Documentation
Index
Constants
const (
	// DefaultUserIDClaim is the default JWT claim used to extract user IDs
	DefaultUserIDClaim = "sub"
	// Wildcard is a special user ID that matches all users
	Wildcard = "*"
)
Variables
var (
	ErrEmptyUserID           = errors.New("JWT user ID is empty")
	ErrUserNotAuthorized     = errors.New("user is not authorized to access this peer")
	ErrNoMachineUserMapping  = errors.New("no authorization mapping for OS user")
	ErrUserNotMappedToOSUser = errors.New("user is not authorized to login as OS user")
)
Functions
This section is empty.
Types
type Authorizer
type Authorizer struct {
// contains filtered or unexported fields
}
Authorizer handles SSH fine-grained access control authorization
func NewAuthorizer
func NewAuthorizer() *Authorizer
NewAuthorizer creates a new SSH authorizer with empty configuration
func (*Authorizer) Authorize
func (a *Authorizer) Authorize(jwtUserID, osUsername string) (string, error)
Authorize checks whether a user is authorized to log in as the specified OS user. It returns a success message describing how authorization was granted, or an error (one of the package's Err* variables).
func (*Authorizer) GetUserIDClaim
func (a *Authorizer) GetUserIDClaim() string
GetUserIDClaim returns the JWT claim name used to extract user IDs
func (*Authorizer) Update
func (a *Authorizer) Update(config *Config)
Update updates the authorizer configuration with new values
type Config
type Config struct {
// UserIDClaim is the JWT claim to extract the user ID from (e.g., "sub", "email")
UserIDClaim string
// AuthorizedUsers is a list of hashed user IDs (FNV-1a 64-bit) authorized to access this peer
AuthorizedUsers []sshuserhash.UserIDHash
// MachineUsers maps OS login usernames to indexes into AuthorizedUsers.
// For a user to log in as a given OS user, the index of their entry in AuthorizedUsers must appear in that OS user's list.
MachineUsers map[string][]uint32
}
Config contains configuration for the SSH authorizer
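To make the Config semantics concrete, here is an added, self-contained Go model of the authorization decision (not the package's own code): user IDs are hashed with FNV-1a 64-bit via hash/fnv, looked up in AuthorizedUsers, and the matched index is then checked against the OS user's MachineUsers list. The UserIDHash type, the treatment of Wildcard as a listed hash that covers every user, and the order in which the errors are returned are assumptions.

```go
package main

import (
	"errors"
	"hash/fnv"
)
const Wildcard = "*" // assumption: when its hash is listed, any user matches that entry
var (
	ErrEmptyUserID           = errors.New("JWT user ID is empty")
	ErrUserNotAuthorized     = errors.New("user is not authorized to access this peer")
	ErrNoMachineUserMapping  = errors.New("no authorization mapping for OS user")
	ErrUserNotMappedToOSUser = errors.New("user is not authorized to login as OS user")
)
// UserIDHash stands in for sshuserhash.UserIDHash; assumed to be FNV-1a 64-bit of the raw ID.
type UserIDHash uint64
func HashUserID(id string) UserIDHash {
	h := fnv.New64a()
	h.Write([]byte(id)) // hash.Hash64 writes never fail
	return UserIDHash(h.Sum64())
}
type Config struct {
	AuthorizedUsers []UserIDHash
	MachineUsers    map[string][]uint32 // OS user -> indexes into AuthorizedUsers
}
// Authorize models the documented checks in an assumed order: non-empty ID, hash listed (directly or via the wildcard), OS user mapped, matched index permitted.
func Authorize(cfg *Config, jwtUserID, osUsername string) (string, error) {
	if jwtUserID == "" {
		return "", ErrEmptyUserID
	}
	user, wild := HashUserID(jwtUserID), HashUserID(Wildcard)
	matched := map[uint32]bool{} // entries of AuthorizedUsers that cover this user
	for i, h := range cfg.AuthorizedUsers {
		if h == user || h == wild {
			matched[uint32(i)] = true
		}
	}
	if len(matched) == 0 {
		return "", ErrUserNotAuthorized
	}
	allowed, ok := cfg.MachineUsers[osUsername]
	if !ok {
		return "", ErrNoMachineUserMapping
	}
	for _, i := range allowed {
		if matched[i] {
			return "user " + jwtUserID + " authorized to login as " + osUsername, nil
		}
	}
	return "", ErrUserNotMappedToOSUser
}
```

Note that a wildcard entry only grants an OS login whose MachineUsers list contains the wildcard's own index, so a peer can allow everyone as one low-privilege account while restricting other accounts to named users.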