auth

package
v0.0.0-...-75e6539 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 4, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package auth provides authentication and authorization support. Authentication: You are who you say you are. Authorization: You have permission to do what you are requesting to do.

Index

Constants

View Source 
const (
	RuleAuthenticate   = "auth"
	RuleAny            = "rule_any"
	RuleAdminOnly      = "rule_admin_only"
	RuleUserOnly       = "rule_user_only"
	RuleAdminOrSubject = "rule_admin_or_subject"
)

These the current set of rules we have for auth.

Variables

View Source 
var ErrForbidden = errors.New("attempted action is not allowed")

ErrForbidden is returned when a auth issue is identified.

Functions

func IsAuthError 

func IsAuthError(err error) bool

IsAuthError checks if an error of type AuthError exists.

func NewAuthError 

func NewAuthError(format string, args ...any) error

NewAuthError creates an AuthError for the provided message.

func SetClaims 

func SetClaims(ctx context.Context, claims Claims) context.Context

SetClaims stores the claims in the context.

Types

type Auth 

type Auth struct {
	// contains filtered or unexported fields
}

Auth is used to authenticate clients. It can generate a token for a set of user claims and recreate the claims by parsing the token.

func New 

func New(cfg Config) (*Auth, error)

New creates an Auth to support authentication/authorization.

func (*Auth) Authenticate 

func (a *Auth) Authenticate(ctx context.Context, bearerToken string) (Claims, error)

Authenticate processes the token(signature of the jwt) to validate the sender's token is valid using the public key pair of the private key that signed the jwt.

func (*Auth) Authorize 

func (a *Auth) Authorize(ctx context.Context, claims Claims, userID uuid.UUID, rule string) error

Authorize attempts to authorize the user with the provided input roles, if none of the input roles are within the user's claims, we return an error otherwise the user is authorized.

func (*Auth) GenerateToken 

func (a *Auth) GenerateToken(kid string, claims Claims) (string, error)

GenerateToken generates a signed JWT token string representing the user Claims.

type Claims 

type Claims struct {
	jwt.RegisteredClaims
	Roles []user.Role `json:"roles"`
}

Claims represents the authorization claims transmitted via a JWT.

func GetClaims 

func GetClaims(ctx context.Context) Claims

GetClaims returns the claims from the context.

type Config 

type Config struct {
	Log       *zap.SugaredLogger
	KeyLookup KeyLookup
	Issuer    string
}

Config represents information required to initialize auth.

type KeyLookup 

type KeyLookup interface {
	PrivateKey(kid string) (key string, err error)
	PublicKey(kid string) (key string, err error)
}

KeyLookup declares a method set of behavior for looking up private and public keys for JWT use. The return could be a PEM encoded string or a JWS based key. 

The interface methods return the pem encoded data. Because OPA wants pem encoded data to do the validation. So we should name the first return

value as `pem` not `key`. Right? Well no, because there are other formats other than pem that might represent the key and OPA supports them as well. So we keep it more generic by naming it `key` instead of `pem`. Because the key can come in many forms like pem or ... .

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.