metadata


Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateRefreshToken

func GenerateRefreshToken() (string, error)

GenerateRefreshToken generates a cryptographically secure refresh token (32 bytes)

func HTTPStatusForErrorCode

func HTTPStatusForErrorCode(code ErrorCode) int

HTTPStatusForErrorCode returns the appropriate HTTP status code for an error code

func LogSecurityEvent

func LogSecurityEvent(logger *slog.Logger, event string, sessionID, agentName string, result string, err error)

LogSecurityEvent logs security-relevant events

func ValidateBootstrapToken

func ValidateBootstrapToken(claims *identity.OARClaims) error

ValidateBootstrapToken validates that the token is a bootstrap JWT

func ValidateErrorCode

func ValidateErrorCode(code ErrorCode) bool

ValidateErrorCode validates that an error code is one of the known codes

func ValidateSessionToken

func ValidateSessionToken(claims *identity.OARClaims) error

ValidateSessionToken validates that the token is a session JWT

func WriteErrorResponse

func WriteErrorResponse(w http.ResponseWriter, code ErrorCode, description string)

WriteErrorResponse writes a standardized error response to the response writer

func WriteErrorResponseWithStatus

func WriteErrorResponseWithStatus(w http.ResponseWriter, statusCode int, code ErrorCode, description string)

WriteErrorResponseWithStatus writes a standardized error response with explicit status code

func WriteErrorResponseWithURI

func WriteErrorResponseWithURI(w http.ResponseWriter, code ErrorCode, description string, errorURI string)

WriteErrorResponseWithURI writes a standardized error response with error_uri

Types

type AuditEvent

// AuditEvent is a structured audit record. It is a plain data struct that is
// serialized with encoding/json: the tag names are the keys a log consumer
// sees, and fields tagged omitempty are dropped when left at their zero value.
type AuditEvent struct {
	// Timestamp, Level, Event and Result carry no omitempty and are therefore
	// always emitted, even when empty.
	Timestamp       time.Time `json:"timestamp"`
	Level           string    `json:"level"`
	Event           string    `json:"event"`
	// SessionID and AgentName identify the caller; ServiceID and RuntimeID are
	// the same identity fields that IdentityInfoResponse exposes.
	SessionID       string    `json:"session_id,omitempty"`
	AgentName       string    `json:"agent_name,omitempty"`
	ServiceID       string    `json:"service_id,omitempty"`
	RuntimeID       string    `json:"runtime_id,omitempty"`
	Result          string    `json:"result"`
	// ErrorMessage is written to the log verbatim. NOTE(review): nothing in
	// this type redacts it, so callers must keep token and secret values out.
	ErrorMessage    string    `json:"error_message,omitempty"`
	// Request context. ClientIP is whatever the caller recorded; Server
	// listens on a Unix socket, so this may well be empty — confirm.
	StatusCode      int       `json:"status_code,omitempty"`
	RequestPath     string    `json:"request_path,omitempty"`
	RequestMethod   string    `json:"request_method,omitempty"`
	ClientIP        string    `json:"client_ip,omitempty"`
	// SecretName should name the secret that was requested (as passed to
	// LogSecretAccess), never hold its value.
	SecretName      string    `json:"secret_name,omitempty"`
	RateLimitStatus string    `json:"rate_limit_status,omitempty"`
}

AuditEvent represents a structured audit event

type AuditLogger

// AuditLogger provides structured audit logging. Construct it with
// NewAuditLogger(logger); its Log* methods cover authentication and
// authorization failures, token events, secret access and rate limiting,
// presumably each emitting one AuditEvent — confirm against the implementation.
type AuditLogger struct {
	// contains filtered or unexported fields
}

AuditLogger provides structured audit logging functionality

func NewAuditLogger

func NewAuditLogger(logger *slog.Logger) *AuditLogger

NewAuditLogger creates a new audit logger

func (*AuditLogger) LogAuthenticationFailure

func (al *AuditLogger) LogAuthenticationFailure(requestPath, requestMethod, reason string)

