Overview ¶
SPDX-FileCopyrightText: (C) 2025 Intel Corporation SPDX-License-Identifier: Apache-2.0
Index ¶
- Constants
- Variables
- func ClearClientAccessTokenTTL(ctx context.Context, oidcURL string, realm string, clientID string, ...) bool
- func EnforceClientAccessTokenTTL(ctx context.Context, oidcURL string, realm string, clientID string, ...) bool
- func EnsureM2MCredentials(forceRefresh bool) error
- func ExtractClaims(tokenString string) (string, string, time.Time, error)
- func ExtractUserRoles(claims jwt.MapClaims) ([]string, error)
- func GetAccessToken(authHeader string) string
- func GetM2MClientID() string
- func JwtTokenWithM2M(ctx context.Context, ttl *time.Duration) (string, error)
- func NewNoopAuthenticator() *noopAuthenticator
- func NewOidcAuthenticator(provider provider, opa opa.ClientWithResponsesInterface) (*oidcAuthenticator, error)
- func NewOidcProvider(endpoint string) (*oidcProvider, error)
- func NewOpaClient(port int) (opa.ClientWithResponsesInterface, error)
- func SetCachedM2MCredentials(id, secret string)
- type TokenResponse
- type VaultAuth
Constants ¶
const ( OidcUrlEnvVar = "OIDC_SERVER_URL" KeycloakUrlEnvVar = "KEYCLOAK_URL" OpaEnabledEnvVar = "OPA_ENABLED" OpaPortEnvVar = "OPA_PORT" )
const ( AuthorizationHeaderKey = "Authorization" ActiveProjectIdHeaderKey = "Activeprojectid" BearerPrefix = "Bearer " )
const ( VaultServer = "http://vault.orch-platform.svc.cluster.local:8200" ServiceAccount = "cluster-manager" )
Variables ¶
var NewVaultAuthFunc = NewVaultAuth
NewVaultAuthFunc allows tests to inject a mock VaultAuth implementation.
Functions ¶
func ClearClientAccessTokenTTL ¶
func ClearClientAccessTokenTTL(ctx context.Context, oidcURL string, realm string, clientID string, adminToken string) bool
ClearClientAccessTokenTTL removes the per-client access token lifespan override so that the client inherits the realm default. Returns true if the override was already absent or was successfully cleared; false on failure.
func EnforceClientAccessTokenTTL ¶
func EnforceClientAccessTokenTTL(ctx context.Context, oidcURL string, realm string, clientID string, desired time.Duration, adminToken string) bool
EnforceClientAccessTokenTTL sets the client's access token lifespan if it differs from the desired value. Returns true on success (including when the lifespan is already correct), false on failure.
func EnsureM2MCredentials ¶
EnsureM2MCredentials loads M2M credentials from Vault if they are not yet cached, or unconditionally when forceRefresh is true. Exposed so that other packages (e.g. rest) can guarantee the client ID is available before performing admin enforcement operations.
func ExtractClaims ¶
ExtractClaims extracts claims from a JWT token
func ExtractUserRoles ¶
ExtractUserRoles extracts user roles from JWT token claims
func GetAccessToken ¶
GetAccessToken returns the access token from the Authorization header
func GetM2MClientID ¶
func GetM2MClientID() string
GetM2MClientID returns the currently cached M2M client ID (empty if not yet loaded)
func JwtTokenWithM2M ¶
JwtTokenWithM2M retrieves a new token from Keycloak using M2M authentication with a configurable TTL.
func NewNoopAuthenticator ¶
func NewNoopAuthenticator() *noopAuthenticator
NewNoopAuthenticator returns a new no-op Authenticator
func NewOidcAuthenticator ¶
func NewOidcAuthenticator(provider provider, opa opa.ClientWithResponsesInterface) (*oidcAuthenticator, error)
NewOidcAuthenticator returns a new OIDC Authenticator
func NewOidcProvider ¶
NewOidcProvider creates a new OIDC provider using its well-known configuration.
func NewOpaClient ¶
func NewOpaClient(port int) (opa.ClientWithResponsesInterface, error)
NewOpaClient returns a new OPA client
func SetCachedM2MCredentials ¶
func SetCachedM2MCredentials(id, secret string)
SetCachedM2MCredentials allows the main package (or tests) to preload client credentials so that JwtTokenWithM2M does not need to contact Vault on each invocation. Safe for concurrent reads once set.