auth

package
v1.2.0 Latest

This package is not in the latest version of its module.
Published: Apr 6, 2026 License: Apache-2.0 Imports: 2 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type MockUserTransport

type MockUserTransport struct {
	// contains filtered or unexported fields
}

MockUserTransport implements http.RoundTripper for integration tests. Directly injects X-Auth-Request-User header without token validation.

Thread Safety: Safe for concurrent use (clones request to avoid mutation).

func NewMockUserTransport

func NewMockUserTransport(userID string) *MockUserTransport

NewMockUserTransport creates a test-only transport that injects X-Auth-Request-User header.

  • Used by: Integration tests (no oauth-proxy, no token validation)
  • Injects: X-Auth-Request-User: <mockUserID>
  • Simulates: What oauth-proxy would inject after JWT validation + SAR

Example:

transport := auth.NewMockUserTransport("test-operator@example.com")
httpClient := &http.Client{Transport: transport}
dsClient := datastorage.NewClientWithResponses(url, datastorage.WithHTTPClient(httpClient))

// All DataStorage API calls will have X-Auth-Request-User: test-operator@example.com
resp, err := dsClient.PlaceLegalHoldWithResponse(ctx, req)

DD-AUTH-005: This is the ONLY way integration tests should authenticate with DataStorage.

func NewMockUserTransportWithBase

func NewMockUserTransportWithBase(userID string, base http.RoundTripper) *MockUserTransport

NewMockUserTransportWithBase creates a mock user transport with custom base transport. Useful for testing or custom transport configuration.

func (*MockUserTransport) RoundTrip

func (t *MockUserTransport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip implements http.RoundTripper. Injects X-Auth-Request-User header to simulate oauth-proxy behavior.

Thread Safety: Safe for concurrent use (clones request to avoid mutation).

type ServiceAccountTransport

type ServiceAccountTransport struct {
	// contains filtered or unexported fields
}

ServiceAccountTransport is an http.RoundTripper that injects Kubernetes ServiceAccount Bearer tokens into HTTP requests for E2E testing with real middleware-based authentication.

Authority: DD-AUTH-014 (Middleware-Based SAR Authentication)

Usage:

token, err := infrastructure.GetServiceAccountToken(ctx, namespace, "datastorage-e2e-sa", kubeconfigPath)
transport := auth.NewServiceAccountTransport(token)
client := &http.Client{Transport: transport}

This injects Bearer tokens that are validated by DataStorage middleware using:

  1. Kubernetes TokenReview API (authentication)
  2. Kubernetes SubjectAccessReview API (authorization with SAR)

func NewServiceAccountTransport

func NewServiceAccountTransport(token string) *ServiceAccountTransport

NewServiceAccountTransport creates a new ServiceAccountTransport with the given token.

Parameters:

  • token: Kubernetes ServiceAccount Bearer token (from Secret)

Returns:

  • *ServiceAccountTransport: HTTP transport that injects Bearer token

func (*ServiceAccountTransport) RoundTrip

func (t *ServiceAccountTransport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip implements http.RoundTripper interface. It clones the request and adds Authorization header with Bearer token.

Authority: DD-AUTH-014 (Middleware-based authentication for E2E)

type StaticTokenTransport

type StaticTokenTransport struct {
	// contains filtered or unexported fields
}

StaticTokenTransport implements http.RoundTripper for E2E tests. Injects static token (acquired externally) without token refresh.

Thread Safety: Safe for concurrent use (clones request to avoid mutation).

func NewStaticTokenTransport

func NewStaticTokenTransport(token string) *StaticTokenTransport

NewStaticTokenTransport creates a test-only transport that injects static tokens.

  • Used by: E2E tests that run externally (outside Kubernetes, no mounted tokens)
  • Injects: Authorization: Bearer <token>
  • Token source: TokenRequest API or kubectl whoami -t

Example (ServiceAccount token via TokenRequest API):

token := getServiceAccountToken("datastorage-e2e-sa", "default", 3600)
transport := auth.NewStaticTokenTransport(token)
httpClient := &http.Client{Transport: transport}
dsClient := datastorage.NewClientWithResponses(nodePortURL, datastorage.WithHTTPClient(httpClient))

// All DataStorage API calls will have Authorization: Bearer <token>
resp, err := dsClient.CreateAuditEvent(ctx, req)

Example (Kubeadmin token via kubectl):

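output, err := exec.Command("kubectl", "whoami", "-t").Output()
if err != nil {
	// Stop here: continuing would send an empty Bearer token.
	return fmt.Errorf("kubectl whoami -t: %w", err)
}
token := strings.TrimSpace(string(output))
transport := auth.NewStaticTokenTransport(token)
// ... same as above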

DD-AUTH-005: This is the ONLY way E2E tests (running externally) should authenticate.

func NewStaticTokenTransportWithBase

func NewStaticTokenTransportWithBase(token string, base http.RoundTripper) *StaticTokenTransport

NewStaticTokenTransportWithBase creates a static token transport with custom base transport. Useful for custom transport configuration (e.g., timeouts, TLS).

func (*StaticTokenTransport) RoundTrip

func (t *StaticTokenTransport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip implements http.RoundTripper. Injects Authorization: Bearer <token> header for E2E tests.

Thread Safety: Safe for concurrent use (clones request to avoid mutation).
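The clone-then-inject behaviour that the MockUserTransport and StaticTokenTransport RoundTrip methods document, as an added example that is not this package's source: headerTransport and roundTripOnce are hypothetical names, and the header values are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// headerTransport (hypothetical) sets one header on a clone of each request.
type headerTransport struct {
	base        http.RoundTripper
	name, value string
}

func (t *headerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// A RoundTripper must not modify the caller's request, so work on a clone.
	clone := req.Clone(req.Context())
	// Set (not Add) replaces any value the caller supplied for this header.
	clone.Header.Set(t.name, t.value)
	return t.base.RoundTrip(clone)
}

// roundTripOnce sends one request to a local test server and returns the
// header value the server received and the value left on the caller's request.
func roundTripOnce(name, value, callerValue string) (string, string, error) {
	seen := make(chan string, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get(name)
	}))
	defer srv.Close()
	req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
	if err != nil {
		return "", "", err
	}
	if callerValue != "" {
		req.Header.Set(name, callerValue)
	}
	tr := &headerTransport{base: http.DefaultTransport, name: name, value: value}
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return "", "", err
	}
	resp.Body.Close()
	return <-seen, req.Header.Get(name), nil
}

func main() {
	fmt.Println(roundTripOnce("X-Auth-Request-User", "test-operator@example.com", ""))
}
```

Because the header is set on the clone, one request value can be reused across goroutines and the injected identity always overrides whatever the caller put in that header.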
