Documentation
¶
Index ¶
- Constants
- type AddAdditionalClaim
- type AddAuthorityHint
- type AddTrustMark
- type AddTrustMarkIssuer
- type AddTrustMarkOwner
- type AddTrustMarkType
- type AdditionalClaimsStore
- type AlreadyExistsError
- type AuthorityHint
- type AuthorityHintsStore
- type Backends
- type BasicSubordinateInfo
- type CheckerConfig
- type EligibilityConfig
- type EligibilityMode
- type EntityConfigurationAdditionalClaim
- type EventQueryOpts
- type ExtendedSubordinateInfo
- type HistoricalKey
- type IssuedTrustMarkInstance
- type IssuedTrustMarkInstanceStore
- type JWKS
- type KeyValue
- type KeyValueStore
- type LegacySubordinateStorageBackend
- type LegacySubordinateStorageQuery
- type LegacySubordinateStorageQueryFilter
- type NotFoundError
- type PolicyOperator
- type PolicyOperators
- type PublishedTrustMark
- type PublishedTrustMarksStore
- type SelfIssuedTrustMarkSpec
- type StatsStorageBackend
- type Status
- type SubordinateAdditionalClaim
- type SubordinateEntityType
- type SubordinateEvent
- type SubordinateEventStore
- type SubordinateStorageBackend
- type TransactionFunc
- type TrustMarkInstanceStatus
- type TrustMarkIssuer
- type TrustMarkIssuersStore
- type TrustMarkOwner
- type TrustMarkOwnersStore
- type TrustMarkSpec
- type TrustMarkSpecStore
- type TrustMarkSubject
- type TrustMarkType
- type TrustMarkTypesStore
- type TrustMarkedEntitiesStorageBackend
- type UpdateTrustMark
- type User
- type UsersStore
- type ValidationError
Constants ¶
View Source
const ( // EventTypeCreated is recorded when a subordinate is created. EventTypeCreated = "created" // EventTypeDeleted is recorded when a subordinate is deleted. EventTypeDeleted = "deleted" // EventTypeStatusUpdated is recorded when a subordinate's status changes. EventTypeStatusUpdated = "status_updated" // EventTypeUpdated is recorded when a subordinate's basic info is updated. EventTypeUpdated = "updated" // EventTypeJWKAdded is recorded when a JWK is added to a subordinate's JWKS. EventTypeJWKAdded = "jwk_added" // EventTypeJWKRemoved is recorded when a JWK is removed from a subordinate's JWKS. EventTypeJWKRemoved = "jwk_removed" // EventTypeJWKSReplaced is recorded when a subordinate's entire JWKS is replaced. EventTypeJWKSReplaced = "jwks_replaced" // EventTypeMetadataUpdated is recorded when subordinate metadata is updated. EventTypeMetadataUpdated = "metadata_updated" // EventTypeMetadataDeleted is recorded when subordinate metadata is deleted. EventTypeMetadataDeleted = "metadata_deleted" // EventTypePolicyUpdated is recorded when subordinate metadata policy is updated. EventTypePolicyUpdated = "policy_updated" // EventTypePolicyDeleted is recorded when subordinate metadata policy is deleted. EventTypePolicyDeleted = "policy_deleted" // EventTypeConstraintsUpdated is recorded when subordinate constraints are updated. EventTypeConstraintsUpdated = "constraints_updated" // EventTypeConstraintsDeleted is recorded when subordinate constraints are deleted. EventTypeConstraintsDeleted = "constraints_deleted" // EventTypeClaimsUpdated is recorded when subordinate additional claims are updated. EventTypeClaimsUpdated = "claims_updated" // EventTypeClaimDeleted is recorded when a subordinate additional claim is deleted. EventTypeClaimDeleted = "claim_deleted" // EventTypeLifetimeUpdated is recorded when subordinate lifetime is updated. EventTypeLifetimeUpdated = "lifetime_updated" )
Event type constants for subordinate events.
View Source
const ( KeyValueScopeGlobal = "" KeyValueScopeEntityConfiguration = "entity_configuration" KeyValueScopeSubordinateStatement = "subordinate_statement" KeyValueScopeSigning = "signing" KeyValueKeyLifetime = "lifetime" KeyValueKeyMetadataPolicy = "metadata_policy" KeyValueKeyMetadata = "metadata" KeyValueKeyConstraints = "constraints" KeyValueKeyAlg = "alg" KeyValueKeyRSAKeyLen = "rsa_key_len" KeyValueKeyKeyRotation = "key_rotation" KeyValueKeyAdditionalClaims = "additional_claims" KeyValueKeyMetadataPolicyCrit = "metadata_policy_crit" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AddAdditionalClaim ¶
type AddAdditionalClaim struct {
Claim string `json:"claim"`
Value any `json:"value"`
Crit bool `json:"crit"`
}
AddAdditionalClaim is a request to add an additional claim to a subordinate or entity configuration.
type AddAuthorityHint ¶
type AddTrustMark ¶
type AddTrustMark struct {
TrustMarkType string `json:"trust_mark_type,omitempty"`
TrustMarkIssuer string `json:"trust_mark_issuer,omitempty"`
TrustMark string `json:"trust_mark,omitempty"`
Refresh bool `json:"refresh"`
MinLifetime int `json:"min_lifetime,omitempty"`
RefreshGracePeriod int `json:"refresh_grace_period,omitempty"`
RefreshRateLimit int `json:"refresh_rate_limit,omitempty"`
SelfIssuanceSpec *SelfIssuedTrustMarkSpec `json:"self_issuance_spec,omitempty"`
}
AddTrustMark is the request body for creating a trust mark. Provide one of: (1) trust_mark_type and trust_mark_issuer for external fetching, (2) trust_mark JWT directly (type/issuer extracted from JWT if not provided), or (3) self_issuance_spec for self-issued trust marks.
type AddTrustMarkIssuer ¶
type AddTrustMarkIssuer struct {
IssuerID *string `json:"issuer_id,omitempty"`
Issuer string `json:"issuer,omitempty"`
Description string `json:"description,omitempty"`
}
AddTrustMarkIssuer represents the request payload to add/set a trust mark issuer
func (*AddTrustMarkIssuer) UnmarshalJSON ¶
func (a *AddTrustMarkIssuer) UnmarshalJSON(data []byte) error
UnmarshalJSON allows issuer_id to be provided as either a number or a numeric string.
type AddTrustMarkOwner ¶
type AddTrustMarkOwner struct {
OwnerID *string `json:"owner_id,omitempty"`
EntityID string `json:"entity_id,omitempty"`
JWKS JWKS `json:"jwks,omitempty"`
}
AddTrustMarkOwner is the request payload to create/update a TrustMarkOwner
func (*AddTrustMarkOwner) UnmarshalJSON ¶
func (a *AddTrustMarkOwner) UnmarshalJSON(data []byte) error
UnmarshalJSON allows owner_id to be provided as either a number or a numeric string.
type AddTrustMarkType ¶
type AddTrustMarkType struct {
TrustMarkType string `json:"trust_mark_type"`
Description string `json:"description,omitempty"`
TrustMarkOwner *AddTrustMarkOwner `json:"trust_mark_owner,omitempty"`
TrustMarkIssuers []AddTrustMarkIssuer `json:"trust_mark_issuers,omitempty"`
}
AddTrustMarkType is the request payload to create/update a TrustMarkType Optional fields are used by separate endpoints; issuers and owner can be set during creation for convenience.
type AdditionalClaimsStore ¶
type AdditionalClaimsStore interface {
// List returns all additional claims as rows.
List() ([]EntityConfigurationAdditionalClaim, error)
// Set replaces the complete set of additional claims.
Set(items []AddAdditionalClaim) ([]EntityConfigurationAdditionalClaim, error)
// Create inserts a provided claim and returns the resulting row.
Create(item AddAdditionalClaim) (*EntityConfigurationAdditionalClaim, error)
// Get returns a single row by either numeric ID or claim name.
Get(ident string) (*EntityConfigurationAdditionalClaim, error)
// Update updates value/crit for the row identified by numeric ID or claim name.
Update(ident string, item AddAdditionalClaim) (*EntityConfigurationAdditionalClaim, error)
// Delete removes a single row identified by numeric ID or claim name.
Delete(ident string) error
}
AdditionalClaimsStore abstracts CRUD for entity configuration additional claims.
type AlreadyExistsError ¶
type AlreadyExistsError string
AlreadyExistsError signals a uniqueness/conflict violation
func AlreadyExistsErrorFmt ¶
func AlreadyExistsErrorFmt(format string, params ...any) AlreadyExistsError
func (AlreadyExistsError) Error ¶
func (e AlreadyExistsError) Error() string
type AuthorityHint ¶
type AuthorityHint struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
EntityID string `gorm:"uniqueIndex" json:"entity_id"`
Description string `gorm:"type:text" json:"description,omitempty"`
}
AuthorityHint records the entity IDs of superiors published in the entity configuration.
type AuthorityHintsStore ¶
type AuthorityHintsStore interface {
List() ([]AuthorityHint, error)
Create(hint AddAuthorityHint) (*AuthorityHint, error)
Get(ident string) (*AuthorityHint, error)
Update(ident string, update AddAuthorityHint) (*AuthorityHint, error)
Delete(ident string) error
}
AuthorityHintsStore is the abstraction used by handlers.
type Backends ¶
type Backends struct {
Subordinates SubordinateStorageBackend
SubordinateEvents SubordinateEventStore
TrustMarks TrustMarkedEntitiesStorageBackend
TrustMarkSpecs TrustMarkSpecStore
TrustMarkInstances IssuedTrustMarkInstanceStore
AuthorityHints AuthorityHintsStore
TrustMarkTypes TrustMarkTypesStore
TrustMarkOwners TrustMarkOwnersStore
TrustMarkIssuers TrustMarkIssuersStore
AdditionalClaims AdditionalClaimsStore
PublishedTrustMarks PublishedTrustMarksStore
KV KeyValueStore
Users UsersStore
PKStorages func(string) public.PublicKeyStorage
Stats StatsStorageBackend
// Transaction wraps multiple storage operations in a single DB transaction.
// All backends provided to the TransactionFunc operate within the same transaction.
// If the function returns an error, the transaction is rolled back.
// This field is nil when backends are already within a transaction (no nested transactions).
Transaction func(fn TransactionFunc) error
}
Backends groups all storage interfaces used by the application. It provides a single struct that can be passed around instead of multiple return values for each storage backend.
func (*Backends) InTransaction ¶
func (b *Backends) InTransaction(fn TransactionFunc) error
InTransaction executes fn within a transaction if supported, otherwise runs directly. This provides a safe way to use transactions when available while maintaining backward compatibility with backends that don't support transactions.
type BasicSubordinateInfo ¶
type BasicSubordinateInfo struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `gorm:"autoCreateTime" json:"created_at"`
UpdatedAt int `gorm:"autoUpdateTime" json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
EntityID string `gorm:"uniqueIndex" json:"entity_id"`
Description string `gorm:"type:text" json:"description,omitempty"`
SubordinateEntityTypes []SubordinateEntityType `gorm:"foreignKey:SubordinateID;constraint:OnDelete:CASCADE" json:"registered_entity_types,omitempty"`
Status Status `gorm:"index" json:"status"`
}
type CheckerConfig ¶
type CheckerConfig struct {
Type string `json:"type" yaml:"type"`
Config map[string]any `json:"config,omitempty" yaml:"config,omitempty"`
}
CheckerConfig is the JSON representation of an EntityChecker configuration
type EligibilityConfig ¶
type EligibilityConfig struct {
// Mode determines the eligibility check strategy
Mode EligibilityMode `json:"mode" yaml:"mode"`
// Checker is the entity checker configuration (used based on mode)
Checker *CheckerConfig `json:"checker,omitempty" yaml:"checker,omitempty"`
// CheckCacheTTL is how long to cache eligibility check results (seconds), 0 = no cache
CheckCacheTTL int `json:"check_cache_ttl" yaml:"check_cache_ttl"`
}
EligibilityConfig configures how trust mark eligibility is determined
type EligibilityMode ¶
type EligibilityMode string
EligibilityMode defines how trust mark eligibility is determined
const ( // EligibilityModeDBOnly checks only the TrustMarkSubject database (default) EligibilityModeDBOnly EligibilityMode = "db_only" // EligibilityModeCheckOnly runs only the entity checker, ignores DB EligibilityModeCheckOnly EligibilityMode = "check_only" // EligibilityModeDBOrCheck checks DB first, falls back to entity checker EligibilityModeDBOrCheck EligibilityMode = "db_or_check" // EligibilityModeDBAndCheck requires both DB active status AND checker pass EligibilityModeDBAndCheck EligibilityMode = "db_and_check" // EligibilityModeCustom uses a fully custom checker configuration EligibilityModeCustom EligibilityMode = "custom" )
type EntityConfigurationAdditionalClaim ¶
type EntityConfigurationAdditionalClaim struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
Claim string `gorm:"uniqueIndex" json:"claim"`
Value any `gorm:"serializer:json" json:"value"`
Crit bool `gorm:"index" json:"crit"`
}
EntityConfigurationAdditionalClaim stores one additional claim for the entity configuration.
type EventQueryOpts ¶
type EventQueryOpts struct {
// Limit is the maximum number of events to return (default: 50, max: 100).
Limit int
// Offset is the number of events to skip for pagination.
Offset int
// EventType filters events by type (e.g., "created", "deleted").
EventType *string
// FromTime filters events with timestamp >= this value (unix seconds).
FromTime *int64
// ToTime filters events with timestamp <= this value (unix seconds).
ToTime *int64
}
EventQueryOpts contains options for querying events.
type ExtendedSubordinateInfo ¶
type ExtendedSubordinateInfo struct {
BasicSubordinateInfo
JWKSID uint `json:"-"`
JWKS JWKS `json:"jwks"`
Metadata *oidfed.Metadata `gorm:"serializer:json" json:"metadata,omitempty"`
MetadataPolicy *oidfed.MetadataPolicies `gorm:"serializer:json" json:"metadata_policy,omitempty"`
Constraints *oidfed.ConstraintSpecification `gorm:"serializer:json" json:"constraints,omitempty"`
SubordinateAdditionalClaims []SubordinateAdditionalClaim `gorm:"foreignKey:SubordinateID;constraint:OnDelete:CASCADE" json:"additional_claims,omitempty"`
}
ExtendedSubordinateInfo holds information about a subordinate for storage Table name is set to `subordinates` to replace legacy `subordinate_infos`. Note: MetadataPolicyCrit is stored globally in the KV store, not per-subordinate.
func (ExtendedSubordinateInfo) TableName ¶
func (ExtendedSubordinateInfo) TableName() string
type HistoricalKey ¶
type HistoricalKey struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
KID string `gorm:"index" json:"kid"`
JWK jwk.Key `gorm:"serializer:json" json:"jwk"`
RevokedAt int `json:"revoked_at"`
Reason string `json:"reason"`
}
HistoricalKey represents a previously active key that has been revoked.
type IssuedTrustMarkInstance ¶
type IssuedTrustMarkInstance struct {
JTI string `gorm:"primaryKey" json:"jti"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
ExpiresAt int `gorm:"index" json:"expires_at"`
Revoked bool `gorm:"index" json:"revoked"`
TrustMarkSubjectID uint `gorm:"index" json:"trust_mark_subject_id"`
TrustMarkSubject TrustMarkSubject `json:"trust_mark_subject"`
// TrustMarkType is denormalized for efficient lookups without joins
TrustMarkType string `gorm:"index" json:"trust_mark_type"`
// Subject is the entity ID that received this trust mark (denormalized)
Subject string `gorm:"index" json:"subject"`
}
IssuedTrustMarkInstance represents an instance of a TrustMark in the database. Each record tracks a specific trust mark JWT that was issued, enabling revocation checking and status queries per the OIDC Federation spec.
type IssuedTrustMarkInstanceStore ¶
type IssuedTrustMarkInstanceStore interface {
// Create records a new issued trust mark instance
Create(instance *IssuedTrustMarkInstance) error
// GetByJTI retrieves an instance by its JTI (JWT ID)
GetByJTI(jti string) (*IssuedTrustMarkInstance, error)
// Revoke marks a trust mark instance as revoked
Revoke(jti string) error
// RevokeBySubjectID revokes all instances for a given TrustMarkSubjectID.
// Returns the number of revoked instances.
RevokeBySubjectID(subjectID uint) (int64, error)
// GetStatus returns the status of a trust mark instance
GetStatus(jti string) (TrustMarkInstanceStatus, error)
// ListBySubject returns all instances for a given trust mark type and subject
ListBySubject(trustMarkType, entityID string) ([]IssuedTrustMarkInstance, error)
// ListActiveSubjects returns distinct entity IDs that have valid (non-revoked, non-expired)
// trust marks for the given trust mark type. Used by the trust marked entities listing endpoint.
ListActiveSubjects(trustMarkType string) ([]string, error)
// HasActiveInstance checks if an entity has a valid (non-revoked, non-expired)
// trust mark instance for the given trust mark type
HasActiveInstance(trustMarkType, entityID string) (bool, error)
// DeleteExpired removes expired instances older than the given retention period
DeleteExpired(retentionDays int) (int64, error)
// FindSubjectID looks up the TrustMarkSubjectID for a given trust mark type and entity
FindSubjectID(trustMarkType, entityID string) (uint, error)
}
IssuedTrustMarkInstanceStore provides operations for tracking issued trust mark instances
type JWKS ¶
type JWKS struct {
ID uint `gorm:"primarykey"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
Keys jwx.JWKS `gorm:"serializer:json"`
}
JWKS represents a set of Key, i.e. a jwk.Set in the database
func (JWKS) MarshalJSON ¶
MarshalJSON implements the json.Marshaler interface.
func (*JWKS) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface.
type KeyValue ¶
type KeyValue struct {
CreatedAt int `gorm:"autoCreateTime" json:"created_at"`
UpdatedAt int `gorm:"autoUpdateTime" json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
// Scope allows grouping keys by namespace; empty string is global scope.
Scope string `gorm:"primaryKey" json:"scope"`
// Key is the identifier within a scope.
Key string `gorm:"primaryKey" json:"key"`
// Value is stored as native JSON/JSONB (where supported) using datatypes.JSON.
Value datatypes.JSON `json:"value"`
}
KeyValue stores arbitrary key-value data.
Values are serialized efficiently using GORM's json serializer, which leverages the database JSON type when available (e.g., PostgreSQL, MySQL), and falls back to TEXT in others (e.g., SQLite). The `Scope` field enables namespacing to avoid key collisions across different features.
type KeyValueStore ¶
type KeyValueStore interface {
// Get retrieves the value for a (scope, key). Returns (nil, nil) if not found.
Get(scope, key string) (datatypes.JSON, error)
// GetAs retrieves and unmarshals the value for (scope, key) into out.
// out must be a pointer to the target type. Returns (false, nil) if not found.
GetAs(scope, key string, out any) (bool, error)
// Set stores/replaces the value for a (scope, key).
Set(scope, key string, value datatypes.JSON) error
// SetAny marshals v to JSON and stores it at (scope, key).
SetAny(scope, key string, v any) error
// Delete removes the entry for a (scope, key). No error if missing.
Delete(scope, key string) error
}
KeyValueStore defines common operations for key-value storage. Implementations may apply additional semantics (e.g., default scope) but should honor the uniqueness of (scope,key) and JSON-serialized values.
type LegacySubordinateStorageBackend ¶
type LegacySubordinateStorageBackend interface {
Write(entityID string, info ExtendedSubordinateInfo) error
Delete(entityID string) error
Block(entityID string) error
Approve(entityID string) error
Subordinate(entityID string) (*ExtendedSubordinateInfo, error)
Active() LegacySubordinateStorageQuery
Blocked() LegacySubordinateStorageQuery
Pending() LegacySubordinateStorageQuery
Load() error
}
LegacySubordinateStorageBackend is an interface to store ExtendedSubordinateInfo
type LegacySubordinateStorageQuery ¶
type LegacySubordinateStorageQuery interface {
Subordinates() ([]ExtendedSubordinateInfo, error)
EntityIDs() ([]string, error)
AddFilter(filter LegacySubordinateStorageQueryFilter, value any) error
}
LegacySubordinateStorageQuery is an interface to query ExtendedSubordinateInfo from storage
type LegacySubordinateStorageQueryFilter ¶
type LegacySubordinateStorageQueryFilter func(info ExtendedSubordinateInfo, value any) bool
LegacySubordinateStorageQueryFilter is a function to filter ExtendedSubordinateInfo
type NotFoundError ¶
type NotFoundError string
NotFoundError is an error signaling that something was not found in the database
func NotFoundErrorFmt ¶
func NotFoundErrorFmt(format string, params ...any) NotFoundError
NotFoundErrorFmt returns a NotFoundError from the passed format string and parameters
func (NotFoundError) Error ¶
func (e NotFoundError) Error() string
Error implements the error interface
type PolicyOperator ¶
type PolicyOperator struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `gorm:"autoCreateTime" json:"created_at"`
UpdatedAt int `gorm:"autoUpdateTime" json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
PolicyOperator oidfed.PolicyOperatorName `json:"policy_operator"`
}
PolicyOperator represents a policy operator in the database.
