authn

package
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 7, 2026 License: Apache-2.0 Imports: 42 Imported by: 0

Documentation

Index

Constants

View Source 
const ParsedTokenCtxKey common.ContextKey = "parsed_token"

ParsedTokenCtxKey is the context key for the parsed JWT token

Variables

This section is empty.

Functions

func GetParsedTokenFromContext added in v1.0.0 

func GetParsedTokenFromContext(ctx context.Context) (jwt.Token, bool)

GetParsedTokenFromContext retrieves the parsed JWT token from the context if it exists

func ValidateRoleAssignment added in v1.0.0 

func ValidateRoleAssignment(roleAssignment api.AuthRoleAssignment) error

ValidateRoleAssignment validates a role assignment configuration

Types

type AAPGatewayUserIdentity added in v0.10.0 

type AAPGatewayUserIdentity interface {
	common.Identity
	IsSuperuser() bool
	IsPlatformAuditor() bool
}

type AAPIdentity added in v0.10.0 

type AAPIdentity struct {
	common.BaseIdentity
	// contains filtered or unexported fields
}

AAPIdentity extends common.Identity with AAP-specific fields

func (*AAPIdentity) IsPlatformAuditor added in v0.10.0 

func (a *AAPIdentity) IsPlatformAuditor() bool

func (*AAPIdentity) IsSuperuser added in v0.10.0 

func (a *AAPIdentity) IsSuperuser() bool

type AapGatewayAuth added in v0.6.0 

type AapGatewayAuth struct {
	// contains filtered or unexported fields
}

func NewAapGatewayAuth added in v0.6.0 

func NewAapGatewayAuth(metadata api.ObjectMeta, spec api.AapProviderSpec, clientTlsConfig *tls.Config) (*AapGatewayAuth, error)

func (*AapGatewayAuth) GetAapSpec added in v1.0.0 

func (a *AapGatewayAuth) GetAapSpec() api.AapProviderSpec

func (*AapGatewayAuth) GetAuthConfig added in v0.6.0 

func (a *AapGatewayAuth) GetAuthConfig() *api.AuthConfig

func (*AapGatewayAuth) GetAuthToken added in v0.6.0 

func (*AapGatewayAuth) GetAuthToken(r *http.Request) (string, error)

func (*AapGatewayAuth) GetIdentity added in v0.6.0 

func (a *AapGatewayAuth) GetIdentity(ctx context.Context, token string) (common.Identity, error)

func (*AapGatewayAuth) IsEnabled added in v1.0.0 

func (a *AapGatewayAuth) IsEnabled() bool

func (*AapGatewayAuth) Start added in v1.0.0 

func (a *AapGatewayAuth) Start(ctx context.Context) error

Start starts the identity cache background cleanup Creates a child context that can be independently canceled via Stop()

func (*AapGatewayAuth) Stop added in v1.0.0 

func (a *AapGatewayAuth) Stop()

Stop stops the identity cache and cancels the provider's context

func (*AapGatewayAuth) ValidateToken added in v0.6.0 

func (a *AapGatewayAuth) ValidateToken(ctx context.Context, token string) error

type AuthProviderCacheKey added in v1.0.0 

type AuthProviderCacheKey struct {
	Issuer   string
	ClientId string
}

AuthProviderCacheKey is a composite key for caching auth providers

type AuthProviderService added in v1.0.0 

type AuthProviderService interface {
	ListAuthProviders(ctx context.Context, orgId uuid.UUID, params api.ListAuthProvidersParams) (*api.AuthProviderList, api.Status)
	ListAllAuthProviders(ctx context.Context, params api.ListAuthProvidersParams) (*api.AuthProviderList, api.Status)
	GetAuthProvider(ctx context.Context, orgId uuid.UUID, name string) (*api.AuthProvider, api.Status)
	GetAuthProviderByIssuerAndClientId(ctx context.Context, orgId uuid.UUID, issuer string, clientId string) (*api.AuthProvider, api.Status)
}

