auth


Constants

This section is empty.

Variables

This section is empty.

Functions

func ExtractTokenFromRequest

func ExtractTokenFromRequest(c *fiber.Ctx) string

ExtractTokenFromRequest extracts the auth token from a Fiber request. It checks, in order: an Authorization header with a Bearer prefix, an Authorization header with a Token prefix, a plain Authorization header, the x-api-key header, and finally the p= query parameter (kept for InfluxDB 1.x compatibility). Note that a token passed in the query string may be recorded in access, proxy and browser logs, so the header forms are preferable.

func IsValidPermission

func IsValidPermission(p string) bool

IsValidPermission reports whether a permission string is a valid permission value.

func NewMiddleware

func NewMiddleware(config MiddlewareConfig) fiber.Handler

NewMiddleware creates authentication middleware for Fiber

func RequireAdmin

func RequireAdmin(am *AuthManager) fiber.Handler

RequireAdmin creates middleware requiring admin permission

func RequireDelete

func RequireDelete(am *AuthManager) fiber.Handler

RequireDelete creates middleware requiring delete permission

func RequirePermission

func RequirePermission(am *AuthManager, permission string) fiber.Handler

RequirePermission creates middleware that requires a specific permission

func RequireRead

func RequireRead(am *AuthManager) fiber.Handler

RequireRead creates middleware requiring read permission

func RequireResourceDelete

func RequireResourceDelete(am *AuthManager, rm *RBACManager) fiber.Handler

RequireResourceDelete creates middleware requiring delete permission with resource context

func RequireResourcePermission

func RequireResourcePermission(am *AuthManager, rm *RBACManager, permission string) fiber.Handler

RequireResourcePermission creates middleware that checks resource-scoped permissions using RBAC when enabled, with fallback to OSS token permissions. The database and measurement are extracted from request headers or path.

func RequireResourceRead

func RequireResourceRead(am *AuthManager, rm *RBACManager) fiber.Handler

RequireResourceRead creates middleware requiring read permission with resource context

func RequireResourceWrite

func RequireResourceWrite(am *AuthManager, rm *RBACManager) fiber.Handler

RequireResourceWrite creates middleware requiring write permission with resource context

func RequireWrite

func RequireWrite(am *AuthManager) fiber.Handler

RequireWrite creates middleware requiring write permission

Types

type AddTokenToTeamRequest

// AddTokenToTeamRequest is the request body used to add a token to a team
// (see RBACManager.AddTokenToTeam).
type AddTokenToTeamRequest struct {
	TeamID int64 `json:"team_id"` // ID of the team the token is added to
}

AddTokenToTeamRequest represents a request to add a token to a team

type AuthManager

// AuthManager handles API token authentication backed by SQLite storage.
// Its fields are unexported; construct it with NewAuthManager and release
// it with Close.
type AuthManager struct {
	// contains filtered or unexported fields
}

AuthManager handles API token authentication with SQLite storage

func NewAuthManager

func NewAuthManager(dbPath string, cacheTTL time.Duration, maxCacheSize int, logger zerolog.Logger) (*AuthManager, error)

NewAuthManager creates a new authentication manager

func (*AuthManager) Close

func (am *AuthManager) Close() error

Close shuts down the auth manager

func (*AuthManager) CreateToken

func (am *AuthManager) CreateToken(name, description, permissions string, expiresAt *time.Time) (string, error)

CreateToken creates a new API token

func (*AuthManager) CreateTokenWithValue

func (am *AuthManager) CreateTokenWithValue(tokenValue, name, description, permissions string, expiresAt *time.Time) (string, error)

CreateTokenWithValue creates a new API token using a caller-provided token value instead of generating one. The value must be at least 32 characters long to ensure adequate entropy.

func (*AuthManager) DeleteToken

func (am *AuthManager) DeleteToken(id int64) error

DeleteToken deletes a token by ID

func (*AuthManager) EnsureInitialToken

func (am *AuthManager) EnsureInitialToken() (string, error)

EnsureInitialToken creates an admin token if no tokens exist

func (*AuthManager) EnsureInitialTokenWithValue

func (am *AuthManager) EnsureInitialTokenWithValue(tokenValue string) (string, error)

EnsureInitialTokenWithValue creates the initial admin token using a caller-provided value. If tokens already exist, this is a no-op (returns empty string).

func (*AuthManager) ForceAddRecoveryToken

func (am *AuthManager) ForceAddRecoveryToken(tokenValue string) (string, error)

ForceAddRecoveryToken adds a new admin token with the provided value without removing existing tokens. This is a recovery path for when the admin token has been lost. Requires ARC_AUTH_FORCE_BOOTSTRAP=true. Existing tokens are preserved so that legitimate admins can still revoke the recovery token if it was injected by a bad actor.

func (*AuthManager) GetCacheStats

func (am *AuthManager) GetCacheStats() map[string]interface{}

GetCacheStats returns cache statistics

func (*AuthManager) GetDB

func (am *AuthManager) GetDB() *sql.DB

GetDB returns the underlying database connection for use by RBACManager

func (*AuthManager) GetTokenByID

func (am *AuthManager) GetTokenByID(id int64) (*TokenInfo, error)

GetTokenByID returns token info by ID

func (*AuthManager) HasPermission

func (am *AuthManager) HasPermission(info *TokenInfo, permission string) bool

HasPermission checks if a token has a specific permission

func (*AuthManager) InvalidateCache

func (am *AuthManager) InvalidateCache()

InvalidateCache clears the token cache

func (*AuthManager) ListTokens

func (am *AuthManager) ListTokens() ([]TokenInfo, error)

ListTokens returns all tokens (without revealing hashes)

func (*AuthManager) Logger

func (am *AuthManager) Logger() zerolog.Logger

Logger returns the auth component logger.

func (*AuthManager) RevokeToken

func (am *AuthManager) RevokeToken(id int64) error

RevokeToken disables a token

func (*AuthManager) RotateToken

func (am *AuthManager) RotateToken(id int64) (string, error)

RotateToken generates a new token value while keeping metadata

func (*AuthManager) UpdateToken

func (am *AuthManager) UpdateToken(id int64, name, description, permissions *string, expiresAt *time.Time) error

UpdateToken updates token metadata

func (*AuthManager) VerifyToken

func (am *AuthManager) VerifyToken(token string) *TokenInfo

VerifyToken verifies a token and returns token info if valid

type CreateMeasurementPermissionRequest

// CreateMeasurementPermissionRequest is the request body for creating
// measurement-level permissions on a role.
type CreateMeasurementPermissionRequest struct {
	MeasurementPattern string   `json:"measurement_pattern"` // pattern the permissions apply to (e.g., "metrics_*")
	Permissions        []string `json:"permissions"`         // permission names granted for matching measurements
}

CreateMeasurementPermissionRequest represents a request to create measurement permissions

type CreateOrganizationRequest

// CreateOrganizationRequest is the request body for creating an organization.
type CreateOrganizationRequest struct {
	Name        string `json:"name"`                  // organization name
	Description string `json:"description,omitempty"` // optional free-text description
}

CreateOrganizationRequest represents a request to create an organization

type CreateRoleRequest

// CreateRoleRequest is the request body for creating a role on a team.
type CreateRoleRequest struct {
	DatabasePattern string   `json:"database_pattern"` // database pattern the role applies to (e.g., "production", "*")
	Permissions     []string `json:"permissions"`      // permission names granted for matching databases
}

CreateRoleRequest represents a request to create a role

type CreateTeamRequest

// CreateTeamRequest is the request body for creating a team in an organization.
type CreateTeamRequest struct {
	Name        string `json:"name"`                  // team name
	Description string `json:"description,omitempty"` // optional free-text description
}

CreateTeamRequest represents a request to create a team

type EffectivePermission

// EffectivePermission is one resolved permission entry for a specific
// resource, as returned by RBACManager.GetEffectivePermissions.
type EffectivePermission struct {
	Database    string   `json:"database"`              // database the permissions apply to
	Measurement string   `json:"measurement,omitempty"` // measurement within the database; empty means database-wide
	Permissions []string `json:"permissions"`           // permission names granted on the resource
	Source      string   `json:"source"`                // "token" (OSS) or "rbac" (Enterprise)
}

EffectivePermission represents resolved permissions for a specific resource

type MeasurementPermission

// MeasurementPermission grants permissions at measurement granularity within
// a role.
type MeasurementPermission struct {
	ID                 int64     `json:"id"`
	RoleID             int64     `json:"role_id"`             // role this entry belongs to
	MeasurementPattern string    `json:"measurement_pattern"` // e.g., "metrics_*", "events_*"
	Permissions        []string  `json:"permissions"`         // permission names granted for matching measurements
	CreatedAt          time.Time `json:"created_at"`
}

