Documentation
¶
Index ¶
- Constants
- Variables
- func GenerateSecretKeyBase62(length int) (string, error)
- func NewAppContext(ctx context.Context, av AppValidator) context.Context
- func NewError(msg string) error
- func NewGrpcAppCredential(ak *AccessKey) credentials.PerRPCCredentials
- func ProtoEqual(obj1, obj2 proto.Message) bool
- func RandHexString(n int) string
- func Sign(header TokenHeader, claims any, key any) (string, error)
- type AccessKey
- func (it *AccessKey) Allow(scopes ...string) bool
- func (*AccessKey) Descriptor() ([]byte, []int)deprecated
- func (it *AccessKey) Export() string
- func (x *AccessKey) GetDescription() string
- func (x *AccessKey) GetId() string
- func (x *AccessKey) GetRoles() []string
- func (x *AccessKey) GetScopes() []string
- func (x *AccessKey) GetSecret() string
- func (x *AccessKey) GetState() string
- func (x *AccessKey) GetType() string
- func (x *AccessKey) GetUser() string
- func (*AccessKey) ProtoMessage()
- func (x *AccessKey) ProtoReflect() protoreflect.Message
- func (x *AccessKey) Reset()
- func (x *AccessKey) String() string
- type AccessKeyManager
- func (it *AccessKeyManager) Count() int
- func (it *AccessKeyManager) Del(id string) error
- func (it *AccessKeyManager) Key(id string) *AccessKey
- func (it *AccessKeyManager) RandKey() *AccessKey
- func (it *AccessKeyManager) Set(k *AccessKey) error
- func (it *AccessKeyManager) SetRole(r *Role) *AccessKeyManager
- type AccessToken
- type AppCredential
- type AppValidator
- type AuthClaims
- type Error
- type IdentityToken
- type Role
- func (*Role) Descriptor() ([]byte, []int)deprecated
- func (x *Role) GetDescription() string
- func (x *Role) GetName() string
- func (x *Role) GetPermissions() []string
- func (x *Role) GetState() string
- func (x *Role) GetTitle() string
- func (*Role) ProtoMessage()
- func (x *Role) ProtoReflect() protoreflect.Message
- func (x *Role) Reset()
- func (x *Role) String() string
- type ServiceStatus
- type SessionManager
- type SessionToken
- type Signer
- type SignerManager
- type TokenHeader
Constants ¶
const ( AccessKey_State_Active = "active" AccessKey_State_Disable = "disable" )
const (
AppHttpHeaderKey = "x-inauth2"
)
Variables ¶
var ( ErrInvalidAccessToken = NewError("invalid access token") ErrInvalidIdentityToken = NewError("invalid identity token") ErrInvalidAppCredential = NewError("invalid app credential") ErrInvalidAppValidator = NewError("invalid app validator") ErrInvalidUserValidator = NewError("invalid user validator") )
var DefaultSigner = &hmacSigner{"HS256", crypto.SHA256}
var File_inauth_proto protoreflect.FileDescriptor
var Signers = SignerManager{ // contains filtered or unexported fields }
Functions ¶
func GenerateSecretKeyBase62 ¶
GenerateSecretKeyBase62 generates a cryptographically random key composed entirely of base62 characters (0-9, a-z, A-Z), producing a URL-safe, human-friendly identifier of the specified length.
To ensure uniform distribution and eliminate modulo bias, only random bytes in the range [0, maxValidByte) are accepted. Since 256 % 62 = 8, the maximum valid byte value is 248, guaranteeing that each of the 62 characters has an exactly equal probability of being selected.
An over-allocated random buffer (length/10 + 1 extra bytes) is used per iteration to minimize the number of syscalls to crypto/rand, as roughly 256-248 = 3.1% of random bytes will be rejected.
func NewAppContext ¶
func NewAppContext(ctx context.Context, av AppValidator) context.Context
func NewGrpcAppCredential ¶
func NewGrpcAppCredential(ak *AccessKey) credentials.PerRPCCredentials
func ProtoEqual ¶
func RandHexString ¶
RandHexString generates a cryptographically random hexadecimal string using crypto/rand. The returned string length is n*2 characters (2 hex chars per byte).
Returns an empty string if the random source fails (should be exceedingly rare).
Types ¶
type AccessKey ¶
type AccessKey struct {
// Unique identifier for this access key.
// Generated as a semi-sequential hex string (e.g., "67f3a1b2c3d4e5f6").
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" toml:"id,omitempty"`
// The secret key used to sign AccessToken payloads.
