Constants

// Token and binding names shared by the edge APIs.
const (
	// ZitiSession names the legacy "zt-session" API session token; see
	// SecurityCtx.GetVerifiedApiSessionToken for how it relates to OIDC bearer tokens.
	// NOTE(review): whether this is a header name, a cookie name, or both is not shown here — confirm.
	ZitiSession      = "zt-session"
	// ClientApiBinding is the binding name for the edge client API.
	ClientApiBinding = "edge-client"

	// JwtAudEnrollment is the JWT audience ("aud") value for enrollment tokens.
	// NOTE(review): verifiers of enrollment JWTs should require this exact audience so a
	// token minted for another purpose cannot be replayed into enrollment — confirm the
	// enrollment path enforces it rather than only setting it on issue.
	JwtAudEnrollment = "openziti-enroller"
)
// Metric names registered by this package.
const (
	// EventualEventsGauge is the name of the gauge metric for eventual events.
	EventualEventsGauge = "eventual.events"
)

Variables

This section is empty.

Functions

func AddRouter

func AddRouter(rf ApiRouter)

func GetRequestContextFromHttpContext

func GetRequestContextFromHttpContext(r *http.Request) (*response.RequestContext, error)

func NewAuthQueryExtJwt

func NewAuthQueryExtJwt(signer *model.ExternalJwtSigner) *rest_model.AuthQueryDetail

func NewAuthQueryZitiTotp

func NewAuthQueryZitiTotp() *rest_model.AuthQueryDetail

func ServeError

func ServeError(rw http.ResponseWriter, r *http.Request, inErr error)

ServeError is a wrapper for the OpenAPI REST server to allow the Edge API Error message responses to be used when errors are raised from the OpenAPI internal runtimes. This includes input validation methods, unsupported media types, etc.

func WriteHttpApiError

func WriteHttpApiError(w http.ResponseWriter, apiError *errorz.ApiError)

WriteHttpApiError is meant to be used in situations where no request context is available to provide responses.

func WriteHttpError

func WriteHttpError(w http.ResponseWriter, err error)

WriteHttpError is meant to be used in situations where no request context is available to provide responses.

Types

type AddRouterFunc

// AddRouterFunc is a callback that receives the shared AppEnv, presumably to register routes against it.
type AddRouterFunc func(ae *AppEnv)

type ApiRouter

// ApiRouter is implemented by anything that registers API routes against the AppEnv.
// Routers are collected with AddRouter and enumerated with GetRouters.
type ApiRouter interface {
	// Register wires this router's endpoints into ae.
	Register(ae *AppEnv)
}

func GetRouters

func GetRouters() []ApiRouter

type ApiRouterMiddleware

// ApiRouterMiddleware is an optional extension of ApiRouter for routers that also
// need to install middleware (e.g. authentication or rate limiting) on the AppEnv.
type ApiRouterMiddleware interface {
	// AddMiddleware installs this router's middleware into ae.
	AddMiddleware(ae *AppEnv)
}

type ApiRouterShutdown

// ApiRouterShutdown is an optional extension of ApiRouter for routers that hold
// resources needing release when the controller stops.
type ApiRouterShutdown interface {
	// Shutdown releases resources held by this router.
	Shutdown(ae *AppEnv)
}

type AppEnv

// AppEnv is the shared runtime environment handed to every API router,
// middleware and handler in this package (see ApiRouter, AppHandler, AppMiddleware).
// It bundles persistence, managers, signers and the host controller; most fields
// are also reachable through the Get* accessors documented below.
type AppEnv struct {
	Stores   *db.Stores      // database stores (GetStores)
	Managers *model.Managers // business logic managers (GetManagers)

	Versions *ziti.Versions // version information; how it is used is not shown on this page

	// Certificate signers for three distinct CSR flows. NOTE(review): each issues
	// certificates that confer a different trust role; confirm in NewAppEnv that the
	// control-plane signer is never used for client-facing CSRs.
	ApiServerCsrSigner     cert.Signer // API server CSRs (GetApiServerCsrSigner)
	ApiClientCsrSigner     cert.Signer // API client CSRs (GetApiClientCsrSigner)
	ControlClientCsrSigner cert.Signer // control client CSRs (GetControlClientCsrSigner)

	FingerprintGenerator cert.FingerprintGenerator // certificate fingerprinting (GetFingerprintGenerator)
	AuthRegistry         model.AuthRegistry        // authentication module registry (GetAuthRegistry)
	EnrollRegistry       model.EnrollmentRegistry  // enrollment handler registry (GetEnrollRegistry)
	Broker               *Broker                   // delegates edge events to the RouterSyncStrategy
	HostController       HostController            // the hosting controller (GetHostController)
	FabricApi            *fabricOperations.ZitiFabricAPI
	ManagementApi        *managementOperations.ZitiEdgeManagementAPI
	ClientApi            *clientOperations.ZitiEdgeClientAPI
	// IdentityRefreshMap tracks identities marked for refresh (see
	// HandleServiceUpdatedEventForIdentityId); keyed by identity id, the
	// meaning of the time value is not shown here.
	IdentityRefreshMap   cmap.ConcurrentMap[string, time.Time]

	StartupTime     time.Time
	InstanceId      string
	// AuthRateLimiter throttles authentication attempts. NOTE(review): confirm it is
	// applied on every authentication entry point, including enrollment and MFA.
	AuthRateLimiter rate.AdaptiveRateLimiter

	TraceManager *TraceManager

	TokenIssuerCache *model.TokenIssuerCache // external JWT issuer cache (GetTokenIssuerCache)
	// contains filtered or unexported fields
}

func NewAppEnv

func NewAppEnv(host HostController) (*AppEnv, error)

func (*AppEnv) AddRouterPresenceHandler

func (ae *AppEnv) AddRouterPresenceHandler(h model.RouterPresenceHandler)

AddRouterPresenceHandler registers a handler for router connect/disconnect events.

func (*AppEnv) ControllersKeyFunc

func (ae *AppEnv) ControllersKeyFunc(token *jwt.Token) (interface{}, error)

ControllersKeyFunc provides public keys for JWT token verification from peer controllers.

func (*AppEnv) CreateRequestContext

func (ae *AppEnv) CreateRequestContext(rw http.ResponseWriter, r *http.Request) (*response.RequestContext, error)

CreateRequestContext creates a new request context for handling HTTP requests.

func (*AppEnv) CreateTotpTokenFromAccessClaims

func (ae *AppEnv) CreateTotpTokenFromAccessClaims(issuer string, claims *common.AccessClaims) (string, *common.TotpClaims, error)

func (*AppEnv) GetApiAddresses

func (ae *AppEnv) GetApiAddresses() (map[string][]event.ApiAddress, []byte)

GetApiAddresses returns the controller's API addresses and their fingerprint hash.

func (*AppEnv) GetApiClientCsrSigner

func (ae *AppEnv) GetApiClientCsrSigner() cert.Signer

GetApiClientCsrSigner returns the certificate signer for API client CSRs.

func (*AppEnv) GetApiServerCsrSigner

func (ae *AppEnv) GetApiServerCsrSigner() cert.Signer

GetApiServerCsrSigner returns the certificate signer for API server CSRs.

func (*AppEnv) GetAuthRegistry

func (ae *AppEnv) GetAuthRegistry() model.AuthRegistry

GetAuthRegistry returns the authentication module registry.

func (*AppEnv) GetClientApiDefaultTlsJwtSigner

func (ae *AppEnv) GetClientApiDefaultTlsJwtSigner() *jwtsigner.TlsJwtSigner

GetClientApiDefaultTlsJwtSigner returns the default JWT signer for client API operations.

func (*AppEnv) GetCloseNotifyChannel

func (ae *AppEnv) GetCloseNotifyChannel() <-chan struct{}

GetCloseNotifyChannel returns a channel that signals when the controller is shutting down.

func (*AppEnv) GetCommandDispatcher

func (ae *AppEnv) GetCommandDispatcher() command.Dispatcher

GetCommandDispatcher returns the command dispatcher for processing control plane commands.

func (*AppEnv) GetConfig

func (ae *AppEnv) GetConfig() *config.Config

GetConfig returns the controller configuration.

func (*AppEnv) GetControlClientCsrSigner

func (ae *AppEnv) GetControlClientCsrSigner() cert.Signer

GetControlClientCsrSigner returns the certificate signer for control client CSRs.

func (*AppEnv) GetControllerPublicKey

func (ae *AppEnv) GetControllerPublicKey(kid string) crypto.PublicKey

GetControllerPublicKey retrieves a public key by key ID from peer controllers.

func (*AppEnv) GetDb

func (ae *AppEnv) GetDb() boltz.Db

GetDb returns the database instance.

func (*AppEnv) GetEnrollRegistry

func (ae *AppEnv) GetEnrollRegistry() model.EnrollmentRegistry

GetEnrollRegistry returns the enrollment handler registry.

func (*AppEnv) GetEnrollmentJwtSigner

func (ae *AppEnv) GetEnrollmentJwtSigner() (jwtsigner.Signer, error)

GetEnrollmentJwtSigner returns a Signer to use for enrollments, selected by matching the edge.api.address hostname, or an error if no matching signer can be located. Hostname matching is done across all identity server certificates, including alternate server certificates.

func (*AppEnv) GetEventDispatcher

func (ae *AppEnv) GetEventDispatcher() event.Dispatcher

GetEventDispatcher returns the event dispatcher for publishing system events.

func (*AppEnv) GetFingerprintGenerator

func (ae *AppEnv) GetFingerprintGenerator() cert.FingerprintGenerator

GetFingerprintGenerator returns the certificate fingerprint generator.

func (*AppEnv) GetHostController

func (ae *AppEnv) GetHostController() HostController

GetHostController returns the host controller instance.

func (*AppEnv) GetId

func (ae *AppEnv) GetId() string

GetId returns the unique application identifier for this controller instance.

func (*AppEnv) GetManagers

func (ae *AppEnv) GetManagers() *model.Managers

GetManagers returns the business logic managers.

func (*AppEnv) GetMetricsRegistry

func (ae *AppEnv) GetMetricsRegistry() metrics.Registry

GetMetricsRegistry returns the metrics registry for collecting performance data.

func (*AppEnv) GetNetwork

func (ae *AppEnv) GetNetwork() *network.Network

func (*AppEnv) GetPeerControllerAddresses

func (ae *AppEnv) GetPeerControllerAddresses() []string

GetPeerControllerAddresses returns the network addresses of peer controllers.

func (*AppEnv) GetPeerSigners

func (ae *AppEnv) GetPeerSigners() []*x509.Certificate

GetPeerSigners returns the certificates of peer controllers for signature verification.

func (*AppEnv) GetRaftInfo

func (ae *AppEnv) GetRaftInfo() (string, string, string)

GetRaftInfo returns Raft cluster information (node ID, leader, cluster state).

func (*AppEnv) GetRootTlsJwtSigner

func (ae *AppEnv) GetRootTlsJwtSigner() *jwtsigner.TlsJwtSigner

GetRootTlsJwtSigner creates and returns a JWT signer using the root server certificate.

func (*AppEnv) GetStores

func (ae *AppEnv) GetStores() *db.Stores

GetStores returns the database stores.

func (*AppEnv) GetTokenIssuerCache

func (ae *AppEnv) GetTokenIssuerCache() *model.TokenIssuerCache

GetTokenIssuerCache returns the TokenIssuerCache instance for verifying external JWT tokens.

func (*AppEnv) HandleServiceEvent

func (ae *AppEnv) HandleServiceEvent(event *db.ServiceEvent)

HandleServiceEvent processes service change events and triggers identity refreshes.

func (*AppEnv) HandleServicePolicyChange

func (ae *AppEnv) HandleServicePolicyChange(ctx boltz.MutateContext, policyChange *edge_ctrl_pb.DataState_ServicePolicyChange)

func (*AppEnv) HandleServiceUpdatedEventForIdentityId

func (ae *AppEnv) HandleServiceUpdatedEventForIdentityId(identityId string)

HandleServiceUpdatedEventForIdentityId marks an identity for refresh due to service changes.

func (*AppEnv) InitPermissionsContext

func (ae *AppEnv) InitPermissionsContext(request *http.Request, api permissions.Api, entityType string, action permissions.Action)

func (*AppEnv) InitPersistence

func (ae *AppEnv) InitPersistence() error

func (*AppEnv) InitTimelineId

func (ae *AppEnv) InitTimelineId(timelineId string)

InitTimelineId sets the timeline ID during startup, panics if already set.

func (*AppEnv) IsAllowed

func (ae *AppEnv) IsAllowed(responderFunc func(ae *AppEnv, rc *response.RequestContext), request *http.Request, entityId string, entitySubId string, permissions ...permissions.Resolver) openApiMiddleware.Responder

IsAllowed creates a middleware responder that checks permissions before executing the handler.

func (*AppEnv) IsEdgeRouterOnline

func (ae *AppEnv) IsEdgeRouterOnline(id string) bool

IsEdgeRouterOnline checks if an edge router is currently connected.

func (*AppEnv) JwtSignerKeyFunc

func (ae *AppEnv) JwtSignerKeyFunc(token *jwt.Token) (interface{}, error)

JwtSignerKeyFunc is used in combination with jwt.Parse or jwt.ParseWithClaims to supply the verification key for JWTs issued by the current controller or any peer controller. It only selects the key; it does not evaluate claims, so any audience or issuer expectation the caller has must still be checked separately.

func (*AppEnv) OidcIssuer

func (ae *AppEnv) OidcIssuer() string

OidcIssuer returns the OIDC issuer URL for this controller.

func (*AppEnv) OverrideTimelineId

func (ae *AppEnv) OverrideTimelineId(timelineId string)

OverrideTimelineId forcibly sets the timeline ID, bypassing the startup checks that InitTimelineId performs (in particular it does not panic when a timeline ID is already set).

func (*AppEnv) RootIssuer

func (ae *AppEnv) RootIssuer() string

RootIssuer returns the base issuer URL for this controller.

func (*AppEnv) SetClientApiDefaultCertificate

func (ae *AppEnv) SetClientApiDefaultCertificate(serverCert *tls.Certificate)

SetClientApiDefaultCertificate configures the default JWT signer for client API operations.

func (*AppEnv) TimelineId

func (ae *AppEnv) TimelineId() string

TimelineId returns the current timeline identifier for event ordering.

func (*AppEnv) ValidateAccessToken

func (ae *AppEnv) ValidateAccessToken(token string) (*common.AccessClaims, error)

ValidateAccessToken verifies an access token and returns its claims if valid. Checks token signature, audience, type, and revocation status. Expiry is not listed here; confirm it is enforced by the underlying JWT parsing before relying on it.

func (*AppEnv) ValidateServiceAccessToken

func (ae *AppEnv) ValidateServiceAccessToken(token string, apiSessionId *string) (*common.ServiceAccessClaims, error)

ValidateServiceAccessToken verifies a service access token and returns its claims. When apiSessionId is non-nil, the token is additionally validated against that specific API session ID; a nil apiSessionId skips that binding check.

type AppHandler

// AppHandler is a request handler that receives the shared AppEnv and the per-request
// context; it has the same shape as the responderFunc passed to AppEnv.IsAllowed.
type AppHandler func(ae *AppEnv, rc *response.RequestContext)

type AppMiddleware

// AppMiddleware wraps an http.Handler, given access to the AppEnv, and returns the wrapped handler.
type AppMiddleware func(*AppEnv, http.Handler) http.Handler

type BasicEntitySchema

// BasicEntitySchema holds the JSON schemas for an entity's request bodies, one per HTTP verb.
// NOTE(review): where these schemas are applied to incoming bodies is not shown on this
// page — confirm every mutating endpoint validates against the schema for its verb.
type BasicEntitySchema struct {
	Post  *gojsonschema.Schema // schema for create (POST) bodies
	Patch *gojsonschema.Schema // schema for partial update (PATCH) bodies
	Put   *gojsonschema.Schema // schema for full update (PUT) bodies
}

type Broker

// Broker delegates Ziti Edge events to a RouterSyncStrategy; construct it with NewBroker.
// Its fields are unexported; the router state it reports comes from the strategy
// (see GetEdgeRouterState and GetRouterSyncStrategy).
type Broker struct {
	// contains filtered or unexported fields
}

The Broker delegates Ziti Edge events to a RouterSyncStrategy, handling the details of which events to watch and of casting event arguments to their proper concrete types.

func NewBroker

func NewBroker(ae *AppEnv, synchronizer RouterSyncStrategy) *Broker

func (*Broker) AcceptClusterEvent

func (broker *Broker) AcceptClusterEvent(clusterEvent *event.ClusterEvent)

func (*Broker) GetEdgeRouterState

func (broker *Broker) GetEdgeRouterState(id string) RouterStateValues

func (*Broker) GetPublicKeys

func (broker *Broker) GetPublicKeys() map[string]crypto.PublicKey

func (*Broker) GetReceiveHandlers

func (broker *Broker) GetReceiveHandlers() []channel.TypedReceiveHandler

func (*Broker) GetRouterDataModel

func (broker *Broker) GetRouterDataModel() *common.RouterDataModelSender

func (*Broker) GetRouterSyncStrategy

func (broker *Broker) GetRouterSyncStrategy() RouterSyncStrategy

func (*Broker) InvokeRouterConnectedSynchronously

func (broker *Broker) InvokeRouterConnectedSynchronously() bool

func (*Broker) IsEdgeRouterOnline

func (broker *Broker) IsEdgeRouterOnline(id string) bool

func (*Broker) RouterConnected

func (broker *Broker) RouterConnected(router *model.Router)

func (*Broker) RouterDisconnected

func (broker *Broker) RouterDisconnected(router *model.Router)

func (*Broker) Stop

func (broker *Broker) Stop()

func (*Broker) ValidateRouterDataModel

func (broker *Broker) ValidateRouterDataModel() []error

type HostController

// HostController is the contract the hosting controller process satisfies for this
// package. AppEnv forwards most of its Get* accessors to it; see the matching AppEnv
// methods above for the documented meaning of each call.
type HostController interface {
	GetConfig() *config.Config
	GetEnv() *AppEnv
	RegisterAgentBindHandler(bindHandler channel.BindHandler)
	RegisterXctrl(x xctrl.Xctrl) error
	RegisterXmgmt(x xmgmt.Xmgmt) error
	GetXWebInstance() xweb.Instance
	GetNetwork() *network.Network
	GetCloseNotifyChannel() <-chan struct{} // signals controller shutdown (AppEnv.GetCloseNotifyChannel)
	Shutdown()
	Identity() identity.Identity // presumably the controller's own identity (its server certificates; see GetEnrollmentJwtSigner)
	IsRaftEnabled() bool
	IsRaftLeader() bool
	GetStartRaftIndex() uint64
	GetDb() boltz.Db
	GetCommandDispatcher() command.Dispatcher
	GetPeerSigners() []*x509.Certificate // peer controller certificates for signature verification (AppEnv.GetPeerSigners)
	GetEventDispatcher() event.Dispatcher
	GetRaftIndex() uint64
	GetPeerAddresses() []string // network addresses of peer controllers (AppEnv.GetPeerControllerAddresses)
	GetRaftInfo() (string, string, string) // node ID, leader, cluster state (AppEnv.GetRaftInfo)
	GetApiAddresses() (map[string][]event.ApiAddress, []byte) // API addresses and their fingerprint hash (AppEnv.GetApiAddresses)
	GetMetricsRegistry() metrics.Registry
}

type IdentityEntitySchema

// IdentityEntitySchema is the identity variant of BasicEntitySchema with an extra schema
// for the identity's service configs payload.
type IdentityEntitySchema struct {
	Post           *gojsonschema.Schema // schema for create (POST) bodies
	Patch          *gojsonschema.Schema // schema for partial update (PATCH) bodies
	Put            *gojsonschema.Schema // schema for full update (PUT) bodies
	ServiceConfigs *gojsonschema.Schema // schema for the service configs payload
}

type LockingRouterState

// LockingRouterState is a RouterState implementation whose method set matches the
// RouterState interface; construct it with NewLockingRouterStatus. The name suggests
// a lock guards the fields, but the fields are unexported and not shown here.
type LockingRouterState struct {
	// contains filtered or unexported fields
}

func NewLockingRouterStatus

func NewLockingRouterStatus() *LockingRouterState

func (*LockingRouterState) GetVersionInfo

func (r *LockingRouterState) GetVersionInfo() versions.VersionInfo

func (*LockingRouterState) Hostname

func (r *LockingRouterState) Hostname() string

func (*LockingRouterState) IsOnline

func (r *LockingRouterState) IsOnline() bool

func (*LockingRouterState) Protocols

func (r *LockingRouterState) Protocols() map[string]string

func (*LockingRouterState) SetHostname

func (r *LockingRouterState) SetHostname(hostname string)

func (*LockingRouterState) SetIsOnline

func (r *LockingRouterState) SetIsOnline(isOnline bool)

func (*LockingRouterState) SetProtocols

func (r *LockingRouterState) SetProtocols(protocols map[string]string)

func (*LockingRouterState) SetSyncStatus

func (r *LockingRouterState) SetSyncStatus(syncStatus RouterSyncStatus)

func (*LockingRouterState) SetVersionInfo

func (r *LockingRouterState) SetVersionInfo(versionInfo versions.VersionInfo)

func (*LockingRouterState) SyncStatus

func (r *LockingRouterState) SyncStatus() RouterSyncStatus

func (*LockingRouterState) Values

type RouterConnectionHandler

// RouterConnectionHandler handles router connect/disconnect events so that state
// (primarily API Session state) can be synchronized. It is embedded in RouterSyncStrategy.
type RouterConnectionHandler interface {
	// RouterConnected is invoked when a router connects; it receives both the edge router and router models.
	RouterConnected(edgeRouter *model.EdgeRouter, router *model.Router)
	// RouterDisconnected is invoked when a router disconnects.
	RouterDisconnected(router *model.Router)
	// GetReceiveHandlers returns additional typed handlers to bind to the router channel.
	GetReceiveHandlers() []channel.TypedReceiveHandler
}

RouterConnectionHandler is responsible for handling router connect/disconnect events in order to synchronize state. It is intended for API Session state, but additional state is possible. Implementations may bind additional handlers to the channel.

type RouterState

// RouterState is the thread-safe accessor/mutator contract for a router's status
// while it may be changing due to connection/disconnection. LockingRouterState
// implements it; Values returns a RouterStateValues snapshot.
type RouterState interface {
	SetIsOnline(isOnline bool)
	IsOnline() bool

	SetHostname(hostname string)
	Hostname() string

	// Protocols maps protocol names to addresses (assumed from the map shape — confirm).
	SetProtocols(protocols map[string]string)
	Protocols() map[string]string

	SetSyncStatus(status RouterSyncStatus)
	SyncStatus() RouterSyncStatus

	SetVersionInfo(versionInfo versions.VersionInfo)
	GetVersionInfo() versions.VersionInfo

	// Values returns a point-in-time copy of all fields as a RouterStateValues.
	Values() RouterStateValues
}

RouterState provides a thread-safe mechanism to access and set router status information that may be in flux due to router connection/disconnection.

type RouterStateValues

// RouterStateValues is a plain snapshot of a RouterState, as returned by RouterState.Values
// and Broker.GetEdgeRouterState. NOTE(review): Protocols is a map, so a snapshot that
// shares it with the live state is not isolated from later mutation — confirm Values
// clones it.
type RouterStateValues struct {
	IsOnline    bool
	Hostname    string
	Protocols   map[string]string
	SyncStatus  RouterSyncStatus
	VersionInfo versions.VersionInfo
}

func NewRouterStatusValues

func NewRouterStatusValues() RouterStateValues

type RouterSyncCache

// RouterSyncCache currently has no exported fields; its purpose is not shown on this page.
type RouterSyncCache struct {
}

type RouterSyncStatus

// RouterSyncStatus is a named string type (not a type alias) holding one of the SYNC_* values below.
type RouterSyncStatus string

RouterSyncStatus is a named string type for router sync status values.

// Router synchronization states, followed by the channel message header ids used by the sync strategy.
const (
	RouterSyncNew        RouterSyncStatus = "SYNC_NEW"         //connection accepted but no strategy actions have been taken
	RouterSyncQueued     RouterSyncStatus = "SYNC_QUEUED"      //connection handed to strategy, but not processed
	RouterSyncHello      RouterSyncStatus = "SYNC_HELLO"       //connection is beginning hello cycle
	RouterSyncHelloWait  RouterSyncStatus = "SYNC_HELLO_WAIT"  //hello received from router, but there are too many synchronizing routers
	RouterSyncResyncWait RouterSyncStatus = "SYNC_RESYNC_WAIT" //router requested a resync, in queue
	// RouterSynInProgress's exported name is missing the "c" in Sync; renaming it would break callers.
	RouterSynInProgress  RouterSyncStatus = "SYNC_IN_PROGRESS" //hello finished, starting to send state
	RouterSyncDone       RouterSyncStatus = "SYNC_DONE"        //initial state sent

	//Error states
	RouterSyncUnknown      RouterSyncStatus = "SYNC_UNKNOWN"       //the router is currently unknown
	RouterSyncDisconnected RouterSyncStatus = "SYNC_DISCONNECTED"  //strategy was disconnected before finishing
	RouterSyncHelloTimeout RouterSyncStatus = "SYNC_HELLO_TIMEOUT" //sync failed due to a hello timeout.
	RouterSyncError        RouterSyncStatus = "SYNC_ERROR"         //sync failed due to an unexpected error

	//msg headers
	// NOTE(review): numeric header ids on the router/controller channel; the value
	// types carried under each header are not shown here.
	SyncStrategyTypeHeader  = 1013
	SyncStrategyStateHeader = 1014
	SyncStrategyLastIndex   = 1015
)

type RouterSyncStrategy

// RouterSyncStrategy owns the life cycle of an Edge Router's connection to the
// controller: the upfront state synchronization and the ongoing updates after it.
// Broker delegates edge events to the active strategy.
type RouterSyncStrategy interface {
	// Type identifies the strategy.
	Type() RouterSyncStrategyType
	// GetEdgeRouterState returns a snapshot of the named router's state.
	GetEdgeRouterState(id string) RouterStateValues
	Stop()
	// GetPublicKeys returns public keys keyed by id; what the ids identify is not shown here.
	GetPublicKeys() map[string]crypto.PublicKey
	RouterConnectionHandler
	RouterSynchronizerEventHandler
	// Validate reports any inconsistencies found in the strategy's state.
	Validate() []error
	GetRouterDataModel() *common.RouterDataModelSender
	// ContextIndex returns the index associated with ctx, or nil if none.
	ContextIndex(ctx boltz.MutateContext) *uint64
	// NextIndex allocates the next index for ctx.
	NextIndex(ctx boltz.MutateContext) (uint64, error)
}

RouterSyncStrategy handles the life cycle of an Edge Router connecting to the controller, synchronizing any upfront state and then maintaining state after that.

type RouterSyncStrategyType

// RouterSyncStrategyType is a named string type (not a type alias) identifying a RouterSyncStrategy implementation.
type RouterSyncStrategyType string

RouterSyncStrategyType is a named string type identifying a router sync strategy.

type RouterSynchronizerEventHandler

// RouterSynchronizerEventHandler receives the API Session, Session and service policy
// changes that Edge Routers must be kept up to date on. It is embedded in RouterSyncStrategy.
type RouterSynchronizerEventHandler interface {
	ApiSessionAdded(apiSession *db.ApiSession)
	// ApiSessionUpdated also carries the API session certificate associated with the update.
	ApiSessionUpdated(apiSession *db.ApiSession, apiSessionCert *db.ApiSessionCertificate)
	ApiSessionDeleted(apiSession *db.ApiSession)
	SessionDeleted(session *db.Session)
	// HandleServicePolicyChange mirrors AppEnv.HandleServicePolicyChange.
	HandleServicePolicyChange(ctx boltz.MutateContext, policyChange *edge_ctrl_pb.DataState_ServicePolicyChange)
}

RouterSynchronizerEventHandler is responsible for keeping Edge Routers up to date on API Sessions, Sessions and service policy changes.

type Schemes

// Schemes holds the request-body JSON schemas for each entity type served by the
// edge APIs, grouped by HTTP verb (see BasicEntitySchema and IdentityEntitySchema).
type Schemes struct {
	Association             *BasicEntitySchema
	Authenticator           *BasicEntitySchema
	AuthenticatorSelf       *BasicEntitySchema
	Ca                      *BasicEntitySchema
	Config                  *BasicEntitySchema
	ConfigType              *BasicEntitySchema
	Enroller                *BasicEntitySchema
	EnrollEr                *BasicEntitySchema // presumably edge-router (ER) enrollment; distinct from Enroller — see GetEnrollErPost
	EnrollUpdb              *BasicEntitySchema // updb enrollment — see GetEnrollUpdbPost
	EdgeRouter              *BasicEntitySchema
	EdgeRouterPolicy        *BasicEntitySchema
	TransitRouter           *BasicEntitySchema
	Identity                *IdentityEntitySchema // identity additionally carries a ServiceConfigs schema
	Service                 *BasicEntitySchema
	ServiceEdgeRouterPolicy *BasicEntitySchema
	ServicePolicy           *BasicEntitySchema
	Session                 *BasicEntitySchema
	Terminator              *BasicEntitySchema
}

func (Schemes) GetEnrollErPost

func (s Schemes) GetEnrollErPost() *gojsonschema.Schema

func (Schemes) GetEnrollUpdbPost

func (s Schemes) GetEnrollUpdbPost() *gojsonschema.Schema

type SecurityCtx

// SecurityCtx resolves and caches the authentication context of one HTTP request
// (API session, identity, auth policy, MFA state, permissions), each at most once,
// starting from the raw tokens in a common.SecurityTokenCtx. Construct it with
// NewSecurityCtx and attach it to the request with AddToRequest. Its fields are unexported.
type SecurityCtx struct {
	// contains filtered or unexported fields
}

SecurityCtx resolves and caches the full authentication context for a single HTTP request. Starting from the raw token data in a SecurityTokenCtx, it looks up the associated API session, identity, auth policy, MFA state, and permission set — each at most once. It also supports administrator identity masquerading for privileged operations.

func NewSecurityCtx

func NewSecurityCtx(securityTokenCtx *common.SecurityTokenCtx, env model.Env) *SecurityCtx

NewSecurityCtx creates a SecurityCtx that will resolve authentication details from securityTokenCtx using the managers and stores available through env.

func (*SecurityCtx) AddToRequest

func (ctx *SecurityCtx) AddToRequest(r *http.Request)

AddToRequest stores this SecurityCtx in the request's context under common.SecurityCtxKey so that route handlers can retrieve it without needing to re-resolve authentication.

func (*SecurityCtx) EndMasquerade

func (ctx *SecurityCtx) EndMasquerade()

EndMasquerade clears any active identity masquerade, restoring GetIdentity to return the identity associated with the session token.

func (*SecurityCtx) GetApiSession

func (ctx *SecurityCtx) GetApiSession() (*model.ApiSession, error)

GetApiSession triggers resolution and returns the API session for the request.

func (*SecurityCtx) GetApiSessionWithoutResolve

func (ctx *SecurityCtx) GetApiSessionWithoutResolve() (*model.ApiSession, error)

GetApiSessionWithoutResolve returns the API session if it has already been resolved, without triggering resolution. It is intended for response header helpers that run after the primary handler has already resolved the session; it should not be used to make an authorization decision, since an unresolved context yields no session.

func (*SecurityCtx) GetAuthPolicy

func (ctx *SecurityCtx) GetAuthPolicy() (*model.AuthPolicy, error)

GetAuthPolicy triggers resolution and returns the auth policy governing the session's identity.

func (*SecurityCtx) GetError

func (ctx *SecurityCtx) GetError() error

GetError returns the error encountered while resolving the API session, or nil if the session resolved successfully.

func (*SecurityCtx) GetIdentity

func (ctx *SecurityCtx) GetIdentity() (*model.Identity, error)

GetIdentity triggers full resolution of the authentication context and returns the identity associated with the session. When an administrator has called MasqueradeAsIdentity, the masquerade identity is returned instead of the session's own identity.

func (*SecurityCtx) GetMfaAuthQueries

func (ctx *SecurityCtx) GetMfaAuthQueries() []*rest_model.AuthQueryDetail

GetMfaAuthQueries triggers resolution and returns the list of outstanding MFA challenges that the identity must complete before gaining full access.

func (*SecurityCtx) GetMfaAuthQueriesWithoutResolve

func (ctx *SecurityCtx) GetMfaAuthQueriesWithoutResolve() []*rest_model.AuthQueryDetail

GetMfaAuthQueriesWithoutResolve returns any outstanding MFA auth queries without triggering resolution.

func (*SecurityCtx) GetMfaError

func (ctx *SecurityCtx) GetMfaError() error

GetMfaError triggers resolution and returns any error encountered while evaluating secondary MFA requirements (e.g., a missing or expired ext-JWT secondary token).

func (*SecurityCtx) GetMfaErrorWithoutResolve

func (ctx *SecurityCtx) GetMfaErrorWithoutResolve() error

GetMfaErrorWithoutResolve returns the MFA error if secondary authentication checks have already run, without triggering resolution.

func (*SecurityCtx) GetPermissions

func (ctx *SecurityCtx) GetPermissions() map[string]struct{}

GetPermissions returns the set of permission strings granted to the session, such as "authenticated", "partiallyAuthenticated", and "admin". The map is populated during resolution and is safe to read after any of the resolving Get* methods has been called. Because of that, an empty map read before resolution means "not yet resolved", not "no permissions"; call a resolving Get* method before using it for an authorization decision.

func (*SecurityCtx) GetSecurityTokenCtx

func (ctx *SecurityCtx) GetSecurityTokenCtx() *common.SecurityTokenCtx

GetSecurityTokenCtx returns the underlying token context that holds the raw bearer tokens and their pre-parsed issuer associations.

func (*SecurityCtx) GetTotp

func (ctx *SecurityCtx) GetTotp() (*model.Mfa, error)

GetTotp triggers resolution and returns the TOTP MFA configuration for the session's identity.

func (*SecurityCtx) GetVerifiedApiSessionToken

func (ctx *SecurityCtx) GetVerifiedApiSessionToken() (*common.SecurityToken, error)

GetVerifiedApiSessionToken triggers resolution and returns the verified primary security token (either a legacy zt-session or an OIDC bearer token) along with any session-level error.

func (*SecurityCtx) IsFullyAuthed

func (ctx *SecurityCtx) IsFullyAuthed() bool

IsFullyAuthed returns true when both primary and all secondary authentication factors have been satisfied.

func (*SecurityCtx) IsPartiallyAuthed

func (ctx *SecurityCtx) IsPartiallyAuthed() bool

IsPartiallyAuthed returns true when the primary authentication (session token) succeeded but at least one secondary factor (TOTP or ext-JWT) is still outstanding.

func (*SecurityCtx) MasqueradeAsIdentity

func (ctx *SecurityCtx) MasqueradeAsIdentity(identity *model.Identity) error

MasqueradeAsIdentity allows an authenticated administrator to act as another identity for the duration of the request. Subsequent calls to GetIdentity will return the given identity rather than the one derived from the session token, until EndMasquerade is called. Returns an error if the caller is not authenticated or does not hold admin privileges.

type TraceManager

// TraceManager tracks per-identity trace requests (TraceIdentity, GetIdentityTrace,
// RemoveIdentityTrace); construct it with NewTraceManager, which takes a shutdown
// notification channel. Its fields are unexported.
type TraceManager struct {
	// contains filtered or unexported fields
}

func NewTraceManager

func NewTraceManager(shutdownNotify <-chan struct{}) *TraceManager

func (*TraceManager) GetIdentityTrace

func (self *TraceManager) GetIdentityTrace(identityId string) *TraceSpec

func (*TraceManager) RemoveIdentityTrace

func (self *TraceManager) RemoveIdentityTrace(identity string)

func (*TraceManager) TraceIdentity

func (self *TraceManager) TraceIdentity(identity string, duration time.Duration, id string, channelMask uint32) *TraceSpec

type TraceSpec

// TraceSpec describes an active trace for one identity, as created by TraceManager.TraceIdentity.
type TraceSpec struct {
	Until       time.Time // when the trace expires (derived from TraceIdentity's duration)
	TraceId     string    // the id passed to TraceIdentity
	ChannelMask uint32    // the channelMask passed to TraceIdentity; bit meanings are not shown here
}

func (*TraceSpec) String

func (self *TraceSpec) String() string

type YamlProducer

// YamlProducer is a stateless producer whose Produce method writes a value to an io.Writer, presumably as YAML.
type YamlProducer struct{}

func (YamlProducer) Produce

func (p YamlProducer) Produce(writer io.Writer, i interface{}) error
