// Role names assigned by the identity providers. Each authentication
// method has its own generic role, used when a caller authenticates but
// no explicit entry in the configured role maps matches it.
const (
	// GuestRoleName is the role given to an unauthenticated caller.
	GuestRoleName = "guest"
	// TLSUserRoleName is the generic role for a caller authenticated by client TLS.
	TLSUserRoleName = "tls_user"
	// JWTUserRoleName is the generic role for a caller authenticated by a JWT.
	JWTUserRoleName = "jwt_user"
	// DPoPUserRoleName is the generic role for a caller authenticated by a DPoP-bound token.
	DPoPUserRoleName = "dpop_user"
	// AWSUserRoleName is the generic role for a caller authenticated via AWS.
	AWSUserRoleName = "aws_user"
)

// Default JWT claim names consulted when JWTIdentityMap leaves the
// corresponding *_claim setting empty.
const (
	// DefaultSubjectClaim is the claim used as the identity subject.
	DefaultSubjectClaim = "sub"
	// DefaultRoleClaim is the claim matched against the role map.
	// NOTE(review): `email` is only a safe role key when the issuer guarantees it
	// is verified; prefer `sub` unless the token source is trusted for email.
	DefaultRoleClaim = "email"
	// DefaultTenantClaim is the claim used for tenant mapping.
	DefaultTenantClaim = "tenant"
)
type AWSIdentityMap ¶ added in v0.17.0
// AWSIdentityMap configures how an AWS caller identity is mapped to a role.
type AWSIdentityMap struct {
	// DefaultAuthenticatedRole specifies role name for identity, if not found in maps
	DefaultAuthenticatedRole string `json:"default_authenticated_role" yaml:"default_authenticated_role"`
	// Enabled turns the AWS identity provider on; when false, AWS identities are not mapped.
	Enabled bool `json:"enabled" yaml:"enabled"`
	// Roles is a map of role name to the list of AWS identities that receive it.
	// NOTE(review): which identity attribute is matched (Account, Arn or UserId) is not
	// visible here — confirm in the provider. If Arn is matched, note that an assumed-role
	// ARN ends in a caller-chosen session name, so entries should not rely on it.
	Roles map[string][]string `json:"roles" yaml:"roles"`
	// AllowedAccounts is a list of allowed AWS accounts,
	// if empty, all accounts are allowed.
	// NOTE(review): the empty default is permissive (any AWS account authenticates);
	// production configurations should pin the expected account IDs.
	AllowedAccounts []string `json:"allowed_accounts" yaml:"allowed_accounts"`
}
AWSIdentityMap provides the role mapping for callers authenticated with AWS credentials.
type CallerIdentity ¶ added in v0.17.0
// CallerIdentity mirrors the JSON body of an STS GetCallerIdentity response.
// The field names and json tags follow the STS wire format, which is why
// the nested structs are anonymous.
type CallerIdentity struct {
	GetCallerIdentityResponse struct {
		GetCallerIdentityResult struct {
			// Account is the 12-digit AWS account ID of the caller.
			Account string `json:"Account"`
			// Arn is the caller's ARN; for assumed roles it includes the session name,
			// which is chosen by the caller and should not be trusted as an identity.
			Arn string `json:"Arn"`
			// UserID is the unique identifier STS reports for the caller.
			UserID string `json:"UserId"`
		} `json:"GetCallerIdentityResult"`
		ResponseMetadata struct {
			RequestID string `json:"RequestId"`
		} `json:"ResponseMetadata"`
	} `json:"GetCallerIdentityResponse"`
	// Expires is excluded from JSON (`json:"-"`), so it is never read from the STS
	// response; it is set locally. NOTE(review): presumably the cache expiry of this
	// entry — confirm against the provider that populates it.
	Expires time.Time `json:"-"`
}
CallerIdentity represents the identity of the caller as returned by AWS STS. Response documentation: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
type GenericIdentityMap ¶ added in v0.17.0
// GenericIdentityMap is the role mapping shared by providers that key on a plain
// identity string; in IdentityMap it is used for TLS client identities.
type GenericIdentityMap struct {
	// DefaultAuthenticatedRole specifies role name for identity, if not found in maps
	DefaultAuthenticatedRole string `json:"default_authenticated_role" yaml:"default_authenticated_role"`
	// Enabled turns the provider on; when false, identities of this kind are not mapped.
	Enabled bool `json:"enabled" yaml:"enabled"`
	// Roles is a map of role name to the list of identities that receive it.
	// NOTE(review): for TLS, which certificate attribute is compared (subject CN, SAN)
	// is not visible here — confirm in the provider before relying on it.
