Documentation
¶
Overview ¶
Package stdcrpcaccess implements an access control layer for Connect RPC.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func SignTestToken ¶ added in v0.0.100
SignTestToken signs a valid JWT against a well-known private key for testing.
func WithSignedTestToken ¶ added in v0.0.100
func WithSignedTestToken(base connect.HTTPClient, createToken func(r *http.Request) jwt.Token) connect.HTTPClient
WithSignedTestToken is a http client middleware that always adds a valid (self signed) token for testing.
func WithTestAuthBackend ¶ added in v0.0.100
WithTestAuthBackend injects dependencies for allowing tests to sign and validate access tokens.
Types ¶
type AccessControl ¶
type AccessControl[T any] struct { // contains filtered or unexported fields }
AccessControl implements a simple access control scheme.
func New ¶
func New[T any]( logic Logic[T], back AuthBackend, signing jwk.Set, audience string, authBackendIssuer, signingIssuer string, extraValidators []jwt.Validator, ) *AccessControl[T]
New inits the access control.
func (*AccessControl[T]) Close ¶
func (ac *AccessControl[T]) Close(context.Context) error
Close cancels the lifecycle context.
func (*AccessControl[T]) SignAccessToken ¶ added in v0.0.102
func (ac *AccessControl[T]) SignAccessToken( bldr *jwt.Builder, signingKeyID string, ) ([]byte, error)
SignAccessToken turns auth information T into an access token that is accepted by auth checks. The audience claim is overwritten with what is configured for this access control instance.
type AuthBackend ¶
type AuthBackend interface {
JWKSEndpoint() string
}
AuthBackend represents and OIDC service that we don't control the signing process of.
type Logic ¶ added in v0.0.103
type Logic[T any] interface { // ProcedurePermissions is implemented to turn the claims into permissions for connect RPC procedure annotation. ProcedurePermissions(info T) []string // DecorateContext implements how auth information is stored in the context for the rest of the application to use. DecorateContext(ctx context.Context, info T) context.Context // InitAsAnonymous is called to initialize auth information when there is no access token. InitAsAnonymous(ctx context.Context, req *http.Request) (T, bool) // InitFromAccessToken is called to initialize a auth information when there is a valid access token. InitFromAccessToken(ctx context.Context, tok jwt.Token) (T, error) }
Logic defines the auth logic to implement in order to customize the auth process.
type RealAuthBackend ¶
type RealAuthBackend string
RealAuthBackend is used when actually deploying.
func (RealAuthBackend) JWKSEndpoint ¶
func (ap RealAuthBackend) JWKSEndpoint() string
type TestAuthBackend ¶ added in v0.0.100
type TestAuthBackend struct {
// contains filtered or unexported fields
}
TestAuthBackend is an auth backend that is run locally and we control the signing process for.
func NewTestAuthBackend ¶ added in v0.0.100
func NewTestAuthBackend() *TestAuthBackend
NewTestAuthBackend starts a server for testing that serves the key set.
func (TestAuthBackend) JWKSEndpoint ¶ added in v0.0.100
func (ap TestAuthBackend) JWKSEndpoint() string
Source Files