security

package
v0.17.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 6, 2026 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var UserContextKey = "user"

Functions

func CheckGlobalRequest 

func CheckGlobalRequest(c *fiber.Ctx, bCtx *BusinessContext) (allow bool)

CheckGlobalRequest performs access checks for global requests Global requests are requests are all requests that do not have a direct resource reference e.g. requests for to list resource `GET /api/v1/foos`

func CheckNamespacedRequest 

func CheckNamespacedRequest(c *fiber.Ctx, params map[string]string, templates map[ClientType]ComparisonTemplates, bCtx *BusinessContext) (allow bool, err error)

CheckNamespacedRequest performs access checks for namespaced requests Namespaced requests are requests that have a direct resource reference e.g. requests for a specific resource `GET /api/v1/foos/<namespace>/<name>` It does to by matching the prefix of the namespace with the client's context and checking if the client has the required access rights

func ConfigureSecurity 

func ConfigureSecurity(router fiber.Router, opts SecurityOpts) fiber.Handler

ConfigureSecurity configures the security middlewares This is a convenience function that configures the JWT middleware and the business context middleware It also returns the check access middleware that should be configured on the route level

func DecodeValue 

func DecodeValue(decoders map[string]ValueDecoder, claims map[string]any, key string) (string, problems.Problem)

DecodeValue decodes a value from the claims map using a custom decoder if available If not, it will try to get the value directly from the claims map

func IsMock 

func IsMock(opts []Option[*JWTOpts]) bool

IsMock checks if the security middleware is mocked If the trusted issuers are not set, the middleware is considered mocked

func IsObfuscated 

func IsObfuscated(ctx context.Context) bool

func IsReadyOnlyRequest 

func IsReadyOnlyRequest(c *fiber.Ctx) bool

func NewBusinessCtxMiddleware 

func NewBusinessCtxMiddleware(mwOpts BusinessContextOpts) fiber.Handler

NewBusinessCtxMiddleware is a convencience function. See NewBusinessCtxMiddlewareWithOpts

func NewBusinessCtxMiddlewareWithOpts 

func NewBusinessCtxMiddlewareWithOpts(opts ...Option[*BusinessContextOpts]) fiber.Handler

NewBusinessCtxMiddlewareWithOpts creates a new middleware that extracts the business context from the JWT token The business context is used to determine the client type and access type The client type is used to determine which resources this client is allowed to see The access type is used to determine if the client has read or write access The actual check if the client is allowed to see a resource is done in `check_access.go`

Example of the JWT token structure: 

{
	"env": "dev",
	"clientId": "group--team--user",
	"scopes": "group:team:read group:team:write",

	# These are used by the JWT middleware
	"operation": "GET",
	"requestPath": "/api/v1/resource",
}

func NewCheckAccessMiddlewareWithOpts 

func NewCheckAccessMiddlewareWithOpts(opts ...Option[*CheckAccessOpts]) fiber.Handler

NewCheckAccessMiddlewareWithOpts creates a new middleware that checks if the client has access to the requested resource

It is expected that `business_context` middleware is executed before this middleware

The middleware checks the client's context and access rights to determine if the client has access to the requested resource.

As this middleware depends on path-params it has to be configured on the route level ```go app.Get("/api/v1/foos/:namespace/:name", NewCheckAccessMiddlewareWithOpts(), handler) ```

func NewJWT 

func NewJWT(opts JWTOpts) fiber.Handler

NewJWT creates a new JWT middleware This middleware will validate the JWT token and perform the Last-Mile-Security(LMS)-Check The LMS-Check is performed by checking the operation and requestPath claims

func NewJWTWithOpts 

func NewJWTWithOpts(opts ...Option[*JWTOpts]) fiber.Handler

func ToContext 

func ToContext(ctx context.Context, bCtx *BusinessContext) context.Context

Types

type AccessType 

type AccessType string

AccessType represents the access type of the client Therefore, it is used to determine if the client has read or write access 

const (
	AccessTypeReadOnly   AccessType = "read"
	AccessTypeObfuscated AccessType = "obfuscated"
	AccessTypeReadWrite  AccessType = "all"
)

func DetermineAccess 

func DetermineAccess(scopes []string, prefix string) (AccessType, error)