	Roles map[string][]string `json:"roles" yaml:"roles"`
}
GenericIdentityMap provides roles mapping
type IdentityMap ¶
// IdentityMap is the top-level role-mapping configuration consumed by New,
// one sub-map per authentication method.
type IdentityMap struct {
	// DebugLogs enables extra debug logging in the providers.
	DebugLogs bool `json:"debug_logs" yaml:"debug_logs"`
	// Strict mode returns error if any Auth method fails;
	// without strict mode, it will try all methods and return the first identity found.
	// NOTE(review): the non-strict fallback is not visible here — presumably a request
	// carrying an invalid credential degrades to the guest role instead of being
	// rejected (fail-open). Confirm, and prefer strict=true where that matters.
	Strict bool `json:"strict" yaml:"strict"`
	// TLS identity map
	TLS GenericIdentityMap `json:"tls" yaml:"tls"`
	// JWT identity map
	JWT JWTIdentityMap `json:"jwt" yaml:"jwt"`
	// DPoP identity map; note the config key is `jwt_dpop`, not `dpop`.
	DPoP JWTIdentityMap `json:"jwt_dpop" yaml:"jwt_dpop"`
	// AWS identity map
	AWS AWSIdentityMap `json:"aws" yaml:"aws"`
}
IdentityMap contains the role-mapping configuration for every supported authentication method (TLS, JWT, DPoP and AWS).
type IdentityProvider ¶
// IdentityProvider extracts a caller identity from an incoming HTTP request
// or from a context. Callers are expected to consult Applicable* first and
// only then ask for the identity.
type IdentityProvider interface {
	// ApplicableForRequest returns true if the provider is applicable for the request
	ApplicableForRequest(*http.Request) bool
	// IdentityFromRequest returns identity from the request, or an error if the
	// credentials it carries cannot be validated.
	IdentityFromRequest(*http.Request) (identity.Identity, error)
	// ApplicableForContext returns true if the provider is applicable for the context
	ApplicableForContext(ctx context.Context) bool
	// IdentityFromContext returns identity from the context.
	// NOTE(review): the role of `uri` is not visible here — presumably the request
	// target needed for DPoP proof (htu) validation; confirm in the implementation.
	IdentityFromContext(ctx context.Context, uri string) (identity.Identity, error)
}
IdentityProvider is the interface used to extract a caller identity from HTTP requests and contexts.
func New ¶
// New returns an IdentityProvider built from config. The jwt parser is the
// component that validates bearer tokens; its configuration (keys, allowed
// algorithms) is outside this package and must be reviewed separately.
func New(config *IdentityMap, jwt jwt.Parser) (IdentityProvider, error)
New returns an IdentityProvider instance built from the given configuration and JWT parser.
type JWTIdentityMap ¶
// JWTIdentityMap configures validation of JWT (and DPoP-bound) tokens and how
// their claims are mapped to a subject, tenant and role.
type JWTIdentityMap struct {
	// DefaultAuthenticatedRole specifies role name for identity, if not found in maps
	DefaultAuthenticatedRole string `json:"default_authenticated_role" yaml:"default_authenticated_role"`
	// Enabled turns JWT identity mapping on; when false, JWT credentials are not considered.
	Enabled bool `json:"enabled" yaml:"enabled"`
	// Issuer specifies the token issuer to check for.
	// NOTE(review): whether an empty Issuer skips the check or rejects all tokens is
	// not visible here — always set it so tokens from other issuers are refused.
	Issuer string `json:"issuer" yaml:"issuer"`
	// Audience specifies the token audience to check for.
	// NOTE(review): same caveat as Issuer; a token minted for another service must
	// not be accepted here, so set Audience explicitly.
	Audience string `json:"audience" yaml:"audience"`
	// SubjectClaim specifies claim name to be used as Subject,
	// by default it's `sub`, but can be changed to `email` etc
	SubjectClaim string `json:"subject_claim" yaml:"subject_claim"`
	// RoleClaim specifies claim name to be used for role mapping,
	// by default it's `email`, but can be changed to `sub` etc.
	// NOTE(review): an `email` claim is only a safe role key when the issuer
	// guarantees it is verified; no email_verified check is visible in this package.
	RoleClaim string `json:"role_claim" yaml:"role_claim"`
	// TenantClaim specifies claim name to be used for tenant mapping,
	// by default it's `tenant`, but can be changed to `org` etc
	TenantClaim string `json:"tenant_claim" yaml:"tenant_claim"`
	// Roles is a map of role name to the list of RoleClaim values that receive it.
	Roles map[string][]string `json:"roles" yaml:"roles"`
}
JWTIdentityMap provides roles for JWT