Documentation
¶
Index ¶
- type AuditRecordRepository
- type Config
- type CreateRequest
- type OrganizationService
- type PolicyService
- type Repository
- type RoleService
- type Service
- func (s *Service) Create(ctx context.Context, req CreateRequest) (patmodels.PAT, string, error)
- func (s *Service) Delete(ctx context.Context, userID, id string) error
- func (s *Service) Get(ctx context.Context, userID, id string) (patmodels.PAT, error)
- func (s *Service) GetByID(ctx context.Context, id string) (patmodels.PAT, error)
- func (s *Service) IsTitleAvailable(ctx context.Context, userID, orgID, title string) (bool, error)
- func (s *Service) List(ctx context.Context, userID, orgID string, query *rql.Query) (patmodels.PATList, error)
- func (s *Service) ListAllowedRoles(ctx context.Context, scopes []string) ([]role.Role, error)
- func (s *Service) Regenerate(ctx context.Context, userID, id string, newExpiresAt time.Time) (patmodels.PAT, string, error)
- func (s *Service) Update(ctx context.Context, toUpdate patmodels.PAT) (patmodels.PAT, error)
- func (s *Service) ValidateExpiry(expiresAt time.Time) error
- type Validator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuditRecordRepository ¶
type AuditRecordRepository interface {
Create(ctx context.Context, auditRecord models.AuditRecord) (models.AuditRecord, error)
}
type Config ¶
type Config struct {
Enabled bool `yaml:"enabled" mapstructure:"enabled" default:"false"`
Prefix string `yaml:"prefix" mapstructure:"prefix" default:"fpt"`
MaxPerUserPerOrg int64 `yaml:"max_per_user_per_org" mapstructure:"max_per_user_per_org" default:"50"`
MaxLifetime string `yaml:"max_lifetime" mapstructure:"max_lifetime" default:"8760h"`
DefaultLifetime string `yaml:"default_lifetime" mapstructure:"default_lifetime" default:"2160h"`
DeniedPermissions []string `yaml:"denied_permissions" mapstructure:"denied_permissions"`
}
func (Config) DeniedPermissionsSet ¶
DeniedPermissionsSet returns denied permissions as a set for efficient lookups.
type CreateRequest ¶
type OrganizationService ¶
type OrganizationService interface {
GetRaw(ctx context.Context, id string) (organization.Organization, error)
}
type PolicyService ¶
type Repository ¶
type Repository interface {
Create(ctx context.Context, pat models.PAT) (models.PAT, error)
CountActive(ctx context.Context, userID, orgID string) (int64, error)
GetByID(ctx context.Context, id string) (models.PAT, error)
List(ctx context.Context, userID, orgID string, query *rql.Query) (models.PATList, error)
GetBySecretHash(ctx context.Context, secretHash string) (models.PAT, error)
IsTitleAvailable(ctx context.Context, userID, orgID, title string) (bool, error)
UpdateLastUsedAt(ctx context.Context, id string, at time.Time) error
Update(ctx context.Context, pat models.PAT) (models.PAT, error)
Regenerate(ctx context.Context, id, secretHash string, expiresAt time.Time) (models.PAT, error)
Delete(ctx context.Context, id string) error
}
type RoleService ¶
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
func NewService ¶
func NewService(logger log.Logger, repo Repository, config Config, orgService OrganizationService, roleService RoleService, policyService PolicyService, auditRecordRepository AuditRecordRepository) *Service
func (*Service) Create ¶
Create generates a new PAT and returns it with the plaintext value. The plaintext value is only available at creation time.
func (*Service) Delete ¶ added in v0.94.0
Delete soft-deletes the PAT first, then removes its SpiceDB policies. Soft-delete before policy cleanup prevents concurrent Update from re-creating policies for a deleted PAT (TOCTOU mitigation).
func (*Service) Get ¶ added in v0.94.0
Get retrieves a PAT by ID, verifying it belongs to the given user. Returns ErrDisabled if PATs are not enabled, ErrNotFound if the PAT does not exist or belongs to a different user.
func (*Service) IsTitleAvailable ¶ added in v0.94.0
IsTitleAvailable checks if a PAT title is available for the given user and org.
func (*Service) List ¶ added in v0.94.0
func (s *Service) List(ctx context.Context, userID, orgID string, query *rql.Query) (patmodels.PATList, error)
List retrieves all PATs for a user in an org and enriches each with scope fields.
func (*Service) ListAllowedRoles ¶ added in v0.94.0
ListAllowedRoles returns predefined roles that are valid for PAT assignment. It lists platform roles filtered by scopes and removes any role containing a denied permission. If scopes is empty, defaults to org + project scopes. Accepts short aliases (e.g. "project", "org") which are normalized to full namespace form (e.g. "app/project", "app/organization").
func (*Service) Regenerate ¶ added in v0.94.0
func (s *Service) Regenerate(ctx context.Context, userID, id string, newExpiresAt time.Time) (patmodels.PAT, string, error)
Regenerate creates a new secret and updates the expiry for an existing PAT. Scope (roles + projects) and policies are preserved. Expired PATs can be regenerated; if reviving one, checks the active count limit.
type Validator ¶ added in v0.93.2
type Validator struct {
// contains filtered or unexported fields
}
Validator validates PAT values during authentication.
func NewValidator ¶ added in v0.93.2
func NewValidator(logger log.Logger, repo Repository, config Config) *Validator
func (*Validator) Validate ¶ added in v0.93.2
Validate checks a PAT value and returns the corresponding PAT. Returns ErrInvalidPAT if the value doesn't match the configured prefix (allowing the auth chain to fall through to the next authenticator). Returns ErrMalformedPAT, ErrExpired, ErrNotFound, or ErrDisabled for terminal auth failures.
Source Files
Directories