Documentation
Overview
Package auth provides authentication middleware for the registry API server.
Index
- Variables
- func ClaimsFromContext(ctx context.Context) jwt.MapClaims
- func ContextWithClaims(ctx context.Context, claims jwt.MapClaims) context.Context
- func ContextWithRoles(ctx context.Context, roles []Role) context.Context
- func HasRole(roles []Role, required Role) bool
- func IsPublicPath(requestPath string, publicPaths []string) bool
- func IsSuperAdmin(ctx context.Context) bool
- func NewAuthMiddleware(ctx context.Context, cfg *config.AuthConfig, factory validatorFactory) (func(http.Handler) http.Handler, http.Handler, error)
- func RequireRole(role Role, authzCfg *config.AuthzConfig) func(http.Handler) http.Handler
- func ResolveRolesMiddleware(authzCfg *config.AuthzConfig) func(http.Handler) http.Handler
- func WrapWithPublicPaths(authMw func(http.Handler) http.Handler, publicPaths []string) func(http.Handler) http.Handler
- type Role
Constants
This section is empty.
Variables
var DefaultValidatorFactory validatorFactory = func(
	ctx context.Context,
	cfg auth.TokenValidatorConfig,
) (tokenValidatorInterface, error) {
	return auth.NewTokenValidator(ctx, cfg)
}
DefaultValidatorFactory uses the real ToolHive token validator.
Functions
func ClaimsFromContext (added in v1.0.0)
func ClaimsFromContext(ctx context.Context) jwt.MapClaims
ClaimsFromContext extracts JWT claims from the context. Returns nil if no claims are present (e.g., anonymous mode).
func ContextWithClaims (added in v1.0.0)
func ContextWithClaims(ctx context.Context, claims jwt.MapClaims) context.Context
ContextWithClaims returns a new context with the JWT claims stored.
func ContextWithRoles (added in v1.0.0)
func ContextWithRoles(ctx context.Context, roles []Role) context.Context
ContextWithRoles returns a new context with the resolved roles stored.
func HasRole (added in v1.0.0)
func HasRole(roles []Role, required Role) bool
HasRole checks if the resolved roles contain the specified role. superAdmin grants access to everything.
func IsPublicPath
func IsPublicPath(requestPath string, publicPaths []string) bool
IsPublicPath checks if a path should bypass authentication. It performs secure path matching by:
1. Rejecting paths with encoded path separators to prevent double-encoding attacks
2. Normalizing the path to prevent traversal attacks (e.g., /health/../registry/v0.1/servers)
3. Using segment-aware matching so /health matches /health and /health/check but NOT /healthcheck
func IsSuperAdmin (added in v1.0.0)
func IsSuperAdmin(ctx context.Context) bool
IsSuperAdmin returns true if the context contains the superAdmin role.
func NewAuthMiddleware
func NewAuthMiddleware(
	ctx context.Context,
	cfg *config.AuthConfig,
	factory validatorFactory,
) (func(http.Handler) http.Handler, http.Handler, error)
NewAuthMiddleware creates authentication middleware based on config. Returns: (middleware, authInfoHandler, error)
By default, authentication is ENABLED and requires OAuth configuration. To disable authentication for development, either:
- Use --auth-mode=anonymous flag
- Set auth.mode: anonymous in the config file
This function validates the auth configuration before creating the middleware.
func RequireRole (added in v1.0.0)
func RequireRole(role Role, authzCfg *config.AuthzConfig) func(http.Handler) http.Handler
RequireRole returns middleware that enforces the specified role. It expects roles to already be resolved in the context by ResolveRolesMiddleware. If authzCfg is nil, a pass-through middleware is returned immediately. If claims are nil (anonymous mode), role checks are skipped.
func ResolveRolesMiddleware (added in v1.0.0)
func ResolveRolesMiddleware(authzCfg *config.AuthzConfig) func(http.Handler) http.Handler
ResolveRolesMiddleware resolves the caller's roles from JWT claims and stores them in the request context. This must run after the auth middleware (which populates claims) and before any RequireRole or claim-checking code.
If authzCfg is nil, authenticated requests receive all roles (so that downstream role checks remain a no-op) and anonymous requests receive none. If authzCfg is non-nil, roles are resolved from the JWT claims via ResolveRoles; anonymous requests (nil claims) are passed through without roles and a one-time warning is logged.
func WrapWithPublicPaths
func WrapWithPublicPaths(
	authMw func(http.Handler) http.Handler,
	publicPaths []string,
) func(http.Handler) http.Handler
WrapWithPublicPaths wraps an auth middleware to bypass authentication for public paths. It checks each request path against the provided list of public paths using IsPublicPath. Requests to public paths are passed directly to the next handler without authentication, while all other requests go through the provided auth middleware.
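The path-matching rules described for IsPublicPath and the bypass described for WrapWithPublicPaths, as an added example that is not the package's own code: isPublicPath applies the three documented checks in order, wrapWithPublicPaths routes public paths around an auth middleware, and requireBearer is an assumed stand-in for the validator NewAuthMiddleware would return (it only checks that a bearer header is present and validates nothing). The public-path list and the request paths in main and statusFor are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// isPublicPath reports whether requestPath bypasses authentication, applying
// the three checks the IsPublicPath docs describe. Example implementation,
// not the package's own code.
func isPublicPath(requestPath string, publicPaths []string) bool {
	// 1. Reject encoded path separators in the path as received and after one
	//    round of decoding, so "%2F" and double-encoded "%252F" are refused
	//    rather than compared against a public prefix. Undecodable input is
	//    refused as well (fail closed: the request then goes through auth).
	decoded, err := url.PathUnescape(requestPath)
	if err != nil {
		return false
	}
	for _, candidate := range []string{requestPath, decoded} {
		lower := strings.ToLower(candidate)
		if strings.Contains(lower, "%2f") || strings.Contains(lower, "%5c") {
			return false
		}
	}
	// 2. Normalize "." and ".." segments and repeated slashes, so
	//    "/health/../registry/v0.1/servers" is compared as
	//    "/registry/v0.1/servers" instead of as something under /health.
	cleaned := path.Clean("/" + decoded)
	// 3. Segment-aware matching: exact match, or the public path followed by
	//    "/", so /health covers /health/check but not /healthcheck.
	for _, public := range publicPaths {
		public = path.Clean("/" + public)
		if cleaned == public || strings.HasPrefix(cleaned, public+"/") {
			return true
		}
	}
	return false
}

// wrapWithPublicPaths mirrors WrapWithPublicPaths: public paths skip authMw,
// every other request goes through it.
func wrapWithPublicPaths(authMw func(http.Handler) http.Handler, publicPaths []string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		protected := authMw(next)
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// EscapedPath keeps the percent-encoding (r.URL.Path is already
			// decoded), so the encoded-separator check above can see it.
			if isPublicPath(r.URL.EscapedPath(), publicPaths) {
				next.ServeHTTP(w, r)
				return
			}
			protected.ServeHTTP(w, r)
		})
	}
}

// requireBearer is an assumed stand-in for the token-validating middleware
// NewAuthMiddleware returns; it only checks that a bearer token is present.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one request through the wrapped chain and returns the
// response status; withToken attaches a constructed bearer credential.
func statusFor(rawPath string, withToken bool) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	handler := wrapWithPublicPaths(requireBearer, []string{"/health"})(ok)
	req := httptest.NewRequest(http.MethodGet, rawPath, nil)
	if withToken {
		req.Header.Set("Authorization", "Bearer constructed-example-token")
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, p := range []string{"/health", "/health/check", "/healthcheck",
		"/health/../registry/v0.1/servers", "/health%2F..%2Fregistry"} {
		fmt.Printf("%-36s -> %d\n", p, statusFor(p, false))
	}
}
```

The order of the checks matters: normalization runs on the once-decoded path, so a traversal written as /health/%2e%2e/registry is cleaned to /registry and never matches the public prefix, while an encoded separator is rejected before any comparison instead of being resolved by the router after the bypass decision has been made.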
Types
type Role (added in v1.0.0)
type Role string
Role represents an authorization role
const (
	// RoleSuperAdmin grants access to all operations, bypassing claim checks.
	RoleSuperAdmin Role = "superAdmin"
	// RoleManageSources grants access to source management operations.
	RoleManageSources Role = "manageSources"
	// RoleManageRegistries grants access to registry management operations.
	RoleManageRegistries Role = "manageRegistries"
	// RoleManageEntries grants access to entry management operations.
	RoleManageEntries Role = "manageEntries"
)
func AllRoles (added in v1.1.1)
func AllRoles() []Role
AllRoles returns every role defined in the system. Used when no authz config is provided — authenticated users implicitly hold all permissions.
func ResolveRoles (added in v1.0.0)
func ResolveRoles(claims jwt.MapClaims, authzCfg *config.AuthzConfig) []Role
ResolveRoles returns all roles the user has based on JWT claims and authz config. Returns nil when either argument is nil. The nil-authz semantic (authenticated users receive all roles) is handled at the middleware layer by ResolveRolesMiddleware.
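The resolution and enforcement chain that ResolveRolesMiddleware, RequireRole, HasRole and ResolveRoles describe, as one added example rather than the package's own code. Role and its constants are copied from the page; Claims stands in for jwt.MapClaims, and AuthzConfig is an assumed stand-in for config.AuthzConfig, whose real shape this page does not document (here a configured claim holds a list of group names, each mapped to a role). The auth middleware itself is omitted and its output, claims or nil for anonymous mode, is placed in the context directly; the group names and claim values are constructed for the example.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
	"slices"
)

// Role and its constants mirror the package's definitions; everything else in
// this file is example code standing in for the package's API, not its code.
type Role string

const (
	RoleSuperAdmin       Role = "superAdmin"
	RoleManageSources    Role = "manageSources"
	RoleManageRegistries Role = "manageRegistries"
	RoleManageEntries    Role = "manageEntries"
)

// Claims stands in for jwt.MapClaims so the example needs no jwt module.
type Claims map[string]any

// AuthzConfig is an assumed stand-in for config.AuthzConfig (its real shape is
// not documented on this page): values of the claim named Claim map to roles.
type AuthzConfig struct {
	Claim string
	Roles map[string]Role
}

type claimsKey struct{}
type rolesKey struct{}

func contextWithClaims(ctx context.Context, c Claims) context.Context { return context.WithValue(ctx, claimsKey{}, c) }
func contextWithRoles(ctx context.Context, r []Role) context.Context  { return context.WithValue(ctx, rolesKey{}, r) }
func claimsFromContext(ctx context.Context) Claims { c, _ := ctx.Value(claimsKey{}).(Claims); return c }
func rolesFromContext(ctx context.Context) []Role  { r, _ := ctx.Value(rolesKey{}).([]Role); return r }

// hasRole: superAdmin satisfies every required role.
func hasRole(roles []Role, required Role) bool {
	return slices.Contains(roles, RoleSuperAdmin) || slices.Contains(roles, required)
}

// resolveRoles returns nil when either argument is nil; the "nil authz config
// grants all roles" rule lives in the middleware, as the docs state.
func resolveRoles(claims Claims, cfg *AuthzConfig) []Role {
	if claims == nil || cfg == nil {
		return nil
	}
	var roles []Role
	groups, _ := claims[cfg.Claim].([]string)
	for _, g := range groups {
		if role, ok := cfg.Roles[g]; ok {
			roles = append(roles, role)
		}
	}
	return roles
}

// resolveRolesMiddleware runs after auth (claims already in the context) and
// before requireRole, storing the caller's roles in the request context.
func resolveRolesMiddleware(cfg *AuthzConfig) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			claims := claimsFromContext(r.Context())
			roles := resolveRoles(claims, cfg) // nil for anonymous (nil claims) or nil cfg
			if claims != nil && cfg == nil {
				// No authz config: every authenticated caller holds all roles.
				roles = []Role{RoleSuperAdmin, RoleManageSources, RoleManageRegistries, RoleManageEntries}
			}
			next.ServeHTTP(w, r.WithContext(contextWithRoles(r.Context(), roles)))
		})
	}
}

// requireRole is a pass-through when cfg is nil, skips the check for anonymous
// (nil-claims) requests, and otherwise answers 403 when the role is missing.
func requireRole(role Role, cfg *AuthzConfig) func(http.Handler) http.Handler {
	if cfg == nil {
		return func(next http.Handler) http.Handler { return next }
	}
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if claimsFromContext(r.Context()) != nil && !hasRole(rolesFromContext(r.Context()), role) {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// statusFor sends one request through resolve -> require -> handler and returns
// the status. The auth middleware is omitted: its result (claims, or nil in
// anonymous mode) is placed in the context directly.
func statusFor(claims Claims, cfg *AuthzConfig, required Role) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	handler := resolveRolesMiddleware(cfg)(requireRole(required, cfg)(ok))
	req := httptest.NewRequest(http.MethodGet, "/registry/v0.1/servers", nil)
	if claims != nil {
		req = req.WithContext(contextWithClaims(req.Context(), claims))
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}
```

Two consequences of the documented semantics are visible in this chain: resolveRolesMiddleware must be mounted outside requireRole, since requireRole only reads roles and never derives them, and with anonymous mode (nil claims) requireRole enforces nothing even when an authz config is present, which is why the page reserves anonymous mode for development.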
func RolesFromContext (added in v1.0.0)
RolesFromContext extracts resolved roles from the context. Returns nil if no roles are present.