api

package
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 31, 2026 License: Apache-2.0 Imports: 39 Imported by: 0

Documentation

Overview

Package api implements the HTTP server for the IdP.

Index

Constants

View Source
const (
	ActionLogin          = "auth.login"
	ActionLoginFailed    = "auth.login.failed"
	ActionLoginMFA       = "auth.login.mfa"
	ActionLoginMFAFailed = "auth.login.mfa.failed"
	ActionLogout         = "auth.logout"
	ActionTokenIssued    = "auth.token.issued"
	ActionTokenRevoked   = "auth.token.revoked"
	ActionTokenRefreshed = "auth.token.refreshed"
	// ActionBackchannelLogout records each OIDC Back-Channel Logout 1.0
	// notification auth POSTs to an RP's backchannel_logout_uri. One entry
	// per RP per notification; failures (HTTP non-2xx, dial errors) are
	// recorded with the http status / error in metadata. The push is best-
	// effort so a failure does NOT cause the originating logout to roll back.
	ActionBackchannelLogout = "auth.logout.backchannel"
	ActionUserCreated       = "admin.user.created"
	ActionUserUpdated       = "admin.user.updated"
	ActionUserDeleted       = "admin.user.deleted"
	// ActionUserCompromisedReset bundles the "assume credentials are
	// leaked, invalidate everything" admin action: temp password issued
	// + must_change_password set, MFA wiped, auth sessions deleted,
	// back-channel logout broadcast, AWS federation sessions revoked.
	// One audit row covers the whole sequence so investigations see the
	// intentional bundled action rather than five disconnected events.
	ActionUserCompromisedReset = "admin.user.compromised_reset"
	ActionClientCreated        = "admin.client.created"
	ActionClientUpdated        = "admin.client.updated"
	ActionClientDeleted        = "admin.client.deleted"
	ActionClientSecretRotated  = "admin.client.secret.rotated"
	// Group lifecycle — managed via portal; fanned out to downstream SCIM/IAM provisioners.
	ActionGroupCreated        = "admin.group.created"
	ActionGroupUpdated        = "admin.group.updated"
	ActionGroupDeleted        = "admin.group.deleted"
	ActionMFATOTPEnrolled     = "mfa.totp.enrolled"
	ActionMFATOTPDeleted      = "mfa.totp.deleted"
	ActionMFAWebAuthnEnrolled = "mfa.webauthn.enrolled"
	ActionMFAWebAuthnDeleted  = "mfa.webauthn.deleted"
	ActionIntegrationCreated  = "admin.integration.created"
	ActionIntegrationUpdated  = "admin.integration.updated"
	ActionIntegrationDeleted  = "admin.integration.deleted"
	ActionIntegrationTested   = "admin.integration.tested"
	ActionIntegrationSynced   = "admin.integration.synced"
	// AWS OIDC federation events — separate from admin.integration.* because
	// these touch the federation catalog (accounts/roles/assignments) and
	// the federation runtime (token exchange + role-side revocation), not
	// the generic app_integrations row.
	ActionAWSAccountCreated      = "admin.aws.account.created"
	ActionAWSAccountUpdated      = "admin.aws.account.updated"
	ActionAWSAccountDeleted      = "admin.aws.account.deleted"
	ActionAWSRoleCreated         = "admin.aws.role.created"
	ActionAWSRoleUpdated         = "admin.aws.role.updated"
	ActionAWSRoleDeleted         = "admin.aws.role.deleted"
	ActionAWSAssignmentCreated   = "admin.aws.assignment.created"
	ActionAWSAssignmentDeleted   = "admin.aws.assignment.deleted"
	ActionAWSConsoleAssumed      = "aws.console.assumed"
	ActionAWSConsoleAssumeFailed = "aws.console.assume.failed"
	ActionAWSFederationRevoked   = "aws.federation.revoked"
	// ActionAWSFederationRevokedManual is the operator-triggered variant
	// (the "Revoke AWS sessions" button on the user edit page). Distinct
	// from the auto-revoke that runs on full deactivation so investigations
	// can tell "admin pulled the cord intentionally" apart from "user was
	// deactivated and revocation came along for the ride."
	ActionAWSFederationRevokedManual = "aws.federation.revoked.manual"
	ActionAWSFederationRevokeReaped  = "aws.federation.revoke.reaped"
	// Device authorization grant (RFC 8628) lifecycle. Four distinct
	// events keyed off the device_grants state machine — separate so
	// investigations can distinguish "code created but never approved"
	// (likely user gave up) from "approved then denied at /token"
	// (likely replay attempt) at audit-tail time.
	ActionDeviceAuthorizationCreated = "auth.device.authorization.created"
	ActionDeviceCodeApproved         = "auth.device.code.approved"
	ActionDeviceCodeDenied           = "auth.device.code.denied"
	ActionDeviceCodeRedeemed         = "auth.device.code.redeemed"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	Store        store.Store
	Signer       *internaljwt.Signer
	Policy       *policy.Engine
	WAHandler    *mfa.WAHandler
	KP           bcrypto.KeyProvider
	Provisioners *provision.Registry
	OutboundTLS  *tls.Config
	Audit        audit.Sink
	AuditSource  journal.Source
	Issuer       string
	AWSAudience  string
	// StepUpMFATTL bounds how recently the user must have completed an
	// MFA challenge for sensitive role assumption to proceed without
	// re-prompting. Zero or negative falls back to the package default.
	StepUpMFATTL      time.Duration
	MasterKey         []byte
	Log               *slog.Logger
	AllowRegistration bool
}

Config holds server constructor options.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server holds all dependencies for the HTTP API.

func New

func New(cfg Config) (*Server, error)

New creates a Server.

func (*Server) Routes

func (s *Server) Routes() http.Handler

Routes returns the root HTTP handler with all routes registered.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL