platform

package

v0.36.7-hanzo.1 Latest Latest Go to latest Published: Mar 19, 2026 License: MIT Imports: 12 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/hanzoai/base

Links

Open Source Insights

Documentation ¶

Overview ¶

Package platform implements a multi-tenant platform plugin for Hanzo Base.

Each tenant (org) gets isolated collections with prefix-based namespacing. Authentication is handled via Hanzo IAM (hanzo.id) OAuth2 and secrets via Hanzo KMS (kms.hanzo.ai) Universal Auth.

Example:

platform.MustRegister(app, platform.PlatformConfig{
	IAMEndpoint:     "https://hanzo.id",
	KMSEndpoint:     "https://kms.hanzo.ai",
	IAMClientID:     "my-client-id",
	IAMClientSecret: "my-client-secret",
})

Index ¶

Constants
func CreateTenantCollections(app core.App, tenantSlug string, templates []CollectionTemplate) error
func CreateTenantProject(tenantSlug string, config PlatformConfig) (string, error)
func DeleteTenantCollections(app core.App, tenantSlug string) error
func ExchangeOAuth2Token(code, redirectURI string, config PlatformConfig) (accessToken, refreshToken string, err error)
func FetchSecret(path string, config PlatformConfig) (string, error)
func ListTenantCollections(app core.App, tenantSlug string) ([]string, error)
func MustRegister(app core.App, config PlatformConfig)
func Register(app core.App, config PlatformConfig) error
func ScopedQuery(tenantSlug, collection string) string
func TenantPrefix(slug string) string
type CollectionTemplate
type IAMClient
- func NewIAMClient(baseURL string) *IAMClient
- func (c *IAMClient) InvalidateToken(token string)
- func (c *IAMClient) ValidateToken(token string) (*IAMUser, error)
type IAMUser
- func ValidateIAMToken(token string, config PlatformConfig) (*IAMUser, error)
type KMSClient
- func NewKMSClient(baseURL, authToken string) *KMSClient
- func (c *KMSClient) DeleteSecret(tenantId, secretPath string) error
- func (c *KMSClient) GetSecret(tenantId, secretPath string) (string, error)
- func (c *KMSClient) InvalidateCache(tenantId string)
- func (c *KMSClient) SetSecret(tenantId, secretPath, value string) error
type PlatformConfig

Constants ¶

View Source

const (

	// Member roles.
	RoleOwner  = "owner"
	RoleAdmin  = "admin"
	RoleMember = "member"
	RoleViewer = "viewer"
)

Variables ¶

This section is empty.

Functions ¶

func CreateTenantCollections ¶

func CreateTenantCollections(app core.App, tenantSlug string, templates []CollectionTemplate) error

CreateTenantCollections creates prefixed collections for a tenant from the given templates. Each template's Name is prefixed with t_{slug}_.

Collections that already exist are skipped.

func CreateTenantProject ¶

func CreateTenantProject(tenantSlug string, config PlatformConfig) (string, error)

CreateTenantProject creates a KMS project (workspace environment) for a tenant identified by slug. Returns the project/environment ID.

func DeleteTenantCollections ¶

func DeleteTenantCollections(app core.App, tenantSlug string) error

DeleteTenantCollections removes all collections with the tenant's prefix.

func ExchangeOAuth2Token ¶

func ExchangeOAuth2Token(code, redirectURI string, config PlatformConfig) (accessToken, refreshToken string, err error)

ExchangeOAuth2Token exchanges an authorization code for tokens using the IAM OAuth2 token endpoint.

func FetchSecret ¶

func FetchSecret(path string, config PlatformConfig) (string, error)

FetchSecret fetches a secret value from Hanzo KMS at the given path. Uses Universal Auth machine identity (config.IAMClientID / IAMClientSecret).

func ListTenantCollections ¶

func ListTenantCollections(app core.App, tenantSlug string) ([]string, error)

ListTenantCollections returns all collection names belonging to a tenant.

func MustRegister ¶

func MustRegister(app core.App, config PlatformConfig)

MustRegister registers the platform plugin to the provided app instance and panics if it fails.

func Register ¶

func Register(app core.App, config PlatformConfig) error

Register registers the platform plugin to the provided app instance.

func ScopedQuery ¶

func ScopedQuery(tenantSlug, collection string) string

ScopedQuery returns the prefixed collection name for a tenant. Example: ScopedQuery("acme", "tasks") returns "t_acme_tasks".

func TenantPrefix ¶

func TenantPrefix(slug string) string

TenantPrefix returns the collection name prefix for a tenant slug. Format: t_{slug}_

Types ¶

type CollectionTemplate ¶

type CollectionTemplate struct {
	// Name is the base collection name (without tenant prefix).
	// The actual collection will be created as t_{slug}_{Name}.
	Name string

	// Type is the collection type: "base", "auth", or "view".
	// Defaults to "base" if empty.
	Type string

	// Fields defines the fields for the collection.
	Fields []core.Field
}

CollectionTemplate defines a collection schema that gets cloned per tenant.

type IAMClient ¶

type IAMClient struct {
	// contains filtered or unexported fields
}

IAMClient handles authentication against Hanzo IAM with token caching.

func NewIAMClient ¶

func NewIAMClient(baseURL string) *IAMClient

NewIAMClient creates a new IAM client pointed at the given base URL.

func (*IAMClient) InvalidateToken ¶

func (c *IAMClient) InvalidateToken(token string)

InvalidateToken removes a token from the cache.

func (*IAMClient) ValidateToken ¶

func (c *IAMClient) ValidateToken(token string) (*IAMUser, error)

ValidateToken validates a Bearer token against IAM userinfo. Results are cached for 5 minutes.

type IAMUser ¶

type IAMUser struct {
	ID     string   `json:"id"`
	Email  string   `json:"email"`
	Name   string   `json:"name"`
	OrgIDs []string `json:"orgIds"`
}

IAMUser represents an authenticated user from Hanzo IAM.

func ValidateIAMToken ¶

func ValidateIAMToken(token string, config PlatformConfig) (*IAMUser, error)

ValidateIAMToken validates a bearer token against the IAM userinfo endpoint at config.IAMEndpoint/api/userinfo.

This is a convenience function that creates a one-off HTTP request. For production use with caching, use the IAMClient returned by NewIAMClient.

type KMSClient ¶

type KMSClient struct {
	// contains filtered or unexported fields
}

KMSClient handles secret operations with caching.

func NewKMSClient ¶

func NewKMSClient(baseURL, authToken string) *KMSClient

NewKMSClient creates a new KMS client. If baseURL or authToken is empty, operations will return errors but the plugin still functions.

func (*KMSClient) DeleteSecret ¶

func (c *KMSClient) DeleteSecret(tenantId, secretPath string) error

DeleteSecret removes a secret.

func (*KMSClient) GetSecret ¶

func (c *KMSClient) GetSecret(tenantId, secretPath string) (string, error)

GetSecret fetches a secret with caching (1 min TTL).

func (*KMSClient) InvalidateCache ¶

func (c *KMSClient) InvalidateCache(tenantId string)

InvalidateCache clears all cached secrets for a tenant.

func (*KMSClient) SetSecret ¶

func (c *KMSClient) SetSecret(tenantId, secretPath, value string) error

SetSecret creates or updates a secret.

type PlatformConfig ¶

type PlatformConfig struct {
	// IAMEndpoint is the base URL for Hanzo IAM (default: "https://hanzo.id").
	IAMEndpoint string

	// KMSEndpoint is the base URL for Hanzo KMS (default: "https://kms.hanzo.ai").
	KMSEndpoint string

	// IAMClientID is the OAuth2 client ID for IAM authentication.
	IAMClientID string

	// IAMClientSecret is the OAuth2 client secret for IAM authentication.
	IAMClientSecret string

	// DefaultTemplates defines collection schemas cloned per tenant on creation.
	// If nil, no default tenant collections are created.
	DefaultTemplates []CollectionTemplate
}

PlatformConfig defines the configuration for the platform plugin.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL