auth

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 4, 2025 License: Apache-2.0 Imports: 37 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	MaxSecretFileSize = 64 * 1024 // 64KB limit for secret files

	MinSecretLength = 16 // Minimum secret length for security

	MaxSecretLength = 512 // Maximum secret length to prevent DoS

	MaxProviderNameLength = 50 // Maximum provider name length

	MinJWTSecretLength = 32 // Minimum JWT secret length

	DefaultKeycloakRealm = "master" // Default Keycloak realm

	DefaultTokenTTL = 24 * 60 * 60 // 24 hours in seconds

	DefaultRefreshTTL = 7 * 24 * 60 * 60 // 7 days in seconds

)
View Source 
const (
	PermissionCreateIntent = "intent:create"

	PermissionReadIntent = "intent:read"

	PermissionUpdateIntent = "intent:update"

	PermissionDeleteIntent = "intent:delete"

	PermissionManageE2Nodes = "e2nodes:manage"

	PermissionViewMetrics = "metrics:view"

	PermissionManageSystem = "system:manage"

	PermissionManageUsers = "users:manage"

	PermissionViewLogs = "logs:view"

	PermissionManageSecrets = "secrets:manage"
)
View Source 
const (
	AuthContextKey contextKey = "auth_context"
)

Variables

View Source 
var (
	SystemAdminRole = &Role{
		ID: "system-admin",

		Name: "System Administrator",

		Description: "Full system access with all privileges",

		Permissions: []string{
			"system:*",

			"intent:*",

			"e2:*",

			"auth:*",

			"config:*",

			"monitoring:*",

			"user:*",

			"rbac:*",
		},

		CreatedAt: time.Now(),

		UpdatedAt: time.Now(),
	}

	IntentOperatorRole = &Role{
		ID: "intent-operator",

		Name: "Intent Operator",

		Description: "Manage network intents and deployments",

		Permissions: []string{
			"intent:create",

			"intent:read",

			"intent:update",

			"intent:delete",

			"intent:deploy",

			"e2:read",

			"config:read",

			"monitoring:read",
		},

		CreatedAt: time.Now(),

		UpdatedAt: time.Now(),
	}

	E2ManagerRole = &Role{
		ID: "e2-manager",

		Name: "E2 Interface Manager",

		Description: "Manage E2 interface connections and service models",

		Permissions: []string{
			"e2:create",

			"e2:read",

			"e2:update",

			"e2:delete",

			"e2:subscribe",

			"e2:control",

			"monitoring:read",
		},

		CreatedAt: time.Now(),

		UpdatedAt: time.Now(),
	}

	ReadOnlyRole = &Role{
		ID: "read-only",

		Name: "Read Only User",

		Description: "Read-only access to system resources",

		Permissions: []string{
			"intent:read",

			"e2:read",

			"config:read",

			"monitoring:read",
		},

		CreatedAt: time.Now(),

		UpdatedAt: time.Now(),
	}

	NephoranPermissions = []*Permission{

		{ID: "system:admin", Name: "System Administration", Resource: "system", Action: "*"},

		{ID: "system:config", Name: "System Configuration", Resource: "system", Action: "config"},

		{ID: "intent:create", Name: "Create Intent", Resource: "intent", Action: "create"},

		{ID: "intent:read", Name: "Read Intent", Resource: "intent", Action: "read"},

		{ID: "intent:update", Name: "Update Intent", Resource: "intent", Action: "update"},

		{ID: "intent:delete", Name: "Delete Intent", Resource: "intent", Action: "delete"},

		{ID: "intent:deploy", Name: "Deploy Intent", Resource: "intent", Action: "deploy"},

		{ID: "e2:create", Name: "Create E2 Connection", Resource: "e2", Action: "create"},

		{ID: "e2:read", Name: "Read E2 Data", Resource: "e2", Action: "read"},

		{ID: "e2:update", Name: "Update E2 Configuration", Resource: "e2", Action: "update"},

		{ID: "e2:delete", Name: "Delete E2 Connection", Resource: "e2", Action: "delete"},

		{ID: "e2:subscribe", Name: "Subscribe to E2 Events", Resource: "e2", Action: "subscribe"},

		{ID: "e2:control", Name: "Control E2 Functions", Resource: "e2", Action: "control"},

		{ID: "config:read", Name: "Read Configuration", Resource: "config", Action: "read"},

		{ID: "config:write", Name: "Write Configuration", Resource: "config", Action: "write"},

		{ID: "monitoring:read", Name: "Read Monitoring Data", Resource: "monitoring", Action: "read"},

		{ID: "monitoring:write", Name: "Write Monitoring Config", Resource: "monitoring", Action: "write"},

		{ID: "auth:read", Name: "Read Auth Configuration", Resource: "auth", Action: "read"},

		{ID: "auth:write", Name: "Write Auth Configuration", Resource: "auth", Action: "write"},

		{ID: "auth:manage", Name: "Manage Authentication", Resource: "auth", Action: "manage"},

		{ID: "user:read", Name: "Read User Data", Resource: "user", Action: "read"},

		{ID: "user:write", Name: "Write User Data", Resource: "user", Action: "write"},

		{ID: "user:manage", Name: "Manage Users", Resource: "user", Action: "manage"},

		{ID: "rbac:read", Name: "Read RBAC Configuration", Resource: "rbac", Action: "read"},

		{ID: "rbac:write", Name: "Write RBAC Configuration", Resource: "rbac", Action: "write"},

		{ID: "rbac:manage", Name: "Manage RBAC", Resource: "rbac", Action: "manage"},
	}
)
View Source 
var ErrMissingJWTSecret = &AuthError{Code: "missing_jwt_secret", Message: "JWT secret key is required when OAuth2 is enabled"}

Functions

func EnhancedSetupHTTPServer 

func EnhancedSetupHTTPServer(cfg *config.LLMProcessorConfig, handler interface{}, logger *slog.Logger) *http.Server

func GenerateJWT 

func GenerateJWT(userInfo *UserInfo, provider string, secretKey []byte, ttl time.Duration) (string, error)

func GenerateNonce 

func GenerateNonce() (string, error)

func GenerateState 

func GenerateState() (string, error)

func GetUserID 

func GetUserID(ctx context.Context) string

func HasPermission 

func HasPermission(ctx context.Context, permission string) bool

func HasRole 

func HasRole(ctx context.Context, role string) bool

func HashToken 

func HashToken(token string, salt []byte) string

func IsAdmin 

func IsAdmin(ctx context.Context) bool

func MigrationExample 

func MigrationExample()

func SecureCompare 

func SecureCompare(a, b string) bool

func ValidateState 

func ValidateState(state string) error

Types

type AccessDecision 

type AccessDecision struct {
	Allowed bool `json:"allowed"`

	Reason string `json:"reason"`

	AppliedPolicies []string `json:"applied_policies"`

	RequiredRoles []string `json:"required_roles,omitempty"`

	MissingPermissions []string `json:"missing_permissions,omitempty"`

	Metadata json.RawMessage `json:"metadata,omitempty"`

	EvaluatedAt time.Time `json:"evaluated_at"`

	TTL time.Duration `json:"ttl,omitempty"`
}

type AccessRequest 

type AccessRequest struct {
	UserID string `json:"user_id"`

	Resource string `json:"resource"`

	Action string `json:"action"`

	Context json.RawMessage `json:"context,omitempty"`

	Attributes json.RawMessage `json:"attributes,omitempty"`

	IPAddress string `json:"ip_address,omitempty"`

	UserAgent string `json:"user_agent,omitempty"`

	Timestamp time.Time `json:"timestamp"`

	RequestID string `json:"request_id,omitempty"`
}

type AuthContext 

type AuthContext struct {
	UserID string `json:"user_id"`

	SessionID string `json:"session_id"`

	Provider string `json:"provider"`

	Roles []string `json:"roles"`

	Permissions []string `json:"permissions"`

	IsAdmin bool `json:"is_admin"`

	Attributes json.RawMessage `json:"attributes"`
}

func GetAuthContext 

func GetAuthContext(ctx context.Context) *AuthContext

func RequireAuthContext 

func RequireAuthContext(ctx context.Context) (*AuthContext, error)

type AuthError 

type AuthError struct {
	Code string `json:"code"`

	Message string `json:"message"`
}

func (*AuthError) Error 

func (e *AuthError) Error() string

type AuthHandlers 

type AuthHandlers = Handlers

AuthHandlers is an alias for Handlers to maintain compatibility

func NewAuthHandlers 

func NewAuthHandlers(sessionManager *SessionManager, jwtManager *JWTManager, rbacManager *RBACManager, config *HandlersConfig) *AuthHandlers

NewAuthHandlers creates new authentication handlers (compatibility function)

type AuthHandlersConfig 

type AuthHandlersConfig = HandlersConfig

AuthHandlersConfig is an alias for HandlersConfig to maintain compatibility

type AuthManager 

type AuthManager struct {
	JWTManager      *JWTManager
	SessionManager  *SessionManager
	RBACManager     *RBACManager
	OAuth2Manager   *OAuth2Manager
	SecurityManager *SecurityManager
	// contains filtered or unexported fields
}

AuthManager provides a unified interface for all authentication components

func NewAuthManager 

func NewAuthManager(config *AuthManagerConfig, logger *slog.Logger) (*AuthManager, error)

NewAuthManager creates a new unified authentication manager

func (*AuthManager) Close 

func (am *AuthManager) Close() error

Close performs cleanup of all managed components

func (*AuthManager) GetLDAPMiddleware 

func (am *AuthManager) GetLDAPMiddleware() *LDAPAuthMiddleware

GetLDAPMiddleware returns LDAP middleware if available

func (*AuthManager) GetMiddleware 

func (am *AuthManager) GetMiddleware() *AuthMiddleware

GetMiddleware returns the auth middleware

func (*AuthManager) GetOAuth2Manager 

func (am *AuthManager) GetOAuth2Manager() *OAuth2Manager

GetOAuth2Manager returns OAuth2 manager

func (*AuthManager) GetSessionManager 

func (am *AuthManager) GetSessionManager() *SessionManager

GetSessionManager returns session manager

func (*AuthManager) HandleHealthCheck 

func (am *AuthManager) HandleHealthCheck(w http.ResponseWriter, r *http.Request)

HandleHealthCheck provides health check endpoint

func (*AuthManager) ListProviders 

func (am *AuthManager) ListProviders() map[string]interface{}

ListProviders returns available authentication providers

func (*AuthManager) RefreshTokens 

func (am *AuthManager) RefreshTokens(ctx context.Context, refreshToken string) (string, string, error)

RefreshTokens refreshes access and refresh tokens

func (*AuthManager) ValidateSession 

func (am *AuthManager) ValidateSession(ctx context.Context, sessionID string) (*SessionInfo, error)

ValidateSession validates a session

type AuthManagerConfig 

type AuthManagerConfig struct {
	JWTConfig      *JWTConfig
	SessionConfig  *SessionConfig
	RBACConfig     *RBACManagerConfig
	OAuth2Config   *OAuth2ManagerConfig
	SecurityConfig *SecurityManagerConfig
}

AuthManagerConfig holds configuration for the unified auth manager

type AuthMiddleware 

type AuthMiddleware struct {
	// contains filtered or unexported fields
}

func NewAuthMiddleware 

func NewAuthMiddleware(config *AuthMiddlewareConfig) *AuthMiddleware

NewAuthMiddleware creates middleware with config - compatibility function.

func NewAuthMiddlewareWithComponents 

func NewAuthMiddlewareWithComponents(sessionManager *SessionManager, jwtManager *JWTManager, rbacManager *RBACManager, config *MiddlewareConfig) *AuthMiddleware

func (*AuthMiddleware) AuthenticateMiddleware 

func (am *AuthMiddleware) AuthenticateMiddleware(next http.Handler) http.Handler

func (*AuthMiddleware) CSRFMiddleware 

func (am *AuthMiddleware) CSRFMiddleware(next http.Handler) http.Handler

func (*AuthMiddleware) Middleware 

func (am *AuthMiddleware) Middleware(next http.Handler) http.Handler

Middleware method for compatibility.

func (*AuthMiddleware) RequestLoggingMiddleware 

func (am *AuthMiddleware) RequestLoggingMiddleware(next http.Handler) http.Handler

func (*AuthMiddleware) RequireAdmin 

func (am *AuthMiddleware) RequireAdmin() func(http.Handler) http.Handler

func (*AuthMiddleware) RequireAdminMiddleware 

func (am *AuthMiddleware) RequireAdminMiddleware(next http.Handler) http.Handler

func (*AuthMiddleware) RequireOperator 

func (am *AuthMiddleware) RequireOperator() func(http.Handler) http.Handler

func (*AuthMiddleware) RequirePermissionMiddleware 

func (am *AuthMiddleware) RequirePermissionMiddleware(permission string) func(http.Handler) http.Handler

func (*AuthMiddleware) RequireRoleMiddleware 

func (am *AuthMiddleware) RequireRoleMiddleware(role string) func(http.Handler) http.Handler

type AuthMiddlewareConfig 

type AuthMiddlewareConfig struct {
	JWTManager     *JWTManager     `json:"-"`
	SessionManager *SessionManager `json:"-"`
	RequireAuth    bool            `json:"require_auth"`
	AllowedPaths   []string        `json:"allowed_paths"`
	HeaderName     string          `json:"header_name"`
	CookieName     string          `json:"cookie_name"`
	ContextKey     string          `json:"context_key"`
}

AuthMiddlewareConfig represents authentication middleware configuration.

type AuthenticationInfo 

type AuthenticationInfo struct {
	Enabled bool `json:"enabled"`

	RequireAuth bool `json:"require_auth"`

	Providers []string `json:"providers,omitempty"`
}

type AuthenticationResult 

type AuthenticationResult struct {
	Token *TokenResponse `json:"token"`

	UserInfo *UserInfo `json:"user_info"`

	Provider string `json:"provider"`
}

type BlacklistConfig 

type BlacklistConfig struct {
	RedisAddr string `json:"redis_addr"`

	RedisPassword string `json:"redis_password"`

	RedisDB int `json:"redis_db"`

	RedisKeyPrefix string `json:"redis_key_prefix"`

	LocalCacheSize int `json:"local_cache_size"`

	LocalCacheTTL time.Duration `json:"local_cache_ttl"`

	CleanupInterval time.Duration `json:"cleanup_interval"`

	MaxTokenAge time.Duration `json:"max_token_age"`

	EnableCompression bool `json:"enable_compression"`
}

type BlacklistEntry 

type BlacklistEntry struct {
	TokenHash string `json:"token_hash"`

	UserID string `json:"user_id"`

	Reason string `json:"reason"`

	BlacklistedAt time.Time `json:"blacklisted_at"`

	ExpiresAt time.Time `json:"expires_at"`

	IPAddress string `json:"ip_address"`

	UserAgent string `json:"user_agent"`
}

type BlacklistMetrics 

type BlacklistMetrics struct {
	TotalBlacklisted int64 `json:"total_blacklisted"`

	TotalChecks int64 `json:"total_checks"`

	CacheHits int64 `json:"cache_hits"`

	CacheMisses int64 `json:"cache_misses"`

	RedisErrors int64 `json:"redis_errors"`

	AverageCheckTime time.Duration `json:"average_check_time"`

	LastCleanup time.Time `json:"last_cleanup"`

	RemovedExpiredTokens int64 `json:"removed_expired_tokens"`
	// contains filtered or unexported fields
}

type CORSConfig 

type CORSConfig struct {
	AllowedOrigins   []string `json:"allowed_origins"`
	AllowedMethods   []string `json:"allowed_methods"`
	AllowedHeaders   []string `json:"allowed_headers"`
	ExposedHeaders   []string `json:"exposed_headers"`
	AllowCredentials bool     `json:"allow_credentials"`
	MaxAge           int      `json:"max_age"`
}

CORSConfig represents CORS middleware configuration.

type CORSMiddleware 

type CORSMiddleware struct {
	// contains filtered or unexported fields
}

CORSMiddleware handles Cross-Origin Resource Sharing.

func NewCORSMiddleware 

func NewCORSMiddleware(config *CORSConfig) *CORSMiddleware

NewCORSMiddleware creates a new CORS middleware.

func (*CORSMiddleware) Middleware 

func (m *CORSMiddleware) Middleware(next http.Handler) http.Handler

Middleware applies CORS headers.

type CSRFConfig 

type CSRFConfig struct {
	Secret []byte        `json:"secret"`
	TTL    time.Duration `json:"ttl"`
}

CSRFConfig holds CSRF configuration

type CSRFManager 

type CSRFManager struct {
	// contains filtered or unexported fields
}

func NewCSRFManager 

func NewCSRFManager(secret []byte, ttl time.Duration) *CSRFManager

func (*CSRFManager) GenerateToken 

func (cm *CSRFManager) GenerateToken(sessionID string) (string, error)

func (*CSRFManager) InvalidateSession 

func (cm *CSRFManager) InvalidateSession(sessionID string)

func (*CSRFManager) InvalidateToken 

func (cm *CSRFManager) InvalidateToken(token string)

func (*CSRFManager) ValidateToken 

func (cm *CSRFManager) ValidateToken(token, sessionID string) error

type CSRFMiddleware 

type CSRFMiddleware struct {
	// contains filtered or unexported fields
}

func NewCSRFMiddleware 

func NewCSRFMiddleware(csrfManager *CSRFManager, config *CSRFMiddlewareConfig) *CSRFMiddleware

func (*CSRFMiddleware) GetToken 

func (cm *CSRFMiddleware) GetToken(w http.ResponseWriter, r *http.Request) (string, error)

func (*CSRFMiddleware) Middleware 

func (cm *CSRFMiddleware) Middleware(next http.Handler) http.Handler

type CSRFMiddlewareConfig 

type CSRFMiddlewareConfig struct {
	TokenHeader string `json:"token_header"`

	CookieName string `json:"cookie_name"`

	SafeMethods []string `json:"safe_methods"`

	RequireHTTPS bool `json:"require_https"`

	CookieSecure bool `json:"cookie_secure"`

	CookieHTTPOnly bool `json:"cookie_http_only"`

	CookieSameSite http.SameSite `json:"cookie_same_site"`

	MaxAge int `json:"max_age"`
}

type CSRFToken 

type CSRFToken struct {
	Token string `json:"token"`

	SessionID string `json:"session_id"`

	CreatedAt time.Time `json:"created_at"`

	UsedAt *time.Time `json:"used_at,omitempty"`
}

type CallbackRequest 

type CallbackRequest struct {
	Provider string `json:"provider"`

	Code string `json:"code"`

	State string `json:"state"`

	RedirectURI string `json:"redirect_uri"`

	IPAddress string `json:"ip_address"`

	UserAgent string `json:"user_agent"`
}

type CallbackResponse 

type CallbackResponse struct {
	Success bool `json:"success"`

	SessionID string `json:"session_id"`

	AccessToken string `json:"access_token"`

	RefreshToken string `json:"refresh_token"`

	IDToken string `json:"id_token,omitempty"`

	UserInfo *providers.UserInfo `json:"user_info"`

	RedirectURL string `json:"redirect_url,omitempty"`

	Error string `json:"error,omitempty"`
}

type ConditionType 

type ConditionType string
const (
	ConditionTypeAttribute ConditionType = "attribute"

	ConditionTypeTime ConditionType = "time"

	ConditionTypeIP ConditionType = "ip"

	ConditionTypeGroup ConditionType = "group"
)

type Config 

type Config struct {
	Enabled bool `json:"enabled"`

	JWTSecretKey string `json:"jwt_secret_key"`

	TokenTTL time.Duration `json:"token_ttl"`

	RefreshTTL time.Duration `json:"refresh_ttl"`

	Providers map[string]ProviderConfig `json:"providers"`

	LDAPProviders map[string]LDAPProviderConfig `json:"ldap_providers"`

	RBAC RBACConfig `json:"rbac"`

	AdminUsers []string `json:"admin_users"`

	OperatorUsers []string `json:"operator_users"`
}

func LoadAuthConfig 

func LoadAuthConfig(ctx context.Context, configPath string) (*Config, error)

func (*Config) CreateLDAPProviders 

func (c *Config) CreateLDAPProviders() (map[string]providers.LDAPProvider, error)

func (*Config) CreateOAuth2Providers 

func (c *Config) CreateOAuth2Providers() (map[string]*OAuth2Provider, error)

func (*Config) ToOAuth2Config 

func (c *Config) ToOAuth2Config() (*OAuth2Config, error)

type ControllerAuthConfig 

type ControllerAuthConfig struct {
	Enabled bool
}

type EmailClient 

type EmailClient struct {
	// contains filtered or unexported fields
}

func NewEmailClient 

func NewEmailClient(config *EmailConfig) *EmailClient

func (*EmailClient) SendMFACode 

func (ec *EmailClient) SendMFACode(ctx context.Context, email, code string, ttl time.Duration) error

type EmailConfig 

type EmailConfig struct {
	SMTPHost string `json:"smtp_host"`

	SMTPPort int `json:"smtp_port"`

	SMTPUsername string `json:"smtp_username"`

	SMTPPassword string `json:"smtp_password"`

	FromAddress string `json:"from_address"`

	FromName string `json:"from_name"`

	Subject string `json:"subject"`

	Template string `json:"template"`
}

type EndpointProtectionConfig 

type EndpointProtectionConfig struct {
	RequireAuth bool
}

type EnhancedOAuth2Manager 

type EnhancedOAuth2Manager struct {
	// contains filtered or unexported fields
}

func NewEnhancedOAuth2Manager 

func NewEnhancedOAuth2Manager(config *EnhancedOAuth2ManagerConfig, logger *slog.Logger) (*EnhancedOAuth2Manager, error)

func (*EnhancedOAuth2Manager) ConfigureAllRoutes 

func (eom *EnhancedOAuth2Manager) ConfigureAllRoutes(
	router *mux.Router,

	publicHandlers *PublicRouteHandlers,

	protectedHandlers *ProtectedRouteHandlers,
) error

func (*EnhancedOAuth2Manager) GetAuthenticationInfo 

func (eom *EnhancedOAuth2Manager) GetAuthenticationInfo() *AuthenticationInfo

func (*EnhancedOAuth2Manager) IsEnabled 

func (eom *EnhancedOAuth2Manager) IsEnabled() bool

func (*EnhancedOAuth2Manager) RequiresAuth 

func (eom *EnhancedOAuth2Manager) RequiresAuth() bool

type EnhancedOAuth2ManagerConfig 

type EnhancedOAuth2ManagerConfig struct {
	Enabled bool

	AuthConfigFile string

	JWTSecretKey string

	RequireAuth bool

	AdminUsers []string

	OperatorUsers []string

	StreamingEnabled bool

	MaxRequestSize int64

	ExposeMetricsPublicly bool

	MetricsAllowedCIDRs []string

	HealthEndpointsEnabled bool // Allow disabling health endpoints in specific contexts
}

func NewEnhancedConfigFromLLMConfig 

func NewEnhancedConfigFromLLMConfig(llmConfig interface{}, authEnabled, requireAuth bool, jwtSecret string) *EnhancedOAuth2ManagerConfig

func (*EnhancedOAuth2ManagerConfig) Validate 

func (config *EnhancedOAuth2ManagerConfig) Validate() error

type Handlers 

type Handlers struct {
	// contains filtered or unexported fields
}

func NewHandlers 

func NewHandlers(sessionManager *SessionManager, jwtManager *JWTManager, rbacManager *RBACManager, config *HandlersConfig) *Handlers

func (*Handlers) AssignRoleHandler 

func (ah *Handlers) AssignRoleHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) CallbackHandler 

func (ah *Handlers) CallbackHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) CreateRoleHandler 

func (ah *Handlers) CreateRoleHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) DeleteRoleHandler 

func (ah *Handlers) DeleteRoleHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) GenerateTokenHandler 

func (ah *Handlers) GenerateTokenHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) GetProvidersHandler 

func (ah *Handlers) GetProvidersHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) GetRoleHandler 

func (ah *Handlers) GetRoleHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) GetSessionHandler 

func (ah *Handlers) GetSessionHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) GetUserInfoHandler 

func (ah *Handlers) GetUserInfoHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) GetUserRolesHandler 

func (ah *Handlers) GetUserRolesHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) InitiateLoginHandler 

func (ah *Handlers) InitiateLoginHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) ListPermissionsHandler 

func (ah *Handlers) ListPermissionsHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) ListRolesHandler 

func (ah *Handlers) ListRolesHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) ListSessionsHandler 

func (ah *Handlers) ListSessionsHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) LogoutHandler 

func (ah *Handlers) LogoutHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) RefreshTokenHandler 

func (ah *Handlers) RefreshTokenHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) RegisterRoutes 

func (ah *Handlers) RegisterRoutes(router *mux.Router)

func (*Handlers) RevokeRoleHandler 

func (ah *Handlers) RevokeRoleHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) RevokeSessionHandler 

func (ah *Handlers) RevokeSessionHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) RevokeTokenHandler 

func (ah *Handlers) RevokeTokenHandler(w http.ResponseWriter, r *http.Request)

func (*Handlers) UpdateRoleHandler 

func (ah *Handlers) UpdateRoleHandler(w http.ResponseWriter, r *http.Request)

type HandlersConfig 

type HandlersConfig struct {
	BaseURL         string `json:"base_url"`
	DefaultRedirect string `json:"default_redirect"`
	LoginPath       string `json:"login_path"`
	CallbackPath    string `json:"callback_path"`
	LogoutPath      string `json:"logout_path"`
	UserInfoPath    string `json:"userinfo_path"`
	EnableAPITokens bool   `json:"enable_api_tokens"`
	TokenPath       string `json:"token_path"`
}

HandlersConfig represents handlers configuration.

type HandlersInterface 

type HandlersInterface interface {
	RegisterRoutes(router interface{})

	GetProvidersHandler(w http.ResponseWriter, r *http.Request)

	InitiateLoginHandler(w http.ResponseWriter, r *http.Request)

	CallbackHandler(w http.ResponseWriter, r *http.Request)

	LogoutHandler(w http.ResponseWriter, r *http.Request)

	GetUserInfoHandler(w http.ResponseWriter, r *http.Request)
}

type JWTClaims 

type JWTClaims struct {
	jwt.RegisteredClaims

	Email string `json:"email"`

	Name string `json:"name"`

	Groups []string `json:"groups"`

	Roles []string `json:"roles"`

	Provider string `json:"provider"`
}

func ValidateJWT 

func ValidateJWT(tokenString string, secretKey []byte) (*JWTClaims, error)

type JWTConfig 

type JWTConfig struct {
	Issuer string `json:"issuer"`

	SigningKeyPath string `json:"signing_key_path,omitempty"`

	SigningKey string `json:"signing_key,omitempty"`

	KeyRotationPeriod time.Duration `json:"key_rotation_period"`

	DefaultTTL time.Duration `json:"default_ttl"`

	RefreshTTL time.Duration `json:"refresh_ttl"`

	RequireSecureCookies bool `json:"require_secure_cookies"`

	CookieDomain string `json:"cookie_domain"`

	CookiePath string `json:"cookie_path"`

	Algorithm string `json:"algorithm"`
}

type JWTManager 

type JWTManager struct {
	// contains filtered or unexported fields
}

func NewJWTManager 

func NewJWTManager(ctx context.Context, config *JWTConfig, tokenStore TokenStore, blacklist TokenBlacklist, logger *slog.Logger) (*JWTManager, error)

func (*JWTManager) BlacklistToken 

func (jm *JWTManager) BlacklistToken(tokenString string) error

func (*JWTManager) CleanupBlacklist 

func (jm *JWTManager) CleanupBlacklist() error

func (*JWTManager) CreateAccessToken 

func (jm *JWTManager) CreateAccessToken(ctx context.Context, userInfo *providers.UserInfo, sessionID string, options ...TokenOption) (string, *TokenInfo, error)

CreateAccessToken creates an access token for a user (alias for GenerateAccessToken for API compatibility).

func (*JWTManager) CreateRefreshToken 

func (jm *JWTManager) CreateRefreshToken(ctx context.Context, userInfo *providers.UserInfo, sessionID string, options ...TokenOption) (string, *TokenInfo, error)

CreateRefreshToken creates a refresh token (alias for GenerateRefreshToken for API compatibility).

func (*JWTManager) ExtractClaims 

func (jm *JWTManager) ExtractClaims(tokenString string) (jwt.MapClaims, error)

func (*JWTManager) GenerateAccessToken 

func (jm *JWTManager) GenerateAccessToken(ctx context.Context, userInfo *providers.UserInfo, sessionID string, options ...TokenOption) (string, *TokenInfo, error)

func (*JWTManager) GenerateRefreshToken 

func (jm *JWTManager) GenerateRefreshToken(ctx context.Context, userInfo *providers.UserInfo, sessionID string, options ...TokenOption) (string, *TokenInfo, error)

func (*JWTManager) GenerateToken 

func (jm *JWTManager) GenerateToken(userInfo *providers.UserInfo, customClaims map[string]interface{}) (string, error)

func (*JWTManager) GenerateTokenPair 

func (jm *JWTManager) GenerateTokenPair(ctx context.Context, userInfo *providers.UserInfo, sessionID string, options ...TokenOption) (string, string, error)

func (*JWTManager) GenerateTokenPairLegacy 

func (jm *JWTManager) GenerateTokenPairLegacy(userInfo *providers.UserInfo, customClaims map[string]interface{}) (string, string, error)

func (*JWTManager) GenerateTokenWithTTL 

func (jm *JWTManager) GenerateTokenWithTTL(userInfo *providers.UserInfo, customClaims map[string]interface{}, ttl time.Duration) (string, error)

func (*JWTManager) GetDefaultTTL 

func (jm *JWTManager) GetDefaultTTL() time.Duration

func (*JWTManager) GetIssuer 

func (jm *JWTManager) GetIssuer() string

func (*JWTManager) GetJWKS 

func (jm *JWTManager) GetJWKS() (map[string]interface{}, error)

func (*JWTManager) GetKeyID 

func (jm *JWTManager) GetKeyID() string

func (*JWTManager) GetMetrics 

func (jm *JWTManager) GetMetrics() *JWTMetrics

func (*JWTManager) GetPublicKey 

func (jm *JWTManager) GetPublicKey(keyID string) (*rsa.PublicKey, error)

func (*JWTManager) GetRefreshTTL 

func (jm *JWTManager) GetRefreshTTL() time.Duration

func (*JWTManager) GetRequireSecureCookies 

func (jm *JWTManager) GetRequireSecureCookies() bool

func (*JWTManager) GetTokenInfo 

func (jm *JWTManager) GetTokenInfo(ctx context.Context, tokenID string) (*TokenInfo, error)

func (*JWTManager) IsTokenBlacklisted 

func (jm *JWTManager) IsTokenBlacklisted(ctx context.Context, tokenString string) (bool, error)

func (*JWTManager) ListUserTokens 

func (jm *JWTManager) ListUserTokens(ctx context.Context, userID string) ([]*TokenInfo, error)

func (*JWTManager) RefreshAccessToken 

func (jm *JWTManager) RefreshAccessToken(ctx context.Context, refreshTokenString string, options ...TokenOption) (string, *TokenInfo, error)

func (*JWTManager) RefreshToken 

func (jm *JWTManager) RefreshToken(refreshTokenString string) (string, string, error)

func (*JWTManager) RevokeToken 

func (jm *JWTManager) RevokeToken(ctx context.Context, tokenString string) error

func (*JWTManager) RevokeUserTokens 

func (jm *JWTManager) RevokeUserTokens(ctx context.Context, userID string) error

func (*JWTManager) RotateKeys 

func (jm *JWTManager) RotateKeys() error

func (*JWTManager) SetSigningKey 

func (jm *JWTManager) SetSigningKey(privateKey *rsa.PrivateKey, keyID string) error

func (*JWTManager) ValidateToken 

func (jm *JWTManager) ValidateToken(ctx context.Context, tokenString string) (*NephoranJWTClaims, error)

func (*JWTManager) ValidateTokenWithContext 

func (jm *JWTManager) ValidateTokenWithContext(ctx context.Context, tokenString string) (*NephoranJWTClaims, error)

type JWTManagerInterface 

type JWTManagerInterface interface {
	// Core token operations
	GenerateToken(user *providers.UserInfo, customClaims map[string]interface{}) (string, error)
	GenerateTokenWithTTL(user *providers.UserInfo, customClaims map[string]interface{}, ttl time.Duration) (string, error)
	GenerateTokenPair(user *providers.UserInfo, customClaims map[string]interface{}) (string, string, error)

	// Validation and claims
	ValidateToken(ctx context.Context, tokenString string) (*NephoranJWTClaims, error)
	ExtractClaims(tokenString string) (jwt.MapClaims, error)

	// Token lifecycle
	RefreshToken(refreshTokenString string) (string, string, error)
	BlacklistToken(tokenString string) error
	IsTokenBlacklisted(ctx context.Context, tokenString string) (bool, error)
	CleanupBlacklist() error

	// Key management
	SetSigningKey(privateKey *rsa.PrivateKey, keyID string) error
	GetPublicKey(keyID string) (*rsa.PublicKey, error)
	GetJWKS() (map[string]interface{}, error)
	RotateKeys() error
	GetKeyID() string

	// Configuration getters
	GetIssuer() string
	GetDefaultTTL() time.Duration
	GetRefreshTTL() time.Duration
	GetRequireSecureCookies() bool

	// Cleanup
	Close()
}

type JWTMetrics 

type JWTMetrics struct {
	TokensIssued int64 `json:"tokens_issued"`

	TokensValidated int64 `json:"tokens_validated"`

	TokensRevoked int64 `json:"tokens_revoked"`

	TokensExpired int64 `json:"tokens_expired"`

	ValidationFailures int64 `json:"validation_failures"`

	KeyRotations int64 `json:"key_rotations"`
}

type LDAPAttributeMapping 

type LDAPAttributeMapping struct {
	Username string `json:"username"`

	Email string `json:"email"`

	FirstName string `json:"first_name"`

	LastName string `json:"last_name"`

	DisplayName string `json:"display_name"`

	Groups string `json:"groups"`

	Title string `json:"title"`

	Department string `json:"department"`

	Phone string `json:"phone"`

	Manager string `json:"manager"`
}

type LDAPAuthMiddleware 

type LDAPAuthMiddleware struct {
	// contains filtered or unexported fields
}

func NewLDAPAuthMiddleware 

func NewLDAPAuthMiddleware(providers map[string]providers.LDAPProvider, sessionManager *SessionManager, jwtManager *JWTManager, rbacManager *RBACManager, config *LDAPMiddlewareConfig, logger *slog.Logger) *LDAPAuthMiddleware

func (*LDAPAuthMiddleware) GetLDAPProviders 

func (lm *LDAPAuthMiddleware) GetLDAPProviders() map[string]providers.LDAPProvider

func (*LDAPAuthMiddleware) GetUserInfo 

func (lm *LDAPAuthMiddleware) GetUserInfo(ctx context.Context, username, providerName string) (*providers.UserInfo, error)

func (*LDAPAuthMiddleware) HandleLDAPLogin 

func (lm *LDAPAuthMiddleware) HandleLDAPLogin(w http.ResponseWriter, r *http.Request)

func (*LDAPAuthMiddleware) HandleLDAPLogout 

func (lm *LDAPAuthMiddleware) HandleLDAPLogout(w http.ResponseWriter, r *http.Request)

func (*LDAPAuthMiddleware) LDAPAuthenticateMiddleware 

func (lm *LDAPAuthMiddleware) LDAPAuthenticateMiddleware(next http.Handler) http.Handler

func (*LDAPAuthMiddleware) TestLDAPConnection 

func (lm *LDAPAuthMiddleware) TestLDAPConnection(ctx context.Context) map[string]error

type LDAPAuthRequest 

type LDAPAuthRequest struct {
	Username string `json:"username"`

	Password string `json:"password"`

	Provider string `json:"provider,omitempty"`
}

type LDAPAuthResponse 

type LDAPAuthResponse struct {
	Success bool `json:"success"`

	AccessToken string `json:"access_token,omitempty"`

	RefreshToken string `json:"refresh_token,omitempty"`

	ExpiresIn int64 `json:"expires_in,omitempty"`

	TokenType string `json:"token_type,omitempty"`

	User *LDAPUserResponse `json:"user,omitempty"`

	Error string `json:"error,omitempty"`

	ErrorCode string `json:"error_code,omitempty"`
}

type LDAPMiddlewareConfig 

type LDAPMiddlewareConfig struct {
	Realm string `json:"realm"`

	DefaultProvider string `json:"default_provider"`

	AllowBasicAuth bool `json:"allow_basic_auth"`

	AllowFormAuth bool `json:"allow_form_auth"`

	AllowJSONAuth bool `json:"allow_json_auth"`

	SessionTimeout time.Duration `json:"session_timeout"`

	RequireHTTPS bool `json:"require_https"`

	MaxFailedAttempts int `json:"max_failed_attempts"`

	LockoutDuration time.Duration `json:"lockout_duration"`

	EnableUserCache bool `json:"enable_user_cache"`

	CacheTTL time.Duration `json:"cache_ttl"`

	UserHeader string `json:"user_header"`

	RolesHeader string `json:"roles_header"`

	GroupsHeader string `json:"groups_header"`

	SkipAuth []string `json:"skip_auth"`
}

type LDAPProviderConfig 

type LDAPProviderConfig struct {
	Enabled bool `json:"enabled"`

	Host string `json:"host"`

	Port int `json:"port"`

	UseSSL bool `json:"use_ssl"`

	UseTLS bool `json:"use_tls"`

	SkipVerify bool `json:"skip_verify"`

	BindDN string `json:"bind_dn"`

	BindPassword string `json:"bind_password"`

	BaseDN string `json:"base_dn"`

	UserFilter string `json:"user_filter"`

	GroupFilter string `json:"group_filter"`

	UserSearchBase string `json:"user_search_base"`

	GroupSearchBase string `json:"group_search_base"`

	UserAttributes LDAPAttributeMapping `json:"user_attributes"`

	GroupAttributes LDAPAttributeMapping `json:"group_attributes"`

	AuthMethod string `json:"auth_method"`

	Timeout time.Duration `json:"timeout"`

	ConnectionTimeout time.Duration `json:"connection_timeout"`

	MaxConnections int `json:"max_connections"`

	IsActiveDirectory bool `json:"is_active_directory"`

	Domain string `json:"domain"`

	GroupMemberAttribute string `json:"group_member_attribute"`

	UserGroupAttribute string `json:"user_group_attribute"`

	RoleMappings map[string][]string `json:"role_mappings"`

	DefaultRoles []string `json:"default_roles"`
}

type LDAPUserResponse 

type LDAPUserResponse struct {
	Username string `json:"username"`

	Email string `json:"email"`

	DisplayName string `json:"display_name"`

	FirstName string `json:"first_name"`

	LastName string `json:"last_name"`

	Title string `json:"title"`

	Department string `json:"department"`

	Phone string `json:"phone"`

	Groups []string `json:"groups"`

	Roles []string `json:"roles"`
}

type LoginRequest 

type LoginRequest struct {
	Provider string `json:"provider"`

	RedirectURI string `json:"redirect_uri,omitempty"`

	State string `json:"state,omitempty"`

	Options map[string]string `json:"options,omitempty"`

	IPAddress string `json:"ip_address"`

	UserAgent string `json:"user_agent"`
}

type LoginResponse 

type LoginResponse struct {
	AuthURL string `json:"auth_url"`

	State string `json:"state"`

	SessionID string `json:"session_id,omitempty"`

	PKCEChallenge string `json:"pkce_challenge,omitempty"`
}

type MFACode 

type MFACode struct {
	UserID string `json:"user_id"`

	Code string `json:"code"`

	Method string `json:"method"` // totp, email, sms

	CreatedAt time.Time `json:"created_at"`

	ExpiresAt time.Time `json:"expires_at"`

	Attempts int `json:"attempts"`

	Used bool `json:"used"`

	IPAddress string `json:"ip_address"`

	UserAgent string `json:"user_agent"`
}

type MFAConfig 

type MFAConfig struct {
	Enabled bool `json:"enabled"`

	RequiredForAdmin bool `json:"required_for_admin"`

	RequiredForOperator bool `json:"required_for_operator"`

	TOTPEnabled bool `json:"totp_enabled"`

	EmailEnabled bool `json:"email_enabled"`

	SMSEnabled bool `json:"sms_enabled"`

	BackupCodesEnabled bool `json:"backup_codes_enabled"`

	CodeLength int `json:"code_length"`

	CodeTTL time.Duration `json:"code_ttl"`

	MaxAttempts int `json:"max_attempts"`

	AttemptWindow time.Duration `json:"attempt_window"`

	CleanupInterval time.Duration `json:"cleanup_interval"`

	IssuerName string `json:"issuer_name"`

	EmailConfig *EmailConfig `json:"email_config,omitempty"`

	SMSConfig *SMSConfig `json:"sms_config,omitempty"`
}

type MFAManager 

type MFAManager struct {
	// contains filtered or unexported fields
}

func NewMFAManager 

func NewMFAManager(config *MFAConfig) (*MFAManager, error)

func (*MFAManager) GetMetrics 

func (mfa *MFAManager) GetMetrics() *MFAMetrics

func (*MFAManager) SendEmailCode 

func (mfa *MFAManager) SendEmailCode(ctx context.Context, userID, email, ipAddress, userAgent string) error

func (*MFAManager) SendSMSCode 

func (mfa *MFAManager) SendSMSCode(ctx context.Context, userID, phoneNumber, ipAddress, userAgent string) error

func (*MFAManager) SetupTOTP 

func (mfa *MFAManager) SetupTOTP(ctx context.Context, userID, userEmail string) (*MFASetupData, error)

func (*MFAManager) VerifyCode 

func (mfa *MFAManager) VerifyCode(ctx context.Context, request *MFAVerificationRequest) (*MFAVerificationResult, error)

type MFAMetrics 

type MFAMetrics struct {
	TotalVerifications int64 `json:"total_verifications"`

	SuccessfulVerifications int64 `json:"successful_verifications"`

	FailedVerifications int64 `json:"failed_verifications"`

	MethodStats map[string]int64 `json:"method_stats"`

	AverageVerificationTime time.Duration `json:"average_verification_time"`

	BruteForceAttempts int64 `json:"brute_force_attempts"`

	BackupCodesUsed int64 `json:"backup_codes_used"`

	LastUpdated time.Time `json:"last_updated"`
	// contains filtered or unexported fields
}

type MFASetupData 

type MFASetupData struct {
	QRCodeURL string `json:"qr_code_url"`

	Secret string `json:"secret"`

	BackupCodes []string `json:"backup_codes"`

	RecoveryCodes []string `json:"recovery_codes"`
}

type MFAVerificationRequest 

type MFAVerificationRequest struct {
	UserID string `json:"user_id"`

	Code string `json:"code"`

	Method string `json:"method"`

	IPAddress string `json:"ip_address"`

	UserAgent string `json:"user_agent"`
}

type MFAVerificationResult 

type MFAVerificationResult struct {
	Valid bool `json:"valid"`

	Method string `json:"method"`

	RemainingCodes int `json:"remaining_codes"`

	NextCodeAt time.Time `json:"next_code_at"`

	AttemptsLeft int `json:"attempts_left"`

	BackupUsed bool `json:"backup_used"`

	Error string `json:"error,omitempty"`
}

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

func NewManager 

func NewManager(ctx context.Context, config *Config, logger *slog.Logger) (*Manager, error)

func (*Manager) GetHandlers 

func (am *Manager) GetHandlers() *AuthHandlers

func (*Manager) GetJWTManager 

func (am *Manager) GetJWTManager() *JWTManager

func (*Manager) GetLDAPMiddleware 

func (am *Manager) GetLDAPMiddleware() *LDAPAuthMiddleware

func (*Manager) GetMiddleware 

func (am *Manager) GetMiddleware() *AuthMiddleware

func (*Manager) GetOAuth2Manager 

func (am *Manager) GetOAuth2Manager() *OAuth2Manager

func (*Manager) GetRBACManager 

func (am *Manager) GetRBACManager() *RBACManager

func (*Manager) GetSessionManager 

func (am *Manager) GetSessionManager() *SessionManager

func (*Manager) HandleHealthCheck 

func (am *Manager) HandleHealthCheck(w http.ResponseWriter, r *http.Request)

func (*Manager) ListProviders 

func (am *Manager) ListProviders() map[string]interface{}

func (*Manager) RefreshTokens 

func (am *Manager) RefreshTokens(ctx context.Context, refreshToken string) (string, string, error)

func (*Manager) Shutdown 

func (am *Manager) Shutdown(ctx context.Context) error

func (*Manager) ValidateSession 

func (am *Manager) ValidateSession(ctx context.Context, sessionID string) (*UserSession, error)

type ManagerInterface 

type ManagerInterface interface {
	GetMiddleware() interface{}

	GetLDAPMiddleware() interface{}

	GetOAuth2Manager() interface{}

	GetSessionManager() SessionManagerInterface

	GetJWTManager() JWTManagerInterface

	GetRBACManager() RBACManagerInterface

	ListProviders() map[string]interface{}

	RefreshTokens(ctx context.Context, refreshToken string) (string, string, error)

	ValidateSession(ctx context.Context, sessionID string) (*UserSession, error)

	Shutdown(ctx context.Context) error
}

type MemoryTokenBlacklist 

type MemoryTokenBlacklist struct {
	// contains filtered or unexported fields
}

MemoryTokenBlacklist provides an in-memory implementation of TokenBlacklist for testing

func NewMemoryTokenBlacklist 

func NewMemoryTokenBlacklist() *MemoryTokenBlacklist

NewMemoryTokenBlacklist creates a new in-memory token blacklist

func (*MemoryTokenBlacklist) BlacklistToken 

func (b *MemoryTokenBlacklist) BlacklistToken(ctx context.Context, tokenID string, expiresAt time.Time) error

BlacklistToken adds a token to the blacklist

func (*MemoryTokenBlacklist) CleanupExpired 

func (b *MemoryTokenBlacklist) CleanupExpired(ctx context.Context) error

CleanupExpired removes expired blacklist entries

func (*MemoryTokenBlacklist) IsTokenBlacklisted 

func (b *MemoryTokenBlacklist) IsTokenBlacklisted(ctx context.Context, tokenID string) (bool, error)

IsTokenBlacklisted checks if a token is blacklisted

type MemoryTokenStore 

type MemoryTokenStore struct {
	// contains filtered or unexported fields
}

MemoryTokenStore provides an in-memory implementation of TokenStore for testing

func NewMemoryTokenStore 

func NewMemoryTokenStore() *MemoryTokenStore

NewMemoryTokenStore creates a new in-memory token store

func (*MemoryTokenStore) CleanupExpired 

func (s *MemoryTokenStore) CleanupExpired(ctx context.Context) error

CleanupExpired removes expired tokens

func (*MemoryTokenStore) DeleteToken 

func (s *MemoryTokenStore) DeleteToken(ctx context.Context, tokenID string) error

DeleteToken deletes a token

func (*MemoryTokenStore) GetToken 

func (s *MemoryTokenStore) GetToken(ctx context.Context, tokenID string) (*TokenInfo, error)

GetToken retrieves token info

func (*MemoryTokenStore) ListUserTokens 

func (s *MemoryTokenStore) ListUserTokens(ctx context.Context, userID string) ([]*TokenInfo, error)

ListUserTokens lists tokens for a user

func (*MemoryTokenStore) StoreToken 

func (s *MemoryTokenStore) StoreToken(ctx context.Context, tokenID string, token *TokenInfo) error

StoreToken stores a token with expiration

func (*MemoryTokenStore) UpdateToken 

func (s *MemoryTokenStore) UpdateToken(ctx context.Context, tokenID string, token *TokenInfo) error

UpdateToken updates token info

type MiddlewareConfig 

type MiddlewareConfig struct {
	SkipAuth []string `json:"skip_auth"`

	EnableCORS bool `json:"enable_cors"`

	AllowedOrigins []string `json:"allowed_origins"`

	AllowedMethods []string `json:"allowed_methods"`

	AllowedHeaders []string `json:"allowed_headers"`

	AllowCredentials bool `json:"allow_credentials"`

	MaxAge int `json:"max_age"`

	EnableSecurityHeaders bool `json:"enable_security_headers"`

	EnableRateLimit bool `json:"enable_rate_limit"`

	RequestsPerMin int `json:"requests_per_min"`

	RateLimitWindow time.Duration `json:"rate_limit_window"`

	EnableCSRF bool `json:"enable_csrf"`

	CSRFTokenHeader string `json:"csrf_token_header"`

	CSRFSafeMethods []string `json:"csrf_safe_methods"`
}

type NephoranAuthConfig 

type NephoranAuthConfig struct {
	AuthConfig *Config

	ControllerAuth *ControllerAuthConfig

	EndpointProtection *EndpointProtectionConfig

	NephoranRBAC *NephoranRBACConfig
}

type NephoranAuthIntegration 

type NephoranAuthIntegration struct {
	// contains filtered or unexported fields
}

func NewNephoranAuthIntegration 

func NewNephoranAuthIntegration(config *NephoranAuthConfig, kubeClient client.Client, logger *slog.Logger) (*NephoranAuthIntegration, error)

type NephoranJWTClaims 

type NephoranJWTClaims struct {
	jwt.RegisteredClaims

	Email string `json:"email"`

	EmailVerified bool `json:"email_verified"`

	Name string `json:"name"`

	PreferredName string `json:"preferred_username"`

	Picture string `json:"picture"`

	Groups []string `json:"groups"`

	Roles []string `json:"roles"`

	Permissions []string `json:"permissions"`

	Organizations []string `json:"organizations"`

	Provider string `json:"provider"`

	ProviderID string `json:"provider_id"`

	TenantID string `json:"tenant_id,omitempty"`

	SessionID string `json:"session_id"`

	TokenType string `json:"token_type"` // "access" or "refresh"

	Scope string `json:"scope,omitempty"`

	IPAddress string `json:"ip_address,omitempty"`

	UserAgent string `json:"user_agent,omitempty"`

	Attributes json.RawMessage `json:"attributes,omitempty"`
}

type NephoranRBACConfig 

type NephoranRBACConfig struct {
	Enabled bool
}

type OAuth2Config 

type OAuth2Config struct {
	Providers map[string]*OAuth2Provider `json:"providers"`

	DefaultScopes []string `json:"default_scopes"`

	TokenTTL time.Duration `json:"token_ttl"`

	RefreshTTL time.Duration `json:"refresh_ttl"`
}

type OAuth2Manager 

type OAuth2Manager struct {
	// contains filtered or unexported fields
}

func NewOAuth2Manager 

func NewOAuth2Manager(ctx context.Context, config *OAuth2ManagerConfig, logger *slog.Logger) (*OAuth2Manager, error)

func (*OAuth2Manager) ConfigureProtectedRoutes 

func (om *OAuth2Manager) ConfigureProtectedRoutes(router *mux.Router, handlers *RouteHandlers)

func (*OAuth2Manager) CreateHandlersWithSizeLimit 

func (om *OAuth2Manager) CreateHandlersWithSizeLimit(
	processIntent http.HandlerFunc,

	status http.HandlerFunc,

	circuitBreakerStatus http.HandlerFunc,

	streamingHandler http.HandlerFunc,

	metrics http.HandlerFunc,
) *RouteHandlers

func (*OAuth2Manager) GetAuthenticationInfo 

func (om *OAuth2Manager) GetAuthenticationInfo() *AuthenticationInfo

func (*OAuth2Manager) IsEnabled 

func (om *OAuth2Manager) IsEnabled() bool

func (*OAuth2Manager) RequiresAuth 

func (om *OAuth2Manager) RequiresAuth() bool

func (*OAuth2Manager) SetupRoutes 

func (om *OAuth2Manager) SetupRoutes(router *mux.Router)

type OAuth2ManagerConfig 

type OAuth2ManagerConfig struct {
	Enabled bool

	AuthConfigFile string

	JWTSecretKey string

	RequireAuth bool

	AdminUsers []string

	OperatorUsers []string

	StreamingEnabled bool

	MaxRequestSize int64
}

func (*OAuth2ManagerConfig) Validate 

func (config *OAuth2ManagerConfig) Validate() error

type OAuth2Provider 

type OAuth2Provider struct {
	Name string

	ClientID string

	ClientSecret string

	AuthURL string

	TokenURL string

	UserInfoURL string

	Scopes []string

	TLSConfig *tls.Config
	// contains filtered or unexported fields
}

func NewAzureADProvider 

func NewAzureADProvider(tenantID, clientID, clientSecret string) *OAuth2Provider

func NewGoogleProvider 

func NewGoogleProvider(clientID, clientSecret string) *OAuth2Provider

func NewKeycloakProvider 

func NewKeycloakProvider(baseURL, realm, clientID, clientSecret string) *OAuth2Provider

func NewOAuth2Provider 

func NewOAuth2Provider(name, clientID, clientSecret, authURL, tokenURL, userInfoURL string, scopes []string) *OAuth2Provider

func NewOktaProvider 

func NewOktaProvider(domain, clientID, clientSecret string) *OAuth2Provider

func (*OAuth2Provider) ExchangeCodeForToken 

func (p *OAuth2Provider) ExchangeCodeForToken(ctx context.Context, code, redirectURI string) (*TokenResponse, error)

func (*OAuth2Provider) GetAuthorizationURL 

func (p *OAuth2Provider) GetAuthorizationURL(state, redirectURI string) string

func (*OAuth2Provider) GetClientCredentialsToken 

func (p *OAuth2Provider) GetClientCredentialsToken(ctx context.Context) (*TokenResponse, error)

func (*OAuth2Provider) RefreshToken 

func (p *OAuth2Provider) RefreshToken(ctx context.Context, refreshToken string) (*TokenResponse, error)

func (*OAuth2Provider) ValidateToken 

func (p *OAuth2Provider) ValidateToken(ctx context.Context, accessToken string) (*UserInfo, error)

type PKCEChallenge 

type PKCEChallenge struct {
	CodeVerifier string `json:"code_verifier"`

	CodeChallenge string `json:"code_challenge"`

	Method string `json:"code_challenge_method"`

	State string `json:"state"`

	CreatedAt time.Time `json:"created_at"`

	ClientID string `json:"client_id"`

	RedirectURI string `json:"redirect_uri"`
}

type PKCEConfig 

type PKCEConfig struct {
	TTL time.Duration `json:"ttl"`
}

PKCEConfig holds PKCE configuration

type PKCEManager 

type PKCEManager struct {
	// contains filtered or unexported fields
}

func NewPKCEManager 

func NewPKCEManager(ttl time.Duration) *PKCEManager

func (*PKCEManager) GenerateChallenge 

func (pm *PKCEManager) GenerateChallenge(state, clientID, redirectURI string) (*PKCEChallenge, error)

func (*PKCEManager) GetChallenge 

func (pm *PKCEManager) GetChallenge(state string) (*PKCEChallenge, bool)

func (*PKCEManager) ValidateChallenge 

func (pm *PKCEManager) ValidateChallenge(state, codeVerifier, clientID, redirectURI string) (*PKCEChallenge, error)

type Permission 

type Permission struct {
	ID string `json:"id"`

	Name string `json:"name"`

	Description string `json:"description"`

	Resource string `json:"resource"`

	Action string `json:"action"`

	Scope string `json:"scope,omitempty"`

	Metadata map[string]string `json:"metadata,omitempty"`

	CreatedAt time.Time `json:"created_at"`

	UpdatedAt time.Time `json:"updated_at"`
}

type Policy 

type Policy struct {
	ID string `json:"id"`

	Name string `json:"name"`

	Description string `json:"description"`

	Rules []PolicyRule `json:"rules"`

	Effect PolicyEffect `json:"effect"`

	Conditions []PolicyCondition `json:"conditions,omitempty"`

	Metadata map[string]string `json:"metadata,omitempty"`

	CreatedAt time.Time `json:"created_at"`

	UpdatedAt time.Time `json:"updated_at"`

	Priority int `json:"priority"`
}

type PolicyCondition 

type PolicyCondition struct {
	Type ConditionType `json:"type"`

	Attribute string `json:"attribute"`

	Operator string `json:"operator"`

	Values []string `json:"values"`
}

type PolicyEffect 

type PolicyEffect string
const (
	PolicyEffectAllow PolicyEffect = "allow"

	PolicyEffectDeny PolicyEffect = "deny"
)

type PolicyRule 

type PolicyRule struct {
	Resources []string `json:"resources"`

	Actions []string `json:"actions"`

	Permissions []string `json:"permissions,omitempty"`
}

type ProtectedRouteHandlers 

type ProtectedRouteHandlers struct {
	ProcessIntent http.HandlerFunc

	Status http.HandlerFunc

	CircuitBreakerStatus http.HandlerFunc

	StreamingHandler http.HandlerFunc
}

type ProviderConfig 

type ProviderConfig struct {
	Enabled bool `json:"enabled"`

	Type string `json:"type"` // azure-ad, okta, keycloak, google, ldap

	ClientID string `json:"client_id"`

	ClientSecret string `json:"client_secret"`

	TenantID string `json:"tenant_id,omitempty"` // Azure AD

	Domain string `json:"domain,omitempty"` // Okta

	BaseURL string `json:"base_url,omitempty"` // Keycloak

	Realm string `json:"realm,omitempty"` // Keycloak

	Scopes []string `json:"scopes,omitempty"`

	AuthURL string `json:"auth_url,omitempty"` // Custom

	TokenURL string `json:"token_url,omitempty"` // Custom

	UserInfoURL string `json:"user_info_url,omitempty"` // Custom
}

type PublicRouteHandlers 

type PublicRouteHandlers struct {
	Health http.HandlerFunc

	Ready http.HandlerFunc

	Metrics http.HandlerFunc
}

type RBACCache 

type RBACCache struct {
	// contains filtered or unexported fields
}

type RBACConfig 

type RBACConfig struct {
	Enabled bool `json:"enabled"`

	DefaultRole string `json:"default_role"`

	RoleMapping map[string][]string `json:"role_mapping"` // provider_role -> internal_roles

	GroupMapping map[string][]string `json:"group_mapping"` // provider_group -> internal_roles

	AdminRoles []string `json:"admin_roles"`

	OperatorRoles []string `json:"operator_roles"`

	ReadOnlyRoles []string `json:"readonly_roles"`

	Permissions map[string][]string `json:"permissions"` // role -> permissions
}

type RBACManager 

type RBACManager struct {
	// contains filtered or unexported fields
}

func NewRBACManager 

func NewRBACManager(config *RBACManagerConfig, logger *slog.Logger) *RBACManager

func (*RBACManager) AssignRolesFromClaims 

func (r *RBACManager) AssignRolesFromClaims(ctx context.Context, userInfo *providers.UserInfo) error

func (*RBACManager) CheckAccess 

func (r *RBACManager) CheckAccess(ctx context.Context, request *AccessRequest) *AccessDecision

func (*RBACManager) CheckPermission 

func (r *RBACManager) CheckPermission(ctx context.Context, userID, permission string) bool

func (*RBACManager) CreatePermission 

func (r *RBACManager) CreatePermission(ctx context.Context, perm *Permission) error

func (*RBACManager) CreateRole 

func (r *RBACManager) CreateRole(ctx context.Context, role *Role) error

func (*RBACManager) DeleteRole 

func (r *RBACManager) DeleteRole(ctx context.Context, roleID string) error

func (*RBACManager) GetRBACStatus 

func (r *RBACManager) GetRBACStatus(ctx context.Context) map[string]interface{}

func (*RBACManager) GetRole 

func (r *RBACManager) GetRole(ctx context.Context, roleID string) (*Role, error)

func (*RBACManager) GetUserPermissions 

func (r *RBACManager) GetUserPermissions(ctx context.Context, userID string) []string

func (*RBACManager) GetUserRoles 

func (r *RBACManager) GetUserRoles(ctx context.Context, userID string) []string

func (*RBACManager) GrantRoleToUser 

func (r *RBACManager) GrantRoleToUser(ctx context.Context, userID, roleID string) error

func (*RBACManager) ListPermissions 

func (r *RBACManager) ListPermissions(ctx context.Context) []*Permission

func (*RBACManager) ListRoles 

func (r *RBACManager) ListRoles(ctx context.Context) []*Role

func (*RBACManager) RevokeRoleFromUser 

func (r *RBACManager) RevokeRoleFromUser(ctx context.Context, userID, roleID string) error

func (*RBACManager) UpdateRole 

func (r *RBACManager) UpdateRole(ctx context.Context, role *Role) error

type RBACManagerConfig 

type RBACManagerConfig struct {
	CacheTTL time.Duration `json:"cache_ttl"`

	EnableHierarchy bool `json:"enable_hierarchy"`

	DefaultDenyAll bool `json:"default_deny_all"`

	PolicyEvaluation string `json:"policy_evaluation"` // "first-applicable", "deny-overrides", "permit-overrides"

	MaxPolicyDepth int `json:"max_policy_depth"`

	EnableAuditLogging bool `json:"enable_audit_logging"`
}

type RBACManagerInterface 

type RBACManagerInterface interface {
	// Permission checking
	CheckPermission(ctx context.Context, userID, permission string) bool
	CheckPermissionLegacy(ctx context.Context, userID, resource, action string) (bool, error)
	CheckAccess(ctx context.Context, request *AccessRequest) *AccessDecision

	// Role management
	AssignRole(ctx context.Context, userID, role string) error
	AssignRoleToUser(ctx context.Context, userID, roleID string) error
	RevokeRole(ctx context.Context, userID, role string) error
	RevokeRoleFromUser(ctx context.Context, userID, roleID string) error

	// User queries
	GetUserRoles(ctx context.Context, userID string) []string
	GetUserPermissions(ctx context.Context, userID string) []string
	GetRolePermissions(ctx context.Context, role string) ([]string, error)

	// RBAC data management
	CreateRole(ctx context.Context, role interface{}) (interface{}, error)
	UpdateRole(ctx context.Context, role interface{}) error
	DeleteRole(ctx context.Context, roleID string) error
	ListRoles(ctx context.Context) interface{}
	GetRole(ctx context.Context, roleID string) (interface{}, error)

	CreatePermission(ctx context.Context, perm interface{}) (interface{}, error)
	ListPermissions(ctx context.Context) interface{}

	// Role assignment from claims
	AssignRolesFromClaims(ctx context.Context, userInfo *providers.UserInfo) error
}

type RBACMiddleware 

type RBACMiddleware struct {
	// contains filtered or unexported fields
}

RBACMiddleware provides role-based access control.

func NewRBACMiddleware 

func NewRBACMiddleware(config *RBACMiddlewareConfig) *RBACMiddleware

NewRBACMiddleware creates a new RBAC middleware.

func (*RBACMiddleware) Middleware 

func (m *RBACMiddleware) Middleware(next http.Handler) http.Handler

Middleware applies RBAC authorization.

type RBACMiddlewareConfig 

type RBACMiddlewareConfig struct {
	RBACManager       *RBACManager                                 `json:"-"`
	ResourceExtractor func(r *http.Request) string                 `json:"-"`
	ActionExtractor   func(r *http.Request) string                 `json:"-"`
	UserIDExtractor   func(r *http.Request) string                 `json:"-"`
	OnAccessDenied    func(w http.ResponseWriter, r *http.Request) `json:"-"`
}

RBACMiddlewareConfig represents RBAC middleware configuration.

type RateLimitConfig 

type RateLimitConfig struct {
	RequestsPerMinute int                                          `json:"requests_per_minute"`
	BurstSize         int                                          `json:"burst_size"`
	KeyGenerator      func(r *http.Request) string                 `json:"-"`
	OnLimitExceeded   func(w http.ResponseWriter, r *http.Request) `json:"-"`
}

RateLimitConfig represents rate limiting middleware configuration.

type RateLimitMiddleware 

type RateLimitMiddleware struct {
	// contains filtered or unexported fields
}

RateLimitMiddleware provides rate limiting functionality.

func NewRateLimitMiddleware 

func NewRateLimitMiddleware(config *RateLimitConfig) *RateLimitMiddleware

NewRateLimitMiddleware creates a new rate limit middleware.

func (*RateLimitMiddleware) Middleware 

func (m *RateLimitMiddleware) Middleware(next http.Handler) http.Handler

Middleware applies rate limiting.

type RequestLoggingConfig 

type RequestLoggingConfig struct {
	Logger           func(entry string) `json:"-"`
	LogHeaders       bool               `json:"log_headers"`
	LogBody          bool               `json:"log_body"`
	MaxBodySize      int                `json:"max_body_size"`
	SkipPaths        []string           `json:"skip_paths"`
	SensitiveHeaders []string           `json:"sensitive_headers"`
}

RequestLoggingConfig represents request logging middleware configuration.

type RequestLoggingMiddleware 

type RequestLoggingMiddleware struct {
	// contains filtered or unexported fields
}

RequestLoggingMiddleware logs HTTP requests.

func NewRequestLoggingMiddleware 

func NewRequestLoggingMiddleware(config *RequestLoggingConfig) *RequestLoggingMiddleware

NewRequestLoggingMiddleware creates a new request logging middleware.

func (*RequestLoggingMiddleware) Middleware 

func (m *RequestLoggingMiddleware) Middleware(next http.Handler) http.Handler

Middleware applies request logging.

type Role 

type Role struct {
	ID string `json:"id"`

	Name string `json:"name"`

	Description string `json:"description"`

	Permissions []string `json:"permissions"`

	Metadata map[string]string `json:"metadata,omitempty"`

	CreatedAt time.Time `json:"created_at"`

	UpdatedAt time.Time `json:"updated_at"`

	ParentRoles []string `json:"parent_roles,omitempty"`

	ChildRoles []string `json:"child_roles,omitempty"`
}

type RouteHandlers 

type RouteHandlers struct {
	ProcessIntent http.HandlerFunc

	Status http.HandlerFunc

	CircuitBreakerStatus http.HandlerFunc

	StreamingHandler http.HandlerFunc

	Metrics http.HandlerFunc
}

type SMSClient 

type SMSClient struct {
	// contains filtered or unexported fields
}

func NewSMSClient 

func NewSMSClient(config *SMSConfig) *SMSClient

func (*SMSClient) SendMFACode 

func (sc *SMSClient) SendMFACode(ctx context.Context, phoneNumber, code string) error

type SMSConfig 

type SMSConfig struct {
	Provider string `json:"provider"` // twilio, aws-sns, etc.

	APIKey string `json:"api_key"`

	APISecret string `json:"api_secret"`

	FromNumber string `json:"from_number"`

	Template string `json:"template"`
}

type SecurityHeadersConfig 

type SecurityHeadersConfig struct {
	ContentSecurityPolicy string            `json:"content_security_policy"`
	XFrameOptions         string            `json:"x_frame_options"`
	XContentTypeOptions   string            `json:"x_content_type_options"`
	ReferrerPolicy        string            `json:"referrer_policy"`
	HSTSMaxAge            int64             `json:"hsts_max_age"`
	HSTSIncludeSubdomains bool              `json:"hsts_include_subdomains"`
	HSTSPreload           bool              `json:"hsts_preload"`
	RemoveServerHeader    bool              `json:"remove_server_header"`
	CustomHeaders         map[string]string `json:"custom_headers"`
}

SecurityHeadersConfig represents security headers middleware configuration.

type SecurityHeadersMiddleware 

type SecurityHeadersMiddleware struct {
	// contains filtered or unexported fields
}

SecurityHeadersMiddleware adds security headers to responses.

func NewSecurityHeadersMiddleware 

func NewSecurityHeadersMiddleware(config *SecurityHeadersConfig) *SecurityHeadersMiddleware

NewSecurityHeadersMiddleware creates a new security headers middleware.

func (*SecurityHeadersMiddleware) Middleware 

func (m *SecurityHeadersMiddleware) Middleware(next http.Handler) http.Handler

Middleware applies security headers.

type SecurityManager 

type SecurityManager struct {
	// contains filtered or unexported fields
}

func NewSecurityManager 

func NewSecurityManager(csrfSecret []byte) *SecurityManager

func (*SecurityManager) GetCSRFManager 

func (sm *SecurityManager) GetCSRFManager() *CSRFManager

func (*SecurityManager) GetPKCEManager 

func (sm *SecurityManager) GetPKCEManager() *PKCEManager

type SecurityManagerConfig 

type SecurityManagerConfig struct {
	CSRFSecret []byte     `json:"csrf_secret"`
	PKCE       PKCEConfig `json:"pkce"`
	CSRF       CSRFConfig `json:"csrf"`
}

SecurityManagerConfig holds configuration for security manager

type Session 

type Session = UserSession

Session is an alias for UserSession to maintain compatibility

type SessionConfig 

type SessionConfig struct {
	SessionTimeout time.Duration `json:"session_timeout"`

	RefreshThreshold time.Duration `json:"refresh_threshold"`

	MaxSessions int `json:"max_sessions"`

	SecureCookies bool `json:"secure_cookies"`

	SameSiteCookies string `json:"same_site_cookies"`

	CookieDomain string `json:"cookie_domain"`

	CookiePath string `json:"cookie_path"`

	EnableSSO bool `json:"enable_sso"`

	SSODomain string `json:"sso_domain"`

	CrossDomainSSO bool `json:"cross_domain_sso"`

	EnableCSRF bool `json:"enable_csrf"`

	StateTimeout time.Duration `json:"state_timeout"`

	RequireHTTPS bool `json:"require_https"`

	CleanupInterval time.Duration `json:"cleanup_interval"`
}

type SessionData 

type SessionData struct {
	UserID string `json:"user_id"`

	Username string `json:"username"`

	Email string `json:"email"`

	DisplayName string `json:"display_name"`

	Provider string `json:"provider"`

	Groups []string `json:"groups"`

	Roles []string `json:"roles"`

	Metadata map[string]string `json:"metadata,omitempty"`
}

type SessionInfo 

type SessionInfo struct {
	ID string `json:"id"`

	UserID string `json:"user_id"`

	Provider string `json:"provider"`

	CreatedAt time.Time `json:"created_at"`

	LastActivity time.Time `json:"last_activity"`

	ExpiresAt time.Time `json:"expires_at"`

	IPAddress string `json:"ip_address"`

	UserAgent string `json:"user_agent"`

	Roles []string `json:"roles"`

	SSOEnabled bool `json:"sso_enabled"`

	UserInfo *providers.UserInfo `json:"user_info,omitempty"`
}

type SessionManager 

type SessionManager struct {
	// contains filtered or unexported fields
}

func NewSessionManager 

func NewSessionManager(config *SessionConfig, jwtManager *JWTManager, rbacManager *RBACManager, logger *slog.Logger) *SessionManager

func (*SessionManager) ClearSessionCookie 

func (sm *SessionManager) ClearSessionCookie(w http.ResponseWriter)

func (*SessionManager) CreateSession 

func (sm *SessionManager) CreateSession(ctx context.Context, data *SessionData) (*UserSession, error)

func (*SessionManager) GetSession 

func (sm *SessionManager) GetSession(ctx context.Context, sessionID string) (*UserSession, error)

func (*SessionManager) GetSessionMetrics 

func (sm *SessionManager) GetSessionMetrics(ctx context.Context) map[string]interface{}

func (*SessionManager) HandleCallback 

func (sm *SessionManager) HandleCallback(ctx context.Context, request *CallbackRequest) (*CallbackResponse, error)

func (*SessionManager) InitiateLogin 

func (sm *SessionManager) InitiateLogin(ctx context.Context, request *LoginRequest) (*LoginResponse, error)

func (*SessionManager) InvalidateSession 

func (sm *SessionManager) InvalidateSession(ctx context.Context, sessionID string) error

func (*SessionManager) ListUserSessions 

func (sm *SessionManager) ListUserSessions(ctx context.Context, userID string) ([]*SessionInfo, error)

func (*SessionManager) RefreshSession 

func (sm *SessionManager) RefreshSession(ctx context.Context, sessionID string) error

func (*SessionManager) RegisterProvider 

func (sm *SessionManager) RegisterProvider(provider providers.OAuthProvider)

func (*SessionManager) RevokeSession 

func (sm *SessionManager) RevokeSession(ctx context.Context, sessionID string) error

func (*SessionManager) RevokeUserSessions 

func (sm *SessionManager) RevokeUserSessions(ctx context.Context, userID string) error

func (*SessionManager) SetSessionCookie 

func (sm *SessionManager) SetSessionCookie(w http.ResponseWriter, sessionID string)

func (*SessionManager) ValidateSession 

func (sm *SessionManager) ValidateSession(ctx context.Context, sessionID string) (*SessionInfo, error)

type SessionManagerInterface 

type SessionManagerInterface interface {
	CreateSession(ctx context.Context, userInfo *providers.UserInfo, metadata ...map[string]interface{}) (interface{}, error)

	GetSession(ctx context.Context, sessionID string) (interface{}, error)

	UpdateSession(ctx context.Context, sessionID string, updates map[string]interface{}) error

	DeleteSession(ctx context.Context, sessionID string) error

	ListUserSessions(ctx context.Context, userID string) (interface{}, error)

	SetSessionCookie(w http.ResponseWriter, sessionID string)

	GetSessionFromRequest(r *http.Request) (interface{}, error)

	Close()
}

type State 

type State struct {
	State string `json:"state"`

	Provider string `json:"provider"`

	RedirectURI string `json:"redirect_uri"`

	PKCEChallenge *providers.PKCEChallenge `json:"pkce_challenge,omitempty"`

	CreatedAt time.Time `json:"created_at"`

	ExpiresAt time.Time `json:"expires_at"`

	IPAddress string `json:"ip_address"`

	UserAgent string `json:"user_agent"`

	CustomParams map[string]string `json:"custom_params,omitempty"`
}

type TokenBlacklist 

type TokenBlacklist interface {
	BlacklistToken(ctx context.Context, tokenID string, expiresAt time.Time) error

	IsTokenBlacklisted(ctx context.Context, tokenID string) (bool, error)

	CleanupExpired(ctx context.Context) error
}

type TokenBlacklistManager 

type TokenBlacklistManager struct {
	// contains filtered or unexported fields
}

func NewTokenBlacklistManager 

func NewTokenBlacklistManager(config *BlacklistConfig) (*TokenBlacklistManager, error)

func (*TokenBlacklistManager) BlacklistAllUserTokens 

func (tb *TokenBlacklistManager) BlacklistAllUserTokens(ctx context.Context, userID, reason string) error

func (*TokenBlacklistManager) BlacklistToken 

func (tb *TokenBlacklistManager) BlacklistToken(ctx context.Context, token, userID, reason, ipAddress, userAgent string, expiresAt time.Time) error

func (*TokenBlacklistManager) CleanupExpiredTokens 

func (tb *TokenBlacklistManager) CleanupExpiredTokens(ctx context.Context) error

func (*TokenBlacklistManager) Close 

func (tb *TokenBlacklistManager) Close() error

func (*TokenBlacklistManager) GetBlacklistEntry 

func (tb *TokenBlacklistManager) GetBlacklistEntry(ctx context.Context, token string) (*BlacklistEntry, error)

func (*TokenBlacklistManager) GetBlacklistStats 

func (tb *TokenBlacklistManager) GetBlacklistStats(ctx context.Context) (*BlacklistMetrics, error)

func (*TokenBlacklistManager) IsBlacklisted 

func (tb *TokenBlacklistManager) IsBlacklisted(ctx context.Context, token string) (bool, error)

type TokenInfo 

type TokenInfo struct {
	TokenID string `json:"token_id"`

	UserID string `json:"user_id"`

	SessionID string `json:"session_id"`

	TokenType string `json:"token_type"` // "access" or "refresh"

	IssuedAt time.Time `json:"issued_at"`

	ExpiresAt time.Time `json:"expires_at"`

	Provider string `json:"provider"`

	Scope string `json:"scope,omitempty"`

	IPAddress string `json:"ip_address,omitempty"`

	UserAgent string `json:"user_agent,omitempty"`

	Attributes json.RawMessage `json:"attributes,omitempty"`

	LastUsed time.Time `json:"last_used"`

	UseCount int64 `json:"use_count"`
}

type TokenOption 

type TokenOption func(*TokenOptions)

func WithIPAddress 

func WithIPAddress(ip string) TokenOption

func WithScope 

func WithScope(scope string) TokenOption

func WithTTL 

func WithTTL(ttl time.Duration) TokenOption

func WithUserAgent 

func WithUserAgent(ua string) TokenOption

type TokenOptions 

type TokenOptions struct {
	TTL time.Duration

	Scope string

	IPAddress string

	UserAgent string
}

type TokenResponse 

type TokenResponse struct {
	AccessToken string `json:"access_token"`

	RefreshToken string `json:"refresh_token,omitempty"`

	TokenType string `json:"token_type"`

	ExpiresIn int64 `json:"expires_in"`

	Scope string `json:"scope,omitempty"`

	IssuedAt time.Time `json:"issued_at"`
}

type TokenStore 

type TokenStore interface {
	StoreToken(ctx context.Context, tokenID string, token *TokenInfo) error

	GetToken(ctx context.Context, tokenID string) (*TokenInfo, error)

	UpdateToken(ctx context.Context, tokenID string, token *TokenInfo) error

	DeleteToken(ctx context.Context, tokenID string) error

	ListUserTokens(ctx context.Context, userID string) ([]*TokenInfo, error)

	CleanupExpired(ctx context.Context) error
}

type UserContext 

type UserContext struct {
	UserID      string          `json:"user_id"`
	SessionID   string          `json:"session_id"`
	Provider    string          `json:"provider"`
	Roles       []string        `json:"roles"`
	Permissions []string        `json:"permissions"`
	IsAdmin     bool            `json:"is_admin"`
	Attributes  json.RawMessage `json:"attributes"`
}

UserContext represents user context information passed in requests.

type UserInfo 

type UserInfo struct {
	Subject string `json:"sub"`

	Email string `json:"email"`

	EmailVerified bool `json:"email_verified"`

	Name string `json:"name"`

	PreferredName string `json:"preferred_username"`

	Groups []string `json:"groups"`

	Roles []string `json:"roles"`
}

type UserSession 

type UserSession struct {
	ID string `json:"id"`

	UserID string `json:"user_id"`

	UserInfo *providers.UserInfo `json:"user_info"`

	Provider string `json:"provider"`

	AccessToken string `json:"access_token"`

	RefreshToken string `json:"refresh_token"`

	IDToken string `json:"id_token,omitempty"`

	CreatedAt time.Time `json:"created_at"`

	LastActivity time.Time `json:"last_activity"`

	ExpiresAt time.Time `json:"expires_at"`

	IPAddress string `json:"ip_address"`

	UserAgent string `json:"user_agent"`

	Roles []string `json:"roles"`

	Permissions []string `json:"permissions"`

	Attributes json.RawMessage `json:"attributes,omitempty"`

	SSOEnabled bool `json:"sso_enabled"`

	LinkedSessions map[string]string `json:"linked_sessions,omitempty"` // provider -> session_id

	CSRFToken string `json:"csrf_token"`

	SecureContext bool `json:"secure_context"`
}

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.