-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmanager.go
More file actions
104 lines (83 loc) · 2.81 KB
/
manager.go
File metadata and controls
104 lines (83 loc) · 2.81 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
// Copyright 2026 Hyperscale. All rights reserved.
// Use of this source code is governed by a MIT
// license that can be found in the LICENSE file.
package security
import (
"context"
"errors"
"fmt"
"go.opentelemetry.io/otel/codes"
)
// Manager orchestrates a chain of [Authenticator]s with first-success-wins
// semantics:
//
// - Authenticators are consulted in registration order.
// - The first authenticator whose Supports() returns true is invoked.
// - On success, the resulting Authentication is returned immediately;
// subsequent authenticators are NOT consulted.
// - On error, the next supporting authenticator is tried; if every one
// fails, the joined error is wrapped in [ErrAuthenticatorRefused].
// - If no authenticator supports the credential, [ErrUnsupportedCredential]
// is returned. The [Engine] then surfaces it as a 400 in the HTTP adapter.
//
// Manager is safe for concurrent use.
type Manager interface {
Authenticate(ctx context.Context, auth Authentication) (Authentication, error)
}
// NewManager returns a [Manager] consulting the given authenticators in
// order. Passing zero authenticators is allowed; the returned manager will
// always return [ErrUnsupportedCredential].
func NewManager(authenticators ...Authenticator) Manager {
cp := make([]Authenticator, len(authenticators))
copy(cp, authenticators)
return &manager{authenticators: cp}
}
type manager struct {
authenticators []Authenticator
}
// Authenticate implements [Manager].
func (m *manager) Authenticate(ctx context.Context, auth Authentication) (Authentication, error) {
ctx, span := tracer().Start(ctx, "security.Manager.Authenticate")
defer span.End()
span.SetAttributes(AttrAuthenticatorsCount.Int(len(m.authenticators)))
var (
anySupported bool
errs []error
)
for _, a := range m.authenticators {
if !a.Supports(auth) {
continue
}
anySupported = true
name := authenticatorName(a)
span.AddEvent("authenticator.try", trAttrName(name))
result, err := a.Authenticate(ctx, auth)
if err == nil {
span.SetAttributes(
AttrAuthenticated.Bool(true),
AttrAuthenticatorName.String(name),
)
return result, nil
}
errs = append(errs, fmt.Errorf("%s: %w", name, err))
}
if !anySupported {
err := ErrUnsupportedCredential
span.SetStatus(codes.Error, err.Error())
span.RecordError(err)
return auth, err
}
joined := errors.Join(errs...)
err := fmt.Errorf("%w: %w", ErrAuthenticatorRefused, joined)
span.SetStatus(codes.Error, ErrAuthenticatorRefused.Error())
span.RecordError(err)
return auth, err
}
// authenticatorName returns the [NamedAuthenticator] name if implemented, or
// the Go type name as a fallback.
func authenticatorName(a Authenticator) string {
if n, ok := a.(NamedAuthenticator); ok {
return n.AuthenticatorName()
}
return fmt.Sprintf("%T", a)
}