middleware

package
v1.0.0-rc1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 27, 2025 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddEventMetadataToCtx added in v0.7.0 

func AddEventMetadataToCtx(next http.Handler) http.Handler

func CreateRouteExistsMiddleware added in v0.6.0 

func CreateRouteExistsMiddleware(router chi.Router) func(http.Handler) http.Handler

func ExtractOrgIDToCtx 

func ExtractOrgIDToCtx(extractor OrgIDExtractor, logger logrus.FieldLogger) func(http.Handler) http.Handler

ExtractOrgIDToCtx extracts organization ID using the supplied extractor and sets it in the request context. This middleware only extracts and sets the org ID - it does not validate membership.

func GrpcAuthMiddleware 

func GrpcAuthMiddleware(ctx context.Context) (context.Context, error)

client has to present client TLS certificate

func InstallRateLimiter added in v0.9.0 

func InstallRateLimiter(r chi.Router, opts RateLimitOptions)

InstallRateLimiter installs RealIP + custom rate limiter.

func NewHTTPServer 

func NewHTTPServer(router http.Handler, log logrus.FieldLogger, address string, cfg *config.Config) *http.Server

func NewHTTPServerWithTLSContext 

func NewHTTPServerWithTLSContext(router http.Handler, log logrus.FieldLogger, address string, cfg *config.Config) *http.Server

func NewTLSListener 

func NewTLSListener(address string, tlsConfig *tls.Config) (net.Listener, error)

NewTLSListener returns a new TLS listener. If the address is empty, it will listen on localhost's next available port.

func RequestID added in v0.6.0 

func RequestID(next http.Handler) http.Handler

func RequestSizeLimiter added in v0.4.0 

func RequestSizeLimiter(maxURLLength int, maxNumHeaders int) func(http.Handler) http.Handler

RequestSizeLimiter returns a middleware that limits the URL length and the number of request headers.

func SecurityHeaders added in v1.0.0 

func SecurityHeaders(next http.Handler) http.Handler

SecurityHeaders adds security headers to all HTTP responses. This middleware should be applied early in the middleware chain to ensure all responses include these headers.

func TrustedRealIP added in v0.9.0 

func TrustedRealIP(trustedCIDRs []string) func(http.Handler) http.Handler

TrustedRealIP only rewrites RemoteAddr when the immediate peer is in one of your LB CIDRs

func UserAgentLogger added in v1.0.0 

func UserAgentLogger(logger logrus.FieldLogger) func(http.Handler) http.Handler

UserAgentLogger logs the User-Agent header from incoming requests and sets it in the request context.

func ValidateClientTlsCert 

func ValidateClientTlsCert(ctx context.Context) (context.Context, error)

func ValidateOrgMembership 

func ValidateOrgMembership(logger logrus.FieldLogger) func(http.Handler) http.Handler

ValidateOrgMembership validates that the user is a member of the organization in the context. This middleware only validates membership - it does not extract the org ID.

Types

type AgentAuthMiddleware added in v1.0.0 

type AgentAuthMiddleware struct {
	// contains filtered or unexported fields
}

AgentAuthMiddleware handles certificate-based authentication for device agents This middleware is specifically for device operations that use DeviceEnrollmentSignerName

func NewAgentAuthMiddleware added in v1.0.0 

func NewAgentAuthMiddleware(ca *crypto.CAClient, log logrus.FieldLogger) *AgentAuthMiddleware

NewAgentAuthMiddleware creates a new device agent authentication middleware

func (*AgentAuthMiddleware) AuthenticateAgent added in v1.0.0 

func (m *AgentAuthMiddleware) AuthenticateAgent(next http.Handler) http.Handler

AuthenticateAgent is the middleware function that authenticates agents using certificates

func (*AgentAuthMiddleware) Start added in v1.0.0 

func (m *AgentAuthMiddleware) Start()

Start starts the cache background cleanup

func (*AgentAuthMiddleware) Stop added in v1.0.0 

func (m *AgentAuthMiddleware) Stop()

Stop stops the cache background cleanup

type AgentIdentity added in v1.0.0 

type AgentIdentity struct {
	// contains filtered or unexported fields
}

AgentIdentity implements the common.Identity interface for agents This is fundamentally different from user identities: - Uses device fingerprint as identity (not human username) - Has direct database organization ID (not external org names) - No traditional roles (agents are authenticated by certificate) - Certificate-based issuer (not OIDC/AAP/K8s)

func (*AgentIdentity) GetCommonName added in v1.0.0 

func (a *AgentIdentity) GetCommonName() string

GetCommonName returns the certificate common name

func (*AgentIdentity) GetExpirationDate added in v1.0.0 

func (a *AgentIdentity) GetExpirationDate() time.Time

GetExpirationDate returns the certificate expiration date

func (*AgentIdentity) GetIssuer added in v1.0.0 

func (a *AgentIdentity) GetIssuer() *identity.Issuer

GetIssuer returns the certificate issuer Agents use certificate-based authentication, not OIDC/AAP/K8s

func (*AgentIdentity) GetOrgID added in v1.0.0 

func (a *AgentIdentity) GetOrgID() string

GetOrgID returns the organization ID from the certificate This is the actual database organization ID (UUID)

func (*AgentIdentity) GetOrganizations added in v1.0.0 

func (a *AgentIdentity) GetOrganizations() []common.ReportedOrganization

GetOrganizations returns the organization ID as a single organization For agents, this is the actual database organization ID (UUID) Unlike users who have external org names that get mapped to DB orgs

func (*AgentIdentity) GetUID added in v1.0.0 

func (a *AgentIdentity) GetUID() string

GetUID returns the device fingerprint as the UID For agents, this is the device identifier, not a human user ID

func (*AgentIdentity) GetUsername added in v1.0.0 

func (a *AgentIdentity) GetUsername() string

GetUsername returns the device fingerprint as the username For agents, this is the device identifier, not a human username

func (*AgentIdentity) IsAgent added in v1.0.0 

func (a *AgentIdentity) IsAgent() bool

IsAgent returns true to identify this as an agent identity

func (*AgentIdentity) IsSuperAdmin added in v1.0.0 

func (a *AgentIdentity) IsSuperAdmin() bool

IsSuperAdmin returns false for agent identities (agents have no super admin concept)

func (*AgentIdentity) SetSuperAdmin added in v1.0.0 

func (a *AgentIdentity) SetSuperAdmin(superAdmin bool)

SetSuperAdmin is a no-op for agent identities (agents have no super admin concept)

type CertificateInfo added in v1.0.0 

type CertificateInfo struct {
	CommonName     string
	ExpirationDate time.Time
}

CertificateInfo contains information extracted from the enrollment certificate

type DeviceInfo added in v1.0.0 

type DeviceInfo struct {
	DeviceFingerprint string
	OrgID             string
	CommonName        string
	ExpirationDate    time.Time
}

DeviceInfo contains information extracted from the agent certificate

type EnrollmentAuthMiddleware added in v1.0.0 

type EnrollmentAuthMiddleware struct {
	// contains filtered or unexported fields
}

EnrollmentAuthMiddleware handles certificate-based authentication for enrollment/bootstrap requests

func NewEnrollmentAuthMiddleware added in v1.0.0 

func NewEnrollmentAuthMiddleware(ca *crypto.CAClient, log logrus.FieldLogger) *EnrollmentAuthMiddleware

NewEnrollmentAuthMiddleware creates a new enrollment authentication middleware

func (*EnrollmentAuthMiddleware) AuthenticateEnrollment added in v1.0.0 

func (m *EnrollmentAuthMiddleware) AuthenticateEnrollment(next http.Handler) http.Handler

AuthenticateEnrollment is the middleware function that authenticates enrollment requests using certificates

func (*EnrollmentAuthMiddleware) Start added in v1.0.0 

func (m *EnrollmentAuthMiddleware) Start()

Start starts the cache background cleanup

func (*EnrollmentAuthMiddleware) Stop added in v1.0.0 

func (m *EnrollmentAuthMiddleware) Stop()

Stop stops the cache background cleanup

type EnrollmentIdentity added in v1.0.0 

type EnrollmentIdentity struct {
	// contains filtered or unexported fields
}

EnrollmentIdentity implements the common.Identity interface for enrollment requests This is different from device identities: - Uses certificate common name as identity (not device fingerprint) - No organization ID (enrollment is pre-organization) - No traditional roles (enrollment requests are authenticated by certificate) - Certificate-based issuer (not OIDC/AAP/K8s)

func (*EnrollmentIdentity) GetCommonName added in v1.0.0 

func (e *EnrollmentIdentity) GetCommonName() string

GetCommonName returns the certificate common name

func (*EnrollmentIdentity) GetExpirationDate added in v1.0.0 

func (e *EnrollmentIdentity) GetExpirationDate() time.Time

GetExpirationDate returns the certificate expiration date

func (*EnrollmentIdentity) GetIssuer added in v1.0.0 

func (e *EnrollmentIdentity) GetIssuer() *identity.Issuer

GetIssuer returns the certificate issuer Enrollment uses certificate-based authentication

func (*EnrollmentIdentity) GetOrgID added in v1.0.0 

func (e *EnrollmentIdentity) GetOrgID() string

GetOrgID returns the organization ID from the certificate Uses the orgID extracted from the certificate extension

func (*EnrollmentIdentity) GetOrganizations added in v1.0.0 

func (e *EnrollmentIdentity) GetOrganizations() []common.ReportedOrganization

GetOrganizations returns the organization from the certificate Uses the orgID extracted from the certificate extension

func (*EnrollmentIdentity) GetUID added in v1.0.0 

func (e *EnrollmentIdentity) GetUID() string

GetUID returns the certificate common name as the UID For enrollment, this is the certificate identifier

func (*EnrollmentIdentity) GetUsername added in v1.0.0 

func (e *EnrollmentIdentity) GetUsername() string

GetUsername returns the certificate common name as the username For enrollment, this is the certificate identifier

func (*EnrollmentIdentity) IsAgent added in v1.0.0 

func (e *EnrollmentIdentity) IsAgent() bool

IsAgent returns false to identify this as an enrollment identity (not an agent)

func (*EnrollmentIdentity) IsSuperAdmin added in v1.0.0 

func (e *EnrollmentIdentity) IsSuperAdmin() bool

IsSuperAdmin returns false for enrollment identities (enrollment has no super admin concept)

func (*EnrollmentIdentity) SetSuperAdmin added in v1.0.0 

func (e *EnrollmentIdentity) SetSuperAdmin(superAdmin bool)

SetSuperAdmin is a no-op for enrollment identities (enrollment has no super admin concept)

type IdentityMappingMiddleware added in v1.0.0 

type IdentityMappingMiddleware struct {
	// contains filtered or unexported fields
}

IdentityMappingMiddleware maps identity information to local database objects This middleware sits between authentication and organization middleware

func NewIdentityMappingMiddleware added in v1.0.0 

func NewIdentityMappingMiddleware(identityMapper *service.IdentityMapper, log logrus.FieldLogger) *IdentityMappingMiddleware

NewIdentityMappingMiddleware creates a new identity mapping middleware

func (*IdentityMappingMiddleware) MapIdentityToDB added in v1.0.0 

func (m *IdentityMappingMiddleware) MapIdentityToDB(next http.Handler) http.Handler

MapIdentityToDB is the middleware function that maps identity to database objects

type OrgIDExtractor added in v0.10.0 

type OrgIDExtractor func(context.Context, *http.Request) (uuid.UUID, error)

OrgIDExtractor extracts an organization ID from an HTTP request. 

var CertOrgIDExtractor OrgIDExtractor = extractOrgIDFromRequestCert

CertOrgIDExtractor reads the org_id from the client certificate. 

var QueryOrgIDExtractor OrgIDExtractor = extractOrgIDFromRequestQuery

QueryOrgIDExtractor is the default extractor that reads the org_id from the query string.

type RateLimitOptions added in v0.9.0 

type RateLimitOptions struct {
	Requests       int
	Window         time.Duration
	Message        string
	TrustedProxies []string
}

RateLimitOptions configures rate limiting behavior

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.