LogAuthenticationFailure logs authentication failures

func (*AuditLogger) LogAuthorizationFailure

func (al *AuditLogger) LogAuthorizationFailure(sessionID, agentName, requestPath, requestMethod, reason string)

LogAuthorizationFailure logs authorization failures

func (*AuditLogger) LogBootstrapExchange

func (al *AuditLogger) LogBootstrapExchange(sessionID, agentName, serviceID, runtimeID string, success bool, errMsg string)

LogBootstrapExchange logs a bootstrap token exchange event

func (*AuditLogger) LogInvalidToken

func (al *AuditLogger) LogInvalidToken(requestPath, requestMethod, reason string)

LogInvalidToken logs invalid token events

func (*AuditLogger) LogRateLimitViolation

func (al *AuditLogger) LogRateLimitViolation(requestPath, requestMethod string)

LogRateLimitViolation logs rate limit violations

func (*AuditLogger) LogSecretAccess

func (al *AuditLogger) LogSecretAccess(sessionID, agentName, secretName string, success bool, errMsg string)

LogSecretAccess logs secret access events

func (*AuditLogger) LogTokenRefresh

func (al *AuditLogger) LogTokenRefresh(sessionID, agentName string, success bool, errMsg string)

LogTokenRefresh logs a token refresh event

type AuthContext

// AuthContext is the authentication information ExtractAuthContext pulls
// out of a request.
type AuthContext struct {
	// Token is the credential as presented by the client. NOTE(review): it is
	// a bearer secret — avoid dumping this struct with %+v into logs.
	Token  string
	// Claims is the parsed form of Token; ValidateBootstrapToken and
	// ValidateSessionToken decide which kind of JWT it is.
	Claims *identity.OARClaims
}

AuthContext contains the authentication information extracted from a request

func ExtractAuthContext

func ExtractAuthContext(r *http.Request, jwtService jwt.JWTService) (*AuthContext, error)

ExtractAuthContext extracts the auth context from a request

type BootstrapExchangeRequest

// BootstrapExchangeRequest is the request body for HandleBootstrapExchange.
// It has no fields, so the bootstrap JWT is presumably carried outside the
// body (e.g. via ExtractAuthContext) — confirm against the handler.
type BootstrapExchangeRequest struct {
}

BootstrapExchangeRequest represents a bootstrap token exchange request

type BootstrapExchangeResponse

// BootstrapExchangeResponse is the body HandleBootstrapExchange returns on
// success: a session JWT plus the refresh token that later authorizes
// HandleRefreshToken. Both strings are credentials; do not log the struct.
type BootstrapExchangeResponse struct {
	JWT          string `json:"jwt"`
	RefreshToken string `json:"refresh_token"`
	// ExpiresIn has no unit stated here; OAuth-style responses use seconds —
	// confirm.
	ExpiresIn    int    `json:"expires_in"`
}

BootstrapExchangeResponse represents a bootstrap token exchange response

type Config

// Config holds the metadata service configuration. Each field's trailing
// comment names the environment variable NewConfig reads it from; the With*
// ConfigOption functions override individual fields after that.
type Config struct {
	// OIDC and orchestrator settings
	Issuer          string // OAR_ISSUER
	OrchestratorURL string // OAR_ORCHESTRATOR_URL

	// JWKS caching settings (TTL and refresh interval are in minutes, per
	// WithJWKSCacheTTL / WithJWKSRefreshInterval; IsStale treats age > 2x TTL
	// as stale)
	JWKSCachePath       string // OAR_JWKS_CACHE_PATH (default: /oar/identity/jwks.json)
	JWKSCacheTTL        int    // OAR_METADATA_JWKS_CACHE_TTL (default: 60 minutes)
	JWKSRefreshInterval int    // OAR_JWKS_REFRESH_INTERVAL (default: 30 minutes)

