cloudauth

package
Published: Mar 10, 2026 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

// DefaultCloudURL is the default URL for the miren.cloud API. It uses https;
// overriding it with a plain-http URL would send the bearer token in clear text.
const DefaultCloudURL = "https://api.miren.cloud"

DefaultCloudURL is the default URL for miren.cloud

// DefaultRefreshInterval is the default interval at which policies are
// refreshed (one minute).
const DefaultRefreshInterval = time.Minute

DefaultRefreshInterval is the default interval for refreshing policies

Variables

This section is empty.

Functions

func PublicKeyFromPEM

func PublicKeyFromPEM(pemData string) (crypto.PublicKey, error)

PublicKeyFromPEM parses a public key from PEM format

func VerifySignature

func VerifySignature(publicKey ed25519.PublicKey, message []byte, signatureBase64 string) bool

VerifySignature reports whether the base64-encoded signature is valid for message under the given public key.

Types

type AuthClient

// AuthClient handles service account authentication with miren.cloud.
// Construct it with NewAuthClient. GetToken returns a valid JWT, refreshing
// it when necessary; InvalidateToken clears the cached token so the next
// GetToken re-authenticates.
type AuthClient struct {
	// contains filtered or unexported fields
}

AuthClient handles service account authentication with miren.cloud

func NewAuthClient

func NewAuthClient(serverURL string, keyPair *KeyPair) (*AuthClient, error)

NewAuthClient creates a new authentication client

func (*AuthClient) Authenticate

func (a *AuthClient) Authenticate(ctx context.Context) (string, error)

Authenticate performs the public key authentication flow and returns a JWT

func (*AuthClient) GetToken

func (a *AuthClient) GetToken(ctx context.Context) (string, error)

GetToken returns a valid JWT, refreshing if necessary

func (*AuthClient) InvalidateToken

func (a *AuthClient) InvalidateToken()

InvalidateToken clears the cached token

func (*AuthClient) ReportClusterStatus

func (a *AuthClient) ReportClusterStatus(ctx context.Context, status *StatusReport) error

ReportClusterStatus sends a status report for the specified cluster

type BeginAuthRequest

// BeginAuthRequest is the request body that starts the public key
// authentication flow.
type BeginAuthRequest struct {
	// Fingerprint identifies the key pair being authenticated. Presumably the
	// "SHA256:..." value produced by KeyPair.Fingerprint — confirm against the
	// server's expectations.
	Fingerprint string `json:"fingerprint"`
}

BeginAuthRequest is the request to begin authentication

type BeginAuthResponse

// BeginAuthResponse is the response from begin authentication.
type BeginAuthResponse struct {
	// Envelope is opaque server state. CompleteAuthRequest carries a field of
	// the same name, so it is presumably echoed back unchanged — confirm.
	Envelope string `json:"envelope"`
	// Challenge is the value the client is expected to sign with its private
	// key to prove possession — NOTE(review): inferred from the flow; confirm.
	Challenge string `json:"challenge"`
}

BeginAuthResponse is the response from begin authentication

type CompleteAuthRequest

// CompleteAuthRequest is the request body that completes the public key
// authentication flow.
type CompleteAuthRequest struct {
	// Envelope is presumably the value received in BeginAuthResponse.Envelope
	// — confirm.
	Envelope string `json:"envelope"`
	// Signature is the signature over the challenge, as produced by
	// KeyPair.Sign. VerifySignature takes a base64 string, so this is
	// presumably base64-encoded too — confirm.
	Signature string `json:"signature"`
}

CompleteAuthRequest is the request to complete authentication

type CompleteAuthResponse

// CompleteAuthResponse is the response from complete authentication.
type CompleteAuthResponse struct {
	// ServiceAccount identifies the account the authenticated key belongs to.
	ServiceAccount struct {
		ID   string `json:"id"`
		Name string `json:"name"`
	} `json:"service_account"`
	// Token is the bearer JWT. It is a credential: keep it out of logs and
	// error messages.
	Token     string `json:"token"`
	// ExpiresIn is zero when the server omitted it; callers should not treat
	// zero as "already expired" without checking the server contract.
	ExpiresIn int    `json:"expires_in,omitempty"` // Optional: seconds until expiry
}

CompleteAuthResponse is the response from complete authentication

type Config

// Config configures an RPCAuthenticator; see NewRPCAuthenticator and Validate.
type Config struct {
	// CloudURL is the miren.cloud base URL. DefaultCloudURL is the package
	// default — whether Validate applies it when empty is not visible here.
	CloudURL   string
	// AuthClient authenticates this cluster to the cloud.
	AuthClient *AuthClient
	// Logger receives structured log output.
	Logger     *slog.Logger
	// Tags are attached to this runtime/cluster; values are untyped, so keep
	// them free of secrets, as they are presumably reported to the cloud.
	Tags       map[string]any // Tags for this runtime/cluster
}

Config for RPCAuthenticator

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the configuration

type KeyPair

// KeyPair represents an ED25519 key pair for cluster authentication.
// Create one with GenerateKeyPair or LoadKeyPairFromPEM.
type KeyPair struct {
	// PrivateKey signs authentication challenges (see Sign). It is a
	// long-lived secret: protect it at rest and never log it or the output
	// of PrivateKeyPEM.
	PrivateKey ed25519.PrivateKey
	// PublicKey is what the server identifies the cluster by, via
	// Fingerprint and PublicKeyPEM.
	PublicKey  ed25519.PublicKey
}

KeyPair represents an ED25519 key pair for cluster authentication

func GenerateKeyPair

func GenerateKeyPair() (*KeyPair, error)

GenerateKeyPair generates a new ED25519 key pair

func LoadKeyPairFromPEM

func LoadKeyPairFromPEM(privateKeyPEM string) (*KeyPair, error)

LoadKeyPairFromPEM loads a key pair from a PEM-encoded private key.

func (*KeyPair) Fingerprint

func (kp *KeyPair) Fingerprint() string

Fingerprint returns the SHA256 fingerprint of the public key in the format "SHA256:base64encoded", matching the format used by the server.

func (*KeyPair) PrivateKeyPEM

func (kp *KeyPair) PrivateKeyPEM() (string, error)

PrivateKeyPEM returns the private key in PEM format

func (*KeyPair) PublicKeyPEM

func (kp *KeyPair) PublicKeyPEM() (string, error)

PublicKeyPEM returns the public key in PEM format

func (*KeyPair) Sign

func (kp *KeyPair) Sign(message []byte) (string, error)

Sign signs a message with the private key

type PolicyFetcher

// PolicyFetcher fetches RBAC policies from miren.cloud. Start runs periodic
// fetching until Stop is called; Fetch and RefreshIfNeeded are the
// synchronous entry points, and GetPolicy returns the current policy.
type PolicyFetcher struct {
	// contains filtered or unexported fields
}

PolicyFetcher fetches RBAC policies from miren.cloud

func NewPolicyFetcher

func NewPolicyFetcher(cloudURL string, authClient *AuthClient, opts ...PolicyFetcherOption) *PolicyFetcher

NewPolicyFetcher creates a new policy fetcher

func (*PolicyFetcher) Fetch

func (pf *PolicyFetcher) Fetch(ctx context.Context) error

Fetch performs an immediate, synchronous fetch of the policy. This is useful for one-time operations such as debugging.

func (*PolicyFetcher) GetPolicy

func (pf *PolicyFetcher) GetPolicy() *rbac.Policy

GetPolicy returns the current policy

func (*PolicyFetcher) RefreshIfNeeded

func (pf *PolicyFetcher) RefreshIfNeeded(ctx context.Context)

RefreshIfNeeded performs an immediate refresh if more than 30 seconds have passed since the last refresh.

func (*PolicyFetcher) SetEvaluator

func (pf *PolicyFetcher) SetEvaluator(evaluator *rbac.Evaluator)

SetEvaluator sets the RBAC evaluator so that its cache can be cleared when the policy is refreshed.

func (*PolicyFetcher) Start

func (pf *PolicyFetcher) Start(ctx context.Context) error

Start begins periodic policy fetching

func (*PolicyFetcher) Stop

func (pf *PolicyFetcher) Stop()

Stop stops the policy fetcher

type PolicyFetcherOption

// PolicyFetcherOption is a functional option for PolicyFetcher; it mutates
// the PolicyFetcherOptions that NewPolicyFetcher builds. See WithHTTPTimeout,
// WithLogger and WithRefreshInterval.
type PolicyFetcherOption func(*PolicyFetcherOptions)

