
Constants

// MaxKeyResponseSize caps the size of the response body read from the HTTP
// public-key endpoint. Presumably enforced by DefaultHTTPKeyFetcher.FetchKey so
// that a slow or hostile endpoint cannot make the server buffer an unbounded
// body — confirm against the implementation.
const MaxKeyResponseSize = 4096

MaxKeyResponseSize is the maximum size of the response body from the HTTP endpoint.

Variables

This section is empty.

Functions

func BuildPermissions added in v1.2.1

func BuildPermissions(domain string, includeSubdomains bool) []auth.Permission

BuildPermissions builds the permission set for a domain, optionally covering its subdomains as well.

func DecodeAndValidateSignature added in v1.2.1

func DecodeAndValidateSignature(signedTimestamp string) ([]byte, error)

func IsValidDomain added in v1.2.1

func IsValidDomain(domain string) bool

func ParseMCPKeysFromStrings added in v1.2.1

func ParseMCPKeysFromStrings(inputs []string) []ed25519.PublicKey

func RegisterAuthEndpoints

func RegisterAuthEndpoints(api huma.API, pathPrefix string, cfg *config.Config)

RegisterAuthEndpoints registers all authentication endpoints with a custom path prefix

func RegisterDNSEndpoint

func RegisterDNSEndpoint(api huma.API, pathPrefix string, cfg *config.Config)

RegisterDNSEndpoint registers the DNS authentication endpoint

func RegisterGitHubATEndpoint

func RegisterGitHubATEndpoint(api huma.API, pathPrefix string, cfg *config.Config)

RegisterGitHubATEndpoint registers the GitHub access token authentication endpoint with a custom path prefix

func RegisterGitHubOIDCEndpoint

func RegisterGitHubOIDCEndpoint(api huma.API, pathPrefix string, cfg *config.Config)

RegisterGitHubOIDCEndpoint registers the GitHub OIDC authentication endpoint

func RegisterHTTPEndpoint

func RegisterHTTPEndpoint(api huma.API, pathPrefix string, cfg *config.Config)

RegisterHTTPEndpoint registers the HTTP authentication endpoint

func RegisterNoneEndpoint

func RegisterNoneEndpoint(api huma.API, pathPrefix string, cfg *config.Config)

RegisterNoneEndpoint registers the anonymous authentication endpoint. WARNING: This endpoint is intended for local development and automated tests only. It must NOT be enabled in production environments, because it bypasses normal authentication.

func RegisterOIDCEndpoints

func RegisterOIDCEndpoints(api huma.API, pathPrefix string, cfg *config.Config)

RegisterOIDCEndpoints registers all OIDC authentication endpoints

func ReverseString added in v1.2.1

func ReverseString(domain string) string

ReverseString reverses the order of the dot-separated labels of a domain string (example.com -> com.example).

func ValidateDomainAndTimestamp added in v1.2.1

func ValidateDomainAndTimestamp(domain, timestamp string) (*time.Time, error)

ValidateDomainAndTimestamp validates the domain format and timestamp

func VerifySignatureWithKeys added in v1.2.1

func VerifySignatureWithKeys(publicKeys []ed25519.PublicKey, messageBytes []byte, signature []byte) bool

Types

type CoreAuthHandler added in v1.2.1

// CoreAuthHandler holds the state shared by the signature-based handlers
// (DNSAuthHandler and HTTPAuthHandler embed it) and implements the common
// token-exchange path, see ExchangeToken and CreateJWTClaimsAndToken.
type CoreAuthHandler struct {
	// contains filtered or unexported fields
}

CoreAuthHandler represents the common handler structure

func NewCoreAuthHandler added in v1.2.1

func NewCoreAuthHandler(cfg *config.Config) *CoreAuthHandler

NewCoreAuthHandler creates a new core authentication handler

func (*CoreAuthHandler) CreateJWTClaimsAndToken added in v1.2.1

func (h *CoreAuthHandler) CreateJWTClaimsAndToken(ctx context.Context, authMethod auth.Method, domain string, permissions []auth.Permission) (*auth.TokenResponse, error)

CreateJWTClaimsAndToken creates JWT claims and generates a token response

func (*CoreAuthHandler) ExchangeToken added in v1.2.1

func (h *CoreAuthHandler) ExchangeToken(
	ctx context.Context,
	domain, timestamp, signedTimestamp string,
	keyFetcher KeyFetcher,
	includeSubdomains bool,
	authMethod auth.Method) (*auth.TokenResponse, error)