MeasurementPermission represents granular permissions at measurement level

type MiddlewareConfig

// MiddlewareConfig configures the authentication middleware built by
// NewMiddleware. DefaultMiddlewareConfig returns the default values.
type MiddlewareConfig struct {
	// AuthManager verifies the tokens extracted from incoming requests.
	AuthManager *AuthManager

	// PublicRoutes lists exact route paths that do not require authentication.
	PublicRoutes []string

	// PublicPrefixes lists route prefixes that do not require authentication.
	PublicPrefixes []string

	// RequiredPermission is the permission a token must hold to reach a
	// protected route; empty means any valid token is accepted.
	RequiredPermission string

	// Skip disables authentication entirely for every route. Intended for
	// development/testing only; it must not be set in production.
	Skip bool
}

MiddlewareConfig holds the configuration for the authentication middleware.

func DefaultMiddlewareConfig

func DefaultMiddlewareConfig() MiddlewareConfig

DefaultMiddlewareConfig returns default middleware config

type Organization

// Organization is the top-level tenant in RBAC; teams belong to an
// organization.
type Organization struct {
	ID          int64     `json:"id"`
	Name        string    `json:"name"`
	Description string    `json:"description,omitempty"`
	CreatedAt   time.Time `json:"created_at"`
	UpdatedAt   time.Time `json:"updated_at"`
	Enabled     bool      `json:"enabled"`         // false disables the organization
	Teams       []Team    `json:"teams,omitempty"` // populated only on request
}

Organization represents a top-level tenant in RBAC

type PermissionCheckRequest

// PermissionCheckRequest describes one permission check for
// RBACManager.CheckPermission / CheckPermissionsBatch.
type PermissionCheckRequest struct {
	TokenInfo   *TokenInfo // token being checked (as returned by AuthManager.VerifyToken)
	Database    string     // database the request targets
	Measurement string     // measurement the request targets; may be empty
	Permission  string     // "read", "write", "delete", "admin"
}

PermissionCheckRequest represents a request to check permissions

type PermissionCheckResult

// PermissionCheckResult is the outcome of a single permission check.
type PermissionCheckResult struct {
	Allowed bool   `json:"allowed"`          // true when the permission is granted
	Source  string `json:"source"`           // "token", "rbac", or "denied"
	Reason  string `json:"reason,omitempty"` // human-readable explanation, typically set when denied
}

PermissionCheckResult represents the result of a permission check

type RBACManager

// RBACManager handles role-based access control operations (organizations,
// teams, roles, measurement permissions and permission checks). Its fields
// are unexported; construct it with NewRBACManager and stop it with Close.
type RBACManager struct {
	// contains filtered or unexported fields
}

RBACManager handles role-based access control operations

func NewRBACManager

func NewRBACManager(cfg *RBACManagerConfig) *RBACManager

NewRBACManager creates a new RBAC manager

func (*RBACManager) AddTokenToTeam

func (rm *RBACManager) AddTokenToTeam(tokenID, teamID int64) (*TokenMembership, error)

AddTokenToTeam adds a token to a team

func (*RBACManager) CheckPermission

func (rm *RBACManager) CheckPermission(req *PermissionCheckRequest) *PermissionCheckResult

CheckPermission checks whether a token has a specific permission for a resource. It uses two-level caching: a permission-result cache and a token RBAC-data cache.

func (*RBACManager) CheckPermissionsBatch

func (rm *RBACManager) CheckPermissionsBatch(reqs []*PermissionCheckRequest) []*PermissionCheckResult

CheckPermissionsBatch checks permissions for multiple resources in a single call. This is more efficient than multiple CheckPermission calls when checking permissions for the same token across multiple tables (e.g., multi-table queries). It loads the token's RBAC data once and checks all permissions against it.

func (*RBACManager) Close

func (rm *RBACManager) Close() error

Close stops the background cleanup goroutine.

func (*RBACManager) CreateMeasurementPermission

func (rm *RBACManager) CreateMeasurementPermission(roleID int64, req *CreateMeasurementPermissionRequest) (*MeasurementPermission, error)

CreateMeasurementPermission creates measurement-level permissions for a role

func (*RBACManager) CreateOrganization

func (rm *RBACManager) CreateOrganization(req *CreateOrganizationRequest) (*Organization, error)

CreateOrganization creates a new organization

func (*RBACManager) CreateRole

func (rm *RBACManager) CreateRole(teamID int64, req *CreateRoleRequest) (*Role, error)

CreateRole creates a new role for a team

func (*RBACManager) CreateTeam

func (rm *RBACManager) CreateTeam(orgID int64, req *CreateTeamRequest) (*Team, error)

CreateTeam creates a new team in an organization

func (*RBACManager) DeleteMeasurementPermission

func (rm *RBACManager) DeleteMeasurementPermission(id int64) error

DeleteMeasurementPermission deletes a measurement permission

func (*RBACManager) DeleteOrganization

func (rm *RBACManager) DeleteOrganization(id int64) error

DeleteOrganization deletes an organization (cascades to teams, roles, etc.)

func (*RBACManager) DeleteRole

func (rm *RBACManager) DeleteRole(id int64) error

DeleteRole deletes a role (cascades to measurement permissions)

func (*RBACManager) DeleteTeam

func (rm *RBACManager) DeleteTeam(id int64) error

DeleteTeam deletes a team (cascades to roles and memberships)

func (*RBACManager) GetCacheStats

func (rm *RBACManager) GetCacheStats() map[string]int64

GetCacheStats returns cache hit/miss statistics

func (*RBACManager) GetEffectivePermissions

func (rm *RBACManager) GetEffectivePermissions(tokenID int64, tokenInfo *TokenInfo) ([]EffectivePermission, error)

GetEffectivePermissions returns all effective permissions for a token

func (*RBACManager) GetOrganization

func (rm *RBACManager) GetOrganization(id int64) (*Organization, error)

GetOrganization retrieves an organization by ID

func (*RBACManager) GetRole

func (rm *RBACManager) GetRole(id int64) (*Role, error)

GetRole retrieves a role by ID

func (*RBACManager) GetTeam

func (rm *RBACManager) GetTeam(id int64) (*Team, error)

GetTeam retrieves a team by ID

func (*RBACManager) GetTokenTeams

func (rm *RBACManager) GetTokenTeams(tokenID int64) ([]Team, error)

GetTokenTeams returns all teams a token belongs to

func (*RBACManager) InvalidateAllCache

func (rm *RBACManager) InvalidateAllCache()

InvalidateAllCache clears all RBAC caches (call after role/permission changes)

func (*RBACManager) InvalidateTokenCache

func (rm *RBACManager) InvalidateTokenCache(tokenID int64)

InvalidateTokenCache clears cached RBAC data for a specific token

func (*RBACManager) IsRBACEnabled

func (rm *RBACManager) IsRBACEnabled() bool

IsRBACEnabled reports whether the RBAC feature is available.

func (*RBACManager) ListMeasurementPermissionsByRole

func (rm *RBACManager) ListMeasurementPermissionsByRole(roleID int64) ([]MeasurementPermission, error)

ListMeasurementPermissionsByRole returns measurement permissions for a role

func (*RBACManager) ListOrganizations

func (rm *RBACManager) ListOrganizations() ([]Organization, error)

ListOrganizations returns all organizations

func (*RBACManager) ListRolesByTeam

func (rm *RBACManager) ListRolesByTeam(teamID int64) ([]Role, error)

ListRolesByTeam returns all roles for a team

func (*RBACManager) ListTeamsByOrganization

func (rm *RBACManager) ListTeamsByOrganization(orgID int64) ([]Team, error)

ListTeamsByOrganization returns all teams in an organization

func (*RBACManager) RemoveTokenFromTeam

func (rm *RBACManager) RemoveTokenFromTeam(tokenID, teamID int64) error

RemoveTokenFromTeam removes a token from a team

func (*RBACManager) UpdateOrganization

func (rm *RBACManager) UpdateOrganization(id int64, req *UpdateOrganizationRequest) error

UpdateOrganization updates an organization

func (*RBACManager) UpdateRole

func (rm *RBACManager) UpdateRole(id int64, req *UpdateRoleRequest) error

UpdateRole updates a role

func (*RBACManager) UpdateTeam

func (rm *RBACManager) UpdateTeam(id int64, req *UpdateTeamRequest) error

UpdateTeam updates a team

type RBACManagerConfig

// RBACManagerConfig holds the dependencies and tuning parameters for
// NewRBACManager.
type RBACManagerConfig struct {
	DB            *sql.DB         // shared database connection (see AuthManager.GetDB)
	LicenseClient *license.Client // license client used to decide whether RBAC is enabled
	Logger        zerolog.Logger
	CacheTTL      time.Duration // TTL for permission cache (default: 30s)
	MaxCacheSize  int           // Max entries per cache (default: 10000)
}

