Constants ¶
// DefaultCloudURL is the default base URL for miren.cloud.
// Keep this an https:// URL: the auth flow exchanges challenges, signatures
// and JWTs with this endpoint, so it must not be reachable over plaintext.
const DefaultCloudURL = "https://api.miren.cloud"
DefaultCloudURL is the default URL for miren.cloud
// DefaultRefreshInterval is the default interval at which PolicyFetcher
// re-fetches RBAC policies; WithRefreshInterval can override it.
const DefaultRefreshInterval = 60 * time.Second
DefaultRefreshInterval is the default interval for refreshing policies
Variables ¶
// ErrPrivateAddress is returned when the cloud rejects a request because the
// cluster's source IP is private, loopback or link-local. Match it with
// errors.Is rather than ==, in case the returned error has been wrapped.
var ErrPrivateAddress = errors.New("client IP is not a public address")
ErrPrivateAddress is returned when the cloud rejects the request because the cluster's IP is private/loopback/link-local.
Functions ¶
func PublicKeyFromPEM ¶
PublicKeyFromPEM parses a public key from PEM format
Types ¶
type AuthClient ¶
// AuthClient performs service-account authentication against miren.cloud and
// caches the resulting JWT (see GetToken / InvalidateToken). Its fields are
// unexported, so construct it with NewAuthClient rather than a literal.
type AuthClient struct {
	// contains filtered or unexported fields
}
AuthClient handles service account authentication with miren.cloud
func NewAuthClient ¶
func NewAuthClient(serverURL string, keyPair *KeyPair) (*AuthClient, error)
NewAuthClient creates a new authentication client
func (*AuthClient) Authenticate ¶
func (a *AuthClient) Authenticate(ctx context.Context) (string, error)
Authenticate performs the public key authentication flow and returns a JWT
func (*AuthClient) GetToken ¶
func (a *AuthClient) GetToken(ctx context.Context) (string, error)
GetToken returns a valid JWT, refreshing if necessary
func (*AuthClient) InvalidateToken ¶
func (a *AuthClient) InvalidateToken()
InvalidateToken clears the cached token
func (*AuthClient) ReportClusterStatus ¶
func (a *AuthClient) ReportClusterStatus(ctx context.Context, status *StatusReport) error
ReportClusterStatus sends a status report for the specified cluster
type BeginAuthRequest ¶
// BeginAuthRequest is the body sent to start the public-key authentication flow.
type BeginAuthRequest struct {
	// Fingerprint identifies the cluster's public key to the server.
	// Presumably the "SHA256:<base64>" value produced by KeyPair.Fingerprint — confirm against the server.
	Fingerprint string `json:"fingerprint"`
}
BeginAuthRequest is the request to begin authentication
type BeginAuthResponse ¶
// BeginAuthResponse is the server's reply to BeginAuthRequest. The client
// echoes Envelope back in CompleteAuthRequest and signs Challenge with its
// private key.
type BeginAuthResponse struct {
	// Envelope is opaque server state that must be returned unchanged in CompleteAuthRequest.
	Envelope string `json:"envelope"`
	// Challenge is the server-chosen value the client must sign to prove key possession.
	Challenge string `json:"challenge"`
}
BeginAuthResponse is the response from begin authentication
type CompleteAuthRequest ¶
// CompleteAuthRequest is the body sent to finish the authentication flow.
type CompleteAuthRequest struct {
	// Envelope is the value received in BeginAuthResponse.Envelope, returned as-is.
	Envelope string `json:"envelope"`
	// Signature is the client's signature over the challenge.
	// NOTE(review): presumably base64-encoded, matching VerifySignature's signatureBase64 parameter — confirm.
	Signature string `json:"signature"`
}
CompleteAuthRequest is the request to complete authentication
type CompleteAuthResponse ¶
// CompleteAuthResponse is the server's reply to a successful CompleteAuthRequest.
// Token is a bearer credential: treat it as a secret and keep it out of logs.
type CompleteAuthResponse struct {
	// ServiceAccount identifies the account the key pair was authenticated as.
	ServiceAccount struct {
		ID   string `json:"id"`
		Name string `json:"name"`
	} `json:"service_account"`
	// Token is the JWT used for subsequent authenticated calls.
	Token string `json:"token"`
	// ExpiresIn is the token lifetime in seconds; zero means the server did not report one.
	ExpiresIn int `json:"expires_in,omitempty"` // Optional: seconds until expiry
}
CompleteAuthResponse is the response from complete authentication
type Config ¶
// Config configures NewRPCAuthenticator.
type Config struct {
	// CloudURL is the miren.cloud base URL.
	// NOTE(review): presumably DefaultCloudURL is used when empty — confirm in NewRPCAuthenticator.
	CloudURL string
	// AuthClient supplies the JWT used to fetch policies from the cloud.
	AuthClient *AuthClient
	// Logger receives the authenticator's structured logs.
	Logger *slog.Logger
	// Tags are attributes describing this runtime/cluster.
	Tags map[string]any // Tags for this runtime/cluster
}
Config for RPCAuthenticator
type KeyPair ¶
// KeyPair is the ED25519 key pair a cluster uses to authenticate to miren.cloud.
// The server knows the cluster by Fingerprint(), a SHA256 digest of PublicKey.
type KeyPair struct {
	// PrivateKey signs authentication challenges. It is a long-term credential:
	// never log it, and persist it only via PrivateKeyPEM to protected storage.
	PrivateKey ed25519.PrivateKey
	// PublicKey is the verifying half; PublicKeyPEM serializes it for the server.
	PublicKey ed25519.PublicKey
}
KeyPair represents an ED25519 key pair for cluster authentication
func GenerateKeyPair ¶
GenerateKeyPair generates a new ED25519 key pair
func LoadKeyPairFromPEM ¶
LoadKeyPairFromPEM loads a key pair from PEM encoded strings
func (*KeyPair) Fingerprint ¶
Fingerprint returns the SHA256 fingerprint of the public key in the format "SHA256:base64encoded" to match the server
func (*KeyPair) PrivateKeyPEM ¶
PrivateKeyPEM returns the private key in PEM format
func (*KeyPair) PublicKeyPEM ¶
PublicKeyPEM returns the public key in PEM format
type NetcheckDualStackResult ¶ added in v0.7.0
// NetcheckDualStackResult holds the netcheck responses for both address
// families. Either pointer may be nil when that family is unavailable or its
// check failed, so callers must nil-check before use.
type NetcheckDualStackResult struct {
	IPv4 *NetcheckResponse
	IPv6 *NetcheckResponse
}
NetcheckDualStackResult holds netcheck responses for both address families.
func NetcheckDualStack ¶ added in v0.7.0
func NetcheckDualStack(ctx context.Context, cloudURL string, ports []NetcheckPort) (*NetcheckDualStackResult, error)
NetcheckDualStack calls the netcheck endpoint concurrently over IPv4 and IPv6 to discover public addresses on both address families. Each call gets its own timeout so a missing address family fails fast without blocking the other. Either result may be nil if the address family is unavailable or the check fails. Returns an error only if both checks fail.
type NetcheckPort ¶ added in v0.6.1
// NetcheckPort names one port/protocol pair the cloud should probe for reachability.
type NetcheckPort struct {
	// Port is the TCP/UDP port number to probe.
	Port int `json:"port"`
	// Protocol selects the probe type; the accepted values are "http", "https" and "http3".
	Protocol string `json:"protocol"` // "http", "https", "http3"
}
NetcheckPort describes a port and protocol to check for reachability.
type NetcheckRequest ¶ added in v0.6.1
// NetcheckRequest is the body of a netcheck call. The endpoint is
// unauthenticated; the cloud probes the request's source IP on Ports.
type NetcheckRequest struct {
	Ports []NetcheckPort `json:"ports"`
}
NetcheckRequest is the request body for the netcheck endpoint.
type NetcheckResponse ¶ added in v0.6.1
// NetcheckResponse is the cloud's reply to a NetcheckRequest.
type NetcheckResponse struct {
	// SourceAddress is the public address the cloud saw the request come from
	// and probed; compare it with the cluster's expected address.
	SourceAddress string `json:"source_address"`
	// Results holds one entry per requested port.
	Results []NetcheckResult `json:"results"`
	// DurationMs is the server-side time spent probing, in milliseconds.
