Documentation

Types
type CredentialSource
CredentialSource fetches a credential value from an external system.

func NewAWSSecretsManagerSource
    func NewAWSSecretsManagerSource(secretID, region string) (CredentialSource, error)
NewAWSSecretsManagerSource creates a CredentialSource backed by AWS Secrets Manager.

func NewEnvSource
    func NewEnvSource(varName string) CredentialSource
NewEnvSource creates a CredentialSource that reads from an environment variable.

func NewStaticSource
    func NewStaticSource(value string) CredentialSource
NewStaticSource creates a CredentialSource that returns a fixed value.
type GitHubAppSource
    type GitHubAppSource struct {
        // contains filtered or unexported fields
    }
GitHubAppSource generates GitHub App installation access tokens. It implements both CredentialSource and RefreshingSource.

func NewGitHubAppSource
    func NewGitHubAppSource(appID, installationID string, privateKeyPEM []byte) (*GitHubAppSource, error)
NewGitHubAppSource creates a credential source that generates GitHub App installation tokens. privateKeyPEM must be a PEM-encoded RSA private key.

func (*GitHubAppSource) Fetch
    func (s *GitHubAppSource) Fetch(ctx context.Context) (string, error)

func (*GitHubAppSource) TTL
    func (s *GitHubAppSource) TTL() time.Duration

func (*GitHubAppSource) Type
    func (s *GitHubAppSource) Type() string
type RefreshingSource
    type RefreshingSource interface {
        CredentialSource
        TTL() time.Duration
    }
RefreshingSource is a CredentialSource whose values expire and must be re-fetched periodically. TTL returns the duration until the most recently fetched credential expires. Callers use this to schedule background refresh.

type SecretsManagerClient
    type SecretsManagerClient interface {
        GetSecretValue(ctx context.Context, secretID string) (string, error)
    }
SecretsManagerClient abstracts the AWS Secrets Manager API for testing.
type TokenExchangeConfig (added in v0.5.0)
    type TokenExchangeConfig struct {
        Endpoint         string // STS token endpoint URL
        ClientID         string // OAuth client ID for client credentials auth
        ClientSecret     string // OAuth client secret
        Resource         string // Target resource URI (e.g., "https://api.github.com")
        SubjectTokenType string // Subject token type URI (defaults to access_token type)
        ActorTokenType   string // Actor token type URI (defaults to access_token type)
    }
TokenExchangeConfig configures an RFC 8693 token exchange source.
type TokenExchangeResponse (added in v0.5.0)
    type TokenExchangeResponse struct {
        AccessToken     string `json:"access_token"`
        IssuedTokenType string `json:"issued_token_type"`
        TokenType       string `json:"token_type"`
        ExpiresIn       int    `json:"expires_in"`
    }
TokenExchangeResponse is the STS response per RFC 8693 §2.2.1.
type TokenExchangeSource (added in v0.5.0)
    type TokenExchangeSource struct {
        // contains filtered or unexported fields
    }
TokenExchangeSource exchanges a subject token for an access token via RFC 8693. It caches tokens per subject with TTL from the STS response.

func NewTokenExchangeSource (added in v0.5.0)
    func NewTokenExchangeSource(cfg TokenExchangeConfig) *TokenExchangeSource
NewTokenExchangeSource creates a new RFC 8693 token exchange source.

func (*TokenExchangeSource) Exchange (added in v0.5.0)
    func (s *TokenExchangeSource) Exchange(ctx context.Context, subjectToken, actorToken, requestID string) (*TokenExchangeResponse, error)
Exchange performs an RFC 8693 token exchange for the given subject token. When actorToken is non-empty, it is included as the actor_token parameter. When requestID is non-empty, it is forwarded as X-Request-Id to the STS.

func (*TokenExchangeSource) Resolve (added in v0.5.0)
    func (s *TokenExchangeSource) Resolve(ctx context.Context, subjectToken, actorToken, requestID string) (string, error)
Resolve returns a credential for the given subject, using the cache when possible. Concurrent requests for the same subject are coalesced into a single STS call via singleflight. When actorToken is non-empty, it is forwarded to the STS as the RFC 8693 actor_token parameter and included in the cache key. When requestID is non-empty, it is forwarded as X-Request-Id to the STS for cross-service correlation.
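The request that Exchange and Resolve describe, written out as an added example (not this package's own code): an RFC 8693 token-exchange POST with the optional actor_token and X-Request-Id, a response check that refuses to treat a failed exchange as a credential, and the cache key and TTL that Resolve documents. It assumes the STS accepts client credentials via HTTP basic auth, uses the access_token token-type URN for both subject and actor (the config's documented default), and the exchange, cacheKey and ttl helpers are hypothetical names for this example.

```go
package main
import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)
// exchangeResponse holds the two RFC 8693 §2.2.1 fields this example needs (TokenExchangeResponse above has the full set).
type exchangeResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
}
// exchange posts one RFC 8693 token-exchange request and decodes the STS reply (hypothetical helper, not the package's Exchange).
func exchange(ctx context.Context, endpoint, clientID, clientSecret, resource,
	subjectToken, actorToken, requestID string) (*exchangeResponse, error) {
	form := url.Values{
		"grant_type":         {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"subject_token":      {subjectToken},
		"subject_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"resource":           {resource},
	}
	if actorToken != "" { // delegation: the calling service presents its own token as the actor
		form.Set("actor_token", actorToken)
		form.Set("actor_token_type", "urn:ietf:params:oauth:token-type:access_token")
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // client credentials travel in the Authorization header, not the form body
	if requestID != "" {
		req.Header.Set("X-Request-Id", requestID) // forwarded for cross-service correlation, as Resolve documents
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var out exchangeResponse
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&out) != nil || out.AccessToken == "" {
		return nil, fmt.Errorf("token exchange failed (status %s)", resp.Status) // a rejected exchange must never be cached
	}
	return &out, nil
}
func cacheKey(subjectToken, actorToken string) string { return subjectToken + "\x00" + actorToken } // actor is part of the key
func ttl(r *exchangeResponse) time.Duration       { return time.Duration(r.ExpiresIn) * time.Second } // expiry from expires_in
```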