Documentation
¶
Overview ¶
Package identity owns the User catalog kind and the SecretRef resolution machinery used to pull credential material out of the environment, files, or (discouraged) inline literals — pydantic-SecretStr style.
User objects are loaded from the same YAML tree as the rest of the catalog but kept in their own snapshot. Postgres tables for identity do not exist yet; seed simply validates and reports what it found so the schema can stabilise before the storage layer lands.
Index ¶
Constants ¶
const APIVersion = "relay.wyolet.dev/v1"
const KindUser = "User"
Variables ¶
This section is empty.
Functions ¶
func Verify ¶
Verify checks whether the supplied cleartext password matches user's stored password. Two formats are accepted:
- bcrypt — value starts with "$2a$", "$2b$" or "$2y$". Compared via bcrypt.CompareHashAndPassword in constant time.
- plain cleartext — anything else. Compared in constant time. This is the legacy YAML format; we log a one-line deprecation warning per verification so operators see the nudge.
Returns false on any mismatch or error (including "not resolved" — Verify is a request-time call, never panic).
Types ¶
type SecretRef ¶
type SecretRef struct {
Value string `yaml:"value,omitempty" json:"-"`
ValueFrom *ValueFromSpec `yaml:"valueFrom,omitempty" json:"valueFrom,omitempty"`
// contains filtered or unexported fields
}
SecretRef carries either an inline value or a reference to one of several out-of-band sources. Exactly one of Value or ValueFrom must be set.
Resolved is populated by Resolve() and is never marshalled — callers read the cleartext via Get().
func (*SecretRef) Get ¶
Get returns the resolved cleartext. Panics if Resolve has not been called — this is a programmer error, not a runtime condition.
func (*SecretRef) IsLiteral ¶
IsLiteral reports whether the value was set inline. Operators can use this to gate warnings about cleartext credentials in YAML.
func (*SecretRef) Source ¶
Source describes where the value came from. Useful for log lines that must not leak the value itself.
func (*SecretRef) UnmarshalYAML ¶
UnmarshalYAML accepts two shapes:
username: admin # plain scalar, equivalent to {value: admin}
password: {valueFrom: {env: PW}} # full mapping
The scalar form is the ergonomic default for non-sensitive fields. The mapping form is required when reading from env or file.
type Store ¶
type Store struct {
// contains filtered or unexported fields
}
Store holds the loaded User set. It is intentionally small — the catalog snapshot pattern is overkill until identity actually has cross-entity references to validate.
func LoadYAML ¶
LoadYAML walks dir and parses every .yaml/.yml file, picking up only kind=User documents. Other kinds are silently skipped so this can run over the same tree the catalog loader walks.
func (*Store) ByUsername ¶
ByUsername looks up a user by their login credential (spec.username), as distinct from ByName which uses the YAML metadata.name. The metadata.name is the resource id; spec.username is what the user types into a login form.
type ValueFromSpec ¶
type ValueFromSpec struct {
Env string `yaml:"env,omitempty" json:"env,omitempty"`
File string `yaml:"file,omitempty" json:"file,omitempty"`
}
ValueFromSpec is the discriminated union of supported indirect sources. Exactly one of Env or File may be non-empty.