// Generated as a 48-character base62 string. Must be kept confidential.
Secret string `protobuf:"bytes,2,opt,name=secret,proto3" json:"secret,omitempty" toml:"secret,omitempty"`
// The user or service principal this key belongs to.
User string `protobuf:"bytes,3,opt,name=user,proto3" json:"user,omitempty" toml:"user,omitempty"`
// The type of credential. Accepted values:
// - "User": human user access key (created via NewUserAccessKey).
// - "App": machine/service access key (created via NewAppAccessKey).
//
// The type affects token validation; for example, "App" tokens enforce
// a strict 60-second issued-at (iat) window to prevent replay attacks.
Type string `protobuf:"bytes,4,opt,name=type,proto3" json:"type,omitempty" toml:"type,omitempty"`
// The lifecycle state of this access key (e.g., "active", "disabled").
State string `protobuf:"bytes,5,opt,name=state,proto3" json:"state,omitempty" toml:"state,omitempty"`
// The names of RBAC roles assigned to this key. Role definitions are
// registered separately via AccessKeyManager.SetRole() and map to a
// set of permissions.
Roles []string `protobuf:"bytes,6,rep,name=roles,proto3" json:"roles,omitempty" toml:"roles,omitempty"`
// Fine-grained permission scopes granted to this key. Scopes are checked
// via the Allow() method, which requires ALL specified scopes to be present.
// Example scopes might include resource-level or action-level identifiers.
Scopes []string `protobuf:"bytes,11,rep,name=scopes,proto3" json:"scopes,omitempty" toml:"scopes,omitempty"`
// Optional. A human-readable description of this access key's purpose.
Description string `protobuf:"bytes,13,opt,name=description,proto3" json:"description,omitempty" toml:"description,omitempty"`
// contains filtered or unexported fields
}
AccessKey represents a long-lived credential used to authenticate and authorize API requests. Each key consists of a publicly visible ID and a secret that must be kept confidential.
AccessKeys are managed by AccessKeyManager and can be of two types:
- "User": represents a human user credential.
- "App": represents a machine/service credential used for programmatic access (e.g., gRPC calls between internal services).
Authentication flow:
- The client presents an AccessToken (signed with the AccessKey secret).
- The server resolves the AccessKey by ID from AccessKeyManager.
- The token signature is verified against the key's secret.
- Authorization is checked via roles, permissions, and scopes.
func NewAccessKey ¶
func NewAccessKey() *AccessKey
func NewAppAccessKey ¶
func NewAppAccessKey() *AccessKey
func NewUserAccessKey ¶
func NewUserAccessKey() *AccessKey
func ParseAccessKey ¶
func (*AccessKey) Descriptor
deprecated
func (*AccessKey) GetDescription ¶
func (*AccessKey) ProtoMessage ¶
func (*AccessKey) ProtoMessage()
func (*AccessKey) ProtoReflect ¶
func (x *AccessKey) ProtoReflect() protoreflect.Message
type AccessKeyManager ¶
type AccessKeyManager struct {
// contains filtered or unexported fields
}
func NewAccessKeyManager ¶
func NewAccessKeyManager() *AccessKeyManager
func (*AccessKeyManager) Count ¶
func (it *AccessKeyManager) Count() int
func (*AccessKeyManager) Del ¶
func (it *AccessKeyManager) Del(id string) error
func (*AccessKeyManager) Key ¶
func (it *AccessKeyManager) Key(id string) *AccessKey
func (*AccessKeyManager) RandKey ¶
func (it *AccessKeyManager) RandKey() *AccessKey
func (*AccessKeyManager) Set ¶
func (it *AccessKeyManager) Set(k *AccessKey) error
func (*AccessKeyManager) SetRole ¶
func (it *AccessKeyManager) SetRole(r *Role) *AccessKeyManager
type AccessToken ¶
type AccessToken struct {
Header TokenHeader
Claims AuthClaims
// contains filtered or unexported fields
}
func NewAccessToken ¶
func NewAccessToken() *AccessToken
func ParseAccessToken ¶
func ParseAccessToken(accessToken string) (*AccessToken, error)
func ParseAccessTokenWithContext ¶
func ParseAccessTokenWithContext(ctx context.Context) (*AccessToken, error)
func ParseAccessTokenWithHttpRequest ¶
func ParseAccessTokenWithHttpRequest(req *http.Request) (*AccessToken, error)
func (*AccessToken) IsExpired ¶
func (it *AccessToken) IsExpired() bool
func (*AccessToken) SignToken ¶
func (it *AccessToken) SignToken(keyMgr *AccessKeyManager) (string, error)
func (*AccessToken) String ¶
func (it *AccessToken) String() string
func (*AccessToken) Verify ¶
func (it *AccessToken) Verify(keyMgr *AccessKeyManager) (*AccessKey, error)
type AppCredential ¶
type AppCredential interface {
AuthToken() string
}
func NewAppCredential ¶
func NewAppCredential(ak *AccessKey, args ...any) AppCredential
type AppValidator ¶
type AppValidator interface {
Verify(keyMgr *AccessKeyManager) error
AccessKey() *AccessKey
Allow(scopes ...string) bool
}
func AppContext ¶
func AppContext(ctx context.Context) AppValidator
func NewAppValidator ¶
func NewAppValidator(token string) (AppValidator, error)
func NewGrpcAppValidator ¶
func NewGrpcAppValidator(ctx context.Context, keyMgr *AccessKeyManager) (AppValidator, error)
type AuthClaims ¶
type AuthClaims struct {
// JWT ID
Jti string `json:"jti,omitempty" toml:"jti,omitempty"`
// Issued At Time
Iat int64 `json:"iat" toml:"iat"`
// Expire time
Exp int64 `json:"exp" toml:"exp"`
// user id
Sub string `json:"sub,omitempty" toml:"sub,omitempty"`
State string `json:"state,omitempty" toml:"state,omitempty"`
}
type IdentityToken ¶
type IdentityToken struct {
Roles []string `json:"roles,omitempty" toml:"roles,omitempty"`
Groups []string `json:"groups,omitempty" toml:"groups,omitempty"`
Scopes []string `json:"scopes,omitempty" toml:"scopes,omitempty"`
Permissions []string `json:"permissions,omitempty" toml:"permissions,omitempty"`
}
type Role ¶
type Role struct {
// The unique name identifier of the role (e.g., "admin", "viewer").
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty" toml:"name,omitempty"`
// Optional. A human-readable title for the role. Typically this
// is limited to 100 UTF-8 bytes.
Title string `protobuf:"bytes,2,opt,name=title,proto3" json:"title,omitempty" toml:"title,omitempty"`
// Optional. A human-readable description for the role.
Description string `protobuf:"bytes,3,opt,name=description,proto3" json:"description,omitempty" toml:"description,omitempty"`
// The names of the permissions this role grants when bound to an
// AccessKey. Permissions are stored as a set within AccessKeyManager
// for efficient lookup.
Permissions []string `protobuf:"bytes,7,rep,name=permissions,proto3" json:"permissions,omitempty" toml:"permissions,omitempty"`
// The lifecycle state of the role (e.g., "active", "disabled").
State string `protobuf:"bytes,10,opt,name=state,proto3" json:"state,omitempty" toml:"state,omitempty"`
// contains filtered or unexported fields
}
Role defines a named collection of permissions in the RBAC (Role-Based Access Control) system. Roles are registered with AccessKeyManager and then referenced by name from AccessKey.roles.
Permission resolution flow:
AccessKey.roles → Role lookup → Role.permissions
func (*Role) Descriptor
deprecated
func (*Role) GetDescription ¶
func (*Role) GetPermissions ¶
func (*Role) ProtoMessage ¶
func (*Role) ProtoMessage()
func (*Role) ProtoReflect ¶
func (x *Role) ProtoReflect() protoreflect.Message
type ServiceStatus ¶
type ServiceStatus struct {
Code string `json:"code,omitempty" toml:"code,omitempty"`
Message string `json:"message,omitempty" toml:"message,omitempty"`
}
func NewServiceStatus ¶
func NewServiceStatus(code, message string) ServiceStatus
type SessionManager ¶
type SessionManager interface {
IsLogin(accessToken string) (*AccessToken, error)
Token(jti string) *SessionToken
RefreshToken(accessToken string, token *IdentityToken) (*SessionToken, error)
}
type SessionToken ¶
type SessionToken struct {
AccessToken *AccessToken `json:"access_token" toml:"access_token"`
IdentityToken *IdentityToken `json:"identity_token" toml:"identity_token"`
}
type SignerManager ¶
type SignerManager struct {
// contains filtered or unexported fields
}
func (*SignerManager) Register ¶
func (it *SignerManager) Register(s Signer)
func (*SignerManager) Signer ¶
func (it *SignerManager) Signer(name string) Signer