any* model.
# Configuration
The behavior of auth-server can be configured with a YAML file.
......@@ -65,6 +77,8 @@ The YAML file should contain a dictionary with the following attributes:
* `cert` is the path to the client certificate
* `key` is the path to the client private key
* `ca` is the path to the CA store to verify the server certificate
* `memcache_servers` contains a list of memcached server addresses (in
host:port format)
## Rate limiting
......@@ -206,10 +206,6 @@ func (c *ServiceConfig) notifyBlacklists(user *User, req *auth.Request, resp *au
type shortTermStorageConfig struct {
Servers []string `yaml:"memcache_servers"`
// Config for the authentication server.
type Config struct {
// Global configuration for backends.
......@@ -230,13 +226,8 @@ type Config struct {
// Configuration for the user-meta-server backend.
UserMetaDBConfig *clientutil.BackendConfig `yaml:"user_meta_server"`
// Configuration for the U2F short-term challenge storage
// (backed by memcached).
U2FShortTerm *shortTermStorageConfig `yaml:"u2f_short_term_storage"`
// Configuration for the OTP short-term replay protection
// storage (backed by memcached).
OTPShortTerm *shortTermStorageConfig `yaml:"otp_short_term_storage"`
// Memcache servers used for short-term storage.
MemcacheServers []string `yaml:"memcache_servers"`
// Runtime versions of the above. These objects are shared by
// all services, as they contain the actual map data.
......@@ -404,12 +395,11 @@ func NewServer(config *Config) (*Server, error) {
config: config,
if config.U2FShortTerm != nil {
s.u2fShortTerm = newMemcacheU2FStorage(config.U2FShortTerm.Servers)
if config.OTPShortTerm != nil {
s.otpShortTerm = newMemcacheOTPStorage(config.OTPShortTerm.Servers)
if len(config.MemcacheServers) != nil {
s.u2fShortTerm = newMemcacheU2FStorage(config.MemcacheServers)
s.otpShortTerm = newMemcacheOTPStorage(config.MemcacheServers)
} else {
s.u2fShortTerm = &nullU2FStorage{}
s.otpShortTerm = &nullOTPStorage{}
......@@ -71,3 +71,8 @@ func deserializeU2FChallenge(data []byte) (*u2f.Challenge, error) {
return &chal, nil
type nullU2FStorage struct{}
func (s *nullU2FStorage) SetUserChallenge(user string, chal *u2f.Challenge) error { return nil }
func (s *nullU2FStorage) GetUserChallenge(user string) (*u2f.Challenge, bool) { return nil, false }
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment