config

package
v0.2024.5 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jun 5, 2024 License: GPL-3.0 Imports: 8 Imported by: 0

Documentation


Types

type Identities

// Identities holds configured accounts and secrets. Its fields are unexported;
// it is filled in by UnmarshalJSON and read back through Load.
// NOTE(review): one accepted JSON form is a file path described as "rooted in
// baseDir". This page does not show whether Load rejects absolute paths or ".."
// segments that would resolve outside baseDir — confirm, since the path comes
// from configuration.
type Identities struct {
	// contains filtered or unexported fields
}

Identities represents configured accounts and secrets for users and tenants. Identities can be unmarshalled from JSON in several forms, and the form used determines how Load behaves:

  1. true indicates that Load should read identities from the defaults provided
  2. false indicates that Load will always return no identities or error
  3. A string represents a path, rooted in baseDir, to a file containing identities to load
  4. A JSON array contains a list of explicitly defined identities, which Load returns

func (*Identities) Load

func (p *Identities) Load(baseDir, defaultFilename string) ([]Identity, error)

func (*Identities) UnmarshalJSON

func (p *Identities) UnmarshalJSON(data []byte) error

type Identity

// Identity is one account entry: an identifier, a display title, the secrets
// accepted for it, and the zones and roles attached to it.
// NOTE(review): this page does not document how Zones and Roles are enforced or
// what an empty list means (no access vs. unrestricted) — confirm before
// treating an omitted field as a restriction.
type Identity struct {
	// Title is serialised as "title"; presumably a human-readable label — TODO confirm.
	Title   string   `json:"title,omitempty"`
	// ID is serialised as "id"; presumably the account or client identifier
	// presented with credentials — TODO confirm.
	ID      string   `json:"id,omitempty"`
	// Secrets lists the Secret entries associated with this identity.
	Secrets []Secret `json:"secrets,omitempty"`
	// Zones is serialised as "zones"; semantics are not shown on this page.
	Zones   []string `json:"zones,omitempty"`
	// Roles is serialised as "roles"; semantics are not shown on this page.
	Roles   []string `json:"roles,omitempty"`
}

type Keycloak

// Keycloak groups a server URL, a realm name and a client ID.
// NOTE(review): no field on this page refers to this type; User.Keycloak is
// declared as *keycloak.Config instead — confirm whether this type is still used.
type Keycloak struct {
	// URL is serialised as "url". Nothing visible here restricts the scheme;
	// confirm where https is required if tokens are validated against it.
	URL      string `json:"url,omitempty"`
	// Realm is serialised as "realm".
	Realm    string `json:"realm,omitempty"`
	// ClientID is serialised as "clientID".
	ClientID string `json:"clientID,omitempty"`
}

type Root

// Root is the configuration value returned by ReadConfig and Default. It embeds
// system.Config and adds the user and system authentication settings.
// NOTE(review): User and System are optional pointers. This page does not show
// what a nil value means (validation disabled vs. values taken from Default) —
// confirm that an omitted section cannot leave token validation unconfigured.
type Root struct {
	system.Config
	// User configures user credential and access token validation for applications acting on behalf of a user.
	// This includes the ability to log in using a username and password through OIDC authentication servers like Keycloak.
	User *User `json:"user,omitempty"`
	// System configures credential and access token validation for applications acting on their own behalf.
	// This includes OAuth2 Client Credentials key exchange and validation backed by different key stores.
	System *System `json:"system,omitempty"`
}

func Default

func Default() Root

func ReadConfig

func ReadConfig(data []byte) (Root, error)

type Secret

// Secret is one credential entry attached to an Identity.
// NOTE(review): the hash algorithm, salt handling and encoding of Hash are not
// shown on this page — confirm a salted, deliberately slow password hash is used.
// Files holding these values still need restrictive permissions, because stored
// hashes can be guessed offline by anyone who can read them.
type Secret struct {
	// Note is serialised as "note"; presumably a free-text description of the
	// secret — TODO confirm it is never treated as credential material.
	Note string `json:"note,omitempty"`
	// Hash is serialised as "hash"; by its name it holds a hash of the secret
	// rather than the secret itself — TODO confirm.
	Hash string `json:"hash,omitempty"`
}

type System

// System configures how tokens for applications acting on their own behalf are
// issued and validated. It offers three account sources: a local identities
// file, the tenants system, and the cohort manager.
// NOTE(review): this page does not show how the sources combine when more than
// one is enabled (any source accepting vs. all required) — confirm.
type System struct {
	// Validity defaults to 15 minutes and specifies how long access tokens generated by client credentials key exchange are valid for.
	Validity *jsontypes.Duration `json:"validity,omitempty"`

	// FileAccounts, when non-nil, causes the system to validate system tokens using a local
	// file of identities and secrets.
	// See Identities for how this field can be represented/configured in JSON.
	FileAccounts *Identities `json:"fileAccounts,omitempty"`
	// TenantAccounts causes the system to validate system tokens using the tenants system.
	// Validation fails closed: all tokens are deemed invalid if the tenants system is not available.
	TenantAccounts bool `json:"tenantAccounts,omitempty"`
	// CohortAccounts causes the system to validate system tokens using the cohort manager, set up via enrollment.
	// Validation fails closed: all tokens are deemed invalid if the manager is not known
	// (i.e. the controller is not enrolled), or the manager doesn't support TenantApi.
	CohortAccounts bool `json:"cohortAccounts,omitempty"`
}

type User

// User configures how credentials and access tokens for applications acting on
// behalf of a user are validated, either against a configured list of
// identities or against a Keycloak server.
// NOTE(review): this page does not show which source takes precedence when both
// FileAccounts and Keycloak are set — confirm.
type User struct {
	// Validity defaults to 24 hours and specifies how long access tokens generated by user key exchange are valid for.
	Validity *jsontypes.Duration `json:"validity,omitempty"`

	// FileAccounts enumerates a list of identities that incoming credentials are validated against.
	// See Identities for the JSON forms this field accepts.
	FileAccounts *Identities `json:"fileAccounts,omitempty"`
	// Keycloak configures access token validation against a Keycloak server using OIDC.
	// Note that the JSON key is "keycloakAccounts", not "keycloak".
	Keycloak *keycloak.Config `json:"keycloakAccounts,omitempty"`
}
