cloudauth

Published: Dec 8, 2025 License: Apache-2.0 Imports: 20 Imported by: 0


Constants

// DefaultCloudURL is the default URL for miren.cloud.
const DefaultCloudURL = "https://api.miren.cloud"

DefaultCloudURL is the default URL for miren.cloud

// DefaultRefreshInterval is the default interval at which a PolicyFetcher
// re-fetches RBAC policies (see WithRefreshInterval to override it).
const DefaultRefreshInterval = 60 * time.Second

DefaultRefreshInterval is the default interval for refreshing policies

Variables

This section is empty.

Functions

func PublicKeyFromPEM

func PublicKeyFromPEM(pemData string) (crypto.PublicKey, error)

PublicKeyFromPEM parses a public key from PEM format

func VerifySignature

func VerifySignature(publicKey ed25519.PublicKey, message []byte, signatureBase64 string) bool

VerifySignature reports whether the base64-encoded signature is a valid ED25519 signature of message under publicKey.

Types

type AuthClient

// AuthClient handles service account authentication with miren.cloud.
// It runs the public-key authentication flow (Authenticate) and caches the
// resulting JWT, which GetToken returns and refreshes as needed and
// InvalidateToken clears.
type AuthClient struct {
	// contains filtered or unexported fields
}

AuthClient handles service account authentication with miren.cloud

func NewAuthClient

func NewAuthClient(serverURL string, keyPair *KeyPair) (*AuthClient, error)

NewAuthClient creates a new authentication client

func (*AuthClient) Authenticate

func (a *AuthClient) Authenticate(ctx context.Context) (string, error)

Authenticate performs the public key authentication flow and returns a JWT

func (*AuthClient) GetToken

func (a *AuthClient) GetToken(ctx context.Context) (string, error)

GetToken returns a valid JWT, refreshing if necessary

func (*AuthClient) InvalidateToken

func (a *AuthClient) InvalidateToken()

InvalidateToken clears the cached token

func (*AuthClient) ReportClusterStatus

func (a *AuthClient) ReportClusterStatus(ctx context.Context, status *StatusReport) error

ReportClusterStatus sends a status report for the specified cluster

type BeginAuthRequest

// BeginAuthRequest is the request to begin authentication.
type BeginAuthRequest struct {
	// Fingerprint identifies the key pair being authenticated; presumably
	// the "SHA256:<base64>" value produced by KeyPair.Fingerprint — confirm.
	Fingerprint string `json:"fingerprint"`
}

BeginAuthRequest is the request to begin authentication

type BeginAuthResponse

// BeginAuthResponse is the response from begin authentication.
type BeginAuthResponse struct {
	// Envelope is an opaque server value that is sent back unchanged in
	// CompleteAuthRequest.
	Envelope string `json:"envelope"`
	// Challenge is the server-issued challenge; presumably the value the
	// client signs to produce CompleteAuthRequest.Signature — confirm.
	Challenge string `json:"challenge"`
}

BeginAuthResponse is the response from begin authentication

type CompleteAuthRequest

// CompleteAuthRequest is the request to complete authentication.
type CompleteAuthRequest struct {
	// Envelope is the value received in BeginAuthResponse.Envelope.
	Envelope string `json:"envelope"`
	// Signature is the base64-encoded signature (the format KeyPair.Sign
	// returns) proving possession of the private key.
	Signature string `json:"signature"`
}

CompleteAuthRequest is the request to complete authentication

type CompleteAuthResponse

// CompleteAuthResponse is the response from complete authentication.
type CompleteAuthResponse struct {
	// ServiceAccount identifies the account the key pair authenticated as.
	ServiceAccount struct {
		ID   string `json:"id"`
		Name string `json:"name"`
	} `json:"service_account"`
	// Token is the issued JWT (the value AuthClient.Authenticate returns).
	Token string `json:"token"`
	// ExpiresIn is optional; when zero the server did not report a lifetime.
	ExpiresIn int `json:"expires_in,omitempty"` // Optional: seconds until expiry
}

