auth

package
v0.78.0
Published: Dec 22, 2025 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GatewayMiddleware added in v0.24.0

func GatewayMiddleware(aud *Audience, next gateway.HandlerFunc) gateway.HandlerFunc

GatewayMiddleware is a gRPC-gateway middleware variant of UnaryServerInterceptor. It should be used for non-gRPC HTTP endpoints mounted directly on the gRPC-gateway mux.

func GetClaims

func GetClaims(ctx context.Context, instanceID string) *runtime.SecurityClaims

GetClaims retrieves Claims from a request context. The instanceID is optional, but if provided, the permissions in the result will be scoped to that instance. It should only be used in handlers intercepted by UnaryServerInterceptor or StreamServerInterceptor.

func HTTPMiddleware

func HTTPMiddleware(aud *Audience, next http.Handler) http.Handler

HTTPMiddleware is an HTTP middleware variant of UnaryServerInterceptor. It should be used for non-gRPC HTTP endpoints.

func NewDevToken added in v0.33.0

func NewDevToken(attr map[string]any, permissions []runtime.Permission) (string, error)

NewDevToken creates a new development token carrying the given user attributes and permissions.

func StreamServerInterceptor

func StreamServerInterceptor(aud *Audience) grpc.StreamServerInterceptor

StreamServerInterceptor is the streaming variant of UnaryServerInterceptor.

func UnaryServerInterceptor

func UnaryServerInterceptor(aud *Audience) grpc.UnaryServerInterceptor

UnaryServerInterceptor is a middleware for setting claims on runtime server requests. The assigned claims can be retrieved using GetClaims. If the interceptor succeeds, a Claims value is guaranteed to be set on the ctx. The claim parsing logic is as follows:

- When aud is nil, auth is considered disabled, and a Claims that allows all actions (openClaims) is set.
- When aud is not nil, a Claims is derived from the JWT passed as a bearer token in the Authorization header (jwtClaims).
- When aud is not nil and no Authorization header is passed, a Claims that denies any action (anonClaims) is set.
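The three-way dispatch above, as an added example that is not the package's own code: a stdlib-only HTTP middleware that mirrors HTTPMiddleware, GetClaims and WithClaims over a stand-in SecurityClaims type. The Audience here is a hypothetical stand-in whose Validate closure plays the role of ParseAndValidate against a constructed token table (no real JWTs are parsed). Returning 401 for a non-bearer scheme or for a token that fails validation, rather than falling through to the anonymous claims, is this example's choice; the page only specifies the nil-audience, bearer-token and missing-header cases.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SecurityClaims stands in for runtime.SecurityClaims (hypothetical type, not the package's).
// open == true is the "auth disabled" case; an empty Perms set is the anonymous case.
type SecurityClaims struct {
	Subject string
	Perms   map[string]bool
	open    bool
}

// Can is what a handler asks; a nil receiver denies, so a handler that was not
// wrapped by the middleware fails closed instead of panicking or allowing.
func (c *SecurityClaims) Can(perm string) bool {
	return c != nil && (c.open || c.Perms[perm])
}

var (
	openClaims = &SecurityClaims{Subject: "auth-disabled", open: true} // aud == nil
	anonClaims = &SecurityClaims{Subject: "anonymous"}                 // no Authorization header
)

// Audience stands in for auth.Audience; Validate plays the role of ParseAndValidate.
type Audience struct {
	Validate func(token string) (*SecurityClaims, error)
}

type claimsKey struct{}

// WithClaims and GetClaims are the context plumbing the page's functions of the same name provide.
func WithClaims(ctx context.Context, c *SecurityClaims) context.Context {
	return context.WithValue(ctx, claimsKey{}, c)
}

func GetClaims(ctx context.Context) *SecurityClaims {
	c, _ := ctx.Value(claimsKey{}).(*SecurityClaims)
	return c
}

// HTTPMiddleware applies the three documented cases: nil audience => open claims,
// no Authorization header => anonymous claims, bearer token => whatever it validates to.
// A header that is present but unusable is rejected with 401 (example's choice).
func HTTPMiddleware(aud *Audience, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims := openClaims
		if aud != nil {
			claims = anonClaims
			if h := r.Header.Get("Authorization"); h != "" {
				scheme, token, _ := strings.Cut(h, " ")
				if !strings.EqualFold(scheme, "Bearer") || token == "" {
					http.Error(w, "expected a bearer token", http.StatusUnauthorized)
					return
				}
				c, err := aud.Validate(token)
				if err != nil {
					http.Error(w, "invalid token", http.StatusUnauthorized)
					return
				}
				claims = c
			}
		}
		next.ServeHTTP(w, r.WithContext(WithClaims(r.Context(), claims)))
	})
}

// queryHandler is a protected endpoint: it requires the "read" permission and
// checks it through GetClaims, as a runtime handler would.
var queryHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	c := GetClaims(r.Context())
	if !c.Can("read") {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "hello %s", c.Subject)
})

// Probe sends one request with the given Authorization header value through the
// middleware and returns the resulting status code.
func Probe(aud *Audience, authorization string) int {
	req := httptest.NewRequest(http.MethodGet, "/v1/query", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	HTTPMiddleware(aud, queryHandler).ServeHTTP(rec, req)
	return rec.Code
}

// DemoAudience validates against a constructed in-memory token table (test data, not JWTs).
func DemoAudience() *Audience {
	tokens := map[string]*SecurityClaims{
		"tok-alice": {Subject: "alice", Perms: map[string]bool{"read": true}},
		"tok-bob":   {Subject: "bob"}, // authenticated, but without the read permission
	}
	return &Audience{Validate: func(tok string) (*SecurityClaims, error) {
		if c, ok := tokens[tok]; ok {
			return c, nil
		}
		return nil, errors.New("unknown token")
	}}
}

func main() {
	aud := DemoAudience()
	fmt.Println(Probe(nil, ""), Probe(aud, ""), Probe(aud, "Bearer tok-alice"),
		Probe(aud, "Bearer tok-bob"), Probe(aud, "Bearer forged"), Probe(aud, "Basic dXNlcjpwdw=="))
}
```

The distinction worth keeping from the page is that "no header" and "bad header" are different outcomes: the anonymous claims exist so that unauthenticated requests still reach handlers with a deny-everything identity, while a request that presents credentials and fails should not be quietly downgraded to that identity.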

func WithClaims added in v0.78.0

func WithClaims(ctx context.Context, claims *runtime.SecurityClaims) context.Context

WithClaims wraps a context with the given claims. It mimics the result of parsing a JWT using a middleware. It should only be used in tests. NOTE: We should remove this when the server tests support interceptors.

Types

type Audience

type Audience struct {
	// contains filtered or unexported fields
}

Audience represents a receiver of tokens from Issuer. The Audience is used by the runtime to parse claims from a JWT. It parses and validates tokens and resolves permissions. It refreshes its JWKS in the background from {issuerURL}/.well-known/jwks.json.

func OpenAudience

func OpenAudience(ctx context.Context, logger *zap.Logger, issuerURL, audienceURL string) (*Audience, error)

OpenAudience creates an Audience. Remember to call Close() when done. The issuerURL should be the external URL of the issuing admin server. The issuerURL is expected to serve a JWKS on /.well-known/jwks.json. The audienceURL should be the external URL of the receiving runtime server.

func (*Audience) Close

func (a *Audience) Close()

Close stops background refresh of the JWKS.

func (*Audience) ParseAndValidate

func (a *Audience) ParseAndValidate(tokenStr string) (ClaimsProvider, error)

ParseAndValidate parses and validates a JWT and, if successful, returns a ClaimsProvider for its claims.

type ClaimsProvider added in v0.78.0

type ClaimsProvider interface {
	Claims(instanceID string) *runtime.SecurityClaims
}

ClaimsProvider resolves a runtime.SecurityClaims from an underlying source (which in practice is a JWT's claims).

type Issuer

type Issuer struct {
	// contains filtered or unexported fields
}

Issuer creates JWTs with claims for an Audience. The Issuer is used by the admin server to create JWTs for the runtimes it manages based on a user's control-plane permissions.

func NewEphemeralIssuer

func NewEphemeralIssuer(issuerURL string) (*Issuer, error)

NewEphemeralIssuer creates an Issuer using a generated JWKS. It is useful for development and testing, but should not be used in production.

func NewIssuer

func NewIssuer(issuerURL, signingKeyID string, jwksJSON []byte) (*Issuer, error)

NewIssuer creates an issuer from a JWKS. The JWKS must contain private keys. The key identified by signingKeyID will be used to sign new JWTs.

func (*Issuer) NewToken

func (i *Issuer) NewToken(opts TokenOptions) (string, error)

NewToken issues a new JWT based on the provided options.

func (*Issuer) WellKnownHandler added in v0.24.0

func (i *Issuer) WellKnownHandler() http.Handler

WellKnownHandler serves the public keys of the Issuer's JWKS. The Audience expects it to be mounted on {issuerURL}/.well-known/jwks.json.

type TokenOptions

type TokenOptions struct {
	AudienceURL         string
	Subject             string
	TTL                 time.Duration
	SystemPermissions   []runtime.Permission
	InstancePermissions map[string][]runtime.Permission
	Attributes          map[string]any
	SecurityRules       []*runtimev1.SecurityRule
}

TokenOptions provides options for Issuer.NewToken.
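An added, self-contained sketch of the Issuer/Audience contract described under Audience, Issuer and TokenOptions above. It is not the package's code: it signs with stdlib Ed25519 (EdDSA, RFC 8037) rather than whatever algorithm the package uses, loads the JWKS from bytes instead of refreshing it in the background, and the issuer and runtime URLs, the kid "ephemeral-1", the Claims shape and RoundTrip are all constructed for the example. What it shows is the order of checks an audience has to make before trusting anything in a token: algorithm pinned, key selected by kid from the JWKS served at /.well-known/jwks.json, signature verified, and only then iss, aud and exp.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the signed payload used here; the page's Audience turns it into runtime.SecurityClaims.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// Issuer signs tokens with one Ed25519 key and publishes the public half under a kid.
type Issuer struct {
	issuerURL, kid string
	priv           ed25519.PrivateKey
}

// NewEphemeralIssuer generates a throwaway key; as on the page, for dev and tests only.
func NewEphemeralIssuer(issuerURL string) (*Issuer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{issuerURL: issuerURL, kid: "ephemeral-1", priv: priv}, nil
}

// NewToken signs base64url(header).base64url(payload); the header's kid tells the Audience which key to use.
func (i *Issuer) NewToken(audienceURL, subject string, ttl time.Duration) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": i.kid})
	body, _ := json.Marshal(Claims{Iss: i.issuerURL, Aud: audienceURL, Sub: subject, Exp: time.Now().Add(ttl).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(i.priv, []byte(input)))
}

// WellKnownHandler serves only the public key, as an OKP JWK set; mount it at {issuerURL}/.well-known/jwks.json.
func (i *Issuer) WellKnownHandler() http.Handler {
	pub := b64.EncodeToString(i.priv.Public().(ed25519.PublicKey))
	set := map[string][]map[string]string{"keys": {{"kty": "OKP", "crv": "Ed25519", "kid": i.kid, "x": pub}}}
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(set)
	})
}

// Audience verifies tokens against the issuer's published keys, indexed by kid.
type Audience struct {
	issuerURL, audienceURL string
	keys                   map[string]ed25519.PublicKey
}

// OpenAudience loads a JWKS document; the page's Audience fetches it from the issuer and keeps refreshing it.
func OpenAudience(issuerURL, audienceURL string, jwksJSON []byte) (*Audience, error) {
	var set struct {
		Keys []map[string]string `json:"keys"`
	}
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	a := &Audience{issuerURL: issuerURL, audienceURL: audienceURL, keys: map[string]ed25519.PublicKey{}}
	for _, k := range set.Keys {
		pub, err := b64.DecodeString(k["x"])
		if k["kty"] != "OKP" || k["crv"] != "Ed25519" || err != nil || len(pub) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("unsupported or malformed key %q", k["kid"])
		}
		a.keys[k["kid"]] = ed25519.PublicKey(pub)
	}
	return a, nil
}

// ParseAndValidate pins the algorithm, selects the key by kid, verifies the signature, and only then trusts iss, aud and exp.
func (a *Audience) ParseAndValidate(tok string) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unsupported or malformed header") // alg=none and algorithm confusion stop here
	}
	pub, ok := a.keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Iss != a.issuerURL || c.Aud != a.audienceURL {
		return nil, fmt.Errorf("token for iss=%q aud=%q is not for this runtime", c.Iss, c.Aud)
	}
	if time.Now().Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// RoundTrip exercises the flow end to end: the runtime loads the issuer's JWKS, accepts a token minted for it,
// rejects one minted for a different runtime, and rejects a payload rewritten after signing.
func RoundTrip() (subject string, wrongAudErr, tamperedErr, setupErr error) {
	const issuerURL, thisRuntime, otherRuntime = "https://admin.example.internal", "https://rt-a.example.internal", "https://rt-b.example.internal"
	iss, err := NewEphemeralIssuer(issuerURL)
	if err != nil {
		return "", nil, nil, err
	}
	rec := httptest.NewRecorder() // stands in for the runtime's GET {issuerURL}/.well-known/jwks.json
	iss.WellKnownHandler().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/.well-known/jwks.json", nil))
	aud, err := OpenAudience(issuerURL, thisRuntime, rec.Body.Bytes())
	if err != nil {
		return "", nil, nil, err
	}
	tok := iss.NewToken(thisRuntime, "user-42", time.Minute)
	c, err := aud.ParseAndValidate(tok)
	if err != nil {
		return "", nil, nil, err
	}
	_, wrongAudErr = aud.ParseAndValidate(iss.NewToken(otherRuntime, "user-42", time.Minute))
	parts := strings.Split(tok, ".")
	forged := b64.EncodeToString([]byte(`{"iss":"` + issuerURL + `","aud":"` + thisRuntime + `","sub":"admin","exp":9999999999}`))
	_, tamperedErr = aud.ParseAndValidate(parts[0] + "." + forged + "." + parts[2])
	return c.Sub, wrongAudErr, tamperedErr, nil
}

func main() {
	fmt.Println(RoundTrip())
}
```

Two properties of the page's design are visible here. The audience check is what stops a token minted for one runtime from being replayed against another that trusts the same issuer, which matters when one admin server issues for many runtimes; and because the JWKS only ever carries public keys, the issuer's WellKnownHandler can be exposed on the external issuerURL without widening who can mint tokens. A production audience additionally needs what the page's Audience does and this sketch omits: periodic JWKS refresh so that a rotated signingKeyID is picked up, and Close() to stop that refresh.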
