auth

package

v0.6.35 Latest Latest Go to latest Published: May 20, 2026 License: Apache-2.0 Imports: 27 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/dployr-io/dployr

Links

Open Source Insights

Documentation ¶

Overview ¶

Package auth implements authentication primitives and middleware for the daemon's HTTP API. It defines core token validation, claims, and user role handling, with middleware supporting authentication and permission checks for protected endpoints. Concrete authentication logic and helpers are provided within this package.

Index ¶

Variables
func BuildPinnedTLSConfig(clientCert tls.Certificate, wsCertPath string, embeddedCACert string) (*tls.Config, error)
func CertToPEM(cert tls.Certificate) (string, error)
func ComputeAuthHealth(ctx context.Context, instStore store.InstanceStore) (health string, debug *system.AuthDebug)
func ComputeCertFingerprint(cert tls.Certificate) (string, error)
func DefaultClientCertPaths() (certPath, keyPath string)
func EnsureClientCertificate(instanceID string) (tls.Certificate, error)
func FetchNodeToken(ctx context.Context, baseURL, bootstrapToken string) (string, error)
func GetCurrentUserSystemRole() (store.Role, error)
func GetUserSystemRole(username string) (store.Role, error)
func IsPermitted(actual, required string) bool
func ObtainNodeTokenWithBackoff(ctx context.Context, baseURL, bootstrapToken string, ...) (string, error)
func PublishClientCertificate(ctx context.Context, baseURL, instanceID, nodeToken string, ...) error
type Authenticator
type Claims
type HTTPError
- func (e *HTTPError) Error() string
type Middleware
- func NewMiddleware(auth Authenticator) *Middleware
- func (m *Middleware) Auth(next http.Handler) http.Handler
- func (m *Middleware) RequireRole(required string) func(http.Handler) http.Handler
- func (m *Middleware) Trace(next http.Handler) http.Handler
type Role

Constants ¶

This section is empty.

Variables ¶

View Source

var SystemGroupToRole = map[string]store.Role{
	"dployr-owner":  store.RoleOwner,
	"dployr-admin":  store.RoleAdmin,
	"dployr-dev":    store.RoleDeveloper,
	"dployr-viewer": store.RoleViewer,
}

SystemGroupToRole maps Unix group names to dployr roles.

Functions ¶

func BuildPinnedTLSConfig ¶ added in v0.5.9

func BuildPinnedTLSConfig(clientCert tls.Certificate, wsCertPath string, embeddedCACert string) (*tls.Config, error)

func CertToPEM ¶ added in v0.5.9

func CertToPEM(cert tls.Certificate) (string, error)

func ComputeAuthHealth ¶ added in v0.5.9

func ComputeAuthHealth(ctx context.Context, instStore store.InstanceStore) (health string, debug *system.AuthDebug)

func ComputeCertFingerprint ¶ added in v0.5.9

func ComputeCertFingerprint(cert tls.Certificate) (string, error)

func DefaultClientCertPaths ¶ added in v0.5.9

func DefaultClientCertPaths() (certPath, keyPath string)

func EnsureClientCertificate ¶ added in v0.5.9

func EnsureClientCertificate(instanceID string) (tls.Certificate, error)

func FetchNodeToken ¶ added in v0.6.0

func FetchNodeToken(ctx context.Context, baseURL, bootstrapToken string) (string, error)

func GetCurrentUserSystemRole ¶

func GetCurrentUserSystemRole() (store.Role, error)

GetCurrentUserSystemRole returns the current process user's highest dployr role.

func GetUserSystemRole ¶

func GetUserSystemRole(username string) (store.Role, error)

GetUserSystemRole returns the highest dployr role for username derived from Unix group membership. Defaults to RoleViewer if no dployr group is found.

func IsPermitted ¶

func IsPermitted(actual, required string) bool

IsPermitted is a public wrapper for checking role permissions.

func ObtainNodeTokenWithBackoff ¶ added in v0.6.0

func ObtainNodeTokenWithBackoff(ctx context.Context, baseURL, bootstrapToken string, backoffDuration *time.Duration, logger *shared.Logger) (string, error)

func PublishClientCertificate ¶ added in v0.5.9

func PublishClientCertificate(ctx context.Context, baseURL, instanceID, nodeToken string, cert tls.Certificate) error

Types ¶

type Authenticator ¶

type Authenticator interface {
	ValidateToken(ctx context.Context, inputToken string) (*Claims, error)
}

type Claims ¶

type Claims struct {
	Subject    string   `json:"sub,omitempty"`
	InstanceID string   `json:"instance_id,omitempty"`
	Perm       string   `json:"perm,omitempty"` // one of: viewer, developer, admin, owner
	Scopes     []string `json:"scopes,omitempty"`
	ExpiresAt  int64    `json:"exp"`
	IssuedAt   int64    `json:"iat"`
	jwt.RegisteredClaims
}

Claims represents the token structure used across the system

type HTTPError ¶ added in v0.5.9

type HTTPError struct {
	StatusCode int
	Msg        string
}

func (*HTTPError) Error ¶ added in v0.5.9

func (e *HTTPError) Error() string

type Middleware ¶

type Middleware struct {
	// contains filtered or unexported fields
}

func NewMiddleware ¶

func NewMiddleware(auth Authenticator) *Middleware

func (*Middleware) Auth ¶

func (m *Middleware) Auth(next http.Handler) http.Handler

func (*Middleware) RequireRole ¶

func (m *Middleware) RequireRole(required string) func(http.Handler) http.Handler

func (*Middleware) Trace ¶

func (m *Middleware) Trace(next http.Handler) http.Handler

type Role ¶

type Role string

const (
	RoleViewer    Role = "viewer"
	RoleDeveloper Role = "developer"
	RoleAdmin     Role = "admin"
	RoleOwner     Role = "owner"
	RoleNode      Role = "node" // M2M role for daemon-to-base communication
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL