- type AWSConfig
- type AWSIAMProvider
- func (p *AWSIAMProvider) ResolveIdentities(_ context.Context, config json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
- func (p *AWSIAMProvider) TestConnection(_ context.Context, config json.RawMessage) error
- func (p *AWSIAMProvider) Type() store.IAMProviderType
- func (p *AWSIAMProvider) ValidateConfig(config json.RawMessage) error
- type ExternalIdentity
- type IAMProvider
- type IAMResolver
- type KubernetesConfig
- type KubernetesProvider
- func (p *KubernetesProvider) ResolveIdentities(_ context.Context, _ json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
- func (p *KubernetesProvider) TestConnection(_ context.Context, config json.RawMessage) error
- func (p *KubernetesProvider) Type() store.IAMProviderType
- func (p *KubernetesProvider) ValidateConfig(config json.RawMessage) error
- type OIDCConfig
- type OIDCProvider
- func (p *OIDCProvider) ResolveIdentities(_ context.Context, config json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
- func (p *OIDCProvider) TestConnection(_ context.Context, config json.RawMessage) error
- func (p *OIDCProvider) Type() store.IAMProviderType
- func (p *OIDCProvider) ValidateConfig(config json.RawMessage) error
Types ¶
type AWSIAMProvider ¶
// AWSIAMProvider validates AWS IAM ARNs and maps them to roles.
//
// This is a stub: it checks the config format but makes no AWS SDK calls,
// so the identities it resolves are not verified against AWS.
type AWSIAMProvider struct{}
AWSIAMProvider validates AWS IAM ARNs and maps them to roles. This is a stub implementation that validates the config format but does not make actual AWS SDK calls; consequently the identities it resolves are not verified against AWS and should not be relied on for authorization decisions outside of testing.
func (*AWSIAMProvider) ResolveIdentities ¶
func (p *AWSIAMProvider) ResolveIdentities(_ context.Context, config json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
func (*AWSIAMProvider) TestConnection ¶
func (p *AWSIAMProvider) TestConnection(_ context.Context, config json.RawMessage) error
func (*AWSIAMProvider) Type ¶
func (p *AWSIAMProvider) Type() store.IAMProviderType
func (*AWSIAMProvider) ValidateConfig ¶
func (p *AWSIAMProvider) ValidateConfig(config json.RawMessage) error
type ExternalIdentity ¶
// ExternalIdentity represents an identity from an external IAM system.
//
// Provider names the IAM system the identity came from and Identifier is
// the subject within it (an ARN, a Kubernetes ServiceAccount or Group, or
// an OIDC claim value, depending on the provider). Attributes carries
// optional extra data and is dropped from the JSON encoding when empty.
type ExternalIdentity struct {
Provider string `json:"provider"`
Identifier string `json:"identifier"`
Attributes map[string]string `json:"attributes,omitempty"`
}
ExternalIdentity represents an identity from an external IAM system.
type IAMProvider ¶
// IAMProvider defines the interface for an external IAM provider.
//
// The concrete providers in this package (AWSIAMProvider, KubernetesProvider,
// OIDCProvider) are stubs that validate config format only; see each type's
// doc for what they do not verify.
type IAMProvider interface {
// Type returns the provider type identifier.
Type() store.IAMProviderType
// ValidateConfig checks that the provider configuration is valid.
ValidateConfig(config json.RawMessage) error
// ResolveIdentities extracts external identities from the given credentials/token.
// NOTE(review): the interface does not state whether implementations must
// verify the credentials before returning identities; callers should not
// treat the result as authenticated unless the provider documents that it is.
ResolveIdentities(ctx context.Context, config json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
// TestConnection tests that the provider configuration can connect.
TestConnection(ctx context.Context, config json.RawMessage) error
}
IAMProvider defines the interface for an external IAM provider.
type IAMResolver ¶
// IAMResolver combines IAM providers with the store to resolve external
// identities to roles. Construct it with NewIAMResolver, add providers with
// RegisterProvider, and call ResolveRole to obtain a role for an identity.
type IAMResolver struct {
// contains filtered or unexported fields
}
IAMResolver combines IAM providers with the store to resolve external identities to roles.
func NewIAMResolver ¶
func NewIAMResolver(iamStore store.IAMStore) *IAMResolver
NewIAMResolver creates a new IAMResolver.
func (*IAMResolver) GetProvider ¶
func (r *IAMResolver) GetProvider(providerType store.IAMProviderType) (IAMProvider, bool)
GetProvider returns the registered provider for the given type, if any.
func (*IAMResolver) RegisterProvider ¶
func (r *IAMResolver) RegisterProvider(p IAMProvider)
RegisterProvider registers an IAM provider implementation.
func (*IAMResolver) ResolveRole ¶
func (r *IAMResolver) ResolveRole(ctx context.Context, companyID uuid.UUID, identity ExternalIdentity, resourceType string, resourceID uuid.UUID) (store.Role, error)
ResolveRole returns the highest role granted to the external identity for the given resource, considering every enabled provider in the company.
type KubernetesConfig ¶
// KubernetesConfig holds configuration for the Kubernetes RBAC provider.
// It is decoded from the provider's JSON config using the "cluster_name"
// and "namespace" keys.
type KubernetesConfig struct {
ClusterName string `json:"cluster_name"`
Namespace string `json:"namespace"`
}
KubernetesConfig holds configuration for the Kubernetes RBAC provider.
type KubernetesProvider ¶
// KubernetesProvider maps Kubernetes ServiceAccounts and Groups to roles.
//
// This is a stub: it checks the config format but makes no Kubernetes API
// calls, so the identities it resolves are not verified against the cluster.
type KubernetesProvider struct{}
KubernetesProvider maps Kubernetes ServiceAccounts and Groups to roles. This is a stub implementation that validates the config format but does not make actual Kubernetes API calls; consequently the identities it resolves are not verified against the cluster and should not be relied on for authorization decisions outside of testing.
func (*KubernetesProvider) ResolveIdentities ¶
func (p *KubernetesProvider) ResolveIdentities(_ context.Context, _ json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
func (*KubernetesProvider) TestConnection ¶
func (p *KubernetesProvider) TestConnection(_ context.Context, config json.RawMessage) error
func (*KubernetesProvider) Type ¶
func (p *KubernetesProvider) Type() store.IAMProviderType
func (*KubernetesProvider) ValidateConfig ¶
func (p *KubernetesProvider) ValidateConfig(config json.RawMessage) error
type OIDCConfig ¶
// OIDCConfig holds configuration for the OIDC provider. It is decoded from
// the provider's JSON config using the "issuer", "client_id" and
// "claim_key" keys.
type OIDCConfig struct {
Issuer string `json:"issuer"` // OIDC issuer; presumably the issuer URL used for discovery — confirm against ValidateConfig
ClientID string `json:"client_id"` // Client ID the tokens are expected to be issued for — confirm against ValidateConfig
ClaimKey string `json:"claim_key"` // Which claim to use as the external identifier (e.g. "sub", "email")
}
OIDCConfig holds configuration for the OIDC provider.
type OIDCProvider ¶
// OIDCProvider maps OIDC claims to roles.
//
// This is a stub: it checks the config format but performs no OIDC discovery
// and no token validation, so any claim it reports as the identity has not
// been cryptographically verified.
type OIDCProvider struct{}
OIDCProvider maps OIDC claims to roles. This is a stub implementation that validates the config format but does not perform OIDC discovery or token validation; consequently the claim it reports as the identity is not cryptographically verified and should not be relied on for authorization decisions outside of testing.
func (*OIDCProvider) ResolveIdentities ¶
func (p *OIDCProvider) ResolveIdentities(_ context.Context, config json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
func (*OIDCProvider) TestConnection ¶
func (p *OIDCProvider) TestConnection(_ context.Context, config json.RawMessage) error
func (*OIDCProvider) Type ¶
func (p *OIDCProvider) Type() store.IAMProviderType
func (*OIDCProvider) ValidateConfig ¶
func (p *OIDCProvider) ValidateConfig(config json.RawMessage) error