auth

package
v0.5.11 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 13, 2026 License: MIT Imports: 32 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	DatabaseKeyHashSize       = 32
	DatabaseKeyDatabaseIDSize = 16
	DatabaseKeyBranchIDSize   = 16
	DatabaseKeyBaseSize       = DatabaseKeyHashSize + DatabaseKeyDatabaseIDSize + DatabaseKeyBranchIDSize
)
View Source 
const (
	ClusterPrivilegeManage = "cluster:manage"
)

Variables

View Source 
var ErrUserNotFound = errors.New("user not found")
View Source 
var PragmaList = map[string]bool{
	"analysis_limit":            true,
	"application_id":            false,
	"auto_vacuum":               false,
	"automatic_index":           false,
	"busy_timeout":              false,
	"cache_size":                false,
	"cache_spill":               false,
	"case_sensitive_like":       false,
	"cell_size_check":           false,
	"checkpoint_fullfsync":      false,
	"collation_list":            true,
	"compile_options":           true,
	"count_changes":             false,
	"data_store_directory":      false,
	"data_version":              true,
	"database_list":             true,
	"default_cache_size":        false,
	"defer_foreign_keys":        true,
	"empty_result_callbacks":    false,
	"encoding":                  true,
	"foreign_key_check":         true,
	"foreign_key_list":          true,
	"foreign_keys":              true,
	"freelist_count":            true,
	"full_column_names":         false,
	"fullfsync":                 false,
	"function_list":             true,
	"hard_heap_limit":           false,
	"ignore_check_constraints":  true,
	"incremental_vacuum":        false,
	"index_info":                true,
	"index_list":                true,
	"index_xinfo":               true,
	"integrity_check":           true,
	"journal_mode":              false,
	"journal_size_limit":        false,
	"legacy_alter_table":        true,
	"legacy_file_format":        false,
	"locking_mode":              false,
	"max_page_count":            false,
	"mmap_size":                 false,
	"module_list":               true,
	"optimize":                  false,
	"page_count":                true,
	"page_size":                 false,
	"parser_trace":              false,
	"query_only":                false,
	"quick_check":               false,
	"read_uncommitted":          false,
	"recursive_triggers":        false,
	"reverse_unordered_selects": true,
	"schema_version":            false,
	"secure_delete":             false,
	"shrink_memory":             false,
	"soft_heap_limit":           false,
	"stats":                     false,
	"synchronous":               false,
	"table_info":                true,
	"table_list":                true,
	"table_xinfo":               true,
	"temp_store":                false,
	"threads":                   false,
	"trusted_schema":            false,
	"user_version":              false,
	"vdbe_addoptrace":           false,
	"vdbe_debug":                false,
	"vdbe_listing":              false,
	"vdbe_trace":                false,
	"wal_autocheckpoint":        false,
	"wal_checkpoint":            false,
	"writable_schema":           false,

	"litebase_backups_enabled":                    true,
	"litebase_backup_interval":                    true,
	"litebase_backups_retention_days":             true,
	"litebase_incremental_backups_enabled":        true,
	"litebase_incremental_backups_retention_days": true,
	"litebase_query_logs_enabled":                 true,
	"litebase_query_logs_retention_days":          true,
	"litebase_error_logs_enabled":                 true,
	"litebase_error_logs_retention_days":          true,
}
View Source 
var Resources = map[string][]string{
	"access-key": {
		string(AccessKeyPrivilegeCreate),
		string(AccessKeyPrivilegeDelete),
		string(AccessKeyPrivilegeList),
		string(AccessKeyPrivilegeUpdate),
	},
}

Functions

func ActiveEncryptionKey 

func ActiveEncryptionKey(c *config.Config) string

This method is used to retrieve the active key that is based on the encryption key stored in shared file storage. Since this method depends on file i/o, it is not recommended to use this method in a loop or in a hot path.

func ActiveEncryptionKeyHash 

func ActiveEncryptionKeyHash(c *config.Config) string

func AllKeys 

func AllKeys(objectFs *storage.FileSystem) map[string]string

func Authorized 

func Authorized(statements []Statement, resource string, permission Privilege) bool

Determine if an Access Key is authorized to perform an action on a resource.

func EncryptionKeyHash 

func EncryptionKeyHash(encryptionKey string) string

func FindKey 

func FindKey(objectFs *storage.FileSystem, hash string) string

func GetDatabaseKeysPath 

func GetDatabaseKeysPath(key string) string

func GetPrivateKey 

func GetPrivateKey(encryptionKey string, objectFS *storage.FileSystem) (*rsa.PrivateKey, error)

