Documentation

Overview

Package security implements the functions, types, and interfaces for the module. It provides declarative security interfaces for authentication and authorization.
Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RegisterPolicies

```go
func RegisterPolicies(policies []Policy)
```
RegisterPolicies is a public function called by generated code in init() functions. It appends a slice of policies to the global unifiedPolicies registry.
Types

type Claims

```go
type Claims interface {
	// Get retrieves a claim by its key and returns its value as an interface{}.
	// The second return value indicates if the claim was found.
	Get(key string) (any, bool)
	// GetString retrieves a string claim by its key.
	GetString(key string) (string, bool)
	// GetInt64 retrieves an int64 claim by its key.
	GetInt64(key string) (int64, bool)
	// GetFloat64 retrieves a float64 claim by its key.
	GetFloat64(key string) (float64, bool)
	// GetBool retrieves a boolean claim by its key.
	GetBool(key string) (bool, bool)
	// GetStringSlice retrieves a string slice claim by its key.
	GetStringSlice(key string) ([]string, bool)
	// GetMap retrieves a map[string]any claim by its key.
	GetMap(key string) (map[string]any, bool)
	// UnmarshalValue unmarshals a claim with the given key into the provided Go type.
	// The target must be a pointer to a struct.
	UnmarshalValue(key string, target any) error
	// Export returns the raw claims data as a map of structpb.Value.
	Export() map[string]*structpb.Value
}
```
Claims represents a set of custom claims associated with a Principal. It provides methods for accessing and unmarshaling claim values.
type Credential

```go
type Credential interface {
	// Type returns the type of the credential (e.g., "jwt", "apikey").
	Type() string
	// Raw returns the original, unparsed credential string.
	// For example, the full "Bearer eyJ..." JWT string, or the API key string.
	Raw() string
	// ParsedPayload unmarshals the credential's payload into the provided protobuf message.
	// This allows for type-safe unpacking of the payload into specific protobuf messages.
	ParsedPayload(message proto.Message) error
	// GetMeta returns the authentication-related metadata associated with the credential
	// as a standard Go map[string][]string, for easy consumption by Authenticator implementations.
	// This metadata is typically extracted and processed from the request context.
	GetMeta() map[string][]string
	// Source returns the canonical Protobuf representation of the credential.
	// This is essential for transmitting the credential data, for example, in a CredentialResponse.
	Source() *securityv1.CredentialSource
}
```
Credential represents a credential, either received from a request or newly issued. It provides a unified interface to access credential data and its canonical Protobuf representation.
type CredentialResponse

```go
type CredentialResponse interface {
	// GetType returns the type of the credential.
	GetType() string
	// Payload returns the payload of the credential.
	// This should ideally return a structured type or a proto.Message.
	Payload() *securityv1.Payload
	// GetMeta returns the metadata associated with the credential response
	// as a standard Go map[string][]string, for easy consumption.
	GetMeta() map[string][]string
	// Response returns the canonical Protobuf representation of the credential response.
	// This allows direct access to the underlying protobuf message for serialization.
	Response() *securityv1.CredentialResponse
}
```
CredentialResponse represents a credential structure intended for transmission to clients (e.g., frontend applications).
type Policy

```go
type Policy struct {
	ServiceMethod string // gRPC full method name, e.g., "/user.v1.UserService/GetUser"
	GatewayPath   string // HTTP path and method, e.g., "GET:/api/v1/users/{id}"
	Name          string // The policy name/definition string from the proto annotation, e.g., "admin-only"
	VersionID     string // A hash representing the version of this policy definition
}
```
Policy holds all information for a single resource's policy. This struct is created by generated code and registered via init().
func RegisteredPolicies

```go
func RegisteredPolicies() []Policy
```
RegisteredPolicies returns a copy of all policy registrations. This is called once at application startup to sync policies to the database.
type Principal

```go
type Principal interface {
	// GetID returns the unique identifier of the principal.
	GetID() string
	// GetDomain returns the domain associated with the principal.
	// This is often used in multi-tenant or multi-project environments.
	GetDomain() string
	// GetRoles returns a slice of roles assigned to the principal.
	GetRoles() []string
	// GetPermissions returns a slice of permissions granted to the principal.
	GetPermissions() []string
	// GetScopes returns a map of scopes associated with the principal.
	GetScopes() map[string]bool
	// GetClaims returns the custom claims associated with the principal.
	GetClaims() Claims
	// Export converts the Principal to its Protobuf representation.
	Export() *securityv1.Principal
}
```
Principal represents the identity of the entity making a request. It typically contains information about the authenticated user or service.
type Request

```go
type Request interface {
	// Kind returns the type of the request as a string (e.g., "grpc", "http").
	// This helps consumers understand how to interpret GetOperation(), GetMethod(), and GetRouteTemplate().
	Kind() string
	// GetOperation returns the primary identifier for the logical operation being performed.
	// The specific value depends on the Kind() and the nature of the request:
	//   - For "grpc" kind: Returns the full gRPC method name (e.g., /package.Service/Method).
	//   - For "http" kind:
	//     - If the HTTP request is a proxy for a gRPC method (e.g., via Kratos HTTP gateway),
	//       it returns the corresponding full gRPC method name.
	//     - Otherwise (for a pure HTTP service request), it returns the actual HTTP request path (e.g., /v1/users/123).
	// This value is typically used for policy lookup in `servicePolicies` (if it's a gRPC method name)
	// or for general operation identification.
	GetOperation() string
	// GetMethod returns the HTTP verb (e.g., "GET", "POST") if the request is an HTTP call.
	// For "grpc" kind requests, this method will return an empty string.
	GetMethod() string
	// GetRouteTemplate returns the matched HTTP route template (e.g., "/v1/users/{id}")
	// if the request is an HTTP call and a route template was matched.
	// This is typically used for policy lookup in `gatewayPolicies`.
	// For "grpc" kind requests, this method will return an empty string.
	GetRouteTemplate() string
	// Get returns the first value associated with the given key.
	// If the key is not found, it returns an empty string.
	Get(key string) string
	// Values returns the values associated with the given key.
	// It returns a slice of strings because sources like HTTP headers can have
	// multiple values for the same key.
	Values(key string) []string
	// GetAll returns all key-value pairs from the source.
	GetAll() map[string][]string
}
```
Request provides access to security-relevant information needed for authorization decisions. It abstracts away the underlying transport (HTTP/gRPC) and provides a unified interface for accessing request metadata, operation details, and routing information.
type SkipChecker
SkipChecker defines the function signature for determining whether to skip a middleware. It takes a context.Context and a Request, returning true if the middleware should be skipped.
func NoOpSkipChecker

```go
func NoOpSkipChecker() SkipChecker
```
NoOpSkipChecker creates a SkipChecker that never skips. This is the default behavior if no checker is provided, ensuring the middleware is always applied.
func PathSkipChecker

```go
func PathSkipChecker(skipPaths ...string) SkipChecker
```
PathSkipChecker creates a SkipChecker that skips authentication for specified operation paths. The checker returns true if the request's operation matches any of the provided skipPaths.
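As an added illustration (not the package's own implementation), the sketch below reimplements the registry that RegisterPolicies and RegisteredPolicies describe, a lookup that applies the GetOperation/GetRouteTemplate rules from the Request interface against Policy.ServiceMethod and Policy.GatewayPath, and an exact-match PathSkipChecker. The Request interface is narrowed to the four methods this needs, and LookupPolicy is an assumed name that does not appear on the page.

```go
package main

import "context"

// Request is the page's Request interface narrowed to the four methods that
// policy lookup and skip checks need (an assumption made for this example).
type Request interface {
	Kind() string
	GetOperation() string
	GetMethod() string
	GetRouteTemplate() string
}
type Policy struct{ ServiceMethod, GatewayPath, Name, VersionID string }
type SkipChecker func(context.Context, Request) bool

// Global registry; generated init() functions run sequentially, so no lock is needed.
var unifiedPolicies []Policy

func RegisterPolicies(policies []Policy) {
	unifiedPolicies = append(unifiedPolicies, policies...)
}

// RegisteredPolicies hands out a copy so callers cannot mutate the registry.
func RegisteredPolicies() []Policy {
	return append([]Policy(nil), unifiedPolicies...)
}

// LookupPolicy (assumed name) matches GetOperation against ServiceMethod and,
// for an HTTP call with a matched route, "VERB:template" against GatewayPath.
func LookupPolicy(req Request) (Policy, bool) {
	op, gw := req.GetOperation(), ""
	if req.Kind() == "http" && req.GetRouteTemplate() != "" {
		gw = req.GetMethod() + ":" + req.GetRouteTemplate()
	}
	for _, p := range RegisteredPolicies() {
		if p.ServiceMethod == op || (gw != "" && p.GatewayPath == gw) {
			return p, true
		}
	}
	return Policy{}, false
}

// PathSkipChecker skips only on an exact operation match, never on a prefix.
func PathSkipChecker(skipPaths ...string) SkipChecker {
	set := make(map[string]bool, len(skipPaths))
	for _, p := range skipPaths {
		set[p] = true
	}
	return func(_ context.Context, req Request) bool { return set[req.GetOperation()] }
}
```

Matching on the full "VERB:template" key means a DELETE on a route that only has a GET policy registered finds nothing, which is the failure a caller should treat as a deny rather than a pass.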
Source Files

Directories

| Path | Synopsis |
|---|---|
| _examples | |
| security-demo/backend | command |
| security-demo/client | command |
| security-demo/gateway | command |
| authn | Package authn provides interfaces and implementations for authentication. |
| cache | Package cache provides token caching functionality for the security module. |
| jwt | Package jwt provides a JWT-based implementation of the security interfaces. |
| noop | Package noop implements the functions, types, and interfaces for the module. |
| casbin/adapter | Package adapter implements the functions, types, and interfaces for the module. |
| casbin/internal/model | Package model embeds the model files for Casbin. |
| casbin/internal/policy | Package policy embeds the policy files for Casbin. |
| credential | Package credential provides interfaces and implementations for credential management. |
| jwt | module |
| request | Package request implements the functions, types, and interfaces for the module. |