Documentation
¶
Overview ¶
Package keyimpl
Package auth provides authentication and authorization mechanisms for both HTTP and gRPC services.
Index ¶
- type Config
- type Provider
- func (p *Provider) AuthorizeGRPC(ctx context.Context, path, tokenString string) (models.User, error)
- func (p *Provider) AuthorizeHTTP(ctx context.Context, method, path, tokenString string) (models.User, error)
- func (p *Provider) DeserializeJwkSet(serializedJwkSet string) (jwk.Set, error)
- func (p *Provider) FetchJWKSet(ctx context.Context) (jwk.Set, error)
- func (p *Provider) IsSecureEndpoint(rule models.SecureEndpoint) bool
- func (p *Provider) IsUserHaveRoles(roles []string, userRoles []string) bool
- func (p *Provider) KeyFunc(ctx context.Context) jwt.Keyfunc
- func (p *Provider) RegisterEndpoint(rules ...models.EndpointInfo) error
- func (p *Provider) SerializeJwkSet(key jwk.Set) (string, error)
- func (p *Provider) VerifyToken(ctx context.Context, tokenString string) (*jwt.Token, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
    // PublicJWKUri - URI to get the public JWK.
    // Must be set in the configuration (environment variables or file).
    PublicJWKUri string `env:"PUBLIC_JWK_URI" json:"public_jwk_uri" yaml:"public_jwk_uri" validate:"required"`
    // RefreshJWKTimeout - timeout for JWK refresh.
    // If not specified, the default value of 3 hours is used.
    RefreshJWKTimeout time.Duration `env:"REFRESH_JWK_TIMEOUT" json:"refresh_jwk_timeout" yaml:"refresh_jwk_timeout" env-default:"3h"`
    // ClientID - client identifier for authentication.
    // Must be specified in the configuration (environment variables or file).
    ClientID string `env:"CLIENT_ID" json:"client_id" yaml:"client_id" validate:"required"`
}
Config contains the configuration for the authentication provider: the URI of the public JWK set, the refresh timeout for the cached JWK set, and the client ID. PublicJWKUri should point at an HTTPS endpoint, since whoever controls that response decides which tokens verify; and because the JWK set is served from cache until it is refreshed, RefreshJWKTimeout also bounds how long a key the issuer has since retired keeps being accepted.
func LoadConfig ¶
type Provider ¶
type Provider struct {
// contains filtered or unexported fields
}
Provider implements the AuthProvider interface and manages authentication and authorization for both HTTP and gRPC services. It supports role-based access control and maintains a registry of protected endpoints.
func NewGRPCProvider ¶
NewGRPCProvider creates and initializes a new Provider instance configured for gRPC endpoints. It sets up the necessary components for gRPC-specific authentication and authorization.
Parameters:
- config: Configuration settings for the provider
- redis: Redis client for token management
Returns:
- *Provider: A new Provider instance configured for gRPC
Example:
    provider := NewGRPCProvider(config, redisClient)
    if err := provider.RegisterEndpoint(models.EndpointInfo{
        Path:  "/package.service/Method",
        Roles: []string{"admin"},
    }); err != nil {
        log.Fatal(err)
    }
func NewHTTPProvider ¶
NewHTTPProvider creates and initializes a new Provider instance configured for HTTP endpoints. It sets up the necessary components for HTTP-specific authentication and authorization.
Parameters:
- config: Configuration settings for the provider
- redis: Redis client for token management
Returns:
- *Provider: A new Provider instance configured for HTTP
Example:
    provider := NewHTTPProvider(config, redisClient)
    if err := provider.RegisterEndpoint(models.EndpointInfo{
        Method: "GET",
        Path:   "/api/users",
        Roles:  []string{"admin"},
    }); err != nil {
        log.Fatal(err)
    }
func (*Provider) AuthorizeGRPC ¶
func (p *Provider) AuthorizeGRPC(ctx context.Context, path, tokenString string) (models.User, error)
AuthorizeGRPC authorizes the user based on the passed token and endpoint path. It checks the validity of the token and whether the user has the necessary roles for access.
Parameters:
- path: full method path of the protected endpoint (e.g., "/package.service/Method")
- tokenString: the user's JWT token
Returns the user and an error (if any).
func (*Provider) AuthorizeHTTP ¶
func (p *Provider) AuthorizeHTTP(ctx context.Context, method, path, tokenString string) (models.User, error)
AuthorizeHTTP authorizes the user based on the passed token, HTTP method, and endpoint path. It checks the validity of the token and whether the user has the necessary roles for access.
Parameters:
- method: HTTP method (e.g., "GET", "POST", "PUT", "DELETE").
- path: path of the protected endpoint (e.g., "/api/v1/user").
- tokenString: the user's JWT token.
Returns the user and an error (if any).
func (*Provider) DeserializeJwkSet ¶
DeserializeJwkSet deserializes a JSON string back to a JWK Set. In case of an error, returns nil and an error.
func (*Provider) FetchJWKSet ¶
FetchJWKSet retrieves the JWK (JSON Web Key) set from the Redis cache or requests it from a remote server. If the JWK is already in the cache, it is deserialized and returned. If the JWK is not in the cache, it is loaded from the remote server and then stored in the cache for future requests.
func (*Provider) IsSecureEndpoint ¶
func (p *Provider) IsSecureEndpoint(rule models.SecureEndpoint) bool
IsSecureEndpoint checks whether the provided endpoint (path and method) is registered as a secure endpoint by looking it up in the secureEndpoints map. The lookup key depends on the provider type: HTTP providers key on the combination of path and method, gRPC providers on the path alone.
Parameters:
- rule: models.SecureEndpoint describing the endpoint: its path and, for HTTP providers, its method, together with any associated roles.
Returns:
- true if the endpoint is registered as secure, false otherwise.
func (*Provider) IsUserHaveRoles ¶
IsUserHaveRoles checks whether the user has at least one of the required roles, i.e. whether roles and userRoles share any element.
func (*Provider) KeyFunc ¶
KeyFunc returns a jwt.Keyfunc, the callback a JWT parser invokes to obtain the public key for signature verification. The returned function gets the JWK Set, looks up the key whose ID matches the token's kid header, and returns it. When wiring it into a parser, also restrict the accepted signing methods to the algorithms those keys are for, so a token whose header claims a different algorithm (an HMAC alg, or "none") is rejected rather than verified with the wrong key type.
func (*Provider) RegisterEndpoint ¶
func (p *Provider) RegisterEndpoint(rules ...models.EndpointInfo) error
RegisterEndpoint registers one or more secure endpoints, each with the roles allowed to call it. For HTTP providers a rule is identified by its method and path, for gRPC providers by its path alone (the same keys IsSecureEndpoint looks up). Returns an error if a rule cannot be registered.
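To make the lookup rules concrete, here is an added stand-alone sketch (example code, not the package's models or Provider types) of the registry that IsSecureEndpoint, IsUserHaveRoles and RegisterEndpoint are documented to operate on, plus the role half of AuthorizeHTTP/AuthorizeGRPC once the token has already been verified. The EndpointInfo struct, the Registry type, the space separator in the HTTP key, exact (case-sensitive) method matching, and the fail-closed rejection of rules without roles are this example's assumptions, not documented behaviour.

```go
package main

import (
	"errors"
	"fmt"
)

// EndpointInfo mirrors what RegisterEndpoint is documented to take: a path, a method (HTTP only)
// and the roles allowed to call it. Illustrative stand-in, not the models package.
type EndpointInfo struct {
	Method string
	Path   string
	Roles  []string
}

// Registry is a toy version of the documented secureEndpoints map.
type Registry struct {
	grpc      bool
	endpoints map[string][]string // lookup key -> roles allowed
}

func NewRegistry(grpc bool) *Registry {
	return &Registry{grpc: grpc, endpoints: map[string][]string{}}
}

// key follows the documented rule: HTTP keys on method+path, gRPC on path alone.
// HTTP method names are case-sensitive (RFC 9110), so register "GET", not "get".
func (r *Registry) key(method, path string) string {
	if r.grpc {
		return path
	}
	return method + " " + path
}

// Register fails closed (an assumption of this example): a rule with no roles would protect nothing.
func (r *Registry) Register(rules ...EndpointInfo) error {
	for _, rule := range rules {
		switch {
		case rule.Path == "":
			return errors.New("endpoint path must not be empty")
		case !r.grpc && rule.Method == "":
			return fmt.Errorf("HTTP endpoint %q needs a method", rule.Path)
		case len(rule.Roles) == 0:
			return fmt.Errorf("endpoint %q registered without roles", rule.Path)
		}
		r.endpoints[r.key(rule.Method, rule.Path)] = rule.Roles
	}
	return nil
}

// IsSecureEndpoint reports whether the (method, path) pair is registered as protected.
func (r *Registry) IsSecureEndpoint(method, path string) bool {
	_, ok := r.endpoints[r.key(method, path)]
	return ok
}

// IsUserHaveRoles is true when the user holds at least one of the required roles.
func IsUserHaveRoles(required, userRoles []string) bool {
	have := make(map[string]struct{}, len(userRoles))
	for _, role := range userRoles {
		have[role] = struct{}{}
	}
	for _, role := range required {
		if _, ok := have[role]; ok {
			return true
		}
	}
	return false
}

var ErrForbidden = errors.New("forbidden: none of the required roles present")

// Authorize is the role half of AuthorizeHTTP/AuthorizeGRPC; token verification is assumed to
// have already produced userRoles. Unregistered endpoints pass with no role check in this toy;
// the docs do not say what the real provider does there, so register every sensitive route.
func (r *Registry) Authorize(method, path string, userRoles []string) error {
	required, ok := r.endpoints[r.key(method, path)]
	if !ok {
		return nil
	}
	if !IsUserHaveRoles(required, userRoles) {
		return ErrForbidden
	}
	return nil
}

func main() {
	httpReg := NewRegistry(false)
	_ = httpReg.Register(EndpointInfo{Method: "GET", Path: "/api/users", Roles: []string{"admin"}})
	fmt.Println(httpReg.Authorize("GET", "/api/users", []string{"viewer"}))          // forbidden
	fmt.Println(httpReg.Authorize("GET", "/api/users", []string{"viewer", "admin"})) // <nil>
	grpcReg := NewRegistry(true)
	_ = grpcReg.Register(EndpointInfo{Path: "/package.service/Method", Roles: []string{"admin"}})
	fmt.Println(grpcReg.IsSecureEndpoint("", "/package.service/Method")) // true
}
```

The point to take from the two key shapes: on an HTTP provider a rule for GET /api/users says nothing about POST /api/users, so each method that needs protection must be registered separately, while on a gRPC provider the full method path is the whole identity.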
func (*Provider) SerializeJwkSet ¶
SerializeJwkSet serializes a JWK Set into a JSON string.
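As an added, self-contained illustration (not the package's code) of the pieces described under DeserializeJwkSet, FetchJWKSet, KeyFunc and SerializeJwkSet: a JWK set is published by the issuer, cached in serialized form, read back, and the verification key is chosen by the token's kid. This version uses only the Go standard library with Ed25519 keys (RFC 8037 "OKP" JWKs); the provider's actual key type, the function names, the cache stand-in (a byte slice in place of Redis), and the sample token are all assumptions of this example. The alg pinning inside KeyFunc is the check a practitioner wants at this point.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// JWK holds the Ed25519 public-key members of RFC 8037; a JWKSet's JSON form is what the cache stores.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
}

type JWKSet struct{ Keys []JWK `json:"keys"` }

// PublicKey rebuilds the Go key from the JWK; any other key type, curve or size is refused.
func (k JWK) PublicKey() (ed25519.PublicKey, error) {
	x, err := b64.DecodeString(k.X)
	if k.Kty != "OKP" || k.Crv != "Ed25519" || err != nil || len(x) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("key %q is not a well-formed Ed25519 JWK", k.Kid)
	}
	return ed25519.PublicKey(x), nil
}

// KeyFunc selects the key by the token's kid, as the documented KeyFunc does, and also pins alg
// to EdDSA so a header claiming "none" or "HS256" never reaches the signature check.
func KeyFunc(set *JWKSet) func(header map[string]any) (ed25519.PublicKey, error) {
	return func(header map[string]any) (ed25519.PublicKey, error) {
		if alg, _ := header["alg"].(string); alg != "EdDSA" {
			return nil, fmt.Errorf("rejected alg %q", alg)
		}
		kid, _ := header["kid"].(string)
		for _, k := range set.Keys {
			if kid != "" && k.Kid == kid {
				return k.PublicKey()
			}
		}
		return nil, fmt.Errorf("no key with kid %q", kid)
	}
}

func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyToken checks a compact JWS signature through keyFunc and returns the claims; exp/nbf/aud/iss validation is a separate step.
func VerifyToken(token string, keyFunc func(map[string]any) (ed25519.PublicKey, error)) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var header, claims map[string]any
	if len(parts) != 3 || decodeSegment(parts[0], &header) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	pub, err := keyFunc(header)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("bad signature for kid %v", header["kid"])
	}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// SignToken exists only so the example can mint a token offline; in production the identity
// provider that publishes the JWK set does the signing.
func SignToken(priv ed25519.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	set := &JWKSet{Keys: []JWK{{Kty: "OKP", Crv: "Ed25519", Kid: "k1", X: b64.EncodeToString(pub)}}}
	cached, _ := json.Marshal(set) // what the Redis cache would hold ...
	_ = json.Unmarshal(cached, set) // ... and what the next request reads back
	tok, _ := SignToken(priv, "k1", map[string]any{"sub": "alice", "roles": []any{"admin"}})
	fmt.Println(VerifyToken(tok, KeyFunc(set)))
}
```

Two things this makes visible that the prose above does not: a token with a kid that is not in the cached set fails closed instead of triggering a lookup, so a freshly rotated issuer key is only trusted after the cache refreshes; and the alg check happens before any key material is used, which is what stops an attacker from downgrading the header to "none" or to an HMAC algorithm keyed with the public key.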