Documentation
Overview ¶
Package stdcrpcaccess implements an access control layer for Connect RPC.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func SignTestToken ¶ added in v0.0.100
SignTestToken signs a valid JWT against a well-known private key for testing. Because that key is public, anyone can mint such tokens; they must only be accepted by an AccessControl wired to a TestAuthBackend, never by one backed by a RealAuthBackend.
func WithSignedTestToken ¶ added in v0.0.100
func WithSignedTestToken(base connect.HTTPClient, createToken func(r *http.Request) jwt.Token) connect.HTTPClient
WithSignedTestToken is an HTTP client middleware that attaches a valid (self-signed) test token, built by createToken from the outgoing request, to every request it sends.
func WithTestAuthBackend ¶ added in v0.0.100
WithTestAuthBackend injects the dependencies that let tests sign and validate access tokens.
Types ¶
type AccessControl ¶
type AccessControl[T any] struct {
	// contains filtered or unexported fields
}
AccessControl implements a simple access control scheme.
func New ¶
func New[T any](
	logic Logic[T],
	back AuthBackend,
	signing jwk.Set,
	audience string,
	authBackendIssuer, signingIssuer string,
	extraValidators []jwt.Validator,
) *AccessControl[T]
New initializes the access control: logic supplies the application-specific auth logic, back the OIDC backend whose JWKS is used to validate its tokens, signing the key set for tokens this instance signs itself, audience the value every accepted and issued token must carry, and the two issuer strings the expected iss claim of tokens from each source. extraValidators are applied to every token in addition to the built-in checks.
func (*AccessControl[T]) Close ¶
func (ac *AccessControl[T]) Close(context.Context) error
Close cancels the lifecycle context.
func (*AccessControl[T]) SignAccessToken ¶ added in v0.0.102
func (ac *AccessControl[T]) SignAccessToken(
	ctx context.Context,
	info T,
	signingKeyID string,
	buildFn ...func(*jwt.Builder) *jwt.Builder,
) ([]byte, error)
SignAccessToken turns auth information T into an access token that is accepted by auth checks. The audience claim is overwritten with what is configured for this access control instance.
type AuthBackend ¶
type AuthBackend interface {
JWKSEndpoint() string
}
AuthBackend represents an OIDC service whose signing process we do not control; all we have from it is the JWKS endpoint that publishes its verification keys.
type Logic ¶ added in v0.0.103
type Logic[T any] interface {
	// ProcedurePermissions is implemented to turn the claims into permissions for the Connect RPC procedure annotation.
	ProcedurePermissions(info T) []string
	// DecorateContext implements how auth information is stored in the context for the rest of the application to use.
	DecorateContext(ctx context.Context, info T) context.Context
	// ReadAccessToken allows the implementation to take information from the access token. This is called
	// AFTER private claims have been decoded from the access token.
	ReadAccessToken(ctx context.Context, info T, tok jwt.Token) (T, error)
	// ToAccessTokenBuilder turns the info into a JWT builder that can be completed and built by shared code.
	ToAccessTokenBuilder(ctx context.Context, info T) (*jwt.Builder, error)
	// AsAnonymous returns a new copy of the info that is usable to the application for anonymous access. If false is
	// returned, anonymous access is not allowed.
	AsAnonymous(ctx context.Context, req *http.Request) (T, bool)
	// PrivateClaimsDecodeTarget must return a pointer to the value that will be used as a decoding target for
	// private claims.
	PrivateClaimsDecodeTarget(info *T) any
}
Logic defines the auth logic to implement in order to customize the auth process.
type RealAuthBackend ¶
type RealAuthBackend string
RealAuthBackend is the backend used in actual deployments.
func (RealAuthBackend) JWKSEndpoint ¶
func (ap RealAuthBackend) JWKSEndpoint() string
type TestAuthBackend ¶ added in v0.0.100
type TestAuthBackend struct {
// contains filtered or unexported fields
}
TestAuthBackend is an auth backend that runs locally and whose signing process we control.
func NewTestAuthBackend ¶ added in v0.0.100
func NewTestAuthBackend() *TestAuthBackend
NewTestAuthBackend starts a server for testing that serves the key set.
func (TestAuthBackend) JWKSEndpoint ¶ added in v0.0.100
func (ap TestAuthBackend) JWKSEndpoint() string
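The pieces above fit together as follows: an AuthBackend only exposes a JWKS endpoint, a TestAuthBackend is a local server that serves the key set for keys we hold, a test token is signed with one of those keys, and the access control resolves the key by kid from the endpoint, checks the signature, pins issuer and audience, and only then maps the decoded claims to procedure permissions via Logic.ProcedurePermissions. The Go program below is an added example illustrating that flow; it is not code from the stdcrpcaccess package and it uses only the standard library rather than jwx or Connect. Every name in it (Claims as the T of Logic[T], the reader/admin role table, the /acme.v1.Store/* procedures, the issuer https://issuer.test, the audience store-api, and the functions ServeJWKS, SignToken, VerifyToken and Allowed) is hypothetical; the key set is generated at run time and the JWKS server listens on loopback.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Claims stands in for the T of Logic[T]; the private claim "roles" is decoded into it alongside iss/aud.
type Claims struct {
	Issuer   string   `json:"iss"`
	Audience string   `json:"aud"`
	Roles    []string `json:"roles"`
}

// Allowed is the per-procedure check (Logic.ProcedurePermissions feeding the procedure annotation);
// the role table is constructed for this example and the procedure names are hypothetical.
func Allowed(c Claims, procedure string) bool {
	perms := map[string]map[string]bool{"reader": {"/acme.v1.Store/Get": true}, "admin": {"/acme.v1.Store/Get": true, "/acme.v1.Store/Delete": true}}
	for _, role := range c.Roles {
		if perms[role][procedure] {
			return true
		}
	}
	return false
}

// ServeJWKS plays the role of TestAuthBackend: a local server whose URL is the JWKSEndpoint().
func ServeJWKS(pub *ecdsa.PublicKey, kid string) *httptest.Server {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	jwks := fmt.Sprintf(`{"keys":[{"kty":"EC","crv":"P-256","kid":%q,"x":%q,"y":%q}]}`, kid, b64.EncodeToString(x), b64.EncodeToString(y))
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, jwks) }))
}

// SignToken mints an ES256 JWT (compact JWS, raw r||s signature) from the claims exactly as given.
func SignToken(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the gate before any claim is trusted: pin the algorithm, resolve the key by kid from the JWKS endpoint, check the signature, then pin issuer and audience (exp/nbf are left to extra validators).
func VerifyToken(jwksURL, token, iss, aud string) (Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return Claims{}, fmt.Errorf("malformed token or unsupported alg %q", hdr.Alg) // also rejects alg=none
	}
	resp, err := http.Get(jwksURL) // the AuthBackend's JWKSEndpoint()
	if err != nil {
		return Claims{}, err
	}
	defer resp.Body.Close()
	var jwks struct{ Keys []struct{ Kid, X, Y string } }
	if err := json.NewDecoder(resp.Body).Decode(&jwks); err != nil {
		return Claims{}, err
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256()}
	for _, k := range jwks.Keys {
		if x, _ := b64.DecodeString(k.X); k.Kid == hdr.Kid { // only the key the header names; an unknown kid leaves pub.X nil
			y, _ := b64.DecodeString(k.Y)
			pub.X, pub.Y = new(big.Int).SetBytes(x), new(big.Int).SetBytes(y)
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); pub.X == nil || err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return Claims{}, fmt.Errorf("unknown kid or bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Issuer != iss || c.Audience != aud {
		return Claims{}, fmt.Errorf("malformed payload or issuer/audience mismatch (iss=%q aud=%q)", c.Issuer, c.Audience)
	}
	return c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := ServeJWKS(&priv.PublicKey, "test-1")
	tok, _ := SignToken(priv, "test-1", Claims{Issuer: "https://issuer.test", Audience: "store-api", Roles: []string{"reader"}})
	c, err := VerifyToken(srv.URL, tok, "https://issuer.test", "store-api")
	fmt.Println(err, Allowed(c, "/acme.v1.Store/Get"), Allowed(c, "/acme.v1.Store/Delete"))
}
```

The order of checks is the point: the algorithm is pinned before anything else is read, so an alg=none header is rejected without a key lookup; the key is selected by the kid the header names, so a token signed under a key the backend never published fails; the signature is checked before the payload is decoded, so a tampered roles claim never reaches ProcedurePermissions; and issuer and audience are pinned afterwards, which is why SignAccessToken overwrites the audience with the instance's configured value. Expiry and not-before checks are deliberately omitted here; in the package they belong in the extraValidators passed to New.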