auth

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 25, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package auth provides authentication handler interfaces and utilities for scafctl. Auth handlers manage identity verification, credential storage, and token acquisition. They are separate from providers - providers are stateless execution primitives, while auth handlers manage state (cached tokens, refresh tokens) across invocations.

Index

Constants

View Source 
const DefaultMinValidFor = 60 * time.Second

DefaultMinValidFor is the default minimum validity duration for tokens.

Variables

View Source 
var (
	ErrNotAuthenticated       = errors.New("not authenticated: please run 'scafctl auth login entra'")
	ErrAuthenticationFailed   = errors.New("authentication failed")
	ErrTokenExpired           = errors.New("credentials expired: please run 'scafctl auth login entra'")
	ErrConsentRequired        = errors.New("consent required: please login with the required scope, e.g. 'scafctl auth login entra --scope <scope>'")
	ErrInvalidScope           = errors.New("invalid scope: scope cannot be empty")
	ErrHandlerNotFound        = errors.New("auth handler not found")
	ErrFlowNotSupported       = errors.New("authentication flow not supported")
	ErrUserCancelled          = errors.New("authentication cancelled by user")
	ErrTimeout                = errors.New("authentication timed out")
	ErrAlreadyAuthenticated   = errors.New("already authenticated")
	ErrGrantInvalid           = errors.New("invalid grant: the refresh token is invalid or has been revoked, please re-authenticate with 'scafctl auth login entra'")
	ErrCapabilityNotSupported = errors.New("capability not supported by this auth handler")
)

Sentinel errors for the auth package.

Functions

func HasCapability added in v0.5.0 

func HasCapability(capabilities []Capability, capability Capability) bool

HasCapability checks if a set of capabilities includes the specified capability.

func HasHandler 

func HasHandler(ctx context.Context, name string) bool

HasHandler checks if an auth handler exists in the context's registry.

func IsCapabilityNotSupported added in v0.5.0 

func IsCapabilityNotSupported(err error) bool

IsCapabilityNotSupported returns true if the error indicates a capability is not supported.

func IsConsentRequired added in v0.4.0 

func IsConsentRequired(err error) bool

IsConsentRequired returns true if the error indicates consent is required for the requested scope.

func IsHandlerNotFound 

func IsHandlerNotFound(err error) bool

IsHandlerNotFound returns true if the error indicates the handler was not found.

func IsNotAuthenticated 

func IsNotAuthenticated(err error) bool

IsNotAuthenticated returns true if the error indicates the user is not authenticated.

func IsTimeout 

func IsTimeout(err error) bool

IsTimeout returns true if the error indicates a timeout occurred.

func IsTokenExpired 

func IsTokenExpired(err error) bool

IsTokenExpired returns true if the error indicates the token has expired.

func IsUserCancelled 

func IsUserCancelled(err error) bool

IsUserCancelled returns true if the error indicates the user cancelled.

func ListHandlers 

func ListHandlers(ctx context.Context) []string

ListHandlers lists all auth handlers in the context's registry.

func WithRegistry 

func WithRegistry(ctx context.Context, registry *Registry) context.Context

WithRegistry returns a new context with the auth registry attached.

Types

type CachedTokenInfo added in v0.5.0 

type CachedTokenInfo struct {
	// Handler is the name of the auth handler that owns this token.
	Handler string `json:"handler"`
	// TokenKind is either "refresh" or "access".
	TokenKind string `json:"tokenKind"`
	// Scope is the OAuth scope associated with the token.
	// Empty for refresh tokens that were not scope-specific.
	Scope string `json:"scope,omitempty"`
	// TokenType is the token type, e.g. "Bearer".
	TokenType string `json:"tokenType,omitempty"`
	// Flow is the authentication flow that produced the token.
	Flow Flow `json:"flow,omitempty"`
	// ExpiresAt is when the token expires.
	ExpiresAt time.Time `json:"expiresAt,omitempty"`
	// CachedAt is when the token was written to the on-disk cache.
	CachedAt time.Time `json:"cachedAt,omitempty"`
	// IsExpired indicates whether the token is past its expiry time.
	IsExpired bool `json:"isExpired"`
	// SessionID is the stable identifier of the authentication session that
	// produced this token.  Present on both refresh and access entries, allowing
	// callers to trace which login session minted a given access token.
	SessionID string `json:"sessionId,omitempty"`
}

CachedTokenInfo holds display metadata for a cached token (refresh or access). The actual token value is intentionally omitted — use 'auth token' to retrieve it.

func (*CachedTokenInfo) TimeUntilExpiry added in v0.5.0 

func (c *CachedTokenInfo) TimeUntilExpiry() time.Duration

TimeUntilExpiry returns the duration until this cached token expires. Returns 0 if the token is already expired or has no expiry set.

type Capability added in v0.5.0 

type Capability string

Capability represents a feature or behavior that an auth handler supports. Capabilities allow CLI commands to dynamically adapt their flags and validation based on what each handler supports, enabling plugin-loaded handlers to work without hardcoded knowledge of their features. 

const (
	// CapScopesOnLogin indicates the handler supports specifying OAuth scopes at login time.
	// Both GitHub (device code) and Entra (device code/SP/WI) support this.
	CapScopesOnLogin Capability = "scopes_on_login"

	// CapScopesOnTokenRequest indicates the handler supports specifying per-request scopes
	// when acquiring tokens. Entra supports this (different resource scopes per request),
	// but GitHub does not (scopes are fixed at login time).
	CapScopesOnTokenRequest Capability = "scopes_on_token_request"

	// CapTenantID indicates the handler supports a tenant ID parameter.
	// Entra uses this for Azure AD tenant selection.
	CapTenantID Capability = "tenant_id"

	// CapHostname indicates the handler supports a hostname parameter.
	// GitHub uses this for GitHub Enterprise Server (GHES) support.
	CapHostname Capability = "hostname"

	// CapFederatedToken indicates the handler supports federated token input.
	// Entra uses this for workload identity (Kubernetes) authentication.
	CapFederatedToken Capability = "federated_token"

	// CapCallbackPort indicates the handler supports binding the OAuth callback
	// server to a specific port via --callback-port. Handlers that use the
	// authorization code + PKCE flow (Entra, GCP) advertise this capability.
	CapCallbackPort Capability = "callback_port"
)

type Claims 

type Claims struct {
	Issuer    string
	Subject   string
	TenantID  string
	ObjectID  string
	ClientID  string
	Email     string
	Name      string
	Username  string
	IssuedAt  time.Time
	ExpiresAt time.Time
}

Claims represents normalized identity claims from any auth handler.

func (*Claims) DisplayIdentity 

func (c *Claims) DisplayIdentity() string

DisplayIdentity returns the best available identity string for display.

func (*Claims) IsEmpty 

func (c *Claims) IsEmpty() bool

IsEmpty returns true if the claims have no meaningful data.

type Error 

type Error struct {
	Handler   string
	Operation string
	Cause     error
}

Error wraps authentication errors with additional context.

func NewError 

func NewError(handler, operation string, cause error) *Error

NewError creates a new Error.

func (*Error) Error 

func (e *Error) Error() string

Error implements the error interface.

func (*Error) Unwrap 

func (e *Error) Unwrap() error

Unwrap returns the underlying cause.

type Flow 

type Flow string

Flow represents an authentication flow type. 

const (
	// FlowDeviceCode is the OAuth 2.0 device authorization flow.
	FlowDeviceCode Flow = "device_code"

	// FlowInteractive is an interactive browser-based flow.
	FlowInteractive Flow = "interactive"

	// FlowServicePrincipal is authentication using service principal credentials.
	FlowServicePrincipal Flow = "service_principal"

	// FlowWorkloadIdentity is authentication using Azure Workload Identity (Kubernetes).
	FlowWorkloadIdentity Flow = "workload_identity"

	// FlowPAT is authentication using a personal access token from environment variables.
	FlowPAT Flow = "pat"

	// FlowMetadata is authentication using cloud metadata server (e.g., GCE, Cloud Run).
	FlowMetadata Flow = "metadata"

	// FlowGcloudADC is authentication using gcloud's Application Default Credentials file.
	FlowGcloudADC Flow = "gcloud_adc"

	// FlowGitHubApp is authentication using a GitHub App installation token.
	// A JWT is minted from the App's private key and exchanged for a short-lived
	// installation access token.
	FlowGitHubApp Flow = "github_app"
)

func ParseFlow added in v0.5.0 

func ParseFlow(flowStr, handlerName string) (Flow, error)

ParseFlow converts a flow string to a Flow constant. If flowStr is empty, an empty Flow is returned (caller should auto-detect). handlerName is used to produce handler-specific error messages for unrecognised values.

type GroupsProvider added in v0.5.0 

type GroupsProvider interface {
	// GetGroups returns the ObjectIDs of all groups the authenticated user belongs to.
	// Implementations must handle pagination transparently, so all memberships —
	// including those beyond any per-token cap (e.g. the 200-group JWT limit for
	// Microsoft Entra) — are returned.
	GetGroups(ctx context.Context) ([]string, error)
}

GroupsProvider is an optional interface that auth handlers can implement to return the authenticated user's group memberships as a slice of ObjectIDs.

Handlers that do not implement this interface do not support group membership queries. Callers should type-assert to this interface before invoking GetGroups.

type Handler 

type Handler interface {
	// Name returns the unique identifier for this auth handler.
	Name() string

	// DisplayName returns a human-readable name for display purposes.
	DisplayName() string

	// Login initiates the authentication flow.
	// For interactive flows (like device code), this blocks until completion or timeout.
	// Returns the authenticated identity claims on success.
	Login(ctx context.Context, opts LoginOptions) (*Result, error)

	// Logout clears stored credentials for this handler.
	Logout(ctx context.Context) error

	// Status returns the current authentication status.
	// Returns a status with Authenticated=false if not logged in.
	Status(ctx context.Context) (*Status, error)

	// GetToken returns a valid access token for the specified options.
	// Uses cached tokens when available and valid for the requested duration,
	// otherwise refreshes from the identity provider.
	// Returns ErrNotAuthenticated if user is not logged in.
	// Returns ErrTokenExpired if refresh token has expired (re-login required).
	GetToken(ctx context.Context, opts TokenOptions) (*Token, error)

	// InjectAuth adds authentication to an HTTP request.
	// This is the primary method used by providers (like HTTP) to authenticate requests.
	// Automatically handles token acquisition/refresh as needed.
	InjectAuth(ctx context.Context, req *http.Request, opts TokenOptions) error

	// SupportedFlows returns the authentication flows this handler supports.
	SupportedFlows() []Flow

	// Capabilities returns the set of capabilities this handler supports.
	// Commands use capabilities to dynamically determine which flags and
	// validation rules apply for a given handler.
	Capabilities() []Capability
}

Handler defines the interface for authentication handlers. Auth handlers manage identity verification, credential storage, and token acquisition.

func GetHandler 

func GetHandler(ctx context.Context, name string) (Handler, error)

GetHandler gets an auth handler from the context's registry.

type IdentityType 

type IdentityType string

IdentityType represents the type of authenticated identity. 

const (
	// IdentityTypeUser represents a user identity (e.g., device code flow).
	IdentityTypeUser IdentityType = "user"
	// IdentityTypeServicePrincipal represents a service principal identity.
	IdentityTypeServicePrincipal IdentityType = "service-principal"
	// IdentityTypeWorkloadIdentity represents a workload identity (Kubernetes federated).
	IdentityTypeWorkloadIdentity IdentityType = "workload-identity"
)

type LoginOptions 

type LoginOptions struct {
	TenantID           string
	Scopes             []string
	Flow               Flow
	Timeout            time.Duration
	CallbackPort       int
	DeviceCodeCallback func(userCode, verificationURI, message string)
}

LoginOptions configures the login process.

type MockHandler 

type MockHandler struct {
	NameValue         string
	DisplayNameValue  string
	FlowsValue        []Flow
	CapabilitiesValue []Capability

	LoginResult            *Result
	LoginErr               error
	LogoutErr              error
	StatusResult           *Status
	StatusErr              error
	GetTokenResult         *Token
	GetTokenErr            error
	InjectAuthErr          error
	ListCachedTokensResult []*CachedTokenInfo
	ListCachedTokensErr    error
	PurgeExpiredResult     int
	PurgeExpiredErr        error

	LoginCalls        []LoginOptions
	LogoutCalls       int
	StatusCalls       int
	GetTokenCalls     []TokenOptions
	InjectAuthCalls   []TokenOptions
	PurgeExpiredCalls int
	// contains filtered or unexported fields
}

MockHandler implements Handler for testing.

func NewMockHandler 

func NewMockHandler(name string) *MockHandler

NewMockHandler creates a new mock auth handler with default values.

func (*MockHandler) Capabilities added in v0.5.0 

func (m *MockHandler) Capabilities() []Capability

func (*MockHandler) DisplayName 

func (m *MockHandler) DisplayName() string

func (*MockHandler) GetToken 

func (m *MockHandler) GetToken(_ context.Context, opts TokenOptions) (*Token, error)

func (*MockHandler) InjectAuth 

func (m *MockHandler) InjectAuth(_ context.Context, req *http.Request, opts TokenOptions) error

func (*MockHandler) ListCachedTokens added in v0.5.0 

func (m *MockHandler) ListCachedTokens(_ context.Context) ([]*CachedTokenInfo, error)

func (*MockHandler) Login 

func (m *MockHandler) Login(_ context.Context, opts LoginOptions) (*Result, error)

func (*MockHandler) Logout 

func (m *MockHandler) Logout(_ context.Context) error

func (*MockHandler) Name 

func (m *MockHandler) Name() string

func (*MockHandler) PurgeExpiredTokens added in v0.5.0 

func (m *MockHandler) PurgeExpiredTokens(_ context.Context) (int, error)

func (*MockHandler) Reset 

func (m *MockHandler) Reset()

func (*MockHandler) SetAuthenticated 

func (m *MockHandler) SetAuthenticated(claims *Claims)

func (*MockHandler) SetNotAuthenticated 

func (m *MockHandler) SetNotAuthenticated()

func (*MockHandler) SetToken 

func (m *MockHandler) SetToken(token *Token)

func (*MockHandler) SetTokenError 

func (m *MockHandler) SetTokenError(err error)

func (*MockHandler) Status 

func (m *MockHandler) Status(_ context.Context) (*Status, error)

func (*MockHandler) SupportedFlows 

func (m *MockHandler) SupportedFlows() []Flow

type Registry 

type Registry struct {
	// contains filtered or unexported fields
}

Registry manages registered auth handlers.

func MustRegistryFromContext 

func MustRegistryFromContext(ctx context.Context) *Registry

MustRegistryFromContext retrieves the auth registry from the context. Panics if no registry is attached.

func NewRegistry 

func NewRegistry() *Registry

NewRegistry creates a new auth handler registry.

func RegistryFromContext 

func RegistryFromContext(ctx context.Context) *Registry

RegistryFromContext retrieves the auth registry from the context.

func (*Registry) All 

func (r *Registry) All() map[string]Handler

All returns all registered handlers as a map.

func (*Registry) Count 

func (r *Registry) Count() int

Count returns the number of registered handlers.

func (*Registry) Get 

func (r *Registry) Get(name string) (Handler, error)

Get retrieves an auth handler by name.

func (*Registry) Has 

func (r *Registry) Has(name string) bool

Has returns true if a handler with the given name is registered.

func (*Registry) List 

func (r *Registry) List() []string

List returns the names of all registered handlers in sorted order.

func (*Registry) Register 

func (r *Registry) Register(handler Handler) error

Register adds an auth handler to the registry.

func (*Registry) Unregister 

func (r *Registry) Unregister(name string) error

Unregister removes an auth handler from the registry.

type Result 

type Result struct {
	Claims    *Claims
	ExpiresAt time.Time
}

Result contains the result of a successful authentication.

type Status 

type Status struct {
	Authenticated bool
	Claims        *Claims
	ExpiresAt     time.Time
	LastRefresh   time.Time
	TenantID      string
	IdentityType  IdentityType // Type of identity: "user", "service-principal", or "workload-identity"
	ClientID      string       // For service principal/workload identity: the application ID
	TokenFile     string       // For workload identity: path to the federated token file
	Scopes        []string     // Scopes granted during login
}

Status represents the current authentication state.

type Token 

type Token struct {
	AccessToken string //nolint:gosec // G117: not a hardcoded credential, stores runtime token data
	TokenType   string
	ExpiresAt   time.Time
	Scope       string
	// CachedAt records when this token was written to the on-disk cache.
	// Zero value means the token was not loaded from the cache.
	CachedAt time.Time
	// Flow is the authentication flow that produced this token (e.g. "device_code",
	// "service_principal", "workload_identity").  Empty string means unknown.
	Flow Flow
	// SessionID is a stable identifier linking this access token back to the
	// authentication session (login) that produced it.  Generated once at login
	// time and preserved across refresh-token rotations.
	SessionID string
}

Token represents a short-lived access token.

func (*Token) IsExpired 

func (t *Token) IsExpired() bool

IsExpired returns true if the token has expired.

func (*Token) IsValidFor 

func (t *Token) IsValidFor(duration time.Duration) bool

IsValidFor returns true if the token will be valid for at least the specified duration.

func (*Token) TimeUntilExpiry 

func (t *Token) TimeUntilExpiry() time.Duration

TimeUntilExpiry returns the duration until the token expires. Returns 0 if the token is already expired or invalid.

type TokenLister added in v0.5.0 

type TokenLister interface {
	ListCachedTokens(ctx context.Context) ([]*CachedTokenInfo, error)
}

TokenLister is an optional interface implemented by auth handlers that can enumerate all cached tokens (both refresh and minted access tokens).

type TokenOptions 

type TokenOptions struct {
	Scope        string
	MinValidFor  time.Duration
	ForceRefresh bool
}

TokenOptions configures token acquisition.

type TokenPurger added in v0.5.0 

type TokenPurger interface {
	PurgeExpiredTokens(ctx context.Context) (int, error)
}

TokenPurger is an optional interface implemented by auth handlers that can remove expired access tokens from the cache without affecting valid tokens or the refresh token. Returns the number of tokens removed.

Source Files

View all Source files

Directories

Path Synopsis
Package entra provides Microsoft Entra ID (formerly Azure AD) authentication for scafctl using the OAuth 2.0 device authorization flow.
 Package entra provides Microsoft Entra ID (formerly Azure AD) authentication for scafctl using the OAuth 2.0 device authorization flow.
Package gcp provides Google Cloud Platform authentication for scafctl.
 Package gcp provides Google Cloud Platform authentication for scafctl.
Package github provides GitHub authentication for scafctl.
 Package github provides GitHub authentication for scafctl.
Package oauth provides shared OAuth 2.0 utilities used by multiple auth handlers, including PKCE code generation, browser launching, and local callback servers.
 Package oauth provides shared OAuth 2.0 utilities used by multiple auth handlers, including PKCE code generation, browser launching, and local callback servers.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.