PolicyFetcherOption is a functional option for PolicyFetcher

func WithHTTPTimeout

func WithHTTPTimeout(timeout time.Duration) PolicyFetcherOption

WithHTTPTimeout sets the HTTP client timeout

func WithLogger

func WithLogger(logger *slog.Logger) PolicyFetcherOption

WithLogger sets the logger

func WithRefreshInterval

func WithRefreshInterval(interval time.Duration) PolicyFetcherOption

WithRefreshInterval sets the refresh interval for policy fetching

type PolicyFetcherOptions

// PolicyFetcherOptions configures a PolicyFetcher. Normally it is populated
// by NewPolicyFetcher from its arguments and PolicyFetcherOption values.
type PolicyFetcherOptions struct {
	// CloudURL is the miren.cloud base URL to fetch policies from.
	CloudURL        string
	// AuthClient supplies the token used to authenticate policy fetches.
	AuthClient      *AuthClient
	// Logger receives structured log output (WithLogger).
	Logger          *slog.Logger
	// RefreshInterval is how often policies are re-fetched
	// (WithRefreshInterval); DefaultRefreshInterval is the package default.
	RefreshInterval time.Duration
	// HTTPTimeout bounds each policy request (WithHTTPTimeout); a zero
	// value presumably means no timeout — confirm in NewPolicyFetcher.
	HTTPTimeout     time.Duration
}

PolicyFetcherOptions configures a PolicyFetcher

type RPCAuthenticator

// RPCAuthenticator adapts cloud authentication for RPC usage. Authenticate
// establishes identity (JWT first, then TLS client certificate) and Authorize
// performs the RBAC check; the two are deliberately separate steps, so a
// caller must invoke both.
type RPCAuthenticator struct {
	// contains filtered or unexported fields
}

RPCAuthenticator adapts cloud authentication for RPC usage

func NewRPCAuthenticator

func NewRPCAuthenticator(ctx context.Context, config Config) (*RPCAuthenticator, error)

NewRPCAuthenticator creates a new RPC authenticator

func (*RPCAuthenticator) Authenticate added in v0.3.1

func (a *RPCAuthenticator) Authenticate(ctx context.Context, r *http.Request) (*rpc.Identity, error)

Authenticate implements rpc.Authenticator. It tries JWT authentication first, then falls back to TLS client certificate. Authorization (RBAC) is handled separately via the Authorize method.

func (*RPCAuthenticator) Authorize added in v0.3.1

func (a *RPCAuthenticator) Authorize(ctx context.Context, identity *rpc.Identity, resource, action string) error

Authorize implements rpc.Authorizer. It performs RBAC evaluation to determine if the identity can perform the action.

func (*RPCAuthenticator) GetEvaluator

func (a *RPCAuthenticator) GetEvaluator() *rbac.Evaluator

GetEvaluator returns the RBAC evaluator

func (*RPCAuthenticator) GetPolicyFetcher

func (a *RPCAuthenticator) GetPolicyFetcher() *PolicyFetcher

GetPolicyFetcher returns the policy fetcher

func (*RPCAuthenticator) Stop

func (a *RPCAuthenticator) Stop()

Stop stops background tasks

type ResourceUsage

// ResourceUsage represents resource utilization metrics reported in a
// StatusReport. Every field is omitempty, so a zero metric is
// indistinguishable from an unreported one on the wire.
type ResourceUsage struct {
	CPUCores       float64 `json:"cpu_cores,omitempty"`
	CPUPercent     float64 `json:"cpu_percent,omitempty"`
	MemoryBytes    int64   `json:"memory_bytes,omitempty"`
	MemoryPercent  float64 `json:"memory_percent,omitempty"`
	StorageBytes   int64   `json:"storage_bytes,omitempty"`
	StoragePercent float64 `json:"storage_percent,omitempty"`
}

ResourceUsage represents resource utilization metrics

type StatusReport

// StatusReport represents the cluster status sent to the cloud by
// AuthClient.ReportClusterStatus.
type StatusReport struct {
	// ClusterID identifies the reporting cluster; it is always emitted.
	ClusterID         string            `json:"cluster_id"`
	Version           string            `json:"version,omitempty"`
	State             string            `json:"state"` // required: active, degraded, inactive, unknown
	NodeCount         int               `json:"node_count,omitempty"`
	WorkloadCount     int               `json:"workload_count,omitempty"`
	// NOTE(review): encoding/json never treats a struct value as empty, so
	// omitempty has no effect here and resource_usage is always emitted.
	ResourceUsage     ResourceUsage     `json:"resource_usage,omitempty"`
	// HealthChecks maps a check name to its result string; keep values free
	// of secrets, as the whole report is sent off-cluster.
	HealthChecks      map[string]string `json:"health_checks,omitempty"`
	RBACRulesVersion  string            `json:"rbac_rules_version,omitempty"`
	LastRBACSync      *time.Time        `json:"last_rbac_sync,omitempty"`
	// APIAddresses lists the cluster's API endpoints.
	APIAddresses      []string          `json:"api_addresses,omitempty"`
	// CACertFingerprint presumably lets the cloud pin the cluster's CA
	// certificate; the fingerprint format is not visible here — confirm.
	CACertFingerprint string            `json:"ca_cert_fingerprint,omitempty"`
}

StatusReport represents the cluster status to report
