auth

package
v0.46.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 9, 2026 License: MPL-2.0 Imports: 35 Imported by: 0

Documentation

Overview

Package auth authenticates and authorizes a subject attempting to access API resources.

Index

Constants

View Source 
const (
	JobTokenType               string = "job"
	SCIMTokenType              string = "scim"
	ServiceAccountTokenType    string = "service_account"
	UserSessionAccessTokenType string = "user_session_access"
	UserSessionCSRFTokenType   string = "user_session_csrf"
)

Valid token types used as private claims for tokens issued by Phobos.

View Source 
const (
	// SessionIDClaim is the claim name for the session id in the jwt token
	SessionIDClaim = "sid"
	// CSRFTokenHeader is the header used to pass the CSRF token
	CSRFTokenHeader = "X-Csrf-Token"
)

Variables

View Source 
var ErrInvalidLoginCredentials = errors.New("invalid username or password", errors.WithErrorCode(errors.EUnauthorized))

ErrInvalidLoginCredentials is returned when the provided login credentials are invalid

View Source 
var ErrNoCaller = errors.New("authentication is required", errors.WithErrorCode(errors.EUnauthorized))

ErrNoCaller is the error returned when the context does not have a caller or a caller auth error

View Source 
var ErrSessionAlreadyExists = errors.New("an active session already exists for this user", errors.WithErrorCode(errors.EConflict))

ErrSessionAlreadyExists is returned when trying to create a session while one already exists

Functions

func FindToken 

func FindToken(r *http.Request, userSessionManager UserSessionManager) (string, error)

FindToken returns the bearer token from an HTTP request or from the cookie.

func GetRequestUserSessionID added in v0.42.0 

func GetRequestUserSessionID(ctx context.Context) (string, bool)

GetRequestUserSessionID returns the user session ID for this request if it exists

func GetSubject 

func GetSubject(ctx context.Context) *string

GetSubject returns a context's subject. Return nil if no subject was found on the context.

func HandleCaller 

func HandleCaller(
	ctx context.Context,
	userHandler func(ctx context.Context, c *UserCaller) error,
	serviceAccountHandler func(ctx context.Context, c *ServiceAccountCaller) error,
) error

HandleCaller will invoke the provided callback based on the type of caller

func NormalizeOIDCIssuer added in v0.39.0 

func NormalizeOIDCIssuer(issuer string) string

NormalizeOIDCIssuer normalizes the OIDC issuer URL by adding "https://" prefix if not present and removing the trailing slash

func ParseUsername 

func ParseUsername(username string) string

ParseUsername parses the username, if any, from the email.

func WithAgentID 

func WithAgentID(id string) func(*constraints)

WithAgentID sets the agentID on Constraints struct.

func WithCaller 

func WithCaller(ctx context.Context, caller Caller) context.Context

WithCaller adds the caller to the context

func WithCallerAuthenticationError added in v0.39.0 

func WithCallerAuthenticationError(ctx context.Context, err error) context.Context

WithCallerAuthenticationError adds the auth error to the context

func WithJobID 

func WithJobID(id string) func(*constraints)

WithJobID sets the job ID on the constraints struct.

func WithOrganizationID 

func WithOrganizationID(id string) func(*constraints)

WithOrganizationID sets the organization ID on constraints struct.

func WithOrganizationIDs 

func WithOrganizationIDs(ids []string) func(*constraints)

WithOrganizationIDs sets the organizationIDs on constraints struct.

func WithPipelineAction 

func WithPipelineAction(path string) func(*constraints)

WithPipelineAction sets the pipeline action path on the constraints struct.

func WithPipelineID 

func WithPipelineID(id string) func(*constraints)

WithPipelineID sets the pipeline ID on the constraints struct.

func WithPipelineTask 

func WithPipelineTask(path string) func(*constraints)

WithPipelineTask sets the pipeline task path on the constraints struct.

func WithProjectID 

func WithProjectID(id string) func(*constraints)

WithProjectID sets the project ID on the constraints struct.

func WithSubject 

func WithSubject(ctx context.Context, subject string) context.Context

WithSubject adds the subject string to the context

func WithTeamID 

func WithTeamID(id string) func(*constraints)

WithTeamID sets the TeamID on Constraints struct.

func WithUserID 

func WithUserID(id string) func(*constraints)

WithUserID sets the UserID on constraints struct.

