robotaccount

package

v1.100.4 Latest Latest Go to latest Published: Jun 11, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/chainloop-dev/chainloop

Documentation ¶

Index ¶

Constants
Variables
type Builder
- func NewBuilder(opts ...NewOpt) (*Builder, error)
- func (ra *Builder) GenerateJWT(backendType, secretID, audience string, role Role, maxBytes int64, ...) (string, error)
type Claims
- func InfoFromAuth(ctx context.Context) (*Claims, error)
- func (c *Claims) CheckRole(r Role) error
- func (c *Claims) Valid() error
type GenerateOpt
- func WithSourceInternal() GenerateOpt
type NewOpt
type Role

Constants ¶

View Source

const JWTAudience = "artifact-cas.chainloop"

Variables ¶

View Source

var SigningMethod = jwt.SigningMethodES512

Functions ¶

This section is empty.

Types ¶

type Builder ¶

type Builder struct {
	// contains filtered or unexported fields
}

func NewBuilder ¶

func NewBuilder(opts ...NewOpt) (*Builder, error)

func (*Builder) GenerateJWT ¶

func (ra *Builder) GenerateJWT(backendType, secretID, audience string, role Role, maxBytes int64, orgID string, opts ...GenerateOpt) (string, error)

GenerateJWT mints a CAS token. All fields are required, including orgID — managed providers (e.g. AWS-S3-ACCESS-POINT) need it to scope per-tenant STS sessions and other providers still record it for audit. The token always carries the CAS audience and a short expiry window.

type Claims ¶

type Claims struct {
	jwt.RegisteredClaims
	Role           Role   `json:"role"`      // either downloader or uploader
	StoredSecretID string `json:"secret-id"` // path to the OCI secret in the vault
	BackendType    string `json:"backend"`   // backend to use, i.e OCI
	MaxBytes       int64  `json:"maxbytes"`  // max bytes to upload
	// OrgID identifies the authenticated org this token was minted for.
	// Managed providers (e.g. AWS-S3-ACCESS-POINT) require it to scope
	// per-tenant STS sessions; the non-managed providers ignore it but
	// it is still carried for audit traceability.
	OrgID string `json:"org-id"`
	// SourceInternal is true when the token was minted for the control plane's
	// own CAS client (e.g. attestation storage, policy material reads).
	// The CAS skips audit event emission for this traffic so it doesn't
	// pollute per-org usage numbers. The zero value (false) means client traffic.
	SourceInternal bool `json:"source-internal,omitempty"`
}

func InfoFromAuth ¶ added in v1.98.0

func InfoFromAuth(ctx context.Context) (*Claims, error)

InfoFromAuth extracts the JWT claims from the context, note that the JWT verification has happened in the middleware

func (*Claims) CheckRole ¶

func (c *Claims) CheckRole(r Role) error

func (*Claims) Valid ¶

func (c *Claims) Valid() error

Additional validation checks

type GenerateOpt ¶ added in v1.100.4

type GenerateOpt func(c *Claims)

GenerateOpt tweaks optional claims of the minted token

func WithSourceInternal ¶ added in v1.100.4

func WithSourceInternal() GenerateOpt

WithSourceInternal flags the token as minted for the control plane's own CAS client, so the CAS can tell internal traffic apart from client traffic

type NewOpt ¶

type NewOpt func(b *Builder) error

func WithExpiration ¶

func WithExpiration(d time.Duration) NewOpt

func WithIssuer ¶

func WithIssuer(issuer string) NewOpt

func WithPrivateKey ¶

func WithPrivateKey(path string) NewOpt

type Role ¶

type Role string

const (
	Downloader Role = "downloader"
	Uploader   Role = "uploader"
)

Source Files ¶

View all Source files

robotaccount.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL