Documentation
Overview
Package auth authenticates a request into an authz.Principal. It compiles the configured principals and credentials once (auth.New) and exposes a per-listener Middleware that, for each request, tries the methods that listener accepts and attaches the resulting principal (or the anonymous one) to the request context; the HTTP handler then enforces the required capability via authz.Policy.
Methods: no-auth (anonymous), Unix-socket peer credentials, bearer token, HTTP basic password, mTLS client certificate, and an ed25519 challenge/response that reuses crypto/keyring's signer verification, so the same key that opens a vault can also serve as the network principal.
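The request flow described above, as an added illustration that is not this package's code: a listener's accepted method list is tried in order, a request with no matching credential falls back to the anonymous principal, and the handler checks a capability against the principal it finds. Principal, Method, BearerMethod, Authenticate and Allowed are stand-ins for the real auth/authz types, and the token directory is constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"strings"
)

// Principal stands in for authz.Principal: a name plus the capabilities it holds.
type Principal struct {
	Name string
	Caps map[string]bool
}

// Anonymous is admitted when the listener's auth list is empty or nothing matches.
var Anonymous = Principal{Name: "anonymous", Caps: map[string]bool{}}

// Method is one auth method a listener accepts; ok is false when the request
// carries no credential for it, so the next method in the list gets a turn.
type Method func(r *http.Request) (p Principal, ok bool)

// BearerMethod checks the Authorization bearer token against a token directory
// compiled once at startup (token -> principal; constructed for this example).
func BearerMethod(tokens map[string]Principal) Method {
	return func(r *http.Request) (Principal, bool) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || len(h) == len("Bearer ") {
			return Principal{}, false // no bearer credential presented
		}
		presented := []byte(h[len("Bearer "):])
		for known, p := range tokens { // constant-time compare per candidate
			if subtle.ConstantTimeCompare([]byte(known), presented) == 1 {
				return p, true
			}
		}
		return Principal{}, false // token presented but unknown
	}
}

// Authenticate tries the accepted methods in order; an empty list admits Anonymous.
func Authenticate(accepted []Method, r *http.Request) Principal {
	for _, m := range accepted {
		if p, ok := m(r); ok {
			return p
		}
	}
	return Anonymous
}
// Allowed is the handler-side policy check: the principal must hold the capability.
func Allowed(p Principal, capability string) bool { return p.Caps[capability] }
```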
Types
type Authenticator
type Authenticator struct {
// contains filtered or unexported fields
}
Authenticator holds the compiled credential directory shared by every listener's Middleware. Its maps are read-only after New, so it is safe for concurrent use.
func New
New compiles the configured principals and credentials into an Authenticator. Secret references in credential parameters are resolved eagerly here, so a broken reference fails at startup, not on the first request.
func (*Authenticator) Middleware
func (a *Authenticator) Middleware(lc config.Listener, log *slog.Logger) *Middleware
Middleware builds the per-listener request wrapper. An empty auth list admits the anonymous principal (the pre-auth bind-to-localhost behavior).
type Middleware
type Middleware struct {
// contains filtered or unexported fields
}
Middleware authenticates each request on one listener and attaches the principal to the context.