auth

package


Constants

This section is empty.

Variables

var (
	// ErrUnauthenticated is returned when authentication is required but not provided.
	// This should be mapped to HTTP 401 Unauthorized in handlers.
	// Callers should test for it with errors.Is, since a provider may return it
	// wrapped with additional context.
	ErrUnauthenticated = errors.New("unauthenticated")

	// ErrForbidden is returned when a user is authenticated but lacks permission.
	// This should be mapped to HTTP 403 Forbidden in handlers (or 404 to prevent info leakage).
	// Answering 404 avoids confirming that a resource the caller cannot see exists;
	// whichever status a handler picks, it should use it consistently so the code
	// itself does not become an existence oracle.
	ErrForbidden = errors.New("forbidden")
)
// BlockedNamespaces is a denylist of namespaces that are not allowed to publish packages.
// It is empty by default, so nothing is blocked until it is populated elsewhere
// (the population site is not visible here). It is mutable package-level state:
// writers must populate it before requests are served, since a plain slice is not
// safe for concurrent modification.
// NOTE(review): the exact-vs-prefix comparison rule lives in the caller — confirm
// how a namespace is matched before relying on this as an abuse control.
var BlockedNamespaces = []string{}

BlockedNamespaces contains a list of namespaces that are not allowed to publish packages. It is used as a denylist mechanism to prevent abuse and is empty by default, so nothing is blocked until it is populated.

// PublicActions lists the actions an unauthenticated caller is allowed to perform.
//
// SECURITY: every listed action is currently public, including the write actions
// Push and Publish and the destructive actions Delete and Deploy. This is documented
// as a temporary convenience for local, unauthenticated use; a registry reached over
// the network with this table unchanged lets anyone delete or deploy artifacts.
// Once proper authN/authZ handling exists, only PermissionActionRead belongs here.
// PermissionActionEdit is the only defined action absent from the map (a missing
// key reads as false).
var PublicActions = map[PermissionAction]bool{
	PermissionActionRead:    true,
	PermissionActionPush:    true,
	PermissionActionPublish: true,

	// Destructive actions — temporarily public; see the SECURITY note above.
	PermissionActionDelete: true,
	PermissionActionDeploy: true,
}

PublicActions defines which actions are allowed without authentication. The intent is that only non-destructive actions be public, but as a stopgap all actions — including Push, Publish, Delete and Deploy — are currently allowed so that a local registry can be used without authentication. Once proper authN/authZ handling is implemented, the write and destructive entries should be removed, leaving only the read action as public. Until then this table must not be used for a network-exposed deployment.

Functions

func AuthSessionTo

func AuthSessionTo(ctx context.Context, session Session) context.Context

func AuthnMiddleware

func AuthnMiddleware(authn AuthnProvider) func(ctx huma.Context, next func(huma.Context))

func IsSystemSession

func IsSystemSession(s Session) bool

IsSystemSession checks if a session is the SystemSession type.

func WithSystemContext

func WithSystemContext(ctx context.Context) context.Context

WithSystemContext creates a context for internal system operations.

Types

type AuthnProvider

// AuthnProvider authenticates an incoming request.
//
// Authenticate is given a header accessor (rather than the whole request) and the
// parsed query values, so credentials may be read from either place. It returns
// the caller's Session, or an error; ErrUnauthenticated is the sentinel this
// package defines for the "no usable credentials" case, though whether every
// implementation returns it is not visible here.
// NOTE(review): credentials accepted from the query string end up in access logs
// and browser history — confirm which providers read query values and why.
type AuthnProvider interface {
	Authenticate(ctx context.Context, reqHeaders func(name string) string, query url.Values) (Session, error)
}

type Authorizer

// Authorizer is the package's authorization entry point, wrapping an AuthzProvider.
// Unlike the provider's methods, its Check and IsRegistryAdmin take only a context,
// so the Session is presumably resolved from the context (AuthSessionFrom); the
// request context must therefore carry a session set via AuthSessionTo before
// Check is called, or the check cannot succeed for a real user.
type Authorizer struct {
	Authz AuthzProvider
}

func (*Authorizer) Check

func (a *Authorizer) Check(ctx context.Context, verb PermissionAction, resource Resource) error

