middleware

package
v0.0.0-...-886bd2b Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 8, 2025 License: MIT Imports: 42 Imported by: 0

Documentation

Overview

Package middleware provides HTTP middleware for audit logging

Package middleware provides authentication and authorization middleware for the KubeChat API

Package middleware provides comprehensive authentication audit logging for security compliance

Package middleware provides enhanced error context and debugging for RBAC validation (Story 2.5)

Package middleware provides interactive permission resolution for KubeChat (Story 2.5)

Package middleware provides JWT token management for secure authentication

Package middleware provides multi-factor authentication support for KubeChat

Package middleware provides integration between MFA components (Story 2.4 Task 5)

Package middleware provides MFA policy management for enterprise MFA integration

Package middleware provides MFA session state management for KubeChat

Package middleware provides namespace access validation for Kubernetes RBAC integration

Package middleware provides RBAC permission suggestion engine for KubeChat (Story 2.5)

Package middleware provides RBAC permission validation for secure Kubernetes operations

Package middleware provides SAML authentication fallback for legacy enterprise systems

Package middleware provides enhanced security features for authentication

Package middleware provides administrative session management interface for security compliance

Package middleware provides session security hardening for enhanced protection

Index

Constants

This section is empty.

Variables

View Source 
var DefaultMFAOperations = map[string]MFAOperationConfig{
	"delete-namespace": {
		Operation:      "delete-namespace",
		RiskLevel:      MFARiskCritical,
		RequiresMFA:    true,
		MFAValidity:    5 * time.Minute,
		AllowedMethods: []MFAMethod{MFAMethodTOTP, MFAMethodHardwareToken, MFAMethodWebAuthn},
		Description:    "Delete Kubernetes namespace",
	},
	"delete-cluster-resource": {
		Operation:      "delete-cluster-resource",
		RiskLevel:      MFARiskHigh,
		RequiresMFA:    true,
		MFAValidity:    10 * time.Minute,
		AllowedMethods: []MFAMethod{MFAMethodTOTP, MFAMethodHardwareToken, MFAMethodSMS},
		Description:    "Delete cluster-scoped resources",
	},
	"modify-rbac": {
		Operation:      "modify-rbac",
		RiskLevel:      MFARiskHigh,
		RequiresMFA:    true,
		MFAValidity:    15 * time.Minute,
		AllowedMethods: []MFAMethod{MFAMethodTOTP, MFAMethodHardwareToken},
		Description:    "Modify RBAC permissions",
	},
	"access-secrets": {
		Operation:      "access-secrets",
		RiskLevel:      MFARiskHigh,
		RequiresMFA:    true,
		MFAValidity:    10 * time.Minute,
		AllowedMethods: []MFAMethod{MFAMethodTOTP, MFAMethodHardwareToken, MFAMethodWebAuthn},
		Description:    "Access Kubernetes secrets",
	},
	"production-deployment": {
		Operation:      "production-deployment",
		RiskLevel:      MFARiskMedium,
		RequiresMFA:    true,
		MFAValidity:    30 * time.Minute,
		AllowedMethods: []MFAMethod{MFAMethodTOTP, MFAMethodPush, MFAMethodSMS},
		Description:    "Deploy to production environment",
	},
}

High-risk operations that require MFA step-up

Functions

func CreateFallbackHandler 

func CreateFallbackHandler(authMiddleware *AuthMiddleware, samlProvider *SAMLProvider) fiber.Handler

CreateFallbackHandler creates a handler that attempts OIDC first, falls back to SAML

func CreateSAMLRoutes 

func CreateSAMLRoutes(app fiber.Router, samlProvider *SAMLProvider)

CreateSAMLRoutes creates all SAML-related routes

func EncodePrivateKeyToPEM 

func EncodePrivateKeyToPEM(privateKey *rsa.PrivateKey) string

EncodePrivateKeyToPEM encodes an RSA private key to PEM format

func GenerateSecretKey 

func GenerateSecretKey() (string, error)

GenerateSecretKey generates a base64-encoded secret key for HMAC

func GetSAMLProviderTemplates 

func GetSAMLProviderTemplates() map[string]SAMLConfig

SAMLProviderTemplate provides configuration templates for common SAML providers

func GetSupportedProviders 

func GetSupportedProviders() map[string]OIDCProvider

GetSupportedProviders returns a list of pre-configured provider templates

func NewAuditMiddleware 

func NewAuditMiddleware(config AuditConfig) fiber.Handler

NewAuditMiddleware creates a new audit middleware with the provided configuration

func SessionLifecycleAuditMiddleware 

func SessionLifecycleAuditMiddleware(collector EventCollectorInterface, serviceName, serviceVersion string) fiber.Handler

SessionLifecycleAuditMiddleware provides middleware for session lifecycle events

func ValidateProviderConfiguration 

func ValidateProviderConfiguration(provider OIDCProvider) error

ValidateProviderConfiguration validates that a provider configuration is complete

Types

type AccessRequest 

type AccessRequest struct {
	SessionID              string                 `json:"session_id"`
	UserID                 string                 `json:"user_id"`
	Operation              string                 `json:"operation"`
	Namespace              string                 `json:"namespace,omitempty"`
	UserGroups             []string               `json:"user_groups"`
	Role                   string                 `json:"role"`
	IPAddress              string                 `json:"ip_address"`
	UserAgent              string                 `json:"user_agent"`
	SessionContext         map[string]interface{} `json:"session_context"`
	StepUp                 bool                   `json:"step_up"`
	EmergencyAccess        bool                   `json:"emergency_access"`
	EmergencyJustification string                 `json:"emergency_justification,omitempty"`
}

AccessRequest represents a request for access evaluation

type AdminSessionManager 

type AdminSessionManager struct {
	// contains filtered or unexported fields
}

AdminSessionManager handles administrative session management operations

func NewAdminSessionManager 

func NewAdminSessionManager(config SessionAdminConfig) (*AdminSessionManager, error)

NewAdminSessionManager creates a new administrative session manager

func (*AdminSessionManager) BulkExtendSessions 

func (asm *AdminSessionManager) BulkExtendSessions(w http.ResponseWriter, r *http.Request)

BulkExtendSessions handles POST /admin/sessions/bulk/extend

func (*AdminSessionManager) BulkTerminateSessions 

func (asm *AdminSessionManager) BulkTerminateSessions(w http.ResponseWriter, r *http.Request)

BulkTerminateSessions handles POST /admin/sessions/bulk/terminate

func (*AdminSessionManager) GenerateActivityReport 

func (asm *AdminSessionManager) GenerateActivityReport(w http.ResponseWriter, r *http.Request)

GenerateActivityReport handles GET /admin/sessions/report

func (*AdminSessionManager) GenerateComplianceAudit 

func (asm *AdminSessionManager) GenerateComplianceAudit(w http.ResponseWriter, r *http.Request)

GenerateComplianceAudit handles GET /admin/sessions/compliance-audit

func (*AdminSessionManager) GetSecurityEvents 

func (asm *AdminSessionManager) GetSecurityEvents(w http.ResponseWriter, r *http.Request)

GetSecurityEvents handles GET /admin/sessions/security-events

func (*AdminSessionManager) GetSessionActivity 

func (asm *AdminSessionManager) GetSessionActivity(w http.ResponseWriter, r *http.Request)

GetSessionActivity handles GET /admin/sessions/activity

func (*AdminSessionManager) GetSessionDetails 

func (asm *AdminSessionManager) GetSessionDetails(w http.ResponseWriter, r *http.Request)

GetSessionDetails handles GET /admin/sessions/{sessionId}

func (*AdminSessionManager) GetSessionMetrics 

func (asm *AdminSessionManager) GetSessionMetrics(w http.ResponseWriter, r *http.Request)

GetSessionMetrics handles GET /admin/sessions/metrics

func (*AdminSessionManager) GetUserSessions 

func (asm *AdminSessionManager) GetUserSessions(w http.ResponseWriter, r *http.Request)

GetUserSessions handles GET /admin/sessions/user/{userId}

func (*AdminSessionManager) ListActiveSessions 

func (asm *AdminSessionManager) ListActiveSessions(w http.ResponseWriter, r *http.Request)

ListActiveSessions handles GET /admin/sessions

func (*AdminSessionManager) SetupAdminRoutes 

func (asm *AdminSessionManager) SetupAdminRoutes(router *mux.Router)

SetupAdminRoutes sets up admin session management routes

func (*AdminSessionManager) TerminateSession 

func (asm *AdminSessionManager) TerminateSession(w http.ResponseWriter, r *http.Request)

TerminateSession handles DELETE /admin/sessions/{sessionId}

func (*AdminSessionManager) TerminateUserSessions 

func (asm *AdminSessionManager) TerminateUserSessions(w http.ResponseWriter, r *http.Request)

TerminateUserSessions handles DELETE /admin/sessions/user/{userId}

type ApprovalInfo 

type ApprovalInfo struct {
	Required        bool                         `json:"required"`
	Approvers       []models.ApprovalRequirement `json:"approvers"`
	Status          ApprovalStatus               `json:"status"`
	SubmittedAt     *time.Time                   `json:"submitted_at,omitempty"`
	ApprovedAt      *time.Time                   `json:"approved_at,omitempty"`
	ApprovedBy      string                       `json:"approved_by,omitempty"`
	RejectedAt      *time.Time                   `json:"rejected_at,omitempty"`
	RejectedBy      string                       `json:"rejected_by,omitempty"`
	RejectionReason string                       `json:"rejection_reason,omitempty"`
	EscalatedAt     *time.Time                   `json:"escalated_at,omitempty"`
	EscalatedTo     []string                     `json:"escalated_to,omitempty"`
}

ApprovalInfo contains information about approval requirements and status

type ApprovalStatus 

type ApprovalStatus string

ApprovalStatus represents the status of an approval request 

const (
	ApprovalStatusPending   ApprovalStatus = "pending"
	ApprovalStatusApproved  ApprovalStatus = "approved"
	ApprovalStatusRejected  ApprovalStatus = "rejected"
	ApprovalStatusEscalated ApprovalStatus = "escalated"
	ApprovalStatusExpired   ApprovalStatus = "expired"
)

type AuditConfig 

type AuditConfig struct {
	// Collector is the audit event collector
	Collector EventCollectorInterface

	// ServiceName identifies the service generating audit events
	ServiceName string

	// ServiceVersion identifies the service version
	ServiceVersion string

	// SkipPaths are paths to skip auditing (e.g., health checks)
	SkipPaths []string

	// SkipMethods are HTTP methods to skip auditing
	SkipMethods []string

	// LogRequestBody enables request body logging
	LogRequestBody bool

	// LogResponseBody enables response body logging
	LogResponseBody bool

	// MaxBodySize limits the size of request/response bodies to log
	MaxBodySize int64

	// UserContextExtractor extracts user context from the request
	UserContextExtractor func(c fiber.Ctx) (*models.User, *models.SessionAuthContext, error)

	// CorrelationIDExtractor extracts correlation ID from request
	CorrelationIDExtractor func(c fiber.Ctx) string

	// TraceIDExtractor extracts trace ID from request
	TraceIDExtractor func(c fiber.Ctx) string
}

AuditConfig holds configuration for audit middleware

func DefaultAuditConfig 

func DefaultAuditConfig() AuditConfig

DefaultAuditConfig returns default audit middleware configuration

type AuditEntry 

type AuditEntry struct {
	Timestamp      time.Time `json:"timestamp"`
	User           string    `json:"user"`
	SessionID      string    `json:"session_id"`
	ValidationID   string    `json:"validation_id"`
	Resource       string    `json:"resource"`
	Verb           string    `json:"verb"`
	Namespace      string    `json:"namespace"`
	Allowed        bool      `json:"allowed"`
	Reason         string    `json:"reason"`
	ClientIP       string    `json:"client_ip,omitempty"`
	UserAgent      string    `json:"user_agent,omitempty"`
	CommandContext string    `json:"command_context,omitempty"`
}

AuditEntry represents an audit log entry for permission validation

type AuditSeverity 

type AuditSeverity string

AuditSeverity represents the severity level of audit events 

const (
	AuditSeverityInfo     AuditSeverity = "info"
	AuditSeverityWarning  AuditSeverity = "warning"
	AuditSeverityError    AuditSeverity = "error"
	AuditSeverityCritical AuditSeverity = "critical"
)

type AuthAuditConfig 

type AuthAuditConfig struct {
	RedisClient     redis.UniversalClient
	SecretKey       string        // HMAC secret key for tamper-proof signatures
	RetentionPeriod time.Duration // How long to retain audit logs (default: 7 years for compliance)
	SIEMIntegration bool          // Enable SIEM integration
	SIEMEndpoint    string        // SIEM system endpoint
	SIEMAPIKey      string        // SIEM API key
	BatchSize       int           // Batch size for high-performance logging (default: 100)
	FlushInterval   time.Duration // Flush interval for batched logs (default: 5 seconds)
}

AuthAuditConfig holds configuration for the audit logger

type AuthAuditEntry 

type AuthAuditEntry struct {
	// Event identification
	EventID   string        `json:"event_id"`
	EventType AuthEvent     `json:"event_type"`
	EventTime time.Time     `json:"event_time"`
	Severity  AuditSeverity `json:"severity"`

	// User context
	UserID           string   `json:"user_id,omitempty"`
	Username         string   `json:"username,omitempty"`
	Email            string   `json:"email,omitempty"`
	KubernetesUser   string   `json:"kubernetes_user,omitempty"`
	KubernetesGroups []string `json:"kubernetes_groups,omitempty"`

	// Session context
	SessionID         string `json:"session_id,omitempty"`
	DeviceFingerprint string `json:"device_fingerprint,omitempty"`

	// Request context
	IPAddress      string            `json:"ip_address,omitempty"`
	UserAgent      string            `json:"user_agent,omitempty"`
	RequestID      string            `json:"request_id,omitempty"`
	HTTPMethod     string            `json:"http_method,omitempty"`
	RequestPath    string            `json:"request_path,omitempty"`
	RequestHeaders map[string]string `json:"request_headers,omitempty"`

	// Authentication details
	AuthMethod   string `json:"auth_method,omitempty"`   // "oidc", "jwt", "saml"
	OIDCProvider string `json:"oidc_provider,omitempty"` // "google", "azure", "okta"
	TokenType    string `json:"token_type,omitempty"`    // "access", "refresh", "id"

	// Event details
	Success        bool                   `json:"success"`
	FailureReason  string                 `json:"failure_reason,omitempty"`
	ErrorCode      string                 `json:"error_code,omitempty"`
	Message        string                 `json:"message,omitempty"`
	AdditionalData map[string]interface{} `json:"additional_data,omitempty"`

	// Kubernetes command context (Story 2.3 AC2)
	KubernetesCommand    string `json:"kubernetes_command,omitempty"`
	NaturalLanguageInput string `json:"natural_language_input,omitempty"`

	// Security and compliance
	RiskScore       int      `json:"risk_score,omitempty"`       // 1-10 risk assessment
	ComplianceFlags []string `json:"compliance_flags,omitempty"` // SOC2, HIPAA, etc.

	// Tamper-proof signature (Story 2.3 requirement)
	Signature       string `json:"signature"`
	SignatureMethod string `json:"signature_method"`
}

AuthAuditEntry represents a comprehensive audit log entry for authentication events

type AuthAuditLogger 

type AuthAuditLogger struct {
	// contains filtered or unexported fields
}

AuthAuditLogger handles comprehensive authentication audit logging

func NewAuthAuditLogger 

func NewAuthAuditLogger(config AuthAuditConfig) (*AuthAuditLogger, error)

NewAuthAuditLogger creates a new authentication audit logger

func (*AuthAuditLogger) GetAuditMetrics 

func (a *AuthAuditLogger) GetAuditMetrics() map[string]interface{}

GetAuditMetrics returns audit logging metrics

func (*AuthAuditLogger) LogAuthEvent 

func (a *AuthAuditLogger) LogAuthEvent(ctx context.Context, event *AuthAuditEntry) error

LogAuthEvent logs a comprehensive authentication event with tamper-proof signature

func (*AuthAuditLogger) LogCommandExecution 

func (a *AuthAuditLogger) LogCommandExecution(ctx context.Context, userID, sessionID string, claims *JWTClaims, naturalLanguageInput, kubectlCommand string, req *http.Request) error

LogCommandExecution logs all commands with authenticated user identity (AC2)

func (*AuthAuditLogger) LogLoginAttempt 

func (a *AuthAuditLogger) LogLoginAttempt(ctx context.Context, userID, username, email string, success bool, failureReason string, req *http.Request) error

LogLoginAttempt logs authentication attempts (AC1)

func (*AuthAuditLogger) LogSessionEvent 

func (a *AuthAuditLogger) LogSessionEvent(ctx context.Context, eventType AuthEvent, sessionID, userID, reason string) error

LogSessionEvent logs session-related events (timeouts, terminations, etc.)

func (*AuthAuditLogger) LogSuspiciousActivity 

func (a *AuthAuditLogger) LogSuspiciousActivity(ctx context.Context, userID, sessionID, activity string, riskScore int, req *http.Request) error

LogSuspiciousActivity logs suspicious authentication patterns

func (*AuthAuditLogger) VerifySignature 

func (a *AuthAuditLogger) VerifySignature(entry *AuthAuditEntry) bool

VerifySignature verifies the tamper-proof signature of an audit entry

type AuthEvent 

type AuthEvent string

AuthEvent represents different types of authentication events for audit logging 

const (
	AuthEventLogin                   AuthEvent = "login"
	AuthEventLoginFailure            AuthEvent = "login_failure"
	AuthEventLogout                  AuthEvent = "logout"
	AuthEventTokenRefresh            AuthEvent = "token_refresh"
	AuthEventTokenRevocation         AuthEvent = "token_revocation"
	AuthEventSessionTimeout          AuthEvent = "session_timeout"
	AuthEventPasswordChange          AuthEvent = "password_change"
	AuthEventMFAChallenge            AuthEvent = "mfa_challenge"
	AuthEventMFASuccess              AuthEvent = "mfa_success"
	AuthEventMFAFailure              AuthEvent = "mfa_failure"
	AuthEventAccountLocked           AuthEvent = "account_locked"
	AuthEventPermissionDenied        AuthEvent = "permission_denied"
	AuthEventSuspiciousActivity      AuthEvent = "suspicious_activity"
	AuthEventSessionTermination      AuthEvent = "session_termination"
	AuthEventConcurrentLimitExceeded AuthEvent = "concurrent_limit_exceeded"
)

type AuthMiddleware 

type AuthMiddleware struct {
	// contains filtered or unexported fields
}

AuthMiddleware handles OIDC authentication for KubeChat

func NewAuthMiddleware 

func NewAuthMiddleware(providers []OIDCProvider, jwtService JWTServiceInterface, groupMapping *config.OIDCGroupMapping, mfaHandler *MFAHandler) (*AuthMiddleware, error)

NewAuthMiddleware creates a new authentication middleware instance

func (*AuthMiddleware) GetAuthURL 

func (m *AuthMiddleware) GetAuthURL(providerName string, state string) (string, error)

GetAuthURL returns the authorization URL for a specific provider

func (*AuthMiddleware) GetProviders 

func (m *AuthMiddleware) GetProviders() []string

GetProviders returns the list of configured provider names

func (*AuthMiddleware) HandleCallback 

func (m *AuthMiddleware) HandleCallback(c fiber.Ctx) error

HandleCallback processes the OIDC callback

func (*AuthMiddleware) ListProviders 

func (m *AuthMiddleware) ListProviders() fiber.Handler

ListProviders returns available authentication providers

func (*AuthMiddleware) RequireAuthentication 

func (m *AuthMiddleware) RequireAuthentication() fiber.Handler

RequireAuthentication middleware that requires valid authentication

type AuthenticationError 

type AuthenticationError struct {
	Code    string `json:"code"`
	Message string `json:"message"`
	Details string `json:"details,omitempty"`
}

AuthenticationError represents authentication-related errors

func (*AuthenticationError) Error 

func (e *AuthenticationError) Error() string

type BruteForceEntry 

type BruteForceEntry struct {
	Attempts    int       `json:"attempts"`
	LastAttempt time.Time `json:"last_attempt"`
	LockedUntil time.Time `json:"locked_until"`
	IsLocked    bool      `json:"is_locked"`
}

BruteForceEntry tracks failed attempts for an identifier

type BruteForceProtection 

type BruteForceProtection struct {
	// contains filtered or unexported fields
}

BruteForceProtection implements account lockout after failed attempts

func (*BruteForceProtection) ClearFailedAttempts 

func (bf *BruteForceProtection) ClearFailedAttempts(identifier string) error

ClearFailedAttempts clears failed attempts for an identifier (on successful login)

func (*BruteForceProtection) IsLocked 

func (bf *BruteForceProtection) IsLocked(identifier string) (bool, time.Time, error)

IsLocked checks if an identifier is currently locked due to brute force attempts

func (*BruteForceProtection) RecordFailedAttempt 

func (bf *BruteForceProtection) RecordFailedAttempt(identifier string) error

RecordFailedAttempt records a failed authentication attempt

type BulkSessionOperation 

type BulkSessionOperation struct {
	Operation   string         `json:"operation"` // "terminate", "extend", "audit"
	Criteria    SessionFilters `json:"criteria"`  // Selection criteria
	Reason      string         `json:"reason"`
	ScheduledAt time.Time      `json:"scheduled_at,omitempty"`
}

BulkSessionOperation represents bulk session operations for security incidents

type CacheAccess 

type CacheAccess struct {
	CacheKey  string        `json:"cache_key"`
	Operation string        `json:"operation"` // "get", "set", "delete"
	Hit       bool          `json:"hit"`
	Value     interface{}   `json:"value,omitempty"`
	TTL       time.Duration `json:"ttl,omitempty"`
	Error     string        `json:"error,omitempty"`
	Timestamp time.Time     `json:"timestamp"`
}

CacheAccess represents a cache access during evaluation

type CircuitBreaker 

type CircuitBreaker struct {
	// contains filtered or unexported fields
}

CircuitBreaker implements the circuit breaker pattern for external service calls

func NewCircuitBreaker 

func NewCircuitBreaker(config CircuitBreakerConfig) *CircuitBreaker

NewCircuitBreaker creates a new circuit breaker with the given configuration

func (*CircuitBreaker) Execute 

func (cb *CircuitBreaker) Execute(fn func() error) error

Execute runs a function with circuit breaker protection

func (*CircuitBreaker) ForceClose 

func (cb *CircuitBreaker) ForceClose()

ForceClose forces the circuit breaker to closed state

func (*CircuitBreaker) ForceOpen 

func (cb *CircuitBreaker) ForceOpen()

ForceOpen forces the circuit breaker to open state

func (*CircuitBreaker) GetMetrics 

func (cb *CircuitBreaker) GetMetrics() map[string]interface{}

GetMetrics returns current metrics for monitoring

func (*CircuitBreaker) IsClosed 

func (cb *CircuitBreaker) IsClosed() bool

IsClosed returns true if the circuit breaker is in closed state

func (*CircuitBreaker) IsHalfOpen 

func (cb *CircuitBreaker) IsHalfOpen() bool

IsHalfOpen returns true if the circuit breaker is in half-open state

func (*CircuitBreaker) IsOpen 

func (cb *CircuitBreaker) IsOpen() bool

IsOpen returns true if the circuit breaker is in open state

type CircuitBreakerConfig 

type CircuitBreakerConfig struct {
	FailureThreshold int                       `json:"failure_threshold"` // Number of failures to trigger open state
	SuccessThreshold int                       `json:"success_threshold"` // Number of successes to close from half-open
	Timeout          time.Duration             `json:"timeout"`           // Time to wait before transitioning to half-open
	MaxRequests      int                       `json:"max_requests"`      // Max requests allowed in half-open state
	OnStateChange    func(CircuitBreakerState) `json:"-"`                 // Callback for state changes
}

CircuitBreakerConfig holds configuration for the circuit breaker

type CircuitBreakerError 

type CircuitBreakerError struct {
	State   CircuitBreakerState `json:"state"`
	Message string              `json:"message"`
}

CircuitBreakerError represents errors from circuit breaker

func (*CircuitBreakerError) Error 

func (e *CircuitBreakerError) Error() string

type CircuitBreakerState 

type CircuitBreakerState int

CircuitBreakerState represents the state of the circuit breaker 

const (
	StateClosed CircuitBreakerState = iota
	StateOpen
	StateHalfOpen
)

type ComplianceConfig 

type ComplianceConfig struct {
	Frameworks      []ComplianceFramework `json:"frameworks"`
	ReportingPeriod string                `json:"reporting_period"` // daily, weekly, monthly
	RetentionDays   int                   `json:"retention_days"`
	AlertThresholds map[string]int        `json:"alert_thresholds"`
	NotificationURL string                `json:"notification_url,omitempty"`
}

Compliance Configuration

type ComplianceContext 

type ComplianceContext struct {
	Framework   ComplianceFramework `json:"framework"`
	ControlID   string              `json:"control_id"`
	Requirement string              `json:"requirement"`
	RiskLevel   string              `json:"risk_level"`
	Evidence    map[string]string   `json:"evidence,omitempty"`
}

Compliance Context

type ComplianceFramework 

type ComplianceFramework string

Compliance Framework Types 

const (
	ComplianceSOX      ComplianceFramework = "sox"
	ComplianceHIPAA    ComplianceFramework = "hipaa"
	CompliancePCI      ComplianceFramework = "pci"
	ComplianceSOC2     ComplianceFramework = "soc2"
	ComplianceGDPR     ComplianceFramework = "gdpr"
	ComplianceISO27001 ComplianceFramework = "iso27001"
)

type ComplianceReport 

type ComplianceReport struct {
	ID              string                   `json:"id"`
	Framework       ComplianceFramework      `json:"framework"`
	Period          string                   `json:"period"`
	GeneratedAt     time.Time                `json:"generated_at"`
	TotalEvents     int64                    `json:"total_events"`
	SecurityEvents  int64                    `json:"security_events"`
	ComplianceScore float64                  `json:"compliance_score"`
	Violations      []ComplianceViolation    `json:"violations"`
	Recommendations []string                 `json:"recommendations"`
	Controls        map[string]ControlStatus `json:"controls"`
}

Compliance Report

type ComplianceViolation 

type ComplianceViolation struct {
	ID          string    `json:"id"`
	ControlID   string    `json:"control_id"`
	Severity    string    `json:"severity"`
	Description string    `json:"description"`
	FirstSeen   time.Time `json:"first_seen"`
	LastSeen    time.Time `json:"last_seen"`
	Count       int       `json:"count"`
	Evidence    []string  `json:"evidence"`
}

type ConflictingPolicy 

type ConflictingPolicy struct {
	PolicyName   string   `json:"policy_name"`
	ConflictType string   `json:"conflict_type"` // "allow_deny", "precedence", "ambiguous"
	Description  string   `json:"description"`
	Resolution   string   `json:"resolution"`
	Affected     []string `json:"affected"`
}

ConflictingPolicy represents conflicting RBAC policies

type ControlStatus 

type ControlStatus struct {
	ID          string    `json:"id"`
	Name        string    `json:"name"`
	Status      string    `json:"status"` // compliant, non-compliant, partial
	Score       float64   `json:"score"`
	LastChecked time.Time `json:"last_checked"`
}

type CorrelationEntry 

type CorrelationEntry struct {
	Timestamp     time.Time              `json:"timestamp"`
	Component     string                 `json:"component"`
	Event         string                 `json:"event"`
	Details       map[string]interface{} `json:"details"`
	CorrelationID string                 `json:"correlation_id"`
}

CorrelationEntry represents an entry in the error correlation trail

type EmergencyAccessConfig 

type EmergencyAccessConfig struct {
	Enabled       bool     `json:"enabled"`
	AdminUsers    []string `json:"admin_users"`
	BypassCodes   []string `json:"bypass_codes"`
	AuditRequired bool     `json:"audit_required"`
}

EmergencyAccessConfig holds emergency access configuration

type EnhancedErrorDetails 

type EnhancedErrorDetails struct {
	PrimaryError         *models.PermissionError `json:"primary_error"`
	RootCause            string                  `json:"root_cause"`
	ErrorHierarchy       []string                `json:"error_hierarchy"`
	SystemContext        map[string]interface{}  `json:"system_context"`
	UserImpact           string                  `json:"user_impact"`
	AdminGuidance        *models.AdminGuidance   `json:"admin_guidance"`
	TroubleshootingSteps []TroubleshootingStep   `json:"troubleshooting_steps"`
	RelatedIssues        []RelatedIssue          `json:"related_issues,omitempty"`
	CorrelationTrail     []CorrelationEntry      `json:"correlation_trail"`
}

EnhancedErrorDetails provides comprehensive error information

type EnhancedRBACContext 

type EnhancedRBACContext struct {
	// contains filtered or unexported fields
}

EnhancedRBACContext provides enhanced error context and debugging for RBAC validation

func NewEnhancedRBACContext 

func NewEnhancedRBACContext(config EnhancedRBACContextConfig) *EnhancedRBACContext

NewEnhancedRBACContext creates a new enhanced RBAC context

func (*EnhancedRBACContext) AnalyzePermissionFailure 

func (ctx *EnhancedRBACContext) AnalyzePermissionFailure(reqCtx context.Context, userClaims *JWTClaims, request *PermissionRequest, originalError error) (*models.PermissionError, error)

AnalyzePermissionFailure provides detailed analysis of permission failures

func (*EnhancedRBACContext) EvaluatePermissionWithContext 

func (ctx *EnhancedRBACContext) EvaluatePermissionWithContext(reqCtx context.Context, userClaims *JWTClaims, request *PermissionRequest) (*PermissionEvaluationContext, error)

EvaluatePermissionWithContext performs comprehensive permission evaluation with full context

func (*EnhancedRBACContext) GetPermissionTrace 

func (ctx *EnhancedRBACContext) GetPermissionTrace(reqCtx context.Context, requestID string) (*PermissionEvaluationContext, error)

GetPermissionTrace retrieves the full trace of a permission evaluation

type EnhancedRBACContextConfig 

type EnhancedRBACContextConfig struct {
	KubeClient      kubernetes.Interface
	RedisClient     redis.UniversalClient
	Validator       *RBACValidator
	Advisor         *RBACAdvisor
	GuidanceService *models.UserGuidanceService
	AuditLogger     *AuthAuditLogger
	EnableTrace     bool
	CacheTTL        time.Duration
}

EnhancedRBACContextConfig holds configuration for enhanced RBAC context

type EvaluatedRule 

type EvaluatedRule struct {
	RuleSource    string            `json:"rule_source"` // "ClusterRole:admin", "Role:viewer"
	PolicyRule    rbacv1.PolicyRule `json:"policy_rule"`
	Matched       bool              `json:"matched"`
	MatchDetails  RuleMatchDetails  `json:"match_details"`
	Priority      int               `json:"priority"`
	ConflictsWith []string          `json:"conflicts_with,omitempty"`
}

EvaluatedRule represents a single RBAC rule that was evaluated

type EvaluationStep 

type EvaluationStep struct {
	StepNumber  int                    `json:"step_number"`
	StepType    string                 `json:"step_type"` // "cache_check", "api_call", "policy_eval", "decision"
	Description string                 `json:"description"`
	Timestamp   time.Time              `json:"timestamp"`
	Duration    time.Duration          `json:"duration"`
	Success     bool                   `json:"success"`
	Details     map[string]interface{} `json:"details"`
	Error       string                 `json:"error,omitempty"`
}

EvaluationStep represents a single step in permission evaluation

type EventCollectorInterface 

type EventCollectorInterface interface {
	CollectEvent(event *models.AuditEvent) error
	CollectEventWithTimeout(event *models.AuditEvent, timeout time.Duration) error
}

EventCollectorInterface defines the interface for audit event collection

type HardwareTokenConfig 

type HardwareTokenConfig struct {
	SupportedTypes []string          `json:"supported_types"` // "yubikey", "fido2", "webauthn"
	Settings       map[string]string `json:"settings"`
	Timeout        time.Duration     `json:"timeout"`
}

HardwareTokenConfig holds hardware token configuration

type IPSessionCount 

type IPSessionCount struct {
	IPAddress    string `json:"ip_address"`
	SessionCount int64  `json:"session_count"`
}

IPSessionCount represents session count by IP address

type InputRequirement 

type InputRequirement struct {
	Name        string           `json:"name"`
	Type        string           `json:"type"` // "text", "select", "multiselect", "boolean"
	Label       string           `json:"label"`
	Description string           `json:"description"`
	Required    bool             `json:"required"`
	Default     interface{}      `json:"default,omitempty"`
	Options     []StepOption     `json:"options,omitempty"`
	Validation  *InputValidation `json:"validation,omitempty"`
}

InputRequirement defines required user input for a step

type InputValidation 

type InputValidation struct {
	Pattern       string   `json:"pattern,omitempty"`
	MinLength     int      `json:"min_length,omitempty"`
	MaxLength     int      `json:"max_length,omitempty"`
	AllowedValues []string `json:"allowed_values,omitempty"`
	CustomRules   []string `json:"custom_rules,omitempty"`
}

InputValidation defines validation rules for user input

type InteractivePermissionResolver 

type InteractivePermissionResolver struct {
	// contains filtered or unexported fields
}

InteractivePermissionResolver provides interactive resolution workflows for permission issues

func NewInteractivePermissionResolver 

func NewInteractivePermissionResolver(
	kubeClient kubernetes.Interface,
	redisClient redis.UniversalClient,
	rbacContext *EnhancedRBACContext,
	advisor *RBACAdvisor,
	guidanceService *models.UserGuidanceService,
	auditLogger *AuthAuditLogger,
	config ResolverConfig,
) *InteractivePermissionResolver

NewInteractivePermissionResolver creates a new interactive permission resolver

func (*InteractivePermissionResolver) CancelSession 

func (r *InteractivePermissionResolver) CancelSession(ctx context.Context, sessionID string) error

CancelSession cancels an active session

func (*InteractivePermissionResolver) CreateEscalationRequest 

func (r *InteractivePermissionResolver) CreateEscalationRequest(ctx context.Context, sessionID, reason string) error

CreateEscalationRequest creates an escalation request for permission issues

func (*InteractivePermissionResolver) ExecuteNextStep 

func (r *InteractivePermissionResolver) ExecuteNextStep(ctx context.Context, sessionID string, userInput map[string]interface{}) (*InteractiveResolutionSession, error)

ExecuteNextStep executes the next step in an interactive resolution session

func (*InteractivePermissionResolver) GetAvailableAlternatives 

func (r *InteractivePermissionResolver) GetAvailableAlternatives(ctx context.Context, sessionID string) ([]models.AlternativeAction, error)

GetAvailableAlternatives provides alternative approaches for the user

func (*InteractivePermissionResolver) GetSession 

func (r *InteractivePermissionResolver) GetSession(ctx context.Context, sessionID string) (*InteractiveResolutionSession, error)

GetSession retrieves a session by ID (public method)

func (*InteractivePermissionResolver) ListActiveSessions 

func (r *InteractivePermissionResolver) ListActiveSessions(ctx context.Context, userID string) ([]string, error)

ListActiveSessions lists all active sessions for a user

func (*InteractivePermissionResolver) StartInteractiveResolution 

func (r *InteractivePermissionResolver) StartInteractiveResolution(ctx context.Context, userClaims *JWTClaims, permError *models.PermissionError) (*InteractiveResolutionSession, error)

StartInteractiveResolution starts an interactive resolution session for a permission error

func (*InteractivePermissionResolver) TestPermissionsWithDifferentRoles 

func (r *InteractivePermissionResolver) TestPermissionsWithDifferentRoles(ctx context.Context, sessionID string, roles []string) ([]PermissionTestResult, error)

TestPermissionsWithDifferentRoles tests permissions using role impersonation

type InteractiveResolutionSession 

type InteractiveResolutionSession struct {
	SessionID     string                  `json:"session_id"`
	UserContext   *JWTClaims              `json:"user_context"`
	OriginalError *models.PermissionError `json:"original_error"`
	WorkflowSteps []ResolutionStep        `json:"workflow_steps"`
	CurrentStep   int                     `json:"current_step"`
	Status        SessionStatus           `json:"status"`
	CreatedAt     time.Time               `json:"created_at"`
	UpdatedAt     time.Time               `json:"updated_at"`
	ExpiresAt     time.Time               `json:"expires_at"`
	Metadata      map[string]interface{}  `json:"metadata"`
	TestResults   []PermissionTestResult  `json:"test_results,omitempty"`
	ApprovalInfo  *ApprovalInfo           `json:"approval_info,omitempty"`
}

InteractiveResolutionSession represents an active resolution session

type JWTClaims 

type JWTClaims struct {
	// Existing fields (backward compatibility)
	UserID    string    `json:"user_id"`
	Email     string    `json:"email"`
	Name      string    `json:"name"`
	SessionID string    `json:"session_id"`
	IssuedAt  time.Time `json:"iat"`
	ExpiresAt time.Time `json:"exp"`

	// Enhanced RBAC fields
	Role   string   `json:"role"`   // Required KubeChat role
	Groups []string `json:"groups"` // Required OIDC groups

	// NEW: Kubernetes-specific RBAC fields
	KubernetesUser     string   `json:"kubernetes_user"`           // K8s user for impersonation
	KubernetesGroups   []string `json:"kubernetes_groups"`         // K8s groups for RBAC
	DefaultNamespace   string   `json:"default_namespace"`         // User's default namespace
	AllowedNamespaces  []string `json:"allowed_namespaces"`        // Accessible namespaces
	ClusterAccess      bool     `json:"cluster_access"`            // Cluster-level permissions
	ServiceAccountName string   `json:"service_account,omitempty"` // For service account auth

	// Claims metadata
	ClaimsVersion       int       `json:"claims_version"`        // For backward compatibility
	LastPermissionCheck time.Time `json:"last_permission_check"` // Claims freshness

	// MFA fields (Story 2.4)
	MFACompleted        bool          `json:"mfa_completed"`        // MFA validation status
	MFAMethod           string        `json:"mfa_method,omitempty"` // TOTP, SMS, Push, etc.
	MFATimestamp        time.Time     `json:"mfa_timestamp"`        // When MFA was completed
	MFAValidityDuration time.Duration `json:"mfa_validity"`         // How long MFA is valid
	RequiresMFAStepUp   bool          `json:"requires_mfa_stepup"`  // High-risk operation flag

	jwt.RegisteredClaims
}

JWTClaims represents the claims stored in JWT tokens with enhanced RBAC support

type JWTConfig 

type JWTConfig struct {
	PrivateKeyPEM        string        `json:"private_key_pem"`
	RedisAddr            string        `json:"redis_addr"`             // Redis server address (single instance)
	RedisCluster         []string      `json:"redis_cluster"`          // Redis cluster addresses
	RedisPassword        string        `json:"redis_password"`         // Redis password
	RedisDB              int           `json:"redis_db"`               // Redis database number
	TokenDuration        time.Duration `json:"token_duration"`         // Access token lifetime
	RefreshDuration      time.Duration `json:"refresh_duration"`       // Refresh token lifetime
	Issuer               string        `json:"issuer"`                 // JWT issuer
	PoolSize             int           `json:"pool_size"`              // Redis connection pool size
	MinIdleConns         int           `json:"min_idle_conns"`         // Minimum idle connections
	MaxRetries           int           `json:"max_retries"`            // Maximum retry attempts
	RetryDelay           time.Duration `json:"retry_delay"`            // Delay between retries
	DialTimeout          time.Duration `json:"dial_timeout"`           // Connection dial timeout
	ReadTimeout          time.Duration `json:"read_timeout"`           // Read operation timeout
	WriteTimeout         time.Duration `json:"write_timeout"`          // Write operation timeout
	EnableCircuitBreaker bool          `json:"enable_circuit_breaker"` // Enable circuit breaker for Redis failures

	// Enhanced Session Management (Story 2.3 Task 1)
	IdleTimeout     time.Duration `json:"idle_timeout"`      // Session idle timeout (default 4 hours)
	AbsoluteTimeout time.Duration `json:"absolute_timeout"`  // Session absolute timeout (default 24 hours)
	ConcurrentLimit int           `json:"concurrent_limit"`  // Max concurrent sessions per user (default 5)
	EnableIdleCheck bool          `json:"enable_idle_check"` // Enable idle timeout checking (default true)
}

JWTConfig holds configuration for JWT service

type JWTService 

type JWTService struct {
	// contains filtered or unexported fields
}

JWTService handles JWT token generation, validation, and management

func NewJWTService 

func NewJWTService(config JWTConfig) (*JWTService, error)

NewJWTService creates a new JWT service instance

func (*JWTService) BlacklistToken 

func (j *JWTService) BlacklistToken(sessionID string) error

BlacklistToken adds a token to the blacklist

func (*JWTService) CleanupExpiredSessions 

func (j *JWTService) CleanupExpiredSessions() error

CleanupExpiredSessions removes expired sessions from Redis

func (*JWTService) GenerateToken 

func (j *JWTService) GenerateToken(userID, email, name string) (*TokenPair, error)

GenerateToken creates a new JWT token for the user with basic claims

func (*JWTService) GenerateTokenWithClaims 

func (j *JWTService) GenerateTokenWithClaims(claims *JWTClaims) (*TokenPair, error)

GenerateTokenWithClaims creates a new JWT token with provided claims

func (*JWTService) GenerateTokenWithNamespaceValidation 

func (j *JWTService) GenerateTokenWithNamespaceValidation(claims *JWTClaims, validateNamespaces bool) (*TokenPair, error)

GenerateTokenWithNamespaceValidation creates a JWT token with optional namespace validation

func (*JWTService) GetAllActiveSessions 

func (j *JWTService) GetAllActiveSessions(userID string) ([]*SessionInfo, error)

GetAllActiveSessions retrieves all active sessions for a user

func (*JWTService) GetMFAStatus 

func (j *JWTService) GetMFAStatus(sessionID string) (*MFASessionStatus, error)

GetMFAStatus retrieves the MFA status for a session

func (*JWTService) GetPublicKey 

func (j *JWTService) GetPublicKey() *rsa.PublicKey

GetPublicKey returns the RSA public key for token verification

func (*JWTService) GetPublicKeyPEM 

func (j *JWTService) GetPublicKeyPEM() (string, error)

GetPublicKeyPEM returns the public key in PEM format

func (*JWTService) GetSessionInfo 

func (j *JWTService) GetSessionInfo(sessionID string) (*SessionInfo, error)

GetSessionInfo retrieves comprehensive session information

func (*JWTService) GetSessionMetrics 

func (j *JWTService) GetSessionMetrics() *SessionMetrics

GetSessionMetrics returns current session metrics

func (*JWTService) InvalidateMFAForSessions 

func (j *JWTService) InvalidateMFAForSessions(userID string) error

InvalidateMFAForSessions invalidates MFA for all sessions of a user

func (*JWTService) MigrateLegacyClaims 

func (j *JWTService) MigrateLegacyClaims(claims *JWTClaims) *JWTClaims

MigrateLegacyClaims upgrades v1 claims to v2 with default RBAC values

func (*JWTService) RefreshToken 

func (j *JWTService) RefreshToken(refreshToken string) (*TokenPair, error)

RefreshToken creates a new token pair using a refresh token

func (*JWTService) RefreshTokenWithNamespaceValidation 

func (j *JWTService) RefreshTokenWithNamespaceValidation(refreshToken string, validateNamespaces bool) (*TokenPair, error)

RefreshTokenWithNamespaceValidation refreshes a token with optional namespace validation

func (*JWTService) RequiresMFAStepUp 

func (j *JWTService) RequiresMFAStepUp(sessionID string, operation string) (bool, error)

RequiresMFAStepUp checks if a session requires MFA step-up for a specific operation

func (*JWTService) SetMFAHandler 

func (j *JWTService) SetMFAHandler(handler *MFAHandler)

SetMFAHandler sets the MFA handler for the JWT service (Story 2.4 Task 4)

func (*JWTService) SetMFAStepUpRequirement 

func (j *JWTService) SetMFAStepUpRequirement(sessionID string, required bool, operation string) error

SetMFAStepUpRequirement sets the MFA step-up requirement for a session

func (*JWTService) SetNamespaceValidator 

func (j *JWTService) SetNamespaceValidator(validator *NamespaceValidator)

SetNamespaceValidator sets the namespace validator for the JWT service

func (*JWTService) SetSessionTimeoutPolicies 

func (j *JWTService) SetSessionTimeoutPolicies(idle, absolute time.Duration) error

SetSessionTimeoutPolicies updates session timeout policies

func (*JWTService) TerminateAllUserSessions 

func (j *JWTService) TerminateAllUserSessions(userID string, reason string) error

TerminateAllUserSessions terminates all active sessions for a user

func (*JWTService) TerminateSession 

func (j *JWTService) TerminateSession(sessionID string, reason string) error

TerminateSession terminates a specific session with a reason

func (*JWTService) UpdateMFAStatus 

func (j *JWTService) UpdateMFAStatus(sessionID string, mfaCompleted bool, method string, validity time.Duration) error

UpdateMFAStatus updates the MFA status for a session

func (*JWTService) UpdateSessionActivity 

func (j *JWTService) UpdateSessionActivity(sessionID string) error

UpdateSessionActivity updates the last activity timestamp for a session

func (*JWTService) ValidateMFAForOperation 

func (j *JWTService) ValidateMFAForOperation(sessionID string, operation string) (bool, error)

ValidateMFAForOperation validates MFA status for a specific operation

func (*JWTService) ValidateToken 

func (j *JWTService) ValidateToken(tokenString string) (*JWTClaims, error)

ValidateToken validates and parses a JWT token

func (*JWTService) ValidateTokenWithRefresh 

func (j *JWTService) ValidateTokenWithRefresh(tokenString string, refreshPermissions bool) (*JWTClaims, error)

ValidateTokenWithRefresh validates a token and optionally refreshes permission information

type JWTServiceInterface 

type JWTServiceInterface interface {
	GenerateToken(userID, email, name string) (*TokenPair, error)
	GenerateTokenWithClaims(claims *JWTClaims) (*TokenPair, error)
	GenerateTokenWithNamespaceValidation(claims *JWTClaims, validateNamespaces bool) (*TokenPair, error)
	ValidateToken(tokenString string) (*JWTClaims, error)
	ValidateTokenWithRefresh(tokenString string, refreshPermissions bool) (*JWTClaims, error)
	RefreshToken(refreshToken string) (*TokenPair, error)
	RefreshTokenWithNamespaceValidation(refreshToken string, validateNamespaces bool) (*TokenPair, error)
	BlacklistToken(sessionID string) error
	CleanupExpiredSessions() error
	GetPublicKey() *rsa.PublicKey
	GetPublicKeyPEM() (string, error)
	MigrateLegacyClaims(claims *JWTClaims) *JWTClaims
	SetNamespaceValidator(validator *NamespaceValidator)

	// Enhanced Session Lifecycle Management (Story 2.3 Task 1)
	UpdateSessionActivity(sessionID string) error
	GetSessionInfo(sessionID string) (*SessionInfo, error)
	GetAllActiveSessions(userID string) ([]*SessionInfo, error)
	TerminateSession(sessionID string, reason string) error
	TerminateAllUserSessions(userID string, reason string) error
	SetSessionTimeoutPolicies(idle, absolute time.Duration) error
	GetSessionMetrics() *SessionMetrics

	// MFA Session State Management (Story 2.4 Task 4)
	UpdateMFAStatus(sessionID string, mfaCompleted bool, method string, validity time.Duration) error
	GetMFAStatus(sessionID string) (*MFASessionStatus, error)
	RequiresMFAStepUp(sessionID string, operation string) (bool, error)
	SetMFAStepUpRequirement(sessionID string, required bool, operation string) error
	ValidateMFAForOperation(sessionID string, operation string) (bool, error)
	InvalidateMFAForSessions(userID string) error
}

JWTServiceInterface defines the contract for JWT token operations

type KubernetesAPICall 

type KubernetesAPICall struct {
	CallID       string                 `json:"call_id"`
	APIPath      string                 `json:"api_path"`
	Method       string                 `json:"method"`
	RequestBody  interface{}            `json:"request_body,omitempty"`
	ResponseCode int                    `json:"response_code"`
	ResponseBody interface{}            `json:"response_body,omitempty"`
	Duration     time.Duration          `json:"duration"`
	Error        string                 `json:"error,omitempty"`
	Timestamp    time.Time              `json:"timestamp"`
	Metadata     map[string]interface{} `json:"metadata,omitempty"`
}

KubernetesAPICall represents a call to the Kubernetes API during evaluation

type MFAChallenge 

type MFAChallenge struct {
	ChallengeID  string                 `json:"challenge_id"`
	UserID       string                 `json:"user_id"`
	Method       MFAMethod              `json:"method"`
	CreatedAt    time.Time              `json:"created_at"`
	ExpiresAt    time.Time              `json:"expires_at"`
	AttemptCount int                    `json:"attempt_count"`
	MaxAttempts  int                    `json:"max_attempts"`
	Status       string                 `json:"status"` // "pending", "completed", "failed", "expired"
	ProviderData map[string]interface{} `json:"provider_data,omitempty"`
	SessionData  map[string]interface{} `json:"session_data,omitempty"`
}

MFAChallenge represents an active MFA challenge

type MFAComplianceReport 

type MFAComplianceReport struct {
	ReportID    string    `json:"report_id"`
	GeneratedAt time.Time `json:"generated_at"`
	PeriodStart time.Time `json:"period_start"`
	PeriodEnd   time.Time `json:"period_end"`

	// Overall statistics
	TotalAccessAttempts  int64 `json:"total_access_attempts"`
	MFARequiredAttempts  int64 `json:"mfa_required_attempts"`
	MFACompletedAttempts int64 `json:"mfa_completed_attempts"`
	MFAFailedAttempts    int64 `json:"mfa_failed_attempts"`
	EmergencyAccessCount int64 `json:"emergency_access_count"`

	// Compliance rates
	MFAComplianceRate    float64 `json:"mfa_compliance_rate"`
	PolicyComplianceRate float64 `json:"policy_compliance_rate"`

	// Breakdown by policy
	PolicyStats map[string]*PolicyStats `json:"policy_stats"`

	// Risk analysis
	RiskFactorStats    map[RiskFactorType]int64 `json:"risk_factor_stats"`
	HighRiskOperations []OperationStat          `json:"high_risk_operations"`

	// User analysis
	TopNonCompliantUsers []UserComplianceStats `json:"top_non_compliant_users"`
	MFAMethodUsage       map[MFAMethod]int64   `json:"mfa_method_usage"`
}

MFAComplianceReport represents MFA compliance reporting data

type MFAConfig 

type MFAConfig struct {
	Enabled          bool                   `json:"enabled"`
	RequiredMethods  []MFAMethod            `json:"required_methods"`
	TOTPConfig       TOTPConfig             `json:"totp_config"`
	SMSConfig        SMSConfig              `json:"sms_config"`
	PushConfig       PushConfig             `json:"push_config"`
	HardwareConfig   HardwareTokenConfig    `json:"hardware_config"`
	PolicyConfig     MFAPolicyEngineConfig  `json:"policy_config"`
	ProviderSettings map[string]interface{} `json:"provider_settings"`
}

MFAConfig holds configuration for MFA methods

type MFAHandler 

type MFAHandler struct {
	// contains filtered or unexported fields
}

MFAHandler manages multi-factor authentication challenges and validation

func NewMFAHandler 

func NewMFAHandler(config MFAConfig, redisClient *redis.Client, jwtService JWTServiceInterface) *MFAHandler

NewMFAHandler creates a new MFA handler instance

func (*MFAHandler) CheckEmergencyAccess 

func (h *MFAHandler) CheckEmergencyAccess(ctx context.Context, userID, emergencyCode string) (bool, error)

CheckEmergencyAccess checks if emergency access is allowed

func (*MFAHandler) CreateChallenge 

func (h *MFAHandler) CreateChallenge(ctx context.Context, userID string, method MFAMethod, sessionData map[string]interface{}) (*MFAChallenge, error)

CreateChallenge creates a new MFA challenge for a user

func (*MFAHandler) CreateRetryStrategy 

func (h *MFAHandler) CreateRetryStrategy(challenge *MFAChallenge, failureReason string) map[string]interface{}

CreateRetryStrategy creates a retry strategy for failed MFA attempts

func (*MFAHandler) GenerateTOTPSecret 

func (h *MFAHandler) GenerateTOTPSecret(accountName string) (string, string, error)

GenerateTOTPSecret generates a new TOTP secret for user enrollment

func (*MFAHandler) GetMFAErrorMessage 

func (h *MFAHandler) GetMFAErrorMessage(errorType string, method MFAMethod, context map[string]interface{}) string

GetMFAErrorMessage returns user-friendly error messages

func (*MFAHandler) GetMFAMethodDisplayName 

func (h *MFAHandler) GetMFAMethodDisplayName(method MFAMethod) string

GetMFAMethodDisplayName returns user-friendly display names for MFA methods

func (*MFAHandler) GetMFAStepGuidance 

func (h *MFAHandler) GetMFAStepGuidance(method MFAMethod) []string

GetMFAStepGuidance provides step-by-step guidance for MFA completion

func (*MFAHandler) GetSupportedMethods 

func (h *MFAHandler) GetSupportedMethods() []MFAMethod

GetSupportedMethods returns all supported MFA methods

func (*MFAHandler) GetUserFriendlyInstruction 

func (h *MFAHandler) GetUserFriendlyInstruction(method MFAMethod, step string) string

GetUserFriendlyInstruction returns user-friendly instructions for MFA methods

func (*MFAHandler) HandleEmergencyAccess 

func (h *MFAHandler) HandleEmergencyAccess() fiber.Handler

HandleEmergencyAccess handles emergency access requests

func (*MFAHandler) HandleMFAChallenge 

func (h *MFAHandler) HandleMFAChallenge() fiber.Handler

HandleMFAChallenge creates a new MFA challenge

func (*MFAHandler) HandleMFAMethodSwitch 

func (h *MFAHandler) HandleMFAMethodSwitch() fiber.Handler

HandleMFAMethodSwitch allows users to switch between MFA methods

func (*MFAHandler) HandleMFAValidation 

func (h *MFAHandler) HandleMFAValidation() fiber.Handler

HandleMFAValidation validates an MFA challenge response

func (*MFAHandler) IsHighRiskOperation 

func (h *MFAHandler) IsHighRiskOperation(operation string) bool

IsHighRiskOperation checks if an operation is considered high-risk and requires fresh MFA

func (*MFAHandler) RequiresMFA 

func (h *MFAHandler) RequiresMFA(ctx context.Context, claims *JWTClaims, clientIP string, userAgent string) (bool, []MFAMethod, error)

RequiresMFA determines if MFA is required for a user based on policy

func (*MFAHandler) UpdateMFAStatus 

func (h *MFAHandler) UpdateMFAStatus(claims *JWTClaims, method MFAMethod, validityDuration time.Duration)

UpdateMFAStatus updates the MFA status in JWT claims

func (*MFAHandler) ValidateChallenge 

func (h *MFAHandler) ValidateChallenge(ctx context.Context, challengeID string, response map[string]interface{}) (*MFAResponse, error)

ValidateChallenge validates an MFA challenge response

type MFAIntegrationConfig 

type MFAIntegrationConfig struct {
	DefaultPolicyEngine bool          `json:"default_policy_engine"` // Use default policy engine
	AuditLoggingEnabled bool          `json:"audit_logging_enabled"` // Enable audit logging
	ComplianceMode      bool          `json:"compliance_mode"`       // Enable strict compliance mode
	HealthCheckInterval time.Duration `json:"health_check_interval"` // Health check interval
}

MFAIntegrationConfig holds configuration for MFA integration service

type MFAIntegrationDecision 

type MFAIntegrationDecision struct {
	SessionID          string                 `json:"session_id"`
	UserID             string                 `json:"user_id"`
	Operation          string                 `json:"operation"`
	PolicyDecision     *PolicyDecision        `json:"policy_decision"`
	CurrentMFAStatus   *MFASessionStatus      `json:"current_mfa_status"`
	RequiredAction     MFARequiredAction      `json:"required_action"`
	ChallengeRequired  bool                   `json:"challenge_required"`
	Challenge          *MFAChallenge          `json:"challenge,omitempty"`
	Reason             string                 `json:"reason"`
	ComplianceMetadata map[string]interface{} `json:"compliance_metadata"`
}

MFAIntegrationDecision represents a comprehensive MFA decision

type MFAIntegrationService 

type MFAIntegrationService struct {
	// contains filtered or unexported fields
}

MFAIntegrationService provides unified access to all MFA components

func NewMFAIntegrationService 

func NewMFAIntegrationService(
	handler *MFAHandler,
	policyEngine *MFAPolicyEngine,
	sessionManager *MFASessionManager,
	jwtService JWTServiceInterface,
	config MFAIntegrationConfig,
) *MFAIntegrationService

NewMFAIntegrationService creates a new MFA integration service

func (*MFAIntegrationService) EvaluateAccess 

func (s *MFAIntegrationService) EvaluateAccess(ctx context.Context, request AccessRequest) (*MFAIntegrationDecision, error)

EvaluateAccess performs comprehensive MFA evaluation for access requests

func (*MFAIntegrationService) GenerateComplianceReport 

func (s *MFAIntegrationService) GenerateComplianceReport(ctx context.Context, startTime, endTime time.Time) (*MFAComplianceReport, error)

GenerateComplianceReport generates a comprehensive compliance report

func (*MFAIntegrationService) GetUserMFAStatus 

func (s *MFAIntegrationService) GetUserMFAStatus(ctx context.Context, userID string) (*UserMFAStatus, error)

GetUserMFAStatus provides comprehensive MFA status for a user

func (*MFAIntegrationService) HealthCheck 

func (s *MFAIntegrationService) HealthCheck(ctx context.Context) map[string]interface{}

Health check method

func (*MFAIntegrationService) InvalidateUserMFA 

func (s *MFAIntegrationService) InvalidateUserMFA(ctx context.Context, userID string, reason string) error

InvalidateUserMFA invalidates MFA for all sessions of a user

func (*MFAIntegrationService) RefreshPolicies 

func (s *MFAIntegrationService) RefreshPolicies(ctx context.Context) error

RefreshPolicies reloads MFA policies from storage

func (*MFAIntegrationService) ValidateMFAChallenge 

func (s *MFAIntegrationService) ValidateMFAChallenge(ctx context.Context, challengeID string, response map[string]interface{}) (*MFAValidationResult, error)

ValidateMFAChallenge validates an MFA challenge response and updates session state

type MFAMethod 

type MFAMethod string

MFAMethod represents different MFA methods 

const (
	MFAMethodTOTP          MFAMethod = "TOTP"
	MFAMethodSMS           MFAMethod = "SMS"
	MFAMethodPush          MFAMethod = "PUSH"
	MFAMethodHardwareToken MFAMethod = "HARDWARE_TOKEN"
	MFAMethodFIDO2         MFAMethod = "FIDO2"
	MFAMethodWebAuthn      MFAMethod = "WEBAUTHN"
)

type MFAOperationConfig 

type MFAOperationConfig struct {
	Operation      string           `json:"operation"`
	RiskLevel      MFAOperationRisk `json:"risk_level"`
	RequiresMFA    bool             `json:"requires_mfa"`
	MFAValidity    time.Duration    `json:"mfa_validity"`
	AllowedMethods []MFAMethod      `json:"allowed_methods"`
	Description    string           `json:"description"`
}

MFAOperationConfig defines MFA requirements for operations

type MFAOperationRisk 

type MFAOperationRisk string

MFAOperationRisk defines risk levels for operations requiring MFA step-up 

const (
	MFARiskLow      MFAOperationRisk = "LOW"
	MFARiskMedium   MFAOperationRisk = "MEDIUM"
	MFARiskHigh     MFAOperationRisk = "HIGH"
	MFARiskCritical MFAOperationRisk = "CRITICAL"
)

type MFAPolicy 

type MFAPolicy struct {
	Name        string `json:"name"`
	Description string `json:"description"`
	Enabled     bool   `json:"enabled"`
	Priority    int    `json:"priority"` // Higher priority overrides lower

	// Target criteria
	UserGroups       []string `json:"user_groups"`       // OIDC/SAML groups
	KubernetesGroups []string `json:"kubernetes_groups"` // K8s RBAC groups
	Roles            []string `json:"roles"`             // KubeChat roles
	Namespaces       []string `json:"namespaces"`        // Namespace restrictions

	// MFA requirements
	RequireMFA          bool          `json:"require_mfa"`
	AllowedMethods      []MFAMethod   `json:"allowed_methods"` // TOTP, SMS, Push, Hardware
	MFAValidityDuration time.Duration `json:"mfa_validity_duration"`
	StepUpOperations    []string      `json:"stepup_operations"` // Operations requiring fresh MFA
	StepUpInterval      time.Duration `json:"stepup_interval"`   // How fresh MFA must be for step-up

	// Risk-based conditions
	RiskFactors    []RiskFactor `json:"risk_factors"`
	ConditionalMFA bool         `json:"conditional_mfa"` // Enable risk-based MFA

	// Emergency access
	AllowEmergencyAccess bool        `json:"allow_emergency_access"`
	EmergencyMethods     []MFAMethod `json:"emergency_methods"`

	// Compliance and audit
	LogAllAccess       bool `json:"log_all_access"`      // Log all access attempts
	ComplianceRequired bool `json:"compliance_required"` // Mark as compliance-critical

	// Temporal restrictions
	ActiveHours    *TimeWindow `json:"active_hours,omitempty"`
	ExpirationDate *time.Time  `json:"expiration_date,omitempty"`

	CreatedAt time.Time `json:"created_at"`
	UpdatedAt time.Time `json:"updated_at"`
	CreatedBy string    `json:"created_by"`
}

MFAPolicy defines MFA requirements for different user groups and scenarios

type MFAPolicyConfig 

type MFAPolicyConfig struct {
	EnforceForAllUsers    bool                   `json:"enforce_for_all_users"`
	UserGroupRequirements map[string][]MFAMethod `json:"user_group_requirements"`
	RiskBasedMFA          RiskBasedMFAConfig     `json:"risk_based_mfa"`
	EmergencyAccess       EmergencyAccessConfig  `json:"emergency_access"`
}

MFAPolicyConfig holds MFA policy configuration

type MFAPolicyEngine 

type MFAPolicyEngine struct {
	// contains filtered or unexported fields
}

MFAPolicyEngine manages enterprise MFA policies and enforcement (Story 2.4 Task 5)

func NewMFAPolicyEngine 

func NewMFAPolicyEngine(redisClient redis.UniversalClient, config MFAPolicyEngineConfig) *MFAPolicyEngine

NewMFAPolicyEngine creates a new MFA policy engine

func (*MFAPolicyEngine) CreatePolicy 

func (e *MFAPolicyEngine) CreatePolicy(policy *MFAPolicy) error

CreatePolicy creates a new MFA policy

func (*MFAPolicyEngine) DeletePolicy 

func (e *MFAPolicyEngine) DeletePolicy(policyName string) error

DeletePolicy deletes an MFA policy

func (*MFAPolicyEngine) EvaluatePolicy 

func (e *MFAPolicyEngine) EvaluatePolicy(ctx context.Context, evalCtx PolicyEvaluationContext) (*PolicyDecision, error)

EvaluatePolicy evaluates MFA policies for a given context

func (*MFAPolicyEngine) GenerateComplianceReport 

func (e *MFAPolicyEngine) GenerateComplianceReport(startTime, endTime time.Time) (*MFAComplianceReport, error)

GenerateComplianceReport generates an MFA compliance report for the specified period

func (*MFAPolicyEngine) GetPolicy 

func (e *MFAPolicyEngine) GetPolicy(policyName string) (*MFAPolicy, error)

GetPolicy retrieves a specific MFA policy

func (*MFAPolicyEngine) ListPolicies 

func (e *MFAPolicyEngine) ListPolicies() map[string]*MFAPolicy

ListPolicies returns all MFA policies

func (*MFAPolicyEngine) UpdatePolicy 

func (e *MFAPolicyEngine) UpdatePolicy(policy *MFAPolicy) error

UpdatePolicy updates an existing MFA policy

type MFAPolicyEngineConfig 

type MFAPolicyEngineConfig struct {
	DefaultPolicy            string        `json:"default_policy"`             // Default policy name
	PolicyRefreshInterval    time.Duration `json:"policy_refresh_interval"`    // How often to refresh policies
	EmergencyAccessEnabled   bool          `json:"emergency_access_enabled"`   // Enable emergency access
	ComplianceLoggingEnabled bool          `json:"compliance_logging_enabled"` // Enable compliance logging
	PolicyCacheTimeout       time.Duration `json:"policy_cache_timeout"`       // Policy cache timeout

	// Legacy fields for backward compatibility with MFAConfig
	EnforceForAllUsers    bool                   `json:"enforce_for_all_users"`
	UserGroupRequirements map[string][]MFAMethod `json:"user_group_requirements"`
	RiskBasedMFA          RiskBasedMFAConfig     `json:"risk_based_mfa"`
	EmergencyAccess       EmergencyAccessConfig  `json:"emergency_access"`
}

MFAPolicyEngineConfig holds configuration for MFA policy engine

type MFARequiredAction 

type MFARequiredAction string

MFARequiredAction defines the required MFA action 

const (
	MFAActionAllow          MFARequiredAction = "allow"           // Allow access without MFA
	MFAActionRequireInitial MFARequiredAction = "require_initial" // Require initial MFA
	MFAActionRequireStepUp  MFARequiredAction = "require_stepup"  // Require MFA step-up
	MFAActionDeny           MFARequiredAction = "deny"            // Deny access
	MFAActionEmergency      MFARequiredAction = "emergency"       // Allow emergency access
)

type MFAResponse 

type MFAResponse struct {
	Success          bool          `json:"success"`
	Message          string        `json:"message"`
	Method           MFAMethod     `json:"method"`
	NextStep         string        `json:"next_step,omitempty"`
	ChallengeID      string        `json:"challenge_id,omitempty"`
	ExpiresAt        time.Time     `json:"expires_at,omitempty"`
	RetryAfter       int           `json:"retry_after,omitempty"` // seconds
	SessionID        string        `json:"session_id,omitempty"`
	UserID           string        `json:"user_id,omitempty"`
	ValidityDuration time.Duration `json:"validity_duration,omitempty"`
	ErrorMessage     string        `json:"error_message,omitempty"`
}

MFAResponse represents the response to an MFA challenge

type MFASessionManager 

type MFASessionManager struct {
	// contains filtered or unexported fields
}

MFASessionManager handles MFA session state and step-up authentication

func NewMFASessionManager 

func NewMFASessionManager(redisClient *redis.Client, jwtService JWTServiceInterface, mfaHandler *MFAHandler, auditLogger *AuthAuditLogger) *MFASessionManager

NewMFASessionManager creates a new MFA session manager

func (*MFASessionManager) CompleteMFAStepUp 

func (m *MFASessionManager) CompleteMFAStepUp(ctx context.Context, sessionID, operation, method string) error

CompleteMFAStepUp completes MFA step-up authentication after successful challenge validation

func (*MFASessionManager) GetMFAOperationRequirements 

func (m *MFASessionManager) GetMFAOperationRequirements() fiber.Handler

GetMFAOperationRequirements returns MFA requirements for all operations

func (*MFASessionManager) GetMFAStatus 

func (m *MFASessionManager) GetMFAStatus(ctx context.Context, sessionID string) (*MFASessionStatus, error)

GetMFAStatus retrieves MFA status for a session

func (*MFASessionManager) GetSessionMFAStatus 

func (m *MFASessionManager) GetSessionMFAStatus() fiber.Handler

GetSessionMFAStatus returns current MFA status for the user's session

func (*MFASessionManager) InvalidateMFAForSessions 

func (m *MFASessionManager) InvalidateMFAForSessions(ctx context.Context, userID string) error

InvalidateMFAForSessions invalidates MFA for all sessions of a user

func (*MFASessionManager) InvalidateSessionMFA 

func (m *MFASessionManager) InvalidateSessionMFA() fiber.Handler

InvalidateSessionMFA invalidates MFA for the current session

func (*MFASessionManager) RequiresMFAMiddleware 

func (m *MFASessionManager) RequiresMFAMiddleware(operation string) fiber.Handler

RequiresMFAMiddleware is a middleware that checks if an operation requires MFA

func (*MFASessionManager) SetMFAStepUpRequirement 

func (m *MFASessionManager) SetMFAStepUpRequirement(ctx context.Context, sessionID string, required bool, operation string) error

SetMFAStepUpRequirement sets MFA step-up requirement for a session

func (*MFASessionManager) UpdateMFAStatus 

func (m *MFASessionManager) UpdateMFAStatus(ctx context.Context, sessionID, userID string, mfaCompleted bool, method string, validity time.Duration) error

UpdateMFAStatus updates the MFA status for a session

func (*MFASessionManager) ValidateMFAForOperation 

func (m *MFASessionManager) ValidateMFAForOperation(ctx context.Context, sessionID, operation string) (bool, error)

ValidateMFAForOperation checks if MFA is valid for a specific operation

type MFASessionStatus 

type MFASessionStatus struct {
	SessionID           string        `json:"session_id"`
	UserID              string        `json:"user_id"`
	MFACompleted        bool          `json:"mfa_completed"`
	MFAMethod           string        `json:"mfa_method,omitempty"`
	MFATimestamp        time.Time     `json:"mfa_timestamp"`
	MFAValidityDuration time.Duration `json:"mfa_validity_duration"`
	MFAExpiresAt        time.Time     `json:"mfa_expires_at"`
	RequiresMFAStepUp   bool          `json:"requires_mfa_stepup"`
	StepUpOperations    []string      `json:"stepup_operations,omitempty"`
	LastMFAValidation   time.Time     `json:"last_mfa_validation"`
	MFAFailureCount     int           `json:"mfa_failure_count"`
	MFALockedUntil      time.Time     `json:"mfa_locked_until,omitempty"`
}

MFASessionStatus represents the MFA status for a session (Story 2.4)

type MFAValidationResult 

type MFAValidationResult struct {
	Success      bool      `json:"success"`
	SessionID    string    `json:"session_id"`
	UserID       string    `json:"user_id"`
	Method       MFAMethod `json:"method"`
	CompletedAt  time.Time `json:"completed_at"`
	ErrorCode    string    `json:"error_code,omitempty"`
	ErrorMessage string    `json:"error_message,omitempty"`
}

MFAValidationResult represents the result of MFA challenge validation

type NamespaceAccessResult 

type NamespaceAccessResult struct {
	AllowedNamespaces []string        `json:"allowed_namespaces"`
	DefaultNamespace  string          `json:"default_namespace"`
	ClusterAccess     bool            `json:"cluster_access"`
	AccessMap         map[string]bool `json:"access_map"` // namespace -> has access
	ValidationTime    time.Time       `json:"validation_time"`
	CacheHit          bool            `json:"cache_hit"`
}

NamespaceAccessResult represents the result of namespace access validation

type NamespaceValidator 

type NamespaceValidator struct {
	// contains filtered or unexported fields
}

NamespaceValidator handles namespace access validation for users

func NewNamespaceValidator 

func NewNamespaceValidator(config NamespaceValidatorConfig) (*NamespaceValidator, error)

NewNamespaceValidator creates a new namespace validator

func (*NamespaceValidator) GetCacheHitRatio 

func (nv *NamespaceValidator) GetCacheHitRatio() float64

GetCacheHitRatio returns the cache hit ratio

func (*NamespaceValidator) GetCacheStats 

func (nv *NamespaceValidator) GetCacheStats(ctx context.Context) (map[string]interface{}, error)

GetCacheStats returns cache statistics

func (*NamespaceValidator) GetMetrics 

func (nv *NamespaceValidator) GetMetrics() *ValidationMetrics

GetMetrics returns current validation metrics

func (*NamespaceValidator) InvalidateAllCache 

func (nv *NamespaceValidator) InvalidateAllCache(ctx context.Context) error

InvalidateAllCache clears all namespace validation cache

func (*NamespaceValidator) InvalidateUserCache 

func (nv *NamespaceValidator) InvalidateUserCache(ctx context.Context, kubernetesUser string) error

InvalidateUserCache invalidates cached results for a user

func (*NamespaceValidator) IsPerformanceTarget 

func (nv *NamespaceValidator) IsPerformanceTarget() map[string]bool

IsPerformanceTarget checks if performance targets are being met

func (*NamespaceValidator) ResetMetrics 

func (nv *NamespaceValidator) ResetMetrics()

ResetMetrics resets all metrics

func (*NamespaceValidator) ValidateNamespaceAccess 

func (nv *NamespaceValidator) ValidateNamespaceAccess(ctx context.Context, request ValidationRequest) (*NamespaceAccessResult, error)

ValidateNamespaceAccess validates which namespaces a user can access

type NamespaceValidatorConfig 

type NamespaceValidatorConfig struct {
	// Kubernetes client configuration
	KubeConfig *rest.Config

	// Redis configuration for caching
	RedisClient   redis.UniversalClient
	CacheTTL      time.Duration
	EnableCaching bool
	CachePrefix   string

	// Performance tuning
	BatchSize      int
	MaxConcurrency int
}

NamespaceValidatorConfig holds configuration for the namespace validator

type OIDCProvider 

type OIDCProvider struct {
	Name         string   `json:"name"`
	Issuer       string   `json:"issuer"`
	ClientID     string   `json:"client_id"`
	ClientSecret string   `json:"client_secret"`
	RedirectURL  string   `json:"redirect_url"`
	Scopes       []string `json:"scopes"`
	// Provider-specific settings
	ExtraParams map[string]string `json:"extra_params,omitempty"`
}

OIDCProvider represents configuration for different OIDC providers

type OperationStat 

type OperationStat struct {
	Operation        string `json:"operation"`
	Count            int64  `json:"count"`
	MFARequiredCount int64  `json:"mfa_required_count"`
	FailureCount     int64  `json:"failure_count"`
}

OperationStat holds statistics for high-risk operations

type PermissionEvaluationContext 

type PermissionEvaluationContext struct {
	RequestID          string                      `json:"request_id"`
	Timestamp          time.Time                   `json:"timestamp"`
	UserContext        *JWTClaims                  `json:"user_context"`
	Request            *PermissionRequest          `json:"request"`
	EvaluationPath     []EvaluationStep            `json:"evaluation_path"`
	KubernetesAPICalls []KubernetesAPICall         `json:"kubernetes_api_calls"`
	CacheAccesses      []CacheAccess               `json:"cache_accesses"`
	Result             *PermissionEvaluationResult `json:"result"`
	Duration           time.Duration               `json:"duration"`
	ErrorDetails       *EnhancedErrorDetails       `json:"error_details,omitempty"`
}

PermissionEvaluationContext represents the full context of a permission evaluation

type PermissionEvaluationResult 

type PermissionEvaluationResult struct {
	Allowed             bool                       `json:"allowed"`
	Reason              string                     `json:"reason"`
	EvaluatedRules      []EvaluatedRule            `json:"evaluated_rules"`
	ApplicableRoles     []string                   `json:"applicable_roles"`
	ApplicableBindings  []string                   `json:"applicable_bindings"`
	ConflictingPolicies []ConflictingPolicy        `json:"conflicting_policies,omitempty"`
	Recommendations     *PermissionRecommendations `json:"recommendations,omitempty"`
	AuditTrail          []models.AuditEntry        `json:"audit_trail"`
}

PermissionEvaluationResult represents the final result of permission evaluation

type PermissionGap 

type PermissionGap struct {
	MissingPermissions []models.RequiredPermission `json:"missing_permissions"`
	ExcessPermissions  []models.RequiredPermission `json:"excess_permissions"`
	CurrentRoles       []string                    `json:"current_roles"`
	CurrentBindings    []string                    `json:"current_bindings"`
	Recommendations    *PermissionRecommendations  `json:"recommendations"`
}

PermissionGap represents the difference between current and required permissions

type PermissionRecommendations 

type PermissionRecommendations struct {
	SuggestedRoles         []RoleRecommendation        `json:"suggested_roles"`
	SuggestedBindings      []RoleBindingRecommendation `json:"suggested_bindings"`
	KubectlCommands        []string                    `json:"kubectl_commands"`
	SecurityConsiderations []string                    `json:"security_considerations"`
	MinimalPermissionSet   []models.RequiredPermission `json:"minimal_permission_set"`
}

PermissionRecommendations provides specific RBAC recommendations

type PermissionRequest 

type PermissionRequest struct {
	// User context from JWT claims
	KubernetesUser   string   `json:"kubernetes_user"`   // From JWT claims
	KubernetesGroups []string `json:"kubernetes_groups"` // From JWT claims
	SessionID        string   `json:"session_id"`        // From JWT claims

	// Resource details to check
	Namespace    string `json:"namespace"`     // Target namespace
	Verb         string `json:"verb"`          // K8s verb (get, list, create, etc.)
	Resource     string `json:"resource"`      // K8s resource type (pods, deployments, etc.)
	ResourceName string `json:"resource_name"` // Specific resource name (optional)
	APIGroup     string `json:"api_group"`     // K8s API group (optional)
	Subresource  string `json:"subresource"`   // K8s subresource (optional)

	// Additional context
	CommandContext string   `json:"command_context"` // Natural language context
	AllowedActions []string `json:"allowed_actions"` // Pre-validated actions from JWT
}

PermissionRequest represents a request to validate Kubernetes permissions

type PermissionResponse 

type PermissionResponse struct {
	Allowed      bool          `json:"allowed"`
	Reason       string        `json:"reason"`
	EvaluatedAt  time.Time     `json:"evaluated_at"`
	CacheHit     bool          `json:"cache_hit"`
	ResponseTime time.Duration `json:"response_time"`

	// Detailed permission information
	UserInfo       UserPermissionInfo `json:"user_info"`
	ResourceAccess ResourceAccess     `json:"resource_access"`
	Suggestions    []string           `json:"suggestions,omitempty"`

	// Audit trail
	ValidationID string     `json:"validation_id"`
	AuditTrail   AuditEntry `json:"audit_trail"`
}

PermissionResponse represents the result of permission validation

type PermissionTestResult 

type PermissionTestResult struct {
	TestID      string                    `json:"test_id"`
	TestType    string                    `json:"test_type"` // "current", "impersonation", "proposed"
	TestedAs    string                    `json:"tested_as"` // User or role being tested
	Permission  models.RequiredPermission `json:"permission"`
	Result      bool                      `json:"result"`
	Reason      string                    `json:"reason"`
	TestCommand string                    `json:"test_command"`
	ExecutedAt  time.Time                 `json:"executed_at"`
	Duration    time.Duration             `json:"duration"`
	RawOutput   string                    `json:"raw_output,omitempty"`
}

PermissionTestResult represents the result of testing permissions

type PolicyDecision 

type PolicyDecision struct {
	Allow               bool          `json:"allow"`
	RequireMFA          bool          `json:"require_mfa"`
	AllowedMethods      []MFAMethod   `json:"allowed_methods"`
	MFAValidityDuration time.Duration `json:"mfa_validity_duration"`
	RequireStepUp       bool          `json:"require_stepup"`
	StepUpInterval      time.Duration `json:"stepup_interval"`
	AppliedPolicies     []string      `json:"applied_policies"`
	RiskFactorsDetected []RiskFactor  `json:"risk_factors_detected"`
	EmergencyAccess     bool          `json:"emergency_access"`
	Reason              string        `json:"reason"`
	ComplianceRequired  bool          `json:"compliance_required"`
}

PolicyDecision represents the result of policy evaluation

type PolicyEvaluationContext 

type PolicyEvaluationContext struct {
	UserID             string                 `json:"user_id"`
	Email              string                 `json:"email"`
	UserGroups         []string               `json:"user_groups"`       // OIDC/SAML groups
	KubernetesGroups   []string               `json:"kubernetes_groups"` // K8s RBAC groups
	Role               string                 `json:"role"`              // KubeChat role
	RequestedOperation string                 `json:"requested_operation"`
	TargetNamespace    string                 `json:"target_namespace"`
	IPAddress          string                 `json:"ip_address"`
	UserAgent          string                 `json:"user_agent"`
	DeviceFingerprint  string                 `json:"device_fingerprint"`
	SessionContext     map[string]interface{} `json:"session_context"`
	Timestamp          time.Time              `json:"timestamp"`
}

PolicyEvaluationContext contains context for policy evaluation

type PolicyStats 

type PolicyStats struct {
	PolicyName       string  `json:"policy_name"`
	TotalEvaluations int64   `json:"total_evaluations"`
	AllowedCount     int64   `json:"allowed_count"`
	DeniedCount      int64   `json:"denied_count"`
	MFARequiredCount int64   `json:"mfa_required_count"`
	ComplianceRate   float64 `json:"compliance_rate"`
}

PolicyStats holds statistics for a specific policy

type ProviderConfig 

type ProviderConfig struct {
	Provider     *oidc.Provider
	OAuth2Config oauth2.Config
	Settings     OIDCProvider
	Verifier     *oidc.IDTokenVerifier
}

ProviderConfig holds runtime configuration for an OIDC provider

type PushConfig 

type PushConfig struct {
	Providers []string          `json:"providers"` // "okta_verify", "duo", "auth0_guardian"
	Settings  map[string]string `json:"settings"`
	Timeout   time.Duration     `json:"timeout"`
}

PushConfig holds push notification MFA configuration

type RBACAdvisor 

type RBACAdvisor struct {
	// contains filtered or unexported fields
}

RBACAdvisor provides intelligent RBAC permission suggestions and analysis

func NewRBACAdvisor 

func NewRBACAdvisor(config RBACAdvisorConfig) (*RBACAdvisor, error)

NewRBACAdvisor creates a new RBAC advisor instance

func (*RBACAdvisor) AnalyzePermissionGap 

func (advisor *RBACAdvisor) AnalyzePermissionGap(ctx context.Context, userContext *JWTClaims, requiredPermissions []models.RequiredPermission) (*PermissionGap, error)

AnalyzePermissionGap analyzes the gap between current and required permissions

func (*RBACAdvisor) GenerateKubectlCommands 

func (advisor *RBACAdvisor) GenerateKubectlCommands(ctx context.Context, userContext *JWTClaims, missingPermissions []models.RequiredPermission) ([]string, error)

GenerateKubectlCommands generates specific kubectl commands for permission resolution

func (*RBACAdvisor) GetMetrics 

func (advisor *RBACAdvisor) GetMetrics() *RBACAdvisorMetrics

GetMetrics returns current metrics

func (*RBACAdvisor) GetRoleSuggestions 

func (advisor *RBACAdvisor) GetRoleSuggestions(ctx context.Context, requiredPermissions []models.RequiredPermission) ([]RoleRecommendation, error)

GetRoleSuggestions provides intelligent role suggestions based on permission patterns

func (*RBACAdvisor) SuggestMinimalPermissions 

func (advisor *RBACAdvisor) SuggestMinimalPermissions(ctx context.Context, requiredPermissions []models.RequiredPermission) ([]models.RequiredPermission, error)

SuggestMinimalPermissions suggests the minimal set of permissions required

type RBACAdvisorConfig 

type RBACAdvisorConfig struct {
	KubeClient    kubernetes.Interface
	RedisClient   redis.UniversalClient
	Validator     *RBACValidator
	CacheTTL      time.Duration
	EnableCaching bool
	CachePrefix   string
}

RBACAdvisorConfig holds configuration for the RBAC advisor

type RBACAdvisorMetrics 

type RBACAdvisorMetrics struct {
	AnalysisRequests       int64         `json:"analysis_requests"`
	CacheHits              int64         `json:"cache_hits"`
	CacheMisses            int64         `json:"cache_misses"`
	AverageAnalysisTime    time.Duration `json:"average_analysis_time"`
	RecommendationAccuracy float64       `json:"recommendation_accuracy"`
	// contains filtered or unexported fields
}

RBACAdvisorMetrics tracks advisor performance and usage

type RBACValidationMetrics 

type RBACValidationMetrics struct {
	TotalValidations    int64         `json:"total_validations"`
	AllowedValidations  int64         `json:"allowed_validations"`
	DeniedValidations   int64         `json:"denied_validations"`
	CacheHits           int64         `json:"cache_hits"`
	CacheMisses         int64         `json:"cache_misses"`
	AverageLatency      time.Duration `json:"average_latency"`
	MaxLatency          time.Duration `json:"max_latency"`
	MinLatency          time.Duration `json:"min_latency"`
	TotalLatency        time.Duration `json:"total_latency"`
	K8sAPICallCount     int64         `json:"k8s_api_call_count"`
	CircuitBreakerTrips int64         `json:"circuit_breaker_trips"`
	ErrorCount          int64         `json:"error_count"`
	LastValidationTime  time.Time     `json:"last_validation_time"`
	// contains filtered or unexported fields
}

RBACValidationMetrics tracks RBAC validation performance metrics

type RBACValidator 

type RBACValidator struct {
	// contains filtered or unexported fields
}

RBACValidator handles Kubernetes RBAC permission validation

func NewRBACValidator 

func NewRBACValidator(config RBACValidatorConfig) (*RBACValidator, error)

NewRBACValidator creates a new RBAC validator with Kubernetes client integration

func (*RBACValidator) GetCacheHitRatio 

func (r *RBACValidator) GetCacheHitRatio() float64

GetCacheHitRatio returns the cache hit ratio for performance monitoring

func (*RBACValidator) GetMetrics 

func (r *RBACValidator) GetMetrics() *RBACValidationMetrics

GetMetrics returns current validation metrics

func (*RBACValidator) InvalidateUserCache 

func (r *RBACValidator) InvalidateUserCache(ctx context.Context, kubernetesUser string) error

InvalidateUserCache invalidates all cached results for a user

func (*RBACValidator) IsPerformanceTarget 

func (r *RBACValidator) IsPerformanceTarget() map[string]bool

IsPerformanceTarget checks if performance targets are being met

func (*RBACValidator) ValidatePermission 

func (r *RBACValidator) ValidatePermission(ctx context.Context, request PermissionRequest) (*PermissionResponse, error)

ValidatePermission validates user permissions against Kubernetes RBAC

type RBACValidatorConfig 

type RBACValidatorConfig struct {
	// Kubernetes client configuration
	KubeConfig *rest.Config

	// Redis configuration for caching
	RedisClient   redis.UniversalClient
	CacheTTL      time.Duration
	EnableCaching bool
	CachePrefix   string

	// Circuit breaker configuration for K8s API reliability
	CircuitBreakerConfig CircuitBreakerConfig
}

RBACValidatorConfig holds configuration for the RBAC validator

type RateLimitEntry 

type RateLimitEntry struct {
	Count     int       `json:"count"`
	ResetTime time.Time `json:"reset_time"`
}

RateLimitEntry tracks rate limit data for a client

type RateLimiter 

type RateLimiter struct {
	// contains filtered or unexported fields
}

RateLimiter implements distributed rate limiting

func (*RateLimiter) IsAllowed 

func (rl *RateLimiter) IsAllowed(identifier string) (bool, time.Time, error)

IsAllowed checks if a request is allowed under rate limiting rules

type RelatedIssue 

type RelatedIssue struct {
	IssueID     string    `json:"issue_id"`
	Description string    `json:"description"`
	Frequency   int       `json:"frequency"`
	LastSeen    time.Time `json:"last_seen"`
	Resolution  string    `json:"resolution,omitempty"`
	Similarity  float64   `json:"similarity"` // 0.0-1.0
}

RelatedIssue represents related permission issues that might be relevant

type RequestInfo 

type RequestInfo struct {
	Method      string            `json:"method"`
	URL         string            `json:"url"`
	Path        string            `json:"path"`
	Headers     map[string]string `json:"headers"`
	QueryParams map[string]string `json:"query_params"`
	Body        string            `json:"body,omitempty"`
	BodySize    int64             `json:"body_size"`
	IPAddress   string            `json:"ip_address"`
	UserAgent   string            `json:"user_agent"`
}

RequestInfo holds captured request information

type ResolutionStep 

type ResolutionStep struct {
	StepID        string                 `json:"step_id"`
	StepNumber    int                    `json:"step_number"`
	Type          ResolutionStepType     `json:"type"`
	Title         string                 `json:"title"`
	Description   string                 `json:"description"`
	Status        StepStatus             `json:"status"`
	UserInput     map[string]interface{} `json:"user_input,omitempty"`
	SystemOutput  map[string]interface{} `json:"system_output,omitempty"`
	Options       []StepOption           `json:"options,omitempty"`
	RequiredInput []InputRequirement     `json:"required_input,omitempty"`
	Validation    *models.StepValidation `json:"validation,omitempty"`
	ExecutedAt    *time.Time             `json:"executed_at,omitempty"`
	Duration      time.Duration          `json:"duration,omitempty"`
	Error         string                 `json:"error,omitempty"`
}

ResolutionStep represents a single step in the interactive resolution workflow

type ResolutionStepType 

type ResolutionStepType string

ResolutionStepType defines the type of resolution step 

const (
	StepTypeAnalysis          ResolutionStepType = "analysis"
	StepTypeUserInput         ResolutionStepType = "user_input"
	StepTypePermissionTest    ResolutionStepType = "permission_test"
	StepTypeRoleImpersonation ResolutionStepType = "role_impersonation"
	StepTypeWorkflowExecution ResolutionStepType = "workflow_execution"
	StepTypeApprovalRequest   ResolutionStepType = "approval_request"
	StepTypeNotification      ResolutionStepType = "notification"
	StepTypeVerification      ResolutionStepType = "verification"
)

type ResolverConfig 

type ResolverConfig struct {
	EnableTesting        bool          `json:"enable_testing"`
	EnableImpersonation  bool          `json:"enable_impersonation"`
	EnableSelfService    bool          `json:"enable_self_service"`
	WorkflowTimeout      time.Duration `json:"workflow_timeout"`
	MaxRetries           int           `json:"max_retries"`
	RequireApproval      bool          `json:"require_approval"`
	AutoApprovalRoles    []string      `json:"auto_approval_roles"`
	EscalationTimeout    time.Duration `json:"escalation_timeout"`
	NotificationChannels []string      `json:"notification_channels"`
}

ResolverConfig holds configuration for the interactive permission resolver

type ResourceAccess 

type ResourceAccess struct {
	Namespace    string   `json:"namespace"`
	Resource     string   `json:"resource"`
	Verb         string   `json:"verb"`
	AllowedVerbs []string `json:"allowed_verbs,omitempty"`
	DeniedReason string   `json:"denied_reason,omitempty"`
}

ResourceAccess contains detailed resource access information

type ResponseInfo 

type ResponseInfo struct {
	StatusCode int               `json:"status_code"`
	Headers    map[string]string `json:"headers"`
	Body       string            `json:"body,omitempty"`
	BodySize   int64             `json:"body_size"`
}

ResponseInfo holds captured response information

type RiskAction 

type RiskAction string

RiskAction defines actions to take when risk factors are detected 

const (
	RiskActionRequireMFA RiskAction = "require_mfa"
	RiskActionStepUpMFA  RiskAction = "stepup_mfa"
	RiskActionDenyAccess RiskAction = "deny_access"
	RiskActionLogOnly    RiskAction = "log_only"
)

type RiskBasedMFAConfig 

type RiskBasedMFAConfig struct {
	Enabled                  bool     `json:"enabled"`
	UnknownIPRequiresMFA     bool     `json:"unknown_ip_requires_mfa"`
	UnknownDeviceRequiresMFA bool     `json:"unknown_device_requires_mfa"`
	OffHoursRequiresMFA      bool     `json:"off_hours_requires_mfa"`
	HighRiskCountries        []string `json:"high_risk_countries"`
	TrustedNetworks          []string `json:"trusted_networks"`
}

RiskBasedMFAConfig holds risk-based MFA configuration

type RiskFactor 

type RiskFactor struct {
	Type        RiskFactorType `json:"type"`
	Threshold   string         `json:"threshold"`
	Action      RiskAction     `json:"action"`
	Description string         `json:"description"`
}

RiskFactor defines conditions that increase authentication risk

type RiskFactorType 

type RiskFactorType string

RiskFactorType defines types of risk factors 

const (
	RiskFactorUnknownIP          RiskFactorType = "unknown_ip"
	RiskFactorUnknownDevice      RiskFactorType = "unknown_device"
	RiskFactorOffHours           RiskFactorType = "off_hours"
	RiskFactorHighPrivilege      RiskFactorType = "high_privilege"
	RiskFactorSuspiciousLocation RiskFactorType = "suspicious_location"
	RiskFactorConcurrentSessions RiskFactorType = "concurrent_sessions"
)

type RoleBindingRecommendation 

type RoleBindingRecommendation struct {
	Name                 string `json:"name"`
	Type                 string `json:"type"` // "ClusterRoleBinding" or "RoleBinding"
	RoleName             string `json:"role_name"`
	Namespace            string `json:"namespace,omitempty"`
	Subject              string `json:"subject"`
	SubjectType          string `json:"subject_type"` // "User", "Group", "ServiceAccount"
	Justification        string `json:"justification"`
	TemporarySuggestion  bool   `json:"temporary_suggestion"`
	ExpiryRecommendation string `json:"expiry_recommendation,omitempty"`
}

RoleBindingRecommendation suggests specific role bindings

type RoleRecommendation 

type RoleRecommendation struct {
	Name          string   `json:"name"`
	Type          string   `json:"type"` // "ClusterRole" or "Role"
	Namespace     string   `json:"namespace,omitempty"`
	Reason        string   `json:"reason"`
	Permissions   []string `json:"permissions"`
	SecurityLevel string   `json:"security_level"` // "minimal", "standard", "elevated"
	Exists        bool     `json:"exists"`         // Whether role already exists
}

RoleRecommendation suggests specific roles for the user

type RuleMatchDetails 

type RuleMatchDetails struct {
	APIGroupMatch  bool    `json:"api_group_match"`
	ResourceMatch  bool    `json:"resource_match"`
	VerbMatch      bool    `json:"verb_match"`
	NamespaceMatch bool    `json:"namespace_match"`
	FailureReason  string  `json:"failure_reason,omitempty"`
	MatchScore     float64 `json:"match_score"` // 0.0-1.0 indicating closeness of match
}

RuleMatchDetails provides details about how a rule matched (or didn't match)

type SAMLAssertion 

type SAMLAssertion struct {
	Subject      string                 `json:"subject"`
	NameID       string                 `json:"name_id"`
	Email        string                 `json:"email"`
	DisplayName  string                 `json:"display_name"`
	GivenName    string                 `json:"given_name"`
	Surname      string                 `json:"surname"`
	Groups       []string               `json:"groups"`
	Attributes   map[string]interface{} `json:"attributes"`
	SessionIndex string                 `json:"session_index"`
	NotOnOrAfter time.Time              `json:"not_on_or_after"`
	// MFA fields (Story 2.4)
	MFACompleted bool      `json:"mfa_completed"`
	MFAMethod    string    `json:"mfa_method,omitempty"`
	MFATimestamp time.Time `json:"mfa_timestamp,omitempty"`
	AuthContexts []string  `json:"auth_contexts,omitempty"` // SAML AuthnContext values
}

SAMLAssertion represents processed SAML assertion data

type SAMLConfig 

type SAMLConfig struct {
	EntityID       string `json:"entity_id"`        // Service Provider Entity ID
	ACSURL         string `json:"acs_url"`          // Assertion Consumer Service URL
	SLOUrl         string `json:"slo_url"`          // Single Logout URL
	IDPMetadataURL string `json:"idp_metadata_url"` // Identity Provider metadata URL
	IDPMetadataXML string `json:"idp_metadata_xml"` // Alternative: raw IDP metadata XML
	PrivateKeyPEM  string `json:"private_key_pem"`  // Private key for signing
	CertificatePEM string `json:"certificate_pem"`  // Certificate for signing
	SignRequests   bool   `json:"sign_requests"`    // Whether to sign SAML requests
	ForceAuthn     bool   `json:"force_authn"`      // Force re-authentication
	AllowIDPInit   bool   `json:"allow_idp_init"`   // Allow IDP-initiated login
}

SAMLConfig holds configuration for SAML authentication

type SAMLError 

type SAMLError struct {
	Code    string `json:"code"`
	Message string `json:"message"`
	Details string `json:"details,omitempty"`
}

SAMLError represents SAML-specific errors

func (*SAMLError) Error 

func (e *SAMLError) Error() string

type SAMLProvider 

type SAMLProvider struct {
	// contains filtered or unexported fields
}

SAMLProvider manages SAML authentication

func NewSAMLProvider 

func NewSAMLProvider(config SAMLConfig, jwtService JWTServiceInterface, mfaHandler *MFAHandler) (*SAMLProvider, error)

NewSAMLProvider creates a new SAML authentication provider

func (*SAMLProvider) GenerateMetadata 

func (sp *SAMLProvider) GenerateMetadata() (string, error)

GenerateMetadata generates SAML metadata for the service provider

func (*SAMLProvider) GetAuthURL 

func (sp *SAMLProvider) GetAuthURL(relayState string) (string, error)

GetAuthURL returns the SAML authentication URL

func (*SAMLProvider) GetMetadata 

func (sp *SAMLProvider) GetMetadata() fiber.Handler

GetMetadata returns the SAML service provider metadata

func (*SAMLProvider) GetSupportedSAMLBindings 

func (sp *SAMLProvider) GetSupportedSAMLBindings() []string

GetSupportedSAMLBindings returns supported SAML bindings

func (*SAMLProvider) HandleAssertion 

func (sp *SAMLProvider) HandleAssertion() fiber.Handler

HandleAssertion processes SAML assertion and creates JWT token

func (*SAMLProvider) HandleSingleLogout 

func (sp *SAMLProvider) HandleSingleLogout() fiber.Handler

HandleSingleLogout processes SAML single logout requests

func (*SAMLProvider) ProcessAssertion 

func (sp *SAMLProvider) ProcessAssertion(samlResponse string, clientIP, userAgent string) (*JWTClaims, bool, error)

ProcessAssertion processes SAML assertion with MFA support (Story 2.4)

func (*SAMLProvider) ValidateAssertion 

func (sp *SAMLProvider) ValidateAssertion(samlResponse string) (*SAMLAssertion, error)

ValidateAssertion validates a SAML assertion (placeholder for actual validation)

type SAMLUserMapper 

type SAMLUserMapper struct {
	EmailAttribute   string            `json:"email_attribute"`
	NameAttribute    string            `json:"name_attribute"`
	GroupsAttribute  string            `json:"groups_attribute"`
	AttributeMapping map[string]string `json:"attribute_mapping"`
	DefaultRole      string            `json:"default_role"`
}

SAMLUserMapper maps SAML assertions to internal user model

func (*SAMLUserMapper) MapSAMLUser 

func (mapper *SAMLUserMapper) MapSAMLUser(assertion *SAMLAssertion) map[string]interface{}

MapSAMLUser maps a SAML assertion to user attributes

type SIEMConfig 

type SIEMConfig struct {
	Provider       SIEMProvider      `json:"provider"`
	Endpoint       string            `json:"endpoint"`
	APIKey         string            `json:"api_key,omitempty"`
	Username       string            `json:"username,omitempty"`
	Password       string            `json:"password,omitempty"`
	Index          string            `json:"index,omitempty"`
	CustomHeaders  map[string]string `json:"custom_headers,omitempty"`
	TLSConfig      *tls.Config       `json:"-"`
	BatchSize      int               `json:"batch_size"`
	FlushInterval  time.Duration     `json:"flush_interval"`
	RetryAttempts  int               `json:"retry_attempts"`
	TimeoutSeconds int               `json:"timeout_seconds"`
}

SIEM Configuration

type SIEMEvent 

type SIEMEvent struct {
	Timestamp         time.Time              `json:"timestamp"`
	EventID           string                 `json:"event_id"`
	Source            string                 `json:"source"`
	EventType         string                 `json:"event_type"`
	Severity          string                 `json:"severity"`
	UserID            string                 `json:"user_id,omitempty"`
	SessionID         string                 `json:"session_id,omitempty"`
	IPAddress         string                 `json:"ip_address,omitempty"`
	UserAgent         string                 `json:"user_agent,omitempty"`
	Description       string                 `json:"description"`
	Metadata          map[string]interface{} `json:"metadata,omitempty"`
	ComplianceContext *ComplianceContext     `json:"compliance_context,omitempty"`
}

SIEM Event Formats

type SIEMIntegrationManager 

type SIEMIntegrationManager struct {
	// contains filtered or unexported fields
}

SIEM Integration Manager

func NewSIEMIntegrationManager 

func NewSIEMIntegrationManager(siemConfig SIEMConfig, complianceConfig ComplianceConfig, redisClient redis.Cmdable) *SIEMIntegrationManager

Create new SIEM Integration Manager

func (*SIEMIntegrationManager) Close 

func (s *SIEMIntegrationManager) Close() error

Close SIEM Integration

func (*SIEMIntegrationManager) GenerateComplianceReport 

func (s *SIEMIntegrationManager) GenerateComplianceReport(framework ComplianceFramework, period string) (*ComplianceReport, error)

Generate Compliance Report

func (*SIEMIntegrationManager) SendAuthEvent 

func (s *SIEMIntegrationManager) SendAuthEvent(entry AuthAuditEntry) error

Send Authentication Event to SIEM

func (*SIEMIntegrationManager) SendSecurityEvent 

func (s *SIEMIntegrationManager) SendSecurityEvent(eventType, description, userID, sessionID, ipAddress string, severity AuditSeverity, metadata map[string]string) error

Send Security Event to SIEM

type SIEMProvider 

type SIEMProvider string

SIEM Integration Types 

const (
	SIEMSplunk   SIEMProvider = "splunk"
	SIEMElastic  SIEMProvider = "elastic"
	SIEMArcSight SIEMProvider = "arcsight"
	SIEMQRadar   SIEMProvider = "qradar"
	SIEMSentinel SIEMProvider = "sentinel"
)

type SMSConfig 

type SMSConfig struct {
	Provider        string            `json:"provider"` // "twilio", "aws_sns", "azure", etc.
	Settings        map[string]string `json:"settings"`
	MessageTemplate string            `json:"message_template"`
	CodeLength      int               `json:"code_length"`
	CodeExpiry      time.Duration     `json:"code_expiry"`
}

SMSConfig holds SMS MFA configuration

type SecurityConfig 

type SecurityConfig struct {
	// Rate limiting configuration
	RateLimitRequests int           `json:"rate_limit_requests"` // Max requests per window
	RateLimitWindow   time.Duration `json:"rate_limit_window"`   // Rate limit time window

	// Brute force protection
	MaxFailedAttempts int           `json:"max_failed_attempts"` // Max failed login attempts
	LockoutDuration   time.Duration `json:"lockout_duration"`    // Account lockout duration

	// JWT token rotation
	TokenRotationEnabled bool          `json:"token_rotation_enabled"` // Enable automatic token rotation
	RotationInterval     time.Duration `json:"rotation_interval"`      // How often to rotate tokens

	// Redis configuration for distributed security features
	RedisClient redis.UniversalClient `json:"-"` // Redis client for distributed storage
}

SecurityConfig holds configuration for security middleware

type SecurityContext 

type SecurityContext struct {
	SessionID         string
	UserID            string
	DeviceFingerprint string
	IPAddress         string
	UserAgent         string
	CreatedAt         time.Time
	LastActivity      time.Time
	LoginAttempts     int
	SuspiciousFlags   []string
	Locked            bool
	LockReason        string
	LockExpiry        time.Time
}

SecurityContext represents security context for a session

type SecurityMiddleware 

type SecurityMiddleware struct {
	// contains filtered or unexported fields
}

SecurityMiddleware provides enhanced security features

func NewSecurityMiddleware 

func NewSecurityMiddleware(config SecurityConfig, jwtService JWTServiceInterface) *SecurityMiddleware

NewSecurityMiddleware creates a new security middleware instance

func (*SecurityMiddleware) BruteForceProtectionMiddleware 

func (s *SecurityMiddleware) BruteForceProtectionMiddleware() fiber.Handler

BruteForceProtectionMiddleware returns a Fiber middleware for brute force protection

func (*SecurityMiddleware) Cleanup 

func (s *SecurityMiddleware) Cleanup()

Cleanup performs cleanup of expired entries and resources

func (*SecurityMiddleware) GetSecurityMetrics 

func (s *SecurityMiddleware) GetSecurityMetrics() map[string]interface{}

GetSecurityMetrics returns current security metrics

func (*SecurityMiddleware) RateLimitMiddleware 

func (s *SecurityMiddleware) RateLimitMiddleware() fiber.Handler

RateLimitMiddleware returns a Fiber middleware for rate limiting

func (*SecurityMiddleware) TokenRotationMiddleware 

func (s *SecurityMiddleware) TokenRotationMiddleware() fiber.Handler

TokenRotationMiddleware adds token rotation headers

type SessionActivityReport 

type SessionActivityReport struct {
	Period             string           `json:"period"`
	TotalSessions      int64            `json:"total_sessions"`
	ActiveSessions     int64            `json:"active_sessions"`
	ExpiredSessions    int64            `json:"expired_sessions"`
	TerminatedSessions int64            `json:"terminated_sessions"`
	SessionsByType     map[string]int64 `json:"sessions_by_type"`
	SessionsByUser     map[string]int64 `json:"sessions_by_user"`
	AverageSessionTime time.Duration    `json:"average_session_time"`
	SecurityEvents     int64            `json:"security_events"`
	ComplianceIssues   int64            `json:"compliance_issues"`
	TopIPAddresses     []IPSessionCount `json:"top_ip_addresses"`
}

SessionActivityReport represents session activity metrics

type SessionAdminConfig 

type SessionAdminConfig struct {
	JWTService   JWTServiceInterface
	AuditLogger  *AuthAuditLogger
	AllowedRoles []string // Roles that can access admin endpoints
}

SessionAdminConfig holds configuration for session administration

type SessionCookieConfig 

type SessionCookieConfig struct {
	Name     string
	Domain   string
	Path     string
	MaxAge   int
	Secure   bool
	HttpOnly bool
	SameSite http.SameSite
}

SessionCookieConfig represents secure cookie configuration

type SessionFilters 

type SessionFilters struct {
	UserID      string `json:"user_id,omitempty"`
	Active      *bool  `json:"active,omitempty"`
	SessionType string `json:"session_type,omitempty"`
	IPAddress   string `json:"ip_address,omitempty"`
	Since       string `json:"since,omitempty"`
	Until       string `json:"until,omitempty"`
}

SessionFilters represents filters for session queries

type SessionInfo 

type SessionInfo struct {
	SessionID          string        `json:"session_id"`
	UserID             string        `json:"user_id"`
	Email              string        `json:"email"`
	Name               string        `json:"name"`
	KubernetesUser     string        `json:"kubernetes_user"`
	KubernetesGroups   []string      `json:"kubernetes_groups"`
	CreatedAt          time.Time     `json:"created_at"`
	LastActivity       time.Time     `json:"last_activity"`
	ExpiresAt          time.Time     `json:"expires_at"`
	RefreshExpiresAt   time.Time     `json:"refresh_expires_at"`
	Active             bool          `json:"active"`
	IPAddress          string        `json:"ip_address,omitempty"`
	UserAgent          string        `json:"user_agent,omitempty"`
	DeviceFingerprint  string        `json:"device_fingerprint,omitempty"`
	SessionType        string        `json:"session_type"` // "web", "api", "mobile"
	IdleTimeout        time.Duration `json:"idle_timeout"`
	AbsoluteTimeout    time.Duration `json:"absolute_timeout"`
	TerminationReason  string        `json:"termination_reason,omitempty"`
	ConcurrentSessions int           `json:"concurrent_sessions"`
	// MFA fields (Story 2.4)
	MFACompleted      bool      `json:"mfa_completed"`
	MFAMethod         string    `json:"mfa_method,omitempty"`
	MFATimestamp      time.Time `json:"mfa_timestamp"`
	MFAExpiresAt      time.Time `json:"mfa_expires_at"`
	RequiresMFAStepUp bool      `json:"requires_mfa_stepup"`
}

SessionInfo represents comprehensive session information

type SessionListResponse 

type SessionListResponse struct {
	Sessions []*SessionInfo `json:"sessions"`
	Total    int            `json:"total"`
	Page     int            `json:"page"`
	PageSize int            `json:"page_size"`
	HasMore  bool           `json:"has_more"`
	Filters  SessionFilters `json:"filters_applied,omitempty"`
}

SessionListResponse represents the response for listing sessions

type SessionMetrics 

type SessionMetrics struct {
	TotalActiveSessions     int64            `json:"total_active_sessions"`
	TotalExpiredSessions    int64            `json:"total_expired_sessions"`
	TotalTerminatedSessions int64            `json:"total_terminated_sessions"`
	AverageSessionDuration  time.Duration    `json:"average_session_duration"`
	ActiveSessionsByType    map[string]int64 `json:"active_sessions_by_type"`
	SessionTimeouts         int64            `json:"session_timeouts"`
	ConcurrentSessionLimits int64            `json:"concurrent_session_limits"`
}

SessionMetrics provides session-related metrics

type SessionSecurityConfig 

type SessionSecurityConfig struct {
	JWTService           JWTServiceInterface
	AuditLogger          *AuthAuditLogger
	ConcurrentLimit      int           // Max concurrent sessions per user (default: 5)
	EnableFingerprinting bool          // Enable device fingerprinting (default: true)
	EnableIPBinding      bool          // Bind sessions to IP addresses (default: true)
	EnableUserAgentCheck bool          // Check user agent consistency (default: true)
	SuspiciousThreshold  int           // Threshold for suspicious activity (default: 3)
	LockoutDuration      time.Duration // Account lockout duration (default: 30 minutes)
}

SessionSecurityConfig holds configuration for session security

type SessionSecurityManager 

type SessionSecurityManager struct {
	// contains filtered or unexported fields
}

SessionSecurityManager handles session security hardening and protection

func NewSessionSecurityManager 

func NewSessionSecurityManager(config SessionSecurityConfig) (*SessionSecurityManager, error)

NewSessionSecurityManager creates a new session security manager

func (*SessionSecurityManager) CleanupExpiredSessions 

func (ssm *SessionSecurityManager) CleanupExpiredSessions()

CleanupExpiredSessions removes expired and inactive sessions

func (*SessionSecurityManager) CreateSessionWithSecurity 

func (ssm *SessionSecurityManager) CreateSessionWithSecurity(ctx context.Context, userID, email, name string, r *http.Request) (*TokenPair, error)

CreateSessionWithSecurity creates a new session with security hardening

func (*SessionSecurityManager) GetSecurityMetrics 

func (ssm *SessionSecurityManager) GetSecurityMetrics() map[string]interface{}

GetSecurityMetrics returns security-related metrics

func (*SessionSecurityManager) SecureSessionMiddleware 

func (ssm *SessionSecurityManager) SecureSessionMiddleware(next http.Handler) http.Handler

SecureSessionMiddleware creates middleware for secure session handling

type SessionStatus 

type SessionStatus string

SessionStatus represents the status of a resolution session 

const (
	SessionStatusActive           SessionStatus = "active"
	SessionStatusPending          SessionStatus = "pending"
	SessionStatusCompleted        SessionStatus = "completed"
	SessionStatusFailed           SessionStatus = "failed"
	SessionStatusExpired          SessionStatus = "expired"
	SessionStatusCancelled        SessionStatus = "cancelled"
	SessionStatusAwaitingApproval SessionStatus = "awaiting_approval"
)

type SessionTerminationRequest 

type SessionTerminationRequest struct {
	SessionIDs []string `json:"session_ids"`
	UserIDs    []string `json:"user_ids,omitempty"`
	Reason     string   `json:"reason"`
	Force      bool     `json:"force"` // Force termination even for active operations
}

SessionTerminationRequest represents a request to terminate sessions

type SessionTerminationResponse 

type SessionTerminationResponse struct {
	TerminatedSessions []string `json:"terminated_sessions"`
	FailedSessions     []string `json:"failed_sessions"`
	Errors             []string `json:"errors,omitempty"`
	TotalTerminated    int      `json:"total_terminated"`
}

SessionTerminationResponse represents the response for session termination

type SessionTimeoutPolicy 

type SessionTimeoutPolicy struct {
	IdleTimeout     time.Duration `json:"idle_timeout"`     // Default 4 hours
	AbsoluteTimeout time.Duration `json:"absolute_timeout"` // Default 24 hours
	EnableIdleCheck bool          `json:"enable_idle_check"`
}

SessionTimeoutPolicy defines timeout policies for sessions

type StepOption 

type StepOption struct {
	ID          string                 `json:"id"`
	Label       string                 `json:"label"`
	Description string                 `json:"description"`
	Value       interface{}            `json:"value"`
	Metadata    map[string]interface{} `json:"metadata,omitempty"`
	Recommended bool                   `json:"recommended"`
}

StepOption represents an option in an interactive step

type StepStatus 

type StepStatus string

StepStatus represents the status of a workflow step 

const (
	StepStatusPending   StepStatus = "pending"
	StepStatusActive    StepStatus = "active"
	StepStatusCompleted StepStatus = "completed"
	StepStatusSkipped   StepStatus = "skipped"
	StepStatusFailed    StepStatus = "failed"
)

type SuspiciousTracker 

type SuspiciousTracker struct {
	UserID             string
	FailedLogins       int
	LastFailedLogin    time.Time
	SuspiciousIPs      map[string]int
	DeviceChanges      int
	ConcurrentSessions int
	RiskScore          int
	AlertTriggered     bool
}

SuspiciousTracker tracks suspicious activities for a user

type TOTPConfig 

type TOTPConfig struct {
	Issuer       string `json:"issuer"`
	AccountName  string `json:"account_name"`
	SecretLength int    `json:"secret_length"`
	Period       uint   `json:"period"`
	Skew         uint   `json:"skew"`
	Digits       int    `json:"digits"`
}

TOTPConfig holds TOTP-specific configuration

type TimeWindow 

type TimeWindow struct {
	StartHour  int      `json:"start_hour"`   // 0-23
	EndHour    int      `json:"end_hour"`     // 0-23
	DaysOfWeek []string `json:"days_of_week"` // "monday", "tuesday", etc.
	TimeZone   string   `json:"timezone"`     // IANA timezone
}

TimeWindow defines time-based restrictions

type TokenPair 

type TokenPair struct {
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token"`
	ExpiresAt    time.Time `json:"expires_at"`
	TokenType    string    `json:"token_type"`
}

TokenPair represents access and refresh tokens

type TokenRotator 

type TokenRotator struct {
	// contains filtered or unexported fields
}

TokenRotator manages automatic JWT token rotation

func (*TokenRotator) Stop 

func (tr *TokenRotator) Stop()

stop stops the token rotation process

type TokenValidationError 

type TokenValidationError struct {
	Code    string `json:"code"`
	Message string `json:"message"`
}

TokenValidationError represents JWT validation errors

func (*TokenValidationError) Error 

func (e *TokenValidationError) Error() string

type TroubleshootingStep 

type TroubleshootingStep struct {
	StepNumber     int      `json:"step_number"`
	Title          string   `json:"title"`
	Description    string   `json:"description"`
	Commands       []string `json:"commands"`
	ExpectedResult string   `json:"expected_result"`
	NextSteps      []string `json:"next_steps"`
	Difficulty     string   `json:"difficulty"` // "easy", "medium", "hard"
}

TroubleshootingStep represents a troubleshooting step for administrators

type UserComplianceStats 

type UserComplianceStats struct {
	UserID              string    `json:"user_id"`
	Email               string    `json:"email"`
	TotalAttempts       int64     `json:"total_attempts"`
	MFARequiredAttempts int64     `json:"mfa_required_attempts"`
	MFAFailedAttempts   int64     `json:"mfa_failed_attempts"`
	ComplianceRate      float64   `json:"compliance_rate"`
	LastViolation       time.Time `json:"last_violation"`
}

UserComplianceStats holds compliance statistics for a user

type UserMFAStatus 

type UserMFAStatus struct {
	UserID              string    `json:"user_id"`
	ActiveSessions      int       `json:"active_sessions"`
	MFAEnabledSessions  int       `json:"mfa_enabled_sessions"`
	LastMFACompletion   time.Time `json:"last_mfa_completion"`
	ApplicablePolicies  []string  `json:"applicable_policies"`
	ComplianceStatus    string    `json:"compliance_status"` // "compliant", "non_compliant", "partially_compliant"
	EmergencyAccessUsed bool      `json:"emergency_access_used"`
}

UserMFAStatus represents comprehensive MFA status for a user

type UserPermissionInfo 

type UserPermissionInfo struct {
	User                string   `json:"user"`
	Groups              []string `json:"groups"`
	ServiceAccount      string   `json:"service_account,omitempty"`
	ClusterRoleBindings []string `json:"cluster_role_bindings,omitempty"`
	RoleBindings        []string `json:"role_bindings,omitempty"`
}

UserPermissionInfo contains user permission details

type ValidationMetrics 

type ValidationMetrics struct {
	CacheHits          int64         `json:"cache_hits"`
	CacheMisses        int64         `json:"cache_misses"`
	ValidationCount    int64         `json:"validation_count"`
	AverageLatency     time.Duration `json:"average_latency"`
	MaxLatency         time.Duration `json:"max_latency"`
	MinLatency         time.Duration `json:"min_latency"`
	TotalLatency       time.Duration `json:"total_latency"`
	K8sAPICallCount    int64         `json:"k8s_api_call_count"`
	FailureCount       int64         `json:"failure_count"`
	LastValidationTime time.Time     `json:"last_validation_time"`
	// contains filtered or unexported fields
}

ValidationMetrics tracks performance metrics for namespace validation

type ValidationRequest 

type ValidationRequest struct {
	KubernetesUser   string   `json:"kubernetes_user"`
	KubernetesGroups []string `json:"kubernetes_groups"`
	RequestedNS      []string `json:"requested_namespaces,omitempty"` // If empty, validate all
}

ValidationRequest represents a request to validate namespace access

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.