Documentation ¶
Index ¶
- Constants
- Variables
- func GetRuntimeInfo() (*runtime.Runtime, error)
- func PaginateMapValues[T any](req api.PaginatedRequest, m map[string]T, less func(a T, b T) bool, ...) (page []T, nbt string, err error)
- func PaginateSlice[T any](req api.PaginatedRequest, values []T, less func(a T, b T) bool, ...) (page []T, npt string, err error)
- func PaginateStorage[T any](req api.PaginatedRequest, storage persistence.Storage, opts PaginationOpts, ...) (page []T, npt string, err error)
- func StartGRPCServer(jwksURL string, opts ...StartGRPCServerOption) (sock net.Listener, srv *grpc.Server, err error)
- func StreamReflectionFilter(info *grpc.StreamServerInfo) bool
- func StreamServerInterceptorWithFilter(in grpc.StreamServerInterceptor, filter func(info *grpc.StreamServerInfo) bool) grpc.StreamServerInterceptor
- func UnaryReflectionFilter(info *grpc.UnaryServerInfo) bool
- func UnaryServerInterceptorWithFilter(in grpc.UnaryServerInterceptor, filter func(info *grpc.UnaryServerInfo) bool) grpc.UnaryServerInterceptor
- func ValidateRequest(req IncomingRequest) (err error)
- type AuthConfig
- type AuthOption
- type AuthorizationStrategy
- type AuthorizationStrategyAllowAll
- type AuthorizationStrategyJWT
- type IncomingRequest
- type OpenIDConnectClaim
- type Option
- type PaginationOpts
- type ProfileClaim
- type RequestType
- type StartGRPCServerOption
Constants ¶
const AuthContextKey = authContextKeyType("token")
AuthContextKey is the key used in the RPC context to retrieve the token info via context.Value.
const DefaultJWKSURL = "http://localhost:8080/.well-known/jwks.json"
DefaultJWKSURL is the default JWKS url pointing to a local authentication server.
Variables ¶
var DefaultPaginationOpts = PaginationOpts{
DefaultPageSize: 50,
MaxPageSize: 1500,
}
DefaultPaginationOpts are sensible defaults for the pagination size.
var ErrPermissionDenied = status.Errorf(codes.PermissionDenied, "access denied")
ErrPermissionDenied represents an error, where permission to fulfill the request is denied.
Functions ¶
func GetRuntimeInfo ¶ added in v1.7.4
func GetRuntimeInfo() (*runtime.Runtime, error)
GetRuntimeInfo returns Clouditor's runtime information.
func PaginateMapValues ¶ added in v1.4.6
func PaginateMapValues[T any](req api.PaginatedRequest, m map[string]T, less func(a T, b T) bool, opts PaginationOpts) (page []T, nbt string, err error)
PaginateMapValues is a wrapper around PaginateSlice that uses maps.Values to collect the map's values and sorts them according to the specified less function, so that the result is deterministic.
func PaginateSlice ¶ added in v1.4.6
func PaginateSlice[T any](req api.PaginatedRequest, values []T, less func(a T, b T) bool, opts PaginationOpts) (page []T, npt string, err error)
PaginateSlice is a helper function that paginates a slice based on list requests. It parses the necessary information out of a paginated request, e.g. the page token and the desired page size, and returns a sliced page as well as the next page token.
func PaginateStorage ¶ added in v1.4.6
func PaginateStorage[T any](req api.PaginatedRequest, storage persistence.Storage, opts PaginationOpts, conds ...interface{}) (page []T, npt string, err error)
PaginateStorage is a helper function that paginates records in persisted storage based on list requests. It parses the necessary information out of a paginated request, e.g. the page token and the desired page size, and returns a sliced page as well as the next page token.
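To make the page-token mechanism concrete, here is an added, self-contained re-implementation of the PaginateSlice/PaginateMapValues pattern with the documented DefaultPaginationOpts (default 50, maximum 1500). It is illustrative code written for this page, not the package's own implementation: PaginatedRequest is an assumed stand-in for api.PaginatedRequest, and the token format (a base64-wrapped offset) is an assumption. The points it shows are the ones a reviewer cares about for a list endpoint: the client-supplied page size is clamped, the token is validated as untrusted input, and the map values are sorted before slicing so every page is stable across calls.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strconv"
)

// PaginatedRequest is an assumed stand-in for api.PaginatedRequest.
type PaginatedRequest struct {
	PageSize  int32
	PageToken string
}

// PaginationOpts mirrors the documented struct: a default and a maximum page size.
type PaginationOpts struct {
	DefaultPageSize int32
	MaxPageSize     int32
}

// DefaultPaginationOpts uses the defaults documented for the package.
var DefaultPaginationOpts = PaginationOpts{DefaultPageSize: 50, MaxPageSize: 1500}

// ErrInvalidPageToken is returned for tokens that are malformed or point past the data.
var ErrInvalidPageToken = errors.New("invalid page token")

// encodeToken wraps the start offset of the next page in an opaque, URL-safe token (assumed format).
func encodeToken(offset int) string {
	return base64.RawURLEncoding.EncodeToString([]byte(strconv.Itoa(offset)))
}

// decodeToken reverses encodeToken. An empty token means "first page"; the token is
// client input, so anything that is not a non-negative integer is rejected.
func decodeToken(token string) (int, error) {
	if token == "" {
		return 0, nil
	}
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return 0, ErrInvalidPageToken
	}
	n, err := strconv.Atoi(string(raw))
	if err != nil || n < 0 {
		return 0, ErrInvalidPageToken
	}
	return n, nil
}

// PaginateSlice sorts a copy of values with less, then returns the requested page
// and the token for the following page ("" on the last page).
func PaginateSlice[T any](req PaginatedRequest, values []T, less func(a, b T) bool, opts PaginationOpts) (page []T, npt string, err error) {
	// The page size comes from the client: use the default when unset and clamp
	// to MaxPageSize so one request cannot demand an unbounded response.
	size := req.PageSize
	if size <= 0 {
		size = opts.DefaultPageSize
	}
	if size > opts.MaxPageSize {
		size = opts.MaxPageSize
	}
	start, err := decodeToken(req.PageToken)
	if err != nil {
		return nil, "", err
	}
	// Sort a copy: deterministic order across pages, caller's slice untouched.
	sorted := make([]T, len(values))
	copy(sorted, values)
	sort.SliceStable(sorted, func(i, j int) bool { return less(sorted[i], sorted[j]) })
	if start > len(sorted) {
		return nil, "", ErrInvalidPageToken
	}
	end := start + int(size)
	if end > len(sorted) {
		end = len(sorted)
	}
	page = sorted[start:end]
	if end < len(sorted) {
		npt = encodeToken(end)
	}
	return page, npt, nil
}

// PaginateMapValues collects the map's values and delegates to PaginateSlice; the
// sort inside PaginateSlice is what makes paging over a map stable.
func PaginateMapValues[T any](req PaginatedRequest, m map[string]T, less func(a, b T) bool, opts PaginationOpts) ([]T, string, error) {
	values := make([]T, 0, len(m))
	for _, v := range m {
		values = append(values, v)
	}
	return PaginateSlice(req, values, less, opts)
}

func main() {
	// Constructed sample data: service names keyed by a made-up ID.
	services := map[string]string{"id-3": "gamma", "id-1": "alpha", "id-2": "beta"}
	req := PaginatedRequest{PageSize: 2}
	for pageNo := 1; ; pageNo++ {
		page, npt, err := PaginateMapValues(req, services, func(a, b string) bool { return a < b }, DefaultPaginationOpts)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("page %d: %v\n", pageNo, page)
		if npt == "" {
			return
		}
		req.PageToken = npt
	}
}
```

The main loop walks all pages by feeding each returned token back into the next request; a token for an offset past the end, or one that does not decode, yields ErrInvalidPageToken instead of a silently empty page.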
func StartGRPCServer ¶
func StartGRPCServer(jwksURL string, opts ...StartGRPCServerOption) (sock net.Listener, srv *grpc.Server, err error)
func StreamReflectionFilter ¶ added in v1.5.3
func StreamReflectionFilter(info *grpc.StreamServerInfo) bool
StreamReflectionFilter is a filter that ignores calls to the reflection endpoint.
func StreamServerInterceptorWithFilter ¶ added in v1.5.3
func StreamServerInterceptorWithFilter(in grpc.StreamServerInterceptor, filter func(info *grpc.StreamServerInfo) bool) grpc.StreamServerInterceptor
StreamServerInterceptorWithFilter wraps a grpc.StreamServerInterceptor and only invokes the interceptor if the filter function does not return true.
func UnaryReflectionFilter ¶ added in v1.5.3
func UnaryReflectionFilter(info *grpc.UnaryServerInfo) bool
UnaryReflectionFilter is a filter that ignores calls to the reflection endpoint.
func UnaryServerInterceptorWithFilter ¶ added in v1.5.3
func UnaryServerInterceptorWithFilter(in grpc.UnaryServerInterceptor, filter func(info *grpc.UnaryServerInfo) bool) grpc.UnaryServerInterceptor
UnaryServerInterceptorWithFilter wraps a grpc.UnaryServerInterceptor and only invokes the interceptor if the filter function does not return true.
func ValidateRequest ¶ added in v1.7.0
func ValidateRequest(req IncomingRequest) (err error)
ValidateRequest validates an incoming request according to different criteria:
- If the request is nil, api.ErrEmptyRequest is returned
- The request is validated according to the generated validation method
- Lastly, if the request is an api.PaginatedRequest, an additional check is performed to ensure only valid columns are listed
Note: This function already returns a gRPC error, so the error can be returned directly without any wrapping in a request function.
Types ¶
type AuthConfig ¶
type AuthConfig struct {
    // Jwks contains a JSON Web Key Set, that is used if JWKS support is enabled. Otherwise a
    // stored public key will be used
    Jwks *keyfunc.JWKS

    AuthFunc grpc_auth.AuthFunc
    // contains filtered or unexported fields
}
func ConfigureAuth ¶
func ConfigureAuth(opts ...AuthOption) *AuthConfig
ConfigureAuth creates a new AuthConfig, which can be used in gRPC middleware to provide an authentication layer.
type AuthOption ¶
type AuthOption func(*AuthConfig)
AuthOption is a function-style option type to fine-tune authentication.
func WithJWKSURL ¶
func WithJWKSURL(url string) AuthOption
WithJWKSURL is an option to provide a URL that contains a JSON Web Key Set (JWKS). The JWKS will be used to validate tokens coming from RPC clients against the public keys contained in the JWKS.
func WithPublicKey ¶
func WithPublicKey(publicKey *ecdsa.PublicKey) AuthOption
WithPublicKey is an option to directly provide an ECDSA public key which is used to verify tokens coming from RPC clients.
type AuthorizationStrategy ¶ added in v1.6.2
type AuthorizationStrategy interface {
    CheckAccess(ctx context.Context, typ RequestType, req api.CloudServiceRequest) bool
    AllowedCloudServices(ctx context.Context) (all bool, IDs []string)
}
AuthorizationStrategy is an interface that checks whether the current cloud service request can be fulfilled using the supplied context (e.g., based on the authenticated user).
type AuthorizationStrategyAllowAll ¶ added in v1.6.2
type AuthorizationStrategyAllowAll struct{}
AuthorizationStrategyAllowAll is an AuthorizationStrategy that allows all requests.
func (*AuthorizationStrategyAllowAll) AllowedCloudServices ¶ added in v1.6.2
func (*AuthorizationStrategyAllowAll) AllowedCloudServices(_ context.Context) (all bool, list []string)
AllowedCloudServices retrieves a list of allowed cloud service IDs according to the current access strategy. Returns `all = true`, since the strategy is `AuthorizationStrategyAllowAll`.
func (*AuthorizationStrategyAllowAll) CheckAccess ¶ added in v1.6.2
func (*AuthorizationStrategyAllowAll) CheckAccess(_ context.Context, _ RequestType, _ api.CloudServiceRequest) bool
CheckAccess checks whether the current request can be fulfilled using the current access strategy. Returns true, since the strategy is `AuthorizationStrategyAllowAll`.
type AuthorizationStrategyJWT ¶ added in v1.6.2
type AuthorizationStrategyJWT struct {
Key string
}
AuthorizationStrategyJWT is an AuthorizationStrategy that expects a list of cloud service IDs to be in a specific JWT claim key.
func (*AuthorizationStrategyJWT) AllowedCloudServices ¶ added in v1.6.2
func (a *AuthorizationStrategyJWT) AllowedCloudServices(ctx context.Context) (all bool, list []string)
AllowedCloudServices retrieves a list of allowed cloud service IDs according to the current access strategy.
func (*AuthorizationStrategyJWT) CheckAccess ¶ added in v1.6.2
func (a *AuthorizationStrategyJWT) CheckAccess(ctx context.Context, _ RequestType, req api.CloudServiceRequest) bool
CheckAccess checks whether the current request can be fulfilled using the current access strategy.
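The two strategies above differ in exactly one decision: AllowAll answers yes unconditionally, while the JWT strategy consults a claim in the caller's token. The following added example (illustrative code written for this page, not the package's own implementation) shows both against a small stand-in model. Assumptions: claimsContextKey plays the role of AuthContextKey, Claims stands in for a decoded token payload that the authentication middleware has already signature-verified, CloudServiceRequest stands in for api.CloudServiceRequest, and the claim name "cloud_services" and the service IDs are constructed for the demonstration. The JWT strategy fails closed: a missing token or a claim of the wrong shape grants nothing rather than falling back to "all".

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
)

// claimsContextKey is the assumed context key under which the authentication layer
// stores already verified token claims (the role AuthContextKey plays in the package).
type claimsContextKey struct{}

// Claims is a stand-in for a decoded JWT payload; signature verification is assumed
// to have happened before the claims are put into the context.
type Claims map[string]any

// ContextWithClaims attaches verified claims to ctx.
func ContextWithClaims(ctx context.Context, c Claims) context.Context {
	return context.WithValue(ctx, claimsContextKey{}, c)
}

// RequestType and its constants follow the documented definitions.
type RequestType int

const (
	AccessCreate RequestType = iota
	AccessRead
	AccessUpdate
	AccessDelete
)

// CloudServiceRequest is an assumed stand-in for api.CloudServiceRequest.
type CloudServiceRequest interface {
	GetCloudServiceId() string
}

// AuthorizationStrategy is the documented interface.
type AuthorizationStrategy interface {
	CheckAccess(ctx context.Context, typ RequestType, req CloudServiceRequest) bool
	AllowedCloudServices(ctx context.Context) (all bool, IDs []string)
}

// Compile-time checks that both strategies implement the interface.
var (
	_ AuthorizationStrategy = (*AuthorizationStrategyAllowAll)(nil)
	_ AuthorizationStrategy = (*AuthorizationStrategyJWT)(nil)
)

// AuthorizationStrategyAllowAll permits every request.
type AuthorizationStrategyAllowAll struct{}

func (*AuthorizationStrategyAllowAll) AllowedCloudServices(context.Context) (bool, []string) {
	return true, nil
}

func (*AuthorizationStrategyAllowAll) CheckAccess(context.Context, RequestType, CloudServiceRequest) bool {
	return true
}

// AuthorizationStrategyJWT reads the allowed cloud service IDs from the claim named Key.
type AuthorizationStrategyJWT struct {
	Key string
}

// AllowedCloudServices returns the string IDs listed in the claim. No claims in the
// context, or a claim that is not an array, yields an empty list (fail closed).
func (a *AuthorizationStrategyJWT) AllowedCloudServices(ctx context.Context) (all bool, IDs []string) {
	claims, ok := ctx.Value(claimsContextKey{}).(Claims)
	if !ok {
		return false, nil
	}
	list, ok := claims[a.Key].([]any) // JSON arrays decode to []any
	if !ok {
		return false, nil
	}
	for _, v := range list {
		if id, ok := v.(string); ok && id != "" {
			IDs = append(IDs, id)
		}
	}
	return false, IDs
}

// CheckAccess grants the request only if its target cloud service is in the allowed list.
func (a *AuthorizationStrategyJWT) CheckAccess(ctx context.Context, _ RequestType, req CloudServiceRequest) bool {
	if req == nil {
		return false
	}
	all, ids := a.AllowedCloudServices(ctx)
	if all {
		return true
	}
	for _, id := range ids {
		if id == req.GetCloudServiceId() {
			return true
		}
	}
	return false
}

// listRequest is a constructed request type for the demonstration.
type listRequest struct{ cloudServiceID string }

func (r listRequest) GetCloudServiceId() string { return r.cloudServiceID }

// ClaimsFromJSON decodes a token payload; here it is fed a constructed payload.
func ClaimsFromJSON(payload string) (Claims, error) {
	var c Claims
	err := json.Unmarshal([]byte(payload), &c)
	return c, err
}

func main() {
	claims, err := ClaimsFromJSON(`{"sub":"alice","cloud_services":["svc-a","svc-b"]}`)
	if err != nil {
		panic(err)
	}
	ctx := ContextWithClaims(context.Background(), claims)
	strategy := &AuthorizationStrategyJWT{Key: "cloud_services"}
	for _, id := range []string{"svc-a", "svc-c"} {
		fmt.Printf("read on %s allowed: %v\n", id, strategy.CheckAccess(ctx, AccessRead, listRequest{id}))
	}
}
```

Run stand-alone, main reports that "svc-a" is allowed and "svc-c" is not. Note that the JWT strategy ignores the RequestType, exactly as the documented signature (with its blank `_ RequestType` parameter) suggests: membership in the claim grants every CRUD operation on that service, so finer-grained restrictions would have to be layered on top.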
type IncomingRequest ¶ added in v1.7.0
type OpenIDConnectClaim ¶ added in v1.4.15
type OpenIDConnectClaim struct {
    *jwt.RegisteredClaims
    *ProfileClaim
}
OpenIDConnectClaim represents a claim that supports some aspects of a token issued by an OpenID Connect provider. It contains the regular registered JWT claims as well as some specific optional claims, which are empty if Open ID Connect is not used.
type Option ¶ added in v1.4.11
type Option[T any] func(*T)
Option is a functional option type to configure services.
type PaginationOpts ¶ added in v1.4.6
type PaginationOpts struct {
    // DefaultPageSize is the page size that is used as a default if the request does not specify one
    DefaultPageSize int32
    // MaxPageSize is the maximum page size that can be requested
    MaxPageSize int32
}
PaginationOpts can be used to fine-tune the pagination, especially with regard to the page sizes. This can be important if the messages within a page are extremely large and thus the page size needs to be decreased.
type ProfileClaim ¶ added in v1.4.15
type ProfileClaim struct {
    PreferredUsername string `json:"preferred_username"`
    Name              string `json:"name"`
    GivenName         string `json:"given_name"`
    FamilyName        string `json:"family_name"`
}
ProfileClaim represents claims that are contained in the profile scope of OpenID Connect.
type RequestType ¶ added in v1.6.2
type RequestType int
RequestType specifies the type of request, usually CRUD.
const (
    AccessCreate RequestType = iota
    AccessRead
    AccessUpdate
    AccessDelete
)
type StartGRPCServerOption ¶
func WithDiscovery ¶
func WithDiscovery(svc discovery.DiscoveryServer) StartGRPCServerOption
func WithEvidenceStore ¶
func WithEvidenceStore(svc evidence.EvidenceStoreServer) StartGRPCServerOption
func WithOrchestrator ¶
func WithOrchestrator(svc orchestrator.OrchestratorServer) StartGRPCServerOption