Overview ¶
Package config provides application configuration loading, validation, and access. Configuration is loaded from file (YAML) and environment variables via Viper, then validated and stored for concurrency-safe access via GetCurrent.
Index ¶
- Constants
- Variables
- func IsValidFIPSMode(mode FIPSMode) bool
- func SetCurrent(cfg *Config)
- func ValidateGitHubApps(apps []GitHubAppConfig) error
- type AllowedDays
- type AuditBackendType
- type AuditConfig
- type AuditDynamoDBConfig
- type AuditSQLConfig
- type Config
- type FIPSConfig
- type FIPSMode
- type GitHubAppConfig
- type HourRange
- type LoggerConfig
- type OIDCConfig
- type OTelConfig
- type OriginConfig
- type PolicyConfig
- type ProviderConfig
- type RedisConfig
- type SelectorConfig
- type SelectorDynamoDBConfig
- type SelectorStoreType
- type ServerConfig
- type TLSConfig
- type TimeRestriction
Constants ¶
// Viper keys for the "audit" section.
const (
	// KeyAuditBackend is the Viper key for the audit backend type (sql or dynamodb).
	KeyAuditBackend = "audit.backend"
	// KeyAuditDynamoDBTableName is the Viper key for the DynamoDB audit table name.
	KeyAuditDynamoDBTableName = "audit.dynamodb.table_name"
	// KeyAuditDynamoDBTTLDays is the Viper key for DynamoDB audit entry TTL in days.
	KeyAuditDynamoDBTTLDays = "audit.dynamodb.ttl_days"
	// KeyAuditSQLDSN is the Viper key for the SQL audit connection DSN.
	// The DSN is a secret-bearing value; AuditSQLConfig.DSN carries json:"-" for that reason.
	KeyAuditSQLDSN = "audit.sql.dsn"
)
// Defaults and limits for the DynamoDB audit backend.
const (
	// DefaultDynamoDBTableName is the default DynamoDB table name for audit logs.
	DefaultDynamoDBTableName = "audit_logs"
	// DefaultDynamoDBTTLDays is the default TTL in days for DynamoDB audit entries.
	// 90 days provides sufficient audit history for compliance while managing storage costs.
	DefaultDynamoDBTTLDays = 90
	// MaxDynamoDBTTLDays is the maximum allowed TTL in days for DynamoDB audit entries.
	// Validation accepts [0, MaxDynamoDBTTLDays] (see ErrInvalidDynamoDBTTLDays);
	// what a value of 0 means for expiry is not defined here — confirm in the backend.
	MaxDynamoDBTTLDays = 365
)
// Config file location and miscellaneous top-level keys.
const (
	// ConfigRootLinux is the default config directory root on Linux.
	ConfigRootLinux = "/etc/"
	// ConfigRootWindows is the default config directory root on Windows.
	ConfigRootWindows = "C:\\ProgramData\\"
	// ConfigRootDarwin is the default config directory root on macOS.
	ConfigRootDarwin = "/Library/Application Support/"
	// ConfigFileName is the base name of the config file (without extension).
	ConfigFileName = "config"
	// ConfigFileExtension is the config file extension used by Viper.
	ConfigFileExtension = "yaml"
	// KeyAWSRegion is the Viper key for the AWS region setting.
	KeyAWSRegion = "aws_region"
)
// Viper keys for the "fips" section.
const (
	// KeyFIPSEnabled is the Viper key for enabling FIPS 140 mode.
	KeyFIPSEnabled = "fips.enabled"
	// KeyFIPSMode is the Viper key for the FIPS mode (on or only).
	KeyFIPSMode = "fips.mode"
)
// Viper keys for the "logger" section.
const (
	// KeyLoggerLevel is the Viper key for the log level.
	KeyLoggerLevel = "logger.level"
	// KeyLoggerFormat is the Viper key for the log format (e.g. json, text).
	KeyLoggerFormat = "logger.format"
)
// Viper key and default for the "oidc" section.
const (
	// KeyOIDCAudience is the Viper key for the OIDC token audience.
	KeyOIDCAudience = "oidc.audience"
	// DefaultOIDCAudience is the default audience value when not set.
	DefaultOIDCAudience = "gate"
)
// Viper keys for the "origin" section (shared-secret header verification).
const (
	// KeyOriginEnabled is the Viper key for enabling origin verification.
	KeyOriginEnabled = "origin.enabled"
	// KeyOriginHeaderName is the Viper key for the origin verification header name.
	KeyOriginHeaderName = "origin.header_name"
	// KeyOriginHeaderValue is the Viper key for the expected origin verification header value.
	// This value acts as a shared secret; treat it like a credential when sourcing it.
	KeyOriginHeaderValue = "origin.header_value"
)
// Viper keys and defaults for the "otel" section.
const (
	// KeyOTelEnabled is the Viper key for enabling the OpenTelemetry pipeline.
	KeyOTelEnabled = "otel.enabled"
	// KeyOTelServiceName is the Viper key for the OTel service.name resource attribute.
	KeyOTelServiceName = "otel.service_name"
	// KeyOTelEndpoint is the Viper key for the OTLP/gRPC collector endpoint.
	KeyOTelEndpoint = "otel.endpoint"
	// KeyOTelProtocol is the Viper key for the OTLP transport protocol (only "grpc" is supported).
	KeyOTelProtocol = "otel.protocol"
	// KeyOTelInsecure is the Viper key for disabling TLS on the OTLP/gRPC connection.
	KeyOTelInsecure = "otel.insecure"
	// KeyOTelSampleRate is the Viper key for the trace sampler ratio (0.0-1.0).
	KeyOTelSampleRate = "otel.sample_rate"
	// KeyOTelExporterTimeout is the Viper key for the OTLP exporter timeout.
	KeyOTelExporterTimeout = "otel.exporter_timeout"
	// DefaultOTelServiceName is the default service.name when not set.
	DefaultOTelServiceName = "gate"
	// DefaultOTelEndpoint is the default OTLP/gRPC collector endpoint.
	DefaultOTelEndpoint = "localhost:4317"
	// DefaultOTelProtocol is the only supported OTLP transport.
	DefaultOTelProtocol = "grpc"
	// DefaultOTelInsecure requires explicit opt-in to plaintext connections.
	// Keep this false: a plaintext OTLP link exposes trace payloads in transit.
	DefaultOTelInsecure = false
	// DefaultOTelSampleRate is the default trace sampler ratio.
	DefaultOTelSampleRate = 1.0
	// DefaultOTelExporterTimeout is the default OTLP exporter timeout.
	DefaultOTelExporterTimeout = 10 * time.Second
)
// Viper keys and defaults for the "policy" section.
const (
	// KeyPolicyVersion is the Viper key for the policy schema version.
	KeyPolicyVersion = "policy.version"
	// KeyPolicyTrustPolicyPath is the Viper key for the trust policy file path.
	KeyPolicyTrustPolicyPath = "policy.trust_policy_path"
	// KeyPolicyDefaultTokenTTL is the Viper key for the default token TTL in seconds.
	KeyPolicyDefaultTokenTTL = "policy.default_token_ttl"
	// KeyPolicyMaxTokenTTL is the Viper key for the maximum token TTL in seconds.
	KeyPolicyMaxTokenTTL = "policy.max_token_ttl"
	// KeyPolicyRequireExplicitPolicy is the Viper key for requiring an explicit matching policy.
	KeyPolicyRequireExplicitPolicy = "policy.require_explicit_policy"
	// KeyPolicyGitHubAPIBaseURL is the Viper key for the GitHub API base URL.
	KeyPolicyGitHubAPIBaseURL = "policy.github_api_base_url"
	// KeyPolicyGitHubRawBaseURL is the Viper key for the GitHub raw content base URL.
	KeyPolicyGitHubRawBaseURL = "policy.github_raw_base_url"
	// KeyPolicyProviders is the Viper key for the OIDC provider list.
	KeyPolicyProviders = "policy.providers"
	// KeyPolicyMaxPermissions is the Viper key for the maximum allowed permissions map.
	KeyPolicyMaxPermissions = "policy.max_permissions"
	// DefaultPolicyVersion is the default policy schema version.
	DefaultPolicyVersion = "1.0"
	// DefaultPolicyDefaultTokenTTL is the default token TTL in seconds.
	DefaultPolicyDefaultTokenTTL = 900
	// DefaultPolicyMaxTokenTTL is the default maximum token TTL in seconds.
	// Validation requires default_token_ttl <= max_token_ttl (ErrDefaultTTLExceedsMax).
	DefaultPolicyMaxTokenTTL = 3600
	// DefaultGitHubAPIBaseURL is the default GitHub API base URL.
	DefaultGitHubAPIBaseURL = "https://api.github.com"
	// DefaultGitHubRawBaseURL is the default GitHub raw content base URL.
	DefaultGitHubRawBaseURL = "https://raw.githubusercontent.com"
)
// Viper keys for the "selector" section.
const (
	// KeySelectorType is the Viper key for the selector store type (memory, redis, or dynamodb).
	KeySelectorType = "selector.type"
	// KeySelectorRedisAddress is the Viper key for the Redis server address.
	KeySelectorRedisAddress = "selector.redis.address"
	// KeySelectorRedisPassword is the Viper key for the Redis password.
	KeySelectorRedisPassword = "selector.redis.password" // #nosec G101 -- config key name, not a credential
	// KeySelectorRedisDB is the Viper key for the Redis database index.
	KeySelectorRedisDB = "selector.redis.db"
	// KeySelectorRedisTLS is the Viper key for enabling TLS to Redis.
	KeySelectorRedisTLS = "selector.redis.tls"
	// KeySelectorDynamoDBTableName is the Viper key for the selector DynamoDB table name.
	KeySelectorDynamoDBTableName = "selector.dynamodb.table_name"
	// KeySelectorDynamoDBTTLMinutes is the Viper key for selector DynamoDB entry TTL in minutes.
	KeySelectorDynamoDBTTLMinutes = "selector.dynamodb.ttl_minutes"
)
// Defaults for the selector store.
const (
	// DefaultSelectorStoreType is the default selector store when type is not set (in-memory).
	DefaultSelectorStoreType = SelectorStoreTypeMemory
	// DefaultRedisDB is the default Redis database index when not set.
	// 0 is a valid index; validation only rejects negative values (ErrInvalidRedisDB).
	DefaultRedisDB = 0
)
// Viper keys and defaults for the "server" section.
const (
	// KeyServerPort is the Viper key for the server listen port.
	KeyServerPort = "server.port"
	// KeyServerReadTimeout is the Viper key for the HTTP read timeout.
	KeyServerReadTimeout = "server.read_timeout"
	// KeyServerWriteTimeout is the Viper key for the HTTP write timeout.
	KeyServerWriteTimeout = "server.write_timeout"
	// KeyServerShutdownTimeout is the Viper key for the server shutdown timeout.
	KeyServerShutdownTimeout = "server.shutdown_timeout"
	// KeyServerRequestTimeout is the Viper key for the per-request timeout.
	KeyServerRequestTimeout = "server.request_timeout"
	// KeyServerIdleTimeout is the Viper key for the HTTP idle (keep-alive) timeout.
	KeyServerIdleTimeout = "server.idle_timeout"
	// KeyServerWaitTimeout is the Viper key for the graceful shutdown wait timeout.
	KeyServerWaitTimeout = "server.wait_timeout"
	// KeyServerTLSCertFilePath is the Viper key for the TLS certificate file path.
	KeyServerTLSCertFilePath = "server.tls.cert_file_path"
	// KeyServerTLSKeyFilePath is the Viper key for the TLS private key file path.
	KeyServerTLSKeyFilePath = "server.tls.key_file_path"
	// DefaultServerPort is the default HTTP listen port.
	DefaultServerPort = 8080
	// DefaultServerReadTimeout is the default HTTP read timeout.
	DefaultServerReadTimeout = 30 * time.Second
	// DefaultServerWriteTimeout is the default HTTP write timeout.
	DefaultServerWriteTimeout = 30 * time.Second
	// DefaultServerShutdownTimeout is the default server shutdown timeout.
	DefaultServerShutdownTimeout = 10 * time.Second
	// DefaultServerRequestTimeout is the default per-request timeout.
	DefaultServerRequestTimeout = 30 * time.Second
	// DefaultServerIdleTimeout is the default HTTP idle timeout.
	DefaultServerIdleTimeout = 10 * time.Second
	// DefaultServerWaitTimeout is the default graceful shutdown wait duration.
	DefaultServerWaitTimeout = 10 * time.Second
)
const (
	// MaxSelectorDynamoDBTTLMinutes is the maximum TTL in minutes
	// for selector DynamoDB entries (24 hours). Validation accepts
	// [0, MaxSelectorDynamoDBTTLMinutes] (see ErrInvalidSelectorDynamoDBTTL).
	MaxSelectorDynamoDBTTLMinutes = 1440
)
Variables ¶
// Sentinel errors returned by AuditConfig and its sub-config Validate methods.
var (
	// ErrInvalidAuditBackendType is returned when the audit backend is not "sql" or "dynamodb".
	ErrInvalidAuditBackendType = errors.New("invalid audit backend type")
	// ErrInvalidSQLDSN is returned when the SQL DSN is empty.
	ErrInvalidSQLDSN = errors.New("SQL DSN is required")
	// ErrInvalidSQLConfig is returned when the audit backend is sql but sql config is missing.
	ErrInvalidSQLConfig = errors.New("sql config is required")
	// ErrInvalidDynamoDBConfig is returned when the audit backend is
	// dynamodb but dynamodb config is missing.
	ErrInvalidDynamoDBConfig = errors.New("dynamodb config is required")
	// ErrInvalidDynamoDBTable is returned when the DynamoDB table name is empty.
	ErrInvalidDynamoDBTable = errors.New("dynamodb table name is required")
	// ErrInvalidDynamoDBTTLDays is returned when TTL days are not in [0, 365].
	ErrInvalidDynamoDBTTLDays = errors.New("TTL days must be between 0 and 365")
)
// Sentinel errors returned by GitHubAppConfig.Validate and ValidateGitHubApps.
var (
	// ErrInvalidGithubAppClientID is returned when a GitHub App entry has an empty client_id.
	ErrInvalidGithubAppClientID = errors.New("client_id is required")
	// ErrInvalidGithubAppPrivateKeyPath is returned when a GitHub App
	// entry has an empty private_key_path.
	ErrInvalidGithubAppPrivateKeyPath = errors.New("private_key_path is required")
	// ErrInvalidGithubAppOrganization is returned when a GitHub App entry has an empty organization.
	ErrInvalidGithubAppOrganization = errors.New("organization is required")
)
// Sentinel errors returned by LoggerConfig.Validate.
var (
	// ErrInvalidLogLevel is returned when the configured log level is not supported.
	ErrInvalidLogLevel = errors.New("invalid log level")
	// ErrInvalidLogFormat is returned when the configured log format is not supported.
	ErrInvalidLogFormat = errors.New("invalid log format")
)
// Sentinel errors returned by OriginConfig.Validate; both apply only when
// origin verification is enabled.
var (
	// ErrInvalidOriginHeaderName is returned when origin verification
	// is enabled but header_name is empty.
	ErrInvalidOriginHeaderName = errors.New("origin header name is required")
	// ErrInvalidOriginHeaderValue is returned when origin verification
	// is enabled but header_value is empty.
	ErrInvalidOriginHeaderValue = errors.New("origin header value is required")
)
// Sentinel errors returned by OTelConfig.Validate when the pipeline is enabled.
var (
	// ErrOTelEndpointRequired is returned when OTel is enabled without an endpoint.
	ErrOTelEndpointRequired = errors.New("otel endpoint is required when enabled")
	// ErrOTelInvalidProtocol is returned when otel.protocol is not "grpc".
	ErrOTelInvalidProtocol = errors.New("otel protocol must be \"grpc\"")
	// ErrOTelInvalidSampleRate is returned when otel.sample_rate is outside [0, 1].
	ErrOTelInvalidSampleRate = errors.New("otel sample_rate must be between 0.0 and 1.0")
	// ErrOTelInvalidExporterTimeout is returned when otel.exporter_timeout is not positive.
	ErrOTelInvalidExporterTimeout = errors.New("otel exporter_timeout must be positive")
)
// Sentinel errors returned by PolicyConfig, ProviderConfig and TimeRestriction Validate methods.
var (
	// ErrInvalidStartHour is returned when allowed_hours start is not in 0-23.
	ErrInvalidStartHour = errors.New("start hour must be 0-23")
	// ErrInvalidEndHour is returned when allowed_hours end is not in 0-23.
	ErrInvalidEndHour = errors.New("end hour must be 0-23")
	// ErrInvalidAllowedDays is returned when an allowed day is not a valid weekday name.
	ErrInvalidAllowedDays = errors.New("invalid allowed days")
	// ErrInvalidProviderName is returned when a provider has an empty name.
	ErrInvalidProviderName = errors.New("provider name is required")
	// ErrInvalidProviderIssuer is returned when a provider has an empty issuer.
	ErrInvalidProviderIssuer = errors.New("provider issuer is required")
	// ErrInvalidPolicyVersion is returned when the policy version is empty or not supported.
	ErrInvalidPolicyVersion = errors.New("invalid policy version")
	// ErrInvalidTrustPolicyPath is returned when trust_policy_path is empty.
	ErrInvalidTrustPolicyPath = errors.New("trust policy path is required")
	// ErrInvalidDefaultTokenTTL is returned when default_token_ttl is not positive.
	ErrInvalidDefaultTokenTTL = errors.New("default token TTL must be positive")
	// ErrInvalidMaxTokenTTL is returned when max_token_ttl is not positive.
	ErrInvalidMaxTokenTTL = errors.New("max token TTL must be positive")
	// ErrDefaultTTLExceedsMax is returned when default_token_ttl is greater than max_token_ttl.
	ErrDefaultTTLExceedsMax = errors.New("default token TTL must be less than or equal to max token TTL")
	// ErrInvalidPermissionLevel is returned when a permission level is not none, read, or write.
	ErrInvalidPermissionLevel = errors.New("invalid permission level")
)
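// Sentinel errors returned by SelectorConfig and its sub-config Validate methods.
var (
	// ErrInvalidSelectorStoreType is returned when the selector type
	// is not memory, redis, or dynamodb.
	ErrInvalidSelectorStoreType = errors.New("invalid selector store type")
	// ErrInvalidRedisConfig is returned when the selector type is redis but redis config is missing.
	ErrInvalidRedisConfig = errors.New("redis config is required")
	// ErrInvalidRedisAddress is returned when the Redis address is empty.
	ErrInvalidRedisAddress = errors.New("redis address is required")
	// ErrInvalidRedisDB is returned when the Redis DB index is negative.
	// The message says "non-negative" rather than "positive": index 0
	// (DefaultRedisDB) is valid and must not be reported as an error.
	ErrInvalidRedisDB = errors.New("redis db must be non-negative")
	// ErrInvalidSelectorDynamoDBConfig is returned when the selector type
	// is dynamodb but dynamodb config is missing.
	ErrInvalidSelectorDynamoDBConfig = errors.New("selector dynamodb config is required")
	// ErrInvalidSelectorDynamoDBTable is returned when the selector DynamoDB table name is empty.
	ErrInvalidSelectorDynamoDBTable = errors.New("selector dynamodb table name is required")
	// ErrInvalidSelectorDynamoDBTTL is returned when TTL minutes are not in [0, 1440].
	ErrInvalidSelectorDynamoDBTTL = errors.New("selector dynamodb TTL minutes must be between 0 and 1440")
)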
// Sentinel errors returned by ServerConfig.Validate.
var (
	// ErrInvalidPort is returned when the server port is outside the valid range (1-65535).
	ErrInvalidPort = errors.New("invalid port")
	// ErrInvalidReadTimeout is returned when read_timeout is not positive.
	ErrInvalidReadTimeout = errors.New("invalid read timeout")
	// ErrInvalidWriteTimeout is returned when write_timeout is not positive.
	ErrInvalidWriteTimeout = errors.New("invalid write timeout")
	// ErrInvalidShutdownTimeout is returned when shutdown_timeout is not positive.
	ErrInvalidShutdownTimeout = errors.New("invalid shutdown timeout")
	// ErrInvalidRequestTimeout is returned when request_timeout is not positive.
	ErrInvalidRequestTimeout = errors.New("invalid request timeout")
	// ErrInvalidIdleTimeout is returned when idle_timeout is not positive.
	ErrInvalidIdleTimeout = errors.New("invalid idle timeout")
	// ErrInvalidWaitTimeout is returned when wait_timeout is not positive.
	ErrInvalidWaitTimeout = errors.New("invalid wait timeout")
	// ErrInvalidTLSConfig is returned when only one of cert_file_path or key_file_path is set.
	ErrInvalidTLSConfig = errors.New("both cert_file_path and key_file_path must be set for TLS")
)
// ErrInvalidFIPSMode is returned when the FIPS mode is not "on" or "only".
var ErrInvalidFIPSMode = errors.New("invalid FIPS mode")
ErrInvalidFIPSMode is returned when the FIPS mode is not "on" or "only".
// ErrInvalidOIDCAudience is returned when the OIDC audience is empty.
var ErrInvalidOIDCAudience = errors.New("invalid OIDC audience")
ErrInvalidOIDCAudience is returned when the OIDC audience is empty.
// ValidAllowedDays is the list of allowed weekday values for time restrictions.
// TimeRestriction.Validate rejects any AllowedDays value outside this list
// with ErrInvalidAllowedDays.
var ValidAllowedDays = []AllowedDays{
	AllowedDaysMonday,
	AllowedDaysTuesday,
	AllowedDaysWednesday,
	AllowedDaysThursday,
	AllowedDaysFriday,
	AllowedDaysSaturday,
	AllowedDaysSunday,
}
ValidAllowedDays is the list of allowed weekday values for time restrictions.
// ValidFIPSModes lists the allowed FIPS mode values ("on" and "only").
var ValidFIPSModes = []FIPSMode{
	FIPSModeOn,
	FIPSModeOnly,
}
ValidFIPSModes lists the allowed FIPS mode values.
// ValidPolicyVersions lists the supported policy schema versions.
// PolicyConfig.Version must be one of these (ErrInvalidPolicyVersion otherwise).
var ValidPolicyVersions = []string{
	"1.0",
}
ValidPolicyVersions lists the supported policy schema versions.
Functions ¶
func IsValidFIPSMode ¶
IsValidFIPSMode returns true if mode is "on" or "only".
func SetCurrent ¶
func SetCurrent(cfg *Config)
SetCurrent sets the current application configuration in a concurrency-safe manner.
func ValidateGitHubApps ¶
func ValidateGitHubApps(apps []GitHubAppConfig) error
ValidateGitHubApps validates all GitHub App entries and returns the first error encountered.
Types ¶
type AllowedDays ¶
// AllowedDays is a weekday name for time restrictions (e.g. Monday, Tuesday).
// Accepted values are listed in ValidAllowedDays.
type AllowedDays string
AllowedDays is a weekday name for time restrictions (e.g. Monday, Tuesday).
// Weekday values accepted in TimeRestriction.AllowedDays (see ValidAllowedDays).
const (
	AllowedDaysMonday    AllowedDays = "Monday"
	AllowedDaysTuesday   AllowedDays = "Tuesday"
	AllowedDaysWednesday AllowedDays = "Wednesday"
	AllowedDaysThursday  AllowedDays = "Thursday"
	AllowedDaysFriday    AllowedDays = "Friday"
	AllowedDaysSaturday  AllowedDays = "Saturday"
	AllowedDaysSunday    AllowedDays = "Sunday"
)
type AuditBackendType ¶
// AuditBackendType identifies the audit storage backend (sql or dynamodb).
// Any other value fails AuditConfig.Validate with ErrInvalidAuditBackendType.
type AuditBackendType string
AuditBackendType identifies the audit storage backend (sql or dynamodb).
// Supported audit backends.
const (
	// AuditBackendSQL uses a SQL database for audit storage.
	AuditBackendSQL AuditBackendType = "sql"
	// AuditBackendDynamoDB uses DynamoDB for audit storage.
	AuditBackendDynamoDB AuditBackendType = "dynamodb"
)
type AuditConfig ¶
// AuditConfig holds audit backend type and backend-specific settings.
// Validate requires the sub-config that matches Backend to be present
// (ErrInvalidSQLConfig / ErrInvalidDynamoDBConfig).
type AuditConfig struct {
	// Backend selects the audit store: AuditBackendSQL or AuditBackendDynamoDB.
	Backend AuditBackendType `mapstructure:"backend"`
	// DynamoDB holds DynamoDB settings; required when Backend is dynamodb.
	DynamoDB *AuditDynamoDBConfig `mapstructure:"dynamodb"`
	// SQL holds SQL connection settings; required when Backend is sql.
	SQL *AuditSQLConfig `mapstructure:"sql"`
}
AuditConfig holds audit backend type and backend-specific settings.
func (*AuditConfig) IsMigrationSupported ¶
func (a *AuditConfig) IsMigrationSupported() bool
IsMigrationSupported returns true if the audit backend supports database migrations.
func (*AuditConfig) Validate ¶
func (a *AuditConfig) Validate() error
Validate validates the audit configuration based on the selected backend type.
type AuditDynamoDBConfig ¶
// AuditDynamoDBConfig holds DynamoDB-specific audit configuration.
type AuditDynamoDBConfig struct {
	// TableName is the audit table name; empty fails Validate with ErrInvalidDynamoDBTable.
	TableName string `mapstructure:"table_name"`
	// TTLDays is the audit entry TTL in days, validated to [0, MaxDynamoDBTTLDays]
	// (ErrInvalidDynamoDBTTLDays). DefaultDynamoDBTTLDays is the package default.
	TTLDays int `mapstructure:"ttl_days"`
}
AuditDynamoDBConfig holds DynamoDB-specific audit configuration.
func (*AuditDynamoDBConfig) Validate ¶
func (d *AuditDynamoDBConfig) Validate() error
Validate validates the DynamoDB audit configuration.
type AuditSQLConfig ¶
// AuditSQLConfig holds SQL connection settings for the audit backend.
type AuditSQLConfig struct {
	// DSN is the SQL connection string; empty fails Validate with ErrInvalidSQLDSN.
	// Tagged json:"-" so the DSN, which commonly embeds credentials, is not
	// emitted if the configuration is JSON-encoded (e.g. for logging or dumps).
	DSN string `mapstructure:"dsn" json:"-"`
}
AuditSQLConfig holds SQL connection settings for the audit backend.
func (*AuditSQLConfig) Validate ¶
func (p *AuditSQLConfig) Validate() error
Validate validates the SQL audit configuration.
type Config ¶
// Config holds the full application configuration. All nested sections are
// validated on Load. Obtain the active instance through GetCurrent and
// replace it through SetCurrent, both of which are concurrency-safe.
type Config struct {
	// Logger holds log level and format (see LoggerConfig).
	Logger LoggerConfig `mapstructure:"logger"`
	// Audit selects and configures the audit backend (sql or dynamodb).
	Audit AuditConfig `mapstructure:"audit"`
	// Selector selects and configures the selector store (memory, redis, or dynamodb).
	Selector SelectorConfig `mapstructure:"selector"`
	// Policy holds the trust policy path, token TTL limits, providers, and max permissions.
	Policy PolicyConfig `mapstructure:"policy"`
	// Server holds HTTP listener, timeout and TLS settings.
	Server ServerConfig `mapstructure:"server"`
	// OIDC holds the expected token audience.
	OIDC OIDCConfig `mapstructure:"oidc"`
	// Origin holds the shared-secret origin verification header settings.
	Origin OriginConfig `mapstructure:"origin"`
	// FIPS holds FIPS 140 enablement and mode.
	FIPS FIPSConfig `mapstructure:"fips"`
	// OTel holds OpenTelemetry exporter and sampler settings.
	OTel OTelConfig `mapstructure:"otel"`
	// GitHubApps lists GitHub App credentials; checked by ValidateGitHubApps.
	GitHubApps []GitHubAppConfig `mapstructure:"github_apps"`
	// AWSRegion is the AWS region setting (KeyAWSRegion); presumably consumed
	// by the DynamoDB-backed stores — confirm against the backends.
	AWSRegion string `mapstructure:"aws_region"`
}
Config holds the full application configuration. All nested sections are validated on Load.
func GetCurrent ¶
func GetCurrent() *Config
GetCurrent returns the current application configuration in a concurrency-safe manner.
type FIPSConfig ¶
// FIPSConfig holds FIPS 140 enablement and mode settings.
type FIPSConfig struct {
	// Enabled turns FIPS 140 mode on.
	Enabled bool `mapstructure:"enabled"`
	// Mode is FIPSModeOn ("on", prefer FIPS) or FIPSModeOnly ("only", require FIPS);
	// other values fail Validate with ErrInvalidFIPSMode. NOTE(review): whether Mode
	// is checked when Enabled is false is not shown here — confirm in Validate.
	Mode FIPSMode `mapstructure:"mode"`
}
FIPSConfig holds FIPS 140 enablement and mode settings.
func (*FIPSConfig) Validate ¶
func (f *FIPSConfig) Validate() error
Validate validates the FIPS configuration.
type FIPSMode ¶
// FIPSMode is the FIPS 140 mode: "on" (prefer FIPS) or "only" (require FIPS).
// Use IsValidFIPSMode or ValidFIPSModes to check a value.
type FIPSMode string
FIPSMode is the FIPS 140 mode: "on" (prefer FIPS) or "only" (require FIPS).
type GitHubAppConfig ¶
// GitHubAppConfig holds a single GitHub App's client ID, key path, and organization.
// Validate rejects an empty value in any field with the matching ErrInvalidGithubApp* error.
type GitHubAppConfig struct {
	// ClientID is the GitHub App client ID (ErrInvalidGithubAppClientID when empty).
	ClientID string `mapstructure:"client_id"`
	// PrivateKeyPath is the filesystem path to the App's private key
	// (ErrInvalidGithubAppPrivateKeyPath when empty). Only the path lives in
	// the config; the key material itself is read from that file elsewhere.
	PrivateKeyPath string `mapstructure:"private_key_path"`
	// Organization is the GitHub organization the App is installed for
	// (ErrInvalidGithubAppOrganization when empty).
	Organization string `mapstructure:"organization"`
}
GitHubAppConfig holds a single GitHub App's client ID, key path, and organization.
func (*GitHubAppConfig) Validate ¶
func (c *GitHubAppConfig) Validate() error
Validate validates the GitHub App configuration.
type LoggerConfig ¶
// LoggerConfig holds logging level and format settings.
type LoggerConfig struct {
	// Level is the log level; unsupported values fail Validate with ErrInvalidLogLevel.
	Level logger.LogLevel `mapstructure:"level"`
	// Format is the log output format (e.g. json, text); unsupported values
	// fail Validate with ErrInvalidLogFormat.
	Format logger.LogFormat `mapstructure:"format"`
}
LoggerConfig holds logging level and format settings.
func (*LoggerConfig) Validate ¶
func (l *LoggerConfig) Validate() error
Validate validates the logger configuration.
type OIDCConfig ¶
// OIDCConfig holds OIDC token audience configuration.
type OIDCConfig struct {
	// Audience is the expected token audience; empty fails Validate with
	// ErrInvalidOIDCAudience. DefaultOIDCAudience is the package default.
	Audience string `mapstructure:"audience"`
}
OIDCConfig holds OIDC token audience configuration.
func (*OIDCConfig) Validate ¶
func (o *OIDCConfig) Validate() error
Validate validates the OIDC configuration.
type OTelConfig ¶ added in v1.0.4
// OTelConfig holds OpenTelemetry exporter and sampler configuration.
// When Enabled is false, Validate accepts all fields as-is.
type OTelConfig struct {
	// Enabled turns the OpenTelemetry pipeline on.
	Enabled bool `mapstructure:"enabled"`
	// ServiceName is the OTel service.name resource attribute (default DefaultOTelServiceName).
	ServiceName string `mapstructure:"service_name"`
	// Endpoint is the OTLP/gRPC collector endpoint; required when Enabled
	// (ErrOTelEndpointRequired). Default DefaultOTelEndpoint.
	Endpoint string `mapstructure:"endpoint"`
	// Protocol is the OTLP transport; only "grpc" passes Validate (ErrOTelInvalidProtocol).
	Protocol string `mapstructure:"protocol"`
	// Insecure disables TLS on the OTLP/gRPC connection. Defaults to false;
	// enabling it sends trace data in plaintext.
	Insecure bool `mapstructure:"insecure"`
	// SampleRate is the trace sampler ratio, validated to [0, 1] (ErrOTelInvalidSampleRate).
	SampleRate float64 `mapstructure:"sample_rate"`
	// ExporterTimeout is the OTLP exporter timeout; must be positive when
	// Enabled (ErrOTelInvalidExporterTimeout).
	ExporterTimeout time.Duration `mapstructure:"exporter_timeout"`
}
OTelConfig holds OpenTelemetry exporter and sampler configuration.
func (*OTelConfig) Validate ¶ added in v1.0.4
func (o *OTelConfig) Validate() error
Validate validates OTel configuration. When disabled, all fields are accepted.
type OriginConfig ¶
// OriginConfig holds origin verification settings (shared secret header).
// When Enabled, Validate requires both HeaderName and HeaderValue.
type OriginConfig struct {
	// Enabled turns origin verification on.
	Enabled bool `mapstructure:"enabled"`
	// HeaderName is the request header carrying the shared secret
	// (ErrInvalidOriginHeaderName when empty and Enabled).
	HeaderName string `mapstructure:"header_name"`
	// HeaderValue is the expected shared-secret header value
	// (ErrInvalidOriginHeaderValue when empty and Enabled).
	// NOTE(review): unlike AuditSQLConfig.DSN and RedisConfig.Password this
	// secret carries no json:"-" tag, so it would appear in any JSON encoding
	// of the config — confirm the config is never serialized to logs or APIs.
	HeaderValue string `mapstructure:"header_value"`
}
OriginConfig holds origin verification settings (shared secret header).
func (*OriginConfig) Validate ¶
func (o *OriginConfig) Validate() error
Validate validates the origin verification configuration.
type PolicyConfig ¶
// PolicyConfig holds trust policy path, token TTL limits, providers, and max permissions.
type PolicyConfig struct {
	// Version is the policy schema version; must be in ValidPolicyVersions
	// (ErrInvalidPolicyVersion). Default DefaultPolicyVersion.
	Version string `mapstructure:"version"`
	// TrustPolicyPath is the trust policy file path; empty fails Validate
	// with ErrInvalidTrustPolicyPath.
	TrustPolicyPath string `mapstructure:"trust_policy_path"`
	// DefaultTokenTTL is the default token TTL in seconds; must be positive
	// (ErrInvalidDefaultTokenTTL) and <= MaxTokenTTL (ErrDefaultTTLExceedsMax).
	DefaultTokenTTL int `mapstructure:"default_token_ttl"`
	// MaxTokenTTL is the maximum token TTL in seconds; must be positive (ErrInvalidMaxTokenTTL).
	MaxTokenTTL int `mapstructure:"max_token_ttl"`
	// RequireExplicitPolicy requires an explicit matching policy for a request.
	RequireExplicitPolicy bool `mapstructure:"require_explicit_policy"`
	// GitHubAPIBaseURL is the GitHub API base URL (default DefaultGitHubAPIBaseURL).
	GitHubAPIBaseURL string `mapstructure:"github_api_base_url"`
	// GitHubRawBaseURL is the GitHub raw content base URL (default DefaultGitHubRawBaseURL).
	GitHubRawBaseURL string `mapstructure:"github_raw_base_url"`
	// Providers lists the trusted OIDC providers; Issuers() collects their issuer URLs.
	Providers []ProviderConfig `mapstructure:"providers"`
	// MaxPermissions caps the permissions a token may receive. Permission levels
	// are none, read, or write (ErrInvalidPermissionLevel otherwise); presumably
	// the map values are the levels and the keys are permission names — confirm.
	MaxPermissions map[string]string `mapstructure:"max_permissions"`
}
PolicyConfig holds trust policy path, token TTL limits, providers, and max permissions.
func (*PolicyConfig) Issuers ¶
func (p *PolicyConfig) Issuers() []string
Issuers returns the issuer URLs from all configured providers.
func (*PolicyConfig) Validate ¶
func (p *PolicyConfig) Validate() error
Validate validates the policy configuration.
type ProviderConfig ¶
// ProviderConfig holds OIDC provider identity, claims, and optional time restrictions.
type ProviderConfig struct {
	// Issuer is the provider's issuer URL; empty fails Validate with ErrInvalidProviderIssuer.
	Issuer string `mapstructure:"issuer"`
	// Name identifies the provider; empty fails Validate with ErrInvalidProviderName.
	Name string `mapstructure:"name"`
	// RequiredClaims are claims a token from this provider must carry.
	// NOTE(review): the matching rule (exact value vs. pattern) is not shown here — confirm.
	RequiredClaims map[string]string `mapstructure:"required_claims"`
	// ForbiddenClaims are claims that cause a token from this provider to be rejected.
	// NOTE(review): matching rule not shown here — confirm alongside RequiredClaims.
	ForbiddenClaims map[string]string `mapstructure:"forbidden_claims"`
	// TimeRestrictions optionally limits when this provider may be used; nil means no restriction.
	TimeRestrictions *TimeRestriction `mapstructure:"time_restrictions"`
}
ProviderConfig holds OIDC provider identity, claims, and optional time restrictions.
func (*ProviderConfig) Validate ¶
func (p *ProviderConfig) Validate() error
Validate validates the OIDC provider configuration.
type RedisConfig ¶
// RedisConfig holds Redis connection settings for the selector store.
type RedisConfig struct {
	// Address is the Redis server address; empty fails Validate with ErrInvalidRedisAddress.
	Address string `mapstructure:"address"`
	// Password is the Redis password. Tagged json:"-" so it is omitted from
	// any JSON encoding of the config.
	Password string `mapstructure:"password" json:"-"`
	// DB is the Redis database index; negative values fail Validate with
	// ErrInvalidRedisDB. DefaultRedisDB (0) is the package default.
	DB int `mapstructure:"db"`
	// TLS enables TLS for the Redis connection.
	TLS bool `mapstructure:"tls"`
}
RedisConfig holds Redis connection settings for the selector store.
func (*RedisConfig) Validate ¶
func (r *RedisConfig) Validate() error
Validate validates the Redis configuration.
type SelectorConfig ¶
// SelectorConfig holds selector store configuration. Validate requires the
// sub-config matching Type (ErrInvalidRedisConfig / ErrInvalidSelectorDynamoDBConfig).
type SelectorConfig struct {
	// Type is the store backend: memory, redis, or dynamodb
	// (ErrInvalidSelectorStoreType otherwise). Default DefaultSelectorStoreType.
	Type SelectorStoreType `mapstructure:"type"`
	// Redis holds Redis settings; required when Type is redis.
	Redis *RedisConfig `mapstructure:"redis"`
	// DynamoDB holds DynamoDB settings; required when Type is dynamodb.
	DynamoDB *SelectorDynamoDBConfig `mapstructure:"dynamodb"`
}
SelectorConfig holds selector store configuration.
func (*SelectorConfig) Validate ¶
func (c *SelectorConfig) Validate() error
Validate validates the selector configuration based on type.
type SelectorDynamoDBConfig ¶
// SelectorDynamoDBConfig holds DynamoDB table and TTL settings for the selector store.
type SelectorDynamoDBConfig struct {
	// TableName is the selector table name; empty fails Validate with ErrInvalidSelectorDynamoDBTable.
	TableName string `mapstructure:"table_name"`
	// TTLMinutes is the entry TTL in minutes, validated to [0, MaxSelectorDynamoDBTTLMinutes]
	// (ErrInvalidSelectorDynamoDBTTL).
	TTLMinutes int `mapstructure:"ttl_minutes"`
}
SelectorDynamoDBConfig holds DynamoDB table and TTL settings for the selector store.
func (*SelectorDynamoDBConfig) Validate ¶
func (d *SelectorDynamoDBConfig) Validate() error
Validate validates the DynamoDB selector configuration.
type SelectorStoreType ¶
// SelectorStoreType identifies the session/store backend: memory, redis, or dynamodb.
type SelectorStoreType string
SelectorStoreType identifies the session/store backend: memory, redis, or dynamodb.
// Supported selector store backends.
const (
	// SelectorStoreTypeMemory uses in-process memory (no persistence).
	SelectorStoreTypeMemory SelectorStoreType = "memory"
	// SelectorStoreTypeRedis uses Redis for session storage.
	SelectorStoreTypeRedis SelectorStoreType = "redis"
	// SelectorStoreTypeDynamoDB uses DynamoDB for session storage.
	SelectorStoreTypeDynamoDB SelectorStoreType = "dynamodb"
)
type ServerConfig ¶
// ServerConfig holds HTTP server and TLS settings. Validate requires Port in
// 1-65535 and every timeout to be positive; GetAddr renders the listen address.
type ServerConfig struct {
	// Port is the listen port, 1-65535 (ErrInvalidPort). Default DefaultServerPort.
	Port int `mapstructure:"port"`
	// ReadTimeout is the HTTP read timeout; must be positive (ErrInvalidReadTimeout).
	ReadTimeout time.Duration `mapstructure:"read_timeout"`
	// WriteTimeout is the HTTP write timeout; must be positive (ErrInvalidWriteTimeout).
	WriteTimeout time.Duration `mapstructure:"write_timeout"`
	// ShutdownTimeout bounds server shutdown; must be positive (ErrInvalidShutdownTimeout).
	ShutdownTimeout time.Duration `mapstructure:"shutdown_timeout"`
	// RequestTimeout is the per-request timeout; must be positive (ErrInvalidRequestTimeout).
	RequestTimeout time.Duration `mapstructure:"request_timeout"`
	// IdleTimeout is the HTTP idle (keep-alive) timeout; must be positive (ErrInvalidIdleTimeout).
	IdleTimeout time.Duration `mapstructure:"idle_timeout"`
	// WaitTimeout is the graceful shutdown wait; must be positive (ErrInvalidWaitTimeout).
	WaitTimeout time.Duration `mapstructure:"wait_timeout"`
	// TLS holds certificate and key paths; both or neither must be set (ErrInvalidTLSConfig).
	TLS TLSConfig `mapstructure:"tls"`
}
ServerConfig holds HTTP server and TLS settings.
func (*ServerConfig) GetAddr ¶
func (s *ServerConfig) GetAddr() string
GetAddr returns the server listen address in host:port format.
func (*ServerConfig) Validate ¶
func (s *ServerConfig) Validate() error
Validate validates the server configuration.
type TLSConfig ¶
// TLSConfig holds TLS certificate paths for the server. Setting only one of
// the two paths fails ServerConfig.Validate with ErrInvalidTLSConfig;
// presumably both empty means the server listens without TLS — confirm.
type TLSConfig struct {
	// CertFilePath is the path to the TLS certificate file.
	CertFilePath string `mapstructure:"cert_file_path"`
	// KeyFilePath is the path to the TLS private key file; only the path is
	// held in the config, not the key material.
	KeyFilePath string `mapstructure:"key_file_path"`
}
TLSConfig holds TLS certificate paths for the server.
type TimeRestriction ¶
// TimeRestriction holds allowed days and optional hour range for provider access.
type TimeRestriction struct {
	// AllowedDays lists weekdays on which access is permitted; each value must
	// be in ValidAllowedDays (ErrInvalidAllowedDays).
	AllowedDays []AllowedDays `mapstructure:"allowed_days"`
	// AllowedHours optionally limits access to an hour range; start and end
	// must be 0-23 (ErrInvalidStartHour / ErrInvalidEndHour). nil means no hour limit.
	AllowedHours *HourRange `mapstructure:"allowed_hours"`
}
TimeRestriction holds allowed days and optional hour range for provider access.
func (*TimeRestriction) Validate ¶
func (t *TimeRestriction) Validate() error
Validate validates the time restriction configuration.