	// Bootstrap identity information (from pod environment)
	SessionID  string // OAR_SESSION_ID
	AgentName  string // OAR_AGENT_NAME
	AgentImage string // OAR_AGENT_IMAGE

	// Secret backend configuration.
	// NOTE(review): SecretAllowCrossAgent widens secret access beyond the
	// agent's own scope (see WithSecretAllowCrossAgent); leave it false unless
	// the deployment needs it, and watch LogSecretAccess output when it is set.
	SecretBackend         string // OAR_SECRET_BACKEND (aws, gcp, kubernetes, multi)
	SecretNamespace       string // OAR_SECRET_NAMESPACE
	SecretAllowCrossAgent bool   // OAR_SECRET_ALLOW_CROSS_AGENT
	AWSSecretRoleARN      string // OAR_AWS_SECRET_ROLE_ARN
	GCPProjectID          string // OAR_GCP_PROJECT_ID

	// Unix socket settings
	SocketPath string // OAR_METADATA_SOCKET_PATH (default: /oar/identity/metadata.sock)
}

Config holds the metadata service configuration

func NewConfig

func NewConfig(opts ...ConfigOption) *Config

NewConfig creates a new Config from environment variables

type ConfigOption

type ConfigOption func(*Config)

ConfigOption is a functional option for configuring Config

func WithAWSSecretRoleARN

func WithAWSSecretRoleARN(roleARN string) ConfigOption

WithAWSSecretRoleARN sets the AWS role ARN for secret access

func WithAgentImage

func WithAgentImage(image string) ConfigOption

WithAgentImage sets the agent image

func WithAgentName

func WithAgentName(name string) ConfigOption

WithAgentName sets the agent name

func WithGCPProjectID

func WithGCPProjectID(projectID string) ConfigOption

WithGCPProjectID sets the GCP project ID for secret access

func WithIssuer

func WithIssuer(issuer string) ConfigOption

WithIssuer sets the issuer URL

func WithJWKSCachePath

func WithJWKSCachePath(path string) ConfigOption

WithJWKSCachePath sets the JWKS cache path

func WithJWKSCacheTTL

func WithJWKSCacheTTL(minutes int) ConfigOption

WithJWKSCacheTTL sets the JWKS cache TTL in minutes

func WithJWKSRefreshInterval

func WithJWKSRefreshInterval(minutes int) ConfigOption

WithJWKSRefreshInterval sets the JWKS refresh interval in minutes

func WithOrchestratorURL

func WithOrchestratorURL(url string) ConfigOption

WithOrchestratorURL sets the orchestrator URL

func WithSecretAllowCrossAgent

func WithSecretAllowCrossAgent(allow bool) ConfigOption

WithSecretAllowCrossAgent allows cross-agent secret access

func WithSecretBackend

func WithSecretBackend(backend string) ConfigOption

WithSecretBackend sets the secret backend type

func WithSecretNamespace

func WithSecretNamespace(namespace string) ConfigOption

WithSecretNamespace sets the secret namespace prefix

func WithSessionID

func WithSessionID(id string) ConfigOption

WithSessionID sets the session ID

func WithSocketPath

func WithSocketPath(path string) ConfigOption

WithSocketPath sets the Unix socket path

type ErrorCode

type ErrorCode string

ErrorCode represents a standardized error code

// Known ErrorCode values. HTTPStatusForErrorCode maps each to an HTTP status,
// and ValidateErrorCode presumably accepts exactly this set — keep the two in
// step when adding a code.
const (
	// InvalidToken indicates a token validation failure
	InvalidToken ErrorCode = "invalid_token"
	// Unauthorized indicates an authentication failure
	Unauthorized ErrorCode = "unauthorized"
	// NotFound indicates a resource was not found
	NotFound ErrorCode = "not_found"
	// RateLimitExceeded indicates the rate limit was exceeded
	RateLimitExceeded ErrorCode = "rate_limit_exceeded"
	// InternalError indicates an internal server error; it is also the
	// fallback ErrorCodeFromError returns for unrecognized errors
	InternalError ErrorCode = "internal_error"
	// CircuitOpen indicates the circuit breaker is open
	CircuitOpen ErrorCode = "circuit_open"
	// InvalidRequest indicates a malformed or invalid request
	InvalidRequest ErrorCode = "invalid_request"
	// MethodNotAllowed indicates the HTTP method is not allowed
	MethodNotAllowed ErrorCode = "method_not_allowed"
	// ServiceUnavailable indicates a service is temporarily unavailable
	ServiceUnavailable ErrorCode = "service_unavailable"
)

