var (
	// ErrNotFound is returned when the requested auth does not exist.
	// It wraps the shared sentinel, so callers match it with
	// errors.Is(err, commonerrors.ErrNotFound) rather than by string.
	ErrNotFound = fmt.Errorf("auth: %w", commonerrors.ErrNotFound)

	// ErrAlreadyExists is returned when an auth with the same identity is
	// already stored.
	ErrAlreadyExists = fmt.Errorf("auth: %w", commonerrors.ErrAlreadyExists)

	// ErrHasDependents is returned when an auth cannot be removed because
	// other records still refer to it.
	ErrHasDependents = fmt.Errorf("auth: %w", commonerrors.ErrHasDependents)

	// ErrInvalidName, ErrInvalidGatewayID, ErrInvalidType and ErrInvalidConfig
	// all wrap commonerrors.ErrValidation, so a caller that only needs to
	// map "bad input" to a 4xx can match the shared sentinel; the prefix
	// names the offending field for diagnostics.
	ErrInvalidName      = fmt.Errorf("auth: invalid name: %w", commonerrors.ErrValidation)
	ErrInvalidGatewayID = fmt.Errorf("auth: invalid gateway_id: %w", commonerrors.ErrValidation)
	ErrInvalidType      = fmt.Errorf("auth: invalid type: %w", commonerrors.ErrValidation)
	ErrInvalidConfig    = fmt.Errorf("auth: invalid config: %w", commonerrors.ErrValidation)

	// ErrDuplicateOAuth2 is returned when an enabled oauth2 auth already
	// covers the same (issuer, audience) pair (see OAuth2Config.ConflictsWith).
	// It wraps ErrAlreadyExists, not ErrValidation: the new entry is
	// well-formed but would make token attribution ambiguous.
	ErrDuplicateOAuth2 = fmt.Errorf("auth: another enabled oauth2 auth already covers this issuer and audience: %w", commonerrors.ErrAlreadyExists)
)
func GenerateAPIKey ¶
func HashAPIKey ¶
func IsValidType ¶
// Auth is a stored authentication method attached to a gateway. Type selects
// which member of Config is meaningful; Enabled gates whether the entry takes
// part in request authentication (the Repository only exposes "enabled"
// lookups for the runtime path).
type Auth struct {
	ID ids.AuthID `json:"id"`
	// GatewayID scopes the auth to one gateway. Repository.Delete and
	// FindByIDs take it explicitly; FindByID does not, so callers serving a
	// gateway-scoped request should compare this field against the caller's
	// gateway before acting on the result.
	GatewayID ids.GatewayID `json:"gateway_id"`
	Name      string        `json:"name"`
	Type      Type          `json:"type"`
	Enabled   bool          `json:"enabled"`
	// Config holds the type-specific settings; it is serialized as-is, so
	// anything inside it (e.g. OAuth2Config.ClientSecret) ends up in JSON
	// output unless that field is tagged out.
	Config Config `json:"config"`
	// KeyHash is the stored digest of an API key, the value
	// Repository.FindByAPIKeyHash looks up. Tagged `json:"-"` so it is never
	// serialized; presumably produced by HashAPIKey — confirm.
	KeyHash string `json:"-"`
	// RawKey is the plaintext API key. Tagged `json:"-"` so it is never
	// serialized. NOTE(review): looks like it is only meant to be populated
	// transiently (e.g. by NewAPIKeyAuth, to hand the key to the creator
	// once) and must not be persisted — confirm against the repository
	// implementation.
	RawKey    string    `json:"-"`
	CreatedAt time.Time `json:"created_at"`
	UpdatedAt time.Time `json:"updated_at"`
}
func NewAPIKeyAuth ¶
// Config carries the type-specific settings of an Auth. Each member is a
// pointer with omitempty, so an unused variant is absent from JSON rather
// than emitted as an empty object. Presumably exactly one member is set and
// it must match Auth.Type (validation surfaces as ErrInvalidConfig /
// ErrInvalidType) — confirm against the validation code, not visible here.
// ResolveSecretsFrom (not shown) suggests secret-bearing fields may hold
// references that are resolved at load time rather than plaintext values.
type Config struct {
	OAuth2 *OAuth2Config `json:"oauth2,omitempty"`
	OIDC   *OIDCConfig   `json:"oidc,omitempty"`
	MTLS   *MTLSConfig   `json:"mtls,omitempty"`
}
func (*Config) ResolveSecretsFrom ¶
type ListFilter ¶
type MTLSConfig ¶
// OAuth2Config describes how inbound OAuth2 tokens for one issuer are
// validated. Issuer plus Audiences is the identity used by ConflictsWith to
// reject duplicate entries.
type OAuth2Config struct {
	Issuer string `json:"issuer"`
	// Audiences is optional here (unlike OIDCConfig.Audiences). Per
	// ConflictsWith, an entry with no audiences accepts any audience of its
	// issuer — a deliberately broad match; prefer listing audiences
	// explicitly so tokens minted for another service are not accepted.
	Audiences        []string `json:"audiences,omitempty"`
	JWKSURL          string   `json:"jwks_url,omitempty"`
	IntrospectionURL string   `json:"introspection_url,omitempty"`
	ClientID         string   `json:"client_id,omitempty"`
	// ClientSecret is serialized under "client_secret" (no `json:"-"`), so
	// any API or log that marshals an Auth verbatim exposes it.
	// NOTE(review): whether this holds a plaintext secret or a reference
	// resolved by Config.ResolveSecretsFrom is not visible here — confirm
	// before returning this struct to clients.
	ClientSecret   string   `json:"client_secret,omitempty"`
	RequiredScopes []string `json:"required_scopes,omitempty"`
	// Algorithms is exposed as "allowed_algorithms" in JSON, matching the
	// field name used by OIDCConfig; presumably it allow-lists accepted JWT
	// signing algorithms. What an empty list means (accept all, or a
	// default set) is not visible here — confirm.
	Algorithms []string `json:"allowed_algorithms,omitempty"`
}
func (c *OAuth2Config) ConflictsWith(other *OAuth2Config) bool
ConflictsWith reports whether two oauth2 configs cover the same inbound tokens: same issuer and at least one audience in common. An entry without audiences accepts any audience of its issuer, so it conflicts with every other entry on that issuer. Used as an admin-time guardrail; the request path disambiguates at runtime, but duplicate (issuer, audience) pairs make token attribution ambiguous everywhere else.
// OIDCConfig describes how inbound OIDC ID tokens for one issuer are
// validated.
type OIDCConfig struct {
	Issuer string `json:"issuer"`
	// Audiences has no omitempty, unlike OAuth2Config.Audiences, so it is
	// always emitted; presumably it is required for this type — confirm
	// against validation.
	Audiences []string `json:"audiences"`
	// JWKSURL and PublicKeys are alternative key sources; whether both may
	// be set, and which wins, is not visible here.
	JWKSURL    string   `json:"jwks_url,omitempty"`
	PublicKeys []string `json:"public_keys,omitempty"`
	RequiredScopes []string `json:"required_scopes,omitempty"`
	// AllowedAlgorithms presumably allow-lists accepted JWT signing
	// algorithms; the behaviour of an empty list is not visible here.
	AllowedAlgorithms []string `json:"allowed_algorithms,omitempty"`
	// SubjectClaim names the claim used as the principal identity instead of
	// the default (presumably "sub") — confirm.
	SubjectClaim string `json:"subject_claim,omitempty"`
}
// Repository is the persistence boundary for Auth records. Methods that take
// a gatewayID are tenant-scoped; the ones that do not (FindByID,
// FindByAPIKeyHash, FindEnabledByTypes) search across all gateways, so
// callers must check Auth.GatewayID themselves where scoping matters.
type Repository interface {
	// Save persists a new auth. Presumably returns ErrAlreadyExists on a
	// duplicate and ErrDuplicateOAuth2 on an (issuer, audience) clash —
	// confirm against the implementation.
	Save(ctx context.Context, a *Auth) error
	// Update overwrites an existing auth; presumably ErrNotFound if absent.
	Update(ctx context.Context, a *Auth) error
	// Delete removes the auth with id under gatewayID. Taking both means a
	// caller cannot delete another gateway's entry by guessing its id.
	Delete(ctx context.Context, gatewayID ids.GatewayID, id ids.AuthID) error
	// FindByID looks an auth up by id alone — not gateway-scoped.
	FindByID(ctx context.Context, id ids.AuthID) (*Auth, error)
	// FindByIDs returns the auths among authIDs that belong to gatewayID.
	FindByIDs(ctx context.Context, gatewayID ids.GatewayID, authIDs []ids.AuthID) ([]*Auth, error)
	// FindByAPIKeyHash resolves an API key by its stored digest (Auth.KeyHash),
	// so the plaintext key never needs to be persisted or queried.
	FindByAPIKeyHash(ctx context.Context, keyHash string) (*Auth, error)
	// FindEnabledByTypes returns enabled auths of the given types across all
	// gateways.
	FindEnabledByTypes(ctx context.Context, types []Type) ([]*Auth, error)
	// ListEnabledByGatewayAndType returns the enabled auths of one type for
	// one gateway.
	ListEnabledByGatewayAndType(ctx context.Context, gatewayID ids.GatewayID, authType Type) ([]*Auth, error)
	// List returns a page of auths matching filter together with the total
	// number of matches.
	List(ctx context.Context, filter ListFilter) (items []*Auth, total int, err error)
}