type PolicyOperators ¶
type PolicyOperators []PolicyOperator
PolicyOperators is a collection of PolicyOperator objects. This type provides methods for working with multiple policy operators together.
func NewPolicyOperators ¶
func NewPolicyOperators(operators []oidfed.PolicyOperatorName) PolicyOperators
NewPolicyOperators creates a new PolicyOperators collection from a slice of oidfed.PolicyOperatorName. Each string is converted to a PolicyOperator object.
func NewPolicyOperatorsFromStrings ¶
func NewPolicyOperatorsFromStrings(operators []string) PolicyOperators
NewPolicyOperatorsFromStrings creates a new PolicyOperators collection from a slice of strings. Each string is converted to a PolicyOperator object.
func (PolicyOperators) ToPolicyOperatorNames ¶
func (et PolicyOperators) ToPolicyOperatorNames() []oidfed.PolicyOperatorName
ToPolicyOperatorNames converts a PolicyOperators collection to a slice of oidfed.PolicyOperatorName.
func (PolicyOperators) ToStrings ¶
func (et PolicyOperators) ToStrings() []string
ToStrings converts a PolicyOperators collection to a slice of strings. Each PolicyOperator is extracted into the resulting slice.
type PublishedTrustMark ¶
type PublishedTrustMark struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
// Core fields
TrustMarkType string `gorm:"uniqueIndex" json:"trust_mark_type"`
TrustMarkIssuer string `json:"trust_mark_issuer,omitempty"`
TrustMarkJWT string `gorm:"type:text" json:"trust_mark,omitempty"`
// Refresh configuration
Refresh bool `json:"refresh"`
MinLifetime int `json:"min_lifetime,omitempty"`
RefreshGracePeriod int `json:"refresh_grace_period,omitempty"`
RefreshRateLimit int `json:"refresh_rate_limit,omitempty"`
// Self-issuance specification (stored as JSON)
SelfIssuanceSpec *SelfIssuedTrustMarkSpec `gorm:"serializer:json" json:"self_issuance_spec,omitempty"`
}
PublishedTrustMark represents a trust mark published in the entity configuration (for this entity).
type PublishedTrustMarksStore ¶
type PublishedTrustMarksStore interface {
// List returns all published trust marks.
List() ([]PublishedTrustMark, error)
// Create creates a new trust mark entry.
Create(add AddTrustMark) (*PublishedTrustMark, error)
// Get retrieves a trust mark by ID or trust_mark_type.
Get(ident string) (*PublishedTrustMark, error)
// Update replaces a trust mark entry entirely.
Update(ident string, update AddTrustMark) (*PublishedTrustMark, error)
// Patch partially updates a trust mark entry (only non-nil fields).
Patch(ident string, patch UpdateTrustMark) (*PublishedTrustMark, error)
// Delete removes a trust mark entry.
Delete(ident string) error
}
PublishedTrustMarksStore is the abstraction used by handlers for managing trust marks in the entity configuration.
type SelfIssuedTrustMarkSpec ¶
type SelfIssuedTrustMarkSpec struct {
Lifetime int `json:"lifetime,omitempty"`
Ref string `json:"ref,omitempty"`
LogoURI string `json:"logo_uri,omitempty"`
AdditionalClaims map[string]any `json:"additional_claims,omitempty"`
IncludeExtraClaimsInInfo bool `json:"include_extra_claims_in_info,omitempty"`
}
SelfIssuedTrustMarkSpec contains the specification for a self-issued trust mark.
type StatsStorageBackend ¶
type StatsStorageBackend interface {
// InsertBatch inserts multiple request logs in a single batch operation.
InsertBatch(entries []*stats.RequestLog) error
// Summary queries
GetSummary(from, to time.Time) (*stats.Summary, error)
// Top-N queries
GetTopEndpoints(from, to time.Time, limit int) ([]stats.TopEntry, error)
GetTopUserAgents(from, to time.Time, limit int) ([]stats.TopEntry, error)
GetTopClients(from, to time.Time, limit int) ([]stats.TopEntry, error)
GetTopCountries(from, to time.Time, limit int) ([]stats.TopEntry, error)
GetTopQueryParams(from, to time.Time, endpoint string, limit int) ([]stats.TopEntry, error)
// Time series queries
GetTimeSeries(from, to time.Time, endpoint string, interval stats.Interval) ([]stats.TimeSeriesPoint, error)
GetLatencyPercentiles(from, to time.Time, endpoint string) (*stats.LatencyStats, error)
// Daily aggregation
AggregateDailyStats(date time.Time) error
GetDailyStats(from, to time.Time) ([]stats.DailyStats, error)
// Maintenance
PurgeDetailedLogs(before time.Time) (int64, error)
PurgeAggregatedStats(before time.Time) (int64, error)
// Export
ExportCSV(from, to time.Time, w io.Writer) error
ExportJSON(from, to time.Time, w io.Writer) error
}
StatsStorageBackend defines the interface for statistics storage operations.
type Status ¶
type Status int
Status is a type for holding a status for something that is stored in the database; this type describes the status or state of the entity, e.g. "blocked" or "active"
Constants for Status
func ParseStatus ¶
ParseStatus converts a string to a Status, returning an error for invalid values.
func (Status) MarshalJSON ¶
MarshalJSON encodes the status as a JSON string.
func (*Status) UnmarshalJSON ¶
UnmarshalJSON decodes the status from a JSON string or integer. It supports both formats for backward compatibility with legacy storage.
type SubordinateAdditionalClaim ¶
type SubordinateAdditionalClaim struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
SubordinateID uint `gorm:"index;uniqueIndex:idx_subordinate_claim" json:"subordinate_id"`
Claim string `gorm:"uniqueIndex:idx_subordinate_claim" json:"claim"`
Value any `gorm:"serializer:json" json:"value"`
Crit bool `gorm:"index" json:"crit"`
}
SubordinateAdditionalClaim stores one additional claim for a subordinate. value is stored as JSON; claim name is indexed; crit marks if claim is critical. The composite unique index ensures each subordinate can have unique claim names.
type SubordinateEntityType ¶
type SubordinateEntityType struct {
SubordinateID uint `gorm:"index;uniqueIndex:uidx_sub_ent" json:"-"`
EntityType string `gorm:"size:255;uniqueIndex:uidx_sub_ent" json:"entity_type"`
}
SubordinateEntityType is a join row mapping subordinates to entity type strings.
func (SubordinateEntityType) MarshalJSON ¶
func (et SubordinateEntityType) MarshalJSON() ([]byte, error)
MarshalJSON customizes ExtendedSubordinateInfo JSON to expose entity types as []string
func (*SubordinateEntityType) UnmarshalJSON ¶
func (s *SubordinateEntityType) UnmarshalJSON(b []byte) error
UnmarshalJSON accepts entity_types as []string and populates join rows
type SubordinateEvent ¶
type SubordinateEvent struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
SubordinateID uint `gorm:"index" json:"subordinate_id"`
Timestamp int64 `gorm:"index" json:"timestamp"`
Type string `gorm:"index" json:"type"`
Status *string `json:"status,omitempty"`
Message *string `json:"message,omitempty"`
Actor *string `json:"actor,omitempty"`
}
SubordinateEvent stores an event related to a subordinate.
type SubordinateEventStore ¶
type SubordinateEventStore interface {
// Add creates a new event record.
Add(event SubordinateEvent) error
// GetBySubordinateID returns events for a subordinate with optional filtering and pagination.
GetBySubordinateID(subordinateID uint, opts EventQueryOpts) ([]SubordinateEvent, int64, error)
// DeleteBySubordinateID removes all events for a subordinate (used on subordinate deletion).
DeleteBySubordinateID(subordinateID uint) error
}
SubordinateEventStore is an interface for storing and retrieving subordinate events.
type SubordinateStorageBackend ¶
type SubordinateStorageBackend interface {
Add(info ExtendedSubordinateInfo) error
Update(entityID string, info ExtendedSubordinateInfo) error
Delete(entityID string) error
DeleteByDBID(id string) error
UpdateStatus(entityID string, status Status) error
UpdateStatusByDBID(id string, status Status) error
UpdateJWKSByDBID(id string, jwks JWKS) (*JWKS, error)
Get(entityID string) (*ExtendedSubordinateInfo, error)
GetByDBID(id string) (*ExtendedSubordinateInfo, error)
GetAll() ([]BasicSubordinateInfo, error)
GetByStatus(status Status) ([]BasicSubordinateInfo, error)
GetByEntityTypes(entityTypes []string) ([]BasicSubordinateInfo, error)
GetByAnyEntityType(entityTypes []string) ([]BasicSubordinateInfo, error)
GetByStatusAndEntityTypes(status Status, entityTypes []string) ([]BasicSubordinateInfo, error)
GetByStatusAndAnyEntityType(status Status, entityTypes []string) ([]BasicSubordinateInfo, error)
Load() error
// Additional claims CRUD for a specific subordinate
ListAdditionalClaims(subordinateDBID string) ([]SubordinateAdditionalClaim, error)
SetAdditionalClaims(subordinateDBID string, claims []AddAdditionalClaim) ([]SubordinateAdditionalClaim, error)
CreateAdditionalClaim(subordinateDBID string, claim AddAdditionalClaim) (*SubordinateAdditionalClaim, error)
GetAdditionalClaim(subordinateDBID string, claimID string) (*SubordinateAdditionalClaim, error)
UpdateAdditionalClaim(subordinateDBID string, claimID string, claim AddAdditionalClaim) (*SubordinateAdditionalClaim, error)
DeleteAdditionalClaim(subordinateDBID string, claimID string) error
}
SubordinateStorageBackend is an interface to store ExtendedSubordinateInfo
type TransactionFunc ¶
TransactionFunc is a function that executes within a database transaction. All storage backends in the provided Backends operate within the same transaction. If the function returns an error, the transaction is rolled back.
type TrustMarkInstanceStatus ¶
type TrustMarkInstanceStatus string
TrustMarkInstanceStatus represents the status of an issued trust mark instance
const ( // TrustMarkStatusActive indicates the trust mark is valid and active TrustMarkStatusActive TrustMarkInstanceStatus = "active" // TrustMarkStatusExpired indicates the trust mark has expired TrustMarkStatusExpired TrustMarkInstanceStatus = "expired" // TrustMarkStatusRevoked indicates the trust mark was revoked TrustMarkStatusRevoked TrustMarkInstanceStatus = "revoked" // TrustMarkStatusInvalid indicates the trust mark signature validation failed TrustMarkStatusInvalid TrustMarkInstanceStatus = "invalid" )
type TrustMarkIssuer ¶
type TrustMarkIssuer struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
Issuer string `gorm:"uniqueIndex" json:"issuer"`
Description string `gorm:"type:text" json:"description,omitempty"`
Types []TrustMarkType `gorm:"many2many:trust_mark_type_issuers" json:"types,omitempty"`
}
TrustMarkIssuer represents the issuer object returned by the API
type TrustMarkIssuersStore ¶
type TrustMarkIssuersStore interface {
List() ([]TrustMarkIssuer, error)
Create(req AddTrustMarkIssuer) (*TrustMarkIssuer, error)
Get(ident string) (*TrustMarkIssuer, error)
Update(ident string, req AddTrustMarkIssuer) (*TrustMarkIssuer, error)
Delete(ident string) error
// Relations
Types(ident string) ([]uint, error)
SetTypes(ident string, typeIdents []string) ([]uint, error)
AddType(ident string, typeID uint) ([]uint, error)
DeleteType(ident string, typeID uint) ([]uint, error)
}
TrustMarkIssuersStore manages global issuers and their relations to types.
type TrustMarkOwner ¶
type TrustMarkOwner struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
EntityID string `gorm:"uniqueIndex" json:"entity_id"`
JWKSID uint `json:"-"`
JWKS JWKS `json:"jwks"`
Description string `gorm:"type:text" json:"description,omitempty"`
}
TrustMarkOwner represents the owner of a trust mark type. Contains the owner's Entity ID and JWKS.
type TrustMarkOwnersStore ¶
type TrustMarkOwnersStore interface {
List() ([]TrustMarkOwner, error)
Create(req AddTrustMarkOwner) (*TrustMarkOwner, error)
Get(ident string) (*TrustMarkOwner, error)
Update(ident string, req AddTrustMarkOwner) (*TrustMarkOwner, error)
Delete(ident string) error
// Relations
Types(ident string) ([]uint, error)
SetTypes(ident string, typeIdents []string) ([]uint, error)
AddType(ident string, typeID uint) ([]uint, error)
DeleteType(ident string, typeID uint) ([]uint, error)
}
TrustMarkOwnersStore manages global owners and their relations to types.
type TrustMarkSpec ¶
type TrustMarkSpec struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
TrustMarkType string `gorm:"uniqueIndex" json:"trust_mark_type"`
Lifetime uint `json:"lifetime,omitempty"`
Ref string `json:"ref,omitempty"`
LogoURI string `json:"logo_uri,omitempty"`
DelegationJWT string `gorm:"type:text" json:"delegation_jwt,omitempty"`
AdditionalClaims map[string]any `gorm:"serializer:json" json:"additional_claims,omitempty"`
Description string `gorm:"type:text" json:"description,omitempty"`
// EligibilityConfig defines how eligibility for this trust mark is determined
EligibilityConfig *EligibilityConfig `gorm:"serializer:json" json:"eligibility_config,omitempty"`
// CacheTTL is how long to cache issued trust marks for this type (in seconds).
// This reduces signing operations and database writes for repeated requests.
// 0 = no caching (default)
CacheTTL int `json:"cache_ttl,omitempty"`
}
TrustMarkSpec represents the issuance specification for a trust mark type.
type TrustMarkSpecStore ¶
type TrustMarkSpecStore interface {
// Spec operations
List() ([]TrustMarkSpec, error)
Create(spec *TrustMarkSpec) (*TrustMarkSpec, error)
Get(ident string) (*TrustMarkSpec, error)
GetByType(trustMarkType string) (*TrustMarkSpec, error)
Update(ident string, spec *TrustMarkSpec) (*TrustMarkSpec, error)
Patch(ident string, updates map[string]any) (*TrustMarkSpec, error)
Delete(ident string) error
// Subject operations
ListSubjects(specIdent string, status *Status) ([]TrustMarkSubject, error)
CreateSubject(specIdent string, subject *TrustMarkSubject) (*TrustMarkSubject, error)
GetSubject(specIdent, subjectIdent string) (*TrustMarkSubject, error)
UpdateSubject(specIdent, subjectIdent string, subject *TrustMarkSubject) (*TrustMarkSubject, error)
DeleteSubject(specIdent, subjectIdent string) error
ChangeSubjectStatus(specIdent, subjectIdent string, status Status) (*TrustMarkSubject, error)
}
TrustMarkSpecStore provides CRUD for TrustMarkSpec and TrustMarkSubject entities
type TrustMarkSubject ¶
type TrustMarkSubject struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
TrustMarkSpecID uint `gorm:"uniqueIndex:idx_tmsubject_spec_entity" json:"-"`
TrustMarkSpec TrustMarkSpec `json:"-"`
EntityID string `gorm:"uniqueIndex:idx_tmsubject_spec_entity" json:"entity_id"`
Status Status `gorm:"index" json:"status"`
AdditionalClaims map[string]any `gorm:"serializer:json" json:"additional_claims,omitempty"`
Description string `gorm:"type:text" json:"description,omitempty"`
}
TrustMarkSubject represents a subject eligible for a specific trust mark issuance.