func ErrorCodeFromError

func ErrorCodeFromError(err error) ErrorCode

ErrorCodeFromError attempts to map an error to an appropriate ErrorCode. It returns InternalError if the error doesn't match known patterns.

type ErrorResponse

// ErrorResponse is the standardized error body. The JSON keys follow the
// OAuth 2.0 error-response naming (error, error_description, error_uri).
// MarshalJSON is declared on *ErrorResponse, so encode a pointer (as
// NewErrorResponse returns) rather than a value to get the custom encoding.
type ErrorResponse struct {
	// Error is one of the ErrorCode constants.
	Error            ErrorCode `json:"error"`
	// ErrorDescription is always sent to the client. NOTE(review): keep
	// backend or internal error text out of it; record that in an AuditEvent.
	ErrorDescription string    `json:"error_description"`
	// ErrorURI is optional and set through the *WithURI constructors/writers.
	ErrorURI         string    `json:"error_uri,omitempty"`
}

ErrorResponse represents a standardized error response

func NewErrorResponse

func NewErrorResponse(code ErrorCode, description string) *ErrorResponse

NewErrorResponse creates a new ErrorResponse with the given code and description

func NewErrorResponseWithURI

func NewErrorResponseWithURI(code ErrorCode, description string, errorURI string) *ErrorResponse

NewErrorResponseWithURI creates a new ErrorResponse with the given code, description, and error_uri

func (*ErrorResponse) MarshalJSON

func (er *ErrorResponse) MarshalJSON() ([]byte, error)

MarshalJSON implements custom JSON marshaling for ErrorResponse

func (*ErrorResponse) String

func (er *ErrorResponse) String() string

String returns the JSON string representation of the error response

type Handlers

// Handlers groups the metadata service's HTTP handlers (bootstrap exchange,
// token refresh, identity info, secret retrieval). Build it with NewHandlers;
// the secret backend is supplied through WithHandlerSecretBackend.
type Handlers struct {
	// contains filtered or unexported fields
}

Handlers manages HTTP request handlers for the metadata service

func NewHandlers

func NewHandlers(
	jwtService jwt.JWTService,
	refreshTokenStore tokenstore.RefreshTokenStore,
	config *Config,
	logger *slog.Logger,
	opts ...HandlersOption,
) *Handlers

NewHandlers creates a new handlers instance

func (*Handlers) HandleBootstrapExchange

func (h *Handlers) HandleBootstrapExchange(w http.ResponseWriter, r *http.Request)

HandleBootstrapExchange handles POST /identity/bootstrap requests. It exchanges a bootstrap JWT for a session JWT plus a refresh token.

func (*Handlers) HandleGetSecret

func (h *Handlers) HandleGetSecret(w http.ResponseWriter, r *http.Request)

HandleGetSecret handles GET /secrets/{secret_name} requests. It retrieves a secret value from the configured secret backend.

func (*Handlers) HandleIdentityInfo

func (h *Handlers) HandleIdentityInfo(w http.ResponseWriter, r *http.Request)

HandleIdentityInfo handles GET /identity/info requests. It returns the current identity information from the JWT claims.

func (*Handlers) HandleRefreshToken

func (h *Handlers) HandleRefreshToken(w http.ResponseWriter, r *http.Request)

HandleRefreshToken handles POST /identity/refresh requests. It refreshes a session JWT using a refresh token.

type HandlersOption

type HandlersOption func(*Handlers)

HandlersOption is a functional option for configuring Handlers

func WithHandlerSecretBackend

func WithHandlerSecretBackend(backend secrets.SecretBackend) HandlersOption

WithHandlerSecretBackend sets the secret backend for the handlers

type HealthHandler

// HealthHandler serves the liveness (HandleLiveness) and readiness
// (HandleReadiness) probes; NewHealthHandler wires in the JWKSManager and
// Server it inspects.
type HealthHandler struct {
	// contains filtered or unexported fields
}

HealthHandler handles health check endpoints

func NewHealthHandler

func NewHealthHandler(jwksManager *JWKSManager, server *Server, logger *slog.Logger) *HealthHandler

NewHealthHandler creates a new health handler

func (*HealthHandler) HandleLiveness

func (h *HealthHandler) HandleLiveness(w http.ResponseWriter, r *http.Request)

HandleLiveness handles GET /healthz requests (liveness probe). It returns 200 if the HTTP server is responding.

func (*HealthHandler) HandleReadiness

func (h *HealthHandler) HandleReadiness(w http.ResponseWriter, r *http.Request)

HandleReadiness handles GET /ready requests (readiness probe). It returns 200 if the JWKS is loaded and fresh and the socket is accepting connections.

type IdentityInfoResponse

// IdentityInfoResponse is the body HandleIdentityInfo returns; per its doc
// the values come from the JWT claims. No field is omitempty, so every key
// is present in the JSON even when empty.
type IdentityInfoResponse struct {
	ServiceID  string `json:"service_id"`
	RuntimeID  string `json:"runtime_id"`
	AgentName  string `json:"agent_name"`
	AgentImage string `json:"agent_image"`
	SessionID  string `json:"session_id"`
}

IdentityInfoResponse represents identity information

type JWKSManager

// JWKSManager fetches and caches the orchestrator's JWKS. Start performs the
// initial fetch with exponential backoff and runs a background refresh that
// Stop ends; IsStale and LastRefreshTime expose cache freshness for the
// readiness probe.
type JWKSManager struct {
	// contains filtered or unexported fields
}

JWKSManager handles fetching and caching of JWKS from the orchestrator

func NewJWKSManager

func NewJWKSManager(config *Config, logger *slog.Logger) *JWKSManager

NewJWKSManager creates a new JWKS manager

func (*JWKSManager) GetJWKS

func (m *JWKSManager) GetJWKS() (interface{}, error)

GetJWKS returns the current cached JWKS

func (*JWKSManager) GetJWKSBytes

func (m *JWKSManager) GetJWKSBytes() ([]byte, error)

GetJWKSBytes returns the current cached JWKS as JSON bytes

func (*JWKSManager) IsStale

func (m *JWKSManager) IsStale() bool

IsStale reports whether the cached JWKS is stale (age greater than twice the TTL)

func (*JWKSManager) LastRefreshTime

func (m *JWKSManager) LastRefreshTime() time.Time

LastRefreshTime returns the time of the last successful refresh

func (*JWKSManager) Start

func (m *JWKSManager) Start(ctx context.Context) error

Start starts the JWKS manager and performs initial fetch with exponential backoff

func (*JWKSManager) Stop

func (m *JWKSManager) Stop(ctx context.Context) error

Stop stops the JWKS manager and background refresh

type LivenessResponse

// LivenessResponse is the body HandleLiveness returns.
type LivenessResponse struct {
	// Status is free-form text; the exact values are not shown here.
	Status string `json:"status"`
}

LivenessResponse represents the response from the liveness probe

type RateLimiter

// RateLimiter enforces a requests-per-minute limit on metadata endpoints.
// NewRateLimiter sets the rate and RateLimitMiddleware applies it, answering
// 429 when exceeded; Server.RegisterHandler wraps handlers with it.
type RateLimiter struct {
	// contains filtered or unexported fields
}

