userpat

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AlertAuditRepository added in v0.98.0

// AlertAuditRepository creates audit records for alert events. It is the
// audit sink passed to NewAlertService; presumably one record is written per
// notification the alert job sends — confirm in AlertService.Run.
type AlertAuditRepository interface {
	// Create persists auditRecord and returns the resulting record.
	Create(ctx context.Context, auditRecord auditmodels.AuditRecord) (auditmodels.AuditRecord, error)
}

AlertAuditRepository creates audit records for alert events.

type AlertConfig added in v0.98.0

// AlertConfig configures the PAT expiry alert job run by AlertService.
// It is nested under Config.Alert (yaml key "alert").
type AlertConfig struct {
	// Enabled turns the alert job on; defaults to false.
	Enabled               bool   `yaml:"enabled" mapstructure:"enabled" default:"false"`
	// Schedule is how often the job runs; the default "@every 1h" is
	// cron-library style syntax (the scheduler used is not visible here).
	Schedule              string `yaml:"schedule" mapstructure:"schedule" default:"@every 1h"`
	// DaysBefore is how many days ahead of expiry the reminder is sent;
	// presumably the days argument of AlertRepository.ListExpiryReminderPending.
	DaysBefore            int    `yaml:"days_before" mapstructure:"days_before" default:"3"`
	// ExpiryReminderSubject/ExpiryReminderBody form the message sent before a
	// PAT expires; ExpiredNoticeSubject/ExpiredNoticeBody the message sent once
	// it has expired. No defaults. Presumably delivered through the mailer.Dialer
	// given to NewAlertService; whether the bodies are templates is not visible here.
	ExpiryReminderSubject string `yaml:"expiry_reminder_subject" mapstructure:"expiry_reminder_subject"`
	ExpiryReminderBody    string `yaml:"expiry_reminder_body" mapstructure:"expiry_reminder_body"`
	ExpiredNoticeSubject  string `yaml:"expired_notice_subject" mapstructure:"expired_notice_subject"`
	ExpiredNoticeBody     string `yaml:"expired_notice_body" mapstructure:"expired_notice_body"`
}

type AlertOrgService added in v0.98.0

// AlertOrgService resolves org details from org ID. It is the narrow view of
// the organization service the alert job needs (compare OrganizationService,
// which exposes GetRaw instead).
type AlertOrgService interface {
	// Get returns the organization identified by id.
	Get(ctx context.Context, id string) (organization.Organization, error)
}

AlertOrgService resolves org details from org ID.

type AlertRepository added in v0.98.0

// AlertRepository is the subset of Repository needed by the alert service;
// Repository declares the same three methods, so any Repository satisfies it.
type AlertRepository interface {
	// ListExpiryReminderPending returns PATs that expire within days days and,
	// going by the name, have not yet been sent a reminder — confirm in the
	// repository implementation.
	ListExpiryReminderPending(ctx context.Context, days int) ([]models.PAT, error)
	// ListExpiredNoticePending returns already-expired PATs whose expired notice
	// is still pending.
	ListExpiredNoticePending(ctx context.Context) ([]models.PAT, error)
	// SetAlertSentMetadata records, presumably in the PAT's metadata under key,
	// that the corresponding alert was sent so the *Pending queries stop
	// returning it — confirm; the key values are not visible here.
	SetAlertSentMetadata(ctx context.Context, id string, key string) error
}

AlertRepository is the subset of Repository needed by the alert service.

type AlertService added in v0.98.0

// AlertService runs the scheduled PAT expiry alert job: going by its
// dependencies (AlertRepository, mailer.Dialer, AlertConfig, Locker,
// AlertAuditRepository) it presumably finds PATs pending a reminder or expired
// notice, mails the owning user, marks the alert sent and audits it — confirm in Run.
// Lifecycle: NewAlertService, Init, Run, Close.
type AlertService struct {
	// contains filtered or unexported fields
}

func NewAlertService added in v0.98.0

func NewAlertService(
	repo AlertRepository,
	userSvc AlertUserService,
	orgSvc AlertOrgService,
	dialer mailer.Dialer,
	locker Locker,
	config AlertConfig,
	logger log.Logger,
	auditRepo AlertAuditRepository,
) *AlertService

func (*AlertService) Close added in v0.98.0

func (s *AlertService) Close() error

func (*AlertService) Init added in v0.98.0

func (s *AlertService) Init(ctx context.Context) error

func (*AlertService) Run added in v0.98.0

func (s *AlertService) Run(ctx context.Context) error

type AlertUserService added in v0.98.0

// AlertUserService resolves user details from user ID; the alert job uses it
// to find the recipient of an expiry message.
type AlertUserService interface {
	// GetByID returns the user identified by id.
	GetByID(ctx context.Context, id string) (user.User, error)
}

AlertUserService resolves user details from user ID.

type AuditRecordRepository

// AuditRecordRepository persists audit records for Service operations; it is
// the last dependency of NewService. It mirrors AlertAuditRepository but uses
// the models.AuditRecord type rather than auditmodels.AuditRecord.
type AuditRecordRepository interface {
	// Create persists auditRecord and returns the resulting record.
	Create(ctx context.Context, auditRecord models.AuditRecord) (models.AuditRecord, error)
}

type Config

// Config holds the personal access token (PAT) feature settings shared by
// Service and Validator.
type Config struct {
	// Enabled gates the whole feature; Service and Validator report ErrDisabled
	// when it is false (see Get and Validate). Defaults to off.
	Enabled           bool        `yaml:"enabled" mapstructure:"enabled" default:"false"`
	// Prefix is the literal every PAT value starts with (default "fpt").
	// Validator.Validate returns ErrInvalidPAT for values without it so the
	// auth chain can fall through to the next authenticator.
	Prefix            string      `yaml:"prefix" mapstructure:"prefix" default:"fpt"`
	// MaxPerUserPerOrg caps active PATs per user per org (default 50).
	// Presumably enforced through Repository.CountActive on Create, and on
	// Regenerate when an expired PAT is revived (see Regenerate) — confirm.
	MaxPerUserPerOrg  int64       `yaml:"max_per_user_per_org" mapstructure:"max_per_user_per_org" default:"50"`
	// MaxLifetime is the longest allowed PAT lifetime as a duration string
	// (default "8760h", one year); MaxExpiry presumably parses it into the
	// time.Duration that ValidateExpiry checks against.
	// NOTE(review): how a malformed value is handled is not visible here — confirm.
	MaxLifetime       string      `yaml:"max_lifetime" mapstructure:"max_lifetime" default:"8760h"`
	// DefaultLifetime is a duration string (default "2160h", 90 days),
	// presumably applied when a create request gives no expiry — confirm in Create.
	DefaultLifetime   string      `yaml:"default_lifetime" mapstructure:"default_lifetime" default:"2160h"`
	// DeniedPermissions lists permissions a PAT must never carry; ListAllowedRoles
	// drops any role containing one. DeniedPermissionsSet exposes the same data
	// as a set for lookups.
	DeniedPermissions []string    `yaml:"denied_permissions" mapstructure:"denied_permissions"`
	// Alert configures the expiry alert job (see AlertConfig).
	Alert             AlertConfig `yaml:"alert" mapstructure:"alert"`
}

func (Config) DeniedPermissionsSet

func (c Config) DeniedPermissionsSet() map[string]struct{}

DeniedPermissionsSet returns denied permissions as a set for efficient lookups.

func (Config) MaxExpiry

func (c Config) MaxExpiry() time.Duration

type CreateRequest

// CreateRequest is the input to Service.Create.
type CreateRequest struct {
	// UserID and OrgID identify the owner; Repository keys PATs on this pair.
	UserID    string
	OrgID     string
	// Title names the token. Presumably required to be unique per user and org,
	// checked via IsTitleAvailable — confirm in Create.
	Title     string
	// Scopes is the role/project scope granted to the token (Update describes
	// scope as "roles + projects"); the PATScope layout is not visible here.
	Scopes    []patmodels.PATScope
	// ExpiresAt is the requested expiry; presumably validated by ValidateExpiry
	// (in the future and within Config.MaxLifetime) — confirm in Create.
	ExpiresAt time.Time
	// Metadata is free-form key/value data stored with the token.
	Metadata  map[string]any
}

type Locker added in v0.98.0

// Locker acquires distributed locks via Postgres advisory locks. NewAlertService
// takes one, presumably so that only a single instance performs each scheduled
// alert pass — confirm in AlertService.Run.
type Locker interface {
	// TryLock attempts to take the lock named id; going by the name it does not
	// block. What is returned when the lock is already held (nil *db.Lock, an
	// error, or both) is not visible here — check db.Lock before relying on it.
	TryLock(ctx context.Context, id string) (*db.Lock, error)
}

Locker acquires distributed locks via Postgres advisory locks.

type OrganizationService

// OrganizationService is the view of the organization service that Service
// needs (see NewService).
type OrganizationService interface {
	// GetRaw returns the organization identified by id. How "raw" differs from
	// AlertOrgService.Get is not visible here.
	GetRaw(ctx context.Context, id string) (organization.Organization, error)
}

type PolicyService

// PolicyService manages the authorization policies backing a PAT's scope.
// Delete and Update describe these as SpiceDB policies that are removed when a
// PAT is deleted and revoked-and-recreated when its scope changes.
type PolicyService interface {
	// Create stores pol and returns the created policy.
	Create(ctx context.Context, pol policy.Policy) (policy.Policy, error)
	// List returns the policies matching flt.
	List(ctx context.Context, flt policy.Filter) ([]policy.Policy, error)
	// Delete removes the policy identified by id.
	Delete(ctx context.Context, id string) error
}

type ProjectService added in v0.95.1

// ProjectService is the view of the project service that Service needs
// (see NewService).
type ProjectService interface {
	// ListByUser returns the projects visible to principal that match flt.
	ListByUser(ctx context.Context, principal authenticate.Principal, flt project.Filter) ([]project.Project, error)
}

type Repository

// Repository is the persistence layer for PATs. Only a hash of the secret is
// stored: Create documents that the plaintext is available only at creation
// time, and lookup is by GetBySecretHash. Repository also satisfies
// AlertRepository (its last three methods).
type Repository interface {
	// Create stores pat and returns the stored record.
	Create(ctx context.Context, pat models.PAT) (models.PAT, error)
	// CountActive returns the number of active PATs for userID in orgID; used
	// for the Config.MaxPerUserPerOrg limit.
	CountActive(ctx context.Context, userID, orgID string) (int64, error)
	// GetByID returns the PAT identified by id, regardless of owner; the
	// owner check lives in Service.Get.
	GetByID(ctx context.Context, id string) (models.PAT, error)
	// List returns the PATs of userID in orgID, filtered/paginated by query
	// (an rql query; nil handling is not visible here).
	List(ctx context.Context, userID, orgID string, query *rql.Query) (models.PATList, error)
	// GetBySecretHash returns the PAT whose stored hash equals secretHash; the
	// caller is presumably responsible for hashing the presented value.
	GetBySecretHash(ctx context.Context, secretHash string) (models.PAT, error)
	// IsTitleAvailable reports whether title is unused for userID in orgID.
	IsTitleAvailable(ctx context.Context, userID, orgID, title string) (bool, error)
	// UpdateUsedAt records at as the PAT's last-use timestamp.
	UpdateUsedAt(ctx context.Context, id string, at time.Time) error
	// Update replaces the stored PAT and returns the updated record.
	Update(ctx context.Context, pat models.PAT) (models.PAT, error)
	// Regenerate stores a new secretHash and expiresAt for the PAT id; scope
	// and policies are untouched (see Service.Regenerate).
	Regenerate(ctx context.Context, id, secretHash string, expiresAt time.Time) (models.PAT, error)
	// Delete removes the PAT; Service.Delete describes this as a soft delete.
	Delete(ctx context.Context, id string) error
	// ListExpiryReminderPending returns PATs expiring within days days that
	// still need a reminder (alert job).
	ListExpiryReminderPending(ctx context.Context, days int) ([]models.PAT, error)
	// ListExpiredNoticePending returns expired PATs whose notice is still pending.
	ListExpiredNoticePending(ctx context.Context) ([]models.PAT, error)
	// SetAlertSentMetadata marks the alert identified by key as sent for PAT id,
	// presumably in its metadata — confirm.
	SetAlertSentMetadata(ctx context.Context, id string, key string) error
}

type RoleService

// RoleService is the view of the role service that Service needs, e.g. for
// ListAllowedRoles, which lists platform roles by scope and drops any role
// carrying a denied permission.
type RoleService interface {
	// Get returns the role identified by id.
	Get(ctx context.Context, id string) (role.Role, error)
	// List returns the roles matching f.
	List(ctx context.Context, f role.Filter) ([]role.Role, error)
}

type Service

// Service implements PAT management for a user: Create, Get, List, Update,
// Regenerate, Delete and the ListAllowedRoles/ValidateExpiry helpers.
// Construct it with NewService. Authentication-time checks of a presented
// token live in Validator instead.
type Service struct {
	// contains filtered or unexported fields
}

func NewService

func NewService(logger log.Logger, repo Repository, config Config, orgService OrganizationService,
	roleService RoleService, policyService PolicyService, projectService ProjectService, auditRecordRepository AuditRecordRepository) *Service

func (*Service) Create

func (s *Service) Create(ctx context.Context, req CreateRequest) (patmodels.PAT, string, error)

Create generates a new PAT and returns it with the plaintext value. The plaintext value is only available at creation time.

func (*Service) Delete added in v0.94.0

func (s *Service) Delete(ctx context.Context, userID, id string) error

Delete soft-deletes the PAT first, then removes its SpiceDB policies. Soft-delete before policy cleanup prevents concurrent Update from re-creating policies for a deleted PAT (TOCTOU mitigation).

func (*Service) Get added in v0.94.0

func (s *Service) Get(ctx context.Context, userID, id string) (patmodels.PAT, error)

Get retrieves a PAT by ID, verifying it belongs to the given user. Returns ErrDisabled if PATs are not enabled, ErrNotFound if the PAT does not exist or belongs to a different user.

func (*Service) GetByID added in v0.93.2

func (s *Service) GetByID(ctx context.Context, id string) (patmodels.PAT, error)

func (*Service) IsTitleAvailable added in v0.94.0

func (s *Service) IsTitleAvailable(ctx context.Context, userID, orgID, title string) (bool, error)

IsTitleAvailable checks if a PAT title is available for the given user and org.

func (*Service) List added in v0.94.0

func (s *Service) List(ctx context.Context, userID, orgID string, query *rql.Query) (patmodels.PATList, error)

List retrieves all PATs for a user in an org and enriches each with scope fields.

func (*Service) ListAllowedRoles added in v0.94.0

func (s *Service) ListAllowedRoles(ctx context.Context, scopes []string) ([]role.Role, error)

ListAllowedRoles returns predefined roles that are valid for PAT assignment. It lists platform roles filtered by scopes and removes any role containing a denied permission. If scopes is empty, defaults to org + project scopes. Accepts short aliases (e.g. "project", "org") which are normalized to full namespace form (e.g. "app/project", "app/organization").

func (*Service) Regenerate added in v0.94.0

func (s *Service) Regenerate(ctx context.Context, userID, id string, newExpiresAt time.Time) (patmodels.PAT, string, error)

Regenerate creates a new secret and updates the expiry for an existing PAT. Scope (roles + projects) and policies are preserved. Expired PATs can be regenerated; when an expired PAT is revived, the active count limit is checked.

func (*Service) Update added in v0.94.0

func (s *Service) Update(ctx context.Context, toUpdate patmodels.PAT) (patmodels.PAT, error)

Update replaces a PAT's title, metadata, and scope (roles + projects). Scope changes use a revoke-all + recreate pattern, with a TOCTOU guard against a concurrent Delete.

func (*Service) ValidateExpiry

func (s *Service) ValidateExpiry(expiresAt time.Time) error

ValidateExpiry checks that the given expiry time is in the future and within the configured maximum PAT lifetime.

type Validator added in v0.93.2

// Validator validates PAT values during authentication. Construct it with
// NewValidator; Validate checks a presented token value (prefix, format,
// expiry, existence), while GetByID rebuilds the PAT principal from JWT claims.
type Validator struct {
	// contains filtered or unexported fields
}

Validator validates PAT values during authentication.

func NewValidator added in v0.93.2

func NewValidator(logger log.Logger, repo Repository, config Config) *Validator

func (*Validator) GetByID added in v0.96.0

func (v *Validator) GetByID(ctx context.Context, id string) (models.PAT, error)

GetByID retrieves a PAT by ID. Used by the access token authenticator to reconstruct the PAT principal from JWT claims.

func (*Validator) Validate added in v0.93.2

func (v *Validator) Validate(ctx context.Context, value string) (models.PAT, error)

Validate checks a PAT value and returns the corresponding PAT. Returns ErrInvalidPAT if the value doesn't match the configured prefix (allowing the auth chain to fall through to the next authenticator). Returns ErrMalformedPAT, ErrExpired, ErrNotFound, or ErrDisabled for terminal auth failures.