AuthProviderService interface for auth provider operations

type AuthProviderWithLifecycle added in v1.0.0 

type AuthProviderWithLifecycle interface {
	common.AuthNMiddleware
	Start(ctx context.Context) error
	Stop()
}

AuthProviderWithLifecycle is an optional interface that providers can implement if they need lifecycle management (e.g., starting background caches)

type JWTGenerator added in v1.0.0 

type JWTGenerator struct {
	// contains filtered or unexported fields
}

JWTGenerator handles JWT token generation for Linux authentication

func NewJWTGenerator added in v1.0.0 

func NewJWTGenerator(caClient *fccrypto.CAClient) (*JWTGenerator, error)

NewJWTGenerator creates a new JWT generator using the existing CA key

func (*JWTGenerator) GenerateTokenWithType added in v1.0.0 

func (g *JWTGenerator) GenerateTokenWithType(request TokenGenerationRequest, expiration time.Duration, tokenType string) (string, error)

GenerateTokenWithType creates a JWT token for the given identity with a specific token type

func (*JWTGenerator) GetJWKS added in v1.0.0 

func (g *JWTGenerator) GetJWKS() (*pamapi.JWKSResponse, error)

GetJWKS returns the JWKS (JSON Web Key Set) for this generator

func (*JWTGenerator) GetPublicKeyPEM added in v1.0.0 

func (g *JWTGenerator) GetPublicKeyPEM() (string, error)

GetPublicKeyPEM returns the public key in PEM format for JWKS endpoint

func (*JWTGenerator) ValidateToken added in v1.0.0 

func (g *JWTGenerator) ValidateToken(tokenString string) (*JWTIdentity, error)

ValidateToken validates a JWT token using the generator's public key

func (*JWTGenerator) ValidateTokenWithType added in v1.0.0 

func (g *JWTGenerator) ValidateTokenWithType(tokenString string, expectedTokenType string) (*JWTIdentity, error)

ValidateTokenWithType validates a JWT token and ensures it has the correct token type

type JWTIdentity added in v0.10.0 

type JWTIdentity struct {
	common.BaseIdentity
	// contains filtered or unexported fields
}

JWTIdentity extends common.Identity with JWT-specific fields

func (*JWTIdentity) GetClaim added in v0.10.0 

func (i *JWTIdentity) GetClaim(claim string) (interface{}, bool)

type K8sAuthN added in v0.4.0 

type K8sAuthN struct {
	// contains filtered or unexported fields
}

func NewK8sAuthN added in v0.4.0 

func NewK8sAuthN(metadata api.ObjectMeta, spec api.K8sProviderSpec, k8sClient k8sclient.K8SClient) (*K8sAuthN, error)

func (*K8sAuthN) GetAuthConfig added in v0.4.0 

func (o *K8sAuthN) GetAuthConfig() *api.AuthConfig

func (*K8sAuthN) GetAuthToken added in v0.6.0 

func (o *K8sAuthN) GetAuthToken(r *http.Request) (string, error)

func (*K8sAuthN) GetIdentity added in v0.4.0 

func (o *K8sAuthN) GetIdentity(ctx context.Context, token string) (common.Identity, error)

func (*K8sAuthN) IsEnabled added in v1.0.0 

func (o *K8sAuthN) IsEnabled() bool

func (*K8sAuthN) Start added in v1.0.0 

func (o *K8sAuthN) Start(ctx context.Context) error

Start starts the cache background cleanup Creates a child context that can be independently canceled via Stop()

func (*K8sAuthN) Stop added in v1.0.0 

func (o *K8sAuthN) Stop()

Stop stops the caches and cancels the provider's context

func (*K8sAuthN) ValidateToken added in v0.4.0 

func (o *K8sAuthN) ValidateToken(ctx context.Context, token string) error

type MultiAuth added in v1.0.0 

type MultiAuth struct {
	// contains filtered or unexported fields
}

MultiAuth implements authentication using multiple providers with issuer-based routing

func NewMultiAuth added in v1.0.0 

func NewMultiAuth(authProviderService AuthProviderService, tlsConfig *tls.Config, log logrus.FieldLogger) *MultiAuth

NewMultiAuth creates a new MultiAuth instance

func (*MultiAuth) AddStaticProvider added in v1.0.0 

func (m *MultiAuth) AddStaticProvider(issuer string, provider common.AuthNMiddleware)

AddStaticProvider adds a static authentication provider with its issuer

func (*MultiAuth) GetAuthConfig added in v1.0.0 

func (m *MultiAuth) GetAuthConfig() *api.AuthConfig

GetAuthConfig returns the auth configuration with all available providers

func (*MultiAuth) GetAuthToken added in v1.0.0 

func (m *MultiAuth) GetAuthToken(r *http.Request) (string, error)

GetAuthToken extracts the auth token from the request

func (*MultiAuth) GetIdentity added in v1.0.0 

func (m *MultiAuth) GetIdentity(ctx context.Context, token string) (common.Identity, error)

GetIdentity extracts identity from a token using issuer-based routing

func (*MultiAuth) GetLogger added in v1.0.0 

func (m *MultiAuth) GetLogger() logrus.FieldLogger

GetLogger returns the logger

func (*MultiAuth) GetProviderMiddleware added in v1.0.0 

func (m *MultiAuth) GetProviderMiddleware(name string) (common.AuthNMiddleware, api.Status)

GetProviderMiddleware retrieves the provider middleware directly by name (for internal use with secrets intact)

func (*MultiAuth) GetTLSConfig added in v1.0.0 

func (m *MultiAuth) GetTLSConfig() *tls.Config

GetTLSConfig returns the TLS configuration

func (*MultiAuth) HasProviders added in v1.0.0 

func (m *MultiAuth) HasProviders() bool

HasProviders returns true if any providers are configured

func (*MultiAuth) IsEnabled added in v1.0.0 

func (m *MultiAuth) IsEnabled() bool

func (*MultiAuth) LoadAllAuthProviders added in v1.0.0 

func (m *MultiAuth) LoadAllAuthProviders(ctx context.Context) error

LoadAllAuthProviders reloads auth providers from the database with change detection

func (*MultiAuth) Start added in v1.0.0 

func (m *MultiAuth) Start(ctx context.Context) error

Start starts the background loader goroutine and blocks until context is cancelled

func (*MultiAuth) ValidateToken added in v1.0.0 

func (m *MultiAuth) ValidateToken(ctx context.Context, token string) error

func (*MultiAuth) ValidateTokenAndGetProvider added in v1.0.0 

func (m *MultiAuth) ValidateTokenAndGetProvider(ctx context.Context, token string) (common.AuthNMiddleware, error)

ValidateTokenAndGetProvider validates a token using issuer-based routing and returns the provider that validated the token

type OAuth2Auth added in v1.0.0 

type OAuth2Auth struct {
	// contains filtered or unexported fields
}

OAuth2Auth implements OAuth2 authentication using userinfo endpoint validation

func NewOAuth2Auth added in v1.0.0 

func NewOAuth2Auth(metadata api.ObjectMeta, spec api.OAuth2ProviderSpec, tlsConfig *tls.Config, log logrus.FieldLogger) (*OAuth2Auth, error)

NewOAuth2Auth creates a new OAuth2 authentication instance

func (*OAuth2Auth) GetAuthConfig added in v1.0.0 

func (o *OAuth2Auth) GetAuthConfig() *api.AuthConfig

GetAuthConfig returns the OAuth2 authentication configuration

func (*OAuth2Auth) GetAuthToken added in v1.0.0 

func (o *OAuth2Auth) GetAuthToken(r *http.Request) (string, error)

GetAuthToken extracts the OAuth2 access token from the HTTP request

func (*OAuth2Auth) GetIdentity added in v1.0.0 

func (o *OAuth2Auth) GetIdentity(ctx context.Context, token string) (common.Identity, error)