RateLimiter provides rate limiting functionality for metadata service endpoints

func NewRateLimiter

func NewRateLimiter(requestsPerMinute int, logger *slog.Logger) *RateLimiter

NewRateLimiter creates a new rate limiter with the specified requests per minute. requestsPerMinute: maximum requests allowed per minute (e.g., 100). burst: number of requests allowed in a burst (typically the same as requestsPerMinute); note that the signature shown above takes no separate burst argument.

func (*RateLimiter) RateLimitMiddleware

func (rl *RateLimiter) RateLimitMiddleware(next http.Handler) http.Handler

RateLimitMiddleware returns an HTTP middleware that enforces rate limiting. It responds with 429 Too Many Requests when the rate limit is exceeded.

type ReadinessResponse

// ReadinessResponse is the body HandleReadiness returns.
type ReadinessResponse struct {
	Status string          `json:"status"`
	// Checks maps a check name to pass/fail; per HandleReadiness the checks
	// cover JWKS load/freshness and the socket accepting connections.
	Checks map[string]bool `json:"checks"`
}

ReadinessResponse represents the response from the readiness probe

type RefreshTokenRequest

// RefreshTokenRequest is the body HandleRefreshToken expects.
type RefreshTokenRequest struct {
	// RefreshToken is the value issued in BootstrapExchangeResponse; it is a
	// bearer credential and must not be logged.
	RefreshToken string `json:"refresh_token"`
}

RefreshTokenRequest represents a refresh token request

type RefreshTokenResponse

// RefreshTokenResponse is the body HandleRefreshToken returns: a new session
// JWT only. NOTE(review): no new refresh token is included, which suggests
// refresh tokens are not rotated on use — confirm in HandleRefreshToken and
// the RefreshTokenStore.
type RefreshTokenResponse struct {
	JWT       string `json:"jwt"`
	// ExpiresIn has no unit stated here (seconds is the OAuth convention) — confirm.
	ExpiresIn int    `json:"expires_in"`
}

RefreshTokenResponse represents a refresh token response

type SecretResponse

// SecretResponse is the body HandleGetSecret returns.
type SecretResponse struct {
	// Value is the secret material itself, sent in clear JSON over the Unix
	// socket; never log a decoded SecretResponse.
	Value   string `json:"value"`
	// Version identifies which revision of the secret was returned; its
	// format depends on the backend and is not specified here.
	Version string `json:"version"`
}

SecretResponse represents a secret value response

type Server

// Server is the metadata service HTTP server listening on a Unix socket
// (Config.SocketPath). Handlers go through RegisterHandler /
// RegisterHandlerFunc, which apply rate limiting; Start and Stop manage the
// lifecycle and GetListener exposes the listener for tests.
type Server struct {
	// contains filtered or unexported fields
}

Server represents a metadata service HTTP server listening on a Unix socket

func NewServer

func NewServer(config *Config, logger *slog.Logger, opts ...ServerOption) *Server

NewServer creates a new metadata service server

func (*Server) GetListener

func (s *Server) GetListener() net.Listener

GetListener returns the underlying listener (primarily for testing)

func (*Server) RegisterHandler

func (s *Server) RegisterHandler(pattern string, handler http.Handler)

RegisterHandler registers an HTTP handler for a path with rate limiting

func (*Server) RegisterHandlerFunc

func (s *Server) RegisterHandlerFunc(pattern string, handler http.HandlerFunc)

RegisterHandlerFunc registers an HTTP handler function for a path with rate limiting

func (*Server) RegisterHealthHandlers

func (s *Server) RegisterHealthHandlers(jwksManager *JWKSManager)

RegisterHealthHandlers registers health check handlers with the server

func (*Server) Start

func (s *Server) Start(ctx context.Context) error

Start starts the metadata service server

func (*Server) Stop

func (s *Server) Stop(ctx context.Context) error

Stop gracefully stops the metadata service server

type ServerOption

type ServerOption func(*Server)

ServerOption is a functional option for configuring Server

func WithServerLogger

func WithServerLogger(logger *slog.Logger) ServerOption

WithServerLogger sets the logger for the server
