Overview
Package auth provides authentication and authorization interfaces and implementations for CallFS. It includes API key authentication for REST endpoints and Unix socket authorization for local access.
Constants
This section is empty.
Variables
var (
	ErrAuthenticationFailed = errors.New("authentication failed")
	ErrPermissionDenied = errors.New("permission denied")
	ErrInvalidToken = errors.New("invalid token")
)
Common authentication/authorization errors.
Functions
This section is empty.
Types
type APIKeyAuthenticator
type APIKeyAuthenticator struct {
// contains filtered or unexported fields
}
APIKeyAuthenticator implements authentication using static API keys. The internal proxy secret is registered with a dedicated "internal-proxy" user ID so that cross-server proxy operations authenticate successfully on the public API.
func NewAPIKeyAuthenticator
func NewAPIKeyAuthenticator(keys []string, internalProxySecret string) *APIKeyAuthenticator
NewAPIKeyAuthenticator creates a new API key authenticator. The internalProxySecret is registered as a valid key with the "internal-proxy" user ID so cross-server operations (UpdateFileOnInstance, etc.) can authenticate on peers.
func (*APIKeyAuthenticator) Authenticate
Authenticate validates a token and returns the associated user ID
type Authenticator
type Authenticator interface {
// Authenticate validates a token and returns the associated user ID
Authenticate(ctx context.Context, token string) (userID string, err error)
}
Authenticator defines the interface for user authentication
type Authorizer
type Authorizer interface {
// Authorize checks if a user has the specified permission for a path
Authorize(ctx context.Context, userID string, path string, perm PermissionType) error
}
Authorizer defines the interface for authorization checks
type PermissionType
type PermissionType int
PermissionType represents different permission types for authorization
const (
	ReadPerm PermissionType = iota
	WritePerm
	DeletePerm
)
type UnixAuthorizer
type UnixAuthorizer struct {
// contains filtered or unexported fields
}
UnixAuthorizer implements permission checking using app-level ownership. Authorization is based on the app user ID string (Owner field in metadata), NOT on OS-level UIDs/GIDs. App users have no relationship to OS users.
func NewUnixAuthorizer
func NewUnixAuthorizer(metadataStore metadata.Store) *UnixAuthorizer
NewUnixAuthorizer creates a new authorizer
func (*UnixAuthorizer) Authorize
func (a *UnixAuthorizer) Authorize(ctx context.Context, userID string, path string, perm PermissionType) error
Authorize checks if a user has the specified permission for a path
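To show how the Authenticator and Authorizer contracts above fit together, here is an added, self-contained example that is not CallFS code: a hypothetical StaticKeyAuth stands in for APIKeyAuthenticator (keys supplied as a key-to-user-ID map, the proxy secret registered under the "internal-proxy" user ID, comparison done in constant time via crypto/subtle), and a hypothetical OwnerAuthorizer stands in for UnixAuthorizer with a path-to-owner map in place of metadata.Store. The error values and PermissionType constants are re-declared locally so the file compiles on its own.

```go
package main

import (
	"context"
	"crypto/subtle"
	"errors"
)

var ErrAuthenticationFailed = errors.New("authentication failed")
var ErrPermissionDenied = errors.New("permission denied")
type PermissionType int
const (ReadPerm PermissionType = iota; WritePerm; DeletePerm)
// StaticKeyAuth is a hypothetical stand-in for APIKeyAuthenticator: API key -> app user ID.
type StaticKeyAuth struct{ users map[string]string }

// NewStaticKeyAuth registers the caller's keys plus the proxy secret under the "internal-proxy" user ID.
func NewStaticKeyAuth(keys map[string]string, internalProxySecret string) *StaticKeyAuth {
	m := make(map[string]string, len(keys)+1)
	for k, u := range keys {
		m[k] = u
	}
	if internalProxySecret != "" {
		m[internalProxySecret] = "internal-proxy"
	}
	return &StaticKeyAuth{users: m}
}

// Authenticate compares the token against every registered key and returns the matching user ID.
func (a *StaticKeyAuth) Authenticate(_ context.Context, token string) (string, error) {
	userID, found := "", false
	for k, u := range a.users { // scan every key so timing does not reveal an early match
		if subtle.ConstantTimeCompare([]byte(k), []byte(token)) == 1 {
			userID, found = u, true
		}
	}
	if !found {
		return "", ErrAuthenticationFailed
	}
	return userID, nil
}

// OwnerAuthorizer stands in for UnixAuthorizer: a path -> app owner map replaces metadata.Store.
type OwnerAuthorizer struct{ owner map[string]string }

// Authorize allows any permission only for the recorded app-level owner, never an OS UID/GID.
func (o *OwnerAuthorizer) Authorize(_ context.Context, userID, path string, perm PermissionType) error {
	if owner, ok := o.owner[path]; !ok || owner != userID {
		return ErrPermissionDenied
	}
	return nil
}
```

A path with no recorded owner is denied to everyone, which is the safe default when metadata is missing.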