GetIdentity extracts user identity from the OAuth2 userinfo endpoint

func (*OAuth2Auth) GetOAuth2Spec added in v1.0.0 

func (o *OAuth2Auth) GetOAuth2Spec() api.OAuth2ProviderSpec

GetOAuth2Spec returns the internal OAuth2 spec with client secret intact (for internal use only)

func (*OAuth2Auth) IsEnabled added in v1.0.0 

func (o *OAuth2Auth) IsEnabled() bool

func (*OAuth2Auth) Start added in v1.0.0 

func (o *OAuth2Auth) Start(ctx context.Context) error

Start starts the identity cache background cleanup Creates a child context that can be independently canceled via Stop()

func (*OAuth2Auth) Stop added in v1.0.0 

func (o *OAuth2Auth) Stop()

Stop stops the identity cache and cancels the provider's context

func (*OAuth2Auth) ValidateToken added in v1.0.0 

func (o *OAuth2Auth) ValidateToken(ctx context.Context, token string) error

ValidateToken validates an OAuth2 access token using the configured introspection method

type OIDCAuth added in v1.0.0 

type OIDCAuth struct {
	// contains filtered or unexported fields
}

func NewOIDCAuth added in v1.0.0 

func NewOIDCAuth(metadata api.ObjectMeta, spec api.OIDCProviderSpec, clientTlsConfig *tls.Config, log logrus.FieldLogger) (*OIDCAuth, error)

func (*OIDCAuth) GetAuthConfig added in v1.0.0 

func (o *OIDCAuth) GetAuthConfig() *api.AuthConfig

func (*OIDCAuth) GetAuthToken added in v1.0.0 

func (o *OIDCAuth) GetAuthToken(r *http.Request) (string, error)

func (*OIDCAuth) GetIdentity added in v1.0.0 

func (o *OIDCAuth) GetIdentity(ctx context.Context, token string) (common.Identity, error)

func (*OIDCAuth) GetOIDCSpec added in v1.0.0 

func (o *OIDCAuth) GetOIDCSpec() api.OIDCProviderSpec

GetOIDCSpec returns the internal OIDC spec with client secret intact (for internal use only)

func (*OIDCAuth) IsEnabled added in v1.0.0 

func (o *OIDCAuth) IsEnabled() bool

func (*OIDCAuth) Start added in v1.0.0 

func (o *OIDCAuth) Start(ctx context.Context) error

Start starts the identity cache background cleanup Creates a child context that can be independently canceled via Stop()

func (*OIDCAuth) Stop added in v1.0.0 

func (o *OIDCAuth) Stop()

Stop stops the identity cache and cancels the provider's context

func (*OIDCAuth) ValidateToken added in v1.0.0 

func (o *OIDCAuth) ValidateToken(ctx context.Context, token string) error

type OIDCServerResponse 

type OIDCServerResponse struct {
	TokenEndpoint string `json:"token_endpoint"`
	JwksUri       string `json:"jwks_uri"`
}

type OpenShiftAuth added in v1.0.0 

type OpenShiftAuth struct {
	// contains filtered or unexported fields
}

OpenShiftAuth implements OpenShift OAuth authentication using TokenReview validation

func NewOpenShiftAuth added in v1.0.0 

func NewOpenShiftAuth(metadata api.ObjectMeta, spec api.OpenShiftProviderSpec, k8sClient k8sclient.K8SClient, tlsConfig *tls.Config, log logrus.FieldLogger) (*OpenShiftAuth, error)

NewOpenShiftAuth creates a new OpenShift authentication instance

func (*OpenShiftAuth) GetAuthConfig added in v1.0.0 

func (o *OpenShiftAuth) GetAuthConfig() *api.AuthConfig

GetAuthConfig returns the OpenShift authentication configuration

func (*OpenShiftAuth) GetAuthToken added in v1.0.0 

func (o *OpenShiftAuth) GetAuthToken(r *http.Request) (string, error)

GetAuthToken extracts the Bearer token from the HTTP request

func (*OpenShiftAuth) GetIdentity added in v1.0.0 

func (o *OpenShiftAuth) GetIdentity(ctx context.Context, token string) (common.Identity, error)

GetIdentity extracts user identity from TokenReview, gets projects, and fetches roles per project

func (*OpenShiftAuth) GetOpenShiftSpec added in v1.0.0 

func (o *OpenShiftAuth) GetOpenShiftSpec() api.OpenShiftProviderSpec

GetOpenShiftSpec returns the internal OpenShift spec with client secret intact (for internal use only)

func (*OpenShiftAuth) IsEnabled added in v1.0.0 

func (o *OpenShiftAuth) IsEnabled() bool

func (*OpenShiftAuth) Start added in v1.0.0 

func (o *OpenShiftAuth) Start(ctx context.Context) error

Start starts the cache background cleanup Creates a child context that can be independently canceled via Stop()

func (*OpenShiftAuth) Stop added in v1.0.0 

func (o *OpenShiftAuth) Stop()

Stop stops the caches and cancels the provider's context

func (*OpenShiftAuth) ValidateToken added in v1.0.0 

func (o *OpenShiftAuth) ValidateToken(ctx context.Context, token string) error

ValidateToken validates an OpenShift OAuth token using K8s TokenReview

type OrganizationExtractor added in v1.0.0 

type OrganizationExtractor struct {
	// contains filtered or unexported fields
}

OrganizationExtractor provides shared organization extraction logic for both OIDC and OAuth2 providers

func NewOrganizationExtractor added in v1.0.0 

func NewOrganizationExtractor(orgConfig *common.AuthOrganizationsConfig) *OrganizationExtractor

NewOrganizationExtractor creates a new organization extractor

func (*OrganizationExtractor) ExtractOrganizations added in v1.0.0 

func (e *OrganizationExtractor) ExtractOrganizations(claims map[string]interface{}, username string) []string

ExtractOrganizations extracts organization information based on org config

type RoleExtractor added in v1.0.0 

type RoleExtractor struct {
	// contains filtered or unexported fields
}

RoleExtractor handles role extraction from claims based on role assignment configuration

func NewRoleExtractor added in v1.0.0 

func NewRoleExtractor(roleAssignment api.AuthRoleAssignment, createdBySuperAdmin bool, log logrus.FieldLogger) *RoleExtractor

NewRoleExtractor creates a new role extractor with the given role assignment and super admin flag

func (*RoleExtractor) ExtractOrgRolesFromMap added in v1.0.0 

func (r *RoleExtractor) ExtractOrgRolesFromMap(claims map[string]interface{}) map[string][]string

ExtractOrgRolesFromMap extracts organization-scoped roles from claims Returns a map where: - Keys are organization names (or "*" for global roles) - Values are lists of roles for that organization

func (*RoleExtractor) ExtractRolesFromMap added in v1.0.0 

func (r *RoleExtractor) ExtractRolesFromMap(claims map[string]interface{}) []string

ExtractRolesFromMap extracts roles from a map of claims (for OAuth2 userinfo) Deprecated: Use ExtractOrgRolesFromMap instead

type TokenGenerationRequest added in v1.0.0 

type TokenGenerationRequest struct {
	Username      string
	UID           string
	Organizations []string
	Roles         []string
	Audience      []string // JWT audience claim (aud)
	Issuer        string   // JWT issuer claim (iss)
	Scopes        string   // OAuth2 scopes (space-separated)
}

type TokenIdentity added in v0.10.0 

type TokenIdentity interface {
	common.Identity
	GetClaim(string) (interface{}, bool)
}

type TokenType added in v1.0.0 

type TokenType int

TokenType represents the type of JWT authentication token 

const (
	TokenTypeOIDC TokenType = iota
	TokenTypeK8s
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.