ExchangeToken is a shared method for token exchange that takes a key fetcher function, subdomain inclusion flag, and auth method

type DNSAuthHandler

// DNSAuthHandler handles DNS-based authentication. Presumably the caller proves
// control of a domain by signing a timestamp with a key published in that
// domain's TXT records, which the handler looks up through its DNSResolver
// (replaceable via SetResolver). The embedded CoreAuthHandler supplies the
// shared validation and token-issuance logic.
type DNSAuthHandler struct {
	CoreAuthHandler
	// contains filtered or unexported fields
}

DNSAuthHandler handles DNS-based authentication

func NewDNSAuthHandler

func NewDNSAuthHandler(cfg *config.Config) *DNSAuthHandler

NewDNSAuthHandler creates a new DNS authentication handler

func (*DNSAuthHandler) ExchangeToken

func (h *DNSAuthHandler) ExchangeToken(ctx context.Context, domain, timestamp, signedTimestamp string) (*auth.TokenResponse, error)

ExchangeToken exchanges DNS signature for a Registry JWT token

func (*DNSAuthHandler) SetResolver

func (h *DNSAuthHandler) SetResolver(resolver DNSResolver)

SetResolver sets a custom DNS resolver (used for testing)

type DNSResolver

// DNSResolver is the lookup seam used by DNSAuthHandler. The production
// implementation is DefaultDNSResolver; tests inject their own via
// DNSAuthHandler.SetResolver.
type DNSResolver interface {
	// LookupTXT returns the TXT records for name. Implementations should honour
	// ctx so a slow resolver cannot stall the token-exchange request.
	LookupTXT(ctx context.Context, name string) ([]string, error)
}

DNSResolver defines the interface for DNS resolution

type DNSTokenExchangeInput

// DNSTokenExchangeInput is the huma request wrapper for the DNS authentication
// endpoint; the JSON body is the shared SignatureTokenExchangeInput.
type DNSTokenExchangeInput struct {
	Body SignatureTokenExchangeInput
}

DNSTokenExchangeInput represents the input for DNS-based authentication

type DefaultDNSResolver

// DefaultDNSResolver is the DNSResolver backed by Go's standard resolver. It is
// stateless; the zero value is ready to use.
type DefaultDNSResolver struct{}

DefaultDNSResolver uses Go's standard DNS resolution

func (*DefaultDNSResolver) LookupTXT

func (r *DefaultDNSResolver) LookupTXT(ctx context.Context, name string) ([]string, error)

LookupTXT performs DNS TXT record lookup

type DefaultHTTPKeyFetcher

// DefaultHTTPKeyFetcher is the HTTPKeyFetcher backed by Go's standard HTTP
// client. Construct it with NewDefaultHTTPKeyFetcher (client with a timeout) or
// NewDefaultHTTPKeyFetcherWithClient to supply a custom client, e.g. for TLS
// settings or test transports.
type DefaultHTTPKeyFetcher struct {
	// contains filtered or unexported fields
}

DefaultHTTPKeyFetcher uses Go's standard HTTP client

func NewDefaultHTTPKeyFetcher

func NewDefaultHTTPKeyFetcher() *DefaultHTTPKeyFetcher

NewDefaultHTTPKeyFetcher creates a new HTTP key fetcher with timeout

func NewDefaultHTTPKeyFetcherWithClient added in v1.2.1

func NewDefaultHTTPKeyFetcherWithClient(client *http.Client) *DefaultHTTPKeyFetcher

NewDefaultHTTPKeyFetcherWithClient creates a new HTTP key fetcher with a custom HTTP client. This is primarily useful in tests to inject transports or TLS settings.

func (*DefaultHTTPKeyFetcher) FetchKey

func (f *DefaultHTTPKeyFetcher) FetchKey(ctx context.Context, domain string) (string, error)

FetchKey fetches the public key from the well-known HTTP endpoint

type GenericOIDCValidator

// GenericOIDCValidator validates ID tokens from any OIDC provider and returns
// the provider-agnostic OIDCClaims. Unlike OIDCValidator (GitHub-specific), the
// expected audience is not passed per call, so it is presumably fixed at
// construction (see NewStandardOIDCValidator's clientID) — confirm.
type GenericOIDCValidator interface {
	ValidateToken(ctx context.Context, token string) (*OIDCClaims, error)
}

GenericOIDCValidator defines the interface for validating OIDC tokens from any provider

type GitHubHandler

// GitHubHandler exchanges a GitHub OAuth access token for a Registry JWT. The
// GitHub API base URL is overridable via SetBaseURL for tests.
type GitHubHandler struct {
	// contains filtered or unexported fields
}

