inventory-service

Getting Started

Add resources: fabrica add resource
Generate code: fabrica generate
Run the server: go run ./cmd/server/

Configuration

The server supports configuration via:

Command line flags
Environment variables (INVENTORY-SERVICE_*)
Configuration file (~/.inventory-service.yaml)

Features

💾 Database storage (sqlite3)

Security (TokenSmith)

This service can be generated with TokenSmith-based authentication (AuthN) and authorization (AuthZ).

Public endpoints (bypass AuthN/AuthZ)

The following endpoints are structurally public by default:

GET /health

If OpenAPI/docs are enabled in your generated service, those endpoints are also public.

Authentication (AuthN)

When AuthN is enabled, the server validates JWTs using TokenSmith.

Required environment variables:

TOKENSMITH_JWKS_URL (required): URL to a JWKS endpoint used to validate incoming JWTs.

Notes:

OPTIONS preflight requests are not blocked by AuthN middleware.

Authorization (AuthZ)

When AuthZ is enabled, requests are classified into a (subject, object, action) tuple and enforced using TokenSmith/Casbin integration.

AuthZ mode:

enforce: deny requests that fail policy evaluation (HTTP 403).
shadow: allow requests that fail policy evaluation, but emit a structured decision log/event.

AuthZ configuration (environment variables):

TOKENSMITH_AUTHZ_MODE: enforce (default) or shadow
TOKENSMITH_CASBIN_MODEL: Casbin model definition (typically a file path like ./authz/model.conf)
TOKENSMITH_CASBIN_POLICY: Casbin policy source (typically a file path like ./authz/policy.csv)

Policy tuple examples (defaults)

The default classifier uses:

object: the chi route pattern (preferred), e.g. /bmcs, /bmcs/{uid}, /bmcs/{uid}/status
action: the HTTP method, e.g. GET, POST, PATCH, DELETE
subject: derived from the authenticated identity (JWT claims) by the TokenSmith integration

Example policy tuples you will typically write policies against:

alice, /bmcs, GET
alice, /bmcs/{uid}, PATCH
service-account:my-controller, /bmcs/{uid}/status, PUT

Where to customize classification:

Edit cmd/server/authz_classifier.go (create-once, regeneration-safe). This lets you mark routes as public/protected and adjust tuple derivation.

Development

# Install dependencies
go mod tidy

# Run the server
go run ./cmd/server/ serve

# Run with custom config
go run ./cmd/server/ serve --config config.yaml

Name		Name	Last commit message	Last commit date
Latest commit History 51 Commits
.github/workflows		.github/workflows
apis/inventory-service.openchami.org/v1		apis/inventory-service.openchami.org/v1
cmd		cmd
internal		internal
pkg		pkg
resttests		resttests
tests		tests
.fabrica.yaml		.fabrica.yaml
.gitignore		.gitignore
.goreleaser.yaml		.goreleaser.yaml
Dockerfile		Dockerfile
Makefile		Makefile
README.md		README.md
apis.yaml		apis.yaml
go.mod		go.mod
go.sum		go.sum

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

inventory-service

Getting Started

Configuration

Features

Security (TokenSmith)

Public endpoints (bypass AuthN/AuthZ)

Authentication (AuthN)

Authorization (AuthZ)

Development

About

Uh oh!

Releases 1

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

inventory-service

Getting Started

Configuration

Features

Security (TokenSmith)

Public endpoints (bypass AuthN/AuthZ)

Authentication (AuthN)

Authorization (AuthZ)

Development

About

Resources

Code of conduct

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 1

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages