security

Published: Jan 27, 2026 License: Apache-2.0 Imports: 6 Imported by: 0

Constants

// NamespaceProfile is the namespace string "default/profile".
// NOTE(review): presumably the Namespace value used for profile subjects and
// objects in SubjectRef/ObjectRef (SubjectRef.Namespace is documented as
// "Usually profile") — confirm against the callers before relying on it.
const NamespaceProfile = "default/profile"

Variables

This section is empty.

Functions

func EnrichTenancyClaims added in v1.69.10

func EnrichTenancyClaims(
	ctx context.Context, tenantID, partitionID, accessID string,
) context.Context

EnrichTenancyClaims exists because internal services act on behalf of different users. Although they have their own claims in place, there may be situations where there is a need to log in as a different user. This is where secondary claims come into play, and implementing systems can decide to use the secondary claims. This should be done with very high caution, though.

func IsTenancyChecksOnClaimSkipped

func IsTenancyChecksOnClaimSkipped(ctx context.Context) bool

func JwtFromContext

func JwtFromContext(ctx context.Context) string

JwtFromContext extracts authentication jwt from the supplied context if any exist.

func JwtToContext

func JwtToContext(ctx context.Context, jwt string) context.Context

JwtToContext adds authentication jwt to the current supplied context.

func SkipTenancyChecksOnClaims

func SkipTenancyChecksOnClaims(ctx context.Context) context.Context

SkipTenancyChecksOnClaims removes authentication claims from the current supplied context.

Types

type AuditLogger added in v1.70.1

// AuditLogger logs authorization decisions for security audit.
//
// Implementations receive the CheckRequest that was evaluated, the CheckResult
// that was produced and caller-supplied metadata, and return an error when the
// decision could not be recorded.
type AuditLogger interface {
	// LogDecision records a single authorization decision together with metadata.
	// NOTE(review): whether a logging failure should also fail the authorization
	// call is decided by the Authorizer implementation, not visible here.
	LogDecision(ctx context.Context, req CheckRequest, result CheckResult, metadata map[string]string) error
}

AuditLogger logs authorization decisions for security audit.

type AuthOption

// AuthOption mutates an AuthOptions in place. It is the functional-option type
// accepted by Authenticator.Authenticate and returned by WithAudience,
// WithIssuer, WithDisableSecurity and WithDisableSecurityConfig.
type AuthOption func(ctx context.Context, opts *AuthOptions)

func WithAudience

func WithAudience(audience ...string) AuthOption

WithAudience sets the audience to use, overriding any config option.

func WithDisableSecurity

func WithDisableSecurity() AuthOption

WithDisableSecurity sets that security should be disabled.

func WithDisableSecurityConfig

func WithDisableSecurityConfig(cfg config.ConfigurationSecurity) AuthOption

WithDisableSecurityConfig adds a security configuration to existing AuthOptions.

func WithIssuer

func WithIssuer(issuer string) AuthOption

WithIssuer sets the issuer to use, overriding any config option.

type AuthOptions

// AuthOptions holds the per-call authentication settings assembled by AuthOption
// functions (WithAudience, WithIssuer, WithDisableSecurity, WithDisableSecurityConfig).
type AuthOptions struct {
	// DisableSecurityCfg is the security configuration supplied by WithDisableSecurityConfig.
	DisableSecurityCfg config.ConfigurationSecurity
	// Audience is the expected token audience set by WithAudience; it overrides any config option.
	Audience           []string
	// Issuer is the expected token issuer set by WithIssuer; it overrides any config option.
	Issuer             string
	// DisableSecurity, when true, signals that security checks should be disabled
	// (set by WithDisableSecurity).
	DisableSecurity    bool
}

AuthOptions contains configuration for Redis cache.

type AuthenticationClaims

// AuthenticationClaims defines the structure for JWT claims, embedding
// jwt.RegisteredClaims for the standard fields (issuer, audience, expiry, ...)
// and adding the custom claims below.
//
// Every custom field is tagged omitempty, so a claim that is absent from the
// token is simply the zero value here: consumers must treat an empty TenantID,
// PartitionID or AccessID as "not present", never as a valid identifier.
type AuthenticationClaims struct {
	// Ext carries arbitrary additional claims keyed by name.
	Ext         map[string]any `json:"ext,omitempty"`
	// TenantID identifies the tenant the token is scoped to.
	TenantID    string         `json:"tenant_id,omitempty"`
	// PartitionID identifies the partition within the tenant.
	PartitionID string         `json:"partition_id,omitempty"`
	// AccessID identifies the access (login) the token was issued for.
	AccessID    string         `json:"access_id,omitempty"`
	// ContactID identifies the contact associated with the token.
	ContactID   string         `json:"contact_id,omitempty"`
	// SessionID identifies the session the token belongs to.
	SessionID   string         `json:"session_id,omitempty"`
	// DeviceID identifies the device the token was issued to.
	DeviceID    string         `json:"device_id,omitempty"`
	// ServiceName names the calling service when the token is held by an internal service.
	ServiceName string         `json:"service_name,omitempty"`
	// Roles lists the role names granted to the subject.
	Roles       []string       `json:"roles,omitempty"`
	// RegisteredClaims supplies the standard JWT claims (iss, sub, aud, exp, iat, ...).
	jwt.RegisteredClaims
}

AuthenticationClaims defines the structure for JWT claims, embedding jwt.RegisteredClaims to include standard fields like expiry time, and adding custom claims.

func ClaimsFromContext

func ClaimsFromContext(ctx context.Context) *AuthenticationClaims

ClaimsFromContext extracts authentication claims from the supplied context if any exist. For internal systems, the returned claims are enriched with tenancy data from secondary claims.

func ClaimsFromMap

func ClaimsFromMap(m map[string]string) *AuthenticationClaims

ClaimsFromMap extracts authentication claims from the supplied map if they exist.

func (*AuthenticationClaims) AsMetadata

func (a *AuthenticationClaims) AsMetadata() map[string]string

AsMetadata creates a string map to be used as metadata in queue data.

func (*AuthenticationClaims) ClaimsToContext

func (a *AuthenticationClaims) ClaimsToContext(ctx context.Context) context.Context

ClaimsToContext adds authentication claims to the current supplied context.

func (*AuthenticationClaims) GetAccessID

func (a *AuthenticationClaims) GetAccessID() string

func (*AuthenticationClaims) GetContactID

func (a *AuthenticationClaims) GetContactID() string

func (*AuthenticationClaims) GetDeviceID

func (a *AuthenticationClaims) GetDeviceID() string

func (*AuthenticationClaims) GetPartitionID

func (a *AuthenticationClaims) GetPartitionID() string

func (*AuthenticationClaims) GetProfileID

func (a *AuthenticationClaims) GetProfileID() string

func (*AuthenticationClaims) GetRoles

func (a *AuthenticationClaims) GetRoles() []string

func (*AuthenticationClaims) GetServiceName

func (a *AuthenticationClaims) GetServiceName() string

func (*AuthenticationClaims) GetSessionID

func (a *AuthenticationClaims) GetSessionID() string

func (*AuthenticationClaims) GetTenantID

func (a *AuthenticationClaims) GetTenantID() string

type Authenticator

// Authenticator validates a JWT and yields a context carrying the resulting
// authentication state.
type Authenticator interface {
	// Authenticate is expected to verify jwtToken, applying any AuthOption
	// overrides (audience, issuer, disable-security), and to return a derived
	// context on success or an error when the token is rejected. Callers should
	// continue with the returned context, not the one they passed in, so that
	// ClaimsFromContext / JwtFromContext see the authenticated state.
	Authenticate(ctx context.Context, jwtToken string, options ...AuthOption) (context.Context, error)
}

type Authorizer

// Authorizer is the core authorization service interface. Implementations can
// be swapped without affecting business logic.
//
// All methods take a context for cancellation and for the caller's
// authentication claims; a non-nil error means the operation was not carried
// out and the caller must not treat the result as a grant.
type Authorizer interface {
	// Check verifies if a subject has permission on an object.
	Check(ctx context.Context, req CheckRequest) (CheckResult, error)

	// BatchCheck verifies multiple permissions in one call (for efficiency).
	// NOTE(review): presumably results[i] corresponds to requests[i] — confirm
	// with the implementation before indexing by position.
	BatchCheck(ctx context.Context, requests []CheckRequest) ([]CheckResult, error)

	// WriteTuple creates a relationship tuple.
	WriteTuple(ctx context.Context, tuple RelationTuple) error

	// WriteTuples creates multiple relationship tuples atomically.
	WriteTuples(ctx context.Context, tuples []RelationTuple) error

	// DeleteTuple removes a relationship tuple.
	DeleteTuple(ctx context.Context, tuple RelationTuple) error

	// DeleteTuples removes multiple relationship tuples atomically.
	DeleteTuples(ctx context.Context, tuples []RelationTuple) error

	// ListRelations returns all relations for an object.
	ListRelations(ctx context.Context, object ObjectRef) ([]RelationTuple, error)

	// ListSubjectRelations returns all objects a subject has relations to,
	// restricted to the given object namespace.
	ListSubjectRelations(ctx context.Context, subject SubjectRef, namespace string) ([]RelationTuple, error)

	// Expand returns all subjects with a given relation (for member listing).
	Expand(ctx context.Context, object ObjectRef, relation string) ([]SubjectRef, error)
}

Authorizer is the core authorization service interface. Implementations can be swapped without affecting business logic.

type AuthzOption added in v1.70.1

// AuthzOption mutates an AuthzOptions in place. It is the functional-option
// type returned by WithAuditLogger, WithAuthorizationConfig and WithClient.
type AuthzOption func(ctx context.Context, opts *AuthzOptions)

func WithAuditLogger added in v1.70.1

func WithAuditLogger(auditLogger AuditLogger) AuthzOption

WithAuditLogger adds an auditor instance to existing AuthzOptions.

func WithAuthorizationConfig added in v1.70.1

func WithAuthorizationConfig(cfg config.ConfigurationAuthorization) AuthzOption

WithAuthorizationConfig adds configuration to existing AuthzOptions.

func WithClient added in v1.70.1

func WithClient(cli client.Manager) AuthzOption

WithClient adds client for external calls to existing AuthzOptions.

type AuthzOptions added in v1.70.1

// AuthzOptions contains configuration for authorization, assembled by the
// AuthzOption functions.
type AuthzOptions struct {
	// Cfg is the authorization configuration supplied by WithAuthorizationConfig.
	Cfg     config.ConfigurationAuthorization
	// Client is the client manager used for external calls, supplied by WithClient.
	Client  client.Manager
	// Auditor receives authorization decisions for audit; supplied by WithAuditLogger.
	Auditor AuditLogger
}

AuthzOptions contains configuration for authorization.

type CheckRequest added in v1.70.1

// CheckRequest represents a permission check request: does Subject hold
// Permission on Object?
type CheckRequest struct {
	// Object is the resource being accessed.
	Object     ObjectRef
	Permission string // "view", "delete", "send_message", etc.
	// Subject is the actor requesting access.
	Subject    SubjectRef
}

CheckRequest represents a permission check request.

type CheckResult added in v1.70.1

// CheckResult represents the result of a permission check.
type CheckResult struct {
	// Allowed is the decision; only an explicit true is a grant.
	Allowed   bool
	Reason    string // Explanation for audit
	// NOTE(review): the unit of CheckedAt (seconds vs. milliseconds) is not
	// stated here — confirm with the implementation before comparing timestamps.
	CheckedAt int64  // Unix timestamp
}

CheckResult represents the result of a permission check.

type InternalOauth2ClientHolder

// InternalOauth2ClientHolder holds an internal service's OAuth2 client
// registration: the raw client map plus the client ID and secret used for JWT
// issuance. JwtClientSecret exposes a credential; treat the value as sensitive
// and keep it out of logs and error messages.
type InternalOauth2ClientHolder interface {
	// JwtClient returns the stored client registration map.
	JwtClient() map[string]any
	// SetJwtClient stores the client ID, client secret and registration map.
	SetJwtClient(clientID, clientSecret string, jwtCli map[string]any)
	// JwtClientID returns the stored client ID.
	JwtClientID() string
	// JwtClientSecret returns the stored client secret.
	JwtClientSecret() string
}

type Manager

// Manager is the entry point of the security package: it holds the internal
// OAuth2 client credentials and hands out the registrar, authenticator and
// authorizer services.
type Manager interface {
	InternalOauth2ClientHolder
	// GetOauth2ClientRegistrar returns the service used to (un)register OAuth2 clients.
	GetOauth2ClientRegistrar(ctx context.Context) Oauth2ClientRegistrar
	// GetAuthenticator returns the JWT authenticator.
	GetAuthenticator(ctx context.Context) Authenticator
	// GetAuthorizer returns the authorization service.
	GetAuthorizer(ctx context.Context) Authorizer
}

type Oauth2ClientRegistrar

// Oauth2ClientRegistrar registers and unregisters OAuth2 clients with an
// OAuth2 service so that they can obtain JWTs.
type Oauth2ClientRegistrar interface {
	// RegisterForJwt registers the client described by iClientHolder.
	RegisterForJwt(ctx context.Context, iClientHolder InternalOauth2ClientHolder) error
	// RegisterForJwtWithParams registers a client explicitly, against the admin
	// endpoint at oauth2ServiceAdminHost, and returns the resulting client map.
	// clientSecret is a credential: keep it out of logs and error messages.
	RegisterForJwtWithParams(ctx context.Context,
		oauth2ServiceAdminHost string, clientName string, clientID string, clientSecret string,
		scope string, audienceList []string, metadata map[string]string) (map[string]any, error)
	// UnRegisterForJwt removes the client identified by clientID from the
	// admin endpoint at oauth2ServiceAdminHost.
	UnRegisterForJwt(ctx context.Context,
		oauth2ServiceAdminHost string, clientID string) error
}

type ObjectRef added in v1.70.1

// ObjectRef represents a reference to an object (resource) as a namespace plus
// identifier.
type ObjectRef struct {
	Namespace string // "room", "message", "profile"
	ID        string // Object identifier
}

ObjectRef represents a reference to an object (resource).

type Option

// Option mutates an Options in place. It is the functional-option type
// returned by WithInvoker, WithOauth2Config, WithSecurityConfig and
// WithServiceConfig and used when building the security Manager.
type Option func(ctx context.Context, opts *Options)

func WithInvoker

func WithInvoker(cfg client.Manager) Option

WithInvoker adds an oauth2 configuration to Options.

func WithOauth2Config

func WithOauth2Config(cfg config.ConfigurationOAUTH2) Option

WithOauth2Config adds an oauth2 configuration to Options.

func WithSecurityConfig

func WithSecurityConfig(cfg config.ConfigurationSecurity) Option

WithSecurityConfig adds a security configuration to existing Options.

func WithServiceConfig

func WithServiceConfig(cfg config.ConfigurationService) Option

WithServiceConfig adds service configuration to Options.

type Options

// Options contains configuration for the security manager, assembled by the
// Option functions.
type Options struct {
	// SecurityCfg is the security configuration supplied by WithSecurityConfig.
	SecurityCfg config.ConfigurationSecurity
	// Oath2Cfg is the OAuth2 configuration supplied by WithOauth2Config
	// (the field name keeps its existing spelling for compatibility).
	Oath2Cfg    config.ConfigurationOAUTH2
	// ServiceCfg is the service configuration supplied by WithServiceConfig.
	ServiceCfg  config.ConfigurationService
	// Invoker is the client manager supplied by WithInvoker.
	Invoker     client.Manager
}

Options contains configuration for security manager.

type RelationTuple added in v1.70.1

// RelationTuple represents a relationship between object and subject:
// "Subject has Relation on Object".
type RelationTuple struct {
	// Object is the resource side of the relationship.
	Object   ObjectRef
	Relation string // "owner", "admin", "member", "sender", etc.
	// Subject is the actor (or subject set) side of the relationship.
	Subject  SubjectRef
}

RelationTuple represents a relationship between object and subject.

type SubjectRef added in v1.70.1

// SubjectRef represents a reference to a subject (actor). With Relation empty
// it names a single subject; with Relation set it names a subject set, i.e.
// every subject holding that relation on the referenced object.
type SubjectRef struct {
	Namespace string // Usually "profile"
	ID        string // Profile ID
	Relation  string // Optional: for subject sets (e.g., "room:123#member")
}

SubjectRef represents a reference to a subject (actor).

Directories

Path Synopsis
Package authorizer provides an Ory Keto adapter implementation for the security.Authorizer interface.
Package authorizer provides an Ory Keto adapter implementation for the security.Authorizer interface.
interceptors
