auth

package


Constants

// MaxKeyResponseSize caps the size of the response body accepted from the
// HTTP key endpoint (presumably in bytes — confirm at the read site).
// Bounding the read is what limits how much of an untrusted reply the key
// fetcher will ever buffer.
const MaxKeyResponseSize = 4096

MaxKeyResponseSize is the maximum size of the response body from the HTTP endpoint.

Variables

This section is empty.

Functions

func BuildPermissions added in v1.2.1

func BuildPermissions(domain string, includeSubdomains bool) []auth.Permission

BuildPermissions builds the permissions for a domain, optionally including its subdomains.

func DecodeAndValidateSignature added in v1.2.1

func DecodeAndValidateSignature(signedTimestamp string) ([]byte, error)

func IsValidDomain added in v1.2.1

func IsValidDomain(domain string) bool

func ParseMCPKeysFromStrings added in v1.2.1

func ParseMCPKeysFromStrings(inputs []string) []ed25519.PublicKey

func RegisterAuthEndpoints

func RegisterAuthEndpoints(api huma.API, cfg *config.Config)

RegisterAuthEndpoints registers all authentication endpoints

func RegisterDNSEndpoint

func RegisterDNSEndpoint(api huma.API, cfg *config.Config)

RegisterDNSEndpoint registers the DNS authentication endpoint

func RegisterGitHubATEndpoint

func RegisterGitHubATEndpoint(api huma.API, cfg *config.Config)

RegisterGitHubATEndpoint registers the GitHub access token authentication endpoint

func RegisterGitHubOIDCEndpoint

func RegisterGitHubOIDCEndpoint(api huma.API, cfg *config.Config)

RegisterGitHubOIDCEndpoint registers the GitHub OIDC authentication endpoint

func RegisterHTTPEndpoint

func RegisterHTTPEndpoint(api huma.API, cfg *config.Config)

RegisterHTTPEndpoint registers the HTTP authentication endpoint

func RegisterNoneEndpoint

func RegisterNoneEndpoint(api huma.API, cfg *config.Config)

RegisterNoneEndpoint registers the anonymous authentication endpoint. WARNING: This endpoint is intended for local development and automated tests only. It should NOT be enabled in production environments, as it bypasses normal authentication.

func RegisterOIDCEndpoints

func RegisterOIDCEndpoints(api huma.API, cfg *config.Config)

RegisterOIDCEndpoints registers all OIDC authentication endpoints

func ReverseString added in v1.2.1

func ReverseString(domain string) string

ReverseString reverses the label order of a domain string (example.com -> com.example).

func ValidateDomainAndTimestamp added in v1.2.1

func ValidateDomainAndTimestamp(domain, timestamp string) (*time.Time, error)

ValidateDomainAndTimestamp validates the domain format and timestamp

func VerifySignatureWithKeys added in v1.2.1

func VerifySignatureWithKeys(publicKeys []ed25519.PublicKey, messageBytes []byte, signature []byte) bool

Types

type CoreAuthHandler added in v1.2.1

// CoreAuthHandler holds the state shared by the concrete authentication
// handlers; DNSAuthHandler and HTTPAuthHandler embed it to reuse its
// ExchangeToken and CreateJWTClaimsAndToken logic. Its fields are unexported
// and are presumably initialised by NewCoreAuthHandler.
type CoreAuthHandler struct {
	// contains filtered or unexported fields
}

CoreAuthHandler is the handler structure shared by the authentication handlers.

func NewCoreAuthHandler added in v1.2.1

func NewCoreAuthHandler(cfg *config.Config) *CoreAuthHandler

NewCoreAuthHandler creates a new core authentication handler

func (*CoreAuthHandler) CreateJWTClaimsAndToken added in v1.2.1

func (h *CoreAuthHandler) CreateJWTClaimsAndToken(ctx context.Context, authMethod auth.Method, domain string, permissions []auth.Permission) (*auth.TokenResponse, error)

CreateJWTClaimsAndToken creates JWT claims and generates a token response

func (*CoreAuthHandler) ExchangeToken added in v1.2.1

func (h *CoreAuthHandler) ExchangeToken(
	ctx context.Context,
	domain, timestamp, signedTimestamp string,
	keyFetcher KeyFetcher,
	includeSubdomains bool,
	authMethod auth.Method) (*auth.TokenResponse, error)

ExchangeToken is the shared token-exchange implementation; it takes a key fetcher function, a subdomain inclusion flag, and an auth method.

type DNSAuthHandler

// DNSAuthHandler handles DNS-based authentication: the caller proves control
// of a domain with an Ed25519 signature over a timestamp, and the matching
// public key is presumably read from the domain's DNS TXT records via
// DNSResolver.LookupTXT — confirm. The embedded CoreAuthHandler supplies the
// shared token-exchange logic.
type DNSAuthHandler struct {
	CoreAuthHandler
	// contains filtered or unexported fields
}

DNSAuthHandler handles DNS-based authentication

func NewDNSAuthHandler

func NewDNSAuthHandler(cfg *config.Config) *DNSAuthHandler

NewDNSAuthHandler creates a new DNS authentication handler

func (*DNSAuthHandler) ExchangeToken

func (h *DNSAuthHandler) ExchangeToken(ctx context.Context, domain, timestamp, signedTimestamp string) (*auth.TokenResponse, error)

ExchangeToken exchanges DNS signature for a Registry JWT token

func (*DNSAuthHandler) SetResolver

func (h *DNSAuthHandler) SetResolver(resolver DNSResolver)

SetResolver sets a custom DNS resolver (used for testing)

type DNSResolver

// DNSResolver defines the interface for DNS resolution used by DNSAuthHandler.
// DefaultDNSResolver is the standard implementation; DNSAuthHandler.SetResolver
// swaps in a custom one for tests.
type DNSResolver interface {
	// LookupTXT returns the TXT records published for name. ctx is passed
	// through to the lookup, presumably for cancellation and deadlines.
	LookupTXT(ctx context.Context, name string) ([]string, error)
}

DNSResolver defines the interface for DNS resolution

type DNSTokenExchangeInput

// DNSTokenExchangeInput is the request wrapper for the DNS authentication
// endpoint. It reuses SignatureTokenExchangeInput, so the DNS and HTTP
// endpoints accept the same domain/timestamp/signature triple.
type DNSTokenExchangeInput struct {
	// Body carries the domain, the RFC3339 timestamp and its hex-encoded
	// Ed25519 signature.
	Body SignatureTokenExchangeInput
}

DNSTokenExchangeInput represents the input for DNS-based authentication

type DefaultDNSResolver

// DefaultDNSResolver uses Go's standard DNS resolution and implements
// DNSResolver. It has no fields, so the zero value is ready to use.
type DefaultDNSResolver struct{}

DefaultDNSResolver uses Go's standard DNS resolution

func (*DefaultDNSResolver) LookupTXT

func (r *DefaultDNSResolver) LookupTXT(ctx context.Context, name string) ([]string, error)

LookupTXT performs DNS TXT record lookup

type DefaultHTTPKeyFetcher

// DefaultHTTPKeyFetcher fetches a domain's public key from its well-known
// HTTP endpoint using Go's standard HTTP client, and implements
// HTTPKeyFetcher. Build it with NewDefaultHTTPKeyFetcher (client with a
// timeout) or NewDefaultHTTPKeyFetcherWithClient (caller-supplied client,
// e.g. to inject transports or TLS settings in tests).
type DefaultHTTPKeyFetcher struct {
	// contains filtered or unexported fields
}

DefaultHTTPKeyFetcher uses Go's standard HTTP client

func NewDefaultHTTPKeyFetcher

func NewDefaultHTTPKeyFetcher() *DefaultHTTPKeyFetcher

NewDefaultHTTPKeyFetcher creates a new HTTP key fetcher with a timeout.

func NewDefaultHTTPKeyFetcherWithClient added in v1.2.1

func NewDefaultHTTPKeyFetcherWithClient(client *http.Client) *DefaultHTTPKeyFetcher

NewDefaultHTTPKeyFetcherWithClient creates a new HTTP key fetcher with a custom HTTP client. This is primarily useful in tests to inject transports or TLS settings.

func (*DefaultHTTPKeyFetcher) FetchKey

func (f *DefaultHTTPKeyFetcher) FetchKey(ctx context.Context, domain string) (string, error)

FetchKey fetches the public key from the well-known HTTP endpoint

type GenericOIDCValidator

// GenericOIDCValidator is the validator interface OIDCHandler uses for ID
// tokens from any provider; StandardOIDCValidator is the standard
// implementation and OIDCHandler.SetValidator swaps in a custom one for tests.
// Compare OIDCValidator, which is GitHub-specific and takes an explicit
// audience.
type GenericOIDCValidator interface {
	// ValidateToken verifies token and returns the claims extracted from it,
	// or an error if the token is not acceptable.
	ValidateToken(ctx context.Context, token string) (*OIDCClaims, error)
}

GenericOIDCValidator defines the interface for validating OIDC tokens from any provider

type GitHubHandler

// GitHubHandler handles GitHub authentication based on a caller-supplied
// GitHub OAuth token (see ExchangeToken). SetBaseURL redirects its GitHub API
// calls and is used for testing.
type GitHubHandler struct {
	// contains filtered or unexported fields
}

GitHubHandler handles GitHub authentication

func NewGitHubHandler

func NewGitHubHandler(cfg *config.Config) *GitHubHandler

NewGitHubHandler creates a new GitHub handler

func (*GitHubHandler) ExchangeToken

func (h *GitHubHandler) ExchangeToken(ctx context.Context, githubToken string) (*auth.TokenResponse, error)

ExchangeToken exchanges a GitHub OAuth token for a Registry JWT token

func (*GitHubHandler) SetBaseURL

func (h *GitHubHandler) SetBaseURL(url string)

SetBaseURL sets the base URL for GitHub API (used for testing)

type GitHubOIDCClaims

// GitHubOIDCClaims represents the claims we need from a GitHub OIDC token.
// It is what OIDCValidator.ValidateToken returns.
type GitHubOIDCClaims struct {
	// RegisteredClaims supplies the standard iss/sub/aud/exp/nbf/iat/jti
	// fields from the jwt library.
	jwt.RegisteredClaims
	// RepositoryOwner is the "repository_owner" claim: the user or
	// organization owning the repository that ran the workflow.
	RepositoryOwner string `json:"repository_owner"` // e.g., "octo-org"
}

GitHubOIDCClaims represents the claims we need from a GitHub OIDC token

type GitHubOIDCHandler

// GitHubOIDCHandler handles GitHub OIDC authentication, exchanging a GitHub
// Actions OIDC token for a Registry JWT (see ExchangeToken). SetValidator
// replaces the OIDCValidator it uses and is intended for testing.
type GitHubOIDCHandler struct {
	// contains filtered or unexported fields
}

GitHubOIDCHandler handles GitHub OIDC authentication

func NewGitHubOIDCHandler

func NewGitHubOIDCHandler(cfg *config.Config) *GitHubOIDCHandler

NewGitHubOIDCHandler creates a new GitHub OIDC handler

func (*GitHubOIDCHandler) ExchangeToken

func (h *GitHubOIDCHandler) ExchangeToken(ctx context.Context, oidcToken string) (*auth.TokenResponse, error)

ExchangeToken exchanges a GitHub OIDC token for a Registry JWT token

func (*GitHubOIDCHandler) SetValidator

func (h *GitHubOIDCHandler) SetValidator(validator OIDCValidator)

