inauth

Published: May 11, 2026 License: Apache-2.0 Imports: 23 Imported by: 0


Constants

// Lifecycle states for AccessKey.State. Role.State documents the same two
// example strings, so the constants are presumably shared by both.
//
// NOTE(review): whether Verify refuses a key whose State is
// AccessKeyStateDisabled is not visible from this API surface — confirm it
// before relying on the state as a revocation mechanism.
const (
	AccessKeyStateActive   = "active"   // normal, usable state
	AccessKeyStateDisabled = "disabled" // suspended/revoked; enforcement point to be confirmed
)

Variables

// DefaultSigner is the HMAC-SHA256 signer, named "HS256".
//
// HMAC is symmetric: the AccessKey.Secret that signs a token is the same
// value that verifies it, so every service able to verify tokens for a key
// can also forge them. Keep verifier-side secret storage to the same
// standard as the issuer's.
var DefaultSigner = &hmacSigner{"HS256", crypto.SHA256}
// File_inauth_proto is the protoc-gen-go descriptor for inauth.proto, the
// schema AccessKey and Role are generated from (both expose ProtoReflect).
var File_inauth_proto protoreflect.FileDescriptor
// Signers is the package-wide Signer registry consulted by name.
//
// It is mutable global state: anything that calls Signers.Register changes
// which algorithms every token issuer and verifier in the process will
// accept. Register at init time, and do not register weak or no-op signers
// in production builds. Whether Register is safe to call concurrently with
// Signer is not visible here.
var Signers = SignerManager{
	// contains filtered or unexported fields
}

Functions

func NewAppContext

// NewAppContext returns a child of ctx carrying av, for later retrieval by
// AppContext (presumably the matching accessor: it takes a Context and
// returns an AppValidator). Attaching a validator to a context does not
// verify it; whoever reads it back must still call Verify before trusting
// AccessKey() or Allow().
func NewAppContext(ctx context.Context, av AppValidator) context.Context

func NewGrpcAppCredential

// NewGrpcAppCredential adapts ak into gRPC PerRPCCredentials so that each
// outgoing RPC presumably carries a token minted from ak.Secret.
//
// NOTE(review): the PerRPCCredentials contract includes
// RequireTransportSecurity(); whether this implementation returns true
// (refusing to attach the token on a plaintext channel) is not visible
// here — confirm, since the bearer token is replayable within the
// 60-second App iat window.
func NewGrpcAppCredential(ak *AccessKey) credentials.PerRPCCredentials

func Sign

// Sign serializes header and claims and signs them with key, returning the
// compact token string. The signer is presumably selected by header.Alg
// through Signers, and for DefaultSigner key is the HMAC secret; key is
// typed any, so confirm which concrete types each Signer accepts before
// passing anything other than what the package's own constructors produce.
func Sign(header TokenHeader, claims any, key any) (string, error)

Types

type AccessKey

// AccessKey is a long-lived credential: a public Id plus a confidential
// Secret. With the HMAC DefaultSigner the Secret both signs and verifies
// tokens, so anyone holding it can mint tokens for this key.
//
// NOTE(review): Secret carries json and toml tags, so marshaling this struct
// (or printing it via the generated String()) emits the secret. Redact it
// before logging or returning an AccessKey over an API.
type AccessKey struct {

	// Unique identifier for this access key.
	// Generated as a semi-sequential hex string (e.g., "67f3a1b2c3d4e5f6").
	// Not secret: it is the value a token uses to name its key (presumably
	// via TokenHeader.Kid — confirm), so it is safe to log.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" toml:"id,omitempty"`
	// The secret key used to sign AccessToken payloads.
	// Generated as a 48-character base62 string. Must be kept confidential.
	// Under the HMAC DefaultSigner this same value verifies tokens, so a
	// leaked Secret lets the holder forge tokens for this Id. It is
	// serialized by the json/toml tags below — never marshal this struct
	// into logs or API responses unredacted.
	Secret string `protobuf:"bytes,2,opt,name=secret,proto3" json:"secret,omitempty" toml:"secret,omitempty"`
	// The user or service principal this key belongs to.
	User string `protobuf:"bytes,3,opt,name=user,proto3" json:"user,omitempty" toml:"user,omitempty"`
	// The type of credential. Accepted values:
	//   - "User": human user access key (created via NewUserAccessKey).
	//   - "App":  machine/service access key (created via NewAppAccessKey).
	//
	// The type affects token validation; for example, "App" tokens enforce
	// a strict 60-second issued-at (iat) window. That bounds replay to the
	// window rather than preventing it: detecting a replayed token inside
	// the window would require tracking AuthClaims.Jti, which is not visible
	// in this API surface.
	Type string `protobuf:"bytes,4,opt,name=type,proto3" json:"type,omitempty" toml:"type,omitempty"`
	// The lifecycle state of this access key; see AccessKeyStateActive and
	// AccessKeyStateDisabled. NOTE(review): whether Verify rejects a key in
	// the "disabled" state is not visible here — confirm before using it
	// for revocation.
	State string `protobuf:"bytes,5,opt,name=state,proto3" json:"state,omitempty" toml:"state,omitempty"`
	// The names of RBAC roles assigned to this key. Role definitions are
	// registered separately via AccessKeyManager.SetRole() and map to a
	// set of permissions.
	Roles []string `protobuf:"bytes,6,rep,name=roles,proto3" json:"roles,omitempty" toml:"roles,omitempty"`
	// Fine-grained permission scopes granted to this key. Scopes are checked
	// via the Allow() method, which requires ALL specified scopes to be present.
	// Example scopes might include resource-level or action-level identifiers.
	// NOTE(review): Allow()'s result for an empty scope list is not visible
	// here — confirm it is not unconditionally true.
	Scopes []string `protobuf:"bytes,11,rep,name=scopes,proto3" json:"scopes,omitempty" toml:"scopes,omitempty"`
	// Optional. A human-readable description of this access key's purpose.
	Description string `protobuf:"bytes,13,opt,name=description,proto3" json:"description,omitempty" toml:"description,omitempty"`
	// contains filtered or unexported fields
}

AccessKey represents a long-lived credential used to authenticate and authorize API requests. Each key consists of a publicly visible ID and a secret that must be kept confidential. Because the default signer is HMAC, that secret both signs and verifies tokens: anyone who obtains it can mint valid tokens for the key, so verifiers must protect it as carefully as the issuer does.

AccessKeys are managed by AccessKeyManager and can be of two types:

  • "User": represents a human user credential.
  • "App": represents a machine/service credential used for programmatic access (e.g., gRPC calls between internal services).

Authentication flow:

  1. The client presents an AccessToken (signed with the AccessKey secret).
  2. The server resolves the AccessKey by ID from AccessKeyManager.
  3. The token signature is verified against the key's secret.
  4. Authorization is checked via roles, permissions, and scopes.

func NewAccessKey

// NewAccessKey returns a key with a freshly generated Id and Secret (see the
// field docs for their formats). Nothing in the signature sets Type; prefer
// NewUserAccessKey or NewAppAccessKey, which do.
//
// NOTE(review): the 48-character base62 Secret must be drawn from crypto/rand
// — confirm the generator, as a math/rand secret would be predictable.
func NewAccessKey() *AccessKey

func NewAppAccessKey

// NewAppAccessKey returns a fresh key of Type "App" (a machine/service
// credential whose tokens are subject to the 60-second iat window).
// NOTE(review): confirm the Secret comes from crypto/rand.
func NewAppAccessKey() *AccessKey

func NewUserAccessKey

// NewUserAccessKey returns a fresh key of Type "User" (a human credential).
// NOTE(review): confirm the Secret comes from crypto/rand.
func NewUserAccessKey() *AccessKey

func ParseAccessKey

// ParseAccessKey decodes the single-string form of a key, presumably the one
// produced by (*AccessKey).Export since that is the only string encoding in
// this API. Treat the input as a credential: it presumably carries Secret.
func ParseAccessKey(ak string) (*AccessKey, error)

func (*AccessKey) Allow

// Allow reports whether every listed scope is granted to this key; all must
// be present (per the Scopes field docs). NOTE(review): the result for an
// empty scopes list is not visible here — confirm it is not unconditionally
// true before using Allow() as an authorization gate.
func (it *AccessKey) Allow(scopes ...string) bool

func (*AccessKey) Descriptor deprecated

func (*AccessKey) Descriptor() ([]byte, []int)

Deprecated: Use AccessKey.ProtoReflect.Descriptor instead.

func (*AccessKey) Export

// Export renders the key as one string, the form ParseAccessKey accepts.
// Treat the result as a credential: to round-trip it presumably includes
// Secret. Hand it to the key's owner once, over a secure channel, and do
// not log it.
func (it *AccessKey) Export() string

func (*AccessKey) GetDescription

func (x *AccessKey) GetDescription() string

func (*AccessKey) GetId

func (x *AccessKey) GetId() string

func (*AccessKey) GetRoles

func (x *AccessKey) GetRoles() []string

func (*AccessKey) GetScopes

func (x *AccessKey) GetScopes() []string

func (*AccessKey) GetSecret

// GetSecret is the generated accessor for Secret. The value is the HMAC
// signing key for this AccessKey; do not log it or include it in responses.
func (x *AccessKey) GetSecret() string

func (*AccessKey) GetState

func (x *AccessKey) GetState() string

func (*AccessKey) GetType

func (x *AccessKey) GetType() string

func (*AccessKey) GetUser

func (x *AccessKey) GetUser() string

func (*AccessKey) ProtoMessage

func (*AccessKey) ProtoMessage()

func (*AccessKey) ProtoReflect

func (x *AccessKey) ProtoReflect() protoreflect.Message

func (*AccessKey) Reset

func (x *AccessKey) Reset()

func (*AccessKey) String

// String is the protoc-gen-go text rendering of the message. It prints
// every populated field, Secret included, so never log an AccessKey via
// %v/%s or String().
func (x *AccessKey) String() string

type AccessKeyManager

// AccessKeyManager holds the registered AccessKeys (looked up by Id) and the
// Roles their Roles field refers to by name. It is the trust root for
// AccessToken.Verify: every key it returns is one whose Secret can validate
// tokens. Whether it is safe for concurrent Set/Del/Key calls is not visible
// from this API surface.
type AccessKeyManager struct {
	// contains filtered or unexported fields
}

func NewAccessKeyManager

// NewAccessKeyManager returns an empty manager; keys and roles are added with
// Set and SetRole.
func NewAccessKeyManager() *AccessKeyManager

func (*AccessKeyManager) Count

// Count returns the number of registered access keys.
func (it *AccessKeyManager) Count() int

func (*AccessKeyManager) Del

// Del removes the key with the given id. Removal is the one revocation path
// visible in this API; whether the "disabled" state is also enforced by
// Verify is not visible here.
func (it *AccessKeyManager) Del(id string) error

func (*AccessKeyManager) Key

// Key looks up an AccessKey by id. What it returns for an unknown id is not
// visible here (nil, presumably) — check before dereferencing.
func (it *AccessKeyManager) Key(id string) *AccessKey

func (*AccessKeyManager) Set

// Set stores or replaces k, presumably keyed by k.Id. The error cases are
// not visible here; treat a non-nil error as "key not trusted".
func (it *AccessKeyManager) Set(k *AccessKey) error

func (*AccessKeyManager) SetRole

// SetRole registers r under r.Name so that keys listing that name in Roles
// resolve to r.Permissions. Returns the manager for chaining.
func (it *AccessKeyManager) SetRole(r *Role) *AccessKeyManager

type AccessToken

// AccessToken is a parsed bearer token. Header and Claims are filled from the
// token string by the constructors and are therefore client-supplied data
// until Verify has succeeded against an AccessKeyManager.
type AccessToken struct {
	Header TokenHeader

	Claims AuthClaims
	// contains filtered or unexported fields
}

func NewAccessToken

// NewAccessToken parses the compact token string into Header and Claims. It
// takes no key manager, so it cannot check the signature: the result is
// untrusted until Verify returns nil. Header.Alg and Header.Kid are exactly
// what the client sent at this point.
func NewAccessToken(accessToken string) (*AccessToken, error)

func NewAccessTokenWithContext

// NewAccessTokenWithContext extracts the token string from ctx (presumably
// incoming gRPC metadata, given this package's gRPC helpers — confirm) and
// parses it as NewAccessToken does. It is likewise unverified.
func NewAccessTokenWithContext(ctx context.Context) (*AccessToken, error)

func (*AccessToken) IsExpired

// IsExpired reports whether the token's expiry has passed, presumably by
// comparing Claims.Exp with the current time. Whether Verify performs this
// check itself is not visible here; calling both is the safe default.
func (it *AccessToken) IsExpired() bool

func (*AccessToken) String

// String returns the compact token string. It is a bearer credential while
// the token is valid; avoid logging it.
func (it *AccessToken) String() string

func (*AccessToken) Verify

// Verify resolves the signing AccessKey from keyMgr (by id, per the
// authentication flow in the AccessKey docs), checks the signature against
// its Secret, and returns the key on success.
//
// NOTE(review): three things a verifier must do are not visible from this
// signature — confirm each: (1) the Signer is chosen from the stored key's
// expected algorithm, not from Header.Alg, so a client cannot pick a weaker
// registered signer; (2) the HMAC comparison is constant-time (hmac.Equal);
// (3) AccessKeyStateDisabled keys, Exp, and the 60-second App iat window are
// all enforced here rather than left to the caller.
func (it *AccessToken) Verify(keyMgr *AccessKeyManager) (*AccessKey, error)

type AppCredential

// AppCredential is a client-side token source for App keys. AuthToken
// returns the bearer token to attach to a request; because App tokens carry
// a 60-second iat window, implementations presumably mint a fresh token per
// call rather than caching one — confirm before reusing a returned value.
type AppCredential interface {
	AuthToken() string
}

func NewAppCredential

// NewAppCredential builds an AppCredential whose AuthToken values are
// presumably signed with ak.Secret. args is untyped and undocumented here;
// confirm what it accepts rather than guessing.
func NewAppCredential(ak *AccessKey, args ...any) AppCredential

type AppValidator

// AppValidator is the server-side view of an App token.
//
// Verify checks the token against keyMgr; AccessKey and Allow expose the
// resolved key and its scope check. Nothing in the interface forces Verify
// to run first, so AccessKey() and Allow() must be treated as meaningless
// until Verify has returned nil for this value.
type AppValidator interface {
	Verify(keyMgr *AccessKeyManager) error
	AccessKey() *AccessKey
	Allow(scopes ...string) bool
}

func AppContext

// AppContext returns the AppValidator stored in ctx by NewAppContext. Its
// behaviour when none is present is not visible here (nil, presumably) —
// nil-check, and remember the stored validator may not have been verified.
func AppContext(ctx context.Context) AppValidator

func NewAppValidator

// NewAppValidator parses token into an AppValidator. No key manager is
// supplied, so the signature cannot be checked here: AccessKey() and Allow()
// on the result are meaningless until Verify(keyMgr) returns nil.
func NewAppValidator(token string) (AppValidator, error)

func NewGrpcAppValidator

// NewGrpcAppValidator builds an AppValidator from the incoming gRPC ctx with
// keyMgr in hand. Whether it runs Verify itself or merely stores keyMgr for a
// later call is not visible here — calling Verify on the result before
// consulting AccessKey() or Allow() costs little and removes the doubt.
func NewGrpcAppValidator(ctx context.Context, keyMgr *AccessKeyManager) (AppValidator, error)

type AuthClaims

// AuthClaims are the JWT-style claims carried in an AccessToken. Until
// AccessToken.Verify succeeds they are client-supplied values.
type AuthClaims struct {
	Jti string `json:"jti,omitempty" toml:"jti,omitempty"` // JWT ID; optional, so it can only support replay detection if the issuer always sets it — confirm
	Iat int64  `json:"iat" toml:"iat"`                     // Issued At Time; presumably Unix seconds — confirm. For "App" keys, checked against a 60-second window (see AccessKey.Type)
	Exp int64  `json:"exp" toml:"exp"`                     // Expiry, same unit as Iat; presumably what AccessToken.IsExpired compares against
	Sub string `json:"sub,omitempty" toml:"sub,omitempty"` // Subject; optional

	State string `json:"state,omitempty" toml:"state,omitempty"` // token-level state string; its semantics are not visible in this API surface
}

type Role

// Role is a named permission set in the RBAC model. Roles are registered
// with AccessKeyManager.SetRole and referenced by Name from AccessKey.Roles.
type Role struct {

	// The unique name identifier of the role (e.g., "admin", "viewer").
	// This is the value AccessKey.Roles entries must match exactly.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty" toml:"name,omitempty"`
	// Optional. A human-readable title for the role. Typically this
	// is limited to 100 UTF-8 bytes.
	Title string `protobuf:"bytes,2,opt,name=title,proto3" json:"title,omitempty" toml:"title,omitempty"`
	// Optional. A human-readable description for the role.
	Description string `protobuf:"bytes,3,opt,name=description,proto3" json:"description,omitempty" toml:"description,omitempty"`
	// The names of the permissions this role grants when bound to an
	// AccessKey. Permissions are stored as a set within AccessKeyManager
	// for efficient lookup.
	Permissions []string `protobuf:"bytes,7,rep,name=permissions,proto3" json:"permissions,omitempty" toml:"permissions,omitempty"`
	// The lifecycle state of the role (e.g., "active", "disabled"); the same
	// strings as AccessKeyStateActive / AccessKeyStateDisabled. NOTE(review):
	// whether a disabled role's permissions are excluded when a key's roles
	// are resolved is not visible here — confirm before using it to cut
	// access.
	State string `protobuf:"bytes,10,opt,name=state,proto3" json:"state,omitempty" toml:"state,omitempty"`
	// contains filtered or unexported fields
}

Role defines a named collection of permissions in the RBAC (Role-Based Access Control) system. Roles are registered with AccessKeyManager and then referenced by name from AccessKey.roles.

Permission resolution flow:

AccessKey.roles → Role lookup → Role.permissions

func (*Role) Descriptor deprecated

func (*Role) Descriptor() ([]byte, []int)

Deprecated: Use Role.ProtoReflect.Descriptor instead.

func (*Role) GetDescription

func (x *Role) GetDescription() string

func (*Role) GetName

func (x *Role) GetName() string

func (*Role) GetPermissions

func (x *Role) GetPermissions() []string

func (*Role) GetState

func (x *Role) GetState() string

func (*Role) GetTitle

func (x *Role) GetTitle() string

func (*Role) ProtoMessage

func (*Role) ProtoMessage()

func (*Role) ProtoReflect

func (x *Role) ProtoReflect() protoreflect.Message

func (*Role) Reset

func (x *Role) Reset()

func (*Role) String

func (x *Role) String() string

type Signer

// Signer produces a signature over a token's signing string.
//
// Name is the algorithm label (DefaultSigner's is "HS256") and presumably the
// key under which SignerManager.Signer finds it. The interface has no Verify
// method, so verification presumably re-signs and compares; for HMAC that
// comparison must be constant-time (hmac.Equal) — confirm in the
// implementation.
type Signer interface {
	Name() string
	Sign(signingString string, key any) ([]byte, error)
}

type SignerManager

// SignerManager is a by-name registry of Signers; the package-level Signers
// value is the instance the rest of the package uses. Concurrency safety of
// Register versus Signer is not visible from this API surface.
type SignerManager struct {
	// contains filtered or unexported fields
}

func (*SignerManager) Register

// Register adds s under s.Name(); a later registration with the same name
// presumably replaces the earlier one. Because Signers is process-global,
// registering a weak or no-op algorithm affects every verifier in the
// process if the algorithm is ever selected from the token header.
func (it *SignerManager) Register(s Signer)

func (*SignerManager) Signer

// Signer returns the Signer registered under name; what it returns for an
// unknown name is not visible here (nil, presumably) — nil-check. Callers on
// the verify path should pass the stored key's expected algorithm name, not
// the one read from the token header.
func (it *SignerManager) Signer(name string) Signer

type TokenHeader

// TokenHeader is the JOSE-style header of an AccessToken. Every field is
// parsed from the token and therefore client-controlled until Verify
// succeeds.
//
// NOTE(review): Alg names the algorithm (DefaultSigner's is "HS256"). A
// verifier must not use it to choose the Signer — it should resolve the
// signer from the stored AccessKey's expected algorithm — otherwise a client
// can steer verification to the weakest registered Signer. Confirm
// AccessToken.Verify does this. Kid is presumably the AccessKey.Id used for
// the lookup (step 2 of the authentication flow); taking it from the
// untrusted token is fine as long as it is used only as a lookup key.
type TokenHeader struct {
	Alg string `json:"alg" toml:"alg"`                     // required algorithm name; see NOTE above
	Typ string `json:"typ,omitempty" toml:"typ,omitempty"` // optional token-type label
	Kid string `json:"kid,omitempty" toml:"kid,omitempty"` // optional key id; presumably AccessKey.Id — confirm
}
