lighthouse

package module
v0.20.0-pr2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 16, 2026 License: MIT Imports: 40 Imported by: 0

README

LightHouse - A Go-Based Trust Anchor / Intermediate Authority / Trust Mark Issuer

LightHouse helps you to navigate the wild and complex sea of OpenID Federation.

LightHouse is a flexible and configurable OpenID Federation Entity. It can be configured and deployed as a Trust Anchor / Intermediate Authority / Resolver / Trust Mark Issuer or everything at the same time. LightHouse uses the go-oidfed/lib oidfed library.

LightHouse also can be used to build your own federation entity on top of the existing implementation.

Documentation

For more information please refer to the Documentation at https://go-oidfed.github.io/lighthouse/

Configuration

The configuration of LightHouse is explained in details at https://go-oidfed.github.io/lighthouse/config/.

Docker Images

Docker images are available at docker hub under oidfed/lighthouse.

  • The go oidfed library at https://github.com/go-oidfed/lib contains:
    • The basic go-oidfed library with the core oidfed functionalities.
    • It can be used to build all kind of oidfed capable entities.
    • LightHouse uses this library
  • The whoami-rp repository at https://github.com/go-oidfed/whoami-rp contains:
    • A simple - but not very useful - example RP.
  • The OFFA repository at https://github.com/go-oidfed/offa:
    • OFFA stands for Openid Federation Forward Auth
    • OFFA can be deployed next to existing services to add oidfed authentication to services that do not natively support it.
    • OFFA can be used with Apache, Caddy, NGINX, and Traefik.

Documentation

Index

Constants

View Source 
const (
	KMSFilesystem = "filesystem"
	KMSPKCS11     = "pkcs11"
)
View Source 
const (
	PKBackendFilesystem = "filesystem"
	PKBackendDatabase   = "db"
)
View Source 
const MaximumEntityConfigurationCachePeriod = 8 * time.Hour

Variables

View Source 
var FiberServerConfig = fiber.Config{
	ReadTimeout:    3 * time.Second,
	WriteTimeout:   20 * time.Second,
	IdleTimeout:    150 * time.Second,
	ReadBufferSize: 8192,

	ErrorHandler: handleError,
	Network:      "tcp",
}

FiberServerConfig is the fiber.Config that is used to init the http fiber.App

Functions

func RegisterEntityChecker 

func RegisterEntityChecker(configTypeName string, constructor func() EntityChecker)

RegisterEntityChecker registers a custom EntityChecker so EntityCheckerFromYAMLConfig knows about it and can return it from a yaml config

Types

type AdminAPIOptions 

type AdminAPIOptions struct {
	Enabled      bool
	UsersEnabled bool
	// Port: 0 mounts on main server under /api/v1/admin; >0 starts a separate server on this port
	Port int
	// ActorHeader is the HTTP header name to extract the actor from for event history.
	// Default: "X-Actor"
	ActorHeader string
	// ActorSource is the preferred source for actor extraction ("basic_auth" or "header").
	// Default: "basic_auth" (tries basic auth username first, then falls back to header)
	ActorSource string
}

AdminAPIOptions controls initialization of the admin API.

type AuthorityHintEntityChecker 

type AuthorityHintEntityChecker struct {
	EntityID string `yaml:"entity_id"`
}

AuthorityHintEntityChecker checks that the entity has a certain entry in its authority_hints

func (AuthorityHintEntityChecker) Check 

func (c AuthorityHintEntityChecker) Check(
	entityConfiguration *oidfed.EntityStatement,
	_ []string,
) (bool, int, *oidfed.Error)

Check implements the EntityChecker interface

func (*AuthorityHintEntityChecker) UnmarshalYAML 

func (c *AuthorityHintEntityChecker) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler and EntityChecker interface

type CheckerContext 

type CheckerContext struct {
	Store         model.TrustMarkedEntitiesStorageBackend
	TrustMarkType string
}

CheckerContext provides runtime context for contextual entity checkers

type ContextualEntityChecker 

type ContextualEntityChecker interface {
	EntityChecker
	// SetContext sets the runtime context for this checker
	SetContext(ctx CheckerContext)
}

ContextualEntityChecker is an EntityChecker that requires runtime context to be set before checking. This is used for checkers that need access to storage backends or other runtime dependencies.

type DBListEntityChecker 

type DBListEntityChecker struct {
	// contains filtered or unexported fields
}

DBListEntityChecker checks if subject is in TrustMarkSubject table with active status. This checker requires SetContext to be called before Check.

func (*DBListEntityChecker) Check 

func (c *DBListEntityChecker) Check(
	entityConfiguration *oidfed.EntityStatement,
	_ []string,
) (bool, int, *oidfed.Error)

Check implements the EntityChecker interface

func (*DBListEntityChecker) SetContext 

func (c *DBListEntityChecker) SetContext(ctx CheckerContext)

SetContext sets the runtime context for this checker

func (*DBListEntityChecker) UnmarshalYAML 

func (*DBListEntityChecker) UnmarshalYAML(_ *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler interface

type DBTrustMarkSpecProvider 

type DBTrustMarkSpecProvider struct {
	// contains filtered or unexported fields
}

DBTrustMarkSpecProvider implements oidfed.TrustMarkSpecProvider by fetching TrustMarkSpecs from the database. It is safe for concurrent use as it delegates to the thread-safe storage layer.

func NewDBTrustMarkSpecProvider 

func NewDBTrustMarkSpecProvider(store model.TrustMarkSpecStore) *DBTrustMarkSpecProvider

NewDBTrustMarkSpecProvider creates a new DBTrustMarkSpecProvider.

func (*DBTrustMarkSpecProvider) GetTrustMarkSpec 

func (p *DBTrustMarkSpecProvider) GetTrustMarkSpec(trustMarkType string) *oidfed.TrustMarkSpec

GetTrustMarkSpec returns the TrustMarkSpec for the given trust mark type. Returns nil if the trust mark type is not found.

func (*DBTrustMarkSpecProvider) TrustMarkTypes 

func (p *DBTrustMarkSpecProvider) TrustMarkTypes() []string

TrustMarkTypes returns all available trust mark types from the database.

type EligibilityCache 

type EligibilityCache struct {
	// contains filtered or unexported fields
}

EligibilityCache caches eligibility check results for trust mark issuance. This reduces the load on external checkers (http_list, http_list_jwt) and database queries for repeated requests.

func NewEligibilityCache 

func NewEligibilityCache() *EligibilityCache

NewEligibilityCache creates a new eligibility cache

func (*EligibilityCache) CleanExpired 

func (c *EligibilityCache) CleanExpired() int

CleanExpired removes all expired entries from the cache This can be called periodically to prevent memory growth

func (*EligibilityCache) Clear 

func (c *EligibilityCache) Clear()

Clear removes all entries from the cache

func (*EligibilityCache) Get 

func (c *EligibilityCache) Get(trustMarkType, subject string) (eligible bool, httpCode int, reason string, found bool)

Get retrieves a cached eligibility result Returns eligible status, HTTP code, reason, and whether a valid entry was found

func (*EligibilityCache) Invalidate 

func (c *EligibilityCache) Invalidate(trustMarkType, subject string)

Invalidate removes a specific entry from the cache This should be called when a subject's status changes (e.g., via admin API)

func (*EligibilityCache) InvalidateAll 

func (c *EligibilityCache) InvalidateAll(trustMarkType string)

InvalidateAll removes all entries for a specific trust mark type This should be called when the eligibility config for a trust mark type changes

func (*EligibilityCache) InvalidateType 

func (c *EligibilityCache) InvalidateType(trustMarkType string)

InvalidateType is an alias for InvalidateAll for clearer semantics

func (*EligibilityCache) Set 

func (c *EligibilityCache) Set(trustMarkType, subject string, eligible bool, httpCode int, reason string, ttl time.Duration)

Set stores an eligibility result in the cache

func (*EligibilityCache) Size 

func (c *EligibilityCache) Size() int

Size returns the current number of entries in the cache

func (*EligibilityCache) StartCleanupRoutine 

func (c *EligibilityCache) StartCleanupRoutine(interval time.Duration) (stop func())

StartCleanupRoutine starts a background goroutine that periodically cleans expired entries from the cache. Returns a stop function that should be called to stop the cleanup routine.

type EndpointConf 

type EndpointConf struct {
	// Path is the internal path for the endpoint.
	// Env: LH_ENDPOINTS_<ENDPOINT>_PATH
	//
	// NOTE: We intentionally omit the envconfig tag here. Using envconfig:"PATH"
	// would cause the library to also check the bare "PATH" env var as a fallback,
	// which collides with the system PATH and corrupts endpoint URLs.
	// By omitting the tag, envconfig uses the field name "Path" directly,
	// resulting in the correct LH_ENDPOINTS_<ENDPOINT>_PATH without fallback issues.
	Path string `yaml:"path"`
	// URL is the external URL for the endpoint.
	// Env: LH_ENDPOINTS_<ENDPOINT>_URL
	URL string `yaml:"url"`
}

EndpointConf is a type for configuring an endpoint with an internal and external path.

Environment variables use the parent endpoint's prefix, e.g.:

  • LH_ENDPOINTS_FETCH_PATH: Internal path for the fetch endpoint
  • LH_ENDPOINTS_FETCH_URL: External URL for the fetch endpoint

func (EndpointConf) IsSet 

func (c EndpointConf) IsSet() bool

IsSet returns a bool indicating if this endpoint was configured or not

func (*EndpointConf) ValidateURL 

func (c *EndpointConf) ValidateURL(rootURL string) string

ValidateURL validates that an external URL is set, and if not prefixes the internal path with the passed rootURL and sets it at the external url

type EntityChecker 

type EntityChecker interface {
	// Check checks if the entity with the passed oidfed.EntityStatement
	// satisfies the requirements of this EntityChecker or not
	// It returns a bool indicating this status,
	// and if not a http status code as well as a oidfed.Error as api response
	Check(
		entityConfiguration *oidfed.EntityStatement,
		entityTypes []string,
	) (bool, int, *oidfed.Error)
	// Unmarshaler is used to load the configuration
	yaml.Unmarshaler
}

EntityChecker is an interface used to check if an entity satisfies some requirements, e.g. to check if an entity should be enrolled in the federation or should be issued a trust mark

func EntityCheckerFromEntityCheckerConfig 

func EntityCheckerFromEntityCheckerConfig(c EntityCheckerConfig) (
	EntityChecker,
	error,
)

EntityCheckerFromEntityCheckerConfig parses the passed EntityCheckerConfig and returns the configured EntityChecker

func EntityCheckerFromJSONConfig 

func EntityCheckerFromJSONConfig(checkerType string, config map[string]any) (EntityChecker, error)

EntityCheckerFromJSONConfig creates an EntityChecker from a JSON-style config (using map[string]any instead of yaml.Node). This is used when loading config from database.

func EntityCheckerFromYAMLConfig 

func EntityCheckerFromYAMLConfig(config []byte) (EntityChecker, error)

EntityCheckerFromYAMLConfig passes the passed yaml config and returns the configured EntityChecker

type EntityCheckerConfig 

type EntityCheckerConfig struct {
	Type   string    `yaml:"type"`
	Config yaml.Node `yaml:"config,omitempty" ignored:"true"`
}

EntityCheckerConfig is a type for configuring an EntityChecker through yaml

type EntityCheckerNone 

type EntityCheckerNone struct{}

EntityCheckerNone is a type implementing EntityChecker but that checks nothing

func (EntityCheckerNone) Check 

func (EntityCheckerNone) Check(_ *oidfed.EntityStatement, _ []string) (
	bool, int, *oidfed.Error,
)

Check implements the EntityChecker interface

func (EntityCheckerNone) UnmarshalYAML 

func (EntityCheckerNone) UnmarshalYAML(_ *yaml.Node) error

UnmarshalYAML implements the EntityChecker interface

type EntityIDEntityChecker 

type EntityIDEntityChecker struct {
	AllowedIDs []string `yaml:"entity_ids"`
}

EntityIDEntityChecker checks that the entity has a certain entity id

func (EntityIDEntityChecker) Check 

func (c EntityIDEntityChecker) Check(
	entityConfiguration *oidfed.EntityStatement,
	_ []string,
) (bool, int, *oidfed.Error)

Check implements the EntityChecker interface

func (*EntityIDEntityChecker) UnmarshalYAML 

func (c *EntityIDEntityChecker) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler and EntityChecker interface

type HTTPListEntityChecker 

type HTTPListEntityChecker struct {
	URL      string            `yaml:"url" json:"url"`
	Method   string            `yaml:"method" json:"method"`       // GET or POST, default GET
	Headers  map[string]string `yaml:"headers" json:"headers"`     // Additional headers
	Timeout  int               `yaml:"timeout" json:"timeout"`     // seconds, default 30
	CacheTTL int               `yaml:"cache_ttl" json:"cache_ttl"` // seconds, default 60
	// contains filtered or unexported fields
}

HTTPListEntityChecker fetches a list of entity IDs from an HTTP endpoint and checks if the requesting entity is in the list. The endpoint should return a JSON array of entity ID strings.

func (*HTTPListEntityChecker) Check 

func (c *HTTPListEntityChecker) Check(
	entityConfiguration *oidfed.EntityStatement,
	_ []string,
) (bool, int, *oidfed.Error)

Check implements the EntityChecker interface

func (*HTTPListEntityChecker) UnmarshalYAML 

func (c *HTTPListEntityChecker) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler interface

type HTTPListJWTEntityChecker 

type HTTPListJWTEntityChecker struct {
	URL          string            `yaml:"url" json:"url"`
	Method       string            `yaml:"method" json:"method"`
	Headers      map[string]string `yaml:"headers" json:"headers"`
	Timeout      int               `yaml:"timeout" json:"timeout"`
	CacheTTL     int               `yaml:"cache_ttl" json:"cache_ttl"`
	ListClaim    string            `yaml:"list_claim" json:"list_claim"` // default "entities"
	Verification JWTVerification   `yaml:"verification" json:"verification"`
	// contains filtered or unexported fields
}

HTTPListJWTEntityChecker fetches a signed JWT containing entity IDs from an HTTP endpoint. The JWT signature is verified either using a configured JWKS or by building a trust chain to federation trust anchors.

func (*HTTPListJWTEntityChecker) Check 

func (c *HTTPListJWTEntityChecker) Check(
	entityConfiguration *oidfed.EntityStatement,
	_ []string,
) (bool, int, *oidfed.Error)