Types

type Authenticator 

type Authenticator interface {
	// Authenticate verifies the token and returns a Caller
	Authenticate(ctx context.Context, tokenString string, useCache bool) (Caller, error)
}

Authenticator is used to authenticate JWT tokens

func NewAuthenticator 

func NewAuthenticator(
	userAuth *UserAuth,
	signingKeyManager SigningKeyManager,
	dbClient *db.Client,
	maintenanceMonitor maintenance.Monitor,
	issuerURL string,
) Authenticator

NewAuthenticator creates a new Authenticator instance

type Authorizer 

type Authorizer interface {
	RequirePermissions(ctx context.Context, perms []models.Permission, checks ...func(*constraints)) error
	RequireAccessToInheritableResource(ctx context.Context, resourceType []types.ModelType, checks ...func(*constraints)) error
}

Authorizer is used to authorize access to Phobos resources.

type Caller 

type Caller interface {
	GetSubject() string
	IsAdmin() bool
	RequirePermission(ctx context.Context, perm models.Permission, checks ...func(*constraints)) error
	RequireAccessToInheritableResource(ctx context.Context, resourceType types.ModelType, checks ...func(*constraints)) error
	UnauthorizedError(ctx context.Context, hasViewerAccess bool) error
	Authorized()
}

Caller represents a subject performing an API request

func AuthorizeCaller 

func AuthorizeCaller(ctx context.Context) (Caller, error)

AuthorizeCaller verifies that a caller has been authenticated and returns the caller

func GetCaller 

func GetCaller(ctx context.Context) Caller

GetCaller returns a context's caller. Return nil if no caller was found on the context.

type CreateSessionInput added in v0.42.0 

type CreateSessionInput struct {
	Token     *string
	Username  *string
	Password  *string
	UserAgent string
}

CreateSessionInput is the input for creating a session

type CreateSessionResponse added in v0.42.0 

type CreateSessionResponse struct {
	AccessToken  string
	RefreshToken string
	CSRFToken    string
	Session      *models.UserSession
}

CreateSessionResponse is the response for creating a session

type ExchangeOAuthCodeForSessionTokenInput added in v0.42.0 

type ExchangeOAuthCodeForSessionTokenInput struct {
	OAuthCode         string
	OAuthCodeVerifier string
	RedirectURI       string
}

ExchangeOAuthCodeForSessionTokenInput is the input for exchanging an OAuth code for a session token

type ExchangeOAuthCodeForSessionTokenResponse added in v0.42.0 

type ExchangeOAuthCodeForSessionTokenResponse struct {
	AccessToken string
	ExpiresIn   int
}

ExchangeOAuthCodeForSessionTokenResponse is the response for exchanging an OAuth code for a session token

type InitiateSessionOauthCodeFlowInput added in v0.42.0 

type InitiateSessionOauthCodeFlowInput struct {
	CodeChallenge       string
	CodeChallengeMethod string
	RedirectURI         string
	UserSessionID       string
}

InitiateSessionOauthCodeFlowInput is the input for initiating an OAuth code flow

type JobCaller 

type JobCaller struct {
	JobID     string
	ProjectID string
	// contains filtered or unexported fields
}

JobCaller represents a job subject

func (*JobCaller) Authorized 

func (j *JobCaller) Authorized()

Authorized marks the caller as authorized

func (*JobCaller) GetSubject 

func (j *JobCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*JobCaller) IsAdmin 

func (j *JobCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin

func (*JobCaller) RequireAccessToInheritableResource 

func (j *JobCaller) RequireAccessToInheritableResource(ctx context.Context, _ types.ModelType, checks ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if caller doesn't have permissions to inherited resources.

func (*JobCaller) RequirePermission 

func (j *JobCaller) RequirePermission(ctx context.Context, perm models.Permission, checks ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions

func (*JobCaller) UnauthorizedError 

func (j *JobCaller) UnauthorizedError(ctx context.Context, hasViewerAccess bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type MockAuthenticator added in v0.42.0 

type MockAuthenticator struct {
	mock.Mock
}

MockAuthenticator is an autogenerated mock type for the Authenticator type

func NewMockAuthenticator added in v0.42.0 

func NewMockAuthenticator(t interface {
	mock.TestingT
	Cleanup(func())
}) *MockAuthenticator

NewMockAuthenticator creates a new instance of MockAuthenticator. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations. The first argument is typically a *testing.T value.

func (*MockAuthenticator) Authenticate added in v0.42.0 

func (_m *MockAuthenticator) Authenticate(ctx context.Context, tokenString string, useCache bool) (Caller, error)

Authenticate provides a mock function with given fields: ctx, tokenString, useCache

type MockAuthorizer 

type MockAuthorizer struct {
	mock.Mock
}

MockAuthorizer is an autogenerated mock type for the Authorizer type

func NewMockAuthorizer 

func NewMockAuthorizer(t interface {
	mock.TestingT
	Cleanup(func())
}) *MockAuthorizer

NewMockAuthorizer creates a new instance of MockAuthorizer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations. The first argument is typically a *testing.T value.

func (*MockAuthorizer) RequireAccessToInheritableResource 

func (_m *MockAuthorizer) RequireAccessToInheritableResource(ctx context.Context, resourceType []types.ModelType, checks ...func(*constraints)) error

RequireAccessToInheritableResource provides a mock function with given fields: ctx, resourceType, checks

func (*MockAuthorizer) RequirePermissions 

func (_m *MockAuthorizer) RequirePermissions(ctx context.Context, perms []models.Permission, checks ...func(*constraints)) error

RequirePermissions provides a mock function with given fields: ctx, perms, checks

type MockCaller 

type MockCaller struct {
	mock.Mock
}

MockCaller is an autogenerated mock type for the Caller type

func NewMockCaller 

func NewMockCaller(t interface {
	mock.TestingT
	Cleanup(func())
}) *MockCaller

NewMockCaller creates a new instance of MockCaller. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations. The first argument is typically a *testing.T value.

func (*MockCaller) Authorized 

func (_m *MockCaller) Authorized()

Authorized provides a mock function with no fields

func (*MockCaller) GetSubject 

func (_m *MockCaller) GetSubject() string

GetSubject provides a mock function with no fields

func (*MockCaller) IsAdmin 

func (_m *MockCaller) IsAdmin() bool

IsAdmin provides a mock function with no fields

func (*MockCaller) RequireAccessToInheritableResource 

func (_m *MockCaller) RequireAccessToInheritableResource(ctx context.Context, resourceType types.ModelType, checks ...func(*constraints)) error

RequireAccessToInheritableResource provides a mock function with given fields: ctx, resourceType, checks

func (*MockCaller) RequirePermission 

func (_m *MockCaller) RequirePermission(ctx context.Context, perm models.Permission, checks ...func(*constraints)) error

RequirePermission provides a mock function with given fields: ctx, perm, checks

func (*MockCaller) UnauthorizedError 

func (_m *MockCaller) UnauthorizedError(ctx context.Context, hasViewerAccess bool) error

UnauthorizedError provides a mock function with given fields: ctx, hasViewerAccess

type MockOIDCTokenVerifier added in v0.39.0 

type MockOIDCTokenVerifier struct {
	mock.Mock
}

MockOIDCTokenVerifier is an autogenerated mock type for the OIDCTokenVerifier type

func NewMockOIDCTokenVerifier added in v0.39.0 

func NewMockOIDCTokenVerifier(t interface {
	mock.TestingT
	Cleanup(func())
}) *MockOIDCTokenVerifier

NewMockOIDCTokenVerifier creates a new instance of MockOIDCTokenVerifier. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations. The first argument is typically a *testing.T value.

func (*MockOIDCTokenVerifier) VerifyToken added in v0.39.0 

func (_m *MockOIDCTokenVerifier) VerifyToken(ctx context.Context, token string, validationOptions []jwt.ValidateOption) (jwt.Token, error)

VerifyToken provides a mock function with given fields: ctx, token, validationOptions

type MockOpenIDConfigFetcher added in v0.39.0 

type MockOpenIDConfigFetcher struct {
	mock.Mock
}

MockOpenIDConfigFetcher is an autogenerated mock type for the OpenIDConfigFetcher type

func NewMockOpenIDConfigFetcher added in v0.39.0 

func NewMockOpenIDConfigFetcher(t interface {
	mock.TestingT
	Cleanup(func())
}) *MockOpenIDConfigFetcher

NewMockOpenIDConfigFetcher creates a new instance of MockOpenIDConfigFetcher. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations. The first argument is typically a *testing.T value.

func (*MockOpenIDConfigFetcher) GetOpenIDConfig added in v0.39.0 

func (_m *MockOpenIDConfigFetcher) GetOpenIDConfig(ctx context.Context, issuer string) (*OIDCConfiguration, error)

GetOpenIDConfig provides a mock function with given fields: ctx, issuer

type MockSigningKeyManager added in v0.39.0 

type MockSigningKeyManager struct {
	mock.Mock
}

MockSigningKeyManager is an autogenerated mock type for the SigningKeyManager type

func NewMockSigningKeyManager added in v0.39.0 

func NewMockSigningKeyManager(t interface {
	mock.TestingT
	Cleanup(func())
}) *MockSigningKeyManager

NewMockSigningKeyManager creates a new instance of MockSigningKeyManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations. The first argument is typically a *testing.T value.

func (*MockSigningKeyManager) GenerateToken added in v0.39.0 

func (_m *MockSigningKeyManager) GenerateToken(ctx context.Context, input *TokenInput) ([]byte, error)

GenerateToken provides a mock function with given fields: ctx, input

func (*MockSigningKeyManager) GetKeys added in v0.39.0 

func (_m *MockSigningKeyManager) GetKeys(ctx context.Context) ([]byte, error)

GetKeys provides a mock function with given fields: ctx

func (*MockSigningKeyManager) VerifyToken added in v0.39.0 

func (_m *MockSigningKeyManager) VerifyToken(ctx context.Context, token string, validateOptions ...jwt.ValidateOption) (*VerifyTokenOutput, error)

VerifyToken provides a mock function with given fields: ctx, token, validateOptions

type MockUserSessionManager added in v0.42.0 

type MockUserSessionManager struct {
	mock.Mock
}

MockUserSessionManager is an autogenerated mock type for the UserSessionManager type

func NewMockUserSessionManager added in v0.42.0 

func NewMockUserSessionManager(t interface {
	mock.TestingT
	Cleanup(func())
}) *MockUserSessionManager

NewMockUserSessionManager creates a new instance of MockUserSessionManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations. The first argument is typically a *testing.T value.

func (*MockUserSessionManager) ClearUserSessionCookies added in v0.42.0 

func (_m *MockUserSessionManager) ClearUserSessionCookies(w http.ResponseWriter)

ClearUserSessionCookies provides a mock function with given fields: w

func (*MockUserSessionManager) CreateSession added in v0.42.0 

func (_m *MockUserSessionManager) CreateSession(ctx context.Context, input *CreateSessionInput) (*CreateSessionResponse, error)

CreateSession provides a mock function with given fields: ctx, input

func (*MockUserSessionManager) ExchangeOAuthCodeForSessionToken added in v0.42.0 

func (_m *MockUserSessionManager) ExchangeOAuthCodeForSessionToken(ctx context.Context, input *ExchangeOAuthCodeForSessionTokenInput) (*ExchangeOAuthCodeForSessionTokenResponse, error)

ExchangeOAuthCodeForSessionToken provides a mock function with given fields: ctx, input

func (*MockUserSessionManager) GetCurrentSession added in v0.42.0 

func (_m *MockUserSessionManager) GetCurrentSession(ctx context.Context) (*models.UserSession, error)

GetCurrentSession provides a mock function with given fields: ctx

func (*MockUserSessionManager) GetUserSessionAccessTokenCookieName added in v0.42.0 

func (_m *MockUserSessionManager) GetUserSessionAccessTokenCookieName() string

GetUserSessionAccessTokenCookieName provides a mock function with no fields

func (*MockUserSessionManager) GetUserSessionCSRFTokenCookieName added in v0.42.0 

func (_m *MockUserSessionManager) GetUserSessionCSRFTokenCookieName() string

GetUserSessionCSRFTokenCookieName provides a mock function with no fields

func (*MockUserSessionManager) GetUserSessionRefreshTokenCookieName added in v0.42.0 

func (_m *MockUserSessionManager) GetUserSessionRefreshTokenCookieName() string

GetUserSessionRefreshTokenCookieName provides a mock function with no fields

func (*MockUserSessionManager) InitiateSessionOauthCodeFlow added in v0.42.0 

func (_m *MockUserSessionManager) InitiateSessionOauthCodeFlow(ctx context.Context, input *InitiateSessionOauthCodeFlowInput) (string, error)

InitiateSessionOauthCodeFlow provides a mock function with given fields: ctx, input

func (*MockUserSessionManager) InvalidateSession added in v0.42.0 

func (_m *MockUserSessionManager) InvalidateSession(ctx context.Context, accessToken string, refreshToken string) error

InvalidateSession provides a mock function with given fields: ctx, accessToken, refreshToken

func (*MockUserSessionManager) RefreshSession added in v0.42.0 

func (_m *MockUserSessionManager) RefreshSession(ctx context.Context, refreshToken string) (*RefreshSessionResponse, error)

RefreshSession provides a mock function with given fields: ctx, refreshToken

func (*MockUserSessionManager) SetUserSessionCookies added in v0.42.0 

func (_m *MockUserSessionManager) SetUserSessionCookies(w http.ResponseWriter, input *SetUserSessionCookiesInput)

SetUserSessionCookies provides a mock function with given fields: w, input

func (*MockUserSessionManager) VerifyCSRFToken added in v0.42.0 

func (_m *MockUserSessionManager) VerifyCSRFToken(ctx context.Context, requestSessionID string, csrfToken string) error

VerifyCSRFToken provides a mock function with given fields: ctx, requestSessionID, csrfToken

type OIDCConfiguration 

type OIDCConfiguration struct {
	Issuer        string `json:"issuer"`
	JwksURI       string `json:"jwks_uri"`
	TokenEndpoint string `json:"token_endpoint"`
	AuthEndpoint  string `json:"authorization_endpoint"`
}

OIDCConfiguration contains the OIDC information for an identity provider

type OIDCTokenVerifier added in v0.39.0 

type OIDCTokenVerifier interface {
	// VerifyToken verifies the OIDC token and returns the decoded token
	// If the token is not valid, it returns an error
	VerifyToken(ctx context.Context, token string, validationOptions []jwt.ValidateOption) (jwt.Token, error)
}

OIDCTokenVerifier is an interface for verifying OIDC tokens

func NewOIDCTokenVerifier added in v0.39.0 

func NewOIDCTokenVerifier(ctx context.Context, issuers []string, oidcConfigFetcher OpenIDConfigFetcher, enableCache bool) OIDCTokenVerifier

NewOIDCTokenVerifier creates a new OIDCTokenVerifier instance

type OpenIDConfigFetcher 

type OpenIDConfigFetcher interface {
	// GetOpenIDConfig returns the OIDC configuration for the given issuer
	GetOpenIDConfig(ctx context.Context, issuer string) (*OIDCConfiguration, error)
}

OpenIDConfigFetcher is an interface for fetching OIDC configuration

func NewOpenIDConfigFetcher 

func NewOpenIDConfigFetcher() OpenIDConfigFetcher

NewOpenIDConfigFetcher returns a new NewOpenIDConfigFetcher

type RefreshSessionResponse added in v0.42.0 

type RefreshSessionResponse struct {
	AccessToken  string
	RefreshToken string
	Session      *models.UserSession
}

RefreshSessionResponse is the response for updating a session

type SCIMCaller 

type SCIMCaller struct {
	// contains filtered or unexported fields
}

SCIMCaller represents a SCIM subject.

func NewSCIMCaller 

func NewSCIMCaller(dbClient *db.Client, maintenanceMonitor maintenance.Monitor) *SCIMCaller

NewSCIMCaller returns a new SCIM caller.

func (*SCIMCaller) Authorized 

func (s *SCIMCaller) Authorized()

Authorized marks the caller as authorized

func (*SCIMCaller) GetSubject 

func (s *SCIMCaller) GetSubject() string

GetSubject returns the subject identifier for this caller.

func (*SCIMCaller) IsAdmin 

func (s *SCIMCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin.

func (*SCIMCaller) RequireAccessToInheritableResource 

func (s *SCIMCaller) RequireAccessToInheritableResource(ctx context.Context, _ types.ModelType, _ ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if the caller doesn't have access to the specified resource type.

