Overview
Package auth stores the credentials hpcc uses for distributed compilation. The on-disk token file is written by `hpcc auth login` and read by the daemon's dispatcher, so the user's password is never written to config.toml or anywhere else on disk; only the tokens obtained with it are persisted. The token file is still credential material: a refresh token, plus the client secret when one is configured, is enough to mint new access tokens without the password, so it should be protected like one.
Constants
This section is empty.
Variables
This section is empty.
Functions
func DefaultPath
DefaultPath returns the canonical token path, a sibling of config.toml. It honors XDG_CONFIG_HOME on Unix.
Types
type IdP
IdP carries the per-tenant discovery information the OAuth grants need. It mirrors the fields scheduler.GetTenantIdP returns, copied into this package so that auth does not depend on the protobuf bindings.
type Token
type Token struct {
	Username     string    `json:"username"`
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	ExpiresAt    time.Time `json:"expires_at"`
	ClientSecret string    `json:"client_secret,omitempty"`
}
Token is the cached result of a successful OAuth2 password grant. We persist the refresh_token (when the IdP returns one) so the daemon can renew expired access tokens silently; if it can't, the dispatcher surfaces a "run `hpcc auth login`" error.
ClientSecret is held alongside the rest because the daemon needs it to authenticate the refresh grant, and the only place the user supplies it is `hpcc auth login --client-secret=…`. IdPs that register hpcc as a public client (no secret) leave it empty.
func Load
Load reads the token file. It returns fs.ErrNotExist (wrapped) when no token has been saved yet; callers should treat that as "the user has not run `hpcc auth login` on this machine". Because the error is wrapped, test for it with errors.Is(err, fs.ErrNotExist) rather than an equality comparison.
func (Token) ExpiredWithin
ExpiredWithin reports whether the access token has less than skew of life remaining. Callers refresh proactively rather than waiting for the IdP to reject the token: a compile that fails mid-flight on a just-expired token is poor UX, so skew should cover at least the longest job the token has to outlive.
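The following is an added example, not code from the hpcc auth package, showing how the pieces described above fit together on the daemon side: applying a token response to the persisted Token (including the refresh-token rotation rule), the ExpiredWithin check, and the "renew silently or tell the user to run `hpcc auth login`" decision. The parameter list of ExpiredWithin, the FromResponse method, the Renewal type and ErrLoginRequired are this example's assumptions; the page documents ExpiredWithin's meaning but not its signature. The refresh function injected into Renewal stands in for RefreshGrant so the policy can be exercised offline with constructed responses.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Token and TokenResponse are the page's types. ExpiredWithin's parameters and
// everything below it are this example's assumptions, not the package's API.
type Token struct {
	Username     string    `json:"username"`
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	ExpiresAt    time.Time `json:"expires_at"`
	ClientSecret string    `json:"client_secret,omitempty"`
}

type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int    `json:"expires_in"`
	Error        string `json:"error"`
	ErrorDesc    string `json:"error_description"`
}

// ErrLoginRequired is the error the dispatcher surfaces when silent renewal is impossible.
var ErrLoginRequired = errors.New("credentials expired: run `hpcc auth login`")

// ExpiredWithin reports whether less than skew of life remains at now. A token that
// was never loaded counts as expired so the daemon never sends an empty bearer.
func (t Token) ExpiredWithin(now time.Time, skew time.Duration) bool {
	return t.AccessToken == "" || t.ExpiresAt.Sub(now) < skew
}

// FromResponse folds a §5.1 payload into the persisted record, turning the relative
// expires_in into an absolute ExpiresAt. The refresh token is replaced only when the
// IdP sent one (§6 rotation); otherwise the previous one is still live and is kept.
func (t Token) FromResponse(tr TokenResponse, now time.Time) (Token, error) {
	if tr.Error != "" {
		return t, fmt.Errorf("idp: %s: %s", tr.Error, tr.ErrorDesc)
	}
	if tr.AccessToken == "" || tr.ExpiresIn <= 0 {
		return t, errors.New("idp: success payload without access_token or expires_in")
	}
	t.AccessToken = tr.AccessToken
	t.ExpiresAt = now.Add(time.Duration(tr.ExpiresIn) * time.Second)
	if tr.RefreshToken != "" {
		t.RefreshToken = tr.RefreshToken
	}
	return t, nil
}

// Renewal is the dispatcher's pre-compile policy. Refresh stands in for
// auth.RefreshGrant and is injected so the policy can be exercised offline.
type Renewal struct {
	Skew    time.Duration // refresh when less than this remains; size it to the longest expected compile
	Refresh func(refreshToken, clientSecret string) (TokenResponse, error)
}

// Ensure returns a token with at least Skew of life left, renewing silently when it
// can. It never falls back to a password grant (the daemon has no password), and
// every failure maps to ErrLoginRequired so the user gets one actionable message.
func (r Renewal) Ensure(t Token, now time.Time) (Token, error) {
	if !t.ExpiredWithin(now, r.Skew) {
		return t, nil
	}
	if t.RefreshToken == "" {
		return t, ErrLoginRequired
	}
	tr, err := r.Refresh(t.RefreshToken, t.ClientSecret)
	if err != nil {
		return t, fmt.Errorf("%w (%v)", ErrLoginRequired, err)
	}
	renewed, err := t.FromResponse(tr, now)
	if err != nil {
		return t, fmt.Errorf("%w (%v)", ErrLoginRequired, err)
	}
	return renewed, nil
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	t, _ := Token{Username: "alice"}.FromResponse(TokenResponse{AccessToken: "at-1", RefreshToken: "rt-1", ExpiresIn: 3600}, now)
	// Constructed IdP stand-in: renews rt-1 without rotating it, rejects anything else.
	r := Renewal{Skew: 10 * time.Minute, Refresh: func(rt, _ string) (TokenResponse, error) {
		if rt != "rt-1" {
			return TokenResponse{Error: "invalid_grant", ErrorDesc: "refresh token revoked"}, nil
		}
		return TokenResponse{AccessToken: "at-2", ExpiresIn: 3600}, nil
	}}
	fresh, err := r.Ensure(t, now.Add(55*time.Minute)) // 5 min left, under the 10 min skew: refresh
	fmt.Println(fresh.AccessToken, fresh.RefreshToken, err)
	_, err = r.Ensure(Token{Username: "bob", RefreshToken: "rt-9"}, now)
	fmt.Println(errors.Is(err, ErrLoginRequired))
}
```

Wrapping every failure in ErrLoginRequired with `%w` keeps the original cause inspectable in logs while giving the CLI one sentinel to match on; the rotation rule in FromResponse is what makes a persisted Token survive IdPs that rotate refresh tokens and IdPs that do not.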
type TokenResponse
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int    `json:"expires_in"`
	Error        string `json:"error"`
	ErrorDesc    string `json:"error_description"`
}
TokenResponse is the RFC 6749 token endpoint payload: the §5.1 success fields and the §5.2 error fields share one struct, because the IdP returns JSON in both cases (with a 4xx status on error). Check Error before trusting AccessToken.
func PasswordGrant
func PasswordGrant(ctx context.Context, idp IdP, username, password, clientSecret string) (TokenResponse, error)
PasswordGrant runs an RFC 6749 §4.3 password grant against idp. Used only by `hpcc auth login`; the daemon never performs this at compile time because it would need the user's plaintext password in process memory.
func RefreshGrant
func RefreshGrant(ctx context.Context, idp IdP, refreshToken, clientSecret string) (TokenResponse, error)
RefreshGrant runs an RFC 6749 §6 refresh grant. The IdP may rotate the refresh token in the response; callers should persist whatever comes back rather than reusing the old one, and when the response carries no refresh_token at all the existing one remains valid and must be kept.
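As an added example (not the package's own implementation), here are both grants on the wire against a constructed token endpoint. The transport is the same for §4.3 and §6: a form-encoded POST, the client secret (when present) sent as HTTP Basic per RFC 6749 §2.3.1, and the response decoded as a TokenResponse whether the status is 200 or 4xx, since §5.2 errors are JSON too. The IdP type here is cut down to a TokenURL and ClientID (the page does not list IdP's fields, so these are assumptions), and FakeIdP, the client id hpcc-cli, the secret cs and the user alice/s3cret are all constructed for the example. The fake rotates the refresh token on every successful grant and rejects a replayed one, which is the behaviour the persistence rule above exists for.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenResponse is the page's §5.1/§5.2 payload; IdP is cut down to the two
// fields this example needs (the page's IdP carries more discovery info).
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int    `json:"expires_in"`
	Error        string `json:"error"`
	ErrorDesc    string `json:"error_description"`
}

type IdP struct {
	TokenURL string
	ClientID string
}

// post is the transport both grants share: a form-encoded POST, the client secret
// (if any) as HTTP Basic per §2.3.1, and the JSON body decoded on 200 and 4xx alike.
func post(ctx context.Context, idp IdP, clientSecret string, form url.Values) (TokenResponse, error) {
	form.Set("client_id", idp.ClientID)
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, idp.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return TokenResponse{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if clientSecret != "" {
		req.SetBasicAuth(idp.ClientID, clientSecret)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return TokenResponse{}, err
	}
	defer resp.Body.Close()
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return tr, fmt.Errorf("token endpoint: HTTP %d, undecodable body: %w", resp.StatusCode, err)
	}
	if tr.Error != "" || resp.StatusCode != http.StatusOK || tr.AccessToken == "" {
		return tr, fmt.Errorf("token endpoint: HTTP %d %s: %s", resp.StatusCode, tr.Error, tr.ErrorDesc)
	}
	return tr, nil
}

// PasswordGrant (§4.3) is the CLI's one-time step; RefreshGrant (§6) is what the
// daemon repeats, persisting whatever refresh_token it gets back.
func PasswordGrant(ctx context.Context, idp IdP, username, password, clientSecret string) (TokenResponse, error) {
	return post(ctx, idp, clientSecret, url.Values{"grant_type": {"password"}, "username": {username}, "password": {password}})
}
func RefreshGrant(ctx context.Context, idp IdP, refreshToken, clientSecret string) (TokenResponse, error) {
	return post(ctx, idp, clientSecret, url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}})
}

// FakeIdP is a constructed token endpoint: client hpcc-cli/cs via Basic auth, user
// alice/s3cret, a fresh refresh token on every grant, invalid_grant on a replayed one.
func FakeIdP() *httptest.Server {
	live, n := "", 0 // one sequential client in this example, so no locking
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm()
		if id, secret, ok := r.BasicAuth(); !ok || id != "hpcc-cli" || secret != "cs" {
			w.WriteHeader(http.StatusUnauthorized)
			_ = json.NewEncoder(w).Encode(TokenResponse{Error: "invalid_client", ErrorDesc: "bad client credentials"})
			return
		}
		f, grant := r.PostForm, r.PostForm.Get("grant_type")
		ok := (grant == "password" && f.Get("username") == "alice" && f.Get("password") == "s3cret") ||
			(grant == "refresh_token" && live != "" && f.Get("refresh_token") == live)
		if !ok {
			w.WriteHeader(http.StatusBadRequest)
			_ = json.NewEncoder(w).Encode(TokenResponse{Error: "invalid_grant", ErrorDesc: "bad credentials or refresh token revoked"})
			return
		}
		n++
		live = fmt.Sprintf("rt-%d", n)
		_ = json.NewEncoder(w).Encode(TokenResponse{AccessToken: fmt.Sprintf("at-%d", n), RefreshToken: live, ExpiresIn: 3600})
	}))
}

func main() {
	srv := FakeIdP()
	defer srv.Close()
	idp, ctx := IdP{TokenURL: srv.URL, ClientID: "hpcc-cli"}, context.Background()
	t1, err1 := PasswordGrant(ctx, idp, "alice", "s3cret", "cs")
	t2, err2 := RefreshGrant(ctx, idp, t1.RefreshToken, "cs")
	_, err3 := RefreshGrant(ctx, idp, t1.RefreshToken, "cs") // replaying rt-1 after rotation
	fmt.Println(t1.RefreshToken, err1, t2.RefreshToken, err2, err3)
}
```

The third call shows why the old refresh token must not be reused: once the IdP has rotated, the previous token is rejected with invalid_grant, and a daemon that had persisted only the original would be unable to renew and would have to send the user back to `hpcc auth login`.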