Documentation
Index ¶
Constants ¶
This section is empty.
Variables ¶
// ErrFailedToExtractJWT is the package's sentinel error for a JWT that could not be extracted.
// It is created with errors.New, so callers can match it with errors.Is.
// NOTE(review): this page does not show which functions return it, or whether it also
// covers verification failures. Confirm before using it to tell the two cases apart.
var ErrFailedToExtractJWT = errors.New("failed to extract JWT")
Functions ¶
This section is empty.
Types ¶
type AuxData ¶
// AuxData is an opaque type: this page shows no exported fields, so code outside the
// package cannot set its contents directly.
// NOTE(review): the page lists NewWithoutVerification under this type; presumably it
// builds an AuxData that skips JWT verification. Confirm where it is called from.
type AuxData struct {
// contains filtered or unexported fields
}
func NewWithoutVerification ¶
type Conf ¶
// Conf is the top-level auxiliary-data configuration. The only section it defines is JWT.
type Conf struct {
// JWT holds the configuration for JWTs used as an auxiliary data source for the engine.
// It is a pointer, so it can be nil when the "jwt" key is not configured.
// NOTE(review): how a nil JWTConf is handled (tokens rejected, ignored or accepted
// unverified) is not shown here. Confirm against the loader.
JWT *JWTConf `yaml:"jwt"`
}
Conf is optional configuration for Auxdata.
type InsecureKeySetOpt ¶ added in v0.31.0
// InsecureKeySetOpt holds per-keyset switches that relax key set validation.
// Both fields are bools, so the zero value keeps both requirements in force.
type InsecureKeySetOpt struct {
// OptionalAlg configures Cerbos to not require the alg field to be set in the key set.
// A key without alg does not itself state which signature algorithm it may be used with.
// NOTE(review): confirm how the algorithm is chosen for such keys, and whether the
// token header alone decides it.
OptionalAlg bool `yaml:"optionalAlg" conf:",example=false"`
// OptionalKid configures Cerbos to not require the kid field to be set in the key set.
// A key without kid cannot be selected by key ID.
// NOTE(review): confirm how tokens are matched to keys in that case.
OptionalKid bool `yaml:"optionalKid" conf:",example=false"`
}
type JWTConf ¶
// JWTConf configures how JWTs supplied as auxiliary data are verified and cached.
type JWTConf struct {
// KeySets is the list of keysets to be used to verify tokens.
// NOTE(review): behaviour with an empty list while verification is enabled is not
// shown on this page. Confirm that it fails closed.
KeySets []JWTKeySet `yaml:"keySets"`
// DisableVerification disables JWT verification.
// With verification off, token contents are not authenticated by this package, so any
// policy decision that reads them depends on whatever sits in front of this service.
// The documented example value is false.
DisableVerification bool `yaml:"disableVerification" conf:",example=false"`
// CacheSize sets the number of verified tokens cached in memory. Set to negative value to disable caching.
// NOTE(review): the effect of leaving this at 0 is not stated here (the example is 256),
// and neither is how cached entries relate to a token's exp claim. Confirm both.
CacheSize int `yaml:"cacheSize" conf:",example=256"`
// AcceptableTimeSkew sets the acceptable skew when checking exp and nbf claims.
// A larger value widens the window in which a token past exp, or not yet at nbf, is
// still accepted, so keep it close to the real clock drift (the example is 2s).
AcceptableTimeSkew time.Duration `yaml:"acceptableTimeSkew" conf:",example=2s"`
}
type JWTKeySet ¶
// JWTKeySet describes one source of verification keys, either remote or local.
// NOTE(review): the struct itself does not enforce the Remote/Local exclusivity described
// below. Confirm that validation rejects entries with both or neither set.
type JWTKeySet struct {
// Remote defines a remote keyset. Mutually exclusive with Local.
Remote *RemoteSource `yaml:"remote"`
// Local defines a local keyset. Mutually exclusive with Remote.
Local *LocalSource `yaml:"local"`
// ID is the unique reference to this keyset.
// The conf tag marks it as required.
ID string `yaml:"id" conf:"required,example=ks1"`
// Insecure options for relaxing security. Not recommended for production use. Use with caution.
// The zero value leaves every relaxation off, so omitting the "insecure" section keeps
// the alg and kid requirements on the key set.
Insecure InsecureKeySetOpt `yaml:"insecure"`
}
type LocalSource ¶
// LocalSource supplies key material either inline (Data) or from the filesystem (File).
// NOTE(review): if the key set holds symmetric or private keys, the configuration file or
// the referenced key file is itself secret material. Confirm that access to it is
// restricted accordingly.
type LocalSource struct {
// Data is the encoded JWK data for this keyset. Mutually exclusive with File.
// The example value suggests base64 encoding. Confirm the expected encoding.
Data string `yaml:"data" conf:",example=base64encodedJWK"`
// File is the path to file containing JWK data. Mutually exclusive with Data.
File string `yaml:"file" conf:",example=/path/to/keys.jwk"`
// PEM indicates that the data is PEM encoded.
// NOTE(review): presumably applies to both Data and File. Confirm.
PEM bool `yaml:"pem" conf:",example=true"`
}
type RemoteSource ¶