auth

package

v0.5.9 Latest Latest Go to latest Published: Jan 17, 2026 License: Apache-2.0 Imports: 28 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/dployr-io/dployr

Links

Open Source Insights

Documentation ¶

Overview ¶

Package auth implements authentication primitives and middleware for the daemon's HTTP API. It defines core token validation, claims, and user role handling, with middleware supporting authentication and permission checks for protected endpoints. Concrete authentication logic and helpers are provided within this package.

Index ¶

Variables
func BuildPinnedTLSConfig(clientCert tls.Certificate, wsCertPath string, embeddedCACert string) (*tls.Config, error)
func CertToPEM(cert tls.Certificate) (string, error)
func ComputeAuthHealth(ctx context.Context, instStore store.InstanceStore) (health string, debug *system.AuthDebug)
func ComputeCertFingerprint(cert tls.Certificate) (string, error)
func DefaultClientCertPaths() (certPath, keyPath string)
func EnsureClientCertificate(instanceID string) (tls.Certificate, error)
func FetchAgentToken(ctx context.Context, baseURL, bootstrapToken string) (string, error)
func GetCurrentUserSystemRole() (store.Role, error)
func GetUserSystemRole(username string) (store.Role, error)
func IsPermitted(actual, required string) bool
func ObtainAgentTokenWithBackoff(ctx context.Context, baseURL, bootstrapToken string, ...) (string, error)
func PublishClientCertificate(ctx context.Context, baseURL, instanceID, agentToken string, ...) error
type Authenticator
type Claims
type HTTPError
- func (e *HTTPError) Error() string
type Middleware
- func NewMiddleware(auth Authenticator) *Middleware
- func (m *Middleware) Auth(next http.Handler) http.Handler
- func (m *Middleware) RequireRole(required string) func(http.Handler) http.Handler
- func (m *Middleware) Trace(next http.Handler) http.Handler
type Role

Constants ¶

This section is empty.

Variables ¶

View Source

var SystemGroupToRole = map[string]store.Role{
	"dployr-owner":  store.RoleOwner,
	"dployr-admin":  store.RoleAdmin,
	"dployr-dev":    store.RoleDeveloper,
	"dployr-viewer": store.RoleViewer,
}

System group to role mapping

Functions ¶

func BuildPinnedTLSConfig ¶ added in v0.5.9

func BuildPinnedTLSConfig(clientCert tls.Certificate, wsCertPath string, embeddedCACert string) (*tls.Config, error)

func CertToPEM ¶ added in v0.5.9

func CertToPEM(cert tls.Certificate) (string, error)

func ComputeAuthHealth ¶ added in v0.5.9

func ComputeAuthHealth(ctx context.Context, instStore store.InstanceStore) (health string, debug *system.AuthDebug)

func ComputeCertFingerprint ¶ added in v0.5.9

func ComputeCertFingerprint(cert tls.Certificate) (string, error)

func DefaultClientCertPaths ¶ added in v0.5.9

func DefaultClientCertPaths() (certPath, keyPath string)

func EnsureClientCertificate ¶ added in v0.5.9

func EnsureClientCertificate(instanceID string) (tls.Certificate, error)

func FetchAgentToken ¶ added in v0.5.9

func FetchAgentToken(ctx context.Context, baseURL, bootstrapToken string) (string, error)

func GetCurrentUserSystemRole ¶

func GetCurrentUserSystemRole() (store.Role, error)

GetCurrentUserSystemRole returns the current user's highest system role

Example: dployr-admin returns store.RoleAdmin

func GetUserSystemRole ¶

func GetUserSystemRole(username string) (store.Role, error)

GetUserSystemRole returns the highest system role for a specific user

func IsPermitted ¶

func IsPermitted(actual, required string) bool

IsPermitted is a public wrapper for checking role permissions.

func ObtainAgentTokenWithBackoff ¶ added in v0.5.9

func ObtainAgentTokenWithBackoff(ctx context.Context, baseURL, bootstrapToken string, backoffDuration *time.Duration) (string, error)

func PublishClientCertificate ¶ added in v0.5.9

func PublishClientCertificate(ctx context.Context, baseURL, instanceID, agentToken string, cert tls.Certificate) error

Types ¶

type Authenticator ¶

type Authenticator interface {
	ValidateToken(ctx context.Context, inputToken string) (*Claims, error)
}

type Claims ¶

type Claims struct {
	Subject    string   `json:"sub,omitempty"`
	InstanceID string   `json:"instance_id,omitempty"`
	Perm       string   `json:"perm,omitempty"` // one of: viewer, developer, admin, owner
	Scopes     []string `json:"scopes,omitempty"`
	ExpiresAt  int64    `json:"exp"`
	IssuedAt   int64    `json:"iat"`
	jwt.RegisteredClaims
}

Claims represents the token structure used across the system

type HTTPError ¶ added in v0.5.9

type HTTPError struct {
	StatusCode int
	Msg        string
}

func (*HTTPError) Error ¶ added in v0.5.9

func (e *HTTPError) Error() string

type Middleware ¶

type Middleware struct {
	// contains filtered or unexported fields
}

func NewMiddleware ¶

func NewMiddleware(auth Authenticator) *Middleware

func (*Middleware) Auth ¶

func (m *Middleware) Auth(next http.Handler) http.Handler

func (*Middleware) RequireRole ¶

func (m *Middleware) RequireRole(required string) func(http.Handler) http.Handler

func (*Middleware) Trace ¶

func (m *Middleware) Trace(next http.Handler) http.Handler

type Role ¶

type Role string

const (
	RoleViewer    Role = "viewer"
	RoleDeveloper Role = "developer"
	RoleAdmin     Role = "admin"
	RoleOwner     Role = "owner"
	RoleAgent     Role = "agent" // M2M role for daemon-to-base communication
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL