Documentation
Overview
Package authz contains standard data structures for representing permissions and authorization requests / responses.
Types
type Action
type Action string
Action is an authorization-style action that can be requested (and allowed or denied) for a particular queue spec.
type Authorization
type Authorization struct {
	// An HTTP Authorization header is split into its type and credentials and
	// included here when available.
	Type        string `json:"type,omitempty"`
	Credentials string `json:"credentials,omitempty"`

	// Never use this in practice. This allows the user to be set directly for testing.
	// The code checks for this and creates an error if present, unless
	// specifically allowed for testing.
	TestUser string `json:"testuser,omitempty"`
}
Authorization represents per-request authz information. It can ideally come in many forms. The first supported form is a "token", such as from an Authorization header.
func NewHeaderAuthorization
func NewHeaderAuthorization(val string) *Authorization
NewHeaderAuthorization creates an authorization structure from a header value.
func (*Authorization) String
func (a *Authorization) String() string
String returns the authorization header value.
type Authorizer
type Authorizer interface {
	// Authorize sends a request with context to see if something is allowed.
	// The request contains information about the entity making the request and
	// a nil error indicates that the request is permitted. A non-nil error can
	// be returned for system errors, or for permission denied reasons. The
	// latter will be of type AuthzError and can be detected in standard
	// errors.Is/As ways.
	Authorize(context.Context, *Request) error

	// Close cleans up any resources, or policy watchdogs, that the authorizer
	// might need in order to do its work.
	Close() error
}
Authorizer is an abstraction over Rego policy. Provide one of these to manage policy files and changes. The query is expected to return a nil error when authorized, and a non-nil error when not authorized (or something else goes wrong). If the non-nil error is an AuthzError, it can be unpacked for information about which queues and actions were disallowed.
type AuthzError
type AuthzError struct {
	// If Allow is true, then authorization succeeded and we can proceed.
	// The reason we don't just go with "empty error and failures" is that
	// non-affirmative things like that tend to cause unwanted authorizations
	// for other reasons, like parsing JSON with no known fields present.
	Allow bool `json:"allow"`

	// Failed contains the queue information for things that were not
	// found to be allowed by the policy. It will only contain the actions that
	// were not matched. If multiple actions were desired for a single queue,
	// only those disallowed are expected to be given back in the response.
	Failed []*Queue `json:"failed"`

	// For other kinds of errors.
	Errors []string `json:"errors"`
}
AuthzError contains the reply from OPA.
func (*AuthzError) Error
func (e *AuthzError) Error() string
Error satisfies the error interface, producing a string error that contains unmatched queue/action information.
type Queue
type Queue struct {
	// An exact name to match.
	Exact string `yaml:",omitempty" json:"exact,omitempty"`

	// A prefix to match, used instead of Exact when prefix matching is wanted.
	Prefix string `yaml:",omitempty" json:"prefix,omitempty"`

	// Actions contains the desired things to be done with this queue.
	Actions []Action `yaml:",flow" json:"actions"`
}
Queue contains information about a single queue (it is expected that only one match string will be specified). Behavior of multiple specifications is not necessarily well defined, and depends on policy execution order.
type Request
type Request struct {
	// Authz contains information that came in with the request (headers).
	Authz *Authorization `json:"authz"`

	// Queues contains information about what is desired: what queues to
	// operate on, and what should be done to them.
	Queues []*Queue `json:"queues"`
}
Request contains an authorization request to send to OPA.
func NewYAMLRequest
NewYAMLRequest creates a request from YAML/JSON.
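A toy Authorizer that exercises the contract documented above, added here as an example and not code from the authz package: StaticAuthorizer and its Grants map are assumptions (a static map plays the role of the Rego policy), and the stand-in type declarations omit Prefix matching, the Allow and Type fields and Close for brevity. It returns an AuthzError carrying only the unmatched actions per queue, and rejects any request that sets TestUser, as the field comment requires.

```go
package main

import (
	"context"
	"fmt"
)

// Minimal stand-ins for the page's types so this file runs on its own.
type Action string
type Queue struct {
	Exact   string
	Actions []Action
}
type Authorization struct{ Credentials, TestUser string }
type Request struct {
	Authz  *Authorization
	Queues []*Queue
}
type AuthzError struct {
	Failed []*Queue // queues carrying only their disallowed actions
	Errors []string
}
func (e *AuthzError) Error() string { return fmt.Sprintf("authz denied: %d failed, errors=%v", len(e.Failed), e.Errors) }

// StaticAuthorizer is a hypothetical Authorizer standing in for a Rego policy:
// Grants maps a credential to the exact queue names and actions it may use.
type StaticAuthorizer struct{ Grants map[string]map[string]map[Action]bool }

func (s *StaticAuthorizer) Authorize(_ context.Context, r *Request) error {
	// TestUser is for tests only (see the page), so a real authorizer rejects it.
	if r.Authz == nil || r.Authz.TestUser != "" {
		return &AuthzError{Errors: []string{"missing credentials or testuser set"}}
	}
	var failed []*Queue
	for _, q := range r.Queues {
		var denied []Action
		for _, a := range q.Actions {
			if !s.Grants[r.Authz.Credentials][q.Exact][a] { // nil maps read as false
				denied = append(denied, a)
			}
		}
		if len(denied) > 0 { // report only the actions that were not matched
			failed = append(failed, &Queue{Exact: q.Exact, Actions: denied})
		}
	}
	if len(failed) > 0 {
		return &AuthzError{Failed: failed}
	}
	return nil
}
```

Callers unpack the result with errors.As, exactly as the Authorizer comment describes, and a nil error is the only affirmative signal.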