	DurationMs int `json:"duration_ms"`
}
NetcheckResponse is the response from the netcheck endpoint.
func Netcheck ¶ added in v0.6.1
func Netcheck(ctx context.Context, cloudURL string, ports []NetcheckPort, network string) (*NetcheckResponse, error)
Netcheck calls the cloud's netcheck endpoint to determine whether the cluster is publicly reachable on the given ports. The endpoint requires no authentication — it uses the request's source IP for probing.
The network parameter controls the address family: "tcp4" forces IPv4, "tcp6" forces IPv6, and "" uses the OS default.
type NetcheckResult ¶ added in v0.6.1
// NetcheckResult is the outcome of probing a single port.
type NetcheckResult struct {
	Port     int    `json:"port"`
	Protocol string `json:"protocol"`
	// Reachable reports whether the cloud could connect to Port with Protocol.
	Reachable bool `json:"reachable"`
	// LatencyMs is the probe round-trip time in milliseconds.
	LatencyMs int `json:"latency_ms"`
	// Error describes why the probe failed; empty (and omitted) on success.
	Error string `json:"error,omitempty"`
}
NetcheckResult is the result of a single port check.
type PolicyFetcher ¶
// PolicyFetcher periodically fetches RBAC policies from miren.cloud and
// exposes the latest one through GetPolicy. Its fields are unexported, so
// construct it with NewPolicyFetcher and run it with Start / Stop.
type PolicyFetcher struct {
	// contains filtered or unexported fields
}
PolicyFetcher fetches RBAC policies from miren.cloud
func NewPolicyFetcher ¶
func NewPolicyFetcher(cloudURL string, authClient *AuthClient, opts ...PolicyFetcherOption) *PolicyFetcher
NewPolicyFetcher creates a new policy fetcher
func (*PolicyFetcher) Fetch ¶
func (pf *PolicyFetcher) Fetch(ctx context.Context) error
Fetch performs an immediate, synchronous fetch of the policy. This is useful for one-time operations such as debugging.
func (*PolicyFetcher) GetPolicy ¶
func (pf *PolicyFetcher) GetPolicy() *rbac.Policy
GetPolicy returns the current policy
func (*PolicyFetcher) RefreshIfNeeded ¶
func (pf *PolicyFetcher) RefreshIfNeeded(ctx context.Context)
RefreshIfNeeded performs an immediate refresh if more than 30 seconds have passed since the last refresh.
func (*PolicyFetcher) SetEvaluator ¶
func (pf *PolicyFetcher) SetEvaluator(evaluator *rbac.Evaluator)
SetEvaluator sets the RBAC evaluator (for cache clearing on refresh)
type PolicyFetcherOption ¶
// PolicyFetcherOption is a functional option for NewPolicyFetcher; each one
// mutates the PolicyFetcherOptions being assembled. See WithHTTPTimeout,
// WithLogger and WithRefreshInterval.
type PolicyFetcherOption func(*PolicyFetcherOptions)
PolicyFetcherOption is a functional option for PolicyFetcher
func WithHTTPTimeout ¶
func WithHTTPTimeout(timeout time.Duration) PolicyFetcherOption
WithHTTPTimeout sets the HTTP client timeout
func WithLogger ¶
func WithLogger(logger *slog.Logger) PolicyFetcherOption
WithLogger sets the logger
func WithRefreshInterval ¶
func WithRefreshInterval(interval time.Duration) PolicyFetcherOption
WithRefreshInterval sets the refresh interval for policy fetching
type PolicyFetcherOptions ¶
// PolicyFetcherOptions is the resolved configuration of a PolicyFetcher,
// populated from NewPolicyFetcher's arguments and PolicyFetcherOption values.
type PolicyFetcherOptions struct {
	// CloudURL is the miren.cloud base URL policies are fetched from.
	CloudURL string
	// AuthClient provides the JWT that authenticates policy fetches.
	AuthClient *AuthClient
	// Logger receives the fetcher's structured logs (set via WithLogger).
	Logger *slog.Logger
	// RefreshInterval is how often the policy is re-fetched (set via WithRefreshInterval).
	// NOTE(review): presumably DefaultRefreshInterval when unset — confirm in NewPolicyFetcher.
