Documentation
¶
Index ¶
- Constants
- Variables
- func InboundRequestBinding(req *integration.InboundRequest) map[string]any
- func ValidateInboundAuth(registry *InboundRegistry, cfg *integration.InboundAuthConfig) error
- func ValidateOutboundAuth(cfg *integration.OutboundAuthConfig) error
- type InboundRegistry
- type OutboundAuthError
- type OutboundRegistry
Constants ¶
const ( InboundSchemeNone = "none" InboundSchemeIP = "ip" InboundSchemeHTTPBasic = "http_basic" InboundSchemeBearer = "bearer" InboundSchemeHeader = "header" InboundSchemeQuery = "query" InboundSchemeSignature = "signature" InboundSchemeScript = "script" )
Built-in inbound scheme names. They mirror the outbound vocabulary — the same name verifies the wire format its outbound counterpart sends; ip is inbound-only because a source address is only verifiable on receive.
const ( OutboundSchemeNone = "none" OutboundSchemeHTTPBasic = "http_basic" OutboundSchemeBearer = "bearer" OutboundSchemeHeader = "header" OutboundSchemeQuery = "query" OutboundSchemeSignature = "signature" OutboundSchemeScript = "script" )
Built-in outbound scheme names. They mirror the inbound vocabulary — the same name authenticates the same wire format in the opposite direction; ip stays inbound-only because a source address is only verifiable on receive.
Variables ¶
var ErrMissingParam = errors.New("integration auth: missing parameter")
ErrMissingParam indicates a required auth parameter is absent or empty.
var ErrSigningScriptReturn = errors.New("integration auth: signing script must return a header object")
ErrSigningScriptReturn rejects a signing script whose return value is not a header object.
var ErrVerificationFailed = errors.New("integration inbound auth: verification failed")
ErrVerificationFailed is the uniform inbound credential rejection. Schemes return it (or wrap it) for every mismatch so callers cannot probe which part of a credential was wrong; configuration faults use ErrMissingParam instead and classify as config, not auth.
Functions ¶
func InboundRequestBinding ¶
func InboundRequestBinding(req *integration.InboundRequest) map[string]any
InboundRequestBinding is the read-only view of the request exposed to verification and adapter scripts.
func ValidateInboundAuth ¶
func ValidateInboundAuth(registry *InboundRegistry, cfg *integration.InboundAuthConfig) error
ValidateInboundAuth rejects an inbound auth config referencing an unknown scheme, a script scheme without a compilable verification body, or a verification body on a scheme that will never run one. Params must already be in their submitted form — the check runs before encryption.
func ValidateOutboundAuth ¶
func ValidateOutboundAuth(cfg *integration.OutboundAuthConfig) error
ValidateOutboundAuth rejects a signing body on an outbound scheme that will never run one, mirroring the inbound structural check. Scheme existence and parameter validation stay in definition.ValidateSystem, which exercises the scheme's Apply against the decrypted config.
Types ¶
type InboundRegistry ¶
type InboundRegistry struct {
// contains filtered or unexported fields
}
InboundRegistry resolves inbound auth schemes by name: the built-in schemes overlaid by application-provided ones (group "vef:integration:inbound_auth_schemes"). An application scheme whose name matches a built-in replaces it.
func NewInboundRegistry ¶
func NewInboundRegistry(engine *js.Engine, cfg *config.IntegrationConfig, nonceStore security.NonceStore, appSchemes []integration.InboundAuthScheme) *InboundRegistry
NewInboundRegistry builds the registry from the built-in schemes and the application-provided overlays. The engine powers the built-in script scheme's verification runtimes.
func (*InboundRegistry) Get ¶
func (r *InboundRegistry) Get(name string) (integration.InboundAuthScheme, bool)
Get returns the scheme registered under name.
func (*InboundRegistry) Resolve ¶
func (r *InboundRegistry) Resolve(cfg *integration.InboundAuthConfig) (integration.InboundAuthScheme, bool)
Resolve returns the scheme for cfg. Unlike the outbound registry there is no implicit default: inbound delivery is fail-closed, so a nil config or a blank scheme name resolves to nothing and the caller denies.
type OutboundAuthError ¶
type OutboundAuthError struct {
// contains filtered or unexported fields
}
OutboundAuthError marks a failure inside an outbound auth scheme's request hook (signing script, signature computation). The invoker classifies it as a configuration fault — the system's auth definition is broken — rather than a transport failure of the upstream.
func (*OutboundAuthError) Error ¶
func (e *OutboundAuthError) Error() string
func (*OutboundAuthError) Unwrap ¶
func (e *OutboundAuthError) Unwrap() error
type OutboundRegistry ¶
type OutboundRegistry struct {
// contains filtered or unexported fields
}
OutboundRegistry resolves auth schemes by name: the built-in schemes overlaid by application-provided ones (group "vef:integration:outbound_auth_schemes"). An application scheme whose name matches a built-in replaces it.
func NewOutboundRegistry ¶
func NewOutboundRegistry(engine *js.Engine, cfg *config.IntegrationConfig, appSchemes []integration.OutboundAuthScheme) *OutboundRegistry
NewOutboundRegistry builds the registry from the built-in schemes and the application-provided overlays. The engine powers the script scheme's signing runtimes.
func (*OutboundRegistry) Get ¶
func (r *OutboundRegistry) Get(name string) (integration.OutboundAuthScheme, bool)
Get returns the scheme registered under name.
func (*OutboundRegistry) Resolve ¶
func (r *OutboundRegistry) Resolve(cfg *integration.OutboundAuthConfig) (integration.OutboundAuthScheme, bool)
Resolve returns the scheme for cfg: the none scheme for a nil config, else the scheme cfg names. An unknown name reports ok=false.