google

Documentation

Index

• Variables
• type Authorizer
  • func New(jsonPath, impersonateUser string, allowedGroups []string, opts ...Option) (*Authorizer, error)
  • func (a *Authorizer) AuthorizeSession(ctx context.Context, _ *header.MachineInfo, _ *oauth2.Token, ...) (enrollprofile.Context, error)
• type Option
  • func WithLogger(logger *slog.Logger) Option
  • func WithWorkerLimit(limit int) Option

Variables

var (
	ErrInvalidEmail      = errors.New("invalid email")
	ErrUnauthorizedEmail = errors.New("unauthorized email")
)

Types

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer verifies a user is in a Google Group or Groups and sets those groups in the returned Context

func New

func New(jsonPath, impersonateUser string, allowedGroups []string, opts ...Option) (*Authorizer, error)

New returns a new Authorizer with the given service account json path, user to impersonate, and list of groups (by group email)

func (*Authorizer) AuthorizeSession

func (a *Authorizer) AuthorizeSession(ctx context.Context, _ *header.MachineInfo, _ *oauth2.Token, idToken *oidc.IDToken) (enrollprofile.Context, error)

AuthorizeSession authorizes the user/device session and returns an EnrollContext that can be passed to an EnrollmentGenerator. If the request is not authorized, an error of type AuthorizationError is returned.

type Option

type Option func(a *Authorizer)

func WithLogger

func WithLogger(logger *slog.Logger) Option

WithLogger configures the authorizer with the given logger If left unconfigured, logging will be disabled

func WithWorkerLimit

func WithWorkerLimit(limit int) Option

WithWorkerLimit configures the authorizer to limit the number of concurrent API requests across all AuthorizeSession calls. If left unconfigured, there is no limit enforced