func (*Authorizer) IsRegistryAdmin

func (a *Authorizer) IsRegistryAdmin(ctx context.Context) bool

type AuthzProvider

// AuthzProvider defines the authorization interface: for an already authenticated
// Session it decides whether an action on a resource is permitted.
type AuthzProvider interface {
	// Check verifies if the session can perform the action on the resource.
	// Used for single-resource operations (get, update, delete).
	// A nil error means allowed; the package's sentinels ErrForbidden (and
	// ErrUnauthenticated for an absent session) are intended for the deny cases.
	Check(ctx context.Context, s Session, verb PermissionAction, resource Resource) error
	// IsRegistryAdmin checks if the session has global permissions (i.e. "*") for the registry
	// Also used by internal operations and database queries that need to bypass filtering.
	// Because a true result bypasses row-level filtering, this is the highest-privilege
	// decision in the package: implementations must never derive it from client
	// input that has not been signature-verified.
	IsRegistryAdmin(ctx context.Context, s Session) bool
}

AuthzProvider defines the authorization interface.

type JWTClaims

// JWTClaims represents the claims for the Registry JWT token.
//
// Permissions travel inside the token, so every authorization decision is only as
// trustworthy as the signature check in JWTManager.ValidateToken: a code path that
// decodes claims without verifying the signature would let a client mint its own
// permissions. RegisteredClaims supplies exp/iat/sub and friends; which of them are
// enforced on validation is not visible here.
type JWTClaims struct {
	jwt.RegisteredClaims
	// Authentication method used to obtain this token
	AuthMethod        Method       `json:"auth_method"`
	// Subject as reported by that method (presumably the upstream account
	// identity); kept separate from RegisteredClaims.Subject.
	AuthMethodSubject string       `json:"auth_method_sub"`
	// Permissions granted to the bearer; see Permission for the pattern format.
	Permissions       []Permission `json:"permissions"`
}

JWTClaims represents the claims for the Registry JWT token

type JWTManager

// JWTManager handles JWT token operations: it issues registry tokens
// (GenerateTokenResponse), validates them (ValidateToken), acts as an AuthnProvider
// (Authenticate) and exposes a Check with the AuthzProvider signature plus
// HasPermission for pattern matching. It is configured from config.Config via
// NewJWTManager; the signing key and algorithm live in the unexported fields and
// are not visible here — confirm that ValidateToken pins the expected algorithm
// rather than trusting the token header.
type JWTManager struct {
	// contains filtered or unexported fields
}

JWTManager handles JWT token operations

func NewJWTManager

func NewJWTManager(cfg *config.Config) *JWTManager

func (*JWTManager) Authenticate

func (j *JWTManager) Authenticate(ctx context.Context, reqHeaders func(name string) string, query url.Values) (Session, error)

func (*JWTManager) Check

func (j *JWTManager) Check(ctx context.Context, s Session, verb PermissionAction, resource Resource) error

func (*JWTManager) GenerateTokenResponse

func (j *JWTManager) GenerateTokenResponse(_ context.Context, claims JWTClaims) (*TokenResponse, error)

GenerateTokenResponse generates a new Registry JWT token from the given claims and wraps it, with its expiry, in a TokenResponse.

func (*JWTManager) HasPermission

func (j *JWTManager) HasPermission(resource string, action PermissionAction, permissions []Permission) bool

func (*JWTManager) ValidateToken

func (j *JWTManager) ValidateToken(_ context.Context, tokenString string) (*JWTClaims, error)

ValidateToken validates a Registry JWT token and returns the claims

type Method

// Method represents the authentication method used to obtain a token; it is
// recorded in JWTClaims.AuthMethod so consumers can tell how strong the upstream
// identity proof was.
type Method string

Method represents the authentication method used

const (
	// GitHub OAuth authentication (access token)
	MethodGitHubAT Method = "github-at"
	// GitHub Actions OIDC authentication
	MethodGitHubOIDC Method = "github-oidc"
	// Generic OIDC authentication
	MethodOIDC Method = "oidc"
	// DNS-based public/private key authentication
	MethodDNS Method = "dns"
	// HTTP-based public/private key authentication
	MethodHTTP Method = "http"
	// No authentication - should only be used for local development and testing.
	// A token whose AuthMethod is "none" is, by definition, not backed by any
	// upstream identity proof, so a production deployment must refuse to issue or
	// accept it; where that gate lives is not visible here.
	MethodNone Method = "none"
)

type Permission

// Permission is one grant carried in a JWT: an Action on every resource whose name
// matches ResourcePattern. The matching rule (the example suggests a trailing "*"
// glob after a namespace prefix) is implemented in JWTManager.HasPermission and is
// not visible here. Since a bare "*" is what IsRegistryAdmin describes as global
// permission, issuers must validate patterns before placing them in a token.
type Permission struct {
	Action          PermissionAction `json:"action"`   // The action type (e.g. publish, edit, delete, etc.)
	ResourcePattern string           `json:"resource"` // e.g., "io.github.username/*"
}

type PermissionAction

// PermissionAction represents the type of action that can be performed; it is
// the verb passed to Authorizer.Check and the key of PublicActions.
type PermissionAction string

