auth

package
v0.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 15, 2026 License: MIT Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source
const AdminRoleName = "admin"

AdminRoleName is the role that unconditionally passes permission checks. Must stay in sync with the `admin` row seeded in migration 000002.

View Source
const JWTSigningKeyID = "jwt_signing_key"
View Source
const OperatorPrincipalID = "00000000-0000-0000-0000-000000000001"

OperatorPrincipalID matches the legacy singleton user UUID so audit trails and any user_id foreign keys remain linkable across the PRINCIPAL_V2 flip.

Variables

View Source
var (
	ErrNotFound = errors.New("key not found")
	ErrDB       = errors.New("database error")
)
View Source
var ErrUserInactive = errors.New("user account is inactive")

Functions

This section is empty.

Types

type AccessTokenExchanger added in v0.10.0

type AccessTokenExchanger interface {
	ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)
}

AccessTokenExchanger validates an OAuth access token via the UserInfo endpoint and resolves a local Marmot user. Used by MCP clients that send access tokens.

type Auth0Provider added in v0.5.0

type Auth0Provider struct {
	// contains filtered or unexported fields
}

func NewAuth0Provider added in v0.5.0

func NewAuth0Provider(cfg *config.Config, userService user.Service, authService Service, teamService *team.Service) (*Auth0Provider, error)

func (*Auth0Provider) ExchangeAccessToken added in v0.10.0

func (p *Auth0Provider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)

func (*Auth0Provider) ExchangeToken added in v0.10.0

func (p *Auth0Provider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)

func (*Auth0Provider) GetAuthURL added in v0.5.0

func (p *Auth0Provider) GetAuthURL(state string) string

func (*Auth0Provider) HandleCallback added in v0.5.0

func (p *Auth0Provider) HandleCallback(ctx context.Context, code string) (*user.User, error)

func (*Auth0Provider) IssuerURL added in v0.10.0

func (p *Auth0Provider) IssuerURL() string

func (*Auth0Provider) Name added in v0.5.0

func (p *Auth0Provider) Name() string

func (*Auth0Provider) Type added in v0.5.0

func (p *Auth0Provider) Type() string

type Claims

type Claims struct {
	Roles       []string               `json:"roles"`
	Permissions []string               `json:"permissions"`
	Preferences map[string]interface{} `json:"preferences,omitempty"`
	// Omitted for user principals; consumers must treat "" as PrincipalTypeUser.
	PrincipalType string `json:"principal_type,omitempty"`
	jwt.RegisteredClaims
}

type GenericOIDCProvider added in v0.7.0

type GenericOIDCProvider struct {
	// contains filtered or unexported fields
}

func NewGenericOIDCProvider added in v0.7.0

func NewGenericOIDCProvider(cfg *config.Config, userService user.Service, authService Service, teamService *team.Service) (*GenericOIDCProvider, error)

func (*GenericOIDCProvider) ExchangeAccessToken added in v0.10.0

func (p *GenericOIDCProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)

func (*GenericOIDCProvider) ExchangeToken added in v0.10.0

func (p *GenericOIDCProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)

func (*GenericOIDCProvider) GetAuthURL added in v0.7.0

func (p *GenericOIDCProvider) GetAuthURL(state string) string

func (*GenericOIDCProvider) HandleCallback added in v0.7.0

func (p *GenericOIDCProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)

func (*GenericOIDCProvider) IssuerURL added in v0.10.0

func (p *GenericOIDCProvider) IssuerURL() string

func (*GenericOIDCProvider) Name added in v0.7.0

func (p *GenericOIDCProvider) Name() string

func (*GenericOIDCProvider) Type added in v0.7.0

func (p *GenericOIDCProvider) Type() string

type GitHubProvider added in v0.5.0

type GitHubProvider struct {
	// contains filtered or unexported fields
}

func NewGitHubProvider added in v0.5.0

func NewGitHubProvider(cfg *config.Config, userService user.Service) (*GitHubProvider, error)

func (*GitHubProvider) GetAuthURL added in v0.5.0

func (p *GitHubProvider) GetAuthURL(state string) string

func (*GitHubProvider) HandleCallback added in v0.5.0

func (p *GitHubProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)

func (*GitHubProvider) Name added in v0.5.0

func (p *GitHubProvider) Name() string

func (*GitHubProvider) Type added in v0.5.0

func (p *GitHubProvider) Type() string

type GitLabProvider added in v0.5.0

type GitLabProvider struct {
	// contains filtered or unexported fields
}

func NewGitLabProvider added in v0.5.0

func NewGitLabProvider(cfg *config.Config, userService user.Service) (*GitLabProvider, error)

