Documentation
Functions
func IsGitHubActions
func IsGitHubActions() bool
IsGitHubActions returns true if running inside GitHub Actions with OIDC support.
Types
type ClaimCondition
ClaimCondition represents a single claim matching rule.
type Claims
type Claims struct {
	Issuer   string
	Subject  string
	Audience []string
	Expiry   time.Time
	Extra    map[string]any
}
Claims represents validated OIDC token claims.
func (*Claims) MatchesClaimConditions
func (c *Claims) MatchesClaimConditions(conditions []ClaimCondition) bool
MatchesClaimConditions checks if all conditions match. A pattern with commas (e.g. "push,workflow_dispatch") means the claim value must match any one of the alternatives.
func (*Claims) MatchesSubjectPattern
MatchesSubjectPattern checks if the token's subject matches a glob pattern. It uses globMatch, whose '*' matches across '/' characters, unlike path.Match.
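The two matching rules above, as an added example that is not the package's own code: a globMatch whose '*' crosses '/' (contrasted with path.Match), MatchesSubjectPattern built on it, and MatchesClaimConditions with comma-separated alternatives. ClaimCondition's field names (Claim, Pattern), the assumption that each alternative is itself a glob, and the sample subject and claims are all constructed for this example. Because '*' crosses '/', a subject pattern such as "repo:org/*" matches every ref of every repository under the org; the comparison in main shows exactly where the two matchers diverge, which is what to keep in mind when writing a binding's subject pattern.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ClaimCondition is documented on the page as "a single claim matching rule" without its
// fields; Claim (the claim name) and Pattern (a glob, comma-separated for alternatives)
// are this example's assumption.
type ClaimCondition struct {
	Claim   string
	Pattern string
}

// Claims keeps only the fields this example needs from the documented struct.
type Claims struct {
	Subject string
	Extra   map[string]any
}

// globMatch reports whether s matches pattern, where '*' matches any run of characters,
// including '/'. That is the difference from path.Match, whose '*' stops at '/'.
// No other metacharacters are supported (assumption).
func globMatch(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s // no wildcard: exact match only
	}
	// The first literal must be a prefix and the last a suffix; literals in between must
	// occur in order in what remains, each search starting after the previous hit.
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	last := parts[len(parts)-1]
	if !strings.HasSuffix(s, last) {
		return false
	}
	s = s[:len(s)-len(last)]
	for _, lit := range parts[1 : len(parts)-1] {
		i := strings.Index(s, lit)
		if i < 0 {
			return false
		}
		s = s[i+len(lit):]
	}
	return true
}

// MatchesSubjectPattern re-implements the documented method on top of globMatch.
func (c *Claims) MatchesSubjectPattern(pattern string) bool {
	return globMatch(pattern, c.Subject)
}

// MatchesClaimConditions re-implements the documented semantics: every condition must
// hold, and a comma-separated pattern holds if any one alternative matches. A claim that
// is absent or not a string never matches.
func (c *Claims) MatchesClaimConditions(conditions []ClaimCondition) bool {
	for _, cond := range conditions {
		value, ok := c.Extra[cond.Claim].(string)
		if !ok {
			return false
		}
		matched := false
		for _, alt := range strings.Split(cond.Pattern, ",") {
			matched = matched || globMatch(strings.TrimSpace(alt), value)
		}
		if !matched {
			return false
		}
	}
	return true
}

// CompareWithPathMatch returns (path.Match result, globMatch result) for the same inputs,
// to show where the two disagree.
func CompareWithPathMatch(pattern, s string) (bool, bool) {
	pm, _ := path.Match(pattern, s)
	return pm, globMatch(pattern, s)
}

func main() {
	c := &Claims{
		Subject: "repo:org/app:ref:refs/heads/main", // constructed, GitHub Actions-style subject
		Extra:   map[string]any{"event_name": "push", "ref": "refs/heads/main"},
	}
	for _, pat := range []string{"repo:org/app:ref:refs/heads/*", "repo:org/*"} {
		pm, gm := CompareWithPathMatch(pat, c.Subject)
		fmt.Printf("%-32s path.Match=%v globMatch=%v\n", pat, pm, gm)
	}
	conds := []ClaimCondition{
		{Claim: "event_name", Pattern: "push,workflow_dispatch"},
		{Claim: "ref", Pattern: "refs/heads/main"},
	}
	fmt.Println("conditions satisfied:", c.MatchesClaimConditions(conds))
}
```

The second pattern in main is the one to watch: path.Match rejects it because the remainder after "repo:org/" contains '/', while globMatch accepts it, so under the documented semantics that pattern binds every repository and ref in the org.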
type CompositeAuthenticator
type CompositeAuthenticator struct {
	// contains filtered or unexported fields
}
CompositeAuthenticator chains a primary authenticator with the OIDC authenticator. It tries the primary first and falls back to OIDC.
func NewCompositeAuthenticator
func NewCompositeAuthenticator(primary rpc.Authenticator, oidc *OIDCAuthenticator) *CompositeAuthenticator
NewCompositeAuthenticator creates a composite authenticator that chains primary and OIDC auth.
func (*CompositeAuthenticator) Authenticate
type CompositeAuthorizer
type CompositeAuthorizer struct {
	// contains filtered or unexported fields
}
CompositeAuthorizer handles authorization for both primary and OIDC auth methods.
func NewCompositeAuthorizer
func NewCompositeAuthorizer(primary rpc.Authorizer) *CompositeAuthorizer
NewCompositeAuthorizer creates a composite authorizer that handles both primary and OIDC authorization.
type OIDCAuthenticator
type OIDCAuthenticator struct {
	// contains filtered or unexported fields
}
OIDCAuthenticator validates external OIDC bearer tokens against configured oidc_binding entities in the entity store.
func NewOIDCAuthenticator
func NewOIDCAuthenticator(logger *slog.Logger) *OIDCAuthenticator
NewOIDCAuthenticator creates a new OIDC authenticator. The entity access client must be set via SetEAC before authentication will work.
func (*OIDCAuthenticator) Authenticate
func (a *OIDCAuthenticator) Authenticate(ctx context.Context, r *http.Request) (*rpc.Identity, error)
Authenticate checks if the request carries a valid OIDC bearer token that matches a configured oidc_binding entity.
func (*OIDCAuthenticator) SetEAC
func (a *OIDCAuthenticator) SetEAC(eac *entityserver_v1alpha.EntityAccessClient)
SetEAC sets the entity access client for querying OIDC bindings. This is called after the entity store is initialized, since auth is wired before the store.
type Validator
type Validator struct {
	// contains filtered or unexported fields
}
Validator validates OIDC tokens by performing discovery and JWKS-based verification.
func (*Validator) ValidateToken
func (v *Validator) ValidateToken(ctx context.Context, tokenString, expectedIssuer, expectedAudience string) (*Claims, error)
ValidateToken validates an OIDC JWT token against the expected issuer and audience. It performs OIDC discovery and JWKS verification automatically.
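The ValidateToken flow described above, as an added end-to-end example that is not the package's Validator: it performs discovery against the expected issuer, fetches the JWKS, selects the key named by the header kid, verifies the RS256 signature and only then checks iss, aud and exp. Assumptions, none of them from the page: the Validator here carries a Fetch function standing in for an HTTPS client so the issuer can be served from memory, the issuer URL https://issuer.example and the token claims are constructed, SignRS256 exists only to mint the sample token, and only RS256 is accepted. It goes slightly beyond the page's description by also accepting a JSON-array aud.

```go
package main

import (
	"context"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims mirrors the struct documented on the page.
type Claims struct {
	Issuer   string
	Subject  string
	Audience []string
	Expiry   time.Time
	Extra    map[string]any
}
// Validator mirrors the page's type; its Fetch field is this example's assumption (a stand-in for HTTPS).
type Validator struct{ Fetch func(ctx context.Context, url string) ([]byte, error) }
var enc = base64.RawURLEncoding
// jsonObject decodes raw into a generic JSON object unless err is already set.
func jsonObject(raw []byte, err error) (map[string]any, error) {
	m := map[string]any{}
	if err == nil { err = json.Unmarshal(raw, &m) }
	return m, err
}
// SignRS256 builds a compact RS256 JWT, used only to construct sample input (a verifier never signs).
func SignRS256(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + enc.EncodeToString(sig)
}
// NewFakeIssuer returns a Validator whose fetcher serves issuer's discovery document and JWKS from memory.
func NewFakeIssuer(issuer string, pub *rsa.PublicKey, kid string) *Validator {
	disc, _ := json.Marshal(map[string]string{"issuer": issuer, "jwks_uri": issuer + "/jwks"})
	jwks, _ := json.Marshal(map[string]any{"keys": []any{map[string]string{"kty": "RSA", "kid": kid,
		"n": enc.EncodeToString(pub.N.Bytes()), "e": enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	docs := map[string][]byte{issuer + "/.well-known/openid-configuration": disc, issuer + "/jwks": jwks}
	return &Validator{Fetch: func(_ context.Context, url string) ([]byte, error) {
		if d, ok := docs[url]; ok { return d, nil }
		return nil, fmt.Errorf("fetch %s: not found", url)
	}}
}

// ValidateToken re-implements the documented flow: discover the issuer, fetch its JWKS, verify the RS256
// signature under the key named by the header kid, then check iss, aud and exp. Only RS256 is accepted.
func (v *Validator) ValidateToken(ctx context.Context, tokenString, expectedIssuer, expectedAudience string) (*Claims, error) {
	parts := strings.Split(tokenString, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	hdr, err := jsonObject(enc.DecodeString(parts[0]))
	if err != nil || hdr["alg"] != "RS256" { return nil, fmt.Errorf("unsupported or malformed token header") }
	kid, _ := hdr["kid"].(string)
	disc, err := jsonObject(v.Fetch(ctx, strings.TrimSuffix(expectedIssuer, "/")+"/.well-known/openid-configuration"))
	if err != nil { return nil, err }
	if disc["issuer"] != expectedIssuer { return nil, fmt.Errorf("discovery issuer %v != %q", disc["issuer"], expectedIssuer) }
	set, err := jsonObject(v.Fetch(ctx, fmt.Sprint(disc["jwks_uri"])))
	if err != nil { return nil, err }
	keys, _ := set["keys"].([]any)
	var pub *rsa.PublicKey
	for _, item := range keys { // select the RSA key whose kid the token header names
		k, _ := item.(map[string]any)
		nb, errN := enc.DecodeString(fmt.Sprint(k["n"])) // a missing field prints "<nil>" and fails to decode
		eb, errE := enc.DecodeString(fmt.Sprint(k["e"]))
		if k["kid"] == kid && k["kty"] == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil { return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid) }
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is header.payload as received
	if sig, err := enc.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	body, err := jsonObject(enc.DecodeString(parts[1]))
	if err != nil { return nil, err }
	c := &Claims{Extra: body} // simplification: Extra keeps the whole payload
	c.Issuer, _ = body["iss"].(string)
	c.Subject, _ = body["sub"].(string)
	if exp, ok := body["exp"].(float64); ok { c.Expiry = time.Unix(int64(exp), 0) } // no exp: zero time, rejected below
	switch aud := body["aud"].(type) { // aud is a single string (as GitHub issues it) or an array
	case string:
		c.Audience = []string{aud}
	case []any:
		for _, a := range aud { c.Audience = append(c.Audience, fmt.Sprint(a)) }
	}
	audOK := false
	for _, a := range c.Audience { audOK = audOK || a == expectedAudience }
	if c.Issuer != expectedIssuer { return nil, fmt.Errorf("issuer claim mismatch") }
	if !audOK { return nil, fmt.Errorf("audience claim mismatch") }
	if !c.Expiry.After(time.Now()) { return nil, fmt.Errorf("token expired") }
	return c, nil
}
```

Claims are read only after the signature has verified, so nothing in the payload (including the issuer it names) influences which keys are fetched: discovery is driven by the expected issuer the caller supplies. The alg header is read only to confirm it is RS256; a token cannot select a different algorithm. A token with an altered payload, a key absent from the JWKS, a foreign audience or a past exp fails at the corresponding check.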