GetPrivateKey retrieves the private key for the given encryption key.

func HasKey 

func HasKey(encryptionKey string, objectFS *storage.FileSystem) bool

func InitKey 

func InitKey(c *config.Config, objectFS *storage.FileSystem) error

func KeyManagerInit 

func KeyManagerInit(c *config.Config, secretsManager *SecretsManager) error

Initialize the key manager by generating a private key for the encryption key if one does not exist.

func KeyPath 

func KeyPath(keyType string, encryptionKey string) string

Return the path for a key for the given encryption key.

func NextEncryptionKey 

func NextEncryptionKey(auth *Auth, c *config.Config, encryptionKey string) error

Initialize the next encryption key.

func Path 

func Path(key string) string

func SignRequest 

func SignRequest(
	accessKeyID string,
	accessKeySecret string,
	method string,
	path string,
	headers map[string]string,
	data []byte,
	queryParams map[string]string,
) string

func StoreEncryptionKey 

func StoreEncryptionKey(c *config.Config, objectFS *storage.FileSystem, encryptionKey string) error

func ValidateEncryptionKey added in v0.5.0 

func ValidateEncryptionKey(encryptionKey string, objectFS *storage.FileSystem) error

ValidateEncryptionKey validates that the provided encryption key matches the checksum of the last stored encryption key in the .key file

func ValidateEncryptionKeyWithConfig added in v0.5.0 

func ValidateEncryptionKeyWithConfig(c *config.Config, objectFS *storage.FileSystem) error

ValidateEncryptionKeyWithConfig validates the encryption key using the config and object filesystem

Types

type AccessKey 

type AccessKey struct {
	ID              int64       `json:"id"`
	AccessKeyID     string      `json:"accessKeyId"`
	AccessKeySecret string      `json:"accessKeySecret"`
	Description     string      `json:"description"`
	CreatedAt       time.Time   `json:"createdAt"`
	UpdatedAt       time.Time   `json:"updatedAt"`
	Statements      []Statement `json:"statements"`

	AccessKeyManager *AccessKeyManager `json:"-"`
}

func NewAccessKey 

func NewAccessKey(
	accessKeyManager *AccessKeyManager,
	accessKeyId string,
	accessKeySecret string,
	description string,
	statements []Statement,
) *AccessKey

Create a new AccessKey instance.

func (*AccessKey) AuthorizeForResource 

func (accessKey *AccessKey) AuthorizeForResource(resources []string, actions []Privilege) bool

Determine if the AccessKey has authorization for the given resources and actions.

func (*AccessKey) Delete 

func (accessKey *AccessKey) Delete() error

Delete the AccessKey from storage.

func (*AccessKey) Rotate 

func (accessKey *AccessKey) Rotate() error

Rotate the access key.

func (*AccessKey) ToResponse 

func (accessKey *AccessKey) ToResponse() *AccessKeyResponse

Return the response representation of the AccessKey.

func (*AccessKey) Update 

func (accessKey *AccessKey) Update(
	description string,
	statements []Statement,
) error

Update the AccessKey statements.

type AccessKeyManager 

type AccessKeyManager struct {
	// contains filtered or unexported fields
}

func NewAccessKeyManager 

func NewAccessKeyManager(
	accessKeyStorage AccessKeyStorage,
	auth *Auth,
	config *config.Config,
) *AccessKeyManager

Create a new instance of an AccessKeyManager.

func (*AccessKeyManager) All 

func (akm *AccessKeyManager) All() ([]*AccessKey, error)

Retrieve all the access keys.

func (*AccessKeyManager) AllAccessKeyIds 

func (akm *AccessKeyManager) AllAccessKeyIds() ([]string, error)

Return all access key ids.

func (*AccessKeyManager) Create 

func (akm *AccessKeyManager) Create(description string, statements []Statement) (*AccessKey, error)

Create a new access key.

func (*AccessKeyManager) GenerateAccessKeyId 

func (akm *AccessKeyManager) GenerateAccessKeyId() (string, error)

Generate an access key id.

func (*AccessKeyManager) GenerateAccessKeySecret 

func (akm *AccessKeyManager) GenerateAccessKeySecret() string

Generate an access key secret.

func (*AccessKeyManager) Get 

func (akm *AccessKeyManager) Get(accessKeyId string) (*AccessKey, error)

Get an access key.

func (*AccessKeyManager) Purge 

func (akm *AccessKeyManager) Purge(accessKeyId string) error

Purge an access key from the cache.

func (*AccessKeyManager) PurgeAll 

func (akm *AccessKeyManager) PurgeAll() error

Purge all access keys.

type AccessKeyResponse 

type AccessKeyResponse struct {
	AccessKeyID string      `json:"accessKeyId"`
	Description string      `json:"description"`
	CreatedAt   time.Time   `json:"createdAt"`
	UpdatedAt   time.Time   `json:"updatedAt"`
	Statements  []Statement `json:"statements"`
}

type AccessKeyStorage 

type AccessKeyStorage interface {
	Delete(id string) error
	Get(id string) (*AccessKey, error)
	List() ([]*AccessKey, error)
	Store(accessKey *AccessKey) error
	Update(accessKey *AccessKey) error
	UpdateNext(accessKey *AccessKey) error
}

type Auth 

type Auth struct {
	AccessKeyManager *AccessKeyManager
	Config           *config.Config
	ObjectFS         *storage.FileSystem
	SecretsManager   *SecretsManager
	TmpFS            *storage.FileSystem
	UserManager      *UserManager
	TokenManager     *TokenManager
	// contains filtered or unexported fields
}

func NewAuth 

func NewAuth(
	c *config.Config,
	networkFS *storage.FileSystem,
	objectFS *storage.FileSystem,
	tmpFS *storage.FileSystem,
	tmpTieredFS *storage.FileSystem,
) *Auth

func (*Auth) Broadcast 

func (a *Auth) Broadcast(key string, value string)

Broadcast an auth event to all listeners.

func (*Auth) Broadcaster 

func (a *Auth) Broadcaster(f func(key string, value string))

Set a broadcaster function for auth events.

func (*Auth) GetCredential 

func (a *Auth) GetCredential(id string, scheme string) (*Credential, error)

Get the credential by ID and scheme.

func (*Auth) ProvideAccessKeyStorage 

func (a *Auth) ProvideAccessKeyStorage(accessKeyStorage AccessKeyStorage)

Provide the interface that will manage access key storage and create the AccessKeyManager instance.

func (*Auth) ProvideTokenStorage 

func (a *Auth) ProvideTokenStorage(tokenStorage TokenStorage)

Provide the interface that will manage token storage and create the TokenManager instance.

func (*Auth) ProvideUserManagerStorage 

func (a *Auth) ProvideUserManagerStorage(userStorage UserStorage)

Provide the interface that will manage access key storage and create the AccessKeyManager instance.

type Credential 

type Credential struct {
	CredentialID     string `json:"credentialId"`
	CredentialString string `json:"credentialString"`

	Scheme        string   `json:"scheme"`
	SignedHeaders []string `json:"signedHeaders"`
	// contains filtered or unexported fields
}

func CaptureCredential 

func CaptureCredential(auth *Auth, authorizationHeader string) *Credential

Capture credentials from a request authorization header.

func (Credential) AccessKey 

func (c Credential) AccessKey() *AccessKey

Return an AccessKey if it exists on the request.

func (*Credential) CanAccessDatabase 

func (credential *Credential) CanAccessDatabase(databaseId, branchId string) error

Determine if an Access Key is authorized to perform an action on a branch.

func (*Credential) CanAlterTable 

func (credential *Credential) CanAlterTable(databaseId, branchId, database, table string) (bool, error)

Determine if an Access Key is authorized to perform an alter on a database.

func (*Credential) CanAnalyze 

func (credential *Credential) CanAnalyze(databaseId, branchId, table string) (bool, error)

Determine if an Access Key is authorized to perform an analyze on a database.

func (*Credential) CanAttach 

func (credential *Credential) CanAttach(databaseId, branchId, database string) (bool, error)

Determine if an Access Key is authorized to perform an attach on a database.

func (*Credential) CanCreateIndex 

func (credential *Credential) CanCreateIndex(databaseId, branchId, tableName, indexName string) (bool, error)

Determine if an Access Key is authorized to perform a create index on a database.

func (*Credential) CanCreateTable 

func (credential *Credential) CanCreateTable(databaseId, branchId, table string) (bool, error)

Determine if an Access Key is authorized to perform a create table on a database.

func (*Credential) CanCreateTempTable 

func (credential *Credential) CanCreateTempTable(databaseId, branchId, table string) (bool, error)

Determine if an Access Key is authorized to perform a create temp table on a database.

func (*Credential) CanCreateTempTrigger 

func (credential *Credential) CanCreateTempTrigger(databaseId, branchId, tableName, triggerName string) (bool, error)

Determine if an Access Key is authorized to perform a create temp trigger on a database.

func (*Credential) CanCreateTempView 

func (credential *Credential) CanCreateTempView(databaseId, branchId, table string) (bool, error)

Determine if an Access Key is authorized to perform a create temp view on a database.

func (*Credential) CanCreateTrigger 

func (credential *Credential) CanCreateTrigger(databaseId, branchId, tableName, triggerName string) (bool, error)

Determine if an Access Key is authorized to perform a create trigger on a database.

func (*Credential) CanCreateVTable 

func (credential *Credential) CanCreateVTable(databaseId, branchId, moduleName, vtable string) (bool, error)

Determine if an Access Key is authorized to perform a create vtable on a database.

func (*Credential) CanCreateView 

func (credential *Credential) CanCreateView(databaseId, branchId, view string) (bool, error)

Determine if an Access Key is authorized to perform a create view on a database.

func (*Credential) CanDelete 

func (credential *Credential) CanDelete(databaseId, branchId string, table string) (bool, error)

Determine if an Access Key is authorized to perform a delete on a database.

func (*Credential) CanDetach 

func (credential *Credential) CanDetach(databaseId, branchId, database string) (bool, error)

Determine if an Access Key is authorized to perform a detach on a database.

func (*Credential) CanDropIndex 

func (credential *Credential) CanDropIndex(databaseId, branchId, table, index string) (bool, error)

Determine if an Access Key is authorized to perform a drop index on a database.

func (*Credential) CanDropTable 

func (credential *Credential) CanDropTable(databaseId, branchId, table string) (bool, error)

Determine if an Access Key is authorized to perform a drop table on a database.

func (*Credential) CanDropTrigger 

func (credential *Credential) CanDropTrigger(databaseId, branchId, table, trigger string) (bool, error)

Determine if an Access Key is authorized to perform a drop trigger on a database.

func (*Credential) CanDropView 

func (credential *Credential) CanDropView(databaseId, branchId, view string) (bool, error)

Determine if an Access Key is authorized to perform a drop view on a database.

func (*Credential) CanFunction 

func (credential *Credential) CanFunction(databaseId, branchId, function string) (bool, error)

Determine if an Access Key is authorized to perform a function on a database.

func (*Credential) CanInsert 

func (credential *Credential) CanInsert(databaseId, branchId, table string) (bool, error)

Determine if an Access Key is authorized to perform a function on a database.

func (*Credential) CanPragma 

func (credential *Credential) CanPragma(databaseId, branchId, pragma, value string) (bool, error)

Determine if an Access Key is authorized to perform a pragma on a database.

func (*Credential) CanRead 

func (credential *Credential) CanRead(databaseId, branchId, table, column string) (bool, error)

Determine if an Access Key is authorized to perform a read on a database.

func (*Credential) CanRecursive 

func (credential *Credential) CanRecursive(databaseId, branchId string) (bool, error)

Determine if an Access Key is authorized to perform a recursive on a database.

func (*Credential) CanReindex 

func (credential *Credential) CanReindex(databaseId, branchId, index string) (bool, error)

Determine if an Access Key is authorized to perform a reindex on a database.

func (*Credential) CanSavepoint 

func (credential *Credential) CanSavepoint(databaseId, branchId, operation, savepoint string) (bool, error)

Determine if an Access Key is authorized to perform a savepoint on a database.

func (*Credential) CanSelect 

func (credential *Credential) CanSelect(databaseId, branchId string) (bool, error)

Determine if an Access Key is authorized to perform a select on a database.

func (*Credential) CanTransaction 

func (credential *Credential) CanTransaction(databaseId, branchId, operation string) (bool, error)

Determine if an Access Key is authorized to perform a transaction on a database.

func (*Credential) CanUpdate 

func (credential *Credential) CanUpdate(databaseId, branchId, table, column string) (bool, error)

Determine if an Access Key is authorized to perform an update on a database.

func (*Credential) Hash 

func (c *Credential) Hash() [32]byte

Return the hash of the Credential.

func (Credential) Invalid 

func (c Credential) Invalid() bool

Check if the request credential is invalid.

func (Credential) IsAccessKey 

func (c Credential) IsAccessKey() bool

Determine if the request credential is an AccessKey.

func (Credential) IsBasicAuth 

func (c Credential) IsBasicAuth() bool

Determine if the request credential is a BasicAuth.

func (Credential) IsToken 

func (c Credential) IsToken() bool

Determine if the request credential is a Token.

func (Credential) Statements 

func (c Credential) Statements() []Statement

Return the statements associated with the credential.

func (Credential) Token 

func (c Credential) Token() *Token

Return a Token if it exists.

func (Credential) Type 

func (c Credential) Type() CredentialType

Determine the type of credential.

func (Credential) User 

func (c Credential) User() *User

Return a User if it exists.

func (Credential) Valid 

func (c Credential) Valid() bool

Determine if the credential is valid.

func (*Credential) WithAccessKey 

func (c *Credential) WithAccessKey(accessKey *AccessKey) *Credential

Set the AccessKey for the credential.

func (*Credential) WithToken 

func (c *Credential) WithToken(token *Token) *Credential

Set the Token for the credential.

func (*Credential) WithUser 

func (c *Credential) WithUser(user *User) *Credential

Set the User for the credential.

type CredentialType 

type CredentialType string
const (
	CredentialTypeAccessKey CredentialType = "access_key"
	CredentialTypeBasicAuth CredentialType = "basic_auth"
	CredentialTypeToken     CredentialType = "token"
	CredentialTypeUnknown   CredentialType = "unknown"
)

type DatabaseAccessError 

type DatabaseAccessError struct {
	// contains filtered or unexported fields
}

func NewDatabaseAccessError 

func NewDatabaseAccessError() DatabaseAccessError

func (DatabaseAccessError) Error 

func (e DatabaseAccessError) Error() string

type DatabaseKey 

type DatabaseKey struct {
	DatabaseBranchID   string `json:"databaseBranchId"`
	DatabaseBranchName string `json:"databaseBranchName"`
	DatabaseHash       string `json:"databaseHash"`
	DatabaseID         string `json:"databaseId"`
	DatabaseName       string `json:"databaseName"`
}

DatabaseKey represents a database key with its associated metadata. This data structure associates a string that is used to access the database with the database hash, database ID, and branch ID.

When encoded as binary, the database key is stored in a file with the following structure: - 16 bytes for the key - 32 bytes for the database hash - 16 bytes for the database ID - 16 bytes for the branch ID

func NewDatabaseKey 

func NewDatabaseKey(databaseID, databaseName, branchID, branchName string) *DatabaseKey

type DatabasePrivilegeError 

type DatabasePrivilegeError struct {
	// contains filtered or unexported fields
}

func NewDatabasePrivilegeError 

func NewDatabasePrivilegeError(privilege Privilege) DatabasePrivilegeError

func (DatabasePrivilegeError) Error 

func (e DatabasePrivilegeError) Error() string

type DecryptedSecret 

type DecryptedSecret struct {
	Key   string
	Value string
}

type Encrypter 

type Encrypter struct {
	// contains filtered or unexported fields
}

func NewEncrypter 

func NewEncrypter(key []byte) *Encrypter

func (*Encrypter) Decrypt 

func (encrypter *Encrypter) Decrypt(text string) (DecryptedSecret, error)

func (*Encrypter) Encrypt 

func (encrypter *Encrypter) Encrypt(plaintext string) (string, error)

type InvalidAccessKeyError 

type InvalidAccessKeyError struct {
	// contains filtered or unexported fields
}

func NewInvalidAccessKeyError 

func NewInvalidAccessKeyError(message string) InvalidAccessKeyError

func (InvalidAccessKeyError) Error 

func (e InvalidAccessKeyError) Error() string

type KeyEncrypter 

type KeyEncrypter struct {
	// contains filtered or unexported fields
}

func NewKeyEncrypter 

func NewKeyEncrypter(secretsManager *SecretsManager, encryptionKey string) *KeyEncrypter

func (*KeyEncrypter) Decrypt 

func (k *KeyEncrypter) Decrypt(data []byte) (DecryptedSecret, error)

func (*KeyEncrypter) Encrypt 

func (k *KeyEncrypter) Encrypt(data []byte) ([]byte, error)

type MapSecret 

type MapSecret struct {
	Value     string    `json:"value"`
	ExpiresAt time.Time `json:"expiresAt"`
}

type MapSecretsStore 

type MapSecretsStore struct {
	// contains filtered or unexported fields
}

func NewMapSecretsStore 

func NewMapSecretsStore() *MapSecretsStore

func (*MapSecretsStore) Flush 

func (store *MapSecretsStore) Flush() error

func (*MapSecretsStore) Forget 

func (store *MapSecretsStore) Forget(key string)

func (*MapSecretsStore) Get 

func (store *MapSecretsStore) Get(key string, cacheItemType any) any

func (*MapSecretsStore) Put 

func (store *MapSecretsStore) Put(key string, value any, seconds time.Duration) bool

type Privilege 

type Privilege string
const (
	AccessKeyPrivilegeCreate Privilege = "access-key:create"
	AccessKeyPrivilegeDelete Privilege = "access-key:delete"
	AccessKeyPrivilegeList   Privilege = "access-key:list"
	AccessKeyPrivilegeRead   Privilege = "access-key:read"
	AccessKeyPrivilegeUpdate Privilege = "access-key:update"
)
const (
	DatabasePrivilegeCreate Privilege = "database:create"
	DatabasePrivilegeList   Privilege = "database:list"
	DatabasePrivilegeShow   Privilege = "database:show"
	DatabasePrivilegeManage Privilege = "database:manage"

	DatabaseBranchPrivilegeCreate Privilege = "database:branch:create"
	DatabaseBranchPrivilegeList   Privilege = "database:branch:list"
	DatabaseBranchPrivilegeShow   Privilege = "database:branch:show"
	DatabaseBranchPrivilegeManage Privilege = "database:branch:manage"

	DatabasePrivilegeBackup  Privilege = "database:backup"
	DatabasePrivilegeRestore Privilege = "database:restore"
	DatabasePrivilegeExport  Privilege = "database:export"
	DatabasePrivilegeImport  Privilege = "database:import"

	DatabasePrivilegeQuery Privilege = "database:query"

	DatabasePrivilegeAnalyze           Privilege = "database:analyze"
	DatabasePrivilegeAttach            Privilege = "database:attach"
	DatabasePrivilegeAlterTable        Privilege = "database:alter_table"
	DatabasePrivilegeCreateIndex       Privilege = "database:create_index"
	DatabasePrivilegeCreateTable       Privilege = "database:create_table"
	DatabasePrivilegeCreateTempTable   Privilege = "database:create_temp_table"
	DatabasePrivilegeCreateTempTrigger Privilege = "database:create_temp_trigger"
	DatabasePrivilegeCreateTempView    Privilege = "database:create_temp_view"
	DatabasePrivilegeCreateTrigger     Privilege = "database:create_trigger"
	DatabasePrivilegeCreateView        Privilege = "database:create_view"
	DatabasePrivilegeCreateVTable      Privilege = "database:create_vtable"
	DatabasePrivilegeDelete            Privilege = "database:delete"
	DatabasePrivilegeDetach            Privilege = "database:detach"
	DatabasePrivilegeDropIndex         Privilege = "database:drop_index"
	DatabasePrivilegeDropTable         Privilege = "database:drop_table"
	DatabasePrivilegeDropTrigger       Privilege = "database:drop_trigger"
	DatabasePrivilegeDropView          Privilege = "database:drop_view"
	DatabasePrivilegeFunction          Privilege = "database:function"
	DatabasePrivilegeInsert            Privilege = "database:insert"
	DatabasePrivilegePragma            Privilege = "database:pragma"
	DatabasePrivilegeRead              Privilege = "database:read"
	DatabasePrivilegeRecursive         Privilege = "database:recursive"
	DatabasePrivilegeReindex           Privilege = "database:reindex"
	DatabasePrivilegeSavepoint         Privilege = "database:savepoint"
	DatabasePrivilegeSelect            Privilege = "database:select"
	DatabasePrivilegeTransaction       Privilege = "database:transaction"
	DatabasePrivilegeUpdate            Privilege = "database:update"
)
const (
	TokenPrivilegeCreate Privilege = "token:create"
	TokenPrivilegeDelete Privilege = "token:delete"
	TokenPrivilegeList   Privilege = "token:list"
	TokenPrivilegeRead   Privilege = "token:read"
	TokenPrivilegeUpdate Privilege = "token:update"
)
const (
	// PrivilegeWildcard represents all privileges (wildcard permission)
	PrivilegeWildcard Privilege = "*"
)

type Resource 

type Resource string

func (Resource) HasPrefix 

func (r Resource) HasPrefix(prefix string) bool

Check if the access key resource has a prefix.

func (Resource) IsValid 

func (r Resource) IsValid() bool

Validate if the access key resource is valid.

type SecretsManager 

type SecretsManager struct {
	NetworkFS *storage.FileSystem

	ObjectFS *storage.FileSystem
	TmpFS    *storage.FileSystem
	// contains filtered or unexported fields
}

func NewSecretsManager 

func NewSecretsManager(
	auth *Auth,
	config *config.Config,
	networkFS *storage.FileSystem,
	objectFS *storage.FileSystem,
	tmpFS *storage.FileSystem,
	tmpTieredFS *storage.FileSystem,
) *SecretsManager

Create a new instance of the SecretsManager

func (*SecretsManager) Decrypt 

func (s *SecretsManager) Decrypt(encryptionKey string, data []byte) (DecryptedSecret, error)

Decrypt the given text using the given encryption key

func (*SecretsManager) Encrypt 

func (s *SecretsManager) Encrypt(encryptionKey string, data []byte) ([]byte, error)

Encrypt the given data using the given key

func (*SecretsManager) Encrypter 

func (s *SecretsManager) Encrypter(encryptionKey string) *KeyEncrypter

Get the KeyEncrypter for the given key

func (*SecretsManager) FlushTransients 

func (s *SecretsManager) FlushTransients() error

Flush the transient cache

func (*SecretsManager) GetAccessKeySecret 

func (s *SecretsManager) GetAccessKeySecret(accessKeyId string) (string, error)

Get the access key secret for the given access key id

func (*SecretsManager) Init 

func (s *SecretsManager) Init() error

Initialize the SecretsManager

func (*SecretsManager) PurgeDatabaseSettings 

func (s *SecretsManager) PurgeDatabaseSettings(databaseId string, branchId string) error

Purge database settings for the given database id and branch id from cache

func (*SecretsManager) PurgeExpiredSecrets 

func (s *SecretsManager) PurgeExpiredSecrets() error

Purge expired database settings from cache

func (*SecretsManager) SecretsPath 

func (s *SecretsManager) SecretsPath(encryptionKey, key string) string

Get the path for the given encryption key and key

type SecretsStore 

type SecretsStore interface {
	Flush() error
	Forget(key string)
	Get(key string, cacheItemType any) any
	Put(key string, value any, seconds time.Duration) bool
}

type Statement 

type Statement struct {
	Effect   StatementEffect `json:"effect" validate:"required,validateFn=IsValid" example:"allow" description:"Allow or deny effect for the statement"`
	Resource Resource        `json:"resource" validate:"required,validateFn=IsValid" example:"database:*" description:"Resource identifier or pattern"`
	Actions  []Privilege     `` /* 128-byte string literal not displayed */
}

func (Statement) IsValid 

func (s Statement) IsValid() bool

This method validates if all of the actions in the statement align with the selected resource.

type StatementEffect 

type StatementEffect string
const (
	StatementEffectAllow StatementEffect = "allow"
	StatementEffectDeny  StatementEffect = "deny"
)

func (StatementEffect) IsValid 

func (e StatementEffect) IsValid() bool

Determines if the StatementEffect is valid.

type Token 

type Token struct {
	ID          int64       `json:"id"`
	TokenID     string      `json:"tokenId"`
	TokenHash   string      `json:"tokenHash"`
	TokenSecret string      `json:"tokenSecret,omitempty"`
	Statements  []Statement `json:"statements"`
	Description string      `json:"description"`
	CreatedAt   time.Time   `json:"createdAt"`
	UpdatedAt   time.Time   `json:"updatedAt"`

	TokenManager *TokenManager `json:"-"`
}

func NewToken 

func NewToken(
	tokenManager *TokenManager,
	tokenID string,
	tokenSecret string,
	tokenHash string,
	description string,
	statements []Statement,
) *Token

Create a new instance of a token

func (*Token) Authenticate 

func (t *Token) Authenticate(secret string) bool

Authenticate the token using the provided secret.

func (*Token) AuthorizeForResource 

func (t *Token) AuthorizeForResource(resources []string, actions []Privilege) bool

Determine if the Token has authorization for the given resources and actions.

func (*Token) Delete 

func (t *Token) Delete() error

Delete a token.

func (*Token) Hash 

func (t *Token) Hash() string

Return the hash of the Token.

func (*Token) Rotate 

func (t *Token) Rotate() error

Rotate the token.

func (*Token) ToResponse 

func (t *Token) ToResponse() *TokenResponse

Convert the Token to a response object.

func (*Token) Update 

func (t *Token) Update(description string, statements []Statement) error

Update the Token statements.

func (*Token) Value 

func (t *Token) Value() (string, error)

Return the token value. The token secret must still be available.

type TokenCreatedResponse added in v0.5.0 

type TokenCreatedResponse struct {
	TokenID     string      `json:"tokenId"`
	Token       string      `json:"token"`
	Statements  []Statement `json:"statements"`
	Description string      `json:"description"`
	CreatedAt   time.Time   `json:"createdAt"`
	UpdatedAt   time.Time   `json:"updatedAt"`
}

type TokenManager 

type TokenManager struct {
	// contains filtered or unexported fields
}

func NewTokenManager 

func NewTokenManager(tokenStorage TokenStorage, auth *Auth) *TokenManager

Create a new instance of a TokenManager.

func (*TokenManager) All 

func (tm *TokenManager) All() ([]*Token, error)

Retrieve all tokens.

func (*TokenManager) AllTokenIDs 

func (tm *TokenManager) AllTokenIDs() ([]string, error)

Retrieve all token IDs.

func (*TokenManager) AllTokens added in v0.5.0 

func (tm *TokenManager) AllTokens() ([]*Token, error)

Retrieve all tokens.

func (*TokenManager) Create 

func (tm *TokenManager) Create(description string, statements []Statement) (*Token, error)

Create a new token.

func (*TokenManager) GenerateTokenID 

func (tm *TokenManager) GenerateTokenID() (string, error)

Generate a unique token ID.

func (*TokenManager) GenerateTokenSecret 

func (tm *TokenManager) GenerateTokenSecret() string

Generate a random token secret.

func (*TokenManager) Get 

func (tm *TokenManager) Get(tokenID string) (*Token, error)

Get a token by ID.

func (*TokenManager) Purge 

func (tm *TokenManager) Purge(tokenID string) error

Purge a token from the cache.

func (*TokenManager) PurgeAll 

func (tm *TokenManager) PurgeAll() error

Purge all tokens.

type TokenResponse 

type TokenResponse struct {
	TokenID     string      `json:"tokenId"`
	Statements  []Statement `json:"statements"`
	Description string      `json:"description"`
	CreatedAt   time.Time   `json:"createdAt"`
	UpdatedAt   time.Time   `json:"updatedAt"`
}

type TokenStorage 

type TokenStorage interface {
	Delete(id string) error
	Get(id string) (*Token, error)
	List() ([]*Token, error)
	Store(token *Token) error
	Update(token *Token) error
}

type User 

type User struct {
	Username    string      `json:"username"`
	Password    string      `json:"password"`
	Description string      `json:"description"`
	Statements  []Statement `json:"statements"`
	CreatedAt   time.Time   `json:"createdAt"`
	UpdatedAt   time.Time   `json:"updatedAt"`
}

func (*User) AuthorizeForResource 

func (u *User) AuthorizeForResource(resources []string, actions []Privilege) bool

Check if the user has authorization for the given resources and actions

type UserManager 

type UserManager struct {
	// contains filtered or unexported fields
}

func NewUserManager 

func NewUserManager(
	userStorage UserStorage,
	auth *Auth,
	config *config.Config,
) *UserManager

Create a new instance of the UserManager.

func (*UserManager) All 

func (u *UserManager) All() []User

Return all users without passwords.

func (*UserManager) Authenticate 

func (u *UserManager) Authenticate(username, password string) bool

Authenticate a user with username and password.

func (*UserManager) Create 

func (u *UserManager) Create(username, password, description string, statements []Statement) (*User, error)

Create a new user and store it.

func (*UserManager) Get 

func (u *UserManager) Get(username string) (*User, error)

Get a user by username.

func (*UserManager) Init 

func (u *UserManager) Init() error

Initialize the UserManager.

func (*UserManager) Purge 

func (u *UserManager) Purge(username string) error

Purge a user by username from memory.

func (*UserManager) Remove 

func (u *UserManager) Remove(username string) error

Remove a user by username.

func (*UserManager) Update 

func (u *UserManager) Update(user *User) error

Update an existing user.

type UserResponse 

type UserResponse struct {
	Username    string      `json:"username" example:"admin" description:"The username"`
	Description string      `json:"description" example:"Administrator user" description:"The user description"`
	Statements  []Statement `json:"statements" description:"List of permission statements defining what the user can access"`
	CreatedAt   time.Time   `json:"createdAt" description:"Creation timestamp"`
	UpdatedAt   time.Time   `json:"updatedAt" description:"Last update timestamp"`
}

type UserStorage 

type UserStorage interface {
	Delete(username string) error
	Get(username string) (*User, error)
	List() ([]*User, error)
	Store(user *User) error
	Update(user *User) error
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.