GitHubHandler handles GitHub authentication

func NewGitHubHandler

func NewGitHubHandler(cfg *config.Config) *GitHubHandler

NewGitHubHandler creates a new GitHub handler

func (*GitHubHandler) ExchangeToken

func (h *GitHubHandler) ExchangeToken(ctx context.Context, githubToken string) (*auth.TokenResponse, error)

ExchangeToken exchanges a GitHub OAuth token for a Registry JWT token

func (*GitHubHandler) SetBaseURL

func (h *GitHubHandler) SetBaseURL(url string)

SetBaseURL sets the base URL for GitHub API (used for testing)

type GitHubOIDCClaims

// GitHubOIDCClaims is the subset of a GitHub Actions OIDC token this package
// consumes. The embedded RegisteredClaims carries the standard iss/sub/aud/exp/
// nbf/iat fields that token validation relies on; RepositoryOwner is the
// GitHub-specific claim, presumably the identity the issued Registry token is
// bound to — confirm against GitHubOIDCHandler.ExchangeToken.
type GitHubOIDCClaims struct {
	jwt.RegisteredClaims
	RepositoryOwner string `json:"repository_owner"` // e.g., "octo-org"
}

GitHubOIDCClaims represents the claims we need from a GitHub OIDC token

type GitHubOIDCHandler

// GitHubOIDCHandler exchanges a GitHub Actions OIDC token for a Registry JWT.
// Token verification is delegated to an OIDCValidator, replaceable via
// SetValidator for tests.
type GitHubOIDCHandler struct {
	// contains filtered or unexported fields
}

GitHubOIDCHandler handles GitHub OIDC authentication

func NewGitHubOIDCHandler

func NewGitHubOIDCHandler(cfg *config.Config) *GitHubOIDCHandler

NewGitHubOIDCHandler creates a new GitHub OIDC handler

func (*GitHubOIDCHandler) ExchangeToken

func (h *GitHubOIDCHandler) ExchangeToken(ctx context.Context, oidcToken string) (*auth.TokenResponse, error)

ExchangeToken exchanges a GitHub OIDC token for a Registry JWT token

func (*GitHubOIDCHandler) SetValidator

func (h *GitHubOIDCHandler) SetValidator(validator OIDCValidator)

SetValidator sets a custom OIDC validator (used for testing)

type GitHubOIDCTokenExchangeInput

// GitHubOIDCTokenExchangeInput is the huma request wrapper for the GitHub OIDC
// endpoint. The token is caller-supplied and is only trusted after the
// configured OIDCValidator has verified it.
type GitHubOIDCTokenExchangeInput struct {
	Body struct {
		OIDCToken string `json:"oidc_token" doc:"GitHub Actions OIDC token" required:"true"`
	}
}

GitHubOIDCTokenExchangeInput represents the input for GitHub OIDC token exchange

type GitHubOIDCValidator

// GitHubOIDCValidator implements OIDCValidator for GitHub Actions tokens.
// NewGitHubOIDCValidator builds the production instance; NewMockOIDCValidator
// points it at a caller-chosen JWKS URL and issuer and is for tests only.
type GitHubOIDCValidator struct {
	// contains filtered or unexported fields
}

GitHubOIDCValidator validates GitHub OIDC tokens

func NewGitHubOIDCValidator

func NewGitHubOIDCValidator() *GitHubOIDCValidator

NewGitHubOIDCValidator creates a new GitHub OIDC validator

func NewMockOIDCValidator

func NewMockOIDCValidator(jwksURL, issuer string) *GitHubOIDCValidator

NewMockOIDCValidator creates a mock validator for testing

func (*GitHubOIDCValidator) ValidateToken

func (v *GitHubOIDCValidator) ValidateToken(ctx context.Context, tokenString string, audience string) (*GitHubOIDCClaims, error)

ValidateToken validates a GitHub OIDC token

type GitHubTokenExchangeInput

// GitHubTokenExchangeInput is the huma request wrapper for the GitHub access
// token endpoint. The token is a bearer credential supplied by the caller and
// should be treated as a secret in logs and error messages.
type GitHubTokenExchangeInput struct {
	Body struct {
		GitHubToken string `json:"github_token" doc:"GitHub OAuth token" required:"true"`
	}
}

GitHubTokenExchangeInput represents the input for GitHub token exchange

type GitHubUserOrOrg

// GitHubUserOrOrg is the subset of a GitHub user or organization API object
// that this package decodes: the login name and the numeric account ID.
type GitHubUserOrOrg struct {
	Login string `json:"login"`
	ID    int    `json:"id"`
}

type HTTPAuthHandler

// HTTPAuthHandler handles HTTP-based authentication. Presumably the caller
// proves control of a domain by signing a timestamp with a key served from that
// domain's well-known endpoint, which the handler retrieves through its
// HTTPKeyFetcher (replaceable via SetFetcher). The embedded CoreAuthHandler
// supplies the shared validation and token-issuance logic.
type HTTPAuthHandler struct {
	CoreAuthHandler
	// contains filtered or unexported fields
}

HTTPAuthHandler handles HTTP-based authentication

func NewHTTPAuthHandler

func NewHTTPAuthHandler(cfg *config.Config) *HTTPAuthHandler

NewHTTPAuthHandler creates a new HTTP authentication handler

func (*HTTPAuthHandler) ExchangeToken

func (h *HTTPAuthHandler) ExchangeToken(ctx context.Context, domain, timestamp, signedTimestamp string) (*auth.TokenResponse, error)

ExchangeToken exchanges HTTP signature for a Registry JWT token

func (*HTTPAuthHandler) SetFetcher

func (h *HTTPAuthHandler) SetFetcher(fetcher HTTPKeyFetcher)

SetFetcher sets a custom HTTP key fetcher (used for testing)

type HTTPKeyFetcher

// HTTPKeyFetcher is the retrieval seam used by HTTPAuthHandler. The production
// implementation is DefaultHTTPKeyFetcher; tests inject their own via
// HTTPAuthHandler.SetFetcher.
type HTTPKeyFetcher interface {
	// FetchKey returns the raw public-key material published by domain. The
	// returned string is untrusted input and is expected to be parsed and
	// length-checked by the caller.
	FetchKey(ctx context.Context, domain string) (string, error)
}

HTTPKeyFetcher defines the interface for fetching HTTP keys

type HTTPTokenExchangeInput

// HTTPTokenExchangeInput is the huma request wrapper for the HTTP authentication
// endpoint; the JSON body is the shared SignatureTokenExchangeInput.
type HTTPTokenExchangeInput struct {
	Body SignatureTokenExchangeInput
}

HTTPTokenExchangeInput represents the input for HTTP-based authentication

type JWK

// JWK is a JSON Web Key (RFC 7517) as carried in a JWKS document.
//
// Only the RSA public-key members (n, e) are modelled. A key of another type
// (e.g. EC, whose material lives in crv/x/y) would decode with empty N and E,
// so consumers must check KTY and reject keys they cannot reconstruct rather
// than treat them as valid verification keys.
type JWK struct {
	KTY string `json:"kty"` // key type, e.g. "RSA"
	KID string `json:"kid"` // key ID; typically matched against a token header's kid
	Use string `json:"use"` // intended use, e.g. "sig"
	N   string `json:"n"`   // RSA modulus, base64url-encoded (RFC 7518 §6.3.1.1)
	E   string `json:"e"`   // RSA public exponent, base64url-encoded
}

JWK represents a JSON Web Key

type JWKS

// JWKS is a JSON Web Key Set (RFC 7517 §5): the document served at a
// provider's jwks_uri from which the verification key for a token is selected.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

JWKS represents a JSON Web Key Set

type KeyFetcher added in v1.2.1

// KeyFetcher retrieves the candidate public keys published for domain from an
// external source (e.g. DNS TXT records or the well-known HTTP endpoint) as raw
// strings; presumably they are parsed by ParseMCPKeysFromStrings before use —
// confirm. Implementations should honour ctx for cancellation and timeouts.
type KeyFetcher func(ctx context.Context, domain string) ([]string, error)

KeyFetcher defines a function type for fetching keys from external sources

type NoneHandler

// NoneHandler issues Registry JWTs without any caller authentication. It exists
// for local development and automated tests only; see RegisterNoneEndpoint.
type NoneHandler struct {
	// contains filtered or unexported fields
}

NoneHandler handles anonymous authentication

func NewNoneHandler

func NewNoneHandler(cfg *config.Config) *NoneHandler

NewNoneHandler creates a new anonymous authentication handler

func (*NoneHandler) GetAnonymousToken

func (h *NoneHandler) GetAnonymousToken(ctx context.Context) (*auth.TokenResponse, error)

GetAnonymousToken generates an anonymous Registry JWT token

type OIDCClaims

// OIDCClaims is the provider-agnostic subset of claims extracted from a
// verified OIDC ID token.
type OIDCClaims struct {
	Subject     string         `json:"sub"`
	Issuer      string         `json:"iss"`
	// Declared as a slice, but OIDC permits a single-string aud; decoding such a
	// token into []string with encoding/json fails, so the populating validator
	// (StandardOIDCValidator via go-oidc) presumably normalises it — confirm.
	Audience    []string       `json:"aud"`
	// Ignored by encoding/json; presumably filled in by the validator with any
	// claims not mapped to the fields above — confirm.
	ExtraClaims map[string]any `json:"-"`
}

OIDCClaims represents the claims we extract from any OIDC token

type OIDCHandler

// OIDCHandler exchanges an ID token from a configured OIDC provider for a
// Registry JWT. Token verification is delegated to a GenericOIDCValidator,
// replaceable via SetValidator for tests.
type OIDCHandler struct {
	// contains filtered or unexported fields
}

OIDCHandler handles configurable OIDC authentication

func NewOIDCHandler

func NewOIDCHandler(cfg *config.Config) *OIDCHandler

NewOIDCHandler creates a new OIDC handler

func (*OIDCHandler) ExchangeToken

func (h *OIDCHandler) ExchangeToken(ctx context.Context, oidcToken string) (*auth.TokenResponse, error)

ExchangeToken exchanges an OIDC ID token for a Registry JWT token

func (*OIDCHandler) SetValidator

func (h *OIDCHandler) SetValidator(validator GenericOIDCValidator)

SetValidator sets a custom OIDC validator (used for testing)

type OIDCTokenExchangeInput

// OIDCTokenExchangeInput is the huma request wrapper for the generic OIDC
// endpoint. The token is caller-supplied and is only trusted after the
// configured GenericOIDCValidator has verified it.
type OIDCTokenExchangeInput struct {
	Body struct {
		OIDCToken string `json:"oidc_token" doc:"OIDC ID token from any provider" required:"true"`
	}
}

OIDCTokenExchangeInput represents the input for OIDC token exchange

type OIDCValidator

// OIDCValidator validates GitHub Actions OIDC tokens and returns the
// GitHub-specific claims. The expected audience is passed per call, so callers
// must supply the value the token was minted for; accepting a token with a
// different aud would let a token intended for another service be replayed here.
type OIDCValidator interface {
	ValidateToken(ctx context.Context, token string, audience string) (*GitHubOIDCClaims, error)
}

OIDCValidator defines the interface for OIDC token validation

type SignatureTokenExchangeInput added in v1.2.1

// SignatureTokenExchangeInput is the request body shared by the DNS and HTTP
// challenge flows. All three fields are caller-supplied and untrusted;
// presumably ValidateDomainAndTimestamp and DecodeAndValidateSignature are the
// gates they pass through before any key lookup happens — confirm.
//
// NOTE(review): the `example` tag on SignedTimestamp is 16 hex characters,
// whereas a hex-encoded Ed25519 signature is 128 (64 bytes); the example is
// therefore not a well-formed value. It only feeds the generated API docs and
// has no effect on validation.
type SignatureTokenExchangeInput struct {
	Domain          string `json:"domain" doc:"Domain name" example:"example.com" required:"true"`
	Timestamp       string `json:"timestamp" doc:"RFC3339 timestamp" example:"2023-01-01T00:00:00Z" required:"true"`
	SignedTimestamp string `json:"signed_timestamp" doc:"Hex-encoded Ed25519 signature of timestamp" example:"abcdef1234567890" required:"true"`
}

SignatureTokenExchangeInput represents the common input structure for token exchange

type StandardOIDCValidator

// StandardOIDCValidator implements GenericOIDCValidator on top of the go-oidc
// library. Issuer and client ID (the expected audience) are fixed at
// construction by NewStandardOIDCValidator.
type StandardOIDCValidator struct {
	// contains filtered or unexported fields
}

StandardOIDCValidator validates OIDC tokens using go-oidc library

func NewStandardOIDCValidator

func NewStandardOIDCValidator(issuer, clientID string) (*StandardOIDCValidator, error)

NewStandardOIDCValidator creates a new standard OIDC validator using go-oidc

func (*StandardOIDCValidator) ValidateToken

func (v *StandardOIDCValidator) ValidateToken(ctx context.Context, tokenString string) (*OIDCClaims, error)

ValidateToken validates an OIDC ID token using go-oidc library