type TrustMarkType ¶
type TrustMarkType struct {
ID uint `gorm:"primarykey" json:"id"`
CreatedAt int `json:"created_at"`
UpdatedAt int `json:"updated_at"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
TrustMarkType string `gorm:"uniqueIndex" json:"trust_mark_type"`
OwnerID *uint `json:"owner_id,omitempty"`
Owner *TrustMarkOwner `json:"owner,omitempty"`
Description string `gorm:"type:text" json:"description,omitempty"`
Issuers []TrustMarkIssuer `gorm:"many2many:trust_mark_type_issuers" json:"issuers,omitempty"`
}
TrustMarkType represents a trust mark type in the database
type TrustMarkTypesStore ¶
type TrustMarkTypesStore interface {
// Types
List() ([]TrustMarkType, error)
Create(req AddTrustMarkType) (*TrustMarkType, error)
Get(ident string) (*TrustMarkType, error)
Update(ident string, req AddTrustMarkType) (*TrustMarkType, error)
Delete(ident string) error
// Aggregates
OwnersByType() (oidfed.TrustMarkOwners, error)
IssuersByType() (oidfed.AllowedTrustMarkIssuers, error)
// Issuers
ListIssuers(ident string) ([]TrustMarkIssuer, error)
SetIssuers(ident string, issuers []AddTrustMarkIssuer) ([]TrustMarkIssuer, error)
AddIssuer(ident string, issuer AddTrustMarkIssuer) ([]TrustMarkIssuer, error)
DeleteIssuerByID(ident string, issuerID uint) ([]TrustMarkIssuer, error)
// Owner
GetOwner(ident string) (*TrustMarkOwner, error)
CreateOwner(ident string, req AddTrustMarkOwner) (*TrustMarkOwner, error)
UpdateOwner(ident string, req AddTrustMarkOwner) (*TrustMarkOwner, error)
DeleteOwner(ident string) error
}
TrustMarkTypesStore abstracts CRUD and relations for TrustMarkType, its owner, and issuers.
type TrustMarkedEntitiesStorageBackend ¶
type TrustMarkedEntitiesStorageBackend interface {
// Delete marks that a certain trust mark is no longer valid for a certain entity
Delete(trustMarkType, entityID string) error
// Block marks that a certain trust mark is blocked for a certain entity
Block(trustMarkType, entityID string) error
// Approve marks that a certain trust mark is valid for a certain entity
Approve(trustMarkType, entityID string) error
// Request marks that a certain trust mark is pending (waiting for approval) for a certain entity
Request(trustMarkType, entityID string) error
// TrustMarkedStatus returns the Status for the trustMarkType
// entityID combination
TrustMarkedStatus(trustMarkType, entityID string) (Status, error)
// HasTrustMark checks if a certain entity has a certain trust mark or not
HasTrustMark(trustMarkType, entityID string) (bool, error)
// Active returns a list of entity ids that have a certain trust mark; if an
// empty trustMarkType is passed all entities that have at least one valid
// trust mark are returned
Active(trustMarkType string) ([]string, error)
// Blocked returns a list of entity ids that have been blocked from a
// certain trust mark
Blocked(trustMarkType string) ([]string, error)
// Pending returns a list of entity ids that have pending approval for a
// certain trust mark
Pending(trustMarkType string) ([]string, error)
// Load loads the storage
Load() error
}
TrustMarkedEntitiesStorageBackend is an interface to store information about trust marked entities
type UpdateTrustMark ¶
type UpdateTrustMark struct {
TrustMarkIssuer *string `json:"trust_mark_issuer,omitempty"`
TrustMark *string `json:"trust_mark,omitempty"`
Refresh *bool `json:"refresh,omitempty"`
MinLifetime *int `json:"min_lifetime,omitempty"`
RefreshGracePeriod *int `json:"refresh_grace_period,omitempty"`
RefreshRateLimit *int `json:"refresh_rate_limit,omitempty"`
SelfIssuanceSpec *SelfIssuedTrustMarkSpec `json:"self_issuance_spec,omitempty"`
}
UpdateTrustMark is the request body for partial updates (PATCH). Only non-nil fields will be updated.
type User ¶
type User struct {
ID uint `gorm:"primaryKey" json:"id"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
// Username is unique identifier for login
Username string `gorm:"uniqueIndex" json:"username"`
// PasswordHash stores a PHC-formatted argon2id hash of the user's password
PasswordHash string `json:"-"`
// DisplayName is optional, for UI friendliness
DisplayName string `json:"display_name"`
// Disabled allows soft-disable of a user without deletion
Disabled bool `json:"disabled"`
}
User represents an admin user that can access the admin API. When no users exist, the admin API is open; when one or more users exist, only authenticated users may access it.
type UsersStore ¶
type UsersStore interface {
// Count returns the number of users present in the store
Count() (int64, error)
// List returns all users (without password hashes)
List() ([]User, error)
// Get returns a user by username
Get(username string) (*User, error)
// Create creates a user; the implementation must hash the password
Create(username, password, displayName string) (*User, error)
// Update updates username/display name and optionally password
Update(username string, displayName *string, newPassword *string, disabled *bool) (*User, error)
// Delete deletes a user by username
Delete(username string) error
// Authenticate checks a username/password combo and returns the user
Authenticate(username, password string) (*User, error)
}
UsersStore abstracts CRUD and authentication helpers for admin users.
type ValidationError ¶
type ValidationError string
ValidationError signals invalid input data
func ValidationErrorFmt ¶
func ValidationErrorFmt(format string, params ...any) ValidationError
func (ValidationError) Error ¶
func (e ValidationError) Error() string
Source Files
Click to show internal directories.
Click to hide internal directories.