Overview ¶
Package security provides security-related functionality for the opampcommander application.
Index ¶
- Constants
- Variables
- func NewAuthJWTMiddleware(service *Service) gin.HandlerFunc
- type AdminUsecase
- type OAuth2Usecase
- type OAuthStateClaims
- type OPAMPClaims
- type Service
- func (s *Service) AuthCodeURL() (string, error)
- func (s *Service) BasicAuth(username, password string) (string, error)
- func (s *Service) DeviceAuth(ctx context.Context) (*oauth2.DeviceAuthResponse, error)
- func (s *Service) Exchange(ctx context.Context, state, code string) (string, error)
- func (s *Service) ExchangeDeviceAuth(ctx context.Context, deviceCode string, expiry time.Time) (string, error)
- func (s *Service) ValidateToken(tokenString string) (*OPAMPClaims, error)
- type UnsupportedTokenTypeError
- type Usecase
- type User
Constants ¶
const (
	// StateLength is the length of the state string generated for OAuth2
	// authentication. The state is what Exchange checks to reject forged
	// callbacks, so it must be unpredictable; NOTE(review): confirm the
	// generator draws from a cryptographically secure random source.
	StateLength = 16
)
Variables ¶
var (
	// ErrInvalidState is returned when the OAuth2 state parameter is invalid.
	// A failure here is the CSRF check performed by Exchange, not a user error.
	ErrInvalidState = errors.New("invalid state parameter")
	// ErrStateExpired is returned when the state parameter has expired.
	ErrStateExpired = errors.New("state parameter has expired")
	// ErrInvalidToken is returned when the provided token is invalid.
	ErrInvalidToken = errors.New("invalid token")
	// ErrInvalidEmail is returned when the email in the token claims is invalid.
	ErrInvalidEmail = errors.New("invalid email in token claims")
	// ErrInvalidTokenClaims is returned when the token claims are invalid
	// (for example, they cannot be decoded as OPAMPClaims).
	ErrInvalidTokenClaims = errors.New("invalid token claims")
	// ErrTokenExpired is returned when the token has expired.
	ErrTokenExpired = errors.New("token has expired")
	// ErrInvalidUsernameOrPassword is returned when the provided username or
	// password is invalid. The message deliberately does not say which one.
	ErrInvalidUsernameOrPassword = errors.New("invalid username or password")
	// ErrNoPrimaryEmailFound is returned when no primary, verified email is
	// found among the user's emails.
	ErrNoPrimaryEmailFound = errors.New("no primary verified email found")
	// ErrOAuth2ClientCreationFailed is returned when the OAuth2 client cannot be created.
	ErrOAuth2ClientCreationFailed = errors.New("failed to create OAuth2 client")
)
var (
	// ErrNilContext is returned when a nil context is passed.
	ErrNilContext = errors.New("nil context")
	// ErrInvalidContext is returned when the context is not a valid Gin context.
	ErrInvalidContext = errors.New("invalid context")
	// ErrInvalidUserInContext is returned when the value stored for the user in
	// the context is not a valid user.
	ErrInvalidUserInContext = errors.New("invalid user in context")
)
Functions ¶
func NewAuthJWTMiddleware ¶
func NewAuthJWTMiddleware( service *Service, ) gin.HandlerFunc
NewAuthJWTMiddleware creates a new Gin middleware for JWT authentication.
Types ¶
type AdminUsecase ¶
// AdminUsecase defines the use case for admin authentication.
type AdminUsecase interface {
	// BasicAuth authenticates the user with a username and password and returns
	// a token string on success. On failure callers should expect
	// ErrInvalidUsernameOrPassword.
	BasicAuth(username, password string) (string, error)
}
AdminUsecase defines the use case for admin authentication.
type OAuth2Usecase ¶
// OAuth2Usecase defines the use case for OAuth2 authentication.
type OAuth2Usecase interface {
	// AuthCodeURL generates the OAuth2 authorization URL with a unique state
	// parameter. The state is later checked by Exchange.
	AuthCodeURL() (string, error)
	// Exchange validates the state parameter (the CSRF check) and exchanges the
	// OAuth2 authorization code for an access token, returned as a string.