CompleteAuthResponse is the response from complete authentication

type Config

// Config for RPCAuthenticator. Check it with Validate before passing it to
// NewRPCAuthenticator.
type Config struct {
	// CloudURL is the miren.cloud endpoint (see DefaultCloudURL).
	CloudURL string
	// AuthClient supplies the service account JWT.
	AuthClient *AuthClient
	// Logger receives the authenticator's log output.
	Logger *slog.Logger
	Tags   map[string]any // Tags for this runtime/cluster
}

Config for RPCAuthenticator

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the configuration

type KeyPair

// KeyPair represents an ED25519 key pair for cluster authentication.
// PrivateKey is the signing secret (see Sign, PrivateKeyPEM); PublicKey is
// the value whose fingerprint identifies the pair to the server.
type KeyPair struct {
	PrivateKey ed25519.PrivateKey
	PublicKey  ed25519.PublicKey
}

KeyPair represents an ED25519 key pair for cluster authentication

func GenerateKeyPair

func GenerateKeyPair() (*KeyPair, error)

GenerateKeyPair generates a new ED25519 key pair

func LoadKeyPairFromPEM

func LoadKeyPairFromPEM(privateKeyPEM string) (*KeyPair, error)

LoadKeyPairFromPEM loads a key pair from a PEM-encoded private key string.

func (*KeyPair) Fingerprint

func (kp *KeyPair) Fingerprint() string

Fingerprint returns the SHA256 fingerprint of the public key in the format "SHA256:&lt;base64&gt;", matching the format the server uses.

func (*KeyPair) PrivateKeyPEM

func (kp *KeyPair) PrivateKeyPEM() (string, error)

PrivateKeyPEM returns the private key in PEM format

func (*KeyPair) PublicKeyPEM

func (kp *KeyPair) PublicKeyPEM() (string, error)

PublicKeyPEM returns the public key in PEM format

func (*KeyPair) Sign

func (kp *KeyPair) Sign(message []byte) (string, error)

Sign signs a message with the private key

type PolicyFetcher

// PolicyFetcher fetches RBAC policies from miren.cloud, either on demand
// (Fetch, RefreshIfNeeded) or periodically between Start and Stop. The
// most recently fetched policy is available via GetPolicy.
type PolicyFetcher struct {
	// contains filtered or unexported fields
}

PolicyFetcher fetches RBAC policies from miren.cloud

func NewPolicyFetcher

func NewPolicyFetcher(cloudURL string, authClient *AuthClient, opts ...PolicyFetcherOption) *PolicyFetcher

NewPolicyFetcher creates a new policy fetcher

func (*PolicyFetcher) Fetch

func (pf *PolicyFetcher) Fetch(ctx context.Context) error

Fetch performs an immediate, synchronous fetch of the policy. This is useful for one-time operations such as debugging.

func (*PolicyFetcher) GetPolicy

func (pf *PolicyFetcher) GetPolicy() *rbac.Policy

GetPolicy returns the current policy

func (*PolicyFetcher) RefreshIfNeeded

func (pf *PolicyFetcher) RefreshIfNeeded(ctx context.Context)

RefreshIfNeeded performs an immediate refresh if more than 30 seconds have passed since the last refresh.

func (*PolicyFetcher) SetEvaluator

func (pf *PolicyFetcher) SetEvaluator(evaluator *rbac.Evaluator)

SetEvaluator sets the RBAC evaluator (for cache clearing on refresh)

func (*PolicyFetcher) Start

func (pf *PolicyFetcher) Start(ctx context.Context) error

Start begins periodic policy fetching

func (*PolicyFetcher) Stop

func (pf *PolicyFetcher) Stop()

Stop stops the policy fetcher

type PolicyFetcherOption

// PolicyFetcherOption is a functional option for PolicyFetcher; each option
// mutates the PolicyFetcherOptions and is applied by NewPolicyFetcher.
type PolicyFetcherOption func(*PolicyFetcherOptions)

