- Constants
- func GetEmail(claims jwt.MapClaims) string
- func GetNames(claims jwt.MapClaims) (firstName, lastName string)
- func GetUpdatedUserFromHeaders(c echo.Context, existingUser cdbm.User, ngcOrgName string, ...) (*cdbm.User, *util.APIError)
- func GetUserWithUpdatedOrgData(existingUser cdbm.User, tokenOrgData cdbm.OrgData, reqOrgName string, ...) (*cdbm.User, *util.APIError)
- func InitializeProcessors(joCfg *config.JWTOriginConfig, dbSession *cdb.Session, ...)
- func NewCustomProcessor(dbSession *cdb.Session) config.TokenProcessor
- func NewKASProcessor(dbSession *cdb.Session, tc temporalClient.Client, ...) config.TokenProcessor
- func NewKeycloakProcessor(dbSession *cdb.Session, kcfg *config.KeycloakConfig) config.TokenProcessor
- func NewSSAProcessor(dbSession *cdb.Session) config.TokenProcessor
- type CustomProcessor
- type KASProcessor
- type KeycloakProcessor
- type SSAProcessor
Constants
const MaxUserDataStalePeriod = time.Minute
MaxUserDataStalePeriod specifies the length of time between user data refreshes.
const (
	// OrgDataStalePeriod is the duration after which an org's Updated field is considered stale
	OrgDataStalePeriod = time.Minute
)
Variables
This section is empty.
Functions
func GetNames
GetNames extracts firstName and lastName from claims, splitting firstName if lastName is empty.
func GetUpdatedUserFromHeaders
func GetUpdatedUserFromHeaders(c echo.Context, existingUser cdbm.User, ngcOrgName string, logger zerolog.Logger) (*cdbm.User, *util.APIError)
GetUpdatedUserFromHeaders extracts user information from headers sent by KAS. Steps include:
1. Extract NGC user name and email from headers
2. Extract NGC roles from headers
3. Extract NGC org display name from headers
4. Update user record if necessary
5. Return updated user record
Returns the updated user record and an API error, if any.
func GetUserWithUpdatedOrgData
func GetUserWithUpdatedOrgData(existingUser cdbm.User, tokenOrgData cdbm.OrgData, reqOrgName string, logger zerolog.Logger) (*cdbm.User, *util.APIError)
GetUserWithUpdatedOrgData merges the requested org from tokenOrgData into the existing user's OrgData. It only updates the specific org from the request, preserving other orgs. Returns a partial User with updated OrgData if an update is needed, or nil if no update is needed. Returns an error if the requested org is not found in the token claims.
An update is needed if:
- the requested org doesn't exist in the user's OrgData
- the requested org's data has changed
- the requested org's Updated field is nil or stale (> OrgDataStalePeriod)
func InitializeProcessors
func InitializeProcessors(joCfg *config.JWTOriginConfig, dbSession *cdb.Session, tc temporalClient.Client, encCfg *commonConfig.PayloadEncryptionConfig, kcfg *config.KeycloakConfig)
InitializeProcessors sets up all token processors in the JWTOriginConfig.
func NewCustomProcessor
func NewCustomProcessor(dbSession *cdb.Session) config.TokenProcessor
NewCustomProcessor creates a new custom token processor.
func NewKASProcessor
func NewKASProcessor(dbSession *cdb.Session, tc temporalClient.Client, encCfg *commonConfig.PayloadEncryptionConfig) config.TokenProcessor
NewKASProcessor creates a new KAS token processor.
func NewKeycloakProcessor
func NewKeycloakProcessor(dbSession *cdb.Session, kcfg *config.KeycloakConfig) config.TokenProcessor
NewKeycloakProcessor creates a new Keycloak token processor.
func NewSSAProcessor
func NewSSAProcessor(dbSession *cdb.Session) config.TokenProcessor
NewSSAProcessor creates a new SSA token processor.
Types
type CustomProcessor
type CustomProcessor struct {
// contains filtered or unexported fields
}
CustomProcessor processes custom external issuer JWT tokens. Supports both service accounts and user tokens with claim mappings.
func (*CustomProcessor) ProcessToken
func (h *CustomProcessor) ProcessToken(c echo.Context, tokenStr string, jwksConfig *config.JwksConfig, logger zerolog.Logger) (*cdbm.User, *util.APIError)
ProcessToken processes custom external issuer JWT tokens. Supports:
- Service accounts with static roles
- User tokens with dynamic roles from claims (via rolesAttribute)
- User tokens with static roles (via roles list)
- Dynamic org extraction from claims (via orgAttribute)
- Static org assignment from config (via orgName)
- Issuer-level audience and scope validation (validated FIRST)
- Org access validation BEFORE any DB operations
type KASProcessor
type KASProcessor struct {
// contains filtered or unexported fields
}
KASProcessor processes KAS JWT tokens.
func (*KASProcessor) ProcessToken
func (h *KASProcessor) ProcessToken(c echo.Context, tokenStr string, jwksCfg *config.JwksConfig, logger zerolog.Logger) (*cdbm.User, *util.APIError)
ProcessToken processes KAS JWT tokens.
type KeycloakProcessor
type KeycloakProcessor struct {
// contains filtered or unexported fields
}
KeycloakProcessor processes Keycloak JWT tokens.
func (*KeycloakProcessor) ProcessToken
func (h *KeycloakProcessor) ProcessToken(c echo.Context, tokenStr string, jwksConfig *config.JwksConfig, logger zerolog.Logger) (*cdbm.User, *util.APIError)
ProcessToken processes Keycloak JWT tokens.
type SSAProcessor
type SSAProcessor struct {
// contains filtered or unexported fields
}
SSAProcessor processes SSA JWT tokens.
func (*SSAProcessor) ProcessToken
func (h *SSAProcessor) ProcessToken(c echo.Context, tokenStr string, jwksCfg *config.JwksConfig, logger zerolog.Logger) (*cdbm.User, *util.APIError)
ProcessToken processes SSA JWT tokens.