stdcrpcaccess

package
v0.0.107 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 14, 2025 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package stdcrpcaccess implements an access control layer for Connect RPC.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func SignTestToken added in v0.0.100

func SignTestToken(tok jwt.Token) (string, error)

SignTestToken signs a valid JWT against a well-known private key for testing.

func WithSignedTestToken added in v0.0.100

func WithSignedTestToken(base connect.HTTPClient, createToken func(r *http.Request) jwt.Token) connect.HTTPClient

WithSignedTestToken is a http client middleware that always adds a valid (self signed) token for testing.

func WithTestAuthBackend added in v0.0.100

func WithTestAuthBackend() fx.Option

WithTestAuthBackend injects dependencies for allowing tests to sign and validate access tokens.

Types

type AccessControl

type AccessControl[T any] struct {
	// contains filtered or unexported fields
}

AccessControl implements a simple access control scheme.

func New

func New[T any](
	logic Logic[T],
	back AuthBackend,
	signing jwk.Set,
	audience string,
	authBackendIssuer, signingIssuer string,
	extraValidators []jwt.Validator,
) *AccessControl[T]

New inits the access control.

func (*AccessControl[T]) Close

func (ac *AccessControl[T]) Close(context.Context) error

Close cancels the lifecycle context.

func (*AccessControl[T]) SignAccessToken added in v0.0.102

func (ac *AccessControl[T]) SignAccessToken(
	bldr *jwt.Builder,
	signingKeyID string,
) ([]byte, error)

SignAccessToken turns auth information T into an access token that is accepted by auth checks. The audience claim is overwritten with what is configured for this access control instance.

func (*AccessControl[T]) Wrap

func (ac *AccessControl[T]) Wrap(next http.Handler) http.Handler

type AuthBackend

type AuthBackend interface {
	JWKSEndpoint() string
}

AuthBackend represents and OIDC service that we don't control the signing process of.

type Logic added in v0.0.103

type Logic[T any] interface {
	// ProcedurePermissions is implemented to turn the claims into permissions for connect RPC procedure annotation.
	ProcedurePermissions(info T) []string
	// DecorateContext implements how auth information is stored in the context for the rest of the application to use.
	DecorateContext(ctx context.Context, info T) context.Context
	// InitAsAnonymous is called to initialize auth information when there is no access token.
	InitAsAnonymous(ctx context.Context, req *http.Request) (T, bool)
	// InitFromAccessToken is called to initialize a auth information when there is a valid access token.
	InitFromAccessToken(ctx context.Context, tok jwt.Token) (T, error)
}

Logic defines the auth logic to implement in order to customize the auth process.

type RealAuthBackend

type RealAuthBackend string

RealAuthBackend is used when actually deploying.

func (RealAuthBackend) JWKSEndpoint

func (ap RealAuthBackend) JWKSEndpoint() string

type TestAuthBackend added in v0.0.100

type TestAuthBackend struct {
	// contains filtered or unexported fields
}

TestAuthBackend is an auth backend that is run locally and we control the signing process for.

func NewTestAuthBackend added in v0.0.100

func NewTestAuthBackend() *TestAuthBackend

NewTestAuthBackend starts a server for testing that serves the key set.

func (TestAuthBackend) JWKSEndpoint added in v0.0.100

func (ap TestAuthBackend) JWKSEndpoint() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL