{"id":43662727,"url":"https://github.com/linuxfoundation/lfx-v2-access-check","last_synced_at":"2026-03-12T02:03:13.830Z","repository":{"id":307572652,"uuid":"1024472555","full_name":"linuxfoundation/lfx-v2-access-check","owner":"linuxfoundation","description":"LFX v2 Platform Access Check","archived":false,"fork":false,"pushed_at":"2026-02-02T23:32:58.000Z","size":155,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-03T12:37:00.376Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/linuxfoundation.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-22T18:50:13.000Z","updated_at":"2025-11-20T15:11:37.000Z","dependencies_parsed_at":null,"dependency_job_id":"d5512f7b-9cc5-407f-9036-db20c2fd5f37","html_url":"https://github.com/linuxfoundation/lfx-v2-access-check","commit_stats":null,"previous_names":["linuxfoundation/lfx-v2-access-check"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/linuxfoundation/lfx-v2-access-check","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxfoundation%2Flfx-v2-access-check","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxfoundation%2Flfx-v2-access-check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxfo
undation%2Flfx-v2-access-check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxfoundation%2Flfx-v2-access-check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/linuxfoundation","download_url":"https://codeload.github.com/linuxfoundation/lfx-v2-access-check/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxfoundation%2Flfx-v2-access-check/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29097861,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-04T21:05:08.033Z","status":"ssl_error","status_checked_at":"2026-02-04T21:04:53.031Z","response_time":62,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-04T22:17:47.875Z","updated_at":"2026-02-04T22:17:51.837Z","avatar_url":"https://github.com/linuxfoundation.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# LFX v2 Access Check Service\n\n![Build Status](https://github.com/linuxfoundation/lfx-v2-access-check/workflows/Access%20Check%20Service%20Build/badge.svg)\n![License](https://img.shields.io/badge/License-MIT-blue.svg)\n![Go Version](https://img.shields.io/badge/Go-1.24+-00ADD8?logo=go)\n\nAn access check service for the LFX v2 platform, providing centralized authorization and permission management across LFX 
services.\n\n## ✨ Key Features\n\n- **🚀 Bulk Access Checks**: Process multiple resource-action permission checks in a single HTTP request\n- **🔐 JWT Authentication**: Secure authentication using Heimdall-issued JWT tokens\n- **🔄 Real-time Processing**: Asynchronous message processing via NATS queue\n- **🚢 Cloud Native**: Kubernetes-ready with Helm charts for easy deployment\n\n## 🏗️ Architecture Overview\n\n```mermaid\ngraph TB\n    subgraph \"LFX v2 Platform Gateway\"\n        T[Traefik\u003cbr/\u003eAPI Gateway]\n        H[Heimdall\u003cbr/\u003eAccess Decision Service]\n    end\n\n    subgraph \"Access Check Service\"\n        AC[HTTP Server\u003cbr/\u003e:8080]\n        AS[Access Service\u003cbr/\u003eCore Logic]\n        HE[Health Endpoints\u003cbr/\u003e/livez /readyz]\n    end\n\n    subgraph \"Platform Infrastructure\"\n        N[NATS\u003cbr/\u003eMessage Queue]\n    end\n\n    T --\u003e H\n    H --\u003e AC\n    AC --\u003e AS\n    AC --\u003e HE\n    \n    AS \u003c--\u003e|bulk access checks\u003cbr/\u003eaccess-check subject| N\n```\n\n## 🔄 Access Check Flow\n\n```mermaid\nsequenceDiagram\n    participant Client as API Consumer\n    participant Traefik as Traefik Gateway\n    participant Heimdall as Heimdall Access Decision\n    participant AccessCheck as Access Check Service\n    participant NATS as NATS Queue\n\n    Client-\u003e\u003eTraefik: POST /access-check\u003cbr/\u003eBearer: JWT + resource list\n    Traefik-\u003e\u003eHeimdall: Validate JWT \u0026 authorize\n    Heimdall--\u003e\u003eTraefik: Auth success\n    Traefik-\u003e\u003eAccessCheck: Forward authenticated request\n    \n    AccessCheck-\u003e\u003eAccessCheck: Extract principal from JWT\n    AccessCheck-\u003e\u003eAccessCheck: Build resource-action pairs\n    AccessCheck-\u003e\u003eNATS: Publish bulk access check\u003cbr/\u003eSubject: access-check\n    \n    NATS--\u003e\u003eAccessCheck: Return authorization results\n    AccessCheck--\u003e\u003eTraefik: JSON response with 
decisions\n    Traefik--\u003e\u003eClient: Access check results\n\n    Note over AccessCheck: Optimized for bulk operations\u003cbr/\u003ewith comprehensive logging\n```\n\n## 🚀 Quick Start\n\n### Prerequisites\n\n- **Go**: 1.24.0 \n- **Docker**: For containerized deployment\n- **NATS**: Message queue for service communication\n- **Heimdall**: JWT authentication provider\n\n### Local Development\n\n1. **Clone the repository**\n   ```bash\n   git clone https://github.com/linuxfoundation/lfx-v2-access-check.git\n   cd lfx-v2-access-check\n   ```\n\n2. **Install dependencies**\n   ```bash\n   make deps\n   ```\n\n3. **Generate API code** (if needed)\n   ```bash\n   make apigen\n   ```\n\n4. **Build the service**\n   ```bash\n   make build\n   ```\n\n5. **Run tests**\n   ```bash\n   make test\n   ```\n\n6. **Start the service**\n   ```bash\n   ./bin/lfx-access-check\n   ```\n\n### Configuration\n\nThe service is configured via environment variables:\n\n| Variable | Description | Default |\n|----------|-------------|---------|\n| `HOST` | Server host address | `0.0.0.0` |\n| `PORT` | Server port | `8080` |\n| `DEBUG` | Enable debug logging | `false` |\n| `JWKS_URL` | Heimdall JWKS endpoint | `http://heimdall:4457/.well-known/jwks` |\n| `AUDIENCE` | JWT audience | `lfx-v2-access-check` |\n| `ISSUER` | JWT issuer | `heimdall` |\n| `NATS_URL` | NATS server URL | `nats://nats:4222` |\n\n### Docker Deployment\n\n```bash\n# Build image\nmake docker-build\n\n# Run container\ndocker run -p 8080:8080 \\\n  -e JWKS_URL=http://heimdall:4457/.well-known/jwks \\\n  -e NATS_URL=nats://nats:4222 \\\n  linuxfoundation/lfx-access-check:latest\n```\n\n### Health Endpoints\n\n- **Liveness**: `GET /livez` - Basic service health\n- **Readiness**: `GET /readyz` - Service + dependencies health\n\n## 🏛️ Architecture Details\n\n### Core Components\n\n1. 
**HTTP Server** (`cmd/lfx-access-check/`)\n   - Goa-based REST API server\n   - JWT authentication middleware\n   - Request ID tracking\n   - Structured logging\n\n2. **Access Service** (`internal/service/`)\n   - Core business logic\n   - JWT token validation\n   - NATS message publishing\n   - Response aggregation\n\n3. **Infrastructure Layer** (`internal/infrastructure/`)\n   - **Auth Repository**: Heimdall JWT validation\n   - **Messaging Repository**: NATS communication\n   - **Config**: Environment-based configuration\n\n4. **Domain Contracts** (`internal/domain/contracts/`)\n   - Shared data structures\n   - JWT claims modeling\n   - Service interfaces\n\n### Project Structure\n\n```\n├── cmd/lfx-access-check/    # Application entry point\n├── design/                  # Goa API design definitions\n├── gen/                     # Generated API code (Goa)\n├── internal/\n│   ├── container/          # Dependency injection\n│   ├── domain/contracts/   # Domain models \u0026 interfaces\n│   ├── infrastructure/     # External service adapters\n│   ├── middleware/         # HTTP middleware\n│   ├── service/           # Core business logic\n│   └── mocks/             # Test mocks\n├── pkg/\n│   ├── constants/         # Application constants\n│   └── log/              # Structured logging utilities\n├── test/integration/      # Integration tests\n└── charts/               # Helm deployment charts\n```\n\n## 🚢 Deployment\n\n### Kubernetes with Helm\n\n```bash\n# Install/upgrade with Helm\nhelm upgrade --install lfx-v2-access-check ./charts/lfx-v2-access-check \\\n  --set image.tag=latest \\\n  --set config.jwksUrl=http://heimdall:4457/.well-known/jwks \\\n  --set config.natsUrl=nats://nats:4222\n```\n\n## 📄 License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for 
details.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinuxfoundation%2Flfx-v2-access-check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flinuxfoundation%2Flfx-v2-access-check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinuxfoundation%2Flfx-v2-access-check/lists"}