Documentation ¶
Index ¶
- func AuthMiddleware(cfg *config.Config, authService services.AuthService) echo.MiddlewareFunc
- func ExtractTokenFromHeader(header string) string
- func GetConfigFromContext(c echo.Context) *config.Config
- func GetUserFromContext(c echo.Context) *entities.User
- func IsAWSAccessKeyID(s string) bool
- func RequirePermission(permission entities.Permission, authService services.AuthService) echo.MiddlewareFunc
- func ResolveUserScope(user *entities.User, scope string, teamID string) (string, string)
- func UserOwnsSession(c echo.Context, sessionUserID string) bool
- type AWSAuthProvider
- type AWSCredentials
- type AWSUserCache
- type AuthorizationContext
- func (a *AuthorizationContext) CanAccessResource(ownerUserID string, scope string, teamID string) bool
- func (a *AuthorizationContext) CanAccessTeam(teamID string) bool
- func (a *AuthorizationContext) CanCreateInTeam(teamID string) bool
- func (a *AuthorizationContext) CanCreateResource(scope string, teamID string) bool
- func (a *AuthorizationContext) CanModifyResource(ownerUserID string, scope string, teamID string) bool
- func (a *AuthorizationContext) CanReadInTeam(teamID string) bool
- func (a *AuthorizationContext) IsServiceAccount() bool
- func (a *AuthorizationContext) ResolveScope(scope string, teamID string) (string, string)
- func (a *AuthorizationContext) ServiceAccountTeamID() string
- type GitHubAuthProvider
- type GitHubOAuthProvider
- type GitHubOrganization
- type GitHubTeamMembership
- type GitHubUserInfo
- type OAuthState
- type OAuthTokenResponse
- type PersonalScopeAuth
- type TeamMappingRepository
- type TeamPermissions
- type TeamScopeAuth
- type UserCache
- type UserContext
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AuthMiddleware ¶
func AuthMiddleware(cfg *config.Config, authService services.AuthService) echo.MiddlewareFunc
AuthMiddleware creates authentication middleware using internal auth service
func ExtractTokenFromHeader ¶ added in v1.0.0
func ExtractTokenFromHeader(header string) string
ExtractTokenFromHeader extracts the GitHub token from an Authorization header value.
func GetConfigFromContext ¶
func GetConfigFromContext(c echo.Context) *config.Config
GetConfigFromContext retrieves the config from the Echo context.
func GetUserFromContext ¶
func GetUserFromContext(c echo.Context) *entities.User
GetUserFromContext retrieves the internal user entity from the Echo context.
func IsAWSAccessKeyID ¶ added in v1.141.0
func IsAWSAccessKeyID(s string) bool
IsAWSAccessKeyID checks whether the string has the format of a valid AWS Access Key ID.
func RequirePermission ¶
func RequirePermission(permission entities.Permission, authService services.AuthService) echo.MiddlewareFunc
RequirePermission creates permission-checking middleware using internal auth service
func ResolveUserScope ¶ added in v1.354.0
func ResolveUserScope(user *entities.User, scope string, teamID string) (string, string)
ResolveUserScope is the package-level variant of ResolveScope that operates directly on a User entity. It can be used by controllers that only hold a *entities.User rather than a full AuthorizationContext.
Types ¶
type AWSAuthProvider ¶ added in v1.141.0
type AWSAuthProvider struct {
// contains filtered or unexported fields
}
AWSAuthProvider handles AWS IAM authentication
func NewAWSAuthProvider ¶ added in v1.141.0
func NewAWSAuthProvider(cfg *config.AWSAuthConfig) (*AWSAuthProvider, error)
NewAWSAuthProvider creates a new AWS authentication provider
func (*AWSAuthProvider) Authenticate ¶ added in v1.141.0
func (p *AWSAuthProvider) Authenticate(ctx context.Context, creds *AWSCredentials) (*UserContext, error)
Authenticate authenticates a user using AWS credentials supplied via Basic Auth. It verifies that the user or role exists and carries the required tag, using the proxy's own IAM permissions to perform the lookup.
type AWSCredentials ¶ added in v1.141.0
AWSCredentials represents AWS credentials extracted from the request
func ExtractAWSCredentialsFromBasicAuth ¶ added in v1.141.0
func ExtractAWSCredentialsFromBasicAuth(r *http.Request) (*AWSCredentials, bool)
ExtractAWSCredentialsFromBasicAuth extracts AWS credentials from Basic Auth header
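Worked example (added here; not the package's own code): a stand-alone Go version of the three header helpers documented above, ExtractTokenFromHeader, IsAWSAccessKeyID and ExtractAWSCredentialsFromBasicAuth. The page does not show their bodies, so the accepted GitHub schemes (Bearer and token), the key-ID pattern (AKIA or ASIA followed by 16 upper-case alphanumerics, the format AWS documents) and the two AWSCredentials fields are assumptions of this example. The request in main is constructed with the key pair from AWS's own documentation examples.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// AWSCredentials is the key pair recovered from Basic Auth. The page does not
// show the package's own fields; these two are an assumption.
type AWSCredentials struct {
	AccessKeyID     string
	SecretAccessKey string
}

// AWS access key IDs are 20 upper-case alphanumerics with a documented prefix:
// AKIA for long-term IAM user keys, ASIA for temporary STS keys. Assumed here
// to be what IsAWSAccessKeyID accepts.
var awsAccessKeyIDPattern = regexp.MustCompile(`^(AKIA|ASIA)[A-Z0-9]{16}$`)

func IsAWSAccessKeyID(s string) bool {
	return awsAccessKeyIDPattern.MatchString(s)
}

// ExtractTokenFromHeader accepts the two schemes GitHub's API takes,
// "Bearer <token>" and "token <token>", and returns "" for anything else,
// including a scheme with no token and an unrelated Basic header.
func ExtractTokenFromHeader(header string) string {
	parts := strings.Fields(header)
	if len(parts) != 2 {
		return ""
	}
	if !strings.EqualFold(parts[0], "bearer") && !strings.EqualFold(parts[0], "token") {
		return ""
	}
	return parts[1]
}

// ExtractAWSCredentialsFromBasicAuth maps the Basic Auth username to the
// access key ID and the password to the secret. Rejecting a malformed key ID
// here keeps arbitrary user-supplied strings out of the later IAM lookup.
func ExtractAWSCredentialsFromBasicAuth(r *http.Request) (*AWSCredentials, bool) {
	keyID, secret, ok := r.BasicAuth()
	if !ok || secret == "" || !IsAWSAccessKeyID(keyID) {
		return nil, false
	}
	return &AWSCredentials{AccessKeyID: keyID, SecretAccessKey: secret}, true
}

func main() {
	// Constructed request carrying AWS's documentation example key pair.
	req, _ := http.NewRequest(http.MethodGet, "http://proxy.example/", nil)
	req.SetBasicAuth("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
	if creds, ok := ExtractAWSCredentialsFromBasicAuth(req); ok {
		// Log the key ID only; the secret never belongs in a log line.
		fmt.Printf("aws key id %s (secret: %d bytes, redacted)\n", creds.AccessKeyID, len(creds.SecretAccessKey))
	}
	fmt.Printf("github token: %q\n", ExtractTokenFromHeader("Bearer ghp_constructedExampleToken"))
	fmt.Printf("basic header read as github token: %q\n", ExtractTokenFromHeader(req.Header.Get("Authorization")))
}
```

The same Authorization header is tried by both extractors, so each must reject the other's scheme cleanly rather than returning a partial value; the Basic header yields an empty GitHub token, and a Basic username that is not a key ID yields no AWS credentials.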
type AWSUserCache ¶ added in v1.141.0
type AWSUserCache struct {
Info *entities.AWSUserInfo
Role string
Permissions []string
EnvFile string
}
AWSUserCache represents cached AWS user information
type AuthorizationContext ¶ added in v1.215.0
type AuthorizationContext struct {
// User information
User *entities.User
// Personal scope permissions
PersonalScope PersonalScopeAuth
// Team scope permissions
TeamScope TeamScopeAuth
}
AuthorizationContext contains pre-resolved authorization information. It is populated by the auth middleware and consumed by handlers.
func GetAuthorizationContext ¶ added in v1.215.0
func GetAuthorizationContext(c echo.Context) *AuthorizationContext
GetAuthorizationContext retrieves the pre-built authorization context from Echo context
func (*AuthorizationContext) CanAccessResource ¶ added in v1.215.0
func (a *AuthorizationContext) CanAccessResource(ownerUserID string, scope string, teamID string) bool
CanAccessResource checks if the user can access a resource based on scope
func (*AuthorizationContext) CanAccessTeam ¶ added in v1.215.0
func (a *AuthorizationContext) CanAccessTeam(teamID string) bool
CanAccessTeam checks if the user can access the specified team
func (*AuthorizationContext) CanCreateInTeam ¶ added in v1.215.0
func (a *AuthorizationContext) CanCreateInTeam(teamID string) bool
CanCreateInTeam checks if the user can create resources in the specified team
func (*AuthorizationContext) CanCreateResource ¶ added in v1.215.0
func (a *AuthorizationContext) CanCreateResource(scope string, teamID string) bool
CanCreateResource checks if the user can create a resource with the given scope
func (*AuthorizationContext) CanModifyResource ¶ added in v1.215.0
func (a *AuthorizationContext) CanModifyResource(ownerUserID string, scope string, teamID string) bool
CanModifyResource checks if the user can modify (update/delete) a resource
func (*AuthorizationContext) CanReadInTeam ¶ added in v1.215.0
func (a *AuthorizationContext) CanReadInTeam(teamID string) bool
CanReadInTeam checks if the user can read resources in the specified team
func (*AuthorizationContext) IsServiceAccount ¶ added in v1.216.0
func (a *AuthorizationContext) IsServiceAccount() bool
IsServiceAccount checks if the current user is a service account
func (*AuthorizationContext) ResolveScope ¶ added in v1.354.0
func (a *AuthorizationContext) ResolveScope(scope string, teamID string) (string, string)
ResolveScope returns the effective (scope, teamID) pair for the current user. For service accounts, any non-team scope is automatically routed to the service account's team scope. All other users are returned unchanged.
func (*AuthorizationContext) ServiceAccountTeamID ¶ added in v1.354.0
func (a *AuthorizationContext) ServiceAccountTeamID() string
ServiceAccountTeamID returns the team ID associated with a service account. Returns an empty string if the user is not a service account or has no team.
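Worked example (added here; not the package's own code): a stand-alone Go model of the AuthorizationContext checks above, including the service-account routing that ResolveScope and ResolveUserScope describe. PersonalScopeAuth, TeamPermissions and TeamScopeAuth carry the fields the page defines for them; the User type is a stand-in for entities.User (not shown on the page), the scope strings "user" and "team", and the deny-by-default rules inside each Can* method are assumptions of this example. The one behaviour worth noticing is the edge case: a service account with no team resolves to ("team", ""), which no check grants, so it fails closed instead of acquiring a personal scope.

```go
package main

import "fmt"

// Scope labels: the page names the scopes "personal (user)" and "team"; the
// exact strings are an assumption of this example.
const (
	ScopeUser = "user"
	ScopeTeam = "team"
)

// User stands in for entities.User, which the page does not show.
type User struct {
	ID               string
	IsServiceAccount bool
	TeamID           string // "org/team-slug" for a service account, else ""
}

// Field sets match the page's PersonalScopeAuth, TeamPermissions and TeamScopeAuth.
type (
	PersonalScopeAuth struct{ UserID string; CanCreate, CanRead, CanUpdate, CanDelete bool }
	TeamPermissions   struct{ TeamID string; CanCreate, CanRead, CanUpdate, CanDelete bool }
	TeamScopeAuth     struct{ Teams []string; TeamPermissions map[string]TeamPermissions; IsAdmin bool }
)

type AuthorizationContext struct {
	User          *User
	PersonalScope PersonalScopeAuth
	TeamScope     TeamScopeAuth
}

func (a *AuthorizationContext) IsServiceAccount() bool { return a.User != nil && a.User.IsServiceAccount }

func (a *AuthorizationContext) ServiceAccountTeamID() string {
	if !a.IsServiceAccount() {
		return ""
	}
	return a.User.TeamID
}

// ResolveScope routes every non-team request from a service account into its team.
// A team-less service account resolves to ("team", ""), which nothing below grants.
func (a *AuthorizationContext) ResolveScope(scope, teamID string) (string, string) {
	if a.IsServiceAccount() && scope != ScopeTeam {
		return ScopeTeam, a.ServiceAccountTeamID()
	}
	return scope, teamID
}

// ResolveUserScope is the package-level variant for callers holding only a User.
func ResolveUserScope(u *User, scope, teamID string) (string, string) {
	return (&AuthorizationContext{User: u}).ResolveScope(scope, teamID)
}

// teamPerms is the one place team membership is consulted: admins get every right
// on every team, everyone else only what the map grants (deny by default).
func (a *AuthorizationContext) teamPerms(teamID string) (TeamPermissions, bool) {
	if a.TeamScope.IsAdmin {
		return TeamPermissions{TeamID: teamID, CanCreate: true, CanRead: true, CanUpdate: true, CanDelete: true}, true
	}
	p, ok := a.TeamScope.TeamPermissions[teamID]
	return p, ok
}

func (a *AuthorizationContext) CanAccessTeam(teamID string) bool   { _, ok := a.teamPerms(teamID); return ok }
func (a *AuthorizationContext) CanReadInTeam(teamID string) bool   { p, ok := a.teamPerms(teamID); return ok && p.CanRead }
func (a *AuthorizationContext) CanCreateInTeam(teamID string) bool { p, ok := a.teamPerms(teamID); return ok && p.CanCreate }

func (a *AuthorizationContext) CanCreateResource(scope, teamID string) bool {
	if scope, teamID = a.ResolveScope(scope, teamID); scope == ScopeTeam {
		return a.CanCreateInTeam(teamID)
	}
	return a.PersonalScope.CanCreate
}

// Team resources are readable by anyone holding CanRead on that team; personal
// resources only by their owner. IsAdmin does not bypass the ownership check.
func (a *AuthorizationContext) CanAccessResource(ownerUserID, scope, teamID string) bool {
	if scope, teamID = a.ResolveScope(scope, teamID); scope == ScopeTeam {
		return a.CanReadInTeam(teamID)
	}
	return ownerUserID == a.PersonalScope.UserID && a.PersonalScope.CanRead
}

// CanModifyResource covers update and delete, so it demands both rights.
func (a *AuthorizationContext) CanModifyResource(ownerUserID, scope, teamID string) bool {
	if scope, teamID = a.ResolveScope(scope, teamID); scope == ScopeTeam {
		p, ok := a.teamPerms(teamID)
		return ok && p.CanUpdate && p.CanDelete
	}
	return ownerUserID == a.PersonalScope.UserID && a.PersonalScope.CanUpdate && a.PersonalScope.CanDelete
}

func main() {
	sa := &AuthorizationContext{
		User:      &User{ID: "ci-bot", IsServiceAccount: true, TeamID: "acme/platform"},
		TeamScope: TeamScopeAuth{TeamPermissions: map[string]TeamPermissions{"acme/platform": {TeamID: "acme/platform", CanCreate: true, CanRead: true}}},
	}
	scope, team := sa.ResolveScope(ScopeUser, "")
	fmt.Println("service account personal request resolved to", scope, team, "create:", sa.CanCreateResource(ScopeUser, ""))
}
```

Because every Can* method resolves the scope first, a handler that forgets to call ResolveScope itself still cannot let a service account create or read personal-scoped resources; the routing is enforced at the check, not left to the caller.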
type GitHubAuthProvider ¶ added in v1.0.0
type GitHubAuthProvider struct {
// contains filtered or unexported fields
}
GitHubAuthProvider handles GitHub OAuth authentication
func NewGitHubAuthProvider ¶ added in v1.0.0
func NewGitHubAuthProvider(cfg *config.GitHubAuthConfig) *GitHubAuthProvider
NewGitHubAuthProvider creates a new GitHub authentication provider
func (*GitHubAuthProvider) Authenticate ¶ added in v1.0.0
func (p *GitHubAuthProvider) Authenticate(ctx context.Context, token string) (*UserContext, error)
Authenticate authenticates a user using GitHub OAuth token
func (*GitHubAuthProvider) SetTeamMappingRepo ¶ added in v1.287.0
func (p *GitHubAuthProvider) SetTeamMappingRepo(repo TeamMappingRepository)
SetTeamMappingRepo injects a persistent ConfigMap-backed team mapping repository. When set, team memberships will be read from and written to the ConfigMap as a secondary cache layer (behind the 30-second in-memory teamCache).
type GitHubOAuthProvider ¶ added in v1.9.1
type GitHubOAuthProvider struct {
// contains filtered or unexported fields
}
GitHubOAuthProvider handles GitHub OAuth2 authentication flow
func NewGitHubOAuthProvider ¶ added in v1.9.1
func NewGitHubOAuthProvider(cfg *config.GitHubOAuthConfig, provider *GitHubAuthProvider) *GitHubOAuthProvider
NewGitHubOAuthProvider creates a new GitHub OAuth provider. provider is the shared GitHubAuthProvider that handles token-based auth after the OAuth callback. Sharing the same instance across the application ensures a unified cache (userCache, teamCache, teamMappingRepo).
func (*GitHubOAuthProvider) ExchangeCode ¶ added in v1.9.1
func (p *GitHubOAuthProvider) ExchangeCode(ctx context.Context, code, state string) (*UserContext, error)
ExchangeCode exchanges the authorization code for an access token
func (*GitHubOAuthProvider) GenerateAuthURL ¶ added in v1.9.1
func (p *GitHubOAuthProvider) GenerateAuthURL(redirectURI string) (string, string, error)
GenerateAuthURL generates the GitHub OAuth authorization URL
func (*GitHubOAuthProvider) RevokeToken ¶ added in v1.9.1
func (p *GitHubOAuthProvider) RevokeToken(ctx context.Context, token string) error
RevokeToken revokes a GitHub access token
type GitHubOrganization ¶ added in v1.0.0
GitHubOrganization represents GitHub organization information
type GitHubTeamMembership ¶ added in v1.0.0
type GitHubTeamMembership struct {
Organization string `json:"organization"`
TeamSlug string `json:"team_slug"`
TeamName string `json:"team_name"`
Role string `json:"role"`
}
GitHubTeamMembership represents GitHub team membership
type GitHubUserInfo ¶ added in v1.0.0
type GitHubUserInfo struct {
Login string `json:"login"`
ID int64 `json:"id"`
Email string `json:"email"`
Name string `json:"name"`
Organizations []GitHubOrganization `json:"organizations"`
Teams []GitHubTeamMembership `json:"teams"`
}
GitHubUserInfo represents GitHub user information
type OAuthState ¶ added in v1.9.1
type OAuthState struct {
State string `json:"state"`
RedirectURI string `json:"redirect_uri"`
CreatedAt time.Time `json:"created_at"`
}
OAuthState represents a pending OAuth authentication state
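Worked example (added here; not the package's own code): the lifecycle of the OAuthState value above as GenerateAuthURL and ExchangeCode would use it. The store issues a 256-bit random state bound to an allowlisted redirect URI, and the callback side consumes it exactly once before exchanging the code, rejecting unknown, replayed and expired states. The ten-minute lifetime, the exact-match redirect allowlist, the StateStore type and the "read:user read:org" scope string are assumptions of this example; the client ID is constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
	"time"
)

type OAuthState struct {
	State       string    `json:"state"`
	RedirectURI string    `json:"redirect_uri"`
	CreatedAt   time.Time `json:"created_at"`
}

// StateTTL bounds how long a login may sit between the redirect to GitHub and
// the callback. The value is an assumption of this example.
const StateTTL = 10 * time.Minute

// StateStore holds pending states. Now is injectable so expiry can be tested.
type StateStore struct {
	Now     func() time.Time
	mu      sync.Mutex
	pending map[string]OAuthState
	allowed map[string]bool // exact-match allowlist of redirect URIs
}

func NewStateStore(allowedRedirects []string) *StateStore {
	s := &StateStore{Now: time.Now, pending: map[string]OAuthState{}, allowed: map[string]bool{}}
	for _, u := range allowedRedirects {
		s.allowed[u] = true
	}
	return s
}

// Issue creates a 256-bit random state bound to the redirect URI. The allowlist
// check is what stops a crafted login link from turning the callback into an
// open redirect.
func (s *StateStore) Issue(redirectURI string) (OAuthState, error) {
	if !s.allowed[redirectURI] {
		return OAuthState{}, errors.New("redirect_uri is not in the allowlist")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return OAuthState{}, err
	}
	st := OAuthState{State: base64.RawURLEncoding.EncodeToString(buf), RedirectURI: redirectURI, CreatedAt: s.Now()}
	s.mu.Lock()
	s.pending[st.State] = st
	s.mu.Unlock()
	return st, nil
}

// Consume is what the callback handler runs before exchanging the code: the
// state must exist and be unexpired, and it is deleted either way so a captured
// callback URL cannot be replayed.
func (s *StateStore) Consume(state string) (OAuthState, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	st, ok := s.pending[state]
	if !ok {
		return OAuthState{}, errors.New("unknown or already used state")
	}
	delete(s.pending, state)
	if s.Now().Sub(st.CreatedAt) > StateTTL {
		return OAuthState{}, errors.New("state expired")
	}
	return st, nil
}

// GenerateAuthURL builds the GitHub authorize URL and returns it with the state,
// mirroring the (url, state, error) shape documented on the page.
func GenerateAuthURL(store *StateStore, clientID, redirectURI string) (string, string, error) {
	st, err := store.Issue(redirectURI)
	if err != nil {
		return "", "", err
	}
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "read:user read:org")
	q.Set("state", st.State)
	return "https://github.com/login/oauth/authorize?" + q.Encode(), st.State, nil
}

func main() {
	store := NewStateStore([]string{"https://proxy.example/auth/callback"})
	authURL, state, err := GenerateAuthURL(store, "Iv1.constructedclientid", "https://proxy.example/auth/callback")
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect user to:", authURL)
	if _, err := store.Consume(state); err != nil {
		panic(err)
	}
	_, err = store.Consume(state)
	fmt.Println("second use of the same state:", err)
}
```

The RedirectURI stored with the state is the one the callback should redirect to after login, which is why it is validated at issue time and read back from the store rather than taken from the callback request.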
type OAuthTokenResponse ¶ added in v1.9.1
type OAuthTokenResponse struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
Scope string `json:"scope"`
}
OAuthTokenResponse represents the GitHub OAuth token response
type PersonalScopeAuth ¶ added in v1.215.0
type PersonalScopeAuth struct {
// UserID of the authenticated user
UserID string
// CanCreate indicates if the user can create personal-scoped resources
CanCreate bool
// CanRead indicates if the user can read their own personal-scoped resources
CanRead bool
// CanUpdate indicates if the user can update their own personal-scoped resources
CanUpdate bool
// CanDelete indicates if the user can delete their own personal-scoped resources
CanDelete bool
}
PersonalScopeAuth contains authorization info for personal (user) scope
type TeamMappingRepository ¶ added in v1.287.0
type TeamMappingRepository interface {
// Get retrieves the team memberships for a given username.
// Returns the memberships, true if found, and any error.
Get(ctx context.Context, username string) ([]GitHubTeamMembership, bool, error)
// Set stores the team memberships for a given username.
Set(ctx context.Context, username string, teams []GitHubTeamMembership) error
}
TeamMappingRepository defines the interface for persistent user-team mapping cache. Implementations persist the mapping of GitHub usernames to their team memberships so that the data survives pod restarts and reduces GitHub API calls.
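Worked example (added here; not the package's own code): an in-memory implementation of the TeamMappingRepository interface above, layered as the SetTeamMappingRepo description puts it, that is, behind a short in-memory TTL cache and in front of the GitHub API. The resolver only calls GitHub when both layers miss and writes through to the repository, so a restarted pod is served from the persisted mapping and a GitHub outage surfaces as an error rather than as an empty membership list. MemoryTeamMappingRepo is a stand-in for the ConfigMap-backed repository; the TeamResolver type, its Refresh method, the injectable Fetch function and the 30-second TTL in main are assumptions of this example, and the memberships are constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

type GitHubTeamMembership struct {
	Organization string `json:"organization"`
	TeamSlug     string `json:"team_slug"`
	TeamName     string `json:"team_name"`
	Role         string `json:"role"`
}

type TeamMappingRepository interface {
	Get(ctx context.Context, username string) ([]GitHubTeamMembership, bool, error)
	Set(ctx context.Context, username string, teams []GitHubTeamMembership) error
}

// MemoryTeamMappingRepo stands in for the ConfigMap-backed repository so the
// example runs offline. Slices are copied so callers cannot mutate the cache.
type MemoryTeamMappingRepo struct{ m map[string][]GitHubTeamMembership }

func NewMemoryTeamMappingRepo() *MemoryTeamMappingRepo { return &MemoryTeamMappingRepo{m: map[string][]GitHubTeamMembership{}} }

func (r *MemoryTeamMappingRepo) Get(_ context.Context, username string) ([]GitHubTeamMembership, bool, error) {
	teams, ok := r.m[username]
	return append([]GitHubTeamMembership(nil), teams...), ok, nil
}

func (r *MemoryTeamMappingRepo) Set(_ context.Context, username string, teams []GitHubTeamMembership) error {
	r.m[username] = append([]GitHubTeamMembership(nil), teams...)
	return nil
}

type cachedTeams struct{ teams []GitHubTeamMembership; fetchedAt time.Time }

// TeamResolver layers a short in-memory TTL cache over the persistent repository
// and calls GitHub (Fetch) only when both miss. Now is injectable for testing.
type TeamResolver struct {
	TTL      time.Duration
	Now      func() time.Time
	Fetch    func(ctx context.Context, username string) ([]GitHubTeamMembership, error)
	Repo     TeamMappingRepository
	APICalls int // Fetch invocations, so the cache's effect is visible
	mu       sync.Mutex
	memory   map[string]cachedTeams
}

func NewTeamResolver(ttl time.Duration, fetch func(context.Context, string) ([]GitHubTeamMembership, error), repo TeamMappingRepository) *TeamResolver {
	return &TeamResolver{TTL: ttl, Now: time.Now, Fetch: fetch, Repo: repo, memory: map[string]cachedTeams{}}
}

func (t *TeamResolver) Teams(ctx context.Context, username string) ([]GitHubTeamMembership, error) {
	t.mu.Lock()
	c, ok := t.memory[username]
	t.mu.Unlock()
	if ok && t.Now().Sub(c.fetchedAt) < t.TTL {
		return c.teams, nil
	}
	if teams, found, err := t.Repo.Get(ctx, username); err == nil && found {
		t.remember(username, teams)
		return teams, nil
	}
	return t.Refresh(ctx, username)
}

// Refresh bypasses both layers, re-reads GitHub and writes through. A failed
// fetch caches nothing, so an outage is an error, never an empty membership.
func (t *TeamResolver) Refresh(ctx context.Context, username string) ([]GitHubTeamMembership, error) {
	t.mu.Lock()
	t.APICalls++
	t.mu.Unlock()
	teams, err := t.Fetch(ctx, username)
	if err != nil {
		return nil, err
	}
	if err := t.Repo.Set(ctx, username, teams); err != nil {
		return nil, err
	}
	t.remember(username, teams)
	return teams, nil
}

func (t *TeamResolver) remember(username string, teams []GitHubTeamMembership) {
	t.mu.Lock()
	t.memory[username] = cachedTeams{teams: teams, fetchedAt: t.Now()}
	t.mu.Unlock()
}

func main() {
	r := NewTeamResolver(30*time.Second, func(_ context.Context, u string) ([]GitHubTeamMembership, error) {
		if u != "alice" { // constructed stand-in for the GitHub API
			return nil, errors.New("constructed: GitHub API unavailable")
		}
		return []GitHubTeamMembership{{Organization: "acme", TeamSlug: "platform", TeamName: "Platform", Role: "member"}}, nil
	}, NewMemoryTeamMappingRepo())
	for i := 1; i <= 3; i++ {
		teams, err := r.Teams(context.Background(), "alice")
		fmt.Printf("lookup %d: teams=%d err=%v api_calls=%d\n", i, len(teams), err, r.APICalls)
	}
}
```

The caveat this layering carries: once a mapping is persisted, the in-memory TTL no longer triggers a GitHub re-read, because the expired memory entry is refilled from the repository. A membership revoked in GitHub is therefore not observed until something calls Refresh (a webhook, an admin action, or a periodic job) or the persistent layer applies its own expiry; the Set method has no timestamp, so that expiry has to live alongside the repository.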
type TeamPermissions ¶ added in v1.215.0
type TeamPermissions struct {
// TeamID in format "org/team-slug"
TeamID string
// CanCreate indicates if the user can create resources in this team
CanCreate bool
// CanRead indicates if the user can read resources in this team
CanRead bool
// CanUpdate indicates if the user can update resources in this team
CanUpdate bool
// CanDelete indicates if the user can delete resources in this team
CanDelete bool
}
TeamPermissions represents permissions for a specific team
type TeamScopeAuth ¶ added in v1.215.0
type TeamScopeAuth struct {
// Teams is a list of team IDs the user belongs to (format: "org/team-slug")
Teams []string
// TeamPermissions maps team IDs to their permissions
TeamPermissions map[string]TeamPermissions
// IsAdmin indicates if the user is an admin (can access all teams)
IsAdmin bool
}
TeamScopeAuth contains authorization info for team scope
type UserCache ¶ added in v1.9.1
type UserCache struct {
User *GitHubUserInfo
Role string
Permissions []string
EnvFile string
}
UserCache represents cached user information, role and permissions
type UserContext ¶
type UserContext struct {
UserID string
Role string
Permissions []string
APIKey string
AuthType string // "api_key" or "github_oauth"
GitHubUser *GitHubUserInfo // GitHub user info when using GitHub auth
AccessToken string // OAuth access token (not serialized)
EnvFile string // Path to team-specific environment file
}
UserContext represents the authenticated user context (for legacy compatibility)