PermissionAction represents the type of action that can be performed

// The actions a Permission can grant and that authorization checks are asked about.
// By name, Read is the only non-mutating action; Delete and Deploy are the most
// consequential. See PublicActions for which of these are currently reachable
// without authentication.
const (
	PermissionActionRead    PermissionAction = "read"
	PermissionActionPush    PermissionAction = "push"
	PermissionActionPublish PermissionAction = "publish"
	PermissionActionEdit    PermissionAction = "edit"
	PermissionActionDelete  PermissionAction = "delete"
	PermissionActionDeploy  PermissionAction = "deploy"
)

type PermissionArtifactType

// PermissionArtifactType represents the type of artifact that a permission is for;
// it is carried on Resource so a check can distinguish agents, skills and servers.
type PermissionArtifactType string

PermissionArtifactType represents the type of artifact that a permission is for

// The artifact kinds a Resource can refer to. The string values are the wire
// form, so renaming one is a breaking change for issued tokens and stored data.
const (
	PermissionArtifactTypeAgent  PermissionArtifactType = "agent"
	PermissionArtifactTypeSkill  PermissionArtifactType = "skill"
	PermissionArtifactTypeServer PermissionArtifactType = "server"
)

type Principal

// Principal is the authenticated identity attached to a Session (the "authn" half
// of this package). It currently wraps a single User.
type Principal struct {
	User User
}

Principal is the authenticated identity (authn) attached to a Session; it wraps the User and its permissions.

type PublicAuthzProvider

// PublicAuthzProvider implements AuthzProvider for the public version of the
// registry. It is constructed around a *JWTManager (NewPublicAuthzProvider), so
// its Check decision is presumably driven by the Permissions in a validated JWT;
// the wrapped fields are unexported and not visible here.
type PublicAuthzProvider struct {
	// contains filtered or unexported fields
}

PublicAuthzProvider implements AuthzProvider for the public version.

func NewPublicAuthzProvider

func NewPublicAuthzProvider(jwtManager *JWTManager) *PublicAuthzProvider

NewPublicAuthzProvider creates a new public authorization provider.

func (*PublicAuthzProvider) Check

func (o *PublicAuthzProvider) Check(ctx context.Context, s Session, verb PermissionAction, resource Resource) error

Check verifies if the session can perform the action on the resource.

func (*PublicAuthzProvider) IsRegistryAdmin

func (o *PublicAuthzProvider) IsRegistryAdmin(ctx context.Context, s Session) bool

type Resource

// Resource identifies the object an authorization check is about: the artifact's
// Name (presumably matched against Permission.ResourcePattern) and its Type.
type Resource struct {
	Name string
	Type PermissionArtifactType
}

type Session

// Session is the result of successful authentication and the subject of every
// authorization check. It exposes only its Principal; SystemSession is the
// in-process implementation used for internal work.
type Session interface {
	Principal() Principal
}

func AuthSessionFrom

func AuthSessionFrom(ctx context.Context) (Session, bool)

type SystemSession

// SystemSession is used for internal system operations (importers, reconciliation).
// It is attached by WithSystemContext and recognized by IsSystemSession. Because it
// is presumably treated as fully privileged by authorizers, it must never be placed
// on a context that originates from an external request.
type SystemSession struct{}

SystemSession is used for internal system operations (importers, reconciliation).

func (*SystemSession) Principal

func (s *SystemSession) Principal() Principal

type TokenResponse

// TokenResponse is the JSON body returned to a client after a successful token
// exchange. RegistryToken is a bearer credential and must be treated as a secret
// (never logged). ExpiresAt is presumably a Unix timestamp in seconds — confirm
// against GenerateTokenResponse; note that int is platform-sized, so on a 32-bit
// build a seconds timestamp overflows in 2038 (int64 would be safer).
type TokenResponse struct {
	RegistryToken string `json:"registry_token"`
	ExpiresAt     int    `json:"expires_at"`
}

type User

// User is the identity held by a Principal. As declared it carries only the
// permission set — no name or subject — so anything that needs to know who acted
// (audit logs, ownership checks) cannot get that from here alone.
type User struct {
	Permissions []Permission
}
