Documentation
Index
Constants
const JWTAudience = "artifact-cas.chainloop"
Variables
var SigningMethod = jwt.SigningMethodES512
Functions
This section is empty.
Types
type Builder
type Builder struct {
	// contains filtered or unexported fields
}
func NewBuilder
func (*Builder) GenerateJWT
func (ra *Builder) GenerateJWT(backendType, secretID, audience string, role Role, maxBytes int64, orgID string) (string, error)
GenerateJWT mints a CAS token. All fields are required, including orgID — managed providers (e.g. AWS-S3-ACCESS-POINT) need it to scope per-tenant STS sessions and other providers still record it for audit. The token always carries the CAS audience and a short expiry window.
type Claims
type Claims struct {
	jwt.RegisteredClaims
	Role           Role   `json:"role"`      // either downloader or uploader
	StoredSecretID string `json:"secret-id"` // path to the OCI secret in the vault
	BackendType    string `json:"backend"`   // backend to use, i.e. OCI
	MaxBytes       int64  `json:"maxbytes"`  // max bytes to upload
	// OrgID identifies the authenticated org this token was minted for.
	// Managed providers (e.g. AWS-S3-ACCESS-POINT) require it to scope
	// per-tenant STS sessions; the non-managed providers ignore it but
	// it is still carried for audit traceability.
	OrgID string `json:"org-id"`
}
func InfoFromAuth (added in v1.98.0)
InfoFromAuth extracts the JWT claims from the context. Note that JWT verification has already happened in the middleware.
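An added example, not code from this package: one way a CAS-side handler could re-check the invariants documented for GenerateJWT (CAS audience, short expiry, all fields present) on a payload whose signature the middleware has already verified. It uses only the standard library; `casClaims`, `checkCASClaims`, `maxTTL`, the role strings, the array form of `aud` and the uploader byte-limit rule are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

const casAudience = "artifact-cas.chainloop" // value of JWTAudience on this page

// casClaims mirrors the JSON tags of the Claims struct documented above.
type casClaims struct {
	Aud      []string `json:"aud"` // assumption: audience serialized as an array
	Exp      int64    `json:"exp"`
	Role     string   `json:"role"`
	SecretID string   `json:"secret-id"`
	Backend  string   `json:"backend"`
	MaxBytes int64    `json:"maxbytes"`
	OrgID    string   `json:"org-id"`
}

// checkCASClaims validates an already signature-verified payload; maxTTL is a hypothetical policy knob.
func checkCASClaims(payload []byte, now time.Time, maxTTL time.Duration) (*casClaims, error) {
	var c casClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	switch {
	case len(c.Aud) != 1 || c.Aud[0] != casAudience:
		return nil, errors.New("token not minted for the CAS audience")
	case c.Exp <= now.Unix():
		return nil, errors.New("token expired or missing exp")
	case c.Exp > now.Add(maxTTL).Unix():
		return nil, errors.New("expiry window longer than policy allows")
	case c.Role != "downloader" && c.Role != "uploader": // assumed string values of Role
		return nil, errors.New("unknown role")
	case c.SecretID == "" || c.Backend == "" || c.OrgID == "":
		return nil, errors.New("missing required claim")
	case c.Role == "uploader" && c.MaxBytes <= 0: // assumed rule: uploads need a limit
		return nil, errors.New("uploader token without a byte limit")
	}
	return &c, nil
}

func main() {
	p := []byte(`{"aud":["artifact-cas.chainloop"],"exp":1700000060,"role":"uploader","secret-id":"constructed/secret","backend":"OCI","maxbytes":1048576,"org-id":"constructed-org"}`) // constructed sample, not a real token
	c, err := checkCASClaims(p, time.Unix(1700000000, 0), 5*time.Minute)
	fmt.Println(c, err)
}
```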