authorization

package
v1.16.1 Latest

This package is not in the latest version of its module.
Published: May 7, 2026 License: Apache-2.0 Imports: 7 Imported by: 1

README

pkg/middleware/authorization

This package carries request-local authorization facts through the middleware and handler stack.

Intent

pkg/middleware/authorization is a context-and-header helper package for normalized authorization state.

It exists to make the already-established identity facts of a request available to later layers without forcing each package to rediscover them from raw headers or tokens.

Its main responsibilities are:

  • carry normalized authorization information in request context
  • distinguish user, service account, and system account request modes
  • propagate the originating client certificate through an internal service chain when needed

Invariants

  • Info is the canonical request-local authorization payload.
  • Authorization facts are set once by trusted middleware and then consumed downstream.
  • The propagated client certificate is carried verbatim from the trusted ingress/service chain headers and is used primarily for certificate-bound token handling.
  • Client certificate propagation is contextual and explicit, not global process state.
  • This package does not itself authenticate the request; it carries the results of authentication.

Caveats

  • The package is intentionally small, but it sits on a trust boundary because downstream packages assume the information here has already been normalized by trusted middleware.
  • The client certificate propagation model depends on the surrounding ingress and middleware invariants that prevent end-user spoofing of internal certificate headers.
  • Incorrect or missing context population here breaks later principal, RBAC, and audit behaviour.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ClientCertFromContext

func ClientCertFromContext(ctx context.Context) (string, error)

func ExtractClientCert

func ExtractClientCert(ctx context.Context, header http.Header) (context.Context, error)

ExtractClientCert is called from the API either to propagate an existing certificate to the context or to extract one from headers injected by TLS termination.

func InjectClientCert

func InjectClientCert(ctx context.Context, header http.Header)

InjectClientCert is called by clients to propagate the client certificate that started the call chain (and therefore owns the access token) to the next server.

func NewContext added in v0.2.52

func NewContext(ctx context.Context, info *Info) context.Context

func NewContextWithClientCert

func NewContextWithClientCert(ctx context.Context, clientCert string) context.Context

NewContextWithClientCert is used to propagate the client certificate to other clients. The client certificate parameter is passed verbatim from the TLS termination header, so it should be a URL-encoded string.
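The client-certificate half of this package, written out as an added example that is not the project's own code: an unexported context key keeps the certificate request-scoped rather than global, ExtractClientCert keeps a certificate already present in the context (an internal hop) and otherwise takes the one the TLS terminator injected, and InjectClientCert copies it onto the outgoing request. The header name `X-Client-Cert` and the context-before-header precedence are assumptions; the page names neither.

```go
package main

import (
	"context"
	"errors"
	"net/http"
)

// clientCertKey is an unexported key type, so the certificate is request-scoped
// context state rather than global process state.
type clientCertKey struct{}

// clientCertHeader is an assumed name for the header set by TLS termination;
// the page does not name the real one.
const clientCertHeader = "X-Client-Cert"

var ErrNoClientCert = errors.New("authorization: no client certificate in context")

// NewContextWithClientCert stores the URL-encoded certificate verbatim.
func NewContextWithClientCert(ctx context.Context, clientCert string) context.Context {
	return context.WithValue(ctx, clientCertKey{}, clientCert)
}

// ClientCertFromContext returns the propagated certificate or an error if absent.
func ClientCertFromContext(ctx context.Context) (string, error) {
	cert, ok := ctx.Value(clientCertKey{}).(string)
	if !ok || cert == "" {
		return "", ErrNoClientCert
	}
	return cert, nil
}

// ExtractClientCert keeps a certificate already in the context (an internal hop)
// and otherwise takes the one the TLS terminator injected into the header (assumed precedence).
func ExtractClientCert(ctx context.Context, header http.Header) (context.Context, error) {
	if _, err := ClientCertFromContext(ctx); err == nil {
		return ctx, nil
	}
	cert := header.Get(clientCertHeader)
	if cert == "" {
		return ctx, ErrNoClientCert
	}
	return NewContextWithClientCert(ctx, cert), nil
}

// InjectClientCert copies the context certificate onto an outgoing request header.
func InjectClientCert(ctx context.Context, header http.Header) {
	if cert, err := ClientCertFromContext(ctx); err == nil {
		header.Set(clientCertHeader, cert)
	}
}
```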

Types

type Info added in v0.2.52

type Info struct {
	// Token is a copy of the access token made available to handlers.
	Token string
	// Userinfo is a parsed version of the token, used primarily for
	// auditing etc.
	Userinfo *openapi.Userinfo
	// ClientID optionally records the oauth2 client that initiated
	// the session, and can be used to route errors to the correct
	// endpoint.
	ClientID string
	// SystemAccount means this belongs to a system account that is
	// authenticated with X.509.
	SystemAccount bool
	// ServiceAccount means this belongs explicitly to a service account.
	ServiceAccount bool
}

Info contains all the information we can derive from an access token.

func FromContext added in v0.2.52

func FromContext(ctx context.Context) (*Info, error)