Check implements the EntityChecker interface

func (*HTTPListJWTEntityChecker) UnmarshalYAML 

func (c *HTTPListJWTEntityChecker) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler interface

type IssuedTrustMarkCache 

type IssuedTrustMarkCache struct {
	// contains filtered or unexported fields
}

IssuedTrustMarkCache caches issued trust mark JWTs to avoid repeated signing and database writes for the same (trust_mark_type, subject) combination.

func NewIssuedTrustMarkCache 

func NewIssuedTrustMarkCache() *IssuedTrustMarkCache

NewIssuedTrustMarkCache creates a new issued trust mark cache

func (*IssuedTrustMarkCache) CleanExpired 

func (c *IssuedTrustMarkCache) CleanExpired() int

CleanExpired removes all expired entries from the cache. This can be called periodically to prevent memory growth.

func (*IssuedTrustMarkCache) Clear 

func (c *IssuedTrustMarkCache) Clear()

Clear removes all entries from the cache.

func (*IssuedTrustMarkCache) Get 

func (c *IssuedTrustMarkCache) Get(trustMarkType, subject string) (string, bool)

Get retrieves a cached trust mark JWT. Returns the JWT and true if found and not expired, empty string and false otherwise.

func (*IssuedTrustMarkCache) Invalidate 

func (c *IssuedTrustMarkCache) Invalidate(trustMarkType, subject string)

Invalidate removes a specific entry from the cache. This should be called when a subject's status changes (e.g., blocked/revoked).

func (*IssuedTrustMarkCache) InvalidateAll 

func (c *IssuedTrustMarkCache) InvalidateAll(trustMarkType string)

InvalidateAll removes all entries for a specific trust mark type.

func (*IssuedTrustMarkCache) Set 

func (c *IssuedTrustMarkCache) Set(trustMarkType, subject, trustMarkJWT string, ttl time.Duration)

Set stores a trust mark JWT in the cache with the given TTL. If ttl <= 0, the entry is not cached.

func (*IssuedTrustMarkCache) Size 

func (c *IssuedTrustMarkCache) Size() int

Size returns the current number of entries in the cache.

func (*IssuedTrustMarkCache) StartCleanupRoutine 

func (c *IssuedTrustMarkCache) StartCleanupRoutine(interval time.Duration) (stop func())

StartCleanupRoutine starts a background goroutine that periodically cleans expired entries from the cache. Returns a stop function that should be called to stop the cleanup routine.

type JWTVerification 

type JWTVerification struct {
	Mode         JWTVerificationMode `yaml:"mode" json:"mode"`
	JWKS         *jwx.JWKS           `yaml:"jwks" json:"jwks,omitempty"`
	TrustAnchors oidfed.TrustAnchors `yaml:"trust_anchors" json:"trust_anchors,omitempty"`
}

JWTVerification configures how JWT signatures are verified

type JWTVerificationMode 

type JWTVerificationMode string

JWTVerificationMode defines how JWT signatures are verified 

const (
	// JWTVerificationModeJWKS verifies using a configured JWKS
	JWTVerificationModeJWKS JWTVerificationMode = "jwks"
	// JWTVerificationModeTrustAnchor verifies by building a trust chain to trust anchors
	JWTVerificationModeTrustAnchor JWTVerificationMode = "trust_anchor"
)

type LightHouse 

type LightHouse struct {
	oidfed.FederationEntity
	*oidfed.TrustMarkIssuer
	*jwx.GeneralJWTSigner

	LogoBanner    bool
	VersionBanner bool
	// contains filtered or unexported fields
}

LightHouse is a type a that represents a federation entity that can have multiple purposes (TA/IA + TMI, etc.)

func NewLightHouse 

func NewLightHouse(
	serverConf ServerConf,
	entityID string,
	signingConf SigningConf,
	storages model.Backends,
	admin AdminAPIOptions,
	statsOpts StatsOptions,
) (
	*LightHouse,
	error,
)

NewLightHouse creates a new LightHouse

func (*LightHouse) AddEnrollEndpoint 

func (fed *LightHouse) AddEnrollEndpoint(
	endpoint EndpointConf,
	store model.SubordinateStorageBackend,
	checker EntityChecker,
)

AddEnrollEndpoint adds an endpoint to enroll to this IA/TA

func (*LightHouse) AddEnrollRequestEndpoint 

func (fed *LightHouse) AddEnrollRequestEndpoint(
	endpoint EndpointConf,
	store model.SubordinateStorageBackend,
)

AddEnrollRequestEndpoint adds an endpoint to request enrollment to this IA /TA (this does only add a request to the storage, no automatic enrollment)

func (*LightHouse) AddEntityCollectionEndpoint 

func (fed *LightHouse) AddEntityCollectionEndpoint(
	endpoint EndpointConf, collector oidfed.EntityCollector,
	allowedTrustAnchors []string, paginationSupported bool,
)

AddEntityCollectionEndpoint adds an entity collection endpoint

func (*LightHouse) AddFetchEndpoint 

func (fed *LightHouse) AddFetchEndpoint(endpoint EndpointConf, store model.SubordinateStorageBackend)

AddFetchEndpoint adds a fetch endpoint

func (*LightHouse) AddHistoricalKeysEndpoint added in v0.6.0 

func (fed *LightHouse) AddHistoricalKeysEndpoint(endpoint EndpointConf)

AddHistoricalKeysEndpoint adds the federation historical keys endpoint

func (*LightHouse) AddResolveEndpoint 

func (fed *LightHouse) AddResolveEndpoint(
	endpoint EndpointConf, allowedTrustAnchors []string, proactiveResolver *oidfed.ProactiveResolver,
)

AddResolveEndpoint adds a resolve endpoint

func (*LightHouse) AddSubordinateListingEndpoint 

func (fed *LightHouse) AddSubordinateListingEndpoint(
	endpoint EndpointConf, store model.SubordinateStorageBackend,
	trustMarkStore model.TrustMarkedEntitiesStorageBackend,
)

AddSubordinateListingEndpoint adds a subordinate listing endpoint

func (*LightHouse) AddTrustMarkEndpoint 

func (fed *LightHouse) AddTrustMarkEndpoint(
	endpoint EndpointConf,
	store model.TrustMarkedEntitiesStorageBackend,
	checkers map[string]EntityChecker,
)

AddTrustMarkEndpoint adds a trust mark endpoint

func (*LightHouse) AddTrustMarkEndpointWithConfig 

func (fed *LightHouse) AddTrustMarkEndpointWithConfig(
	endpoint EndpointConf,
	config TrustMarkEndpointConfig,
)

AddTrustMarkEndpointWithConfig adds a trust mark endpoint with full configuration

func (*LightHouse) AddTrustMarkRequestEndpoint 

func (fed *LightHouse) AddTrustMarkRequestEndpoint(
	endpoint EndpointConf,
	store model.TrustMarkedEntitiesStorageBackend,
)

AddTrustMarkRequestEndpoint adds an endpoint where entities can request to be entitled for a trust mark

func (*LightHouse) AddTrustMarkStatusEndpoint 

func (fed *LightHouse) AddTrustMarkStatusEndpoint(
	endpoint EndpointConf,
	config TrustMarkStatusConfig,
)

AddTrustMarkStatusEndpoint adds a trust mark status endpoint compliant with OIDC Federation spec. The endpoint accepts POST requests with a trust_mark parameter containing the JWT to validate. It returns a signed JWT response with the status of the trust mark.

func (*LightHouse) AddTrustMarkedEntitiesListingEndpoint 

func (fed *LightHouse) AddTrustMarkedEntitiesListingEndpoint(
	endpoint EndpointConf,
	instanceStore model.IssuedTrustMarkInstanceStore,
)

AddTrustMarkedEntitiesListingEndpoint adds a trust marked entities listing endpoint. Per OIDC Federation spec, this endpoint lists all entities for which trust marks have been issued and are still valid (non-revoked, non-expired).

func (*LightHouse) CreateSubordinateStatement 

func (fed *LightHouse) CreateSubordinateStatement(subordinate *model.ExtendedSubordinateInfo) oidfed.EntityStatementPayload

CreateSubordinateStatement returns an oidfed.EntityStatementPayload for the passed storage.ExtendedSubordinateInfo

func (*LightHouse) HttpHandlerFunc 

func (fed *LightHouse) HttpHandlerFunc() http.HandlerFunc

HttpHandlerFunc returns an http.HandlerFunc for serving all the necessary endpoints

func (*LightHouse) Listen 

func (fed *LightHouse) Listen(addr string) error

Listen starts an http server at the specific address for serving all the necessary endpoints

func (*LightHouse) Start 

func (fed *LightHouse) Start()

func (*LightHouse) Stop 

func (fed *LightHouse) Stop() error

Stop gracefully shuts down the LightHouse server and its components.

type MultipleEntityCheckerAnd 

type MultipleEntityCheckerAnd struct {
	Checkers []EntityChecker
}

MultipleEntityCheckerAnd is an EntityChecker that combines multiple EntityChecker by requiring all checks to pass

func NewMultipleEntityCheckerAnd 

func NewMultipleEntityCheckerAnd(
	checkers ...EntityChecker,
) *MultipleEntityCheckerAnd

NewMultipleEntityCheckerAnd returns a new MultipleEntityCheckerAnd using all the passed EntityChecker

func (MultipleEntityCheckerAnd) Check 

func (c MultipleEntityCheckerAnd) Check(entityStatement *oidfed.EntityStatement, entityTypes []string) (
	bool, int, *oidfed.Error,
)

