auth

package v0.6.1

This package is not in the latest version of its module.
Published: Apr 23, 2026 License: MIT Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	ErrNoCredentials      = errors.New("no credentials provided")
	ErrInvalidCredentials = errors.New("invalid credentials")
	ErrTokenExpired       = errors.New("token expired")
	ErrTokenRevoked       = errors.New("token revoked")
	ErrAccessDenied       = errors.New("access denied")
)

Functions

func EvaluatePolicy

func EvaluatePolicy(policy *BucketPolicy, tokenID, action, objectKey, clientIP string) (allowed, denied bool)

EvaluatePolicy is a backward-compatible wrapper around EvaluatePolicyDeny. Deprecated: Use EvaluatePolicyDeny instead. The allowed return value is always false — policies in jay are deny-overlays on token-level permissions.

func EvaluatePolicyDeny

func EvaluatePolicyDeny(policy *BucketPolicy, tokenID, action, objectKey, clientIP string) bool

EvaluatePolicyDeny checks policy deny statements against the request context. Returns true if any deny statement matches (access should be refused).

func HashSecret

func HashSecret(secret string) (string, error)

HashSecret hashes a secret for storage using bcrypt.

Types

type Auth

type Auth struct {
	// contains filtered or unexported fields
}

Auth handles authentication and authorization.

func New

func New(db *meta.DB) *Auth

New creates an Auth instance.

func (*Auth) Authenticate

func (a *Auth) Authenticate(r *http.Request) (*meta.Token, error)

Authenticate extracts and validates credentials from the request. Supports: Authorization: Bearer <token_id>:<secret>

func (*Auth) AuthenticateCredentials

func (a *Auth) AuthenticateCredentials(tokenID, secret string) (*meta.Token, error)

AuthenticateCredentials validates a token_id and secret pair directly, without requiring an HTTP request. Used by the native protocol.

func (*Auth) AuthenticateSigV4

func (a *Auth) AuthenticateSigV4(r *http.Request) (*meta.Token, error)

AuthenticateSigV4 validates AWS Signature V4 auth from an HTTP request. Format:

Authorization: AWS4-HMAC-SHA256 Credential=<access-key>/<date>/<region>/s3/aws4_request, SignedHeaders=<headers>, Signature=<signature>

func (*Auth) Authorize

func (a *Auth) Authorize(token *meta.Token, action, bucketName, objectKey string) error

Authorize checks if the token has permission for the given action on the bucket/key.

func (*Auth) AuthorizeWithPolicy

func (a *Auth) AuthorizeWithPolicy(token *meta.Token, action, bucketName, objectKey, clientIP string, policyJSON json.RawMessage) error

AuthorizeWithPolicy performs all existing Authorize checks and additionally evaluates a bucket policy (if provided) against the request context. Deny in the policy always takes precedence.

func (*Auth) InvalidateToken

func (a *Auth) InvalidateToken(tokenID string)

InvalidateToken removes all cache entries for a given token ID. Call this when a token is revoked or modified.

func (*Auth) IsPublicRead

func (a *Auth) IsPublicRead(bucketName string) bool

IsPublicRead checks if a bucket is publicly readable.

type BucketPolicy

type BucketPolicy struct {
	Version    string            `json:"version"`
	Statements []PolicyStatement `json:"statements"`
}

BucketPolicy defines prefix-based access rules for a bucket.

func (*BucketPolicy) Compile

func (p *BucketPolicy) Compile()

Compile pre-parses all CIDRs in the policy statements so that matchesIPConditionNets can use them without re-parsing on every request. Call this after unmarshalling a BucketPolicy.

type PolicyConditions

type PolicyConditions struct {
	IPWhitelist []string `json:"ip_whitelist,omitempty"` // CIDR notation
	// contains filtered or unexported fields
}

PolicyConditions holds optional conditions for a policy statement.

type PolicyStatement

type PolicyStatement struct {
	Effect     string            `json:"effect"`   // "allow" or "deny"
	Actions    []string          `json:"actions"`  // e.g. ["object:get", "object:list"] or ["*"]
	Prefixes   []string          `json:"prefixes"` // e.g. ["public/", "shared/"], empty = all
	Subjects   []string          `json:"subjects"` // token IDs or "*" for any authenticated
	Conditions *PolicyConditions `json:"conditions,omitempty"`
}

PolicyStatement is a single allow/deny rule within a bucket policy.
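As an added example (not the jay package's own code), a stand-alone re-implementation of the deny-overlay evaluation that EvaluatePolicyDeny and Compile describe above: Compile parses the ip_whitelist CIDRs once, and EvaluatePolicyDeny matches deny statements by action, subject and key prefix while ignoring allow statements. It assumes an unexported `nets` field for the parsed CIDRs and that a client address inside a statement's ip_whitelist exempts that request from the deny; this page does not document jay's actual condition semantics, so treat that rule as an assumption.

```go
package main
import (
	"net/netip"
	"slices"
	"strings"
)

// Shapes mirror the jay auth package's exported types (added illustration, not its code).
type PolicyConditions struct {
	IPWhitelist []string       // CIDR notation
	nets        []netip.Prefix // parsed once by Compile (assumed unexported field)
}
type PolicyStatement struct {
	Effect                      string   // "allow" or "deny"
	Actions, Prefixes, Subjects []string // "*" = any; empty Prefixes = all keys
	Conditions                  *PolicyConditions
}
type BucketPolicy struct{ Statements []PolicyStatement }

// Compile parses every CIDR once so per-request checks never re-parse; unparseable entries are dropped (fail closed).
func (p *BucketPolicy) Compile() {
	for _, s := range p.Statements {
		if c := s.Conditions; c != nil {
			c.nets = c.nets[:0]
			for _, cidr := range c.IPWhitelist {
				if n, err := netip.ParsePrefix(cidr); err == nil {
					c.nets = append(c.nets, n)
				}
			}
		}
	}
}

// hit: "*" matches anything; otherwise v must equal an entry (or start with one when prefix is set).
func hit(list []string, v string, prefix bool) bool {
	return slices.ContainsFunc(list, func(x string) bool { return x == "*" || x == v || prefix && strings.HasPrefix(v, x) })
}

// EvaluatePolicyDeny is true when any deny statement matches; allow statements are ignored. Assumption: a client IP inside the whitelist is exempt.
func EvaluatePolicyDeny(p *BucketPolicy, tokenID, action, key, clientIP string) bool {
	ip, _ := netip.ParseAddr(clientIP) // an unparseable IP is never whitelisted
	for _, s := range p.Statements {
		exempt := s.Conditions != nil && slices.ContainsFunc(s.Conditions.nets, func(n netip.Prefix) bool { return n.Contains(ip) })
		if s.Effect == "deny" && hit(s.Actions, action, false) && hit(s.Subjects, tokenID, false) &&
			(len(s.Prefixes) == 0 || hit(s.Prefixes, key, true)) && !exempt {
			return true
		}
	}
	return false
}
```

Because policies are deny overlays, the allow statement in a policy grants nothing on its own; token-level permissions from Authorize still decide what is reachable before the overlay is applied.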
