auth

package v0.5.3

Warning: This package is not in the latest version of its module.

Published: Jul 4, 2026 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Overview

Package auth authenticates a request into an authz.Principal. It compiles the configured principals + credentials once (auth.New) and exposes a per-listener Middleware that, for each request, tries the methods that listener accepts and attaches the resulting principal (or the anonymous one) to the request context; the HTTP handler then enforces the capability via authz.Policy.

Methods: no-auth (anonymous), Unix-socket peer credentials, bearer token, HTTP-basic password, mTLS client certificate, and an ed25519 challenge/response reusing crypto/keyring's signer verification — so the same key that opens a vault can be the network principal.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewConnContext

func NewConnContext(ctx context.Context, c net.Conn) context.Context

NewConnContext returns a context that carries c, for http.Server.ConnContext.

Types

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator holds the compiled credential directory shared by every listener's Middleware. Its maps are read-only after New, so it is safe for concurrent use.

func New

func New(cfg *config.Config, sec secret.Resolver, log *slog.Logger) (*Authenticator, error)

New compiles the configured principals and credentials into an Authenticator. Secret references in credential parameters are resolved eagerly here, so a broken reference fails at startup, not on the first request.

func (*Authenticator) Middleware

func (a *Authenticator) Middleware(lc config.Listener, log *slog.Logger) *Middleware

Middleware builds the per-listener request wrapper. An empty auth list admits the anonymous principal (the pre-auth bind-to-localhost behavior).

type Middleware

type Middleware struct {
	// contains filtered or unexported fields
}

Middleware authenticates each request on one listener and attaches the principal to the context.

func (*Middleware) Wrap

func (m *Middleware) Wrap(next http.Handler) http.Handler

Wrap returns next wrapped with authentication. /_auth/challenge (the challenge/response nonce endpoint) and /_health are public; everything else authenticates and attaches the principal.
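The contract described above (per-listener accepted methods, public /_auth/challenge and /_health, anonymous principal when the auth list is empty, principal attached to the request context for authz.Policy to enforce) as an added, self-contained sketch; this is not the package's own code. It assumes a minimal Principal type in place of authz.Principal, implements only the bearer method, and assumes that a request presenting no credential is passed through as anonymous while a presented credential that no accepted method recognises is rejected.

```go
package main

import (
	"context"
	"crypto/subtle"
	"net/http"
	"strings"
)

// Principal stands in for authz.Principal (assumed shape, not the real type).
type Principal struct{ Name string }
var anonymous = Principal{Name: "anonymous"}
type principalKey struct{}
// PrincipalFrom returns the principal Wrap attached, or the anonymous one.
func PrincipalFrom(ctx context.Context) Principal {
	if p, ok := ctx.Value(principalKey{}).(Principal); ok {
		return p
	}
	return anonymous
}
// Listener: one listener's accepted methods (only "bearer" here) and its token directory.
type Listener struct {
	Methods map[string]bool
	Tokens  map[string]string // bearer token -> principal name, compiled once, read-only
}

// Wrap: /_auth/challenge and /_health are public; an empty method list or no credential
// yields the anonymous principal (authz.Policy decides); an unrecognised credential is rejected.
func (l Listener) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, hdr := anonymous, r.Header.Get("Authorization")
		public := r.URL.Path == "/_auth/challenge" || r.URL.Path == "/_health"
		if !public && len(l.Methods) > 0 && hdr != "" {
			p = Principal{} // a presented credential must be recognised
			if l.Methods["bearer"] && strings.HasPrefix(hdr, "Bearer ") {
				tok := []byte(strings.TrimPrefix(hdr, "Bearer "))
				for want, name := range l.Tokens { // scan every entry, constant-time each
					if subtle.ConstantTimeCompare(tok, []byte(want)) == 1 {
						p = Principal{Name: name}
					}
				}
			}
			if p.Name == "" {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), principalKey{}, p)))
	})
}
```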
