Constants ¶
const AppRegistryPageID ultimate_db.PageID = 20
AppRegistryPageID is the ultimate_db page reserved for the IAM application registry. It is chosen to be distinct from orchid_sync's Index (10) and Metadata (11) page IDs so registry records never share a page with either; note that a distinct page number only keeps the data apart — any access boundary between pages has to be enforced by the DB layer, not by this constant.
Functions ¶
func EnforcePolicy ¶
func EnforcePolicy(pe *secure_policy.PolicyEngine, sm *secure_policy.SessionManager, sdf *secure_data_format.SecureDataEngine, sysLog *logger.LogDispatcher, action, resource string) func(http.HandlerFunc) http.HandlerFunc
EnforcePolicy returns middleware that wraps an http.HandlerFunc. For every request it validates the caller's cryptographic session through sm, evaluates the Zero-Trust policy held by pe for the (action, resource) pair fixed at construction time, compiles a programmatic access grant via sdf, and records the resulting state transition through sysLog. Because action and resource are bound when the wrapper is built, a handler that serves several resources needs a separate EnforcePolicy wrapper per (action, resource); how the validated subject and grant are handed to the wrapped handler is not stated on this page — presumably via WithSubject and WithSDFGrant on the request context.
func GetSDFGrant ¶
GetSDFGrant returns the compiled SDF token previously stored in ctx by WithSDFGrant. Given the string return type, the result when no token was stored is presumably the empty string — confirm; callers must treat an empty result as "no grant" and never forward it as if it were a valid token.
func GetSubject ¶
GetSubject returns the authenticated identity string previously stored in ctx by WithSubject. Presumably it yields the empty string when nothing was stored — confirm; handlers should use this value, not a client-supplied field, as the acting subject.
func RegisterRoutes ¶
func RegisterRoutes(r *secure_network.Router, admin *AdminController, audit *AuditController, pe *secure_policy.PolicyEngine, sm *secure_policy.SessionManager, Logger *logger.LogDispatcher, configPath string)
RegisterRoutes reads the route configuration from configPath (the YAML Config type below) and binds each endpoint on r to the admin and audit controllers. pe, sm and Logger are exactly the inputs EnforcePolicy needs, so each route is presumably wrapped by that middleware — verify that no route is registered without it. The configuration file is deployment-controlled input and must be treated as trusted.
func WithSDFGrant ¶
WithSDFGrant returns a child of ctx carrying the compiled SDF token so that GetSDFGrant can retrieve it later in the request. The token is a credential: contexts that carry it should not be logged wholesale.
Types ¶
type AdminController ¶
// AdminController serves the administrative side of the IAM service:
// application registration and user-to-app assignment (RegisterApp,
// AssignUserToApp) plus ad-hoc SDF token compilation for HTTP handlers
// (SynthesizeIdentityToken).
//
// All fields are set by NewAdminController. Nothing on this page shows them
// being validated, so every field must be non-nil before the controller is
// used.
type AdminController struct {
	DB           *ultimate_db.DB                      // registry storage; RegisterApp appends records here
	PolicyEngine *secure_policy.PolicyEngine          // entitlement state updated by AssignUserToApp
	LocalBus     chan secure_network.SystemEvent      // shared with SCIMDaemon; presumably where AssignUserToApp publishes provisioning events — confirm
	Logger       *logger.LogDispatcher                // sink for state-change / audit log entries
	SDFEngine    *secure_data_format.SecureDataEngine // SDF compilation engine used by RegisterApp, AssignUserToApp and SynthesizeIdentityToken
}
func NewAdminController ¶
func NewAdminController(db *ultimate_db.DB, pe *secure_policy.PolicyEngine, bus chan secure_network.SystemEvent, log *logger.LogDispatcher, sdf *secure_data_format.SecureDataEngine) *AdminController
NewAdminController wires the controller to its dependencies (db, pe, bus, log, sdf) and returns it. Pass non-nil values: nothing on this page shows the constructor rejecting nil arguments.
func (*AdminController) AssignUserToApp ¶
func (a *AdminController) AssignUserToApp(identity Identity, appID string, actor string) error
AssignUserToApp grants identity access to the application appID. It evaluates the entitlement rule through the SDF script-token synthesis layer, updates the active policy engine, and then triggers asynchronous provisioning through the SCIM daemon. actor is the administrator performing the assignment and is recorded for audit; it should be taken from the authenticated request subject (GetSubject), never from a client-supplied field. The SCIM step is asynchronous, so a nil return means the policy update succeeded, not that the downstream provisioning has completed.
func (*AdminController) RegisterApp ¶
func (a *AdminController) RegisterApp(app Application, actor string) error
RegisterApp compiles a structural registration schema for app via SDF and appends an immutable record to the ledger state, attributed to actor. Because the record is immutable and Application includes SCIMToken, the SCIM credential supplied at registration is retained permanently in the ledger unless RegisterApp strips it first — confirm which is the case before passing real secrets in.
func (*AdminController) SynthesizeIdentityToken ¶
func (a *AdminController) SynthesizeIdentityToken(script, targetAddress, actor string, nonce uint64, profile secure_data_format.TokenProfile, args map[string]interface{}) (string, error)
SynthesizeIdentityToken lets HTTP handlers compile an ad-hoc SDF token: script is compiled with the given profile and args, bound to targetAddress, and attributed to actor. nonce is presumably a replay-protection value — the caller is responsible for its uniqueness. If script or args originate from the request body they must be validated or constrained before reaching this method, since they are executed by the SDF engine.
type Application ¶
// Application is a registered integration in the Zero-Trust catalog. It is
// both the registration input accepted by AdminController.RegisterApp and the
// record persisted to the registry.
//
// NOTE(review): SCIMToken is a bearer credential for the downstream SCIM
// endpoint, yet it carries an ordinary json tag rather than `json:"-"`.
// Any handler that encodes an Application (a registry listing, an audit
// view) will emit the secret unless it is cleared first, and RegisterApp
// appends the whole record to an immutable ledger, so rotating the token
// does not remove old values. Confirm that reads redact it, or keep the
// secret in a separate store.
type Application struct {
	ID             string `json:"app_id"`                   // registry key; presumably what AssignUserToApp's appID refers to
	Name           string `json:"name"`                     // human-readable label
	TargetURL      string `json:"target_url"`               // where the application lives; TODO confirm scheme/host are validated on registration
	AuthProtocol   string `json:"auth_protocol"`            // integration protocol with the target; accepted values are not enumerated on this page
	RequiredPolicy string `json:"required_policy"`          // policy name consulted before a user may be assigned — presumably; confirm
	SCIMEndpoint   string `json:"scim_endpoint,omitempty"`  // provisioning URL the SCIMDaemon calls; optional
	SCIMToken      string `json:"scim_token,omitempty"`     // secret for SCIMEndpoint — see NOTE above
	RegistryToken  string `json:"registry_token,omitempty"` // ProfileStructuredLog compilation receipt kept for 10-year archival
}
Application represents a registered integration in the Zero-Trust catalog, including the structural registry identity fields (RegistryToken). Note that SCIMToken is a secret and is serialised like any other field; callers that expose Application records must redact it.
func (Application) ToSDFArgs ¶
func (a Application) ToSDFArgs() map[string]interface{}
ToSDFArgs maps the application's catalog fields into the argument schema expected by the SDF engine. Whether SCIMToken and RegistryToken are included in the map is not visible on this page; if they are, the secret reaches the script layer and any log of the arguments — confirm and exclude it if so.
type AuditController ¶
// AuditController serves audit logs: it queries the orchid_sync search
// engine for log records, formats them for display (see LogDisplay — the
// exact formatting path is not shown on this page) and renders them through
// the GUI layer. The source has further unexported fields omitted here.
type AuditController struct {
	SearchEngine *orchid_sync.Engine                  // log search backend
	UI           *guikit.GUIKit                       // frontend the formatted logs are rendered into
	SDFEngine    *secure_data_format.SecureDataEngine // presumably verifies/compiles SDF tokens attached to log entries — confirm
	// contains filtered or unexported fields
}
func NewAuditController ¶
func NewAuditController(search *orchid_sync.Engine, ui *guikit.GUIKit, sdf *secure_data_format.SecureDataEngine) *AuditController
NewAuditController builds an AuditController from the search engine, GUI kit and SDF engine it depends on. Nothing on this page shows nil checks, so pass non-nil values.
type Config ¶
// Config is the YAML route configuration, presumably the file loaded from the
// configPath argument of RegisterRoutes. It is deployment-controlled, trusted
// input rather than user data. RouteConfig's fields are not shown on this page.
type Config struct {
	Routes []RouteConfig `yaml:"routes"` // one entry per endpoint binding
}
type Identity ¶
// Identity is the caller "passport" carried across the mesh and into the
// policy engine. It is JSON-serialised with short, JWT-style claim names.
