credentialsource

package v0.6.1
Published: Apr 22, 2026 License: MIT Imports: 23 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CredentialSource

type CredentialSource interface {
	Fetch(ctx context.Context) (string, error)
	Type() string
}

CredentialSource fetches a credential value from an external system.

func NewAWSSecretsManagerSource

func NewAWSSecretsManagerSource(secretID, region string) (CredentialSource, error)

NewAWSSecretsManagerSource creates a CredentialSource backed by AWS Secrets Manager.

func NewEnvSource

func NewEnvSource(varName string) CredentialSource

NewEnvSource creates a CredentialSource that reads from an environment variable.

func NewStaticSource

func NewStaticSource(value string) CredentialSource

NewStaticSource creates a CredentialSource that returns a fixed value.

type GitHubAppSource

type GitHubAppSource struct {
	// contains filtered or unexported fields
}

GitHubAppSource generates GitHub App installation access tokens. It implements both CredentialSource and RefreshingSource.

func NewGitHubAppSource

func NewGitHubAppSource(appID, installationID string, privateKeyPEM []byte) (*GitHubAppSource, error)

NewGitHubAppSource creates a credential source that generates GitHub App installation tokens. privateKeyPEM must be a PEM-encoded RSA private key.

func (*GitHubAppSource) Fetch

func (s *GitHubAppSource) Fetch(ctx context.Context) (string, error)

func (*GitHubAppSource) TTL

func (s *GitHubAppSource) TTL() time.Duration

func (*GitHubAppSource) Type

func (s *GitHubAppSource) Type() string
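NewGitHubAppSource takes an App ID and a PEM-encoded RSA private key and produces installation access tokens. The first step of that flow is signing a short-lived RS256 JWT as the App; the code below is an added example of that step, written for this page and not taken from the package, using only the standard library. It parses the PKCS#1 PEM, mints the JWT (iss set to the App ID, iat backdated 60 seconds for clock skew, lifetime capped at the 10 minutes GitHub accepts) and verifies it against the public key. The App ID "12345" and the generated key are constructed test values; the later HTTP call that trades the JWT for an installation token, and the TTL the package reports for that token, are not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
	"time"
)

// parseRSAPrivateKey accepts the PKCS#1 PEM GitHub issues for an App (PKCS#8 would need x509.ParsePKCS8PrivateKey).
func parseRSAPrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("expected a PEM \"RSA PRIVATE KEY\" block")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// MintAppJWT builds the RS256 JWT a GitHub App presents to request an installation
// token: iss is the App ID, iat is backdated 60s to absorb clock skew, and the
// lifetime is capped at the 10 minute maximum GitHub accepts.
func MintAppJWT(appID string, pemBytes []byte, now time.Time, lifetime time.Duration) (string, error) {
	if lifetime <= 0 || lifetime > 10*time.Minute {
		return "", errors.New("GitHub App JWT lifetime must be between 0 and 10 minutes")
	}
	key, err := parseRSAPrivateKey(pemBytes)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString
	claims, _ := json.Marshal(map[string]any{
		"iss": appID,
		"iat": now.Add(-60 * time.Second).Unix(),
		"exp": now.Add(lifetime).Unix(),
	})
	signingInput := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// VerifyAppJWT checks the signature with the App's public key and returns the claims.
// The algorithm is pinned to RS256 rather than read from the header (no alg confusion).
func VerifyAppJWT(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// GenerateTestKeyPEM makes a throwaway PKCS#1 key so the example runs offline
// (constructed data; a real App key is downloaded from the App's settings page).
func GenerateTestKeyPEM() ([]byte, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), &key.PublicKey, nil
}

func main() {
	pemBytes, pub, err := GenerateTestKeyPEM()
	if err != nil {
		panic(err)
	}
	tok, err := MintAppJWT("12345", pemBytes, time.Now(), 9*time.Minute) // "12345" is a placeholder App ID
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyAppJWT(tok, pub))
}
```

VerifyAppJWT never consults the header's alg field; the verifier side decides the algorithm, which is the one check that rules out algorithm-confusion bugs in JWT handling. Minting with a lifetime above ten minutes is rejected locally rather than left for GitHub to refuse.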

type RefreshingSource

type RefreshingSource interface {
	CredentialSource
	TTL() time.Duration
}

RefreshingSource is a CredentialSource whose values expire and must be re-fetched periodically. TTL returns the duration until the most recently fetched credential expires. Callers use this to schedule background refresh.
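To make the TTL contract concrete, here is an added example (not part of the package) of a RefreshingSource implementation together with a small refresher that uses TTL to re-fetch ahead of expiry. The two interfaces are copied from this page; countingSource, Refresher, the one-minute margin, the fake clock and the timeline in Scenario are all constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Copies of the two interfaces documented for this package.
type CredentialSource interface {
	Fetch(ctx context.Context) (string, error)
	Type() string
}
type RefreshingSource interface {
	CredentialSource
	TTL() time.Duration
}

// countingSource is a constructed RefreshingSource: each Fetch mints a new token valid
// for lifetime; fail simulates a backend outage. Refresher serializes calls, so no lock.
type countingSource struct {
	now      func() time.Time
	lifetime time.Duration
	n        int
	expires  time.Time
	fail     bool
}

func (s *countingSource) Fetch(ctx context.Context) (string, error) {
	if s.fail {
		return "", fmt.Errorf("credential backend unavailable")
	}
	s.n++
	s.expires = s.now().Add(s.lifetime)
	return fmt.Sprintf("token-%d", s.n), nil
}

func (s *countingSource) Type() string { return "counting" }
// TTL is the time left on the most recently fetched token, as the package documents
// (negative once that token has expired).
func (s *countingSource) TTL() time.Duration { return s.expires.Sub(s.now()) }

// Refresher hands out a cached credential and re-fetches it margin before expiry, so a
// caller never gets a token that lapses mid-request; if the re-fetch fails while the
// cached token is still valid, the cached token is served instead of the error.
type Refresher struct {
	src    RefreshingSource
	margin time.Duration
	now    func() time.Time
	mu     sync.Mutex
	value  string
	expiry time.Time
}

func (r *Refresher) Get(ctx context.Context) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	now := r.now()
	if r.value != "" && now.Add(r.margin).Before(r.expiry) {
		return r.value, nil
	}
	v, err := r.src.Fetch(ctx)
	if err != nil {
		if r.value != "" && now.Before(r.expiry) {
			return r.value, nil // still valid: a stale-but-good token beats an outage
		}
		return "", fmt.Errorf("refresh %s credential: %w", r.src.Type(), err)
	}
	r.value, r.expiry = v, now.Add(r.src.TTL())
	return v, nil
}

// Scenario drives Refresher on a fake clock (constructed timeline) and returns the
// token seen at each step, making refresh-ahead and stale-on-error observable.
func Scenario() ([]string, error) {
	clock := time.Unix(1_700_000_000, 0)
	now := func() time.Time { return clock }
	src := &countingSource{now: now, lifetime: 10 * time.Minute}
	r := &Refresher{src: src, margin: time.Minute, now: now}
	var seen []string
	for _, step := range []struct{ advance time.Duration; fail bool }{
		{0, false},                // cold start: fetch token-1, valid for 10m
		{5 * time.Minute, false},  // 5m left, outside the 1m margin: cached token-1
		{4 * time.Minute, true},   // 1m left, refresh due, backend down: still-valid token-1
		{30 * time.Second, false}, // 30s left, refresh due, backend up: token-2
	} {
		clock, src.fail = clock.Add(step.advance), step.fail
		v, err := r.Get(context.Background())
		if err != nil {
			return seen, err
		}
		seen = append(seen, v)
	}
	return seen, nil
}

func main() { fmt.Println(Scenario()) }
```

A background goroutine can drive the same logic: sleep for TTL() minus the margin, call Get, repeat, with a floor on the sleep so a source that keeps failing does not spin. The stale-but-valid fallback in Get is deliberate: an outage at the credential backend should not take down callers whose current token still has time left.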

type SecretsManagerClient

type SecretsManagerClient interface {
	GetSecretValue(ctx context.Context, secretID string) (string, error)
}

SecretsManagerClient abstracts the AWS Secrets Manager API for testing.

type TokenExchangeConfig added in v0.5.0

type TokenExchangeConfig struct {
	Endpoint         string // STS token endpoint URL
	ClientID         string // OAuth client ID for client credentials auth
	ClientSecret     string // OAuth client secret
	Resource         string // Target resource URI (e.g., "https://api.github.com")
	SubjectTokenType string // Subject token type URI (defaults to access_token type)
	ActorTokenType   string // Actor token type URI (defaults to access_token type)
}

TokenExchangeConfig configures an RFC 8693 token exchange source.

type TokenExchangeResponse added in v0.5.0

type TokenExchangeResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
}

TokenExchangeResponse is the STS response per RFC 8693 §2.2.1.

type TokenExchangeSource added in v0.5.0

type TokenExchangeSource struct {
	// contains filtered or unexported fields
}

TokenExchangeSource exchanges a subject token for an access token via RFC 8693. It caches tokens per subject with TTL from the STS response.

func NewTokenExchangeSource added in v0.5.0

func NewTokenExchangeSource(cfg TokenExchangeConfig) *TokenExchangeSource

NewTokenExchangeSource creates a new RFC 8693 token exchange source.

func (*TokenExchangeSource) Exchange added in v0.5.0

func (s *TokenExchangeSource) Exchange(ctx context.Context, subjectToken, actorToken string) (*TokenExchangeResponse, error)

Exchange performs an RFC 8693 token exchange for the given subject token. When actorToken is non-empty, it is included as the actor_token parameter.
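The shape of the request Exchange sends is fixed by RFC 8693 §2.1. The code below is an added example written for this page, not the package's implementation: it builds that form from a TokenExchangeConfig with the fields documented above, applies the documented defaults for the two type URIs, adds actor_token and actor_token_type only when an actor token is supplied, and runs the request against a constructed in-process STS that checks the client credentials and echoes subject and actor back inside the token it issues. The client ID, client secret and resource are placeholder values, and the response type keeps only the access_token and expires_in fields.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const (
	grantType       = "urn:ietf:params:oauth:grant-type:token-exchange"
	accessTokenType = "urn:ietf:params:oauth:token-type:access_token"
)

// TokenExchangeConfig copies the documented fields; TokenExchangeResponse keeps the
// two this example reads (issued_token_type and token_type are omitted).
type TokenExchangeConfig struct {
	Endpoint, ClientID, ClientSecret, Resource string
	SubjectTokenType, ActorTokenType           string
}

type TokenExchangeResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
}

// Exchange is a constructed version of the documented method: it posts the RFC 8693
// §2.1 form, defaults both type URIs to the access_token type, adds the actor pair only
// when actorToken is set, and sends client credentials as HTTP Basic auth (RFC 6749 §2.3.1).
func Exchange(ctx context.Context, cfg TokenExchangeConfig, subjectToken, actorToken string) (*TokenExchangeResponse, error) {
	subjType, actType := cfg.SubjectTokenType, cfg.ActorTokenType
	if subjType == "" {
		subjType = accessTokenType
	}
	if actType == "" {
		actType = accessTokenType
	}
	form := url.Values{"grant_type": {grantType}, "resource": {cfg.Resource},
		"subject_token": {subjectToken}, "subject_token_type": {subjType}}
	if actorToken != "" {
		form.Set("actor_token", actorToken)
		form.Set("actor_token_type", actType)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, cfg.Endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(cfg.ClientID, cfg.ClientSecret)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("sts returned HTTP %d", resp.StatusCode)
	}
	var out TokenExchangeResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, fmt.Errorf("decode sts response: %w", err)
	}
	return &out, nil
}

// newFakeSTS is a constructed stand-in for a real STS: it rejects bad client
// credentials or grant types and echoes subject and actor into the issued token,
// so the token a caller gets back shows exactly which parameters were sent.
func newFakeSTS() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != "client-id" || p != "client-secret" || r.FormValue("grant_type") != grantType {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(TokenExchangeResponse{ExpiresIn: 3600,
			AccessToken: "tok:" + r.FormValue("subject_token") + ":" + r.FormValue("actor_token")})
	}))
}

// Demo performs one direct and one delegated (actor token present) exchange and
// returns both issued tokens; client credentials and resource are placeholders.
func Demo() (direct, delegated string, err error) {
	sts := newFakeSTS()
	defer sts.Close()
	cfg := TokenExchangeConfig{Endpoint: sts.URL, ClientID: "client-id", ClientSecret: "client-secret", Resource: "https://api.github.com"}
	r1, err := Exchange(context.Background(), cfg, "subject-A", "")
	if err != nil {
		return
	}
	r2, err := Exchange(context.Background(), cfg, "subject-A", "actor-B")
	if err != nil {
		return
	}
	return r1.AccessToken, r2.AccessToken, nil
}

func main() { fmt.Println(Demo()) }
```

The client secret travels only in the Authorization header, never in the form or the URL, so it does not end up in access logs that record request bodies or query strings; the non-200 check keeps an STS error document from being mistaken for a token response.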

func (*TokenExchangeSource) Resolve added in v0.5.0

func (s *TokenExchangeSource) Resolve(ctx context.Context, subjectToken, actorToken string) (string, error)

Resolve returns a credential for the given subject, using the cache when possible. Concurrent requests for the same subject are coalesced into a single STS call via singleflight. When actorToken is non-empty, it is forwarded to the STS as the RFC 8693 actor_token parameter and included in the cache key.
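Resolve's caching rules (the actor token is part of the key, the TTL comes from the STS, concurrent misses are coalesced) can be shown without a network. The example below is added here and is not the package's code: the STS call is injected as a function, the coalescing uses a hand-rolled in-flight table in place of golang.org/x/sync/singleflight, and the 30-second skew, the 20 ms STS delay and the subject and actor names are constructed for the demonstration.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// exchangeFunc is the STS call being cached: Exchange in the package, injected here
// so the caching and coalescing logic can be exercised without a network.
type exchangeFunc func(ctx context.Context, subject, actor string) (token string, ttl time.Duration, err error)

// call is one STS exchange; waiters block on done, then read token, err and expiry.
type call struct {
	done   chan struct{}
	token  string
	err    error
	expiry time.Time
}

// Resolver is a constructed stand-in for TokenExchangeSource: a cache keyed by
// (subject, actor) plus an in-flight table that coalesces concurrent misses, which
// is the job singleflight does in the package.
type Resolver struct {
	exchange        exchangeFunc
	skew            time.Duration // refresh this long before the STS expiry
	mu              sync.Mutex
	cache, inflight map[string]*call
}

func NewResolver(exchange exchangeFunc, skew time.Duration) *Resolver {
	return &Resolver{exchange: exchange, skew: skew, cache: map[string]*call{}, inflight: map[string]*call{}}
}

// Resolve serves from cache, joins an exchange already in flight, or starts one.
// Failed exchanges are not cached, so the next caller retries.
func (r *Resolver) Resolve(ctx context.Context, subject, actor string) (string, error) {
	key := subject + "\x00" + actor // actor is part of the key: delegated and direct tokens differ
	r.mu.Lock()
	if c := r.cache[key]; c != nil && time.Now().Before(c.expiry) {
		r.mu.Unlock()
		return c.token, nil
	}
	c := r.inflight[key]
	if c == nil {
		c = &call{done: make(chan struct{})}
		r.inflight[key] = c
		r.mu.Unlock()
		token, ttl, err := r.exchange(ctx, subject, actor)
		r.mu.Lock()
		delete(r.inflight, key)
		if c.token, c.err = token, err; err == nil {
			c.expiry = time.Now().Add(ttl - r.skew)
			r.cache[key] = c
		}
		close(c.done)
	}
	r.mu.Unlock()
	<-c.done
	return c.token, c.err
}

// Demo runs the documented behaviour against a constructed slow STS: 8 concurrent
// requests for one subject collapse to a single exchange, a repeat is a cache hit,
// and the same subject with an actor token is a separate key and a second exchange.
func Demo() (exchanges int32, direct, delegated string, err error) {
	var n int32
	slowSTS := func(ctx context.Context, subject, actor string) (string, time.Duration, error) {
		atomic.AddInt32(&n, 1)
		time.Sleep(20 * time.Millisecond) // long enough for the concurrent misses to overlap
		return "tok:" + subject + ":" + actor, time.Hour, nil
	}
	res := NewResolver(slowSTS, 30*time.Second)
	ctx := context.Background()
	var wg sync.WaitGroup
	for i := 0; i < 8; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); res.Resolve(ctx, "subject-A", "") }()
	}
	wg.Wait()
	if direct, err = res.Resolve(ctx, "subject-A", ""); err != nil {
		return
	}
	delegated, err = res.Resolve(ctx, "subject-A", "actor-B")
	return atomic.LoadInt32(&n), direct, delegated, err
}

func main() { fmt.Println(Demo()) }
```

Keying on the actor token matters for delegation: a token minted for subject A acting alone and one minted for A with actor B carry different authorization, and sharing a cache slot between them would hand one caller the other's privileges. The skew keeps a token from being served in the last seconds before the STS-declared expiry.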
