clients

package
v1.0.16 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 30, 2026 License: Apache-2.0 Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// AuthTokenCacheTTLSeconds min validity for auth tokens is 900s. Hard coding to 600s keeps the code simple compared to extracting the expiry time
	// and dynamically setting TTL.
	AuthTokenCacheTTLSeconds            = 600
	AuthTokenStalenessTTLSeconds        = AuthTokenCacheTTLSeconds + 200
	TokenRefresherJobRunFrequencyMillis = 20000
)

Variables

View Source 
var DefaultKeepaliveParams = keepalive.ClientParameters{
	Time:                5 * time.Minute,
	Timeout:             10 * time.Second,
	PermitWithoutStream: true,
}

Functions

func GetUAMEvaluationURL 

func GetUAMEvaluationURL(namespace string, policyFQDN string) string

Types

type AuthZClientOption 

type AuthZClientOption func(u *UAMAuthZClient) error

AuthZClientOption allows for more advanced options during client creation

func WithCachingEnabled 

func WithCachingEnabled(cacheCfg AuthzCacheConfig) AuthZClientOption

WithCachingEnabled - enables caching behavior to improve request latency. When caching is enabled, `size` results from evaluate are cached for `duration` time. This is useful for clients that have policies in place that are not very reactive and the dependencies do not change frequently.

type AuthzCacheConfig 

type AuthzCacheConfig struct {
	CacheDuration string `mapstructure:"duration"`
	CacheSize     int    `mapstructure:"size"`
	// contains filtered or unexported fields
}

AuthzCacheConfig captures configuration to enable caching during authz checks

NOTE: This is for more advanced use-cases where the policy decisions are not very dynamic and not deemed to have critical side-effects.

type BaseClientConfig 

type BaseClientConfig struct {
	// Type of client - grpc/http
	Type string `mapstructure:"type"`
	// Addr is the address of the server to send requests to.
	Addr string `mapstructure:"addr"`
	// TLS holds all TLS configuration options for this client.
	TLS auth.TLSConfigOptions `mapstructure:"tls,omitempty"`
	// AuthnCfg holds any authentication config to use for requests
	AuthnCfg *auth.AuthnConfig `mapstructure:"authn,omitempty"`
}

func (*BaseClientConfig) AddClientFlags 

func (cfg *BaseClientConfig) AddClientFlags(cmd *cobra.Command, clientName string) bool

AddClientFlags add the http client flags with the client prefix

type ClientConfigProvider 

type ClientConfigProvider interface {
	AddClientFlags(cmd *cobra.Command, clientName string) bool
	DialOptions() ([]grpc.DialOption, error)
	Dial() (*grpc.ClientConn, error)
}

type ClientType 

type ClientType string
const (
	ClientTypeGRPC ClientType = "grpc"
	ClientTypeHTTP ClientType = "http"
)

type GRPCClientConfig 

type GRPCClientConfig struct {
	*BaseClientConfig
	// Overrides all client dial options if set.
	DialOptOverrides []grpc.DialOption `mapstructure:"dialOpts,omitempty"`
	// Client metadata to store any client specific information
	Metadata map[string]interface{} `mapstructure:"metadata,omitempty"`
	// Keepalive configuration. If nil, default keepalive parameters will be applied.
	Keepalive *keepalive.ClientParameters `mapstructure:"keepalive,omitempty"`
}

func (*GRPCClientConfig) AddClientFlags 

func (cfg *GRPCClientConfig) AddClientFlags(cmd *cobra.Command, clientName string) bool

func (*GRPCClientConfig) Dial 

func (cfg *GRPCClientConfig) Dial() (*grpc.ClientConn, error)

Dial : creates a connection to the gRPC service specified. Does not attempt to validate this connection until a 

request is made unless a dial option of WithBlock() is specified in DialOptOverrides.

func (*GRPCClientConfig) DialOptions 

func (cfg *GRPCClientConfig) DialOptions() ([]grpc.DialOption, error)

DialOptions : generates common dial options for this client based on values in the config.

type HTTPClient 

type HTTPClient struct {

	// Config holds the config provided during initialization of the client
	Config *HTTPClientConfig `mapstructure:"client"`
	// contains filtered or unexported fields
}

func DefaultHTTPClient 

func DefaultHTTPClient(cfg *HTTPClientConfig, spanFormatter func(operation string, r *http.Request) string) (*HTTPClient, error)

DefaultHTTPClient configures a default http client

func NewHTTPClient 

func NewHTTPClient(client *http.Client, config *HTTPClientConfig) *HTTPClient

NewHTTPClient returns a new HTTPClient type

func (*HTTPClient) Client 

func (c *HTTPClient) Client(ctx context.Context) *http.Client

Client returns the associated http client. If Authn config is provided, then a http.Client with authn injection capabilities is returned.

func (*HTTPClient) Do 

func (c *HTTPClient) Do(ctx context.Context, req *http.Request) (resp *http.Response, err error)

func (*HTTPClient) Get 

func (c *HTTPClient) Get(ctx context.Context, url string) (resp *http.Response, err error)

func (*HTTPClient) Post 

func (c *HTTPClient) Post(ctx context.Context, url string, body io.Reader) (resp *http.Response, err error)

func (*HTTPClient) Put 

func (c *HTTPClient) Put(ctx context.Context, url string, body io.Reader) (resp *http.Response, err error)

func (*HTTPClient) Update 

func (c *HTTPClient) Update(creds *auth.ClientCredentials)

Update implements the auth.AuthnRefresher interface for credential file watching. This method handles credential refresh with proper error handling and logging. Note: The credentials change check is already performed in auth/authn.go before calling this method.

type HTTPClientConfig 

type HTTPClientConfig struct {
	*BaseClientConfig
	NumRetries int
}

func (*HTTPClientConfig) AddClientFlags 

func (cfg *HTTPClientConfig) AddClientFlags(cmd *cobra.Command, clientName string) bool

AddClientFlags add the http client flags with the client prefix

type HTTPClientOption 

type HTTPClientOption func(*httpClientConfigV2)

HTTPClientOption configures HTTPClientV2 using the functional options pattern.

func WithAuthTokenProvider 

func WithAuthTokenProvider(authTokenProvider *TokenRefresher) HTTPClientOption

WithAuthTokenProvider sets the authentication token provider for custom clients. The token is automatically added as a Bearer token in the Authorization header.

For default shared clients, use DefaultHTTPClientV2WithAuth() instead.

Example: 

// Custom client with auth
client := NewHTTPClientV2(WithAuthTokenProvider(tokenRefresher), WithRetryMax(5))

func WithConnectionLimits 

func WithConnectionLimits(maxIdle, maxIdlePerHost, maxPerHost int) HTTPClientOption

WithConnectionLimits sets the connection pool limits. Default values are: maxIdle=100, maxIdlePerHost=5, maxPerHost=0 (unlimited). This option requires a dedicated client - use with NewHTTPClientV2.

Example: 

client := NewHTTPClientV2(WithConnectionLimits(200, 10, 50))

func WithErrorHandler 

func WithErrorHandler(handler retryablehttp.ErrorHandler) HTTPClientOption

WithErrorHandler sets a custom error handler for retries. Default is retryablehttp.PassthroughErrorHandler which retries on connection errors and 5xx status codes. This option requires a dedicated client - use with NewHTTPClientV2.

Example: 

customHandler := func(resp *http.Response, err error, numTries int) (*http.Response, error) {
	// Custom retry logic
	return resp, err
}
client := NewHTTPClientV2(WithErrorHandler(customHandler))

func WithRetryMax 

func WithRetryMax(max int) HTTPClientOption

WithRetryMax sets the maximum number of retries. Default value is 2 retries. This option requires a dedicated client - use with NewHTTPClientV2.

Example: 

client := NewHTTPClientV2(WithRetryMax(5))

func WithRetryWait 

func WithRetryWait(min, max time.Duration) HTTPClientOption

WithRetryWait sets the minimum and maximum retry wait times. Default values are 50ms minimum and 300ms maximum. This option requires a dedicated client - use with NewHTTPClientV2.

Example: 

client := NewHTTPClientV2(WithRetryWait(100*time.Millisecond, 2*time.Second))

type HTTPClientV2 

type HTTPClientV2 struct {
	// contains filtered or unexported fields
}

HTTPClientV2 is an HTTP client with retry logic, authentication, and telemetry support.

Use DefaultHTTPClientV2() or DefaultHTTPClientV2WithAuth() for shared resources, or NewHTTPClientV2() for custom configuration.

Example usage: 

// Default clients (recommended for most use cases)
client := DefaultHTTPClientV2()
authClient := DefaultHTTPClientV2WithAuth(tokenRefresher)

// Custom client (for specialized configuration)
client := NewHTTPClientV2(WithRetryMax(5), WithAuthTokenProvider(tokenRefresher))

func DefaultHTTPClientV2 

func DefaultHTTPClientV2() *HTTPClientV2

DefaultHTTPClientV2 returns an HTTP client with sane defaults that shares a singleton HTTP client. Multiple instances returned by this function will share the same underlying HTTP client for optimal memory usage and connection pool reuse.

Example: 

client := DefaultHTTPClientV2()

func DefaultHTTPClientV2WithAuth 

func DefaultHTTPClientV2WithAuth(authTokenProvider *TokenRefresher) *HTTPClientV2

DefaultHTTPClientV2WithAuth returns an HTTP client with authentication that shares a singleton HTTP client. Multiple instances with different auth tokens will share the same underlying HTTP client for efficiency.

Example: 

tokenRefresher := &TokenRefresher{token: "your-token"}
client := DefaultHTTPClientV2WithAuth(tokenRefresher)

func NewHTTPClientV2 

func NewHTTPClientV2(opts ...HTTPClientOption) *HTTPClientV2

NewHTTPClientV2 creates a new HTTP client with a dedicated underlying HTTP client. Each instance gets its own HTTP client for complete isolation and custom configuration.

Use this constructor when you need custom behavior that differs from defaults:

  • Custom retry settings: WithRetryMax(), WithRetryWait()
  • Custom connection limits: WithConnectionLimits()
  • Custom error handling: WithErrorHandler()
  • Authentication: WithAuthTokenProvider()

Example: 

// Custom retry behavior (gets dedicated HTTP client)
client := NewHTTPClientV2(
	WithRetryMax(10),
	WithRetryWait(100*time.Millisecond, 5*time.Second),
)

// Custom connection limits (gets dedicated HTTP client)
client := NewHTTPClientV2(
	WithConnectionLimits(200, 20, 100),
	WithAuthTokenProvider(tokenRefresher),
)

func NewHTTPClientV2WithClient 

func NewHTTPClientV2WithClient(httpClient *http.Client, opts ...HTTPClientOption) *HTTPClientV2

NewHTTPClientV2WithClient creates a new HTTP client using the provided http.Client. This allows you to use a pre-configured http.Client while still benefiting from HTTPClientV2's authentication features.

Example: 

customHTTPClient := &http.Client{Timeout: 30 * time.Second}
client := NewHTTPClientV2WithClient(customHTTPClient, WithAuthTokenProvider(tokenRefresher))

func (*HTTPClientV2) Do 

func (c *HTTPClientV2) Do(ctx context.Context, req *http.Request) (*http.Response, error)

Do executes an HTTP request with retry logic and optional authentication. If an auth token provider is configured, it automatically adds the Bearer token to the Authorization header.

Example: 

req, _ := http.NewRequest("GET", "https://api.example.com", nil)
resp, err := client.Do(ctx, req)
if err != nil {
	// Handle error
}
defer resp.Body.Close()

type TokenRefresher 

type TokenRefresher struct {
	// contains filtered or unexported fields
}

func NewPassiveTokenRefresher 

func NewPassiveTokenRefresher(oidcConfig *auth.ProviderConfig, metricsNamespace string) (*TokenRefresher, error)

func NewTokenRefresher 

func NewTokenRefresher(oidcConfig *auth.ProviderConfig, metricsNamespace string) (*TokenRefresher, error)

func (*TokenRefresher) EmitErrorMetrics 

func (tr *TokenRefresher) EmitErrorMetrics(statusCode int, err error)

func (*TokenRefresher) GetLastRefreshTimestamp 

func (tr *TokenRefresher) GetLastRefreshTimestamp() int64

func (*TokenRefresher) RefreshToken 

func (tr *TokenRefresher) RefreshToken() (int, error)

func (*TokenRefresher) Token 

func (tr *TokenRefresher) Token() string

type TokenResponse 

type TokenResponse struct {
	AccessToken string `json:"access_token"` //nolint:gosec // G117: false positive - this is a response struct, not a secret storage
}

type UAMAuthZClient 

type UAMAuthZClient struct {
	// contains filtered or unexported fields
}

UAMAuthZClient is a UAM authorization client that evaluates requests against UAM hosted policies

func (*UAMAuthZClient) Evaluate 

func (c *UAMAuthZClient) Evaluate(ctx context.Context, request *pdp_types.RuleRequest) (*pdp_types.RuleResponse, error)

func (*UAMAuthZClient) PolicyConfig 

func (c *UAMAuthZClient) PolicyConfig() *auth.UAMPolicyConfig

type UAMAuthZClientInterface 

type UAMAuthZClientInterface interface {
	UAMAuthorizer
	PolicyConfig() *auth.UAMPolicyConfig
}

UAMAuthZClientInterface wraps the UAMAuthorizer and provides additional client interface functions

func NewUAMAuthzClient 

func NewUAMAuthzClient(config *BaseClientConfig, policyCfg *auth.UAMPolicyConfig, opts ...AuthZClientOption) (UAMAuthZClientInterface, error)

type UAMAuthorizer 

type UAMAuthorizer interface {
	Evaluate(ctx context.Context, request *pdp_types.RuleRequest) (*pdp_types.RuleResponse, error)
}

UAMAuthorizer defines the contract to be qualified as an UAM authorizer

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.