//
// NOTE(review): SessionID and SDFToken are credentials, and with ordinary
// json tags they travel with every marshalled copy of the Identity (logs,
// mesh messages, API responses) — make sure each such copy is intentional
// or redacted. ExpiresAt is a time.Time under the `exp` key: encoding/json
// writes it as an RFC 3339 string, not the numeric seconds a JWT `exp` claim
// uses, so it will not round-trip through JWT tooling — confirm this is
// intended.
type Identity struct {
	Subject       string            `json:"sub"`                       // stable principal identifier; presumably what WithSubject/GetSubject carry in a context
	Type          IdentityType      `json:"type"`                      // human or machine (see IdentityType)
	Attributes    map[string]string `json:"attr,omitempty"`            // free-form attributes, presumably available to policy evaluation — confirm
	HardwareBound bool              `json:"hw_bound"`                  // true when the identity is backed by a TPM or passkey
	ExpiresAt     time.Time         `json:"exp"`                       // end of validity; see NOTE on its wire encoding
	SessionID     string            `json:"sid,omitempty"`             // session handle, presumably for the SessionManager
	SDFToken      string            `json:"sdf_token,omitempty"`       // active ephemeral ProfileGrant or proof-of-possession token
	StateRootHash string            `json:"state_root_hash,omitempty"` // cached deterministic state signature for fast mesh checks; it is a cache, so verify against the source of truth before relying on it — confirm
}
Identity is the universal passport shared by the mesh and the policy engines; it now also carries the SDF verification state (SDFToken, StateRootHash). Because it contains credentials (SessionID, SDFToken), copies of it should not be logged or returned to clients unredacted.
type IdentityType ¶
// IdentityType distinguishes human principals from machine/service principals.
// It is a string so the value serialises explicitly in JSON across the mesh.
type IdentityType string
IdentityType is a string type whose constants serialise explicitly ("human", "machine") in JSON across the QUIC mesh, rather than as opaque integers.
// Known IdentityType values.
const (
	// IdentityHuman marks an interactive human principal.
	IdentityHuman IdentityType = "human"
	// IdentityMachine marks a service or workload principal; the name
	// follows TPM 2.0 / service-key terminology.
	IdentityMachine IdentityType = "machine"
)
type IngestPayload ¶
type LogDisplay ¶
// LogDisplay is the view model for one log line in the GML frontend.
// Every field is a pre-formatted string; it carries no raw log record.
type LogDisplay struct {
	LevelClass string // presentation class, presumably derived from Level — confirm
	Level      string // severity label
	Time       string // already-formatted timestamp
	Service    string // originating service name
	Message    string // log text; TODO confirm the template escapes it on render
	TokenHash  string // trailing segment of the entry's cryptographic signature, shown so a reader can cross-check verification
}
LogDisplay is the presentation form of a log entry for the GML frontend UI: all fields are pre-formatted strings, and TokenHash exposes only the trailing segment of the entry's signature for visual cross-checking.
type RouteConfig ¶
type SCIMDaemon ¶
// SCIMDaemon is the background worker that provisions users to external
// applications over SCIM. Start consumes provisioning events from LocalBus
// (the same channel type AdminController holds, presumably shared with it)
// and calls each application's SCIMEndpoint with Client.
//
// NOTE(review): Client is not a parameter of NewSCIMDaemon, so check where it
// is set and that it has a Timeout — a zero-value http.Client has none, and a
// stalled SCIM endpoint would then block the worker indefinitely.
type SCIMDaemon struct {
	DB        *ultimate_db.DB                      // registry lookup, presumably for each app's SCIMEndpoint/SCIMToken — confirm
	LocalBus  chan secure_network.SystemEvent      // event source consumed by Start
	Client    *http.Client                         // outbound HTTP client for SCIM calls
	Logger    *logger.LogDispatcher                // log sink
	SDFEngine *secure_data_format.SecureDataEngine // compiles the verifiable downstream state sent with provisioning
}
SCIMDaemon performs asynchronous lifecycle management and external provisioning over SCIM, using the SDF engine to compile a verifiable representation of the downstream state it pushes.
func NewSCIMDaemon ¶
func NewSCIMDaemon(db *ultimate_db.DB, bus chan secure_network.SystemEvent, sysLog *logger.LogDispatcher, sdf *secure_data_format.SecureDataEngine) *SCIMDaemon
NewSCIMDaemon builds the SCIM background worker from db, bus, sysLog and sdf. Client is not among the parameters, so confirm where the http.Client is assigned and that it carries a Timeout; the daemon should not run with a zero-value client.
func (*SCIMDaemon) Start ¶
func (s *SCIMDaemon) Start()
Start begins consuming SCIM provisioning events from LocalBus. It takes no context and no stop signal, so how the worker is shut down (and whether Start blocks or spawns a goroutine) is not visible here — confirm before calling it from a request path.