Documentation
¶
Index ¶
- Constants
- Variables
- type AccessTokenExchanger
- type Auth0Provider
- func (p *Auth0Provider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)
- func (p *Auth0Provider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)
- func (p *Auth0Provider) GetAuthURL(state string) string
- func (p *Auth0Provider) HandleCallback(ctx context.Context, code string) (*user.User, error)
- func (p *Auth0Provider) IssuerURL() string
- func (p *Auth0Provider) Name() string
- func (p *Auth0Provider) Type() string
- type Claims
- type GenericOIDCProvider
- func (p *GenericOIDCProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)
- func (p *GenericOIDCProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)
- func (p *GenericOIDCProvider) GetAuthURL(state string) string
- func (p *GenericOIDCProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)
- func (p *GenericOIDCProvider) IssuerURL() string
- func (p *GenericOIDCProvider) Name() string
- func (p *GenericOIDCProvider) Type() string
- type GitHubProvider
- type GitLabProvider
- func (p *GitLabProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)
- func (p *GitLabProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)
- func (p *GitLabProvider) GetAuthURL(state string) string
- func (p *GitLabProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)
- func (p *GitLabProvider) IssuerURL() string
- func (p *GitLabProvider) Name() string
- func (p *GitLabProvider) Type() string
- type GoogleProvider
- func (p *GoogleProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)
- func (p *GoogleProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)
- func (p *GoogleProvider) GetAuthURL(state string) string
- func (p *GoogleProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)
- func (p *GoogleProvider) IssuerURL() string
- func (p *GoogleProvider) Name() string
- func (p *GoogleProvider) Type() string
- type IssuerProvider
- type KeycloakProvider
- func (p *KeycloakProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)
- func (p *KeycloakProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)
- func (p *KeycloakProvider) GetAuthURL(state string) string
- func (p *KeycloakProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)
- func (p *KeycloakProvider) IssuerURL() string
- func (p *KeycloakProvider) Name() string
- func (p *KeycloakProvider) Type() string
- type OAuthManager
- type OAuthProvider
- type OktaProvider
- func (p *OktaProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)
- func (p *OktaProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)
- func (p *OktaProvider) GetAuthURL(state string) string
- func (p *OktaProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)
- func (p *OktaProvider) IssuerURL() string
- func (p *OktaProvider) Name() string
- func (p *OktaProvider) Type() string
- type Principal
- type PrincipalType
- type Repository
- type Resolver
- type Service
- type SlackProvider
- func (p *SlackProvider) ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)
- func (p *SlackProvider) ExchangeToken(ctx context.Context, rawIDToken string) (*user.User, error)
- func (p *SlackProvider) GetAuthURL(state string) string
- func (p *SlackProvider) HandleCallback(ctx context.Context, code string) (*user.User, error)
- func (p *SlackProvider) IssuerURL() string
- func (p *SlackProvider) Name() string
- func (p *SlackProvider) Type() string
- type TokenExchanger
Constants ¶
const AdminRoleName = "admin"
AdminRoleName is the role that unconditionally passes permission checks. Must stay in sync with the `admin` row seeded in migration 000002.
const JWTSigningKeyID = "jwt_signing_key"
const OperatorPrincipalID = "00000000-0000-0000-0000-000000000001"
OperatorPrincipalID matches the legacy singleton user UUID so audit trails and any user_id foreign keys remain linkable across the PRINCIPAL_V2 flip.
Variables ¶
var ( ErrNotFound = errors.New("key not found") ErrDB = errors.New("database error") )
var ErrUserInactive = errors.New("user account is inactive")
Functions ¶
This section is empty.
Types ¶
type AccessTokenExchanger ¶ added in v0.10.0
type AccessTokenExchanger interface {
ExchangeAccessToken(ctx context.Context, accessToken string) (*user.User, error)
}
AccessTokenExchanger validates an OAuth access token via the UserInfo endpoint and resolves a local Marmot user. Used by MCP clients that send access tokens.
type Auth0Provider ¶ added in v0.5.0
type Auth0Provider struct {
// contains filtered or unexported fields
}
func NewAuth0Provider ¶ added in v0.5.0
func (*Auth0Provider) ExchangeAccessToken ¶ added in v0.10.0
func (*Auth0Provider) ExchangeToken ¶ added in v0.10.0
func (*Auth0Provider) GetAuthURL ¶ added in v0.5.0
func (p *Auth0Provider) GetAuthURL(state string) string
func (*Auth0Provider) HandleCallback ¶ added in v0.5.0
func (*Auth0Provider) IssuerURL ¶ added in v0.10.0
func (p *Auth0Provider) IssuerURL() string
func (*Auth0Provider) Name ¶ added in v0.5.0
func (p *Auth0Provider) Name() string
func (*Auth0Provider) Type ¶ added in v0.5.0
func (p *Auth0Provider) Type() string
type Claims ¶
type Claims struct {
Roles []string `json:"roles"`
Permissions []string `json:"permissions"`
Preferences map[string]interface{} `json:"preferences,omitempty"`
// Omitted for user principals; consumers must treat "" as PrincipalTypeUser.
PrincipalType string `json:"principal_type,omitempty"`
jwt.RegisteredClaims
}
type GenericOIDCProvider ¶ added in v0.7.0
type GenericOIDCProvider struct {
// contains filtered or unexported fields
}
func NewGenericOIDCProvider ¶ added in v0.7.0
func (*GenericOIDCProvider) ExchangeAccessToken ¶ added in v0.10.0
func (*GenericOIDCProvider) ExchangeToken ¶ added in v0.10.0
func (*GenericOIDCProvider) GetAuthURL ¶ added in v0.7.0
func (p *GenericOIDCProvider) GetAuthURL(state string) string
func (*GenericOIDCProvider) HandleCallback ¶ added in v0.7.0
func (*GenericOIDCProvider) IssuerURL ¶ added in v0.10.0
func (p *GenericOIDCProvider) IssuerURL() string
func (*GenericOIDCProvider) Name ¶ added in v0.7.0
func (p *GenericOIDCProvider) Name() string
func (*GenericOIDCProvider) Type ¶ added in v0.7.0
func (p *GenericOIDCProvider) Type() string
type GitHubProvider ¶ added in v0.5.0
type GitHubProvider struct {
// contains filtered or unexported fields
}
func NewGitHubProvider ¶ added in v0.5.0
func (*GitHubProvider) GetAuthURL ¶ added in v0.5.0
func (p *GitHubProvider) GetAuthURL(state string) string
func (*GitHubProvider) HandleCallback ¶ added in v0.5.0
func (*GitHubProvider) Name ¶ added in v0.5.0
func (p *GitHubProvider) Name() string
func (*GitHubProvider) Type ¶ added in v0.5.0
func (p *GitHubProvider) Type() string
type GitLabProvider ¶ added in v0.5.0
type GitLabProvider struct {
// contains filtered or unexported fields
}
func NewGitLabProvider ¶ added in v0.5.0
func (*GitLabProvider) ExchangeAccessToken ¶ added in v0.10.0
func (*GitLabProvider) ExchangeToken ¶ added in v0.10.0
func (*GitLabProvider) GetAuthURL ¶ added in v0.5.0
func (p *GitLabProvider) GetAuthURL(state string) string
func (*GitLabProvider) HandleCallback ¶ added in v0.5.0
func (*GitLabProvider) IssuerURL ¶ added in v0.10.0
func (p *GitLabProvider) IssuerURL() string
func (*GitLabProvider) Name ¶ added in v0.5.0
func (p *GitLabProvider) Name() string
func (*GitLabProvider) Type ¶ added in v0.5.0
func (p *GitLabProvider) Type() string
type GoogleProvider ¶ added in v0.5.0
type GoogleProvider struct {
// contains filtered or unexported fields
}
func NewGoogleProvider ¶ added in v0.5.0
func (*GoogleProvider) ExchangeAccessToken ¶ added in v0.10.0
func (*GoogleProvider) ExchangeToken ¶ added in v0.10.0
func (*GoogleProvider) GetAuthURL ¶ added in v0.5.0
func (p *GoogleProvider) GetAuthURL(state string) string
func (*GoogleProvider) HandleCallback ¶ added in v0.5.0
func (*GoogleProvider) IssuerURL ¶ added in v0.10.0
func (p *GoogleProvider) IssuerURL() string
func (*GoogleProvider) Name ¶ added in v0.5.0
func (p *GoogleProvider) Name() string
func (*GoogleProvider) Type ¶ added in v0.5.0
func (p *GoogleProvider) Type() string
type IssuerProvider ¶ added in v0.10.0
type IssuerProvider interface {
IssuerURL() string
}
IssuerProvider returns the provider's OIDC issuer URL.
type KeycloakProvider ¶ added in v0.7.0
type KeycloakProvider struct {
// contains filtered or unexported fields
}
func NewKeycloakProvider ¶ added in v0.7.0
func (*KeycloakProvider) ExchangeAccessToken ¶ added in v0.10.0
func (*KeycloakProvider) ExchangeToken ¶ added in v0.10.0
func (*KeycloakProvider) GetAuthURL ¶ added in v0.7.0
func (p *KeycloakProvider) GetAuthURL(state string) string
func (*KeycloakProvider) HandleCallback ¶ added in v0.7.0
func (*KeycloakProvider) IssuerURL ¶ added in v0.10.0
func (p *KeycloakProvider) IssuerURL() string
func (*KeycloakProvider) Name ¶ added in v0.7.0
func (p *KeycloakProvider) Name() string
func (*KeycloakProvider) Type ¶ added in v0.7.0
func (p *KeycloakProvider) Type() string
type OAuthManager ¶
type OAuthManager struct {
// contains filtered or unexported fields
}
func NewOAuthManager ¶
func NewOAuthManager() *OAuthManager
func (*OAuthManager) GetProvider ¶
func (m *OAuthManager) GetProvider(providerType string) (OAuthProvider, bool)
func (*OAuthManager) GetProviderNames ¶ added in v0.5.0
func (m *OAuthManager) GetProviderNames() []string
func (*OAuthManager) GetProviders ¶ added in v0.10.0
func (m *OAuthManager) GetProviders() map[string]OAuthProvider
func (*OAuthManager) RegisterProvider ¶
func (m *OAuthManager) RegisterProvider(provider OAuthProvider)
type OAuthProvider ¶
type OktaProvider ¶
type OktaProvider struct {
// contains filtered or unexported fields
}
OktaProvider represents the OAuth provider for Okta.
func NewOktaProvider ¶
func NewOktaProvider(cfg *config.Config, userService user.Service, authService Service, teamService *team.Service) (*OktaProvider, error)
NewOktaProvider creates a new OktaProvider.
func (*OktaProvider) ExchangeAccessToken ¶ added in v0.10.0
func (*OktaProvider) ExchangeToken ¶ added in v0.10.0
func (*OktaProvider) GetAuthURL ¶
func (p *OktaProvider) GetAuthURL(state string) string
func (*OktaProvider) HandleCallback ¶
func (*OktaProvider) IssuerURL ¶ added in v0.10.0
func (p *OktaProvider) IssuerURL() string
func (*OktaProvider) Name ¶
func (p *OktaProvider) Name() string
Name returns the name of the provider.
func (*OktaProvider) Type ¶
func (p *OktaProvider) Type() string
Type returns the type of the provider.
type Principal ¶ added in v0.10.0
type Principal interface {
// ID: user UUID, oidc-trust ID, or a fixed sentinel for operator.
ID() string
Type() PrincipalType
DisplayName() string
// AuditSubject returns a readable log/audit identifier (e.g. "user:alice").
// Never a raw UUID — guardrail against UUID leakage into audit trails.
AuditSubject() string
Roles() []string
// Permissions may be incomplete for admin principals. Use IsAdmin/HasPermission
// to gate access; never iterate this slice for authorization decisions.
Permissions() []string
// IsAdmin bypasses fine-grained checks (Vault's root-token pattern).
IsAdmin() bool
HasPermission(resourceType, action string) bool
// AsUser returns the underlying user record, or nil for machine principals.
// User-only handlers (profile, personal API keys) should 403 on nil.
AsUser() *user.User
}
Principal is any entity that can hold roles/permissions and act against the API. The interface is deliberately narrow — anything user-specific belongs behind AsUser.
func NewOperatorPrincipal ¶ added in v0.10.0
func NewOperatorPrincipal() Principal
func NewServiceAccountPrincipal ¶ added in v0.10.0
func NewUserPrincipal ¶ added in v0.10.0
NewUserPrincipal converts at the middleware boundary. Handlers should not scatter this conversion — they receive a Principal from context.
type PrincipalType ¶ added in v0.10.0
type PrincipalType string
PrincipalType identifies the kind of principal a Marmot session represents.
const ( PrincipalTypeUser PrincipalType = "user" PrincipalTypeOperator PrincipalType = "operator" PrincipalTypeOIDCTrust PrincipalType = "oidc_trust" PrincipalTypeServiceAccount PrincipalType = "service_account" )
type Repository ¶
type Repository interface {
GetSigningKey(ctx context.Context, key string) (string, error)
StoreSigningKey(ctx context.Context, key, value string) error
}
func NewPostgresRepository ¶
func NewPostgresRepository(db *pgxpool.Pool) Repository
type Resolver ¶ added in v0.10.0
Resolver converts validated JWT claims to a Principal.
func NewResolver ¶ added in v0.10.0
type Service ¶
type Service interface {
GenerateToken(ctx context.Context, user *user.User, preferencesClaims map[string]interface{}) (string, error)
GenerateTokenForPrincipal(ctx context.Context, p Principal, preferencesClaims map[string]interface{}) (string, error)
ValidateToken(ctx context.Context, tokenString string) (*Claims, error)
GetSigningKey(ctx context.Context) ([]byte, error)
}
func NewService ¶
func NewService(repo Repository, userService user.Service) Service
type SlackProvider ¶ added in v0.5.0
type SlackProvider struct {
// contains filtered or unexported fields
}
func NewSlackProvider ¶ added in v0.5.0
func (*SlackProvider) ExchangeAccessToken ¶ added in v0.10.0
func (*SlackProvider) ExchangeToken ¶ added in v0.10.0
func (*SlackProvider) GetAuthURL ¶ added in v0.5.0
func (p *SlackProvider) GetAuthURL(state string) string
func (*SlackProvider) HandleCallback ¶ added in v0.5.0
func (*SlackProvider) IssuerURL ¶ added in v0.10.0
func (p *SlackProvider) IssuerURL() string
func (*SlackProvider) Name ¶ added in v0.5.0
func (p *SlackProvider) Name() string
func (*SlackProvider) Type ¶ added in v0.5.0
func (p *SlackProvider) Type() string