Documentation
Index
- func AllowedAuthenticSources(engine *SafeEngine, subject string) []string
- func AllowedScopes(engine *SafeEngine, subject string) []string
- func BuildSPOCPQuery(service, method, path, subject, authenticSource, scope string) sexp.Element
- func StatusCode(ctx context.Context, err error) int
- type Client
- type DefaultValidator
- type JWKSCache
- type RateLimiter
- type ResourcePair
- type SafeEngine
Constants
This section is empty.
Variables
This section is empty.
Functions
func AllowedAuthenticSources added in v0.5.7
func AllowedAuthenticSources(engine *SafeEngine, subject string) []string
AllowedAuthenticSources returns the distinct authentic_source values the subject is permitted to access. Returns nil for unrestricted access (wildcard rule or no resource rules).
func AllowedScopes added in v0.5.7
func AllowedScopes(engine *SafeEngine, subject string) []string
AllowedScopes returns the distinct scope values the subject is permitted to access. Returns nil for unrestricted access (wildcard rule or no resource rules).
func BuildSPOCPQuery added in v0.5.7
func BuildSPOCPQuery(service, method, path, subject, authenticSource, scope string) sexp.Element
BuildSPOCPQuery constructs a SPOCP query S-expression for the current HTTP request, including service, method, path, subject, authentic source and scope:
(vc (service apigw)(method POST)(path /api/v1/upload)(subject alice@sunet.se)(authentic_source SUNET)(scope eduid))
The service dimension ensures that rules written for one service do not accidentally grant access to another service sharing the same endpoints.
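As an added illustration, not the package's own sexp or SPOCP engine code, the toy Go program below models the query format shown above and the service-dimension check it enables: a rule written for service apigw is not matched by an otherwise identical query for another service, and a rule value of * is treated as "any value" in the sense the ResolveAllowedResources documentation describes. Element, ParseVC, BuildQuery and Matches are names assumed here, and the flat parser only handles this exact vc shape.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Element is a flat view of one vc expression: dimension -> value.
type Element map[string]string
// pairRe matches one "(name value)" pair; a toy for this flat shape,
// not a general S-expression reader.
var pairRe = regexp.MustCompile(`\(([a-z_]+) ([^()\s]+)\)`)

// ParseVC parses "(vc (service apigw)(method POST)...)" into an Element.
func ParseVC(s string) (Element, error) {
	s = strings.TrimSpace(s)
	if !strings.HasPrefix(s, "(vc ") || !strings.HasSuffix(s, ")") {
		return nil, fmt.Errorf("not a vc expression: %q", s)
	}
	e := Element{}
	for _, m := range pairRe.FindAllStringSubmatch(s[4:len(s)-1], -1) {
		e[m[1]] = m[2]
	}
	return e, nil
}

// BuildQuery renders the six dimensions in the documented order.
func BuildQuery(service, method, path, subject, src, scope string) string {
	return fmt.Sprintf("(vc (service %s)(method %s)(path %s)(subject %s)(authentic_source %s)(scope %s))",
		service, method, path, subject, src, scope)
}

// Matches is true when every rule dimension equals the query value or is "*".
// A dimension missing from the query fails closed.
func Matches(rule, query Element) bool {
	for dim, want := range rule {
		got, ok := query[dim]
		if !ok || (want != "*" && want != got) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample rule: any authentic_source, but only for service apigw.
	rule, _ := ParseVC("(vc (service apigw)(method POST)(path /api/v1/upload)(subject alice@sunet.se)(authentic_source *)(scope eduid))")
	same, _ := ParseVC(BuildQuery("apigw", "POST", "/api/v1/upload", "alice@sunet.se", "SUNET", "eduid"))
	other, _ := ParseVC(BuildQuery("portal", "POST", "/api/v1/upload", "alice@sunet.se", "SUNET", "eduid"))
	fmt.Println(Matches(rule, same), Matches(rule, other)) // true false
}
```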
Types
type Client
type Client struct {
Binding *bindingHandler
Middleware *middlewareHandler
Rendering *renderingHandler
TLS *tlsHandler
Server *serverHandler
Validator *validatorHandler
// contains filtered or unexported fields
}
Client is the client object for httphelpers
type DefaultValidator
DefaultValidator is the default validator for httphelpers
func (*DefaultValidator) Engine
func (v *DefaultValidator) Engine() any
Engine satisfies the binding.Validator interface
func (*DefaultValidator) ValidateStruct
func (v *DefaultValidator) ValidateStruct(obj any) error
ValidateStruct satisfies the binding.StructValidator interface
type JWKSCache
type JWKSCache interface {
Get(ctx context.Context, key string) ([]byte, bool)
Set(ctx context.Context, key string, value []byte)
}
JWKSCache is the generic cache interface used to store raw JWKS JSON. It is satisfied by both MemoryCache and MongoCache from pkg/cache.
type RateLimiter
type RateLimiter struct {
// contains filtered or unexported fields
}
RateLimiter implements a token bucket rate limiter using gin-ratelimit
func (*RateLimiter) Middleware
func (rl *RateLimiter) Middleware() gin.HandlerFunc
Middleware returns a Gin middleware handler that enforces rate limiting by IP
type ResourcePair added in v0.5.7
ResourcePair represents an allowed (authentic_source, scope) combination.
func ResolveAllowedResources added in v0.5.7
func ResolveAllowedResources(engine *SafeEngine, subject string) []ResourcePair
ResolveAllowedResources returns all (authentic_source, scope) pairs that the given subject is authorized for, by inspecting the SPOCP rules directly. A wildcard in the rule position means "any value" — represented as "*" in the result. Returns nil when engine is nil (no authorization configured).
type SafeEngine
type SafeEngine struct {
// contains filtered or unexported fields
}
SafeEngine wraps a SPOCP AdaptiveEngine with a sync.RWMutex so that concurrent request handlers can safely call QueryElement while still allowing future rule hot-reloading under a write lock.
func BuildSPOCPEngine added in v0.5.7
func BuildSPOCPEngine(cfg model.APIAuth) (*SafeEngine, error)
BuildSPOCPEngine creates a SPOCP engine from the APIAuth rules. Returns nil when no rules are configured (authentication-only mode).
func (*SafeEngine) QueryElement
func (s *SafeEngine) QueryElement(q sexp.Element) bool
QueryElement checks if the query is authorized (read-locked).
func (*SafeEngine) RuleCount
func (s *SafeEngine) RuleCount() int
RuleCount returns the number of loaded rules (read-locked).