Documentation
¶
Overview ¶
approval_authorizer.go — the Protocol-side resolve authorizer (Phase 111f, D-203).
Pre-111f the admin/console:fleet scope check lived INSIDE `internal/tools/approval` as a hard `internal/protocol/auth` import — the one standing violation of the D-193 direction rule (runtime packages import protocol TYPES only, never protocol auth / methods / transports). The check moves here, one-way: the server package (the Runtime's network surface) adapts the Protocol's verified scope claims onto the approval package's injected `ResolveAuthorizer` seam. The approval package no longer knows the Protocol's auth vocabulary exists.
Phase 105 (V1.2) — dev-only bootstrap endpoint.
BootstrapHandler is mounted at POST /v1/dev/bootstrap.json on harbor dev and harbor console only. It mints a fresh dev token and returns the full connection envelope so the Console Settings page can offer a one-click "Attach to local Runtime" button.
The endpoint is loopback-gated: only localhost peers receive a 200. Non-loopback peers get 403 regardless of headers. The gate reads r.RemoteAddr directly — no header-based spoofing vector exists.
The endpoint is never registered by harbor serve.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func SearchAdminScopeFromAuth ¶ added in v1.3.0
SearchAdminScopeFromAuth is the production `search.ScopeChecker` — it consults the Phase 61 auth-attached scope set on ctx via `protocolauth.HasScope`.
The function is exported so the Phase 72c wiring (and tests that want the real shape) can inject it directly without re-implementing the closed-scope-set predicate.
D-079 pins the closed two-scope set `{admin, console:fleet}` — BOTH are cross-tenant fan-in entitlements. The Wave 13 §17.5 checkpoint (D-132 / W8) corrected this predicate to honour `console:fleet` too: a Console fleet operator carrying only `console:fleet` is entitled to a cross-tenant search, exactly as it is entitled to a cross-tenant `events.subscribe`.
Types ¶
type BootstrapHandler ¶
type BootstrapHandler struct {
// contains filtered or unexported fields
}
BootstrapHandler serves POST /v1/dev/bootstrap.json.
func NewBootstrapHandler ¶
func NewBootstrapHandler( signer BootstrapSigner, id identity.Identity, scopes []string, baseURL string, logger *slog.Logger, ) *BootstrapHandler
NewBootstrapHandler returns a handler wired for the dev identity triple and scope set. baseURL is the absolute URL the bootstrapping Console should target (populated from the actual listener address).
func (*BootstrapHandler) ServeHTTP ¶
func (h *BootstrapHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type BootstrapResponse ¶
type BootstrapResponse struct {
BaseURL string `json:"base_url"`
Token string `json:"token"`
Identity bootstrapIdentity `json:"identity"`
Scopes []string `json:"scopes"`
ProtocolVersion string `json:"protocol_version"`
}
BootstrapResponse is the JSON envelope returned by the bootstrap endpoint. It carries every field the Console's attachConnection helper needs for a one-click attach.
type BootstrapSigner ¶
type BootstrapSigner interface {
SignDevToken(now time.Time, tenant, user, session string, scopes []string) (string, error)
}
BootstrapSigner is the minimal token-signing surface the bootstrap handler needs. The harbor dev cmd's devSigner satisfies it.
type ProtocolScopeAuthorizer ¶ added in v1.3.0
type ProtocolScopeAuthorizer struct {
// Next is the fallback authorizer consulted when ctx carries no
// qualifying Protocol scope. Nil = no fallback (strict).
Next approval.ResolveAuthorizer
}
ProtocolScopeAuthorizer is the wire-side approval.ResolveAuthorizer: a resolving ctx that carries the verified `admin` OR `console:fleet` Protocol scope claim (Phase 61 JWT validation → Phase 54 edge) is authorized — exactly the acceptance the pre-111f in-gate check enforced, so wire behaviour is unchanged. Everything else delegates to Next (production wires `approval.NewIdentityAuthorizer()`), which is how the in-process steering bridge resolves without the deleted protocol-scope self-elevation.
A nil Next is the strict wire-only posture: protocol scopes or nothing — fail closed with a wrapped approval.ErrResolveForbidden, byte-for-byte the pre-seam gate semantics.
Stateless; safe for concurrent use (D-025).
func NewProtocolScopeAuthorizer ¶ added in v1.3.0
func NewProtocolScopeAuthorizer(next approval.ResolveAuthorizer) ProtocolScopeAuthorizer
NewProtocolScopeAuthorizer constructs the wire-side authorizer with next as the non-Protocol fallback. Production gate assembly (`cmd/harbor`, `harbortest/devstack`) passes `approval.NewIdentityAuthorizer()` so both resolution paths work: Protocol-scoped callers keep today's admin/console:fleet acceptance; the runtime steering bridge resolves via the originating identity.
func (ProtocolScopeAuthorizer) AuthorizeResolve ¶ added in v1.3.0
func (a ProtocolScopeAuthorizer) AuthorizeResolve(ctx context.Context, pending approval.PendingInfo) error
AuthorizeResolve implements approval.ResolveAuthorizer.
Source Files