	Exchange(ctx context.Context, state, code string) (string, error)
}
OAuth2Usecase defines the use case for OAuth2 authentication.
type OAuthStateClaims ¶
// OAuthStateClaims defines the custom claims for the JWT token used as the
// state parameter in OAuth2 authentication. Only the embedded registered
// claims are used; expiry of the state surfaces as ErrStateExpired.
type OAuthStateClaims struct {
	jwt.RegisteredClaims
}
OAuthStateClaims defines the custom claims for the JWT token used for the state parameter in OAuth2 authentication.
type OPAMPClaims ¶
// OPAMPClaims defines the custom claims for the JWT token used for
// opampcommander's authentication: the standard registered claims plus the
// user's email. Email should only be trusted after ValidateToken has
// accepted the token.
type OPAMPClaims struct {
	jwt.RegisteredClaims
	// Email is the authenticated user's email, carried in the "email" claim.
	Email string `json:"email"`
}
OPAMPClaims defines the custom claims for the JWT token used for opampcommander's authentication. It includes the user's email and standard JWT registered claims.
type Service ¶
// Service provides security-related functionality for the opampcommander
// application. Its fields are unexported; construct it with New.
type Service struct {
	// contains filtered or unexported fields
}
Service provides security-related functionality for the opampcommander application.
func New ¶
New creates a new instance of the Service struct with the provided logger and OAuth settings.
func (*Service) AuthCodeURL ¶
AuthCodeURL generates the OAuth2 authorization URL with a unique state parameter.
func (*Service) BasicAuth ¶
BasicAuth authenticates the user using basic authentication with username and password.
func (*Service) DeviceAuth ¶ added in v0.1.1
DeviceAuth initiates the OAuth2 device authorization flow. It returns a device authorization response that contains the user code and verification URL.
func (*Service) Exchange ¶
Exchange exchanges the OAuth2 authorization code for an access token. It validates the state parameter to prevent CSRF attacks.
func (*Service) ExchangeDeviceAuth ¶ added in v0.1.1
func (s *Service) ExchangeDeviceAuth( ctx context.Context, deviceCode string, expiry time.Time, ) (string, error)
ExchangeDeviceAuth exchanges the device code for an access token. It retrieves the user's primary email from GitHub and creates a JWT token with the email as a claim. It returns the JWT token string or an error if the process fails.
func (*Service) ValidateToken ¶
func (s *Service) ValidateToken(tokenString string) (*OPAMPClaims, error)
ValidateToken validates the provided JWT token string and returns the claims if valid. It checks the token's validity, expiration, and the email in the claims.
type UnsupportedTokenTypeError ¶
// UnsupportedTokenTypeError is returned when the token type is not supported.
type UnsupportedTokenTypeError struct {
	// TokenType is the unsupported token type that was encountered.
	TokenType string
}
UnsupportedTokenTypeError is returned when the token type is not supported.
func (*UnsupportedTokenTypeError) Error ¶
func (e *UnsupportedTokenTypeError) Error() string
type Usecase ¶
// Usecase defines the use case for the security package. It combines token
// validation with the admin and OAuth2 authentication use cases.
type Usecase interface {
	// ValidateToken validates the provided JWT token string and returns the
	// claims if valid.
	ValidateToken(tokenString string) (*OPAMPClaims, error)
	// AdminUsecase embeds the admin authentication use case (BasicAuth).
	AdminUsecase
	// OAuth2Usecase embeds the OAuth2 authentication use case
	// (AuthCodeURL, Exchange).
	OAuth2Usecase
}
Usecase defines the use case for the security package.
type User ¶
// User represents a user in the system. An unauthenticated user is
// represented by NewAnonymousUser.
type User struct {
	// Authenticated indicates whether the user is authenticated.
	Authenticated bool
	// Email is the primary email of the user.
	// If the user is not authenticated, this is nil; callers must check
	// Authenticated (or nil) before dereferencing.
	Email *string
}
User represents a user in the system.
func NewAnonymousUser ¶ added in v0.1.20
func NewAnonymousUser() *User
NewAnonymousUser creates a new anonymous user. Some operations need a user (e.g., for audit logging) even when the caller is not authenticated.