Overview ¶
Package auth provides authentication utilities for integration providers including token extraction, HTTP client builders, and credential helpers.
Index ¶
- Constants
- Variables
- func APITokenFromPayload(payload types.CredentialPayload) (string, error)
- func BuildAPITokenCredentialPayload(provider types.ProviderType, token string, providerData map[string]any, ...) (types.CredentialPayload, error)
- func BuildAWSConfig(ctx context.Context, region string, creds AWSCredentials, assume AWSAssumeRole) (aws.Config, error)
- func BuildCredentialPayload(provider types.ProviderType, opts ...types.CredentialOption) (types.CredentialPayload, error)
- func BuildOAuthCredentialPayload(provider types.ProviderType, token *oauth2.Token, claims *oidc.IDTokenClaims, ...) (types.CredentialPayload, error)
- func CloneMetadata(data map[string]any) map[string]any
- func DecodeProviderData(config map[string]any, target any) error
- func DefaultClientDescriptor(provider types.ProviderType, name types.ClientName, description string, ...) types.ClientDescriptor
- func DefaultClientDescriptors(provider types.ProviderType, name types.ClientName, description string, ...) []types.ClientDescriptor
- func ExtractMetadata[T any](payload types.CredentialPayload) (T, error)
- func GetJSONWithClient(ctx context.Context, client *AuthenticatedClient, endpoint string, ...) error
- func HTTPGetJSON(ctx context.Context, client *http.Client, url string, bearer string, ...) error
- func HTTPPostJSON(ctx context.Context, client *http.Client, url string, bearer string, ...) error
- func NormalizeServiceAccountKey(value string) string
- func OAuthTokenFromPayload(payload types.CredentialPayload) (string, error)
- func ParseDuration(value string) time.Duration
- func PersistMetadata[T any](base map[string]any, meta T) (map[string]any, error)
- func TokenClientBuilder(extract TokenExtractor, headers map[string]string) types.ClientBuilderFunc
- type AWSAssumeRole
- type AWSCredentials
- type AWSMetadata
- type AuthenticatedClient
- type HTTPRequestError
- type TokenExtractor
Constants ¶
const (
	// AWSAccountScopeAll indicates operations should run across all accessible accounts.
	// This is the broader of the two values AWSMetadata.AccountScope is documented to carry.
	AWSAccountScopeAll = "all"
	// AWSAccountScopeSpecific indicates operations should be limited to explicitly listed accounts
	// (the list is expected in AWSMetadata.AccountIDs).
	AWSAccountScopeSpecific = "specific"
)
Variables ¶
var (
	// ErrOAuthTokenMissing indicates the OAuth token is not present in the credential payload.
	ErrOAuthTokenMissing = errors.New("auth: oauth token missing")
	// ErrAccessTokenEmpty indicates the access token field is empty.
	ErrAccessTokenEmpty = errors.New("auth: access token empty")
	// ErrAPITokenMissing indicates the API token is not present in the credential payload.
	ErrAPITokenMissing = errors.New("auth: api token missing")
	// ErrHTTPRequestFailed indicates an HTTP request returned a non-2xx status.
	// Match it with errors.Is; use errors.As with *HTTPRequestError to reach the
	// URL, status and body. NOTE(review): presumably this is the sentinel that
	// HTTPRequestError.Unwrap returns — confirm against the implementation.
	ErrHTTPRequestFailed = errors.New("auth: http request failed")
	// ErrDecodeProviderDataTargetNil indicates provider data decoding target is nil.
	ErrDecodeProviderDataTargetNil = errors.New("auth: decode provider data target is nil")
)
Functions ¶
func APITokenFromPayload ¶
func APITokenFromPayload(payload types.CredentialPayload) (string, error)
APITokenFromPayload extracts a raw API token from the credential payload.
func BuildAPITokenCredentialPayload ¶ added in v1.0.13
func BuildAPITokenCredentialPayload(provider types.ProviderType, token string, providerData map[string]any, opts ...types.CredentialOption) (types.CredentialPayload, error)
BuildAPITokenCredentialPayload builds a normalized API token credential payload.
func BuildAWSConfig ¶
func BuildAWSConfig(ctx context.Context, region string, creds AWSCredentials, assume AWSAssumeRole) (aws.Config, error)
BuildAWSConfig constructs an AWS SDK config with optional static and assumed credentials. When the assumed role's trust policy requires an external ID (the usual confused-deputy mitigation for cross-account roles), callers must populate assume.ExternalID; the signature shows nothing that enforces this.
func BuildCredentialPayload ¶ added in v1.0.13
func BuildCredentialPayload(provider types.ProviderType, opts ...types.CredentialOption) (types.CredentialPayload, error)
BuildCredentialPayload constructs a credential payload from variadic credential options.
func BuildOAuthCredentialPayload ¶ added in v1.0.13
func BuildOAuthCredentialPayload(provider types.ProviderType, token *oauth2.Token, claims *oidc.IDTokenClaims, opts ...types.CredentialOption) (types.CredentialPayload, error)
BuildOAuthCredentialPayload builds a normalized OAuth credential payload.
func CloneMetadata ¶
CloneMetadata creates a shallow copy of provider metadata, returning an empty map if nil. Because the copy is shallow, nested maps and slices are still shared with the original; mutating them through the clone mutates the source.
func DecodeProviderData ¶
DecodeProviderData decodes provider metadata into the target struct without failing on unknown keys. Unknown keys are silently dropped, so a misspelled key leaves the corresponding field at its zero value; callers that depend on a field (for example a role ARN or external ID) should validate it after decoding.
func DefaultClientDescriptor ¶
func DefaultClientDescriptor(provider types.ProviderType, name types.ClientName, description string, build types.ClientBuilderFunc) types.ClientDescriptor
DefaultClientDescriptor returns a descriptor with a default object config schema.
func DefaultClientDescriptors ¶
func DefaultClientDescriptors(provider types.ProviderType, name types.ClientName, description string, build types.ClientBuilderFunc) []types.ClientDescriptor
DefaultClientDescriptors returns a single-descriptor slice with a default object config schema.
func ExtractMetadata ¶
func ExtractMetadata[T any](payload types.CredentialPayload) (T, error)
ExtractMetadata decodes provider metadata from a credential payload into the target type.
func GetJSONWithClient ¶
func GetJSONWithClient(ctx context.Context, client *AuthenticatedClient, endpoint string, bearer string, headers map[string]string, out any) error
GetJSONWithClient uses the authenticated client when available, otherwise falls back to HTTPGetJSON with the supplied bearer token and headers.
func HTTPGetJSON ¶
func HTTPGetJSON(ctx context.Context, client *http.Client, url string, bearer string, headers map[string]string, out any) error
HTTPGetJSON issues a GET request with the provided bearer token and decodes JSON responses. The token is attached to whatever URL is passed, so the URL must come from trusted configuration, never from user-controlled input, or the credential can be sent to an attacker-controlled host.
func HTTPPostJSON ¶
func HTTPPostJSON(ctx context.Context, client *http.Client, url string, bearer string, headers map[string]string, body any, out any) error
HTTPPostJSON issues a POST request with the provided bearer token and JSON body, then decodes JSON responses. As with HTTPGetJSON, the token is attached to whatever URL is passed, so the URL must come from trusted configuration rather than user-controlled input.
func NormalizeServiceAccountKey ¶
NormalizeServiceAccountKey trims and unwraps JSON-encoded service account keys. The input and output are secret key material and should not be logged or included in error messages.
func OAuthTokenFromPayload ¶
func OAuthTokenFromPayload(payload types.CredentialPayload) (string, error)
OAuthTokenFromPayload extracts a usable access token from the credential payload.
func ParseDuration ¶
ParseDuration returns a parsed duration or zero when invalid. Because an invalid value is indistinguishable from an absent one, callers should treat zero as "unset" and apply their own default rather than passing it through as a session duration.
func PersistMetadata ¶ added in v1.0.10
PersistMetadata merges the JSON-tagged fields of meta into a clone of base. Fields tagged with omitempty are excluded when zero-valued.
func TokenClientBuilder ¶ added in v1.0.13
func TokenClientBuilder(extract TokenExtractor, headers map[string]string) types.ClientBuilderFunc
TokenClientBuilder returns a ClientBuilderFunc that extracts a token and creates an AuthenticatedClient.
Types ¶
type AWSAssumeRole ¶
// AWSAssumeRole captures the optional STS assume-role settings. A zero value
// requests no role assumption. Nothing here enforces that ExternalID is set;
// callers must supply it when the target role's trust policy requires one.
type AWSAssumeRole struct {
	// RoleARN is the ARN of the role to assume.
	RoleARN string
	// ExternalID is the external ID for role assumption. For cross-account
	// roles this is the standard confused-deputy mitigation; it must match the
	// condition in the role's trust policy.
	ExternalID string
	// SessionName is the name for the session. It is visible in the assumed
	// role's audit trail, so keep it stable and meaningful.
	SessionName string
	// SessionDuration is the duration for the session. NOTE(review): how a
	// zero value is handled (SDK default vs. rejection) is not visible here —
	// confirm in BuildAWSConfig.
	SessionDuration time.Duration
}
AWSAssumeRole captures the optional STS assume-role settings. ExternalID should be set whenever the target role's trust policy requires one.
type AWSCredentials ¶
// AWSCredentials captures static AWS access key credentials. Every field is a
// secret: never log the struct, format it with %v/%+v, or embed it in errors.
type AWSCredentials struct {
	// AccessKeyID is the AWS access key ID.
	AccessKeyID string
	// SecretAccessKey is the AWS secret access key.
	SecretAccessKey string
	// SessionToken is the AWS session token. It accompanies temporary
	// credentials (e.g. from STS) and is empty for long-lived keys.
	SessionToken string
}
AWSCredentials captures static AWS access key credentials. All fields are secrets and must not be logged or embedded in error messages.
func AWSCredentialsFromPayload ¶
func AWSCredentialsFromPayload(payload types.CredentialPayload) AWSCredentials
AWSCredentialsFromPayload extracts access keys from payload credentials with metadata fallback. Because of the fallback, provider metadata may itself carry secret keys and should be handled (stored, logged, cloned) with the same care as the credential payload.
type AWSMetadata ¶
// AWSMetadata captures common AWS configuration fields stored in provider
// metadata. Fields are populated by AWSMetadataFromProviderData; unknown keys
// in the source map are ignored, so required values should be validated by
// the caller after decoding.
type AWSMetadata struct {
	// Region is the AWS region for API calls.
	Region string
	// HomeRegion is the Security Hub home region for aggregated queries.
	HomeRegion string
	// LinkedRegions optionally limits queries to the listed regions.
	LinkedRegions []string
	// OrganizationID is the AWS Organizations identifier associated with this integration.
	OrganizationID string
	// AccountScope controls whether queries should use all accounts or a
	// provided subset; expected values are AWSAccountScopeAll and
	// AWSAccountScopeSpecific.
	AccountScope string
	// AccountIDs optionally scopes collection to specific AWS account IDs
	// (used together with AWSAccountScopeSpecific).
	AccountIDs []string
	// RoleARN is the ARN of the role to assume.
	RoleARN string
	// AccountID is the AWS account ID.
	AccountID string
	// ExternalID is the external ID for role assumption; required whenever the
	// role's trust policy demands one (confused-deputy mitigation).
	ExternalID string
	// SessionName is the name for the session. AWSMetadataFromProviderData
	// fills in a default when it is absent.
	SessionName string
	// SessionDuration is the duration for the session.
	SessionDuration time.Duration
}
AWSMetadata captures common AWS configuration fields stored in provider metadata.
func AWSMetadataFromProviderData ¶
func AWSMetadataFromProviderData(meta map[string]any, defaultSessionName string) (AWSMetadata, error)
AWSMetadataFromProviderData normalizes AWS metadata, applying defaultSessionName when no session name is present.
type AuthenticatedClient ¶
// AuthenticatedClient wraps a bearer token and headers for simple HTTP JSON
// calls. Both fields can carry secrets (the token, and API keys placed in
// Headers), so values of this type should not be logged or formatted verbatim.
type AuthenticatedClient struct {
	// BearerToken is the optional bearer token for Authorization headers.
	BearerToken string
	// Headers contains additional static headers for each request. Construct
	// via NewAuthenticatedClient to get a cloned map rather than aliasing the
	// caller's; a header here could otherwise be changed after the fact.
	Headers map[string]string
}
AuthenticatedClient wraps a bearer token and headers for simple HTTP JSON calls. Both may hold secrets and should not be logged.
func AuthenticatedClientFromAny ¶
func AuthenticatedClientFromAny(value any) *AuthenticatedClient
AuthenticatedClientFromAny attempts to unwrap an AuthenticatedClient from an arbitrary value; when the value does not hold one it presumably returns nil, so callers must nil-check the result.
func ClientAndToken ¶ added in v1.0.13
func ClientAndToken(input types.OperationInput, extract TokenExtractor) (*AuthenticatedClient, string, error)
ClientAndToken returns the optional authenticated client and extracted token.
func NewAuthenticatedClient ¶
func NewAuthenticatedClient(bearerToken string, headers map[string]string) *AuthenticatedClient
NewAuthenticatedClient builds an AuthenticatedClient with a cloned header map, so later changes to the caller's map do not affect the client.
type HTTPRequestError ¶
// HTTPRequestError captures metadata for failed HTTP requests. URL and Body
// can contain sensitive material (query-string secrets, echoed tokens, error
// details from an identity provider); redact before logging or surfacing to
// end users.
type HTTPRequestError struct {
	// URL is the URL that was requested (including any query string).
	URL string
	// Status is the HTTP status text returned by the request.
	Status string
	// StatusCode is the HTTP status code returned by the request.
	StatusCode int
	// Body is the response body returned by the request, if any. NOTE(review):
	// whether Error() includes this text is not visible here — confirm before
	// assuming error strings are safe to log.
	Body string
}
HTTPRequestError captures metadata for failed HTTP requests. URL and Body may contain sensitive data (query-string secrets, provider error details); redact them before logging or returning them to users.
func (*HTTPRequestError) Error ¶
func (e *HTTPRequestError) Error() string
Error returns a formatted error message for the HTTP request failure. Whether the message includes the response body is not stated here; assume it may until confirmed, and avoid logging it unredacted.
func (*HTTPRequestError) Unwrap ¶
func (e *HTTPRequestError) Unwrap() error
Unwrap returns the sentinel the error wraps (presumably ErrHTTPRequestFailed) so that errors.Is can match it and errors.As can still retrieve the *HTTPRequestError.
type TokenExtractor ¶ added in v1.0.13
type TokenExtractor func(types.CredentialPayload) (string, error)
TokenExtractor extracts a token string from a credential payload.