Types ¶
type AWSConfig ¶
// AWSConfig holds configuration for the AWS IAM provider.
//
// The three credential fields are optional static credentials; when they are
// absent, AWSIAMProvider.ResolveIdentities is documented as falling back to an
// ARN-only identity. Treat SecretAccessKey and SessionToken as secrets: keep
// them out of logs, error messages and API responses.
type AWSConfig struct {
// AccountID is the AWS account ID the provider is configured for.
// NOTE(review): presumably the account that resolved ARNs must belong to — confirm against ResolveIdentities.
AccountID string `json:"account_id"`
// Region is the AWS region (presumably used for the STS/IAM clients — confirm).
Region string `json:"region"`
// AccessKeyID is the optional static access key ID.
AccessKeyID string `json:"access_key_id,omitempty"`
// SecretAccessKey is the optional static secret access key. Secret material.
SecretAccessKey string `json:"secret_access_key,omitempty"`
// SessionToken is the optional session token for temporary credentials. Secret material.
SessionToken string `json:"session_token,omitempty"` //nolint:gosec // the linter is triggered by the field name; no credential is hardcoded here
}
AWSConfig holds configuration for the AWS IAM provider.
type AWSIAMProvider ¶
// AWSIAMProvider validates AWS IAM ARNs using STS GetCallerIdentity and IAM
// GetUser/GetRole calls. It carries no state; configuration arrives per call
// as a JSON-encoded AWSConfig.
type AWSIAMProvider struct{}
AWSIAMProvider validates AWS IAM ARNs using STS GetCallerIdentity and IAM GetUser/GetRole calls.
func (*AWSIAMProvider) ResolveIdentities ¶
func (p *AWSIAMProvider) ResolveIdentities(ctx context.Context, cfgRaw json.RawMessage, creds map[string]string) ([]ExternalIdentity, error)
ResolveIdentities resolves an AWS ARN to an ExternalIdentity, using STS GetCallerIdentity and IAM GetUser/GetRole to enrich attributes. Falls back to an ARN-only identity (no STS/IAM lookup is performed, so the ARN is not verified against AWS) when credentials are unavailable.
func (*AWSIAMProvider) TestConnection ¶
func (p *AWSIAMProvider) TestConnection(ctx context.Context, cfgRaw json.RawMessage) error
TestConnection calls sts:GetCallerIdentity to verify connectivity and credentials.
func (*AWSIAMProvider) Type ¶
func (p *AWSIAMProvider) Type() store.IAMProviderType
func (*AWSIAMProvider) ValidateConfig ¶
func (p *AWSIAMProvider) ValidateConfig(cfgRaw json.RawMessage) error
type ExternalIdentity ¶
// ExternalIdentity represents an identity from an external IAM system.
type ExternalIdentity struct {
// Provider names the external IAM system the identity came from
// (presumably the producing provider's Type() value — confirm against the implementations).
Provider string `json:"provider"`
// Identifier is the provider-specific external identifier: an ARN for the AWS
// provider, and for OIDC the claim selected by OIDCConfig.ClaimKey.
Identifier string `json:"identifier"`
// Attributes carries optional provider-supplied enrichment (for AWS, data
// from IAM GetUser/GetRole). Omitted from JSON when empty.
Attributes map[string]string `json:"attributes,omitempty"`
}
ExternalIdentity represents an identity from an external IAM system.
type IAMProvider ¶
// IAMProvider defines the interface for an external IAM provider.
//
// Implementations in this package are AWSIAMProvider, KubernetesProvider and
// OIDCProvider; each expects config to be its own JSON document
// (AWSConfig, KubernetesConfig, OIDCConfig respectively).
type IAMProvider interface {
// Type returns the provider type identifier.
Type() store.IAMProviderType
// ValidateConfig checks that the provider configuration is valid.
ValidateConfig(config json.RawMessage) error
// ResolveIdentities extracts external identities from the given credentials/token.
// The credentials map is caller-supplied input whose keys are provider-specific
// and not fixed by this interface. NOTE(review): whether an empty result with a
// nil error means "no identity established" is not visible here — confirm
// against the implementations before callers rely on it.
ResolveIdentities(ctx context.Context, config json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
// TestConnection tests that the provider configuration can connect.
TestConnection(ctx context.Context, config json.RawMessage) error
}
IAMProvider defines the interface for an external IAM provider.
type IAMResolver ¶
// IAMResolver combines IAM providers with the store to resolve external
// identities to roles. Construct it with NewIAMResolver and add providers
// with RegisterProvider.
type IAMResolver struct {
// contains filtered or unexported fields
}
IAMResolver combines IAM providers with the store to resolve external identities to roles.
func NewIAMResolver ¶
func NewIAMResolver(iamStore store.IAMStore) *IAMResolver
NewIAMResolver creates a new IAMResolver.
func (*IAMResolver) GetProvider ¶
func (r *IAMResolver) GetProvider(providerType store.IAMProviderType) (IAMProvider, bool)
GetProvider returns the registered provider for the given type, if any.
func (*IAMResolver) RegisterProvider ¶
func (r *IAMResolver) RegisterProvider(p IAMProvider)
RegisterProvider registers an IAM provider implementation.
func (*IAMResolver) ResolveRole ¶
func (r *IAMResolver) ResolveRole(ctx context.Context, companyID uuid.UUID, identity ExternalIdentity, resourceType string, resourceID uuid.UUID) (store.Role, error)
ResolveRole resolves the highest role for an external identity across all enabled providers in a company for a specific resource.
type KubernetesConfig ¶
// KubernetesConfig holds configuration for the Kubernetes RBAC provider.
//
// Token is a bearer credential: keep it out of logs, error messages and API
// responses.
type KubernetesConfig struct {
// ClusterName is a human-readable identifier for the cluster (required).
ClusterName string `json:"cluster_name"`
// Namespace to look up ServiceAccounts in (default: "default").
Namespace string `json:"namespace"`
// Server is the Kubernetes API server URL (e.g. https://kubernetes.default.svc).
// If empty, uses the in-cluster service account token.
Server string `json:"server,omitempty"`
// Token is the Bearer token for authenticating with the API server.
// If empty, reads from /var/run/secrets/kubernetes.io/serviceaccount/token.
Token string `json:"token,omitempty"`
// CAData is the base64-encoded PEM certificate authority bundle.
// If empty, uses the in-cluster CA at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.
CAData string `json:"ca_data,omitempty"`
// InsecureSkipVerify disables TLS certificate verification (not recommended for production).
// When set, the identity of Server is not checked, so the token could be sent
// to an impersonating endpoint; prefer supplying CAData instead.
InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty"`
}
KubernetesConfig holds configuration for the Kubernetes RBAC provider.
type KubernetesProvider ¶
// KubernetesProvider maps Kubernetes ServiceAccounts and Groups to roles by
// performing real Kubernetes API calls. It carries no state; configuration
// arrives per call as a JSON-encoded KubernetesConfig.
type KubernetesProvider struct{}
KubernetesProvider maps Kubernetes ServiceAccounts and Groups to roles by performing real Kubernetes API calls.
func (*KubernetesProvider) ResolveIdentities ¶
func (p *KubernetesProvider) ResolveIdentities(ctx context.Context, config json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
ResolveIdentities looks up the ServiceAccount or Group in the configured namespace and returns external identities for any that exist.
func (*KubernetesProvider) TestConnection ¶
func (p *KubernetesProvider) TestConnection(ctx context.Context, config json.RawMessage) error
TestConnection attempts to connect to the Kubernetes API server and list namespaces.
func (*KubernetesProvider) Type ¶
func (p *KubernetesProvider) Type() store.IAMProviderType
func (*KubernetesProvider) ValidateConfig ¶
func (p *KubernetesProvider) ValidateConfig(config json.RawMessage) error
type OIDCConfig ¶
// OIDCConfig holds configuration for the OIDC provider.
type OIDCConfig struct {
// Issuer is the OIDC issuer URL.
// NOTE(review): presumably compared against the token's iss claim and used as
// the base for discovery — confirm against OIDCProvider.
Issuer string `json:"issuer"`
// ClientID is the relying-party client ID.
// NOTE(review): presumably the expected aud claim value — confirm.
ClientID string `json:"client_id"`
ClaimKey string `json:"claim_key,omitempty"` // Which claim to use as the external identifier (e.g. "sub", "email")
// JWKSURL optionally pins the JWKS endpoint.
// NOTE(review): how it interacts with DiscoveryURL/Issuer (precedence) is not visible here — confirm.
JWKSURL string `json:"jwks_url,omitempty"`
// DiscoveryURL optionally overrides the discovery document location.
DiscoveryURL string `json:"discovery_url,omitempty"`
}
OIDCConfig holds configuration for the OIDC provider.
type OIDCProvider ¶
// OIDCProvider maps OIDC claims to roles using OIDC discovery and JWT
// validation. Unlike the AWS and Kubernetes providers it has internal state
// (unexported fields not shown here).
type OIDCProvider struct {
// HTTPClient is the HTTP client used for OIDC discovery and JWKS requests.
// If nil, http.DefaultClient is used.
// NOTE(review): http.DefaultClient has no timeout, so a slow or unresponsive
// issuer can stall discovery/JWKS fetches indefinitely; callers should supply
// a client with Timeout set (or rely on ctx deadlines).
HTTPClient *http.Client
// contains filtered or unexported fields
}
OIDCProvider maps OIDC claims to roles using OIDC discovery and JWT validation.
func (*OIDCProvider) ResolveIdentities ¶
func (p *OIDCProvider) ResolveIdentities(ctx context.Context, config json.RawMessage, credentials map[string]string) ([]ExternalIdentity, error)
func (*OIDCProvider) TestConnection ¶
func (p *OIDCProvider) TestConnection(ctx context.Context, config json.RawMessage) error
func (*OIDCProvider) Type ¶
func (p *OIDCProvider) Type() store.IAMProviderType
func (*OIDCProvider) ValidateConfig ¶
func (p *OIDCProvider) ValidateConfig(config json.RawMessage) error