package sts
// Store Types enumerate the persistence backends a store can be configured
// with; the value is the literal string expected in configuration.
const (
	StoreTypeMemory = "memory" // in-process store
	StoreTypeFiler  = "filer"  // store backed by the SeaweedFS filer
	StoreTypeRedis  = "redis"  // store backed by Redis
)
// Provider Types name the identity-provider integrations selectable in
// configuration; the value is the literal string expected there.
const (
	ProviderTypeOIDC = "oidc"
	ProviderTypeLDAP = "ldap"
	ProviderTypeSAML = "saml"
)
// Policy Effects are the two outcomes a policy statement can declare.
// The capitalised spelling follows the AWS IAM "Effect" field.
const (
	EffectAllow = "Allow"
	EffectDeny  = "Deny"
)
// Default Paths are the base directories under which each store keeps its
// files when configuration does not override them. They follow the filer's
// /etc/ convention and are intended as filer paths rather than paths on the
// local filesystem.
const (
	DefaultSessionBasePath = "/etc/iam/sessions"
	DefaultPolicyBasePath  = "/etc/iam/policies"
	DefaultRoleBasePath    = "/etc/iam/roles"
)
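// Default Values fill in configuration fields that are left unset.
const (
	// DefaultTokenDuration is the lifetime of an issued token, in seconds
	// (1 hour). It is an untyped integer, not a time.Duration; callers
	// convert it.
	DefaultTokenDuration = 3600

	// DefaultMaxSessionLength is the upper bound on a session's lifetime,
	// in seconds (12 hours).
	DefaultMaxSessionLength = 43200

	// DefaultIssuer is the issuer identity used when configuration gives
	// none (presumably what ends up in the token's "iss" claim).
	DefaultIssuer = "seaweedfs-sts"

	// DefaultStoreType selects the filer-backed store so that state is
	// persisted rather than held only in memory.
	DefaultStoreType = StoreTypeFiler

	// MinSigningKeyLength is the smallest signing key, in bytes, that
	// configuration validation accepts.
	// NOTE(review): 16 bytes (128 bits) is below the 32-byte minimum that
	// RFC 7518 §3.2 requires for HS256. If the token signer uses an
	// HMAC-SHA-2 algorithm, this floor should be at least the hash output
	// size (32 for HS256) — confirm against the signer before raising it,
	// since existing configurations with shorter keys would stop validating.
	MinSigningKeyLength = 16
)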
// Configuration Field Names are the keys looked up in store and provider
// configuration. They are the on-the-wire camelCase spelling, so changing
// one silently orphans existing configuration.
const (
	ConfigFieldFilerAddress = "filerAddress"
	ConfigFieldBasePath     = "basePath"
	ConfigFieldIssuer       = "issuer"
	ConfigFieldClientID     = "clientId"
	// ConfigFieldClientSecret names a credential; its value should not
	// appear in logs or error messages.
	ConfigFieldClientSecret = "clientSecret"
	ConfigFieldJWKSUri      = "jwksUri"
	ConfigFieldScopes       = "scopes"
	ConfigFieldUserInfoUri  = "userInfoUri"
	ConfigFieldRedirectUri  = "redirectUri"
)
// Error Messages are the format strings behind this package's errors.
// Entries containing %w must be used with fmt.Errorf (errors.New would emit
// the verb literally) and wrap the underlying cause; %s and %d entries take
// one plain argument; the remainder are fixed text.

// Argument and configuration validation.
const (
	ErrConfigCannotBeNil         = "config cannot be nil"
	ErrProviderCannotBeNil       = "provider cannot be nil"
	ErrProviderNameEmpty         = "provider name cannot be empty"
	ErrProviderTypeEmpty         = "provider type cannot be empty"
	ErrTokenCannotBeEmpty        = "token cannot be empty"
	ErrSessionTokenCannotBeEmpty = "session token cannot be empty"
	ErrSessionIDCannotBeEmpty    = "session ID cannot be empty"
	ErrSTSServiceNotInitialized  = "STS service not initialized"
	ErrProviderNotInitialized    = "provider not initialized"
	ErrInvalidTokenDuration      = "token duration must be positive"
	ErrInvalidMaxSessionLength   = "max session length must be positive"
	ErrIssuerRequired            = "issuer is required"
	ErrSigningKeyTooShort        = "signing key must be at least %d bytes" // %d: the configured minimum (presumably MinSigningKeyLength)
	ErrFilerAddressRequired      = "filer address is required"
	ErrClientIDRequired          = "clientId is required for OIDC provider"
	ErrUnsupportedStoreType      = "unsupported store type: %s"
	ErrUnsupportedProviderType   = "unsupported provider type: %s"
)

// Token and session validation. The %w variants carry the parser or
// verifier error; when one of these is returned to a remote caller, consider
// logging the wrapped cause and echoing only the outer message, since the
// cause may describe the token's internals.
const (
	ErrInvalidTokenFormat      = "invalid session token format: %w"
	ErrSessionValidationFailed = "session validation failed: %w"
	ErrInvalidToken            = "invalid token: %w"
	ErrTokenNotValid           = "token is not valid"
	ErrInvalidTokenClaims      = "invalid token claims"
	ErrInvalidIssuer           = "invalid issuer"
	ErrMissingSessionID        = "missing session ID"
)
// JWT Claims are the claim names this package reads and writes. The first
// five are registered claim names (RFC 7519 §4.1); "token_type" is private
// to this package.
const (
	JWTClaimIssuer     = "iss"
	JWTClaimSubject    = "sub"
	JWTClaimAudience   = "aud"
	JWTClaimExpiration = "exp"
	JWTClaimIssuedAt   = "iat"
	JWTClaimTokenType  = "token_type" // presumably holds one of the TokenType* values
)
// Token Types distinguish the kinds of token this service issues.
const (
	TokenTypeSession = "session"
	TokenTypeAccess  = "access"
	TokenTypeRefresh = "refresh"
)
// AWS STS Actions are the action identifiers used in policy statements.
// AssumeRole and AssumeRoleWithWebIdentity match the AWS STS API;
// AssumeRoleWithCredentials and ValidateSession are extensions specific to
// this service.
const (
	ActionAssumeRole                = "sts:AssumeRole"
	ActionAssumeRoleWithWebIdentity = "sts:AssumeRoleWithWebIdentity"
	ActionAssumeRoleWithCredentials = "sts:AssumeRoleWithCredentials"
	ActionValidateSession           = "sts:ValidateSession"
)
// Session File Prefixes and extensions compose the file names the filer
// store writes under the Default*BasePath directories. Roles have an
// extension but no prefix constant, so role files are presumably named by
// role name alone.
const (
	SessionFilePrefix = "session_"
	SessionFileExt    = ".json"
	PolicyFilePrefix  = "policy_"
	PolicyFileExt     = ".json"
	RoleFileExt       = ".json"
)
// HTTP Headers used by this package, in canonical header-name form.
const (
	HeaderAuthorization = "Authorization"
	HeaderContentType   = "Content-Type"
	HeaderUserAgent     = "User-Agent"
)
// Content Types are the media types sent and accepted over HTTP.
const (
	ContentTypeJSON           = "application/json"
	ContentTypeFormURLEncoded = "application/x-www-form-urlencoded"
)
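// Default Test Values are fixtures shared by this package's tests. Because
// they live in a non-test file they are compiled into the package and
// exported. None of them is a real credential, and no production code path
// should fall back to them — worth confirming for the signing key in
// particular.
const (
	// TestSigningKey32Chars is, despite its name, 35 bytes long. It
	// clears MinSigningKeyLength, but do not infer the exact length from
	// the name.
	TestSigningKey32Chars = "test-signing-key-32-characters-long"

	TestIssuer       = "test-sts"
	TestClientID     = "test-client"
	TestSessionID    = "test-session-123"
	TestValidToken   = "valid_test_token"
	TestInvalidToken = "invalid_token"
	TestExpiredToken = "expired_token"
)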