Documentation
Index ¶
- Constants
- Variables
- func FormatRootEmail() string
- func Init()
- func IsPID1() bool
- func LoadToken(key string) (*filer.Resource, bool)
- func MustParseContainerID() string
- func RegisterIdentifierServer(s grpc.ServiceRegistrar, srv IdentifierServer)
- func RegisterLoginProvider(p LoginProvider)
- func RootAuthority() string
- func RootIdentity() string
- func StoreToken(key string, r *filer.Resource)
- type AuthDispatcher
- type AuthFlow
- type AuthenticateHandler
- type IdentifierClient
- type IdentifierServer
- type Identifier_AuthenticateClient
- type Identifier_AuthenticateServer
- type Identity
- func (*Identity) Descriptor() ([]byte, []int) (deprecated)
- func (x *Identity) GetId() string
- func (x *Identity) GetLocalAuthority() *Identity
- func (x *Identity) GetName() string
- func (x *Identity) GetProvider() isIdentity_Provider
- func (x *Identity) GetRemoteAuthority() *Identity
- func (x *Identity) GetSecret() string
- func (*Identity) ProtoMessage()
- func (x *Identity) ProtoReflect() protoreflect.Message
- func (x *Identity) Reset()
- func (x *Identity) String() string
- type Identity_LocalAuthority
- type Identity_RemoteAuthority
- type Identity_Secret
- type LoginProvider
- type Option
- type UnimplementedIdentifierServer
- func (UnimplementedIdentifierServer) Authenticate(grpc.BidiStreamingServer[Identity, filer.Resource]) error
- func (UnimplementedIdentifierServer) Authority(context.Context, *Identity) (*Identity, error)
- func (UnimplementedIdentifierServer) Identify(context.Context, *filer.Resource) (*Identity, error)
- type UnsafeIdentifierServer
Constants ¶
// Fully qualified gRPC method names for the Identifier service (ServiceName
// "identifier.Identifier" in Identifier_ServiceDesc). Use these rather than
// string literals when an interceptor needs per-method policy, e.g. an
// authorization check that must not apply to Authenticate itself.
const (
	Identifier_Authenticate_FullMethodName = "/identifier.Identifier/Authenticate"
	Identifier_Authority_FullMethodName    = "/identifier.Identifier/Authority"
	Identifier_Identify_FullMethodName     = "/identifier.Identifier/Identify"
)
Variables ¶
// File_identifier_identifier_proto is the protobuf file descriptor for
// identifier/identifier.proto (the Metadata path named in Identifier_ServiceDesc).
var File_identifier_identifier_proto protoreflect.FileDescriptor
// Identifier_ServiceDesc describes the Identifier service to grpc.RegisterService.
// Authority and Identify are unary; Authenticate is a bidirectional stream
// (ServerStreams and ClientStreams are both true), which is why the
// authentication exchange is modelled as an AuthFlow rather than one request.
var Identifier_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "identifier.Identifier",
	HandlerType: (*IdentifierServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Authority",
			Handler:    _Identifier_Authority_Handler,
		},
		{
			MethodName: "Identify",
			Handler:    _Identifier_Identify_Handler,
		},
	},
	Streams: []grpc.StreamDesc{
		{
			StreamName:    "Authenticate",
			Handler:       _Identifier_Authenticate_Handler,
			ServerStreams: true,
			ClientStreams: true,
		},
	},
	Metadata: "identifier/identifier.proto",
}
Identifier_ServiceDesc is the grpc.ServiceDesc for the Identifier service. It is only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).
Functions ¶
func FormatRootEmail ¶
func FormatRootEmail() string
FormatRootEmail returns the root e-mail address, in the form root_identity@root_authority.
func Init ¶
func Init()
Init is the single public entry point. Call it from main() after flag.Parse(). It runs environment checks, pushes CLI flags into env vars, then blocks until any registered login providers have completed.
func MustParseContainerID ¶
func MustParseContainerID() string
MustParseContainerID tries to extract a 64-character hexadecimal container ID from /proc/1/cgroup (useful for logging).
func RegisterIdentifierServer ¶
func RegisterIdentifierServer(s grpc.ServiceRegistrar, srv IdentifierServer)
func RegisterLoginProvider ¶
func RegisterLoginProvider(p LoginProvider)
RegisterLoginProvider adds a login provider that will run during Init().
func RootAuthority ¶
func RootAuthority() string
RootAuthority returns the resolved root authority domain.
func RootIdentity ¶
func RootIdentity() string
RootIdentity returns the resolved root identity name.
func StoreToken ¶
StoreToken writes a Resource into the token map under the given key.
Types ¶
type AuthDispatcher ¶
// AuthDispatcher implements AuthenticateHandler by reading the first Identity
// message on the stream and handing the stream to the first AuthFlow in Flows
// whose Match reports true (see Handle).
type AuthDispatcher struct {
	// Flows are consulted in order; the first one whose Match returns true
	// handles the whole exchange. What Handle does when no flow matches is
	// not visible here — NOTE(review): confirm it fails closed (returns an
	// error and sends no Resource) rather than completing the stream quietly.
	Flows []AuthFlow
}
AuthDispatcher implements AuthenticateHandler by reading the first Identity message and dispatching to the first matching AuthFlow.
func (*AuthDispatcher) Handle ¶
func (d *AuthDispatcher) Handle(stream grpc.BidiStreamingServer[Identity, filer.Resource]) error
Handle reads the first Identity from the stream and dispatches to the first matching AuthFlow.
type AuthFlow ¶
// AuthFlow handles one authentication exchange on the server side of an
// Identifier.Authenticate bidi stream. Implementations are stateless —
// dispatch is based purely on the content of the first Identity message.
type AuthFlow interface {
	// Match reports whether this flow should handle the given first Identity
	// message from the client. At this point the message is unauthenticated
	// client input, so Match should only inspect it to choose a flow and must
	// not grant anything on its own.
	Match(first *Identity) bool
	// Handle runs the flow to completion. The first Identity has already been
	// received and is passed in; any further Identity messages the flow needs
	// are read from stream. On success the implementation must send at least
	// one Resource back (presumably the token-bearing Resource described on
	// IdentifierServer.Authenticate — confirm). Returning an error without
	// having sent a Resource is the failure path.
	Handle(first *Identity, stream grpc.BidiStreamingServer[Identity, filer.Resource]) error
}
AuthFlow handles one authentication exchange on the server side of an Identifier.Authenticate bidi stream. Implementations are stateless — dispatch is based purely on the content of the first Identity message.
type AuthenticateHandler ¶
// AuthenticateHandler is the interface for pluggable authentication dispatch.
// It is defined here so that external packages can implement it without
// creating an import cycle. AuthDispatcher is the in-package implementation,
// and WithAuthHandler installs a handler on the server.
type AuthenticateHandler interface {
	// Handle services one Identifier.Authenticate bidi stream end to end,
	// from the first client Identity message until the stream is finished.
	Handle(stream grpc.BidiStreamingServer[Identity, filer.Resource]) error
}
AuthenticateHandler is the interface for pluggable authentication dispatch. It is defined here so that external packages can implement it without creating an import cycle.
type IdentifierClient ¶
// IdentifierClient is the client API for the Identifier service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to
// https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type IdentifierClient interface {
	// Authenticate opens a bidirectional stream on which the client sends
	// Identity messages and the server replies with filer.Resource messages.
	// An auth flow (further exchanges) may be required first. If successful,
	// the stream ultimately returns a Resource with a token inside it, owned
	// by the authenticated user, with resource info for Identity.name (e.g. a
	// user or group) embedded; that info helps inform the resource targets of
	// a subsequent Plan92.CreateSession (authorization).
	Authenticate(ctx context.Context, opts ...grpc.CallOption) (grpc.BidiStreamingClient[Identity, filer.Resource], error)
	// Authority determines whether the resource of this name belongs to this
	// server: if so, the reply carries its local identity; if not, a remote
	// authority.
	Authority(ctx context.Context, in *Identity, opts ...grpc.CallOption) (*Identity, error)
	// Identify requests the identity of the owner of this resource. It can
	// also be used to check the identity of this service/identity provider,
	// by asking about "system"/id=0.
	Identify(ctx context.Context, in *filer.Resource, opts ...grpc.CallOption) (*Identity, error)
}
IdentifierClient is the client API for Identifier service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewIdentifierClient ¶
func NewIdentifierClient(cc grpc.ClientConnInterface) IdentifierClient
type IdentifierServer ¶
// IdentifierServer is the server API for the Identifier service. All
// implementations must embed UnimplementedIdentifierServer for forward
// compatibility.
type IdentifierServer interface {
	// Authenticate services a bidirectional stream: the client sends Identity
	// messages and the server replies with filer.Resource messages. An auth
	// flow (further exchanges) may be required first. If successful, the
	// server ultimately sends a Resource with a token inside it, owned by the
	// authenticated user, with resource info for Identity.name (e.g. a user
	// or group) embedded; that info helps inform the resource targets of a
	// subsequent Plan92.CreateSession (authorization). The first Identity on
	// the stream is unauthenticated input and must be treated as such.
	Authenticate(grpc.BidiStreamingServer[Identity, filer.Resource]) error
	// Authority determines whether the resource of this name belongs to this
	// server: if so, the reply carries its local identity; if not, a remote
	// authority.
	Authority(context.Context, *Identity) (*Identity, error)
	// Identify requests the identity of the owner of this resource. It can
	// also be used to check the identity of this service/identity provider,
	// by asking about "system"/id=0.
	Identify(context.Context, *filer.Resource) (*Identity, error)
	// contains filtered or unexported methods
}
IdentifierServer is the server API for Identifier service. All implementations must embed UnimplementedIdentifierServer for forward compatibility.
func NewIdentifierServer ¶
func NewIdentifierServer(opts ...Option) IdentifierServer
NewIdentifierServer creates an IdentifierServer.
type Identifier_AuthenticateClient ¶
// Identifier_AuthenticateClient is the client side of the Authenticate bidi
// stream, kept as an alias for code that referenced the pre-generic stream type.
type Identifier_AuthenticateClient = grpc.BidiStreamingClient[Identity, filer.Resource]
This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
type Identifier_AuthenticateServer ¶
// Identifier_AuthenticateServer is the server side of the Authenticate bidi
// stream, kept as an alias for code that referenced the pre-generic stream type.
type Identifier_AuthenticateServer = grpc.BidiStreamingServer[Identity, filer.Resource]
This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
type Identity ¶
// Identity names a principal (a user, group, or this service itself) and says
// who vouches for it. At most one Provider variant is set (protobuf oneof
// "provider").
type Identity struct {
	// Identity name according to the provider.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Local identity the user wishes to authenticate as here. Can be the same as Id.
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
	// Provider identifies who vouches for this identity. Types that are valid
	// to be assigned to Provider:
	//
	//	*Identity_LocalAuthority
	//	*Identity_RemoteAuthority
	//	*Identity_Secret
	//
	// NOTE(review): the *Identity_Secret variant carries a credential in the
	// clear inside the message. Treat Identity values as sensitive: avoid
	// logging or formatting them wholesale (the generated String() output
	// includes set fields — confirm) and only send them over an
	// authenticated, encrypted transport.
	Provider isIdentity_Provider `protobuf_oneof:"provider"`
	// contains filtered or unexported fields
}
func (*Identity) Descriptor ¶ (deprecated)
func (*Identity) GetLocalAuthority ¶
func (*Identity) GetProvider ¶
func (x *Identity) GetProvider() isIdentity_Provider
func (*Identity) GetRemoteAuthority ¶
func (*Identity) ProtoMessage ¶
func (*Identity) ProtoMessage()
func (*Identity) ProtoReflect ¶
func (x *Identity) ProtoReflect() protoreflect.Message
type Identity_LocalAuthority ¶
// Identity_LocalAuthority is the Provider variant holding the local authority
// for an Identity — the "belongs to this server" case described on Authority.
type Identity_LocalAuthority struct {
	LocalAuthority *Identity `protobuf:"bytes,3,opt,name=local_authority,json=localAuthority,proto3,oneof"`
}
type Identity_RemoteAuthority ¶
// Identity_RemoteAuthority is the Provider variant naming a remote authority
// for an Identity — the "does not belong to this server" case described on
// Authority. Callers that follow it are trusting another server's answer.
type Identity_RemoteAuthority struct {
	RemoteAuthority *Identity `protobuf:"bytes,4,opt,name=remote_authority,json=remoteAuthority,proto3,oneof"`
}
type Identity_Secret ¶
// Identity_Secret is the Provider variant that carries a secret as proof of
// identity (which kind of secret is not specified here).
type Identity_Secret struct {
	// Secret is a credential: never log it and never echo it back in a reply.
	// NOTE(review): wherever the server compares this value, confirm the
	// comparison is constant-time (e.g. crypto/subtle) rather than a plain
	// string equality.
	Secret string `protobuf:"bytes,5,opt,name=secret,proto3,oneof"`
}
type LoginProvider ¶
// LoginProvider authenticates a user during startup (client-initiated). Login
// providers run before the gRPC server starts and may block until
// authentication completes; register them with RegisterLoginProvider and
// Init runs them.
type LoginProvider interface {
	// Name returns a human-readable name for this provider (for logs and UX).
	Name() string
	// Login blocks until authentication completes or fails. On success it
	// returns the Resource obtained (presumably the token-bearing Resource
	// that StoreToken keeps — confirm); on failure it returns a non-nil error
	// and the Resource must be ignored.
	Login() (*filer.Resource, error)
}
LoginProvider authenticates a user during startup (client-initiated). Login providers run before the gRPC server starts and may block until authentication completes.
type Option ¶
// Option configures the identifier server; pass values such as WithAuthHandler
// or WithAuthority to NewIdentifierServer.
type Option func(*identifierServer)
Option configures the identifier server.
func WithAuthHandler ¶
func WithAuthHandler(h AuthenticateHandler) Option
WithAuthHandler sets the authentication handler.
func WithAuthority ¶
WithAuthority sets the authority and owner names for the server.
type UnimplementedIdentifierServer ¶
// UnimplementedIdentifierServer must be embedded (by value, not by pointer —
// see the note below) to have forward compatible implementations: its methods
// stand in for every RPC a concrete server does not override.
type UnimplementedIdentifierServer struct{}
UnimplementedIdentifierServer must be embedded to have forward compatible implementations.
NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.
func (UnimplementedIdentifierServer) Authenticate ¶
func (UnimplementedIdentifierServer) Authenticate(grpc.BidiStreamingServer[Identity, filer.Resource]) error
type UnsafeIdentifierServer ¶
// UnsafeIdentifierServer may be embedded to opt out of forward compatibility
// for this service. Use of this interface is not recommended, as methods added
// to IdentifierServer will result in compilation errors.
type UnsafeIdentifierServer interface {
	// contains filtered or unexported methods
}
UnsafeIdentifierServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to IdentifierServer will result in compilation errors.