func (*GitLabProvider) ExchangeAccessToken added in v0.10.0

func (p *GitLabProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)

func (*GitLabProvider) ExchangeToken added in v0.10.0

func (p *GitLabProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)

func (*GitLabProvider) GetAuthURL added in v0.5.0

func (p *GitLabProvider) GetAuthURL(state string) string

func (*GitLabProvider) HandleCallback added in v0.5.0

func (p *GitLabProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)

func (*GitLabProvider) IssuerURL added in v0.10.0

func (p *GitLabProvider) IssuerURL() string

func (*GitLabProvider) Name added in v0.5.0

func (p *GitLabProvider) Name() string

func (*GitLabProvider) Type added in v0.5.0

func (p *GitLabProvider) Type() string

type GoogleProvider added in v0.5.0

type GoogleProvider struct {
	// contains filtered or unexported fields
}

func NewGoogleProvider added in v0.5.0

func NewGoogleProvider(cfg *config.Config, userService user.Service) (*GoogleProvider, error)

func (*GoogleProvider) ExchangeAccessToken added in v0.10.0

func (p *GoogleProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)

func (*GoogleProvider) ExchangeToken added in v0.10.0

func (p *GoogleProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)

func (*GoogleProvider) GetAuthURL added in v0.5.0

func (p *GoogleProvider) GetAuthURL(state string) string

func (*GoogleProvider) HandleCallback added in v0.5.0

func (p *GoogleProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)

func (*GoogleProvider) IssuerURL added in v0.10.0

func (p *GoogleProvider) IssuerURL() string

func (*GoogleProvider) Name added in v0.5.0

func (p *GoogleProvider) Name() string

func (*GoogleProvider) Type added in v0.5.0

func (p *GoogleProvider) Type() string

type IssuerProvider added in v0.10.0

type IssuerProvider interface {
	IssuerURL() string
}

IssuerProvider returns the provider's OIDC issuer URL.

type KeycloakProvider added in v0.7.0

type KeycloakProvider struct {
	// contains filtered or unexported fields
}

func NewKeycloakProvider added in v0.7.0

func NewKeycloakProvider(cfg *config.Config, userService user.Service, authService Service, teamService *team.Service) (*KeycloakProvider, error)

func (*KeycloakProvider) ExchangeAccessToken added in v0.10.0

func (p *KeycloakProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)

func (*KeycloakProvider) ExchangeToken added in v0.10.0

func (p *KeycloakProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)

func (*KeycloakProvider) GetAuthURL added in v0.7.0

func (p *KeycloakProvider) GetAuthURL(state string) string

func (*KeycloakProvider) HandleCallback added in v0.7.0

func (p *KeycloakProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)

func (*KeycloakProvider) IssuerURL added in v0.10.0

func (p *KeycloakProvider) IssuerURL() string

func (*KeycloakProvider) Name added in v0.7.0

func (p *KeycloakProvider) Name() string

func (*KeycloakProvider) Type added in v0.7.0

func (p *KeycloakProvider) Type() string

type OAuthManager

type OAuthManager struct {
	// contains filtered or unexported fields
}

func NewOAuthManager

func NewOAuthManager() *OAuthManager

func (*OAuthManager) GetProvider

func (m *OAuthManager) GetProvider(providerType string) (OAuthProvider, bool)

func (*OAuthManager) GetProviderNames added in v0.5.0

func (m *OAuthManager) GetProviderNames() []string

func (*OAuthManager) GetProviders added in v0.10.0

func (m *OAuthManager) GetProviders() map[string]OAuthProvider

func (*OAuthManager) RegisterProvider

func (m *OAuthManager) RegisterProvider(provider OAuthProvider)

type OAuthProvider

type OAuthProvider interface {
	GetAuthURL(state string) string
	HandleCallback(ctx context.Context, code string) (*user.User, error)
	Name() string
	Type() string
}

type OktaProvider

type OktaProvider struct {
	// contains filtered or unexported fields
}

OktaProvider represents the OAuth provider for Okta.

func NewOktaProvider

func NewOktaProvider(cfg *config.Config, userService user.Service, authService Service, teamService *team.Service) (*OktaProvider, error)

NewOktaProvider creates a new OktaProvider.

func (*OktaProvider) ExchangeAccessToken added in v0.10.0

func (p *OktaProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)

func (*OktaProvider) ExchangeToken added in v0.10.0

func (p *OktaProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)

func (*OktaProvider) GetAuthURL

func (p *OktaProvider) GetAuthURL(state string) string

func (*OktaProvider) HandleCallback

func (p *OktaProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)

func (*OktaProvider) IssuerURL added in v0.10.0

func (p *OktaProvider) IssuerURL() string

func (*OktaProvider) Name

func (p *OktaProvider) Name() string

Name returns the name of the provider.

func (*OktaProvider) Type

func (p *OktaProvider) Type() string

Type returns the type of the provider.

type Principal added in v0.10.0

type Principal interface {
	// ID: user UUID, oidc-trust ID, or a fixed sentinel for operator.
	ID() string
	Type() PrincipalType
	DisplayName() string

	// AuditSubject returns a readable log/audit identifier (e.g. "user:alice").
	// Never a raw UUID — guardrail against UUID leakage into audit trails.
	AuditSubject() string

	Roles() []string

	// Permissions may be incomplete for admin principals. Use IsAdmin/HasPermission
	// to gate access; never iterate this slice for authorization decisions.
	Permissions() []string

	// IsAdmin bypasses fine-grained checks (Vault's root-token pattern).
	IsAdmin() bool
	HasPermission(resourceType, action string) bool

	// AsUser returns the underlying user record, or nil for machine principals.
	// User-only handlers (profile, personal API keys) should 403 on nil.
	AsUser() *user.User
}

Principal is any entity that can hold roles/permissions and act against the API. The interface is deliberately narrow — anything user-specific belongs behind AsUser.

func NewOperatorPrincipal added in v0.10.0

func NewOperatorPrincipal() Principal

func NewServiceAccountPrincipal added in v0.10.0

func NewServiceAccountPrincipal(id, name string, roleNames []string, permKeys []string) Principal

func NewUserPrincipal added in v0.10.0

func NewUserPrincipal(u *user.User) Principal

NewUserPrincipal converts at the middleware boundary. Handlers should not scatter this conversion — they receive a Principal from context.

type PrincipalType added in v0.10.0

type PrincipalType string

PrincipalType identifies the kind of principal a Marmot session represents.

const (
	PrincipalTypeUser           PrincipalType = "user"
	PrincipalTypeOperator       PrincipalType = "operator"
	PrincipalTypeOIDCTrust      PrincipalType = "oidc_trust"
	PrincipalTypeServiceAccount PrincipalType = "service_account"
)

type Repository

type Repository interface {
	GetSigningKey(ctx context.Context, key string) (string, error)
	StoreSigningKey(ctx context.Context, key, value string) error
}

func NewPostgresRepository

func NewPostgresRepository(db *pgxpool.Pool) Repository

type Resolver added in v0.10.0

type Resolver interface {
	Resolve(ctx context.Context, claims *Claims) (Principal, error)
}

Resolver converts validated JWT claims to a Principal.

func NewResolver added in v0.10.0

func NewResolver(users user.Service) Resolver

type Service

type Service interface {
	GenerateToken(ctx context.Context, user *user.User, preferencesClaims map[string]interface{}) (string, error)
	GenerateTokenForPrincipal(ctx context.Context, p Principal, preferencesClaims map[string]interface{}) (string, error)
	ValidateToken(ctx context.Context, tokenString string) (*Claims, error)
	GetSigningKey(ctx context.Context) ([]byte, error)
}

func NewService

func NewService(repo Repository, userService user.Service) Service

type SlackProvider added in v0.5.0

type SlackProvider struct {
	// contains filtered or unexported fields
}

func NewSlackProvider added in v0.5.0

func NewSlackProvider(cfg *config.Config, userService user.Service) (*SlackProvider, error)

func (*SlackProvider) ExchangeAccessToken added in v0.10.0

func (p *SlackProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)

func (*SlackProvider) ExchangeToken added in v0.10.0

func (p *SlackProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)

func (*SlackProvider) GetAuthURL added in v0.5.0

func (p *SlackProvider) GetAuthURL(state string) string

func (*SlackProvider) HandleCallback added in v0.5.0

func (p *SlackProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)

func (*SlackProvider) IssuerURL added in v0.10.0

func (p *SlackProvider) IssuerURL() string

func (*SlackProvider) Name added in v0.5.0

func (p *SlackProvider) Name() string

func (*SlackProvider) Type added in v0.5.0

func (p *SlackProvider) Type() string

type TokenExchanger added in v0.10.0

type TokenExchanger interface {
	ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)
}

TokenExchanger exchanges an upstream ID token for a local Marmot user.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL