rpcauth

package
v1.36.5-20250210034820... Latest Latest
Warning

This package is not in the latest version of its module.

Published: unknown License: MIT Imports: 5 Imported by: 0

Documentation

Index

Constants

// RateRule_Algorithm_not_set_case is the case_RateRule_Algorithm value 0.
// Presumably this is what RateRule.WhichAlgorithm reports when no algorithm
// has been assigned — confirm. This page does not say what a limiter does
// with a RateRule in that state.
const RateRule_Algorithm_not_set_case case_RateRule_Algorithm = 0
// RateRule_LeakyBucket_case is the case_RateRule_Algorithm value 3, the same
// number as the proto field number of RateRule's leaky_bucket oneof member.
const RateRule_LeakyBucket_case case_RateRule_Algorithm = 3

Variables

// AuthType_name maps each AuthType number to its proto enum name, and
// AuthType_value is the inverse lookup from name to number.
//
// NOTE(review): indexing AuthType_value with a name that is not in the map
// yields 0, which is also the number of AUTH_UNSPECIFIED. When the name comes
// from configuration or other external input, use the two-value form
// (v, ok := AuthType_value[name]) so an unknown name is rejected instead of
// being read as "unspecified".
var (
	AuthType_name = map[int32]string{
		0: "AUTH_UNSPECIFIED",
		1: "PUBLIC",
		2: "REQUIRED",
	}
	AuthType_value = map[string]int32{
		"AUTH_UNSPECIFIED": 0,
		"PUBLIC":           1,
		"REQUIRED":         2,
	}
)

Enum value maps for AuthType.

// RateKeyType_name maps each RateKeyType number to its proto enum name, and
// RateKeyType_value is the inverse lookup from name to number.
//
// NOTE(review): a name missing from RateKeyType_value reads as 0
// (LIMIT_UNSPECIFIED) on a plain map index; check the ok result when the name
// is not a compile-time constant.
var (
	RateKeyType_name = map[int32]string{
		0: "LIMIT_UNSPECIFIED",
		1: "IP",
		2: "USER",
		3: "API_KEY",
		4: "GLOBAL",
	}
	RateKeyType_value = map[string]int32{
		"LIMIT_UNSPECIFIED": 0,
		"IP":                1,
		"USER":              2,
		"API_KEY":           3,
		"GLOBAL":            4,
	}
)

Enum value maps for RateKeyType.

// PrivacyType_name maps each PrivacyType number to its proto enum name, and
// PrivacyType_value is the inverse lookup from name to number.
//
// NOTE(review): a name missing from PrivacyType_value reads as 0
// (PRIVACY_UNSPECIFIED) on a plain map index; check the ok result so a
// misspelled "OMIT" or "REDACT" is reported rather than silently downgraded.
var (
	PrivacyType_name = map[int32]string{
		0: "PRIVACY_UNSPECIFIED",
		1: "VISIBLE",
		2: "OMIT",
		3: "REDACT",
	}
	PrivacyType_value = map[string]int32{
		"PRIVACY_UNSPECIFIED": 0,
		"VISIBLE":             1,
		"OMIT":                2,
		"REDACT":              3,
	}
)

Enum value maps for PrivacyType.

// E_Field is the extension on descriptorpb.FieldOptions (field number 1302)
// that carries an rpcauth.PrivacyRule.
//
// NOTE(review): the option is descriptor metadata only, and this package
// lists no functions, so omission or redaction happens only where a consumer
// reads the option and applies it. Confirm every response path (including
// logs and error payloads) goes through that consumer.
var (
	// Controls field visibility and access requirements.
	//
	// optional rpcauth.PrivacyRule field = 1302;
	E_Field = &file_rpcauth_auth_proto_extTypes[2]
)

Extension fields to descriptorpb.FieldOptions.

// E_Method is the extension on descriptorpb.MethodOptions (field number 1301)
// that carries an rpcauth.AuthRule for a single RPC method.
//
// NOTE(review): how a method-level rule combines with a service-level rule
// (override vs. merge) is not stated on this page. Confirm a method-level
// rule cannot unintentionally weaken a service-wide REQUIRED.
var (
	// optional rpcauth.AuthRule method = 1301;
	E_Method = &file_rpcauth_auth_proto_extTypes[1]
)

Extension fields to descriptorpb.MethodOptions.

// E_Service is the extension on descriptorpb.ServiceOptions (field number
// 1300) that carries an rpcauth.AuthRule for a whole service.
//
// NOTE(review): what applies to a method when neither the service nor the
// method carries a rule is not stated on this page. Confirm the enforcing
// layer denies by default.
var (
	// optional rpcauth.AuthRule service = 1300;
	E_Service = &file_rpcauth_auth_proto_extTypes[0]
)

Extension fields to descriptorpb.ServiceOptions.

// File_rpcauth_auth_proto is the protoreflect.FileDescriptor for this
// package's proto file (presumably rpcauth/auth.proto, going by the
// identifier — confirm).
var File_rpcauth_auth_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type AuthRule

// AuthRule combines authentication, access rules, and rate limiting for
// controlling access to services and methods.
type AuthRule struct {

	// Determines if authentication is required or optional.
	//
	// Who are you?
	//
	// NOTE(review): the zero value is AuthType_AUTH_UNSPECIFIED. This page does
	// not say how an enforcing layer treats it; confirm it fails closed (denied
	// or handled as REQUIRED) and is never handled as PUBLIC.
	Auth AuthType `protobuf:"varint,1,opt,name=auth,proto3,enum=rpcauth.AuthType" json:"auth,omitempty"`
	// Specifies role-based access control rules using Hybrid RBAC (roles and permissions).
	//
	// List of rule sets, where any single rule set grants access (OR relationship). Access is granted
	// if ANY rule set passes. This allows for different combinations of roles/permissions that can
	// grant access.
	//
	// What can you do?
	//
	// NOTE(review): the meaning of an empty list is not stated here. Confirm
	// whether it means "no role/permission restriction" or "deny", and that a
	// rule set with no roles and no permissions does not count as passing.
	Access []*RuleSet `protobuf:"bytes,2,rep,name=access,proto3" json:"access,omitempty"`
	// Defines rate limiting parameters.
	//
	// How often can you do it?
	//
	// NOTE(review): optional (see HasRate/ClearRate). Presumably no limit
	// applies when unset — confirm, and check that authentication-related and
	// expensive methods carry an explicit rule.
	Rate *RateRule `protobuf:"bytes,3,opt,name=rate,proto3" json:"rate,omitempty"`
	// contains filtered or unexported fields
}

Combines authentication, access rules, and rate limiting for controlling access to services and methods.

func (*AuthRule) ClearRate

func (x *AuthRule) ClearRate()

func (*AuthRule) GetAccess

func (x *AuthRule) GetAccess() []*RuleSet

func (*AuthRule) GetAuth

func (x *AuthRule) GetAuth() AuthType

func (*AuthRule) GetRate

func (x *AuthRule) GetRate() *RateRule

func (*AuthRule) HasRate

func (x *AuthRule) HasRate() bool

func (*AuthRule) ProtoMessage

func (*AuthRule) ProtoMessage()

func (*AuthRule) ProtoReflect

func (x *AuthRule) ProtoReflect() protoreflect.Message

func (*AuthRule) Reset

func (x *AuthRule) Reset()

func (*AuthRule) SetAccess

func (x *AuthRule) SetAccess(v []*RuleSet)

func (*AuthRule) SetAuth

func (x *AuthRule) SetAuth(v AuthType)

func (*AuthRule) SetRate

func (x *AuthRule) SetRate(v *RateRule)

func (*AuthRule) String

func (x *AuthRule) String() string

type AuthRule_builder

// AuthRule_builder holds the same three settings as AuthRule; its Build
// method returns an *AuthRule.
//
// NOTE(review): a literal that omits Auth leaves it at the zero value,
// AuthType_AUTH_UNSPECIFIED (0), so the built rule presumably has unspecified
// auth — set Auth explicitly.
type AuthRule_builder struct {

	// Determines if authentication is required or optional.
	//
	// Who are you?
	Auth AuthType
	// Specifies role-based access control rules using Hybrid RBAC (roles and permissions).
	//
	// List of rule sets, where any single rule set grants access (OR relationship). Access is granted
	// if ANY rule set passes. This allows for different combinations of roles/permissions that can
	// grant access.
	//
	// What can you do?
	Access []*RuleSet
	// Defines rate limiting parameters.
	//
	// How often can you do it?
	Rate *RateRule
	// contains filtered or unexported fields
}

func (AuthRule_builder) Build

func (b0 AuthRule_builder) Build() *AuthRule

type AuthType

// AuthType is the authentication type for a service or method.
type AuthType int32

Authentication type for a service or method.

// Values of AuthType.
const (
	// Zero value, i.e. what a rule holds when auth was never set.
	// NOTE(review): its enforcement meaning is not documented on this page;
	// consumers should fail closed on it rather than fall through to PUBLIC.
	AuthType_AUTH_UNSPECIFIED AuthType = 0
	// Public endpoint, no authentication required.
	AuthType_PUBLIC AuthType = 1
	// Authentication required to access endpoint.
	AuthType_REQUIRED AuthType = 2
)

func (AuthType) Descriptor

func (AuthType) Descriptor() protoreflect.EnumDescriptor

func (AuthType) Enum

func (x AuthType) Enum() *AuthType

func (AuthType) Number

func (x AuthType) Number() protoreflect.EnumNumber

func (AuthType) String

func (x AuthType) String() string

func (AuthType) Type

type LeakyBucket

// LeakyBucket is the leaky bucket rate limiting configuration: a bucket that
// holds up to burst_capacity requests and drains allowed_requests per
// time_window_seconds.
//
// NOTE(review): all three fields are uint32, so 0 is representable and is the
// value of any field left unset. No validation is shown on this page; confirm
// the consumer rejects zero values instead of computing with them.
type LeakyBucket struct {

	// Maximum number of requests the bucket can hold at any one time.
	BurstCapacity uint32 `protobuf:"varint,1,opt,name=burst_capacity,json=burstCapacity,proto3" json:"burst_capacity,omitempty"`
	// Number of requests processed per time window.
	AllowedRequests uint32 `protobuf:"varint,2,opt,name=allowed_requests,json=allowedRequests,proto3" json:"allowed_requests,omitempty"`
	// Duration of the time window (in seconds) over which allowed_requests are processed.
	//
	// NOTE(review): a value of 0 makes the drain rate
	// (allowed_requests / time_window_seconds) undefined — confirm it is rejected.
	TimeWindowSeconds uint32 `protobuf:"varint,3,opt,name=time_window_seconds,json=timeWindowSeconds,proto3" json:"time_window_seconds,omitempty"`
	// contains filtered or unexported fields
}

Leaky bucket rate limiting configuration.

Imagine a bucket that:

  • Can hold up to X requests (burst_capacity)
  • Drains (processes) requests at a steady rate of Y requests per Z seconds
  • Rejects any new requests immediately when the bucket is full

Example configuration:

  • burst_capacity: 20 # Can handle bursts of up to 20 requests
  • allowed_requests: 10 # Processes 10 requests per time window
  • time_window_seconds: 60 # Every 60 seconds (i.e. 10 req/min, drain rate ~0.167 req/sec)

In this example, the service processes a maximum of 600 requests per hour (10 per minute), while allowing temporary bursts of up to 20 requests. While the bucket is full, any new incoming requests are immediately rejected. The bucket continuously drains at a rate of 10 requests per 60 seconds, and as space becomes available, new requests can be accepted again.

func (*LeakyBucket) GetAllowedRequests

func (x *LeakyBucket) GetAllowedRequests() uint32

func (*LeakyBucket) GetBurstCapacity

func (x *LeakyBucket) GetBurstCapacity() uint32

func (*LeakyBucket) GetTimeWindowSeconds

func (x *LeakyBucket) GetTimeWindowSeconds() uint32

func (*LeakyBucket) ProtoMessage

func (*LeakyBucket) ProtoMessage()

func (*LeakyBucket) ProtoReflect

func (x *LeakyBucket) ProtoReflect() protoreflect.Message

func (*LeakyBucket) Reset

func (x *LeakyBucket) Reset()

func (*LeakyBucket) SetAllowedRequests

func (x *LeakyBucket) SetAllowedRequests(v uint32)

func (*LeakyBucket) SetBurstCapacity

func (x *LeakyBucket) SetBurstCapacity(v uint32)

func (*LeakyBucket) SetTimeWindowSeconds

func (x *LeakyBucket) SetTimeWindowSeconds(v uint32)

func (*LeakyBucket) String

func (x *LeakyBucket) String() string

type LeakyBucket_builder

// LeakyBucket_builder holds the same three settings as LeakyBucket; its Build
// method returns a *LeakyBucket.
//
// NOTE(review): any field omitted from the literal is 0. Set all three, since
// how a consumer treats a zero capacity, rate or window is not documented here.
type LeakyBucket_builder struct {

	// Maximum number of requests the bucket can hold at any one time.
	BurstCapacity uint32
	// Number of requests processed per time window.
	AllowedRequests uint32
	// Duration of the time window (in seconds) over which allowed_requests are processed.
	TimeWindowSeconds uint32
	// contains filtered or unexported fields
}

func (LeakyBucket_builder) Build

func (b0 LeakyBucket_builder) Build() *LeakyBucket

type PrivacyRule

// PrivacyRule controls field visibility and access.
type PrivacyRule struct {

	// Behavior when accessing field from unauthorized context.
	//
	// NOTE(review): the zero value is PrivacyType_PRIVACY_UNSPECIFIED; how it is
	// handled is not stated on this page. Confirm an unspecified rule on an
	// annotated field is not treated as VISIBLE.
	Privacy PrivacyType `protobuf:"varint,1,opt,name=privacy,proto3,enum=rpcauth.PrivacyType" json:"privacy,omitempty"`
	// Specific roles that can access the field. If empty, all authenticated users can access.
	//
	// NOTE(review): the empty list is the permissive case, so a rule that sets
	// OMIT or REDACT but no roles still exposes the field to every
	// authenticated caller. List roles explicitly for sensitive fields.
	VisibleToRoles []string `protobuf:"bytes,2,rep,name=visible_to_roles,json=visibleToRoles,proto3" json:"visible_to_roles,omitempty"`
	// contains filtered or unexported fields
}

PrivacyRule controls field visibility and access.

func (*PrivacyRule) GetPrivacy

func (x *PrivacyRule) GetPrivacy() PrivacyType

func (*PrivacyRule) GetVisibleToRoles

func (x *PrivacyRule) GetVisibleToRoles() []string

func (*PrivacyRule) ProtoMessage

func (*PrivacyRule) ProtoMessage()

func (*PrivacyRule) ProtoReflect

func (x *PrivacyRule) ProtoReflect() protoreflect.Message

func (*PrivacyRule) Reset

func (x *PrivacyRule) Reset()

func (*PrivacyRule) SetPrivacy

func (x *PrivacyRule) SetPrivacy(v PrivacyType)

func (*PrivacyRule) SetVisibleToRoles

func (x *PrivacyRule) SetVisibleToRoles(v []string)

func (*PrivacyRule) String

func (x *PrivacyRule) String() string

type PrivacyRule_builder

// PrivacyRule_builder holds the same two settings as PrivacyRule; its Build
// method returns a *PrivacyRule.
type PrivacyRule_builder struct {

	// Behavior when accessing field from unauthorized context.
	Privacy PrivacyType
	// Specific roles that can access the field. If empty, all authenticated users can access.
	//
	// NOTE(review): leaving this nil is the "all authenticated users" case, not
	// a deny — set it whenever the field should be limited to specific roles.
	VisibleToRoles []string
	// contains filtered or unexported fields
}

func (PrivacyRule_builder) Build

func (b0 PrivacyRule_builder) Build() *PrivacyRule

type PrivacyType

// PrivacyType is used to determine how to handle sensitive fields.
type PrivacyType int32

PrivacyType is used to determine how to handle sensitive fields.

// Values of PrivacyType.
const (
	// Zero value, i.e. what a rule holds when privacy was never set.
	// NOTE(review): handling is not documented on this page; consumers should
	// not treat it as VISIBLE by default.
	PrivacyType_PRIVACY_UNSPECIFIED PrivacyType = 0
	// Field is not sensitive and can be returned in the response.
	PrivacyType_VISIBLE PrivacyType = 1
	// Field is sensitive and should be omitted from the response entirely.
	PrivacyType_OMIT PrivacyType = 2
	// Field is sensitive and should be redacted from the response (replaced with a configurable
	// placeholder value).
	PrivacyType_REDACT PrivacyType = 3
)

func (PrivacyType) Descriptor

func (PrivacyType) Enum

func (x PrivacyType) Enum() *PrivacyType

func (PrivacyType) Number

func (x PrivacyType) Number() protoreflect.EnumNumber

func (PrivacyType) String

func (x PrivacyType) String() string

func (PrivacyType) Type

type RateKeyType

// RateKeyType enumerates the different types of rate limit keys.
type RateKeyType int32

Different types of rate limit keys.

// Values of RateKeyType.
const (
	// Zero value, i.e. what a rule holds when the key was never set.
	// NOTE(review): which key a limiter uses in this case is not documented on
	// this page — confirm it does not disable limiting.
	RateKeyType_LIMIT_UNSPECIFIED RateKeyType = 0
	// Limit by client IP address.
	//
	// NOTE(review): how the client IP is obtained is not specified here. If it
	// is read from a forwarding header rather than the connection, it must only
	// be trusted when set by a known proxy; otherwise the caller chooses its
	// own rate-limit key.
	RateKeyType_IP RateKeyType = 1
	// Limit by authenticated user.
	//
	// NOTE(review): the key used for unauthenticated requests is not stated —
	// confirm they are still limited on methods that allow them.
	RateKeyType_USER RateKeyType = 2
	// Limit by API key.
	//
	// This is useful for limiting the number of requests per API key, regardless of the USER.
	RateKeyType_API_KEY RateKeyType = 3
	// Global limit across all requests.
	//
	// This is useful for limiting the total number of requests to a service or method, regardless of
	// the client. For example, a method may want to limit the total number of requests to 1000 per
	// second. This is different from the other types of rate limiting, which are per client
	// (anonymous by IP, authenticated user, or API key).
	//
	// NOTE(review): with a single shared budget, one client can use it up for
	// everyone; pairing it with a per-client limit is worth considering.
	RateKeyType_GLOBAL RateKeyType = 4
)

func (RateKeyType) Descriptor

func (RateKeyType) Enum

func (x RateKeyType) Enum() *RateKeyType

func (RateKeyType) Number

func (x RateKeyType) Number() protoreflect.EnumNumber

func (RateKeyType) String

func (x RateKeyType) String() string

func (RateKeyType) Type

type RateRule

// RateRule is the rate limiting configuration for an RPC method.
type RateRule struct {

	// What to use as the rate limit key.
	Key RateKeyType `protobuf:"varint,1,opt,name=key,proto3,enum=rpcauth.RateKeyType" json:"key,omitempty"`
	// Roles that bypass rate limiting entirely. Only applies to authenticated users.
	//
	// NOTE(review): every role listed here is exempt from the limit, so the
	// exemption is only as strong as the role claim. Keep the list short and
	// confirm roles are taken from a verified credential, never from
	// client-supplied metadata.
	BypassRoles []string `protobuf:"bytes,2,rep,name=bypass_roles,json=bypassRoles,proto3" json:"bypass_roles,omitempty"`
	// Rate limiting algorithm configuration.
	//
	// Types that are valid to be assigned to Algorithm:
	//
	//	*RateRule_LeakyBucket
	//
	// NOTE(review): the oneof can be left unset (see HasAlgorithm and
	// RateRule_Algorithm_not_set_case). What a limiter does with a rule that has
	// a key but no algorithm is not stated here — confirm it is rejected.
	Algorithm isRateRule_Algorithm `protobuf_oneof:"algorithm"`
	// contains filtered or unexported fields
}

Rate limiting configuration for an RPC method.

func (*RateRule) ClearAlgorithm

func (x *RateRule) ClearAlgorithm()

func (*RateRule) ClearLeakyBucket

func (x *RateRule) ClearLeakyBucket()

func (*RateRule) GetAlgorithm

func (x *RateRule) GetAlgorithm() isRateRule_Algorithm

func (*RateRule) GetBypassRoles

func (x *RateRule) GetBypassRoles() []string

func (*RateRule) GetKey

func (x *RateRule) GetKey() RateKeyType

func (*RateRule) GetLeakyBucket

func (x *RateRule) GetLeakyBucket() *LeakyBucket

func (*RateRule) HasAlgorithm

func (x *RateRule) HasAlgorithm() bool

func (*RateRule) HasLeakyBucket

func (x *RateRule) HasLeakyBucket() bool

func (*RateRule) ProtoMessage

func (*RateRule) ProtoMessage()

func (*RateRule) ProtoReflect

func (x *RateRule) ProtoReflect() protoreflect.Message

func (*RateRule) Reset

func (x *RateRule) Reset()

func (*RateRule) SetBypassRoles

func (x *RateRule) SetBypassRoles(v []string)

func (*RateRule) SetKey

func (x *RateRule) SetKey(v RateKeyType)

func (*RateRule) SetLeakyBucket

func (x *RateRule) SetLeakyBucket(v *LeakyBucket)

func (*RateRule) String

func (x *RateRule) String() string

func (*RateRule) WhichAlgorithm

func (x *RateRule) WhichAlgorithm() case_RateRule_Algorithm

type RateRule_LeakyBucket

// RateRule_LeakyBucket is the oneof wrapper assigned to RateRule.Algorithm to
// select the leaky bucket algorithm (proto field number 3).
type RateRule_LeakyBucket struct {
	// Leaky bucket configuration.
	LeakyBucket *LeakyBucket `protobuf:"bytes,3,opt,name=leaky_bucket,json=leakyBucket,proto3,oneof"`
}

type RateRule_builder

// RateRule_builder holds the settings of a RateRule, with the Algorithm oneof
// flattened into its single member LeakyBucket; its Build method returns a
// *RateRule.
type RateRule_builder struct {

	// What to use as the rate limit key.
	Key RateKeyType
	// Roles that bypass rate limiting entirely. Only applies to authenticated users.
	//
	// NOTE(review): listed roles are exempt from the limit; keep this minimal.
	BypassRoles []string

	// Fields of oneof Algorithm:
	// Leaky bucket configuration.
	//
	// NOTE(review): presumably a nil LeakyBucket builds a rule with no
	// algorithm set — confirm, and confirm consumers reject such a rule.
	LeakyBucket *LeakyBucket
	// contains filtered or unexported fields
}

func (RateRule_builder) Build

func (b0 RateRule_builder) Build() *RateRule

type RuleSet

// RuleSet is a set of roles and permissions that together grant access. All
// roles and permissions within a set must match (AND relationship).
//
// NOTE(review): the meaning of a RuleSet with both lists empty is not
// documented. Under "all must match", an empty set is vacuously satisfied,
// and AuthRule.Access grants access if ANY set passes — confirm the enforcing
// layer rejects empty rule sets instead of granting access on them.
type RuleSet struct {

	// Required roles for this rule set.
	Roles []string `protobuf:"bytes,1,rep,name=roles,proto3" json:"roles,omitempty"`
	// Required permissions for this rule set.
	Permissions []string `protobuf:"bytes,2,rep,name=permissions,proto3" json:"permissions,omitempty"`
	// contains filtered or unexported fields
}

A set of roles and permissions that together grant access. All roles and permissions within a set must match (AND relationship).

Examples:

  • roles: ["admin"] AND permissions: ["delete"]
  • roles: ["support", "manager"] AND permissions: ["view", "update"] (the caller must have BOTH roles AND BOTH permissions)

TODO(mf): let's consider expanding this to support an expression language for more complex rules. See https://github.com/protolayer/rpcauth-proto/issues/1 for more details.

func (*RuleSet) GetPermissions

func (x *RuleSet) GetPermissions() []string

func (*RuleSet) GetRoles

func (x *RuleSet) GetRoles() []string

func (*RuleSet) ProtoMessage

func (*RuleSet) ProtoMessage()

func (*RuleSet) ProtoReflect

func (x *RuleSet) ProtoReflect() protoreflect.Message

func (*RuleSet) Reset

func (x *RuleSet) Reset()

func (*RuleSet) SetPermissions

func (x *RuleSet) SetPermissions(v []string)

func (*RuleSet) SetRoles

func (x *RuleSet) SetRoles(v []string)

func (*RuleSet) String

func (x *RuleSet) String() string

type RuleSet_builder

// RuleSet_builder holds the same two settings as RuleSet; its Build method
// returns a *RuleSet.
//
// NOTE(review): a literal with neither Roles nor Permissions set presumably
// builds an empty rule set. Whether enforcement treats that as "matches
// everyone" is not documented here, so avoid building one.
type RuleSet_builder struct {

	// Required roles for this rule set.
	Roles []string
	// Required permissions for this rule set.
	Permissions []string
	// contains filtered or unexported fields
}

func (RuleSet_builder) Build

func (b0 RuleSet_builder) Build() *RuleSet
