auth

package v0.0.2
Warning: This package is not in the latest version of its module.
Published: Feb 16, 2026 License: Apache-2.0 Imports: 3 Imported by: 0

Documentation

Overview

Package auth provides the authentication and authorization abstraction for the control plane. It defines the Provider interface that any auth backend can implement, the Claims type that a backend produces, context helpers for carrying Claims through a request, and a NoopProvider for development and testing.

Constants

This section is empty.

Variables

var ErrUnauthorized = errors.New("ctrlplane: unauthorized")

ErrUnauthorized indicates the request lacks valid authentication credentials.

Functions

func WithClaims

func WithClaims(ctx context.Context, c *Claims) context.Context

WithClaims returns a copy of ctx that carries c. Retrieve the value again with ClaimsFrom or RequireClaims.

Types

type AuthzRequest

type AuthzRequest struct {
	TenantID   string `json:"tenant_id"`
	SubjectID  string `json:"subject_id"`
	Resource   string `json:"resource"`
	Action     string `json:"action"`
	ResourceID string `json:"resource_id,omitempty"`
}

AuthzRequest describes a single authorization check: whether SubjectID, acting within TenantID, may perform Action on Resource, optionally narrowed to one ResourceID.

type Claims

type Claims struct {
	SubjectID string            `json:"sub"`
	TenantID  string            `json:"tenant_id,omitempty"`
	Email     string            `json:"email,omitempty"`
	Name      string            `json:"name,omitempty"`
	Roles     []string          `json:"roles,omitempty"`
	Metadata  map[string]string `json:"metadata,omitempty"`
}

Claims represents the authenticated identity as returned by Provider.Authenticate and carried in the request context. SubjectID (serialized as sub) is the only field written unconditionally; every other field is omitted from JSON when empty.

func ClaimsFrom

func ClaimsFrom(ctx context.Context) *Claims

ClaimsFrom retrieves Claims from ctx, returning nil if none are present. Code that must have an identity should call RequireClaims instead of testing for nil at every call site.

func RequireClaims

func RequireClaims(ctx context.Context) (*Claims, error)

RequireClaims retrieves Claims from ctx, returning ErrUnauthorized when none are present.

func (*Claims) HasRole

func (c *Claims) HasRole(role string) bool

HasRole reports whether role is among c.Roles.

func (*Claims) IsSystemAdmin

func (c *Claims) IsSystemAdmin() bool

IsSystemAdmin returns true if claims contain the system admin role.

type NoopProvider

type NoopProvider struct {
	DefaultTenantID string
	DefaultClaims   *Claims
}

NoopProvider accepts every token and allows every operation. Use it for development and testing only: because Authenticate ignores its token argument, wiring NoopProvider into a deployed service hands DefaultClaims to any caller, credentialed or not.

func (*NoopProvider) Authenticate

func (n *NoopProvider) Authenticate(_ context.Context, _ string) (*Claims, error)

Authenticate ignores the token (including an empty one) and returns DefaultClaims.

func (*NoopProvider) Authorize

func (n *NoopProvider) Authorize(_ context.Context, _ AuthzRequest) (bool, error)

Authorize ignores the request and reports true for every operation.

func (*NoopProvider) GetTenantID

func (n *NoopProvider) GetTenantID(_ context.Context) string

GetTenantID ignores ctx and returns DefaultTenantID.

type Provider

type Provider interface {
	// Authenticate validates credentials or token and returns Claims.
	// Typically called by middleware from an HTTP request.
	Authenticate(ctx context.Context, token string) (*Claims, error)

	// Authorize checks whether the identity in ctx has the given
	// permission on the specified resource.
	Authorize(ctx context.Context, req AuthzRequest) (bool, error)

	// GetTenantID extracts the tenant/org ID from context.
	// Returns empty string if not in a tenant context.
	GetTenantID(ctx context.Context) string
}

Provider abstracts authentication and authorization. Implement this interface to plug in an auth backend. The intended flow is that request middleware calls Authenticate, stores the result with WithClaims, and hands the resulting context to Authorize, which reads the identity from ctx rather than trusting anything in the request body.
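The flow that the Provider interface and the context helpers (WithClaims, ClaimsFrom, RequireClaims) are designed for, as an added example that is not part of this package: an HTTP middleware calls Provider.Authenticate on the bearer token and stores the result with WithClaims; the handler recovers it with RequireClaims, builds an AuthzRequest from the verified Claims rather than from client-supplied data, and calls Provider.Authorize. Because the example must run on its own it re-declares minimal stand-ins for Claims, AuthzRequest, Provider, ErrUnauthorized, WithClaims and RequireClaims with the signatures documented above; GetTenantID is left out of the stand-in interface because nothing here calls it, and the package's own context key and implementation are not shown on this page and may differ. The staticProvider, its token table, the tok-* tokens, the cluster/delete resource and the admin role are all constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"slices"
	"strings"
)

// Stand-ins for the package API so the example runs on its own. Signatures follow the docs
// above; the package's internals (e.g. its context key) may differ. GetTenantID is omitted.
var ErrUnauthorized = errors.New("ctrlplane: unauthorized")

type Claims struct{ SubjectID, TenantID string; Roles []string }
type AuthzRequest struct{ TenantID, SubjectID, Resource, Action, ResourceID string }
type Provider interface {
	Authenticate(ctx context.Context, token string) (*Claims, error)
	Authorize(ctx context.Context, req AuthzRequest) (bool, error)
}
type claimsKey struct{} // unexported: other packages cannot plant Claims via context.WithValue
func WithClaims(ctx context.Context, c *Claims) context.Context {
	return context.WithValue(ctx, claimsKey{}, c)
}
func RequireClaims(ctx context.Context) (*Claims, error) {
	if c, _ := ctx.Value(claimsKey{}).(*Claims); c != nil {
		return c, nil
	}
	return nil, ErrUnauthorized
}

// staticProvider is a constructed test double: a token table plus "read is open in-tenant, delete needs admin".
type staticProvider struct{ tokens map[string]*Claims }
func (p *staticProvider) Authenticate(_ context.Context, token string) (*Claims, error) {
	if c, ok := p.tokens[token]; ok {
		return c, nil
	}
	return nil, ErrUnauthorized // unknown or empty token: fail closed
}
func (p *staticProvider) Authorize(ctx context.Context, req AuthzRequest) (bool, error) {
	c, err := RequireClaims(ctx)
	if err != nil || req.TenantID != c.TenantID { // no identity, or cross-tenant request: deny
		return false, err
	}
	return req.Action == "read" || (req.Action == "delete" && slices.Contains(c.Roles, "admin")), nil
}

// authenticate is the middleware: bearer token -> Provider.Authenticate -> Claims in the
// request context. Any failure is a bare 401 that does not say why the token was rejected.
func authenticate(p Provider, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
		c, err := p.Authenticate(r.Context(), token)
		if !ok || err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(WithClaims(r.Context(), c)))
	})
}

// deleteCluster builds the AuthzRequest from the verified Claims and the URL, never from a
// client-supplied tenant field; absent Claims map to 401, a deny to 403.
func deleteCluster(p Provider) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := RequireClaims(r.Context())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		ok, err := p.Authorize(r.Context(), AuthzRequest{TenantID: c.TenantID, SubjectID: c.SubjectID,
			Resource: "cluster", Action: "delete", ResourceID: r.URL.Query().Get("id")})
		if err != nil || !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// call sends one DELETE with the given Authorization header through middleware and handler (constructed token table) and returns the status code.
func call(authorization string) int {
	p := &staticProvider{tokens: map[string]*Claims{
		"tok-alice": {SubjectID: "alice", TenantID: "t1", Roles: []string{"admin"}},
		"tok-bob":   {SubjectID: "bob", TenantID: "t1", Roles: []string{"viewer"}},
	}}
	req := httptest.NewRequest(http.MethodDelete, "/clusters?id=c-42", nil)
	req.Header.Set("Authorization", authorization)
	rec := httptest.NewRecorder()
	authenticate(p, deleteCluster(p)).ServeHTTP(rec, req)
	return rec.Code
}

func main() { // prints 204 403 401 401
	fmt.Println(call("Bearer tok-alice"), call("Bearer tok-bob"), call("Bearer tok-forged"), call("Basic dXNlcjpwdw=="))
}
```

Two details carry the security weight. The context key is an unexported type, so only this package can put Claims into a context; a handler cannot be tricked by a value some other package planted. And the handler copies TenantID and SubjectID out of the verified Claims into the AuthzRequest, so a client cannot steer the check toward another tenant by sending its own tenant field. The same structure applies when the Provider is backed by JWT validation or an external policy engine instead of the constructed token table.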