RBACManagerConfig holds configuration for the RBAC manager

type Role

// Role is a set of permissions granted to a team for databases matching a
// pattern, optionally refined per measurement.
type Role struct {
	ID                     int64                   `json:"id"`
	TeamID                 int64                   `json:"team_id"`          // team the role belongs to
	DatabasePattern        string                  `json:"database_pattern"` // e.g., "production", "*", "analytics_*"
	Permissions            []string                `json:"permissions"`      // ["read", "write", "delete"]
	CreatedAt              time.Time               `json:"created_at"`
	MeasurementPermissions []MeasurementPermission `json:"measurement_permissions,omitempty"` // populated only on request
}

Role represents a set of permissions for a database pattern

type Team

// Team is a group within an organization; roles and token memberships are
// attached to a team.
type Team struct {
	ID             int64     `json:"id"`
	OrganizationID int64     `json:"organization_id"` // owning organization
	Name           string    `json:"name"`
	Description    string    `json:"description,omitempty"`
	CreatedAt      time.Time `json:"created_at"`
	UpdatedAt      time.Time `json:"updated_at"`
	Enabled        bool      `json:"enabled"`         // false disables the team
	Roles          []Role    `json:"roles,omitempty"` // populated only on request
}

Team represents a group within an organization

type TokenInfo

// TokenInfo is the token metadata returned by AuthManager.VerifyToken and
// the token listing/lookup methods. It never carries the token value or its
// hash.
type TokenInfo struct {
	ID          int64      `json:"id"`
	Name        string     `json:"name"`
	Description string     `json:"description,omitempty"`
	Permissions []string   `json:"permissions"` // permission names held by the token
	CreatedAt   time.Time  `json:"created_at"`
	// NOTE(review): omitempty has no effect on a time.Time value (it is a
	// struct), so a zero LastUsedAt is still serialized.
	LastUsedAt  time.Time  `json:"last_used_at,omitempty"`
	Enabled     bool       `json:"enabled"`    // false when the token has been revoked
	ExpiresAt   *time.Time `json:"expires_at"` // nil means the token does not expire
}

TokenInfo represents token metadata returned by verify

func GetTokenInfo

func GetTokenInfo(c *fiber.Ctx) *TokenInfo

GetTokenInfo retrieves token info from Fiber context

type TokenMembership

// TokenMembership links a token to a team for RBAC; it is created by
// RBACManager.AddTokenToTeam.
type TokenMembership struct {
	ID        int64     `json:"id"`
	TokenID   int64     `json:"token_id"` // member token
	TeamID    int64     `json:"team_id"`  // team the token belongs to
	CreatedAt time.Time `json:"created_at"`
}

TokenMembership links a token to a team for RBAC

type UpdateOrganizationRequest

// UpdateOrganizationRequest is the request body for updating an
// organization. Pointer fields allow a partial update: nil leaves the field
// unchanged.
type UpdateOrganizationRequest struct {
	Name        *string `json:"name,omitempty"`
	Description *string `json:"description,omitempty"`
	Enabled     *bool   `json:"enabled,omitempty"`
}

UpdateOrganizationRequest represents a request to update an organization

type UpdateRoleRequest

// UpdateRoleRequest is the request body for updating a role. A nil
// DatabasePattern leaves the pattern unchanged; Permissions, when present,
// is the new permission list.
type UpdateRoleRequest struct {
	DatabasePattern *string  `json:"database_pattern,omitempty"`
	Permissions     []string `json:"permissions,omitempty"`
}

UpdateRoleRequest represents a request to update a role

type UpdateTeamRequest

// UpdateTeamRequest is the request body for updating a team. Pointer fields
// allow a partial update: nil leaves the field unchanged.
type UpdateTeamRequest struct {
	Name        *string `json:"name,omitempty"`
	Description *string `json:"description,omitempty"`
	Enabled     *bool   `json:"enabled,omitempty"`
}

UpdateTeamRequest represents a request to update a team
