namekclient

package
v0.1.6 Latest
Published: Mar 29, 2026 License: AGPL-3.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type APIError added in v0.1.5

type APIError struct {
	StatusCode int
	Message    string
	RetryAfter time.Duration // parsed from Retry-After header; zero if absent
}

APIError represents an HTTP error response from the namek server.

func (*APIError) Error added in v0.1.5

func (e *APIError) Error() string

func (*APIError) IsRetryable added in v0.1.5

func (e *APIError) IsRetryable() bool

IsRetryable reports whether the status code is one the client treats as transient (429 Too Many Requests or 503 Service Unavailable) and therefore safe to retry; all other HTTP errors are returned to the caller as-is.

type ChallengeResult

type ChallengeResult struct {
	ID   string `json:"id"`
	FQDN string `json:"fqdn"`
}

ChallengeResult is returned from POST /api/v1/acme/challenges.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is an HTTP client for the namek server API.

func New

func New(baseURL string, tpm tpmdevice.Device, opts ...Option) *Client

New creates a Client for the namek server at baseURL that uses the given TPM device for attestation.

func (*Client) AssignDomain added in v0.1.2

func (c *Client) AssignDomain(ctx context.Context, domainID string, deviceIDs []string) ([]DomainAssignment, error)

AssignDomain calls POST /api/v1/domains/:id/assignments (authenticated).

func (*Client) CreateACMEChallenge

func (c *Client) CreateACMEChallenge(ctx context.Context, digest, hostname string) (*ChallengeResult, error)

CreateACMEChallenge calls POST /api/v1/acme/challenges (authenticated). hostname is optional: if empty, the challenge targets the device's canonical hostname. To target a custom hostname, pass the full FQDN (e.g. "mydevice.example.com").

func (*Client) CreateInvite added in v0.1.4

func (c *Client) CreateInvite(ctx context.Context) (*InviteResult, error)

CreateInvite calls POST /api/v1/accounts/invite (authenticated).

func (*Client) DeleteACMEChallenge

func (c *Client) DeleteACMEChallenge(ctx context.Context, id string) error

DeleteACMEChallenge calls DELETE /api/v1/acme/challenges/:id (authenticated).

func (*Client) DeleteDomain added in v0.1.2

func (c *Client) DeleteDomain(ctx context.Context, domainID string) error

DeleteDomain calls DELETE /api/v1/domains/:id (authenticated).

func (*Client) DeviceID

func (c *Client) DeviceID() string

DeviceID returns the current device ID, or empty if not yet enrolled.

func (*Client) Enroll

func (c *Client) Enroll(ctx context.Context) (*EnrollResult, error)

Enroll performs the two-phase enrollment flow, attesting with the TPM device passed to New. On success the returned EnrollResult carries the DeviceID that later authenticated calls use; persist it and pass it to WithDeviceID on restart to avoid re-enrolling.

func (*Client) EnrollWithRecovery added in v0.1.4

func (c *Client) EnrollWithRecovery(ctx context.Context, bundle *RecoveryBundleInput) (*EnrollResult, error)

EnrollWithRecovery performs the same two-phase enrollment flow as Enroll but includes a recovery bundle (account ID, vouchers, custom hostname and alias domains) in the attest request.

func (*Client) GetDeviceInfo

func (c *Client) GetDeviceInfo(ctx context.Context) (*DeviceInfo, error)

GetDeviceInfo calls GET /api/v1/devices/me (authenticated).

func (*Client) GetVouchers added in v0.1.4

func (c *Client) GetVouchers(ctx context.Context) ([]VoucherArtifact, error)

GetVouchers calls GET /api/v1/vouchers (authenticated).

func (*Client) Health

func (c *Client) Health(ctx context.Context) error

Health calls GET /health. Bypasses jitter and degraded tracking intentionally — health probes should not be delayed, and are typically used as readiness gates.

func (*Client) JoinAccount added in v0.1.4

func (c *Client) JoinAccount(ctx context.Context, inviteCode string) error

JoinAccount calls POST /api/v1/accounts/join (authenticated).

func (*Client) LeaveAccount added in v0.1.4

func (c *Client) LeaveAccount(ctx context.Context) error

LeaveAccount calls DELETE /api/v1/accounts/leave (authenticated).

func (*Client) ListAssignments added in v0.1.2

func (c *Client) ListAssignments(ctx context.Context, domainID string) ([]DomainAssignment, error)

ListAssignments calls GET /api/v1/domains/:id/assignments (authenticated).

func (*Client) ListDomains added in v0.1.2

func (c *Client) ListDomains(ctx context.Context) ([]DomainInfo, error)

ListDomains calls GET /api/v1/domains (authenticated).

func (*Client) Ready

func (c *Client) Ready(ctx context.Context) error

Ready calls GET /ready. Bypasses jitter and degraded tracking (same rationale as Health).

func (*Client) RegisterDomain added in v0.1.2

func (c *Client) RegisterDomain(ctx context.Context, domain string) (*DomainInfo, error)

RegisterDomain calls POST /api/v1/domains (authenticated).

func (*Client) RequestNexusToken

func (c *Client) RequestNexusToken(ctx context.Context, stage int, sessionNonce string) (string, error)

RequestNexusToken calls POST /api/v1/tokens/nexus (authenticated).

func (*Client) SetHostname

func (c *Client) SetHostname(ctx context.Context, hostname string) error

SetHostname calls PATCH /api/v1/devices/me/hostname (authenticated).

func (*Client) SignVoucher added in v0.1.4

func (c *Client) SignVoucher(ctx context.Context, requestID, quoteB64 string) error

SignVoucher calls POST /api/v1/vouchers/sign (authenticated).

func (*Client) UnassignDomain added in v0.1.2

func (c *Client) UnassignDomain(ctx context.Context, domainID, deviceID string) error

UnassignDomain calls DELETE /api/v1/domains/:id/assignments/:device_id (authenticated).

func (*Client) VerifyDomain added in v0.1.2

func (c *Client) VerifyDomain(ctx context.Context, domainID string) (*DomainInfo, error)

VerifyDomain calls POST /api/v1/domains/:id/verify (authenticated).

func (*Client) VerifyToken

func (c *Client) VerifyToken(ctx context.Context, token string) (*VerifyResult, error)

VerifyToken calls POST /internal/v1/tokens/verify (Nexus mTLS-authenticated).

type DeviceInfo

type DeviceInfo struct {
	DeviceID               string                  `json:"device_id"`
	Hostname               string                  `json:"hostname"`
	CustomHostname         *string                 `json:"custom_hostname"`
	AccountID              string                  `json:"account_id"`
	Status                 string                  `json:"status"`
	IdentityClass          string                  `json:"identity_class"`
	TrustLevel             string                  `json:"trust_level"`
	IssuerFingerprint      *string                 `json:"issuer_fingerprint,omitempty"`
	OSVersion              *string                 `json:"os_version,omitempty"`
	RecoveryStatus         string                  `json:"recovery_status"`
	NexusEndpoints         []string                `json:"nexus_endpoints"`
	RelayServices          map[string][]string     `json:"relay_services,omitempty"`
	AliasDomains           []string                `json:"alias_domains,omitempty"`
	PendingVoucherRequests []PendingVoucherRequest `json:"pending_voucher_requests,omitempty"`
	NewVouchers            []VoucherArtifact       `json:"new_vouchers,omitempty"`
}

DeviceInfo is returned from GET /api/v1/devices/me.

type DomainAssignment added in v0.1.2

type DomainAssignment struct {
	DeviceID  string `json:"device_id"`
	Domain    string `json:"domain"`
	CreatedAt string `json:"created_at"`
}

DomainAssignment represents a device-to-domain assignment.

type DomainInfo added in v0.1.2

type DomainInfo struct {
	ID                 string   `json:"id"`
	AccountID          string   `json:"account_id"`
	Domain             string   `json:"domain"`
	Status             string   `json:"status"` // "pending" or "verified"
	CNAMETarget        string   `json:"cname_target"`
	AssignedDevices    []string `json:"assigned_devices,omitempty"`
	CreatedAt          string   `json:"created_at"`
	ExpiresAt          string   `json:"expires_at,omitempty"`
	VerifiedAt         string   `json:"verified_at,omitempty"`
	VerifiedByDeviceID string   `json:"verified_by_device_id,omitempty"`
}

DomainInfo represents an alias domain registered with the namek server.

type EnrollResult

type EnrollResult struct {
	DeviceID       string              `json:"device_id"`
	Hostname       string              `json:"hostname"`
	IdentityClass  string              `json:"identity_class"`
	TrustLevel     string              `json:"trust_level"`
	NexusEndpoints []string            `json:"nexus_endpoints"`
	RelayServices  map[string][]string `json:"relay_services,omitempty"`
	Reenrolled     bool                `json:"reenrolled,omitempty"`
}

EnrollResult is returned after successful enrollment.

type InviteResult added in v0.1.4

type InviteResult struct {
	InviteCode string `json:"invite_code"`
	AccountID  string `json:"account_id"`
	ExpiresAt  string `json:"expires_at"`
}

InviteResult is returned from POST /api/v1/accounts/invite.

type Option

type Option func(*Client)

Option configures a Client.

func WithDeviceID

func WithDeviceID(id string) Option

WithDeviceID restores a previously-enrolled device ID (the DeviceID from an earlier EnrollResult), allowing the client to make authenticated requests without re-enrolling.

func WithHTTPClient

func WithHTTPClient(hc *http.Client) Option

WithHTTPClient sets a custom HTTP client.

func WithInsecureSkipVerify

func WithInsecureSkipVerify() Option

WithInsecureSkipVerify disables TLS certificate verification of the namek server. Must be applied after WithHTTPClient if both are used, because it configures the HTTP client in effect when it runs. Intended for local development only: with verification off, any on-path party can impersonate the server and observe or alter enrollment and token traffic.

func WithNoRetry added in v0.1.5

func WithNoRetry() Option

WithNoRetry disables automatic retry (useful for testing).

func WithRateLimit added in v0.1.5

func WithRateLimit(requestsPerSecond float64, burst int) Option

WithRateLimit enables client-side rate limiting to avoid overwhelming the server. requestsPerSecond is the sustained rate; burst is the maximum number of requests that may be sent back-to-back before the limiter starts holding calls to that rate.
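To make the two knobs concrete, here is a token-bucket limiter with the same parameters (sustained rate plus burst). This is an added illustration of the semantics, not namekclient's own implementation; the Limiter type, its methods and the request schedule in main are constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"math"
	"sync"
	"time"
)

// Limiter is a token bucket with the two knobs WithRateLimit exposes: a
// sustained refill rate in requests per second and a burst, the bucket
// capacity. Local illustration of the semantics, not namekclient's code.
type Limiter struct {
	mu     sync.Mutex
	rate   float64   // tokens added per second
	burst  float64   // maximum tokens held
	tokens float64   // tokens currently available
	last   time.Time // last refill instant
}

// NewLimiter starts with a full bucket so the first `burst` calls pass at once.
func NewLimiter(requestsPerSecond float64, burst int, now time.Time) *Limiter {
	return &Limiter{rate: requestsPerSecond, burst: float64(burst), tokens: float64(burst), last: now}
}

// Reserve takes a token if one is available at now. Otherwise it reports how
// long until the next token is refilled, so callers can sleep rather than spin.
func (l *Limiter) Reserve(now time.Time) (ok bool, wait time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if elapsed := now.Sub(l.last).Seconds(); elapsed > 0 {
		l.tokens = math.Min(l.burst, l.tokens+elapsed*l.rate) // refill, capped at burst
		l.last = now
	}
	if l.tokens >= 1 {
		l.tokens--
		return true, 0
	}
	return false, time.Duration((1 - l.tokens) / l.rate * float64(time.Second))
}

// Wait blocks until a token is available or ctx is cancelled; this is the
// gate an authenticated call would pass through before hitting the wire.
func (l *Limiter) Wait(ctx context.Context) error {
	for {
		ok, d := l.Reserve(time.Now())
		if ok {
			return nil
		}
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-time.After(d):
		}
	}
}

// Admitted drives a limiter with a constructed schedule of request offsets
// from a fixed start and returns which requests were admitted immediately.
func Admitted(rps float64, burst int, offsets []time.Duration) []bool {
	t0 := time.Date(2026, 3, 29, 0, 0, 0, 0, time.UTC)
	l := NewLimiter(rps, burst, t0)
	out := make([]bool, len(offsets))
	for i, off := range offsets {
		out[i], _ = l.Reserve(t0.Add(off))
	}
	return out
}

func main() {
	// 10 req/s sustained, burst 3: three back-to-back calls pass, the fourth
	// is held until 100ms of refill has accrued, and a long idle period
	// refills only up to the burst, never beyond it.
	sched := []time.Duration{0, 0, 0, 0, 100 * time.Millisecond, 150 * time.Millisecond, 10 * time.Second}
	fmt.Println(Admitted(10, 3, sched))
}
```

The burst is a capacity, not a concurrency level: after a long idle period the bucket holds at most `burst` tokens, so a client that wakes up after an outage can send that many requests at once and is then held to `requestsPerSecond`.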

func WithReconnectJitter added in v0.1.5

func WithReconnectJitter(maxDelay time.Duration) Option

WithReconnectJitter sets the maximum random delay applied before the first request after a failure. This spreads the thundering herd when many clients recover simultaneously (e.g., after a server outage). Default: disabled.

func WithRetry added in v0.1.5

func WithRetry(maxAttempts int, baseDelay, maxDelay time.Duration) Option

WithRetry configures automatic retry with exponential backoff for retryable errors (429 Too Many Requests, 503 Service Unavailable). Respects Retry-After headers.
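The retry policy described above (retry only 429/503, exponential backoff with a cap, Retry-After honoured) and the APIError/IsRetryable contract are easiest to reason about when written out. The following is an added example, not namekclient's own code: it re-implements the policy over net/http against a local httptest server so it runs offline. The APIError type is a local stand-in with the same fields as the documented one, RetryPolicy, Do and runAgainst are names chosen for this example, and the server responses are constructed.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync/atomic"
	"time"
)

// APIError is a local stand-in with the same fields as the documented
// namekclient.APIError, so this example compiles without the namek module.
type APIError struct {
	StatusCode int
	Message    string
	RetryAfter time.Duration // parsed from Retry-After; zero if absent
}

func (e *APIError) Error() string { return fmt.Sprintf("namek: HTTP %d: %s", e.StatusCode, e.Message) }

// IsRetryable follows the documented policy: only 429 and 503 are retried.
func (e *APIError) IsRetryable() bool {
	return e.StatusCode == http.StatusTooManyRequests || e.StatusCode == http.StatusServiceUnavailable
}

// parseRetryAfter accepts both forms RFC 9110 allows: delay-seconds or an HTTP-date.
func parseRetryAfter(h string, now time.Time) time.Duration {
	if secs, err := strconv.Atoi(strings.TrimSpace(h)); err == nil && secs >= 0 {
		return time.Duration(secs) * time.Second
	}
	if t, err := http.ParseTime(h); err == nil && t.After(now) {
		return t.Sub(now)
	}
	return 0
}

// RetryPolicy carries the three knobs of WithRetry(maxAttempts, baseDelay, maxDelay).
type RetryPolicy struct {
	MaxAttempts int
	BaseDelay   time.Duration
	MaxDelay    time.Duration
}

// backoff returns the sleep after the given 1-based attempt: baseDelay*2^(attempt-1)
// capped at MaxDelay, with full jitter so clients that all saw the same 503 do
// not retry in lockstep.
func (p RetryPolicy) backoff(attempt int) time.Duration {
	d := p.BaseDelay << uint(attempt-1) // overflows to <= 0 for large attempt counts
	if d <= 0 || d > p.MaxDelay {
		d = p.MaxDelay
	}
	return time.Duration(rand.Int63n(int64(d) + 1))
}

// Do issues the request built by newReq, retrying retryable failures per p, and
// returns the number of attempts made. A factory is used instead of one
// *http.Request because a request body can only be read once.
func (p RetryPolicy) Do(ctx context.Context, hc *http.Client, newReq func() (*http.Request, error)) (*http.Response, int, error) {
	for attempt := 1; ; attempt++ {
		req, err := newReq()
		if err != nil {
			return nil, attempt, err
		}
		resp, err := hc.Do(req.WithContext(ctx))
		if err != nil {
			return nil, attempt, err // transport errors are surfaced as-is here
		}
		if resp.StatusCode < 400 {
			return resp, attempt, nil
		}
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
		resp.Body.Close()
		apiErr := &APIError{StatusCode: resp.StatusCode, Message: strings.TrimSpace(string(body)),
			RetryAfter: parseRetryAfter(resp.Header.Get("Retry-After"), time.Now())}
		// Stop on non-retryable codes, on the last attempt, or when the server asks
		// for a longer pause than the policy tolerates (retrying earlier just earns another 429).
		if !apiErr.IsRetryable() || attempt >= p.MaxAttempts || apiErr.RetryAfter > p.MaxDelay {
			return nil, attempt, apiErr
		}
		delay := apiErr.RetryAfter // server-specified wait wins over computed backoff
		if delay == 0 {
			delay = p.backoff(attempt)
		}
		select {
		case <-ctx.Done():
			return nil, attempt, ctx.Err()
		case <-time.After(delay):
		}
	}
}

// runAgainst starts a constructed server that fails the first `failures`
// requests with status (and an optional Retry-After) and then returns 200,
// drives Do against it, and reports the attempts used and the final error.
func runAgainst(failures, status int, retryAfter string, p RetryPolicy) (int, error) {
	var calls int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if int(atomic.AddInt32(&calls, 1)) <= failures {
			if retryAfter != "" {
				w.Header().Set("Retry-After", retryAfter)
			}
			http.Error(w, "try later", status)
			return
		}
		io.WriteString(w, `{"device_id":"constructed-example"}`)
	}))
	defer srv.Close()
	newReq := func() (*http.Request, error) { return http.NewRequest(http.MethodGet, srv.URL+"/api/v1/devices/me", nil) }
	resp, attempts, err := p.Do(context.Background(), srv.Client(), newReq)
	if resp != nil {
		resp.Body.Close()
	}
	return attempts, err
}

func main() {
	p := RetryPolicy{MaxAttempts: 5, BaseDelay: 200 * time.Millisecond, MaxDelay: 5 * time.Second}
	attempts, err := runAgainst(2, http.StatusServiceUnavailable, "1", p)
	fmt.Println("attempts:", attempts, "err:", err)
}
```

Callers should check the error with errors.As against *APIError rather than string matching: when Do gives up because Retry-After exceeds maxDelay, the RetryAfter field tells the caller exactly how long the server asked it to back off, which is the value to feed into a scheduler rather than retrying immediately.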

type PendingVoucherRequest added in v0.1.4

type PendingVoucherRequest struct {
	RequestID   string `json:"request_id"`
	VoucherData string `json:"voucher_data"`
	Nonce       string `json:"nonce"`
}

PendingVoucherRequest is a voucher request awaiting this device's signature; RequestID is the value passed to SignVoucher.

type RecoveryBundleInput added in v0.1.4

type RecoveryBundleInput struct {
	AccountID      string
	Vouchers       []VoucherArtifact
	CustomHostname string
	AliasDomains   []string
}

RecoveryBundleInput is the recovery bundle included in the attest request.

type VerifyResult

type VerifyResult struct {
	Valid bool   `json:"valid"`
	Error string `json:"error,omitempty"`
}

VerifyResult is returned from POST /internal/v1/tokens/verify.

type VoucherArtifact added in v0.1.4

type VoucherArtifact struct {
	Data           string `json:"data"`
	Quote          string `json:"quote"`
	IssuerAKPubKey string `json:"issuer_ak_public_key"`
	IssuerEKCert   string `json:"issuer_ek_cert,omitempty"`
}

VoucherArtifact is a signed voucher received from a peer.