SetValidator sets a custom OIDC validator (used for testing)

type GitHubOIDCTokenExchangeInput

// GitHubOIDCTokenExchangeInput is the request wrapper for the GitHub OIDC
// token exchange endpoint.
type GitHubOIDCTokenExchangeInput struct {
	Body struct {
		// OIDCToken is the GitHub Actions OIDC token to exchange; required.
		OIDCToken string `json:"oidc_token" doc:"GitHub Actions OIDC token" required:"true"`
	}
}

GitHubOIDCTokenExchangeInput represents the input for GitHub OIDC token exchange

type GitHubOIDCValidator

// GitHubOIDCValidator validates GitHub OIDC tokens and implements
// OIDCValidator. NewGitHubOIDCValidator builds the production validator;
// NewMockOIDCValidator points one at a caller-chosen JWKS URL and issuer and
// is meant for tests only.
type GitHubOIDCValidator struct {
	// contains filtered or unexported fields
}

GitHubOIDCValidator validates GitHub OIDC tokens

func NewGitHubOIDCValidator

func NewGitHubOIDCValidator() *GitHubOIDCValidator

NewGitHubOIDCValidator creates a new GitHub OIDC validator

func NewMockOIDCValidator

func NewMockOIDCValidator(jwksURL, issuer string) *GitHubOIDCValidator

NewMockOIDCValidator creates a mock validator for testing

func (*GitHubOIDCValidator) ValidateToken

func (v *GitHubOIDCValidator) ValidateToken(ctx context.Context, tokenString string, audience string) (*GitHubOIDCClaims, error)

ValidateToken validates a GitHub OIDC token

type GitHubTokenExchangeInput

// GitHubTokenExchangeInput is the request wrapper for the GitHub OAuth token
// exchange endpoint.
type GitHubTokenExchangeInput struct {
	Body struct {
		// GitHubToken is the GitHub OAuth token to exchange; required.
		GitHubToken string `json:"github_token" doc:"GitHub OAuth token" required:"true"`
	}
}

GitHubTokenExchangeInput represents the input for GitHub token exchange

type GitHubUserOrOrg

// GitHubUserOrOrg holds the fields read from a GitHub user or organization
// object: its login name and numeric id. Presumably it is the decode target
// for the GitHub API calls made by GitHubHandler — confirm.
type GitHubUserOrOrg struct {
	Login string `json:"login"` // account login name
	ID    int    `json:"id"`    // numeric account id
}

type HTTPAuthHandler

// HTTPAuthHandler handles HTTP-based authentication: the caller proves
// control of a domain with an Ed25519 signature over a timestamp, and the
// matching public key is fetched from the domain's well-known HTTP endpoint
// via HTTPKeyFetcher. The embedded CoreAuthHandler supplies the shared
// token-exchange logic.
type HTTPAuthHandler struct {
	CoreAuthHandler
	// contains filtered or unexported fields
}

HTTPAuthHandler handles HTTP-based authentication

func NewHTTPAuthHandler

func NewHTTPAuthHandler(cfg *config.Config) *HTTPAuthHandler

NewHTTPAuthHandler creates a new HTTP authentication handler

func (*HTTPAuthHandler) ExchangeToken

func (h *HTTPAuthHandler) ExchangeToken(ctx context.Context, domain, timestamp, signedTimestamp string) (*auth.TokenResponse, error)

ExchangeToken exchanges HTTP signature for a Registry JWT token

func (*HTTPAuthHandler) SetFetcher

func (h *HTTPAuthHandler) SetFetcher(fetcher HTTPKeyFetcher)

SetFetcher sets a custom HTTP key fetcher (used for testing)

type HTTPKeyFetcher

// HTTPKeyFetcher defines the interface for fetching a domain's HTTP-published
// key. DefaultHTTPKeyFetcher is the standard implementation;
// HTTPAuthHandler.SetFetcher swaps in a custom one for tests.
type HTTPKeyFetcher interface {
	// FetchKey returns the key published for domain as a string, or an error
	// if it could not be retrieved.
	FetchKey(ctx context.Context, domain string) (string, error)
}

HTTPKeyFetcher defines the interface for fetching HTTP keys

type HTTPTokenExchangeInput

// HTTPTokenExchangeInput is the request wrapper for the HTTP authentication
// endpoint. It reuses SignatureTokenExchangeInput, so the HTTP and DNS
// endpoints accept the same domain/timestamp/signature triple.
type HTTPTokenExchangeInput struct {
	// Body carries the domain, the RFC3339 timestamp and its hex-encoded
	// Ed25519 signature.
	Body SignatureTokenExchangeInput
}

HTTPTokenExchangeInput represents the input for HTTP-based authentication

type JWK

// JWK represents a JSON Web Key. Only the members of an RSA public key are
// modelled (kty/kid/use plus the modulus n and exponent e, base64url-encoded
// as in RFC 7518 §6.3); a key of any other type would decode with empty N
// and E, so callers should check KTY before using the parameters.
type JWK struct {
	KTY string `json:"kty"` // key type, e.g. "RSA"
	KID string `json:"kid"` // key id; typically matched against a token's kid header
	Use string `json:"use"` // intended use, e.g. "sig"
	N   string `json:"n"`   // RSA modulus
	E   string `json:"e"`   // RSA public exponent
}

JWK represents a JSON Web Key

type JWKS

// JWKS represents a JSON Web Key Set, the document served at a JWKS URL
// (see NewMockOIDCValidator). It is the decode target for the "keys" array.
type JWKS struct {
	Keys []JWK `json:"keys"` // the published keys, in document order
}

JWKS represents a JSON Web Key Set

type KeyFetcher added in v1.2.1

// KeyFetcher is the function type CoreAuthHandler.ExchangeToken uses to obtain
// the candidate public keys published for domain from an external source
// (presumably DNS for DNSAuthHandler and HTTP for HTTPAuthHandler — confirm).
// Each returned string is one key as published; the set is then used for
// signature verification, presumably after ParseMCPKeysFromStrings.
type KeyFetcher func(ctx context.Context, domain string) ([]string, error)

KeyFetcher defines a function type for fetching keys from external sources

type NoneHandler

// NoneHandler handles anonymous authentication: GetAnonymousToken issues a
// Registry JWT without any credential. The endpoint it backs is, per
// RegisterNoneEndpoint, intended for local development and automated tests
// only.
type NoneHandler struct {
	// contains filtered or unexported fields
}

NoneHandler handles anonymous authentication

func NewNoneHandler

func NewNoneHandler(cfg *config.Config) *NoneHandler

NewNoneHandler creates a new anonymous authentication handler

func (*NoneHandler) GetAnonymousToken

func (h *NoneHandler) GetAnonymousToken(ctx context.Context) (*auth.TokenResponse, error)

GetAnonymousToken generates an anonymous Registry JWT token

type OIDCClaims

// OIDCClaims represents the claims we extract from any OIDC token; it is what
// GenericOIDCValidator.ValidateToken returns.
type OIDCClaims struct {
	Subject     string         `json:"sub"` // subject identifier
	Issuer      string         `json:"iss"` // token issuer
	// Audience is the aud claim. NOTE(review): an aud serialized as a bare
	// string rather than an array would not decode into []string with
	// encoding/json — confirm how this struct is populated.
	Audience    []string       `json:"aud"`
	// ExtraClaims holds any remaining claims. The "-" tag keeps it out of
	// JSON encoding and decoding, so it has to be filled in separately.
	ExtraClaims map[string]any `json:"-"`
}

OIDCClaims represents the claims we extract from any OIDC token

type OIDCHandler

// OIDCHandler handles configurable OIDC authentication, exchanging an OIDC ID
// token from any provider for a Registry JWT (see ExchangeToken). SetValidator
// replaces the GenericOIDCValidator it uses and is intended for testing.
type OIDCHandler struct {
	// contains filtered or unexported fields
}

OIDCHandler handles configurable OIDC authentication

func NewOIDCHandler

func NewOIDCHandler(cfg *config.Config) *OIDCHandler

NewOIDCHandler creates a new OIDC handler

func (*OIDCHandler) ExchangeToken

func (h *OIDCHandler) ExchangeToken(ctx context.Context, oidcToken string) (*auth.TokenResponse, error)

ExchangeToken exchanges an OIDC ID token for a Registry JWT token

func (*OIDCHandler) SetValidator

func (h *OIDCHandler) SetValidator(validator GenericOIDCValidator)

SetValidator sets a custom OIDC validator (used for testing)

type OIDCTokenExchangeInput

// OIDCTokenExchangeInput is the request wrapper for the generic OIDC token
// exchange endpoint.
type OIDCTokenExchangeInput struct {
	Body struct {
		// OIDCToken is the OIDC ID token to exchange; required.
		OIDCToken string `json:"oidc_token" doc:"OIDC ID token from any provider" required:"true"`
	}
}

OIDCTokenExchangeInput represents the input for OIDC token exchange

type OIDCValidator

// OIDCValidator defines the interface for GitHub OIDC token validation used by
// GitHubOIDCHandler. GitHubOIDCValidator is the standard implementation;
// GitHubOIDCHandler.SetValidator swaps in a custom one for tests. Unlike
// GenericOIDCValidator, the caller supplies the expected audience explicitly.
type OIDCValidator interface {
	// ValidateToken verifies token for the given audience and returns the
	// GitHub-specific claims, or an error if the token is not acceptable.
	ValidateToken(ctx context.Context, token string, audience string) (*GitHubOIDCClaims, error)
}

OIDCValidator defines the interface for OIDC token validation

type SignatureTokenExchangeInput added in v1.2.1

// SignatureTokenExchangeInput is the common request body for the DNS and HTTP
// signature-based token exchanges (see DNSTokenExchangeInput and
// HTTPTokenExchangeInput). The caller proves control of Domain by signing
// Timestamp with the Ed25519 key published for that domain. The timestamp is
// presumably held to a freshness window by ValidateDomainAndTimestamp so that
// a captured signature cannot be replayed indefinitely — confirm.
type SignatureTokenExchangeInput struct {
	// Domain is the domain being authenticated; presumably checked with
	// IsValidDomain before any key lookup.
	Domain          string `json:"domain" doc:"Domain name" example:"example.com" required:"true"`
	// Timestamp is the RFC3339 time that was signed.
	Timestamp       string `json:"timestamp" doc:"RFC3339 timestamp" example:"2023-01-01T00:00:00Z" required:"true"`
	// SignedTimestamp is the hex-encoded Ed25519 signature over Timestamp;
	// presumably decoded and length-checked by DecodeAndValidateSignature.
	SignedTimestamp string `json:"signed_timestamp" doc:"Hex-encoded Ed25519 signature of timestamp" example:"abcdef1234567890" required:"true"`
}

SignatureTokenExchangeInput represents the common input structure for token exchange

type StandardOIDCValidator

// StandardOIDCValidator validates OIDC ID tokens using the go-oidc library and
// implements GenericOIDCValidator. NewStandardOIDCValidator configures it for
// one issuer and client ID (the expected audience).
type StandardOIDCValidator struct {
	// contains filtered or unexported fields
}

StandardOIDCValidator validates OIDC tokens using the go-oidc library.

func NewStandardOIDCValidator

func NewStandardOIDCValidator(issuer, clientID string) (*StandardOIDCValidator, error)

NewStandardOIDCValidator creates a new standard OIDC validator using the go-oidc library.

func (*StandardOIDCValidator) ValidateToken

func (v *StandardOIDCValidator) ValidateToken(ctx context.Context, tokenString string) (*OIDCClaims, error)

ValidateToken validates an OIDC ID token using the go-oidc library.
