Documentation
Index
- func MultiAuthMiddleware(iamService iam.Service) func(http.Handler) http.Handler
- func NewAuthzInterceptor(deps AuthzDependencies) connect.UnaryInterceptorFunc
- func NewAuthzMiddleware(deps AuthzDependencies) (func(http.Handler) http.Handler, error)
- func NewMultiAuthInterceptor(iamService iam.Service) connect.UnaryInterceptorFunc
- type AuthnDependencies
- type AuthzDependencies
Constants
This section is empty.
Variables
This section is empty.
Functions
func MultiAuthMiddleware
func MultiAuthMiddleware(iamService iam.Service) func(http.Handler) http.Handler
MultiAuthMiddleware is the Phase 3 unified authentication middleware.
This middleware:
- Extracts headers and cookies from HTTP request
- Calls iamService.AuthenticateRequest() which tries all authenticators
- Sets Principal in context if authentication succeeds
- Continues to next handler (authentication failure handled by authz)
Authentication flow:
- SessionAuthenticator checks grid.session cookie
- JWTAuthenticator checks Authorization: Bearer header
- First successful authenticator wins
- If all return (nil, nil): unauthenticated request (allowed)
- If any returns (nil, error): authentication failed (401)
This replaces the old authn.go middleware, which had 7 steps involving database queries and Casbin mutation. The new flow delegates everything to the IAM service, which uses the immutable cache for lock-free role resolution.
func NewAuthzInterceptor
func NewAuthzInterceptor(deps AuthzDependencies) connect.UnaryInterceptorFunc
NewAuthzInterceptor creates a Connect UnaryInterceptor that enforces Casbin policies. It checks permissions for each RPC call, including loading resource-specific attributes like state labels when necessary for a policy decision.
func NewAuthzMiddleware
func NewAuthzMiddleware(deps AuthzDependencies) (func(http.Handler) http.Handler, error)
NewAuthzMiddleware constructs a Chi middleware that enforces Casbin policies for HTTP requests. This middleware is focused on the Terraform HTTP backend; Connect RPC enforcement is handled via interceptors.
func NewMultiAuthInterceptor
func NewMultiAuthInterceptor(iamService iam.Service) connect.UnaryInterceptorFunc
NewMultiAuthInterceptor is the Phase 3 unified authentication interceptor for Connect RPC.
This interceptor:
- Extracts headers and metadata from Connect request
- Calls iamService.AuthenticateRequest() which tries all authenticators
- Sets Principal in context if authentication succeeds
- Continues to next handler (authentication failure handled by authz)
Authentication flow:
- SessionAuthenticator checks grid.session cookie (via Connect metadata)
- JWTAuthenticator checks Authorization: Bearer header
- First successful authenticator wins
- If all return (nil, nil): unauthenticated request (allowed)
- If any returns (nil, error): authentication failed (401)
This replaces the old session_interceptor.go and jwt_interceptor.go which had scattered authentication logic and Casbin mutation.
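The authentication flow described for MultiAuthMiddleware and NewMultiAuthInterceptor above, as an added example that is not this package's code: a minimal HTTP middleware over an authenticator chain with a stand-in session authenticator backed by a constructed in-memory store. Principal, Authenticator, SessionAuth, AuthenticateRequest and MultiAuth are assumed names; the JWT authenticator and the real IAM service are left out.

```go
package main // added example, not this package's own code; every type here is an assumption

import (
	"context"
	"errors"
	"net/http"
)

type Principal struct{ Subject string }
type ctxKey struct{}
// Authenticator contract: (nil, nil) no credential found; (p, nil) success; (nil, err) credential present but invalid.
type Authenticator func(r *http.Request) (*Principal, error)

// SessionAuth stands in for SessionAuthenticator: grid.session cookie checked against a constructed store.
func SessionAuth(sessions map[string]string) Authenticator {
	return func(r *http.Request) (*Principal, error) {
		if c, err := r.Cookie("grid.session"); err == nil {
			if sub, ok := sessions[c.Value]; ok {
				return &Principal{Subject: sub}, nil
			}
			return nil, errors.New("invalid session") // present but bad: fail closed
		}
		return nil, nil // no cookie: defer to the next authenticator
	}
}

// AuthenticateRequest runs the chain: first success wins, any error fails, all-silent is unauthenticated (allowed).
func AuthenticateRequest(r *http.Request, chain []Authenticator) (*Principal, error) {
	for _, a := range chain {
		if p, err := a(r); err != nil || p != nil {
			return p, err
		}
	}
	return nil, nil
}

// MultiAuth is the middleware: 401 on error; otherwise the Principal (nil if unauthenticated) is put in the context and the handler runs.
func MultiAuth(chain []Authenticator) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			p, err := AuthenticateRequest(r, chain)
			if err != nil {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			r = r.WithContext(context.WithValue(r.Context(), ctxKey{}, p))
			next.ServeHTTP(w, r)
		})
	}
}
```

A missing cookie and an invalid cookie are deliberately different outcomes: the first passes through for the authz layer to decide, the second fails the request before any handler runs.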
Types
type AuthnDependencies
type AuthnDependencies struct {
	Sessions        repository.SessionRepository
	Users           repository.UserRepository
	UserRoles       repository.UserRoleRepository
	ServiceAccounts repository.ServiceAccountRepository
	RevokedJTIs     repository.RevokedJTIRepository
	GroupRoles      repository.GroupRoleRepository
	Roles           repository.RoleRepository
	Enforcer        casbin.IEnforcer
}
AuthnDependencies provides repository access for authentication operations.
Phase 6 Note: This struct is deprecated and will be removed in Phase 6. It is currently still used by the auth handlers (HandleInternalLogin, HandleSSOCallback, HandleWhoAmI, HandleLogout), which will be refactored to use the IAM service instead.
New code should use the IAM service (services/iam) instead of this struct.