PolicyFetcherOption is a functional option for PolicyFetcher

func WithHTTPTimeout

func WithHTTPTimeout(timeout time.Duration) PolicyFetcherOption

WithHTTPTimeout sets the HTTP client timeout

func WithLogger

func WithLogger(logger *slog.Logger) PolicyFetcherOption

WithLogger sets the logger

func WithRefreshInterval

func WithRefreshInterval(interval time.Duration) PolicyFetcherOption

WithRefreshInterval sets the refresh interval for policy fetching

type PolicyFetcherOptions

// PolicyFetcherOptions configures a PolicyFetcher.
type PolicyFetcherOptions struct {
	CloudURL   string
	AuthClient *AuthClient
	Logger     *slog.Logger // set via WithLogger
	// RefreshInterval is the period between policy fetches (WithRefreshInterval);
	// presumably defaults to DefaultRefreshInterval — confirm.
	RefreshInterval time.Duration
	// HTTPTimeout bounds each fetch request (WithHTTPTimeout).
	HTTPTimeout time.Duration
}

PolicyFetcherOptions configures a PolicyFetcher

type RPCAuthenticator

// RPCAuthenticator adapts cloud authentication for RPC usage. It owns a
// PolicyFetcher and an rbac.Evaluator (GetPolicyFetcher, GetEvaluator);
// Stop must be called to end its background tasks.
type RPCAuthenticator struct {
	// contains filtered or unexported fields
}

RPCAuthenticator adapts cloud authentication for RPC usage

func NewRPCAuthenticator

func NewRPCAuthenticator(ctx context.Context, config Config) (*RPCAuthenticator, error)

NewRPCAuthenticator creates a new RPC authenticator

func (*RPCAuthenticator) AuthenticateRequest

func (a *RPCAuthenticator) AuthenticateRequest(ctx context.Context, r *http.Request) (bool, string, error)

AuthenticateRequest implements rpc.Authenticator. It is called before any RPC method is invoked. It is not currently wired into the RPC layer at the method-call level; it is ONLY used to authenticate HTTP requests that are routed to RPC methods.

func (*RPCAuthenticator) GetEvaluator

func (a *RPCAuthenticator) GetEvaluator() *rbac.Evaluator

GetEvaluator returns the RBAC evaluator

func (*RPCAuthenticator) GetPolicyFetcher

func (a *RPCAuthenticator) GetPolicyFetcher() *PolicyFetcher

GetPolicyFetcher returns the policy fetcher

func (*RPCAuthenticator) NoAuthorization

func (a *RPCAuthenticator) NoAuthorization(ctx context.Context, r *http.Request) (bool, string, error)

NoAuthorization implements rpc.Authenticator

func (*RPCAuthenticator) Stop

func (a *RPCAuthenticator) Stop()

Stop stops background tasks

type ResourceUsage

// ResourceUsage represents resource utilization metrics. All fields are
// optional and omitted from JSON when zero.
type ResourceUsage struct {
	CPUCores       float64 `json:"cpu_cores,omitempty"`
	CPUPercent     float64 `json:"cpu_percent,omitempty"`
	MemoryBytes    int64   `json:"memory_bytes,omitempty"`
	MemoryPercent  float64 `json:"memory_percent,omitempty"`
	StorageBytes   int64   `json:"storage_bytes,omitempty"`
	StoragePercent float64 `json:"storage_percent,omitempty"`
}

ResourceUsage represents resource utilization metrics

type StatusReport

// StatusReport represents the cluster status to report via
// AuthClient.ReportClusterStatus. ClusterID and State are required; every
// other field is optional and omitted from JSON when zero.
type StatusReport struct {
	ClusterID         string            `json:"cluster_id"`
	Version           string            `json:"version,omitempty"`
	State             string            `json:"state"` // required: active, degraded, inactive, unknown
	NodeCount         int               `json:"node_count,omitempty"`
	WorkloadCount     int               `json:"workload_count,omitempty"`
	ResourceUsage     ResourceUsage     `json:"resource_usage,omitempty"`
	HealthChecks      map[string]string `json:"health_checks,omitempty"`
	RBACRulesVersion  string            `json:"rbac_rules_version,omitempty"`
	LastRBACSync      *time.Time        `json:"last_rbac_sync,omitempty"`
	APIAddresses      []string          `json:"api_addresses,omitempty"`
	CACertFingerprint string            `json:"ca_cert_fingerprint,omitempty"` // presumably the fingerprint of the cluster's CA certificate — confirm format
}

StatusReport represents the cluster status to report
