Documentation ¶
Index ¶
- type Action
- type Invite
- func (inv *Invite) Delete(ctx context.Context, d types.Querier) error
- func (inv *Invite) Load(ctx context.Context, d types.Querier) error
- func (inv *Invite) PrivateKey(encryptionKey *[32]byte) (*ecdh.PrivateKey, error)
- func (inv *Invite) Save(ctx context.Context, d types.Querier, update bool) error
- func (inv *Invite) TokenComposite() (string, error)
- type Permission
- type PermissionTarget
- type Remote
- type Resource
- type Role
- type User
- type UserType
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Action ¶
type Action string
Actions are activities that can be performed on resources.
func ActionFromString ¶
ActionFromString returns a valid Action from a string value.
type Invite ¶
type Invite struct {
	ID        uint64
	UUID      string
	CreatedAt time.Time
	Expires   time.Time
	User      *User
	Token     string
	PublicKey string
	// contains filtered or unexported fields
}
func Invites ¶
Invites returns one or more invites from the database. An optional filter can be passed to limit the results.
func NewInvite ¶
func NewInvite(user *User, ttl time.Duration, uuidgen func() string, encryptionKey *[32]byte) (*Invite, error)
NewInvite creates a new invitation for a remote user. A unique token is created that must be supplied when authenticating to the server. The token is constructed by concatenating 32 random bytes and an ephemeral X25519 public key, encoded as a base58 string. The encryptionKey is a separate, persistent symmetric key used to encrypt the X25519 private key.
func (*Invite) Delete ¶
Delete removes the invite record from the database. Either the invite ID or UUID must be set for the lookup. The UUID may be a prefix, as long as it matches exactly one record. It returns an error if the invite doesn't exist, or if more than one record would be deleted.
func (*Invite) Load ¶
Load the invite record from the database. The invite ID, UUID or token must be set for the lookup.
func (*Invite) PrivateKey ¶
func (inv *Invite) PrivateKey(encryptionKey *[32]byte) (*ecdh.PrivateKey, error)
PrivateKey returns the decrypted X25519 private key.
func (*Invite) Save ¶
Save stores the invite data in the database. If update is true, either the invite ID or UUID must be set for the lookup. The UUID may be a prefix, as long as it matches exactly one record. It returns an error if the invite doesn't exist, or if more than one record would be updated.
func (*Invite) TokenComposite ¶
TokenComposite generates the final token by concatenating the random token with the X25519 public key.
type Permission ¶
type Permission struct {
	Namespaces map[string]struct{}
	Actions    map[Action]struct{}
	Target     PermissionTarget
}
Permission is a combination of access rules. It declares the actions allowed for a specific target in one or more namespaces. Namespaces are arbitrary and can be created at runtime by the user. The target can either be a static resource name, or a pattern that includes wildcards, e.g. 'store:myapp/*'. Namespaces and actions can also be a wildcard, to allow any action in any namespace (e.g. for admin roles).
func (Permission) MarshalText ¶
func (p Permission) MarshalText() ([]byte, error)
MarshalText implements the encoding.TextMarshaler interface for Permission.
func (*Permission) UnmarshalText ¶
func (p *Permission) UnmarshalText(text []byte) error
UnmarshalText implements the encoding.TextUnmarshaler interface for Permission.
type PermissionTarget ¶
type Remote ¶
type Remote struct {
	ID           uint64
	CreatedAt    time.Time
	Name         string
	Address      string
	TLSCACert    string
	TLSServerSAN string
	// contains filtered or unexported fields
}
func NewRemote ¶
func NewRemote(
	name, address, tlsCACert, tlsServerSAN string,
	tlsClientCertEnc, tlsClientKeyEnc []byte,
) *Remote
NewRemote creates a new remote object.
func Remotes ¶
Remotes returns one or more remotes from the database. An optional filter can be passed to limit the results.
func (*Remote) ClientTLSConfig ¶
ClientTLSConfig returns the TLS client configuration.
func (*Remote) Delete ¶
Delete removes the remote record from the database. Either the remote ID or name must be set for the lookup.
type Resource ¶
type Resource string
Resources are object types that can be acted upon.
func ResourceFromString ¶
ResourceFromString returns a valid Resource from a string value.
type Role ¶
type Role struct {
	ID          uint64
	Name        string
	Permissions []Permission
	// contains filtered or unexported fields
}
A Role is a grouping of permissions which guard access to specific resources and actions that can be performed upon them.
func Roles ¶
Roles returns one or more roles from the database. An optional filter can be passed to limit the results.
func (*Role) Delete ¶
Delete removes the role data from the database. Either the role ID or Name must be set for the lookup. It returns an error if the role doesn't exist. If force is true, it will remove the role even if it's currently assigned to existing users.
type User ¶
type User struct {
	ID                uint64
	Name              string
	Type              UserType
	Roles             []*Role
	PublicKey         *[32]byte
	PrivateKey        *[32]byte
	PrivateKeyHashEnc sql.Null[string]
}
func Users ¶
Users returns one or more users from the database. An optional filter can be passed to limit the results.
func (*User) Delete ¶
Delete removes the user data from the database. Either the user ID or Name must be set for the lookup. It returns an error if the user doesn't exist.