func (*SCIMCaller) RequirePermission 

func (s *SCIMCaller) RequirePermission(ctx context.Context, perm models.Permission, checks ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified models.

func (*SCIMCaller) UnauthorizedError 

func (s *SCIMCaller) UnauthorizedError(_ context.Context, hasViewerAccess bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type ServiceAccountCaller 

type ServiceAccountCaller struct {
	ServiceAccountID  string
	ServiceAccountPRN string
	// contains filtered or unexported fields
}

ServiceAccountCaller represents a service account subject

func NewServiceAccountCaller 

func NewServiceAccountCaller(
	id,
	prn string,
	authorizer Authorizer,
	dbClient *db.Client,
	maintenanceMonitor maintenance.Monitor,
) *ServiceAccountCaller

NewServiceAccountCaller returns a new ServiceAccountCaller

func (*ServiceAccountCaller) Authorized 

func (s *ServiceAccountCaller) Authorized()

Authorized marks the caller as authorized

func (*ServiceAccountCaller) GetSubject 

func (s *ServiceAccountCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*ServiceAccountCaller) IsAdmin 

func (s *ServiceAccountCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin

func (*ServiceAccountCaller) RequireAccessToInheritableResource 

func (s *ServiceAccountCaller) RequireAccessToInheritableResource(ctx context.Context, resourceType types.ModelType, checks ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if caller doesn't have permissions to inherited resources.

func (*ServiceAccountCaller) RequirePermission 

func (s *ServiceAccountCaller) RequirePermission(ctx context.Context, perm models.Permission, checks ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions

func (*ServiceAccountCaller) UnauthorizedError 

func (s *ServiceAccountCaller) UnauthorizedError(_ context.Context, hasViewerAccess bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type SetUserSessionCookiesInput added in v0.42.0 

type SetUserSessionCookiesInput struct {
	AccessToken       string
	RefreshToken      string
	CsrfToken         *string
	SessionExpiration time.Time
}

SetUserSessionCookiesInput is the input for setting user session cookies

type SigningKeyManager added in v0.39.0 

type SigningKeyManager interface {
	// GenerateToken creates a new JWT token
	GenerateToken(ctx context.Context, input *TokenInput) ([]byte, error)
	// VerifyToken verifies that the token is valid
	VerifyToken(ctx context.Context, token string, validateOptions ...jwt.ValidateOption) (*VerifyTokenOutput, error)
	// GetKeys returns the JSON Web Key Set (JWKS)
	GetKeys(ctx context.Context) ([]byte, error)
}

SigningKeyManager is an interface for generating and verifying JWT tokens

func NewSigningKeyManager added in v0.39.0 

func NewSigningKeyManager(
	ctx context.Context,
	logger logger.Logger,
	jwsPlugin jwsplugin.Provider,
	dbClient *db.Client,
	eventManager *events.EventManager,
	cfg *config.Config,
) (SigningKeyManager, error)

NewSigningKeyManager initializes the SigningKeyManager type

type SystemCaller 

type SystemCaller struct {
	Subject string
}

SystemCaller is the caller subject for internal system calls

func (*SystemCaller) Authorized 

func (s *SystemCaller) Authorized()

Authorized marks the caller as authorized

func (*SystemCaller) GetSubject 

func (s *SystemCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*SystemCaller) IsAdmin 

func (s *SystemCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin

func (*SystemCaller) RequireAccessToInheritableResource 

func (s *SystemCaller) RequireAccessToInheritableResource(ctx context.Context, _ types.ModelType, _ ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if the caller doesn't have access to the specified resource type

func (*SystemCaller) RequirePermission 

func (s *SystemCaller) RequirePermission(ctx context.Context, _ models.Permission, _ ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions

func (*SystemCaller) UnauthorizedError 

func (s *SystemCaller) UnauthorizedError(_ context.Context, _ bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type TokenInput 

type TokenInput struct {
	Expiration *time.Time
	Claims     map[string]string
	Subject    string
	JwtID      string
	Audience   string
}