DetermineAccess determines the access type based on the scopes It is expeceted that all relevant scopes follow the pattern `<prefix>:<clientType>:<accessType>` Therefore, it is used to determine if the client has read or write access

func (AccessType) IsObfuscated 

func (a AccessType) IsObfuscated() bool

func (AccessType) IsRead 

func (a AccessType) IsRead() bool

func (AccessType) IsWrite 

func (a AccessType) IsWrite() bool

type BusinessContext 

type BusinessContext struct {
	Environment string
	Group       string
	Team        string
	ClientType  ClientType
	AccessType  AccessType
}

func FromContext 

func FromContext(ctx context.Context) (*BusinessContext, bool)

type BusinessContextOpts 

type BusinessContextOpts struct {
	Log            logr.Logger
	ScopePrefix    string
	DefaultScope   string
	ValuesDecoders map[string]ValueDecoder
}

type CheckAccessOpts 

type CheckAccessOpts struct {
	PathParamKeys        []string
	ExpectedResourcePath ResourcePathFunc
	// Prefix is used to calculate the prefix that is used in the context
	// It is expected that this prefix is then used to determine the access to the store
	// The store uses a key-format `<namespace>/<name>` to store resources.
	// At most the prefix should match the namespace part of the key
	Prefix    ResourcePathFunc
	Templates map[ClientType]ComparisonTemplates
}

type ClientType 

type ClientType string

ClientType represents the type of the client Therefore, it is used to determine which resources this client is allowed to see 

const (
	ClientTypeTeam  ClientType = "team"
	ClientTypeGroup ClientType = "group"
	ClientTypeAdmin ClientType = "admin"
)

func DetermineClientType 

func DetermineClientType(scopes []string, prefix string) (ClientType, error)

DetermineClientType determines the client type based on the scopes It is expeceted that all relevant scopes follow the pattern `<prefix>:<clientType>:<accessType>` Therefore, it is used to determine which resources this client is allowed to see e.g. owned by the team, group or all

type CompareCtxInfo 

type CompareCtxInfo struct {
	B *BusinessContext
	P map[string]string
}

func NewCompareCtxInfo 

func NewCompareCtxInfo(bCtx *BusinessContext, pathParams map[string]string) CompareCtxInfo

type ComparisonTemplates 

type ComparisonTemplates struct {
	ExpectedTemplate  string
	UserInputTemplate string
	MatchType         MatchType
}

func (ComparisonTemplates) String 

func (c ComparisonTemplates) String() string

type JWTOpts 

type JWTOpts struct {
	TrustedIssuers  []string
	PerformLMSCheck bool
	LmsBasePath     string
}

type MatchType 

type MatchType string
const (
	MatchTypeEqual  MatchType = "equal"
	MatchTypePrefix MatchType = "prefix"
)

type Matcher 

type Matcher struct {
	ExpectedTemplate  string
	UserInputTemplate string
	// contains filtered or unexported fields
}

func NewMatcher 

func NewMatcher(expectedTemplate, userInputTemplate string) *Matcher

func (*Matcher) FullMatch 

func (m *Matcher) FullMatch(compareCtxInfo CompareCtxInfo) (bool, error)

func (*Matcher) StartsWith 

func (m *Matcher) StartsWith(compareCtxInfo CompareCtxInfo) (bool, error)

func (*Matcher) ToExpectedString 

func (m *Matcher) ToExpectedString(bCtx *BusinessContext, params map[string]string) (string, error)

func (*Matcher) ToString 

func (m *Matcher) ToString(compareCtxInfo CompareCtxInfo) (string, string, error)

type MatcherFunc 

type MatcherFunc func(string, string) bool

type Option 

type Option[T any] func(T)

func WithDefaultScope 

func WithDefaultScope(scope string) Option[*BusinessContextOpts]

func WithExpectedResourcePathFunc 

func WithExpectedResourcePathFunc(f ResourcePathFunc) Option[*CheckAccessOpts]

func WithLmsCheck 

func WithLmsCheck(basePath string) Option[*JWTOpts]

func WithLog 

func WithLog(log logr.Logger) Option[*BusinessContextOpts]

func WithPathParamKey 

func WithPathParamKey(keys ...string) Option[*CheckAccessOpts]

func WithPrefixFunc 

func WithPrefixFunc(f ResourcePathFunc) Option[*CheckAccessOpts]

func WithScopePrefix 

func WithScopePrefix(prefix string) Option[*BusinessContextOpts]

func WithTemplates 

func WithTemplates(templates map[ClientType]ComparisonTemplates) Option[*CheckAccessOpts]

func WithTrustedIssuers 

func WithTrustedIssuers(issuers []string) Option[*JWTOpts]

func WithValueDecoder 

func WithValueDecoder(key string, decoder ValueDecoder) Option[*BusinessContextOpts]

func WithValueDecoders 

func WithValueDecoders(decoders map[string]ValueDecoder) Option[*BusinessContextOpts]

type ResourcePathFunc 

type ResourcePathFunc func(*BusinessContext, map[string]string, map[ClientType]ComparisonTemplates) (string, error)

ResourcePathFunc must return the expected resource for the provided BusinessContext

type SecurityOpts 

type SecurityOpts struct {
	Enabled bool
	Log     logr.Logger

	JWTOpts             []Option[*JWTOpts]
	BusinessContextOpts []Option[*BusinessContextOpts]
	CheckAccessOpts     []Option[*CheckAccessOpts]
}

type ValueDecoder 

type ValueDecoder func(map[string]any, string) (string, problems.Problem)

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.