	RefreshInterval time.Duration
	// HTTPTimeout bounds each fetch request (set via WithHTTPTimeout).
	HTTPTimeout time.Duration
}
PolicyFetcherOptions configures a PolicyFetcher
type RPCAuthenticator ¶
// RPCAuthenticator adapts cloud authentication for RPC use: Authenticate
// establishes an identity (JWT first, then TLS client certificate) and
// Authorize checks it against the RBAC policy kept current by the embedded
// PolicyFetcher. Construct it with NewRPCAuthenticator.
type RPCAuthenticator struct {
	// contains filtered or unexported fields
}
RPCAuthenticator adapts cloud authentication for RPC usage
func NewRPCAuthenticator ¶
func NewRPCAuthenticator(ctx context.Context, config Config) (*RPCAuthenticator, error)
NewRPCAuthenticator creates a new RPC authenticator
func (*RPCAuthenticator) Authenticate ¶ added in v0.3.1
func (a *RPCAuthenticator) Authenticate(ctx context.Context, r *http.Request) (*rpc.Identity, error)
Authenticate implements rpc.Authenticator. It tries JWT authentication first, then falls back to TLS client certificate. Authorization (RBAC) is handled separately via the Authorize method.
func (*RPCAuthenticator) Authorize ¶ added in v0.3.1
func (a *RPCAuthenticator) Authorize(ctx context.Context, identity *rpc.Identity, resource, action string) error
Authorize implements rpc.Authorizer. It performs RBAC evaluation to determine if the identity can perform the action.
func (*RPCAuthenticator) GetEvaluator ¶
func (a *RPCAuthenticator) GetEvaluator() *rbac.Evaluator
GetEvaluator returns the RBAC evaluator
func (*RPCAuthenticator) GetPolicyFetcher ¶
func (a *RPCAuthenticator) GetPolicyFetcher() *PolicyFetcher
GetPolicyFetcher returns the policy fetcher
type ResourceUsage ¶
// ResourceUsage carries resource utilization metrics inside a StatusReport.
// Every field is omitempty, so a genuine zero reading (e.g. 0% CPU) is encoded
// the same as "not reported"; consumers cannot distinguish the two.
type ResourceUsage struct {
	CPUCores       float64 `json:"cpu_cores,omitempty"`
	CPUPercent     float64 `json:"cpu_percent,omitempty"`
	MemoryBytes    int64   `json:"memory_bytes,omitempty"`
	MemoryPercent  float64 `json:"memory_percent,omitempty"`
	StorageBytes   int64   `json:"storage_bytes,omitempty"`
	StoragePercent float64 `json:"storage_percent,omitempty"`
}
ResourceUsage represents resource utilization metrics
type StatusReport ¶
// StatusReport is the cluster status sent to the cloud by
// AuthClient.ReportClusterStatus. ClusterID and State are required; the
// remaining fields are omitted from the JSON when empty.
type StatusReport struct {
	ClusterID string `json:"cluster_id"`
	Version   string `json:"version,omitempty"`
	// State must be one of: active, degraded, inactive, unknown.
	State         string `json:"state"` // required: active, degraded, inactive, unknown
	NodeCount     int    `json:"node_count,omitempty"`
	WorkloadCount int    `json:"workload_count,omitempty"`
	// NOTE(review): omitempty has no effect on a struct value in encoding/json
	// (structs are never "empty"), so resource_usage is always serialized. Making
	// this a pointer or using the Go 1.24 omitzero option would change the wire format.
	ResourceUsage ResourceUsage     `json:"resource_usage,omitempty"`
	HealthChecks  map[string]string `json:"health_checks,omitempty"`
	// RBACRulesVersion and LastRBACSync let the cloud see which policy the
	// cluster is enforcing and how stale it is.
	RBACRulesVersion string     `json:"rbac_rules_version,omitempty"`
	LastRBACSync     *time.Time `json:"last_rbac_sync,omitempty"`
	// APIAddresses lists the cluster API endpoints; CACertFingerprint pins the
	// cluster CA so a client can verify it is talking to this cluster.
	APIAddresses      []string `json:"api_addresses,omitempty"`
	CACertFingerprint string   `json:"ca_cert_fingerprint,omitempty"`
}
StatusReport represents the cluster status to report