config


Overview

Package config provides application configuration loading, validation, and access. Configuration is loaded from file (YAML) and environment variables via Viper, then validated and stored for concurrency-safe access via GetCurrent.

Index

Constants

// Viper keys for the audit section. Values are read under these keys from the
// YAML config file and from environment variables (see package overview).
const (
	// KeyAuditBackend is the Viper key for the audit backend type (sql or dynamodb).
	KeyAuditBackend = "audit.backend"
	// KeyAuditDynamoDBTableName is the Viper key for the DynamoDB audit table name.
	KeyAuditDynamoDBTableName = "audit.dynamodb.table_name"
	// KeyAuditDynamoDBTTLDays is the Viper key for DynamoDB audit entry TTL in days.
	KeyAuditDynamoDBTTLDays = "audit.dynamodb.ttl_days"
	// KeyAuditSQLDSN is the Viper key for the SQL audit connection DSN.
	// A DSN commonly embeds credentials; the bound field AuditSQLConfig.DSN is
	// tagged json:"-" so it is not emitted when the config is JSON-encoded.
	KeyAuditSQLDSN = "audit.sql.dsn"
)
// Defaults and upper bound for the DynamoDB audit backend. AuditDynamoDBConfig.Validate
// rejects a TTL outside [0, MaxDynamoDBTTLDays] with ErrInvalidDynamoDBTTLDays.
const (
	// DefaultDynamoDBTableName is the default DynamoDB table name for audit logs.
	DefaultDynamoDBTableName = "audit_logs"

	// DefaultDynamoDBTTLDays is the default TTL in days for DynamoDB audit entries.
	// 90 days provides sufficient audit history for compliance while managing storage costs.
	DefaultDynamoDBTTLDays = 90

	// MaxDynamoDBTTLDays is the maximum allowed TTL in days for DynamoDB audit entries.
	MaxDynamoDBTTLDays = 365
)
// Platform config-file locations and the file name Viper looks for.
const (
	// ConfigRootLinux is the default config directory root on Linux.
	ConfigRootLinux = "/etc/"
	// ConfigRootWindows is the default config directory root on Windows.
	// NOTE(review): the %ProgramData% root allows standard users to create
	// subdirectories by default; confirm the application's own config directory
	// is created with an administrator-only ACL so an unprivileged local user
	// cannot supply the config file that is loaded here.
	ConfigRootWindows = "C:\\ProgramData\\"
	// ConfigRootDarwin is the default config directory root on macOS.
	ConfigRootDarwin = "/Library/Application Support/"
	// ConfigFileName is the base name of the config file (without extension).
	ConfigFileName = "config"
	// ConfigFileExtension is the config file extension used by Viper.
	ConfigFileExtension = "yaml"
	// KeyAWSRegion is the Viper key for the AWS region setting.
	KeyAWSRegion = "aws_region"
)
// Viper keys for the fips section; see FIPSConfig and FIPSMode.
const (
	// KeyFIPSEnabled is the Viper key for enabling FIPS 140 mode.
	KeyFIPSEnabled = "fips.enabled"
	// KeyFIPSMode is the Viper key for the FIPS mode (on or only).
	KeyFIPSMode = "fips.mode"
)
// Viper keys for the logger section; see LoggerConfig.
const (
	// KeyLoggerLevel is the Viper key for the log level.
	KeyLoggerLevel = "logger.level"
	// KeyLoggerFormat is the Viper key for the log format (e.g. json, text).
	KeyLoggerFormat = "logger.format"
)
// Viper key and default for the oidc section; see OIDCConfig.
const (
	// KeyOIDCAudience is the Viper key for the OIDC token audience.
	KeyOIDCAudience = "oidc.audience"
	// DefaultOIDCAudience is the default audience value when not set.
	DefaultOIDCAudience = "gate"
)
// Viper keys for the origin section; see OriginConfig.
const (
	// KeyOriginEnabled is the Viper key for enabling origin verification.
	KeyOriginEnabled = "origin.enabled"
	// KeyOriginHeaderName is the Viper key for the origin verification header name.
	KeyOriginHeaderName = "origin.header_name"
	// KeyOriginHeaderValue is the Viper key for the expected origin verification header value.
	// The value is a shared secret (see OriginConfig) and should be handled like
	// the Redis password and SQL DSN, not like an ordinary setting.
	KeyOriginHeaderValue = "origin.header_value"
)
// Viper keys and defaults for the otel section; see OTelConfig and its Validate.
const (
	// KeyOTelEnabled is the Viper key for enabling the OpenTelemetry pipeline.
	KeyOTelEnabled = "otel.enabled"
	// KeyOTelServiceName is the Viper key for the OTel service.name resource attribute.
	KeyOTelServiceName = "otel.service_name"
	// KeyOTelEndpoint is the Viper key for the OTLP/gRPC collector endpoint.
	KeyOTelEndpoint = "otel.endpoint"
	// KeyOTelProtocol is the Viper key for the OTLP transport protocol (only "grpc" is supported).
	KeyOTelProtocol = "otel.protocol"
	// KeyOTelInsecure is the Viper key for disabling TLS on the OTLP/gRPC connection.
	KeyOTelInsecure = "otel.insecure"
	// KeyOTelSampleRate is the Viper key for the trace sampler ratio (0.0-1.0).
	KeyOTelSampleRate = "otel.sample_rate"
	// KeyOTelExporterTimeout is the Viper key for the OTLP exporter timeout.
	KeyOTelExporterTimeout = "otel.exporter_timeout"

	// DefaultOTelServiceName is the default service.name when not set.
	DefaultOTelServiceName = "gate"
	// DefaultOTelEndpoint is the default OTLP/gRPC collector endpoint.
	DefaultOTelEndpoint = "localhost:4317"
	// DefaultOTelProtocol is the only supported OTLP transport.
	DefaultOTelProtocol = "grpc"
	// DefaultOTelInsecure requires explicit opt-in to plaintext connections.
	// Keep this false: the export path carries trace data off-host and should
	// only be downgraded to plaintext by a deliberate configuration choice.
	DefaultOTelInsecure = false
	// DefaultOTelSampleRate is the default trace sampler ratio.
	DefaultOTelSampleRate = 1.0
	// DefaultOTelExporterTimeout is the default OTLP exporter timeout.
	DefaultOTelExporterTimeout = 10 * time.Second
)
// Viper keys and defaults for the policy section; see PolicyConfig.
// Token TTLs are expressed in seconds, and the defaults satisfy the
// default <= max relationship that PolicyConfig.Validate enforces.
const (
	// KeyPolicyVersion is the Viper key for the policy schema version.
	KeyPolicyVersion = "policy.version"
	// KeyPolicyTrustPolicyPath is the Viper key for the trust policy file path.
	KeyPolicyTrustPolicyPath = "policy.trust_policy_path"
	// KeyPolicyDefaultTokenTTL is the Viper key for the default token TTL in seconds.
	KeyPolicyDefaultTokenTTL = "policy.default_token_ttl"
	// KeyPolicyMaxTokenTTL is the Viper key for the maximum token TTL in seconds.
	KeyPolicyMaxTokenTTL = "policy.max_token_ttl"
	// KeyPolicyRequireExplicitPolicy is the Viper key for requiring an explicit matching policy.
	KeyPolicyRequireExplicitPolicy = "policy.require_explicit_policy"
	// KeyPolicyGitHubAPIBaseURL is the Viper key for the GitHub API base URL.
	KeyPolicyGitHubAPIBaseURL = "policy.github_api_base_url"
	// KeyPolicyGitHubRawBaseURL is the Viper key for the GitHub raw content base URL.
	KeyPolicyGitHubRawBaseURL = "policy.github_raw_base_url"
	// KeyPolicyProviders is the Viper key for the OIDC provider list.
	KeyPolicyProviders = "policy.providers"
	// KeyPolicyMaxPermissions is the Viper key for the maximum allowed permissions map.
	KeyPolicyMaxPermissions = "policy.max_permissions"

	// DefaultPolicyVersion is the default policy schema version.
	DefaultPolicyVersion = "1.0"
	// DefaultPolicyDefaultTokenTTL is the default token TTL in seconds.
	DefaultPolicyDefaultTokenTTL = 900
	// DefaultPolicyMaxTokenTTL is the default maximum token TTL in seconds.
	DefaultPolicyMaxTokenTTL = 3600
	// DefaultGitHubAPIBaseURL is the default GitHub API base URL.
	DefaultGitHubAPIBaseURL = "https://api.github.com"
	// DefaultGitHubRawBaseURL is the default GitHub raw content base URL.
	DefaultGitHubRawBaseURL = "https://raw.githubusercontent.com"
)
// Viper keys for the selector section; see SelectorConfig, RedisConfig and
// SelectorDynamoDBConfig.
const (
	// KeySelectorType is the Viper key for the selector store type (memory, redis, or dynamodb).
	KeySelectorType = "selector.type"
	// KeySelectorRedisAddress is the Viper key for the Redis server address.
	KeySelectorRedisAddress = "selector.redis.address"
	// KeySelectorRedisPassword is the Viper key for the Redis password.
	// The bound field RedisConfig.Password is tagged json:"-" so the credential is
	// not emitted when the config is JSON-encoded.
	KeySelectorRedisPassword = "selector.redis.password" // #nosec G101 -- config key name, not a credential
	// KeySelectorRedisDB is the Viper key for the Redis database index.
	KeySelectorRedisDB = "selector.redis.db"
	// KeySelectorRedisTLS is the Viper key for enabling TLS to Redis.
	KeySelectorRedisTLS = "selector.redis.tls"
	// KeySelectorDynamoDBTableName is the Viper key for the selector DynamoDB table name.
	KeySelectorDynamoDBTableName = "selector.dynamodb.table_name"
	// KeySelectorDynamoDBTTLMinutes is the Viper key for selector DynamoDB entry TTL in minutes.
	KeySelectorDynamoDBTTLMinutes = "selector.dynamodb.ttl_minutes"
)
// Defaults for the selector section.
const (
	// DefaultSelectorStoreType is the default selector store when type is not set (in-memory).
	DefaultSelectorStoreType = SelectorStoreTypeMemory
	// DefaultRedisDB is the default Redis database index when not set.
	// 0 is valid: RedisConfig.Validate only rejects a negative index.
	DefaultRedisDB = 0
)
// Viper keys and defaults for the server section; see ServerConfig and TLSConfig.
// Every timeout default is positive, as ServerConfig.Validate requires.
const (
	// KeyServerPort is the Viper key for the server listen port.
	KeyServerPort = "server.port"
	// KeyServerReadTimeout is the Viper key for the HTTP read timeout.
	KeyServerReadTimeout = "server.read_timeout"
	// KeyServerWriteTimeout is the Viper key for the HTTP write timeout.
	KeyServerWriteTimeout = "server.write_timeout"
	// KeyServerShutdownTimeout is the Viper key for the server shutdown timeout.
	KeyServerShutdownTimeout = "server.shutdown_timeout"
	// KeyServerRequestTimeout is the Viper key for the per-request timeout.
	KeyServerRequestTimeout = "server.request_timeout"
	// KeyServerIdleTimeout is the Viper key for the HTTP idle (keep-alive) timeout.
	KeyServerIdleTimeout = "server.idle_timeout"
	// KeyServerWaitTimeout is the Viper key for the graceful shutdown wait timeout.
	KeyServerWaitTimeout = "server.wait_timeout"
	// KeyServerTLSCertFilePath is the Viper key for the TLS certificate file path.
	KeyServerTLSCertFilePath = "server.tls.cert_file_path"
	// KeyServerTLSKeyFilePath is the Viper key for the TLS private key file path.
	KeyServerTLSKeyFilePath = "server.tls.key_file_path"

	// DefaultServerPort is the default HTTP listen port.
	DefaultServerPort = 8080
	// DefaultServerReadTimeout is the default HTTP read timeout.
	DefaultServerReadTimeout = 30 * time.Second
	// DefaultServerWriteTimeout is the default HTTP write timeout.
	DefaultServerWriteTimeout = 30 * time.Second
	// DefaultServerShutdownTimeout is the default server shutdown timeout.
	DefaultServerShutdownTimeout = 10 * time.Second
	// DefaultServerRequestTimeout is the default per-request timeout.
	DefaultServerRequestTimeout = 30 * time.Second
	// DefaultServerIdleTimeout is the default HTTP idle timeout.
	DefaultServerIdleTimeout = 10 * time.Second
	// DefaultServerWaitTimeout is the default graceful shutdown wait duration.
	DefaultServerWaitTimeout = 10 * time.Second
)
// Upper bound for the selector DynamoDB TTL; SelectorDynamoDBConfig.Validate
// rejects values outside [0, MaxSelectorDynamoDBTTLMinutes].
const (
	// MaxSelectorDynamoDBTTLMinutes is the maximum TTL in minutes
	// for selector DynamoDB entries (24 hours).
	MaxSelectorDynamoDBTTLMinutes = 1440
)

Variables

// Sentinel errors returned by the audit section validators. Match them with
// errors.Is rather than by comparing message text.
var (
	// ErrInvalidAuditBackendType is returned when the audit backend is not "sql" or "dynamodb".
	ErrInvalidAuditBackendType = errors.New("invalid audit backend type")
	// ErrInvalidSQLDSN is returned when the SQL DSN is empty.
	ErrInvalidSQLDSN = errors.New("SQL DSN is required")
	// ErrInvalidSQLConfig is returned when the audit backend is sql but sql config is missing.
	ErrInvalidSQLConfig = errors.New("sql config is required")
	// ErrInvalidDynamoDBConfig is returned when the audit backend is
	// dynamodb but dynamodb config is missing.
	ErrInvalidDynamoDBConfig = errors.New("dynamodb config is required")
	// ErrInvalidDynamoDBTable is returned when the DynamoDB table name is empty.
	ErrInvalidDynamoDBTable = errors.New("dynamodb table name is required")
	// ErrInvalidDynamoDBTTLDays is returned when TTL days are not in [0, 365].
	ErrInvalidDynamoDBTTLDays = errors.New("TTL days must be between 0 and 365")
)
// Sentinel errors returned by GitHubAppConfig.Validate (and therefore by
// ValidateGitHubApps). Match them with errors.Is.
var (
	// ErrInvalidGithubAppClientID is returned when a GitHub App entry has an empty client_id.
	ErrInvalidGithubAppClientID = errors.New("client_id is required")
	// ErrInvalidGithubAppPrivateKeyPath is returned when a GitHub App
	// entry has an empty private_key_path.
	ErrInvalidGithubAppPrivateKeyPath = errors.New("private_key_path is required")
	// ErrInvalidGithubAppOrganization is returned when a GitHub App entry has an empty organization.
	ErrInvalidGithubAppOrganization = errors.New("organization is required")
)
// Sentinel errors returned by LoggerConfig.Validate. Match them with errors.Is.
var (
	// ErrInvalidLogLevel is returned when the configured log level is not supported.
	ErrInvalidLogLevel = errors.New("invalid log level")
	// ErrInvalidLogFormat is returned when the configured log format is not supported.
	ErrInvalidLogFormat = errors.New("invalid log format")
)
// Sentinel errors returned by OriginConfig.Validate. Both apply only when
// origin verification is enabled. Match them with errors.Is.
var (
	// ErrInvalidOriginHeaderName is returned when origin verification
	// is enabled but header_name is empty.
	ErrInvalidOriginHeaderName = errors.New("origin header name is required")
	// ErrInvalidOriginHeaderValue is returned when origin verification
	// is enabled but header_value is empty.
	ErrInvalidOriginHeaderValue = errors.New("origin header value is required")
)
// Sentinel errors returned by OTelConfig.Validate; none of them are raised
// while OTel is disabled. Match them with errors.Is.
var (
	// ErrOTelEndpointRequired is returned when OTel is enabled without an endpoint.
	ErrOTelEndpointRequired = errors.New("otel endpoint is required when enabled")
	// ErrOTelInvalidProtocol is returned when otel.protocol is not "grpc".
	ErrOTelInvalidProtocol = errors.New("otel protocol must be \"grpc\"")
	// ErrOTelInvalidSampleRate is returned when otel.sample_rate is outside [0, 1].
	ErrOTelInvalidSampleRate = errors.New("otel sample_rate must be between 0.0 and 1.0")
	// ErrOTelInvalidExporterTimeout is returned when otel.exporter_timeout is not positive.
	ErrOTelInvalidExporterTimeout = errors.New("otel exporter_timeout must be positive")
)
// Sentinel errors returned by the policy-section validators (PolicyConfig,
// ProviderConfig, TimeRestriction, HourRange). Match them with errors.Is.
var (
	// ErrInvalidStartHour is returned when allowed_hours start is not in 0-23.
	ErrInvalidStartHour = errors.New("start hour must be 0-23")
	// ErrInvalidEndHour is returned when allowed_hours end is not in 0-23.
	ErrInvalidEndHour = errors.New("end hour must be 0-23")
	// ErrInvalidAllowedDays is returned when an allowed day is not a valid weekday name.
	ErrInvalidAllowedDays = errors.New("invalid allowed days")
	// ErrInvalidProviderName is returned when a provider has an empty name.
	ErrInvalidProviderName = errors.New("provider name is required")
	// ErrInvalidProviderIssuer is returned when a provider has an empty issuer.
	ErrInvalidProviderIssuer = errors.New("provider issuer is required")
	// ErrInvalidPolicyVersion is returned when the policy version is empty or not supported.
	ErrInvalidPolicyVersion = errors.New("invalid policy version")
	// ErrInvalidTrustPolicyPath is returned when trust_policy_path is empty.
	ErrInvalidTrustPolicyPath = errors.New("trust policy path is required")
	// ErrInvalidDefaultTokenTTL is returned when default_token_ttl is not positive.
	ErrInvalidDefaultTokenTTL = errors.New("default token TTL must be positive")
	// ErrInvalidMaxTokenTTL is returned when max_token_ttl is not positive.
	ErrInvalidMaxTokenTTL = errors.New("max token TTL must be positive")
	// ErrDefaultTTLExceedsMax is returned when default_token_ttl is greater than max_token_ttl.
	ErrDefaultTTLExceedsMax = errors.New("default token TTL must be less than or equal to max token TTL")
	// ErrInvalidPermissionLevel is returned when a permission level is not none, read, or write.
	ErrInvalidPermissionLevel = errors.New("invalid permission level")
)
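// Sentinel errors returned by the selector-section validators (SelectorConfig,
// RedisConfig, SelectorDynamoDBConfig). Match them with errors.Is.
var (
	// ErrInvalidSelectorStoreType is returned when the selector type
	// is not memory, redis, or dynamodb.
	ErrInvalidSelectorStoreType = errors.New("invalid selector store type")
	// ErrInvalidRedisConfig is returned when the selector type is redis but redis config is missing.
	ErrInvalidRedisConfig = errors.New("redis config is required")
	// ErrInvalidRedisAddress is returned when the Redis address is empty.
	ErrInvalidRedisAddress = errors.New("redis address is required")
	// ErrInvalidRedisDB is returned when the Redis DB index is negative.
	// The message says "not be negative" rather than "positive" because 0 is
	// the documented default (DefaultRedisDB) and is accepted.
	ErrInvalidRedisDB = errors.New("redis db must not be negative")
	// ErrInvalidSelectorDynamoDBConfig is returned when the selector type
	// is dynamodb but dynamodb config is missing.
	ErrInvalidSelectorDynamoDBConfig = errors.New("selector dynamodb config is required")
	// ErrInvalidSelectorDynamoDBTable is returned when the selector DynamoDB table name is empty.
	ErrInvalidSelectorDynamoDBTable = errors.New("selector dynamodb table name is required")
	// ErrInvalidSelectorDynamoDBTTL is returned when TTL minutes are not in [0, 1440].
	ErrInvalidSelectorDynamoDBTTL = errors.New("selector dynamodb TTL minutes must be between 0 and 1440")
)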
// Sentinel errors returned by ServerConfig.Validate and TLSConfig.Validate.
// Match them with errors.Is.
var (
	// ErrInvalidPort is returned when the server port is outside the valid range (1-65535).
	ErrInvalidPort = errors.New("invalid port")
	// ErrInvalidReadTimeout is returned when read_timeout is not positive.
	ErrInvalidReadTimeout = errors.New("invalid read timeout")
	// ErrInvalidWriteTimeout is returned when write_timeout is not positive.
	ErrInvalidWriteTimeout = errors.New("invalid write timeout")
	// ErrInvalidShutdownTimeout is returned when shutdown_timeout is not positive.
	ErrInvalidShutdownTimeout = errors.New("invalid shutdown timeout")
	// ErrInvalidRequestTimeout is returned when request_timeout is not positive.
	ErrInvalidRequestTimeout = errors.New("invalid request timeout")
	// ErrInvalidIdleTimeout is returned when idle_timeout is not positive.
	ErrInvalidIdleTimeout = errors.New("invalid idle timeout")
	// ErrInvalidWaitTimeout is returned when wait_timeout is not positive.
	ErrInvalidWaitTimeout = errors.New("invalid wait timeout")
	// ErrInvalidTLSConfig is returned when only one of cert_file_path or key_file_path is set.
	// A half-configured TLS section is rejected rather than silently falling back to plaintext.
	ErrInvalidTLSConfig = errors.New("both cert_file_path and key_file_path must be set for TLS")
)
// ErrInvalidFIPSMode is returned when the FIPS mode is not "on" or "only".
var ErrInvalidFIPSMode = errors.New("invalid FIPS mode")

ErrInvalidFIPSMode is returned when the FIPS mode is not "on" or "only".

// ErrInvalidOIDCAudience is returned when the OIDC audience is empty.
var ErrInvalidOIDCAudience = errors.New("invalid OIDC audience")

ErrInvalidOIDCAudience is returned when the OIDC audience is empty.

ValidAllowedDays is the list of allowed weekday values for time restrictions.

// ValidFIPSModes lists the allowed FIPS mode values ("on" and "only").
var ValidFIPSModes = []FIPSMode{
	FIPSModeOn,
	FIPSModeOnly,
}

ValidFIPSModes lists the allowed FIPS mode values.

// ValidPolicyVersions lists the supported policy schema versions;
// DefaultPolicyVersion ("1.0") is among them.
var ValidPolicyVersions = []string{
	"1.0",
}

ValidPolicyVersions lists the supported policy schema versions.

Functions

func IsValidFIPSMode

func IsValidFIPSMode(mode FIPSMode) bool

IsValidFIPSMode returns true if mode is "on" or "only".

func SetCurrent

func SetCurrent(cfg *Config)

SetCurrent sets the current application configuration in a concurrency-safe manner.

func ValidateGitHubApps

func ValidateGitHubApps(apps []GitHubAppConfig) error

ValidateGitHubApps validates all GitHub App entries and returns the first error encountered.

Types

type AllowedDays

// AllowedDays is a weekday name for time restrictions (e.g. Monday, Tuesday).
type AllowedDays string

AllowedDays is a weekday name for time restrictions (e.g. Monday, Tuesday).

// Weekday values accepted in TimeRestriction.AllowedDays. Any other value
// fails validation with ErrInvalidAllowedDays.
const (
	AllowedDaysMonday    AllowedDays = "Monday"
	AllowedDaysTuesday   AllowedDays = "Tuesday"
	AllowedDaysWednesday AllowedDays = "Wednesday"
	AllowedDaysThursday  AllowedDays = "Thursday"
	AllowedDaysFriday    AllowedDays = "Friday"
	AllowedDaysSaturday  AllowedDays = "Saturday"
	AllowedDaysSunday    AllowedDays = "Sunday"
)

type AuditBackendType

// AuditBackendType identifies the audit storage backend (sql or dynamodb).
type AuditBackendType string

AuditBackendType identifies the audit storage backend (sql or dynamodb).

// Supported audit backends; any other AuditBackendType fails validation
// with ErrInvalidAuditBackendType.
const (
	// AuditBackendSQL uses a SQL database for audit storage.
	AuditBackendSQL AuditBackendType = "sql"
	// AuditBackendDynamoDB uses DynamoDB for audit storage.
	AuditBackendDynamoDB AuditBackendType = "dynamodb"
)

type AuditConfig

// AuditConfig holds audit backend type and backend-specific settings.
type AuditConfig struct {
	// Backend selects the audit store: AuditBackendSQL or AuditBackendDynamoDB.
	Backend AuditBackendType `mapstructure:"backend"`
	// DynamoDB holds the DynamoDB settings; required when Backend is dynamodb
	// (ErrInvalidDynamoDBConfig otherwise).
	DynamoDB *AuditDynamoDBConfig `mapstructure:"dynamodb"`
	// SQL holds the SQL connection settings; required when Backend is sql
	// (ErrInvalidSQLConfig otherwise).
	SQL *AuditSQLConfig `mapstructure:"sql"`
}

AuditConfig holds audit backend type and backend-specific settings.

func (*AuditConfig) IsMigrationSupported

func (a *AuditConfig) IsMigrationSupported() bool

IsMigrationSupported returns true if the audit backend supports database migrations.

func (*AuditConfig) Validate

func (a *AuditConfig) Validate() error

Validate validates the audit configuration based on the selected backend type.

type AuditDynamoDBConfig

// AuditDynamoDBConfig holds DynamoDB-specific audit configuration.
type AuditDynamoDBConfig struct {
	// TableName is the audit table; must be non-empty (ErrInvalidDynamoDBTable).
	// DefaultDynamoDBTableName is the default.
	TableName string `mapstructure:"table_name"`
	// TTLDays is the audit entry retention in days, validated to [0, MaxDynamoDBTTLDays]
	// (ErrInvalidDynamoDBTTLDays); DefaultDynamoDBTTLDays is the default.
	// NOTE(review): the meaning of 0 (presumably "no expiry") is not stated here — confirm
	// against the DynamoDB audit store before relying on it for retention policy.
	TTLDays int `mapstructure:"ttl_days"`
}

AuditDynamoDBConfig holds DynamoDB-specific audit configuration.

func (*AuditDynamoDBConfig) Validate

func (d *AuditDynamoDBConfig) Validate() error

Validate validates the DynamoDB audit configuration.

type AuditSQLConfig

// AuditSQLConfig holds SQL connection settings for the audit backend.
type AuditSQLConfig struct {
	// DSN is the SQL connection string; must be non-empty (ErrInvalidSQLDSN).
	// It is tagged json:"-" because a DSN typically embeds credentials, so it is
	// omitted whenever the config is JSON-encoded (e.g. for dumping or logging).
	DSN string `mapstructure:"dsn" json:"-"`
}

AuditSQLConfig holds SQL connection settings for the audit backend.

func (*AuditSQLConfig) Validate

func (p *AuditSQLConfig) Validate() error

Validate validates the SQL audit configuration.

type Config

// Config holds the full application configuration. All nested sections are validated on Load.
type Config struct {
	// Logger configures log level and format.
	Logger LoggerConfig `mapstructure:"logger"`
	// Audit configures the audit backend (sql or dynamodb).
	Audit AuditConfig `mapstructure:"audit"`
	// Selector configures the selector store (memory, redis, or dynamodb).
	Selector SelectorConfig `mapstructure:"selector"`
	// Policy configures trust policy, token TTLs, providers and max permissions.
	Policy PolicyConfig `mapstructure:"policy"`
	// Server configures HTTP listener, timeouts and TLS.
	Server ServerConfig `mapstructure:"server"`
	// OIDC configures the expected token audience.
	OIDC OIDCConfig `mapstructure:"oidc"`
	// Origin configures the shared-secret origin verification header.
	Origin OriginConfig `mapstructure:"origin"`
	// FIPS configures FIPS 140 enablement and mode.
	FIPS FIPSConfig `mapstructure:"fips"`
	// OTel configures the OpenTelemetry exporter and sampler.
	OTel OTelConfig `mapstructure:"otel"`
	// GitHubApps lists GitHub App credentials; validated by ValidateGitHubApps.
	GitHubApps []GitHubAppConfig `mapstructure:"github_apps"`

	// AWSRegion is the AWS region read from KeyAWSRegion.
	AWSRegion string `mapstructure:"aws_region"`
}

Config holds the full application configuration. All nested sections are validated on Load.

func GetCurrent

func GetCurrent() *Config

GetCurrent returns the current application configuration in a concurrency-safe manner.

func Load

func Load(ctx context.Context, configPath string) (*Config, error)

Load loads configuration from file (if present) and environment variables, validates, and sets it as current.

func (*Config) Validate

func (c *Config) Validate() error

Validate validates all configuration sections and returns the first error encountered.

type FIPSConfig

// FIPSConfig holds FIPS 140 enablement and mode settings.
type FIPSConfig struct {
	// Enabled turns FIPS 140 mode on.
	Enabled bool `mapstructure:"enabled"`
	// Mode is FIPSModeOn (prefer FIPS) or FIPSModeOnly (require FIPS);
	// anything else fails validation with ErrInvalidFIPSMode.
	Mode FIPSMode `mapstructure:"mode"`
}

FIPSConfig holds FIPS 140 enablement and mode settings.

func (*FIPSConfig) Validate

func (f *FIPSConfig) Validate() error

Validate validates the FIPS configuration.

type FIPSMode

// FIPSMode is the FIPS 140 mode: "on" (prefer FIPS) or "only" (require FIPS).
type FIPSMode string

FIPSMode is the FIPS 140 mode: "on" (prefer FIPS) or "only" (require FIPS).

// Supported FIPS modes; ValidFIPSModes lists the same set and IsValidFIPSMode
// reports membership.
const (
	// FIPSModeOn prefers FIPS-approved crypto when available.
	FIPSModeOn FIPSMode = "on"
	// FIPSModeOnly requires FIPS-approved crypto only.
	FIPSModeOnly FIPSMode = "only"
)

type GitHubAppConfig

// GitHubAppConfig holds a single GitHub App's client ID, key path, and organization.
type GitHubAppConfig struct {
	// ClientID is the GitHub App client ID; must be non-empty (ErrInvalidGithubAppClientID).
	ClientID string `mapstructure:"client_id"`
	// PrivateKeyPath is the path to the App's private key file; must be non-empty
	// (ErrInvalidGithubAppPrivateKeyPath). Only the path is held here, not the key material.
	PrivateKeyPath string `mapstructure:"private_key_path"`
	// Organization is the GitHub organization the App is installed in; must be non-empty
	// (ErrInvalidGithubAppOrganization).
	Organization string `mapstructure:"organization"`
}

GitHubAppConfig holds a single GitHub App's client ID, key path, and organization.

func (*GitHubAppConfig) Validate

func (c *GitHubAppConfig) Validate() error

Validate validates the GitHub App configuration.

type HourRange

// HourRange holds start and end hours (0-23) for time-based access restrictions.
type HourRange struct {
	// Start is the first allowed hour, 0-23 (ErrInvalidStartHour otherwise).
	Start int `mapstructure:"start"`
	// End is the last allowed hour, 0-23 (ErrInvalidEndHour otherwise).
	// NOTE(review): whether End is inclusive, and how a range with Start > End
	// (wrapping midnight) is treated, is not defined here — confirm in the enforcement code.
	End int `mapstructure:"end"`
}

HourRange holds start and end hours (0-23) for time-based access restrictions.

func (*HourRange) Validate

func (h *HourRange) Validate() error

Validate validates the hour range ensuring Start and End are between 0-23.

type LoggerConfig

// LoggerConfig holds logging level and format settings.
type LoggerConfig struct {
	// Level is the log level; unsupported values fail with ErrInvalidLogLevel.
	Level logger.LogLevel `mapstructure:"level"`
	// Format is the log format (e.g. json, text); unsupported values fail with ErrInvalidLogFormat.
	Format logger.LogFormat `mapstructure:"format"`
}

LoggerConfig holds logging level and format settings.

func (*LoggerConfig) Validate

func (l *LoggerConfig) Validate() error

Validate validates the logger configuration.

type OIDCConfig

// OIDCConfig holds OIDC token audience configuration.
type OIDCConfig struct {
	// Audience is the expected token audience; must be non-empty (ErrInvalidOIDCAudience).
	// DefaultOIDCAudience ("gate") applies when not set.
	Audience string `mapstructure:"audience"`
}

OIDCConfig holds OIDC token audience configuration.

func (*OIDCConfig) Validate

func (o *OIDCConfig) Validate() error

Validate validates the OIDC configuration.

type OTelConfig added in v1.0.4

// OTelConfig holds OpenTelemetry exporter and sampler configuration.
// When Enabled is false, Validate accepts every field value.
type OTelConfig struct {
	// Enabled turns the OpenTelemetry pipeline on.
	Enabled bool `mapstructure:"enabled"`
	// ServiceName is the service.name resource attribute; DefaultOTelServiceName when unset.
	ServiceName string `mapstructure:"service_name"`
	// Endpoint is the OTLP/gRPC collector address; required when Enabled
	// (ErrOTelEndpointRequired). DefaultOTelEndpoint is the default.
	Endpoint string `mapstructure:"endpoint"`
	// Protocol is the OTLP transport; only "grpc" is accepted (ErrOTelInvalidProtocol).
	Protocol string `mapstructure:"protocol"`
	// Insecure disables TLS on the collector connection. Defaults to false
	// (DefaultOTelInsecure); plaintext export must be opted into explicitly.
	Insecure bool `mapstructure:"insecure"`
	// SampleRate is the trace sampler ratio in [0, 1] (ErrOTelInvalidSampleRate).
	SampleRate float64 `mapstructure:"sample_rate"`
	// ExporterTimeout bounds each OTLP export; must be positive (ErrOTelInvalidExporterTimeout).
	ExporterTimeout time.Duration `mapstructure:"exporter_timeout"`
}

OTelConfig holds OpenTelemetry exporter and sampler configuration.

func (*OTelConfig) Validate added in v1.0.4

func (o *OTelConfig) Validate() error

Validate validates OTel configuration. When disabled, all fields are accepted.

type OriginConfig

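// OriginConfig holds origin verification settings (shared secret header).
type OriginConfig struct {
	// Enabled turns origin verification on; the header fields are only
	// required when it is true.
	Enabled bool `mapstructure:"enabled"`
	// HeaderName is the request header that must carry the shared secret;
	// required when Enabled (ErrInvalidOriginHeaderName).
	HeaderName string `mapstructure:"header_name"`
	// HeaderValue is the expected shared-secret value; required when Enabled
	// (ErrInvalidOriginHeaderValue). It is tagged json:"-" for the same reason as
	// AuditSQLConfig.DSN and RedisConfig.Password: the secret must not be emitted
	// when the config is JSON-encoded (config dumps, structured logs).
	HeaderValue string `mapstructure:"header_value" json:"-"`
}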

OriginConfig holds origin verification settings (shared secret header).

func (*OriginConfig) Validate

func (o *OriginConfig) Validate() error

Validate validates the origin verification configuration.

type PolicyConfig

// PolicyConfig holds trust policy path, token TTL limits, providers, and max permissions.
type PolicyConfig struct {
	// Version is the policy schema version; must be one of ValidPolicyVersions
	// (ErrInvalidPolicyVersion). DefaultPolicyVersion is the default.
	Version string `mapstructure:"version"`
	// TrustPolicyPath is the trust policy file; must be non-empty (ErrInvalidTrustPolicyPath).
	TrustPolicyPath string `mapstructure:"trust_policy_path"`
	// DefaultTokenTTL is the default token lifetime in seconds; must be positive
	// (ErrInvalidDefaultTokenTTL) and <= MaxTokenTTL (ErrDefaultTTLExceedsMax).
	DefaultTokenTTL int `mapstructure:"default_token_ttl"`
	// MaxTokenTTL is the maximum token lifetime in seconds; must be positive (ErrInvalidMaxTokenTTL).
	MaxTokenTTL int `mapstructure:"max_token_ttl"`
	// RequireExplicitPolicy requires an explicit matching policy for a request.
	RequireExplicitPolicy bool `mapstructure:"require_explicit_policy"`
	// GitHubAPIBaseURL overrides DefaultGitHubAPIBaseURL (e.g. for GitHub Enterprise).
	GitHubAPIBaseURL string `mapstructure:"github_api_base_url"`
	// GitHubRawBaseURL overrides DefaultGitHubRawBaseURL.
	GitHubRawBaseURL string `mapstructure:"github_raw_base_url"`
	// Providers lists the trusted OIDC providers; Issuers returns their issuer URLs.
	Providers []ProviderConfig `mapstructure:"providers"`
	// MaxPermissions caps permission levels; each value must be none, read, or write
	// (ErrInvalidPermissionLevel).
	MaxPermissions map[string]string `mapstructure:"max_permissions"`
}

PolicyConfig holds trust policy path, token TTL limits, providers, and max permissions.

func (*PolicyConfig) Issuers

func (p *PolicyConfig) Issuers() []string

Issuers returns the issuer URLs from all configured providers.

func (*PolicyConfig) Validate

func (p *PolicyConfig) Validate() error

Validate validates the policy configuration.

type ProviderConfig

// ProviderConfig holds OIDC provider identity, claims, and optional time restrictions.
type ProviderConfig struct {
	// Issuer is the provider's issuer URL; must be non-empty (ErrInvalidProviderIssuer).
	Issuer string `mapstructure:"issuer"`
	// Name identifies the provider; must be non-empty (ErrInvalidProviderName).
	Name string `mapstructure:"name"`
	// RequiredClaims maps claim names to values a token must carry.
	// NOTE(review): exact-match vs. pattern semantics are not defined here — confirm in the verifier.
	RequiredClaims map[string]string `mapstructure:"required_claims"`
	// ForbiddenClaims maps claim names to values a token must not carry (same caveat as above).
	ForbiddenClaims map[string]string `mapstructure:"forbidden_claims"`
	// TimeRestrictions optionally limits when this provider's tokens are accepted.
	TimeRestrictions *TimeRestriction `mapstructure:"time_restrictions"`
}

ProviderConfig holds OIDC provider identity, claims, and optional time restrictions.

func (*ProviderConfig) Validate

func (p *ProviderConfig) Validate() error

Validate validates the OIDC provider configuration.

type RedisConfig

// RedisConfig holds Redis connection settings for the selector store.
type RedisConfig struct {
	// Address is the Redis server address; must be non-empty (ErrInvalidRedisAddress).
	Address string `mapstructure:"address"`
	// Password is the Redis credential. Tagged json:"-" so it is omitted whenever
	// the config is JSON-encoded.
	Password string `mapstructure:"password" json:"-"`
	// DB is the Redis database index; must not be negative (ErrInvalidRedisDB).
	// DefaultRedisDB (0) is the default.
	DB int `mapstructure:"db"`
	// TLS enables TLS to the Redis server.
	TLS bool `mapstructure:"tls"`
}

RedisConfig holds Redis connection settings for the selector store.

func (*RedisConfig) Validate

func (r *RedisConfig) Validate() error

Validate validates the Redis configuration.

type SelectorConfig

// SelectorConfig holds selector store configuration.
type SelectorConfig struct {
	// Type selects the store: memory, redis, or dynamodb (ErrInvalidSelectorStoreType otherwise).
	// DefaultSelectorStoreType (memory) is the default.
	Type SelectorStoreType `mapstructure:"type"`
	// Redis holds connection settings; required when Type is redis (ErrInvalidRedisConfig).
	Redis *RedisConfig `mapstructure:"redis"`
	// DynamoDB holds table settings; required when Type is dynamodb (ErrInvalidSelectorDynamoDBConfig).
	DynamoDB *SelectorDynamoDBConfig `mapstructure:"dynamodb"`
}

SelectorConfig holds selector store configuration.

func (*SelectorConfig) Validate

func (c *SelectorConfig) Validate() error

Validate validates the selector configuration based on type.

type SelectorDynamoDBConfig

// SelectorDynamoDBConfig holds DynamoDB table and TTL settings for the selector store.
type SelectorDynamoDBConfig struct {
	// TableName is the selector table; must be non-empty (ErrInvalidSelectorDynamoDBTable).
	TableName string `mapstructure:"table_name"`
	// TTLMinutes is the entry TTL, validated to [0, MaxSelectorDynamoDBTTLMinutes]
	// (ErrInvalidSelectorDynamoDBTTL).
	TTLMinutes int `mapstructure:"ttl_minutes"`
}

SelectorDynamoDBConfig holds DynamoDB table and TTL settings for the selector store.

func (*SelectorDynamoDBConfig) Validate

func (d *SelectorDynamoDBConfig) Validate() error

Validate validates the DynamoDB selector configuration.

type SelectorStoreType

// SelectorStoreType identifies the session/store backend: memory, redis, or dynamodb.
type SelectorStoreType string

SelectorStoreType identifies the session/store backend: memory, redis, or dynamodb.

// Supported selector stores; any other SelectorStoreType fails validation
// with ErrInvalidSelectorStoreType.
const (
	// SelectorStoreTypeMemory uses in-process memory (no persistence).
	SelectorStoreTypeMemory SelectorStoreType = "memory"
	// SelectorStoreTypeRedis uses Redis for session storage.
	SelectorStoreTypeRedis SelectorStoreType = "redis"
	// SelectorStoreTypeDynamoDB uses DynamoDB for session storage.
	SelectorStoreTypeDynamoDB SelectorStoreType = "dynamodb"
)

type ServerConfig

// ServerConfig holds HTTP server and TLS settings.
// Every timeout must be positive; Validate returns the matching ErrInvalid*Timeout otherwise.
type ServerConfig struct {
	// Port is the listen port, 1-65535 (ErrInvalidPort otherwise); DefaultServerPort is the default.
	Port int `mapstructure:"port"`
	// ReadTimeout is the HTTP read timeout.
	ReadTimeout time.Duration `mapstructure:"read_timeout"`
	// WriteTimeout is the HTTP write timeout.
	WriteTimeout time.Duration `mapstructure:"write_timeout"`
	// ShutdownTimeout bounds server shutdown.
	ShutdownTimeout time.Duration `mapstructure:"shutdown_timeout"`
	// RequestTimeout bounds each request.
	RequestTimeout time.Duration `mapstructure:"request_timeout"`
	// IdleTimeout is the keep-alive idle timeout.
	IdleTimeout time.Duration `mapstructure:"idle_timeout"`
	// WaitTimeout is the graceful shutdown wait duration.
	WaitTimeout time.Duration `mapstructure:"wait_timeout"`
	// TLS holds the certificate and key paths; see TLSConfig.Enabled.
	TLS TLSConfig `mapstructure:"tls"`
}

ServerConfig holds HTTP server and TLS settings.

func (*ServerConfig) GetAddr

func (s *ServerConfig) GetAddr() string

GetAddr returns the server listen address in host:port format.

func (*ServerConfig) Validate

func (s *ServerConfig) Validate() error

Validate validates the server configuration.

type TLSConfig

// TLSConfig holds TLS certificate paths for the server.
// Either both paths are set (TLS on) or neither (TLS off); setting only one
// fails validation with ErrInvalidTLSConfig instead of silently serving plaintext.
type TLSConfig struct {
	// CertFilePath is the path to the server certificate file.
	CertFilePath string `mapstructure:"cert_file_path"`
	// KeyFilePath is the path to the server private key file.
	KeyFilePath string `mapstructure:"key_file_path"`
}

TLSConfig holds TLS certificate paths for the server.

func (*TLSConfig) Enabled

func (t *TLSConfig) Enabled() bool

Enabled returns true if TLS is configured with both cert and key files.

func (*TLSConfig) Validate

func (t *TLSConfig) Validate() error

Validate validates the TLS configuration.

type TimeRestriction

// TimeRestriction holds allowed days and optional hour range for provider access.
type TimeRestriction struct {
	// AllowedDays lists the weekdays on which access is permitted; each entry
	// must be one of the AllowedDays constants (ErrInvalidAllowedDays).
	AllowedDays []AllowedDays `mapstructure:"allowed_days"`
	// AllowedHours optionally narrows access to an hour range; nil means no hour restriction.
	AllowedHours *HourRange `mapstructure:"allowed_hours"`
}

TimeRestriction holds allowed days and optional hour range for provider access.

func (*TimeRestriction) Validate

func (t *TimeRestriction) Validate() error

Validate validates the time restriction configuration.