TokenInput provides options for creating a new service account token

type UserAuth 

type UserAuth struct {
	// contains filtered or unexported fields
}

UserAuth implements JWT authentication

func NewUserAuth 

func NewUserAuth(
	ctx context.Context,
	identityProviders []config.IdpConfig,
	logger logger.Logger,
	dbClient *db.Client,
	maintenanceMonitor maintenance.Monitor,
	oidcConfigFetcher OpenIDConfigFetcher,
) *UserAuth

NewUserAuth creates an instance of UserAuth

func (*UserAuth) Authenticate 

func (u *UserAuth) Authenticate(ctx context.Context, tokenString string, useCache bool) (Caller, error)

Authenticate validates a user JWT and returns a UserCaller

func (*UserAuth) GetUsernameClaim 

func (u *UserAuth) GetUsernameClaim(token jwt.Token) (string, error)

GetUsernameClaim returns the username from a JWT token

func (*UserAuth) Use added in v0.39.0 

func (u *UserAuth) Use(token jwt.Token) bool

Use checks if the UserAuth instance can handle the given issuer URL

type UserCaller 

type UserCaller struct {
	User          *models.User
	UserSessionID *string
	// contains filtered or unexported fields
}

UserCaller represents a user subject

func NewUserCaller 

func NewUserCaller(user *models.User, authorizer Authorizer, dbClient *db.Client, maintenanceMonitor maintenance.Monitor, userSessionID *string) *UserCaller

NewUserCaller returns a new UserCaller

func (*UserCaller) Authorized 

func (u *UserCaller) Authorized()

Authorized marks the caller as authorized

func (*UserCaller) GetSubject 

func (u *UserCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*UserCaller) GetTeams 

func (u *UserCaller) GetTeams(ctx context.Context) ([]models.Team, error)

GetTeams does lazy initialization of the list of teams for this user caller.

func (*UserCaller) IsAdmin 

func (u *UserCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin

func (*UserCaller) RequireAccessToInheritableResource 

func (u *UserCaller) RequireAccessToInheritableResource(ctx context.Context, resourceType types.ModelType, checks ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if caller doesn't have permissions to inherited resources.

func (*UserCaller) RequirePermission 

func (u *UserCaller) RequirePermission(ctx context.Context, perm models.Permission, checks ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions

func (*UserCaller) UnauthorizedError 

func (u *UserCaller) UnauthorizedError(_ context.Context, hasViewerAccess bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type UserSessionManager added in v0.42.0 

type UserSessionManager interface {
	GetCurrentSession(ctx context.Context) (*models.UserSession, error)
	CreateSession(ctx context.Context, input *CreateSessionInput) (*CreateSessionResponse, error)
	RefreshSession(ctx context.Context, refreshToken string) (*RefreshSessionResponse, error)
	InvalidateSession(ctx context.Context, accessToken, refreshToken string) error
	VerifyCSRFToken(ctx context.Context, requestSessionID string, csrfToken string) error
	ExchangeOAuthCodeForSessionToken(ctx context.Context, input *ExchangeOAuthCodeForSessionTokenInput) (*ExchangeOAuthCodeForSessionTokenResponse, error)
	InitiateSessionOauthCodeFlow(ctx context.Context, input *InitiateSessionOauthCodeFlowInput) (string, error)
	SetUserSessionCookies(w http.ResponseWriter, input *SetUserSessionCookiesInput)
	ClearUserSessionCookies(w http.ResponseWriter)
	GetUserSessionAccessTokenCookieName() string
	GetUserSessionRefreshTokenCookieName() string
	GetUserSessionCSRFTokenCookieName() string
}

UserSessionManager interface defines the operations for managing user sessions

func NewUserSessionManager added in v0.42.0 

func NewUserSessionManager(
	dbClient *db.Client,
	signingKeyManager SigningKeyManager,
	authenticator Authenticator,
	logger logger.Logger,
	accessTokenExpirationMinutes int,
	refreshTokenExpirationMinutes int,
	maxSessionsPerUser int,
	phobosAPIURL string,
	phobosUIURL string,
	userCredentialLoginEnabled bool,
) (UserSessionManager, error)

NewUserSessionManager creates a new UserSessionManager instance

type VerifyTokenOutput 

type VerifyTokenOutput struct {
	Token         jwt.Token
	PrivateClaims map[string]string
}

VerifyTokenOutput is the response from verifying a token

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.