Check implements the EntityChecker interface

func (*MultipleEntityCheckerAnd) UnmarshalYAML 

func (c *MultipleEntityCheckerAnd) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler and EntityChecker interfaces

type MultipleEntityCheckerOr 

type MultipleEntityCheckerOr struct {
	Checkers []EntityChecker
}

MultipleEntityCheckerOr is an EntityChecker that combines multiple EntityChecker by requiring only one check to pass

func NewMultipleEntityCheckerOr 

func NewMultipleEntityCheckerOr(checkers ...EntityChecker) *MultipleEntityCheckerOr

NewMultipleEntityCheckerOr returns a new MultipleEntityCheckerOr using all the passed EntityChecker

func (MultipleEntityCheckerOr) Check 

func (c MultipleEntityCheckerOr) Check(
	entityStatement *oidfed.EntityStatement, entityTypes []string,
) (bool, int, *oidfed.Error)

Check implements the EntityChecker interface

func (*MultipleEntityCheckerOr) UnmarshalYAML 

func (c *MultipleEntityCheckerOr) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler and EntityChecker interfaces

type ServerConf 

type ServerConf struct {
	// IPListen is the IP address to listen on.
	// Env: LH_SERVER_IP_LISTEN
	IPListen string `yaml:"ip_listen" envconfig:"IP_LISTEN"`
	// Port is the HTTP server port.
	// Env: LH_SERVER_PORT
	Port int `yaml:"port" envconfig:"PORT"`
	// Prefork enables multiple processes listening on the same port.
	// When enabled, Fiber spawns child processes to distribute connections
	// across CPU cores for improved performance.
	// Note: When using prefork, it is strongly recommended to use Redis for
	// caching to ensure cache consistency across processes.
	// Env: LH_SERVER_PREFORK
	Prefork bool `yaml:"prefork" envconfig:"PREFORK"`
	// AdminAPIPort is set internally and not configurable via env.
	AdminAPIPort int `yaml:"-" envconfig:"-"`
	// TLS holds TLS configuration.
	// Env prefix: LH_SERVER_TLS_
	TLS tlsConf `yaml:"tls" envconfig:"TLS"`
	// TrustedProxies is a list of trusted proxy IPs.
	// Env: LH_SERVER_TRUSTED_PROXIES (comma-separated)
	TrustedProxies []string `yaml:"trusted_proxies" envconfig:"TRUSTED_PROXIES"`
	// ForwardedIPHeader is the header name for forwarded IP.
	// Env: LH_SERVER_FORWARDED_IP_HEADER
	ForwardedIPHeader string `yaml:"forwarded_ip_header" envconfig:"FORWARDED_IP_HEADER"`
}

ServerConf holds the server configuration.

Environment variables (accent prefix LH_SERVER_):

  • LH_SERVER_IP_LISTEN: IP address to listen on
  • LH_SERVER_PORT: HTTP server port
  • LH_SERVER_PREFORK: Enable multiple processes (prefork)
  • LH_SERVER_TRUSTED_PROXIES: Comma-separated list of trusted proxy IPs
  • LH_SERVER_FORWARDED_IP_HEADER: Header name for forwarded IP
  • LH_SERVER_TLS_ENABLED: Enable TLS
  • LH_SERVER_TLS_REDIRECT_HTTP: Redirect HTTP to HTTPS
  • LH_SERVER_TLS_CERT: Path to TLS certificate
  • LH_SERVER_TLS_KEY: Path to TLS private key

type SigningConf 

type SigningConf struct {
	// KMS specifies the key management system to use.
	// Env: LH_SIGNING_KMS
	KMS string `yaml:"kms" envconfig:"KMS"`
	// PKBackend specifies the public key storage backend.
	// Env: LH_SIGNING_PK_BACKEND
	PKBackend string `yaml:"pk_backend" envconfig:"PK_BACKEND"`
	// AutoGenerateKeys enables automatic key generation if keys are missing.
	// Env: LH_SIGNING_AUTO_GENERATE_KEYS
	AutoGenerateKeys bool `yaml:"auto_generate_keys" envconfig:"AUTO_GENERATE_KEYS"`
	// FileSystemBackend holds filesystem-based key storage configuration.
	// Env prefix: LH_SIGNING_FILESYSTEM_
	FileSystemBackend struct {
		// KeyFile is the path to a single key file.
		// Env: LH_SIGNING_FILESYSTEM_KEY_FILE
		KeyFile string `yaml:"key_file" envconfig:"KEY_FILE"`
		// KeyDir is the directory for key files.
		// Env: LH_SIGNING_FILESYSTEM_KEY_DIR
		KeyDir string `yaml:"key_dir" envconfig:"KEY_DIR"`
	} `yaml:"filesystem" envconfig:"FILESYSTEM"`
	// PKCS11Backend holds PKCS#11 (HSM) configuration.
	// Env prefix: LH_SIGNING_PKCS11_
	PKCS11Backend struct {
		// StorageDir is the storage directory for PKCS#11.
		// Env: LH_SIGNING_PKCS11_STORAGE_DIR
		StorageDir string `yaml:"storage_dir" envconfig:"STORAGE_DIR"`

		// ModulePath is the path to the PKCS#11 module (crypto11.Config.Path)
		// Env: LH_SIGNING_PKCS11_MODULE_PATH
		ModulePath string `yaml:"module_path" envconfig:"MODULE_PATH"`
		// TokenLabel selects the token by label (crypto11.Config.TokenLabel)
		// Env: LH_SIGNING_PKCS11_TOKEN_LABEL
		TokenLabel string `yaml:"token_label" envconfig:"TOKEN_LABEL"`
		// TokenSerial selects the token by serial (crypto11.Config.TokenSerial)
		// Env: LH_SIGNING_PKCS11_TOKEN_SERIAL
		TokenSerial string `yaml:"token_serial" envconfig:"TOKEN_SERIAL"`
		// SlotNumber selects the token by slot number (crypto11.Config.SlotNumber)
		// Env: LH_SIGNING_PKCS11_TOKEN_SLOT
		SlotNumber *int `yaml:"token_slot" envconfig:"TOKEN_SLOT"`
		// Pin is the user PIN for the token (crypto11.Config.Pin)
		// Env: LH_SIGNING_PKCS11_PIN
		Pin string `yaml:"pin" envconfig:"PIN"`

		// MaxSessions is the maximum number of concurrent sessions to open.
		// If zero, DefaultMaxSessions is used. Otherwise, must be at least 2.
		// Env: LH_SIGNING_PKCS11_MAX_SESSIONS
		MaxSessions int `yaml:"max_sessions" envconfig:"MAX_SESSIONS"`

		// UserType identifies the user type logging in. If zero, DefaultUserType is used.
		// Env: LH_SIGNING_PKCS11_USER_TYPE
		UserType int `yaml:"user_type" envconfig:"USER_TYPE"`

		// LoginNotSupported should be set to true for tokens that do not support logging in.
		// Env: LH_SIGNING_PKCS11_NO_LOGIN
		LoginNotSupported bool `yaml:"no_login" envconfig:"NO_LOGIN"`

		// LabelPrefix is an optional prefix for object labels inside HSM.
		// Env: LH_SIGNING_PKCS11_LABEL_PREFIX
		LabelPrefix string `yaml:"label_prefix" envconfig:"LABEL_PREFIX"`

		// ExtraLabels are HSM object labels to load into this KMS even if
		// they are not present yet in the PublicKeyStorage.
		// Env: LH_SIGNING_PKCS11_LOAD_LABELS (comma-separated)
		ExtraLabels []string `yaml:"load_labels" envconfig:"LOAD_LABELS"`
	} `yaml:"pkcs11" envconfig:"PKCS11"`
}

SigningConf holds signing configuration.

Environment variables (with prefix LH_SIGNING_):

  • LH_SIGNING_KMS: Key management system ("filesystem" or "pkcs11")
  • LH_SIGNING_PK_BACKEND: Public key storage backend ("filesystem" or "db")
  • LH_SIGNING_AUTO_GENERATE_KEYS: Auto-generate keys if missing (bool)
  • LH_SIGNING_FILESYSTEM_KEY_FILE: Path to single key file
  • LH_SIGNING_FILESYSTEM_KEY_DIR: Directory for key files
  • LH_SIGNING_PKCS11_STORAGE_DIR: PKCS#11 storage directory
  • LH_SIGNING_PKCS11_MODULE_PATH: Path to PKCS#11 module
  • LH_SIGNING_PKCS11_TOKEN_LABEL: HSM token label
  • LH_SIGNING_PKCS11_TOKEN_SERIAL: HSM token serial
  • LH_SIGNING_PKCS11_TOKEN_SLOT: HSM slot number
  • LH_SIGNING_PKCS11_PIN: HSM user PIN
  • LH_SIGNING_PKCS11_MAX_SESSIONS: Maximum concurrent sessions
  • LH_SIGNING_PKCS11_USER_TYPE: User type for login
  • LH_SIGNING_PKCS11_NO_LOGIN: Token doesn't support login (bool)
  • LH_SIGNING_PKCS11_LABEL_PREFIX: Prefix for object labels
  • LH_SIGNING_PKCS11_LOAD_LABELS: Extra labels to load (comma-separated)

type StatsOptions 

type StatsOptions struct {
	// Enabled controls whether statistics collection is active.
	Enabled bool

	// BufferSize is the maximum number of entries in the ring buffer.
	BufferSize int

	// FlushInterval is how often the buffer is flushed to the database.
	FlushInterval time.Duration

	// FlushThreshold triggers a flush when the buffer is this percentage full.
	FlushThreshold float64

	// CaptureClientIP enables recording client IP addresses.
	CaptureClientIP bool

	// CaptureUserAgent enables recording User-Agent headers.
	CaptureUserAgent bool

	// CaptureQueryParams enables recording URL query parameters.
	CaptureQueryParams bool

	// GeoIPEnabled enables country lookup from IP addresses.
	GeoIPEnabled bool

	// GeoIPDBPath is the path to a MaxMind GeoLite2-Country.mmdb file.
	GeoIPDBPath string

	// DetailedRetention is how long to keep individual request logs.
	DetailedRetention time.Duration

	// AggregatedRetention is how long to keep daily aggregated statistics.
	AggregatedRetention time.Duration

	// Endpoints is a list of endpoint paths to track. Empty means all federation endpoints.
	Endpoints []string
}

StatsOptions controls initialization of statistics collection.

type SubordinateListingRequest 

type SubordinateListingRequest struct {
	EntityType    []string `json:"entity_type" query:"entity_type"`
	Intermediate  bool     `json:"intermediate" query:"intermediate"`
	TrustMarked   bool     `json:"trust_marked" query:"trust_marked"`
	TrustMarkType string   `json:"trust_mark_type" query:"trust_mark_type"`
}

type TrustMarkEndpointConfig 

type TrustMarkEndpointConfig struct {
	// Store for subject status (backward compatibility)
	Store model.TrustMarkedEntitiesStorageBackend
	// SpecStore for loading TrustMarkSpec from DB (new)
	SpecStore model.TrustMarkSpecStore
	// InstanceStore for tracking issued trust mark instances
	InstanceStore model.IssuedTrustMarkInstanceStore
	// Checkers map for backward compatibility (config-based checkers).
	//
	// Deprecated: This field is no longer used. Checkers should be configured
	// per TrustMarkSpec via EligibilityConfig in the database using the Admin API.
	// This field will be removed in a future version.
	Checkers map[string]EntityChecker
	// Cache for eligibility results
	Cache *EligibilityCache
	// IssuedTrustMarkCache caches issued trust mark JWTs to avoid repeated signing.
	// The TTL is configured per trust mark type via the TrustMarkSpec.CacheTTL field.
	IssuedTrustMarkCache *IssuedTrustMarkCache
}

TrustMarkEndpointConfig holds configuration for the trust mark endpoint

type TrustMarkEntityChecker 

type TrustMarkEntityChecker struct {
	TrustMarkType       string                    `yaml:"trust_mark_type"`
	TrustAnchors        oidfed.TrustAnchors       `yaml:"trust_anchors"`
	TrustMarkIssuerJWKS jwx.JWKS                  `yaml:"trust_mark_issuer_jwks"`
	TrustMarkOwnerSpec  oidfed.TrustMarkOwnerSpec `yaml:"trust_mark_owner"`
}

TrustMarkEntityChecker checks that the entity has a valid trust mark. The trust mark can be checked with a specific issuer or through the federation

func (TrustMarkEntityChecker) Check 

func (c TrustMarkEntityChecker) Check(
	entityConfiguration *oidfed.EntityStatement,
	entityTypes []string,
) (bool, int, *oidfed.Error)

Check implements the EntityChecker interface

func (*TrustMarkEntityChecker) UnmarshalYAML 

func (c *TrustMarkEntityChecker) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler and EntityChecker interface

type TrustMarkStatusConfig 

type TrustMarkStatusConfig struct {
	// InstanceStore for checking issued trust mark instances
	InstanceStore model.IssuedTrustMarkInstanceStore
}

TrustMarkStatusConfig holds configuration for the trust mark status endpoint

type TrustMarkStatusResponse 

type TrustMarkStatusResponse struct {
	Issuer    string `json:"iss"`
	IssuedAt  int64  `json:"iat"`
	TrustMark string `json:"trust_mark"`
	Status    string `json:"status"`
}

TrustMarkStatusResponse represents the JWT payload for trust mark status response

type TrustPathEntityChecker 

type TrustPathEntityChecker struct {
	TrustAnchors oidfed.TrustAnchors `yaml:"trust_anchors"`
	// contains filtered or unexported fields
}

TrustPathEntityChecker checks that the entity has a valid trust path to a trust anchor

func (TrustPathEntityChecker) Check 

func (c TrustPathEntityChecker) Check(
	entityConfiguration *oidfed.EntityStatement,
	entityTypes []string,
) (bool, int, *oidfed.Error)

Check implements the EntityChecker interface

func (*TrustPathEntityChecker) UnmarshalYAML 

func (c *TrustPathEntityChecker) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler and EntityChecker interface

Source Files

View all Source files

Directories

Path Synopsis
api
adminapi
Package adminapi provides the admin API for managing subordinates in the lighthouse federation.
 Package adminapi provides the admin API for managing subordinates in the lighthouse federation.
cmd
lhcli command
lhmigrate command
lighthouse command
lighthouse/config
logger
stats
utils
version
model

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.