authmode



Overview

Package authmode defines common types and utilities for auth modes.

Index

Constants

const (
	// XHasuraDefaultRole is the constant string of the x-hasura-default-role header name.
	// The x-hasura-* names below are the session-variable/role headers understood by
	// Hasura GraphQL Engine (see SerializeSessionVariablesHasuraGraphQLEngine).
	XHasuraDefaultRole = "x-hasura-default-role"
	// XHasuraAllowedRoles is the constant string of the x-hasura-allowed-roles header name.
	XHasuraAllowedRoles = "x-hasura-allowed-roles"
	// XHasuraRole is the constant string of the x-hasura-role header name.
	XHasuraRole = "x-hasura-role"
	// XHasuraAuthMode is the constant string of the x-hasura-auth-mode header name.
	// This is a request header (presumably what GetAuthModeHeader reads — confirm). Because it
	// is client-supplied it should only select among configured authenticators; its presence
	// is never evidence of identity.
	XHasuraAuthMode = "x-hasura-auth-mode"
	// XRelyAuthMode is the constant string of the x-rely-auth-mode header name.
	// NOTE(review): looks like a vendor-neutral alias of XHasuraAuthMode — confirm.
	XRelyAuthMode = "x-rely-auth-mode"
	// XRelyAuthID is the constant string of the x-rely-auth-id header name.
	XRelyAuthID = "x-rely-auth-id"
)

Variables

// Sentinel errors returned by config validation and request validation in this package.
// Compare with errors.Is; the messages are stable, lowercase, and safe to surface to
// operators, but they are intentionally generic so a caller does not leak which rule rejected
// a request to the client.
var (
	// ErrAuthConfigRequired occurs when the auth config is null.
	ErrAuthConfigRequired = errors.New("auth definition is empty")
	// ErrAuthConfigValueRequired occurs when the auth value is empty.
	ErrAuthConfigValueRequired = errors.New("auth definition value is empty")
	// ErrOnlyOneNoAuthModeAllowed occurs when there are many auth config definitions with noAuth mode.
	// More than one noAuth definition would make the unauthenticated fallback ambiguous.
	ErrOnlyOneNoAuthModeAllowed = errors.New("only one noAuth config is allowed")
	// ErrAuthFieldRequired occurs when a field in the auth config is empty.
	// Wrap it via NewAuthFieldRequiredError to attach the mode and field name.
	ErrAuthFieldRequired = errors.New("required field")
	// ErrLocationNameRequired occurs when the name of the token location is empty.
	ErrLocationNameRequired = errors.New("name of token location is required")
	// ErrAuthTokenNotFound occurs when the API key or token is not found.
	ErrAuthTokenNotFound = errors.New("auth token not found")
	// ErrUnsupportedAuthMode occurs when the auth mode is unsupported.
	ErrUnsupportedAuthMode = errors.New("unsupported auth mode")
	// ErrEmptyAllowedIPs occurs when the allowed IPs config is empty.
	// An empty allow list is rejected rather than treated as "allow all".
	ErrEmptyAllowedIPs = errors.New("allowed IPs config is empty")
	// ErrInvalidSubnet occurs when the subnet string is invalid.
	ErrInvalidSubnet = errors.New("invalid IP or subnet")
	// ErrInvalidIP occurs when the IP string is invalid.
	ErrInvalidIP = errors.New("invalid IP")
	// ErrIPNotFound occurs when the IP does not exist in request headers
	// (none of the configured client-IP headers carried a value).
	ErrIPNotFound = errors.New("ip not found")
	// ErrDisallowedIP occurs when the IP string does not satisfy the allow list.
	ErrDisallowedIP = errors.New("ip address does not satisfy the allow list")
	// ErrInvalidHeader occurs when the header does not satisfy the security rule.
	ErrInvalidHeader = errors.New("invalid header")
)

Functions

func FindAuthTokenByLocation

func FindAuthTokenByLocation(
	body *AuthenticateRequestData,
	location *authscheme.TokenLocation,
) (string, error)

FindAuthTokenByLocation finds the authentication token or api key from the request.

func GetAuthModeHeader added in v0.0.2

func GetAuthModeHeader(headers map[string]string) string

GetAuthModeHeader gets the authentication mode from request headers. Note that headers must be converted to a string map with keys in lower-case (header names are case-insensitive, and the lookup presumably does not normalize keys itself — confirm). The returned mode comes from a client-supplied header, so callers should only use it to pick among configured authenticators and must not treat its presence as proof of anything.

func GetClientIP added in v0.0.2

func GetClientIP(headers map[string]string, allowedHeaders ...string) (net.IP, error)

GetClientIP gets the client IP from request headers, consulting only the header names given in allowedHeaders. Any header-derived address (X-Forwarded-For and similar) is attacker-controlled unless a trusted proxy strips and sets it, so the configured headers should be limited to ones the deployment's edge is known to overwrite; it returns ErrIPNotFound when none of the headers carries a value and ErrInvalidIP when the value does not parse.

func NewAuthFieldRequiredError

func NewAuthFieldRequiredError(authMode AuthMode, name string) error

NewAuthFieldRequiredError creates a required auth field error.

func ParseSubnet added in v0.0.2

func ParseSubnet(value string) (*net.IPNet, error)

ParseSubnet parses the subnet from a raw string into a *net.IPNet, returning ErrInvalidSubnet ("invalid IP or subnet") when the value cannot be parsed — so presumably both a bare IP and CIDR notation are accepted; confirm against the implementation.

func SerializeSessionVariablesHasuraGraphQLEngine

func SerializeSessionVariablesHasuraGraphQLEngine(
	sessionVariables map[string]any,
) (map[string]string, error)

SerializeSessionVariablesHasuraGraphQLEngine serializes session variables (map[string]any) into the string-valued map that Hasura GraphQL Engine expects in an auth webhook response, returning an error when a value cannot be serialized.

func ValidateTokenLocation

func ValidateTokenLocation(
	tokenLocation authscheme.TokenLocation,
) (authscheme.TokenLocation, error)

ValidateTokenLocation validates the token location and returns the normalized location; it returns ErrLocationNameRequired when the location name is empty.

Types

type AuthMode

type AuthMode string

AuthMode represents an authentication mode enum.

const (
	// AuthModeNoAuth accepts requests without credentials; at most one noAuth definition is
	// allowed per configuration (see ErrOnlyOneNoAuthModeAllowed).
	AuthModeNoAuth   AuthMode = "noAuth"
	// AuthModeAPIKey authenticates with a static API key found at a configured TokenLocation.
	AuthModeAPIKey   AuthMode = "apiKey"
	// AuthModeJWT authenticates with a JSON Web Token; keys may be reloaded periodically
	// (see RelyAuthSettings.ReloadInterval).
	AuthModeJWT      AuthMode = "jwt"
	// AuthModeWebhook delegates authentication to a remote webhook.
	AuthModeWebhook  AuthMode = "webhook"
	// AuthModeComposed combines other modes. NOTE(review): the combination semantics
	// (all-must-pass vs. first-match) are not visible in this package — confirm before relying on it.
	AuthModeComposed AuthMode = "composed"
)

func GetSupportedAuthModes

func GetSupportedAuthModes() []AuthMode

GetSupportedAuthModes gets the list of supported auth modes.

func (AuthMode) JSONSchema

func (AuthMode) JSONSchema() *jsonschema.Schema

JSONSchema defines a custom definition for JSON schema.

type AuthenticateRequestData

// AuthenticateRequestData is the payload the auth webhook receives for one request.
// Everything in it is supplied by the caller and must be treated as untrusted input.
type AuthenticateRequestData struct {
	// URL of the original request.
	URL string `json:"url,omitempty"`
	// Request headers. Keys are expected to be lower-cased before lookup
	// (see the note on GetAuthModeHeader).
	Headers map[string]string `json:"headers"`
	// Raw request body. Kept as json.RawMessage so decoding is deferred to the
	// authenticator that needs it (e.g. into HasuraV2PostRequestBody).
	Request json.RawMessage `json:"request"`
}

AuthenticateRequestData contains the request body of the auth hook request.

type AuthenticatedOutput

// AuthenticatedOutput is the result of a successful Authenticate call.
type AuthenticatedOutput struct {
	// ID identifies the authenticator that accepted the request
	// (presumably one of RelyAuthenticator.IDs() — confirm).
	ID               string
	// Mode is the auth mode of that authenticator.
	Mode             AuthMode
	// SessionVariables are the claims to hand back to the GraphQL engine; convert with
	// SerializeSessionVariablesHasuraGraphQLEngine for Hasura.
	SessionVariables map[string]any
}

AuthenticatedOutput represents the authenticated output and authenticator metadata.

type Authenticator

// Authenticator is implemented by every auth mode.
type Authenticator interface {
	// Authenticate validates and authenticates the token from the auth webhook request.
	// A non-nil error means the request must be rejected; the AuthenticatedOutput is
	// only meaningful when err is nil.
	Authenticate(ctx context.Context, body *AuthenticateRequestData) (AuthenticatedOutput, error)
}

Authenticator is the interface every auth mode implements; it exposes the single Authenticate method.

type HasuraV2PostRequestBody

// HasuraV2PostRequestBody is the decoded form of AuthenticateRequestData.Request when the
// caller is Hasura GraphQL Engine v2. It is client-controlled; avoid logging Query or
// Variables verbatim since they may carry secrets.
type HasuraV2PostRequestBody struct {
	// Variables are the GraphQL variables of the original operation.
	Variables     map[string]any `json:"variables"`
	// OperationName is the optional operation name.
	OperationName string         `json:"operationName,omitempty"`
	// Query is the raw GraphQL document.
	Query         string         `json:"query"`
}

HasuraV2PostRequestBody holds the original body of the request. It is only available when the caller is [Hasura GraphQL Engine v2](https://hasura.io/docs/2.0/auth/authentication/webhook/#post-request-example), which forwards the GraphQL operation in its POST webhook payload.

type RelyAuthAllowedIPs added in v0.0.2

// RelyAuthAllowedIPs is the parsed IP allow-list rule.
type RelyAuthAllowedIPs struct {
	// Headers are the request headers the client IP is read from. Only list headers a
	// trusted proxy is known to overwrite — otherwise a client can forge its address.
	Headers    []string
	// AllowedIPs are the networks a client IP must fall within.
	AllowedIPs []*net.IPNet
}

RelyAuthAllowedIPs holds the allowed-IPs security rule parsed from config. The client address is read from the configured Headers, so the rule is only as strong as the proxy that sets those headers.

func RelyAuthAllowedIPsFromConfig added in v0.0.2

func RelyAuthAllowedIPsFromConfig(
	conf *RelyAuthIPAllowListConfig,
	getEnvFunc goenvconf.GetEnvFunc,
) (*RelyAuthAllowedIPs, error)

RelyAuthAllowedIPsFromConfig creates a RelyAuthAllowedIPs instance from config.

func (*RelyAuthAllowedIPs) Validate added in v0.0.2

func (ai *RelyAuthAllowedIPs) Validate(body *AuthenticateRequestData) error

Validate checks if the request satisfies the security rule: the client IP taken from the configured headers must parse and fall within AllowedIPs. It presumably returns ErrIPNotFound, ErrInvalidIP or ErrDisallowedIP otherwise — confirm against the implementation.

type RelyAuthDefinitionInterface

// RelyAuthDefinitionInterface is implemented by every auth mode's config definition.
type RelyAuthDefinitionInterface interface {
	// IsZero reports whether the definition is empty (goutils.IsZeroer).
	goutils.IsZeroer

	// GetMode returns the auth mode of the current config.
	GetMode() AuthMode
	// Validate returns a non-nil error when the current instance is not valid.
	Validate() error
}

RelyAuthDefinitionInterface abstracts the interface of an auth mode definition.

type RelyAuthHeaderRules added in v0.0.2

// RelyAuthHeaderRules maps a (lower-cased) header name to the matchers its value must satisfy.
// NOTE(review): whether the matchers are anchored is not visible here; anchor patterns
// (^...$) explicitly when an exact match is intended.
type RelyAuthHeaderRules map[string][]*goutils.RegexpMatcher

RelyAuthHeaderRules represents a map of header rules.

func RelyAuthHeaderRulesFromConfig added in v0.0.2

func RelyAuthHeaderRulesFromConfig(
	conf map[string]goenvconf.EnvStringSlice,
	getEnvFunc goenvconf.GetEnvFunc,
) (RelyAuthHeaderRules, error)

RelyAuthHeaderRulesFromConfig creates a header map with expression matchers from config, resolving values through getEnvFunc. Because the patterns are regular expressions, write them anchored (^...$) when an exact header value is required; an unanchored pattern matches any substring.

func (RelyAuthHeaderRules) Validate added in v0.0.2

Validate checks if the request satisfies the security rule; it returns ErrInvalidHeader when a header value does not satisfy its matchers.

type RelyAuthIPAllowListConfig added in v0.0.2

// RelyAuthIPAllowListConfig is the user-facing config for the IP allow list.
type RelyAuthIPAllowListConfig struct {
	// Headers lists the request headers the client IP is read from. Restrict this to
	// headers a trusted proxy overwrites; a default is presumably applied when omitted — confirm.
	Headers  []string                 `json:"headers,omitempty" yaml:"headers,omitempty"`
	// Patterns are the allowed IPs or CIDR subnets; values may come from the environment.
	Patterns goenvconf.EnvStringSlice `json:"patterns" yaml:"patterns"`
}

RelyAuthIPAllowListConfig represents the IP allow-list setting: the headers to read the client IP from and the IP/subnet patterns to permit. An empty pattern list is rejected with ErrEmptyAllowedIPs rather than allowing everything.

func (RelyAuthIPAllowListConfig) Equal added in v0.0.2

Equal checks if the target value is equal.

func (RelyAuthIPAllowListConfig) IsZero added in v0.0.2

func (hal RelyAuthIPAllowListConfig) IsZero() bool

IsZero if the current instance is empty.

type RelyAuthSecurityRules added in v0.0.2

// RelyAuthSecurityRules is the parsed set of extra checks applied to a webhook request.
type RelyAuthSecurityRules struct {
	// Configure the list of allowed IPs. nil disables the IP check.
	AllowedIPs *RelyAuthAllowedIPs
	// Configure the list of extra header rules. An empty map disables the header check.
	HeaderRules RelyAuthHeaderRules
}

RelyAuthSecurityRules defines additional hardening rules (IP allow list and header rules) that a request must satisfy on top of token validation.

func RelyAuthSecurityRulesFromConfig added in v0.0.2

func RelyAuthSecurityRulesFromConfig(
	conf *RelyAuthSecurityRulesConfig,
	getEnvFunc goenvconf.GetEnvFunc,
) (*RelyAuthSecurityRules, error)

RelyAuthSecurityRulesFromConfig creates a RelyAuthSecurityRules from configurations.

func (*RelyAuthSecurityRules) Validate added in v0.0.2

Validate checks if the webhook request satisfies every configured security rule (IP allow list and header rules), returning the first failing rule's error.

type RelyAuthSecurityRulesConfig added in v0.0.2

// RelyAuthSecurityRulesConfig is the user-facing config for RelyAuthSecurityRules.
type RelyAuthSecurityRulesConfig struct {
	// Configure the list of allowed IPs. Omit to skip the IP check.
	AllowedIPs *RelyAuthIPAllowListConfig `json:"allowedIPs,omitempty" yaml:"allowedIPs,omitempty"`
	// Configure the map of header rules: header name -> regular expressions its value must match.
	// Anchor patterns (^...$) when an exact value is required.
	HeaderRules map[string]goenvconf.EnvStringSlice `json:"headerRules,omitempty" yaml:"headerRules,omitempty"`
}

RelyAuthSecurityRulesConfig defines configurations of security rules.

func (RelyAuthSecurityRulesConfig) Equal added in v0.0.2

Equal checks if the target value is equal.

func (RelyAuthSecurityRulesConfig) IsZero added in v0.0.2

func (es RelyAuthSecurityRulesConfig) IsZero() bool

IsZero if the current instance is empty.

type RelyAuthSettings

// RelyAuthSettings holds settings shared by all authenticators.
type RelyAuthSettings struct {
	// The interval in seconds to reload JSON web keys from the remote URL.
	// If the value is zero or negative, disables the process — rotated keys at the
	// JWKS URL are then presumably not picked up until restart, so set this in
	// deployments that rotate signing keys.
	ReloadInterval int `json:"reloadInterval,omitempty" yaml:"reloadInterval,omitempty" jsonschema:"minimum=0,default=0"`
}

RelyAuthSettings holds global settings for the authenticators.

type RelyAuthentication added in v0.0.2

// RelyAuthentication wraps a RelyAuthenticator with extra security rules.
type RelyAuthentication struct {
	RelyAuthenticator

	// SecurityRules are applied in Authenticate; nil presumably means no extra rules — confirm.
	SecurityRules *RelyAuthSecurityRules
}

RelyAuthentication is the wrapper of RelyAuthenticator with extra security rules.

func (*RelyAuthentication) Authenticate added in v0.0.2

Authenticate validates and authenticates the token from the auth webhook request, additionally enforcing SecurityRules; whether the rules run before or after the embedded authenticator is not visible here.

type RelyAuthenticator

// RelyAuthenticator is an Authenticator with identity, mode and lifecycle methods.
type RelyAuthenticator interface {
	Authenticator

	// IDs returns identities of this authenticator.
	IDs() []string
	// Mode returns the auth mode of the current authenticator.
	Mode() AuthMode
	// Close handles the resources cleaning (e.g. stopping JWKS reload loops).
	Close() error
}

RelyAuthenticator abstracts the authenticator for the auth webhook.

type RelyAuthenticatorOption

type RelyAuthenticatorOption func(*RelyAuthenticatorOptions)

RelyAuthenticatorOption abstracts a function to modify RelyAuthenticatorOptions.

func WithCustomAttributes

func WithCustomAttributes(attrs []attribute.KeyValue) RelyAuthenticatorOption

WithCustomAttributes sets custom trace and metrics attributes to auth manager options.

func WithCustomEnvGetter

func WithCustomEnvGetter(
	getter func(ctx context.Context) goenvconf.GetEnvFunc,
) RelyAuthenticatorOption

WithCustomEnvGetter returns a function to set the GetEnvFunc getter to RelyAuthenticatorOptions.

func WithHTTPClient

func WithHTTPClient(client *gohttpc.Client) RelyAuthenticatorOption

WithHTTPClient sets the HTTP client to auth manager options.

func WithLogger

func WithLogger(logger *slog.Logger) RelyAuthenticatorOption

WithLogger sets the logger to auth manager options.

func WithPrefix

func WithPrefix(prefix string) RelyAuthenticatorOption

WithPrefix sets the prefix to auth manager options.

type RelyAuthenticatorOptions

// RelyAuthenticatorOptions are the options shared by authenticators; build with
// NewRelyAuthenticatorOptions and the With* functions.
type RelyAuthenticatorOptions struct {
	// CustomEnvGetter resolves environment values per request context; nil falls back
	// to the OS environment (see GetEnvFunc).
	CustomEnvGetter  func(ctx context.Context) goenvconf.GetEnvFunc
	Logger           *slog.Logger
	// HTTPClient is used for outbound calls (webhook, JWKS). Give it timeouts and, where
	// possible, TLS settings appropriate for calling authentication endpoints.
	HTTPClient       *gohttpc.Client
	CustomAttributes []attribute.KeyValue
	// Prefix is used to create unique JWKS registration keys, allowing multiple authenticators
	// to register the same JWKS URL independently.
	Prefix string
}

RelyAuthenticatorOptions define common options for the authenticator.

func NewRelyAuthenticatorOptions

func NewRelyAuthenticatorOptions(options ...RelyAuthenticatorOption) RelyAuthenticatorOptions

NewRelyAuthenticatorOptions creates a new RelyAuthenticatorOptions instance.

func (RelyAuthenticatorOptions) GetEnvFunc

GetEnvFunc returns the get-env function. The default is the OS environment.
