rbac


Documentation

Overview

Package rbac provides role-based access control with permission inheritance.


Variables

// Sentinel errors for policy operations. Test for them with errors.Is
// rather than ==, in case a caller layer wraps them with %w.
var (
	ErrRoleNotFound      = errors.New("role not found")
	ErrRoleAlreadyExists = errors.New("role already exists")
	// ErrInvalidPermission: the permission string is not in the
	// "resource:action" form documented on Permission.
	ErrInvalidPermission = errors.New("invalid permission format")
	// ErrCyclicInheritance: a role's Parents chain leads back to itself.
	// Rejecting this presumably keeps inherited-permission resolution
	// (CheckPermission, GetUserRoles) from looping — confirm in the engine.
	ErrCyclicInheritance = errors.New("cyclic role inheritance detected")
	ErrInvalidRoleName   = errors.New("invalid role name")
)

Common errors for policy operations.

// DefaultRoles defines the standard roles with their permissions.
//
// Review notes: "admin" carries "*:*", a wildcard in both the resource and
// the action position (see Permission.Matches), so it is a full-access
// role and should be granted sparingly. "editor" names "viewer" as a
// parent, so it also receives "health:read" through inheritance even
// though that permission is not listed on it directly.
var DefaultRoles = []Role{
	{
		Name:        "admin",
		Description: "Full system access",
		Permissions: []Permission{
			// Wildcard resource and wildcard action: expected to match
			// every permission checked against it.
			"*:*",
		},
		Parents: []string{},
	},
	{
		Name:        "editor",
		Description: "Can read and modify resources",
		Permissions: []Permission{
			// The three *:read entries duplicate viewer's direct grants;
			// they are redundant given Parents below but harmless.
			"configs:read",
			"configs:create",
			"configs:update",
			"configs:delete",
			"executions:read",
			"executions:create",
			"deployments:read",
			"deployments:create",
		},
		// Inherits everything viewer grants, including health:read.
		Parents: []string{"viewer"},
	},
	{
		Name:        "viewer",
		Description: "Read-only access",
		Permissions: []Permission{
			"configs:read",
			"executions:read",
			"deployments:read",
			"health:read",
		},
		Parents: []string{},
	},
}

DefaultRoles defines the standard roles with their permissions.


Types

type AuthorizeFunc

// AuthorizeFunc is a function type for custom authorization logic, consumed
// by Middleware.Custom. A true result presumably allows the request to
// proceed to the wrapped handler — confirm against Custom.
type AuthorizeFunc func(r *http.Request, user *auth.User) bool

AuthorizeFunc is a function type for custom authorization logic.

type CachedStorage

type CachedStorage struct {
	// contains filtered or unexported fields
}

CachedStorage wraps another Storage implementation with TTL-based caching.

func NewCachedStorage

func NewCachedStorage(backend Storage, opts ...CachedStorageOption) *CachedStorage

NewCachedStorage creates a new cached storage wrapper.

func (*CachedStorage) DeleteRole

func (s *CachedStorage) DeleteRole(ctx context.Context, name string) error

DeleteRole removes a role and invalidates the cache.

func (*CachedStorage) GetRole

func (s *CachedStorage) GetRole(ctx context.Context, name string) (*Role, error)

GetRole retrieves a role by name with caching.

func (*CachedStorage) InvalidateCache

func (s *CachedStorage) InvalidateCache()

InvalidateCache clears the entire cache.

func (*CachedStorage) InvalidateRole

func (s *CachedStorage) InvalidateRole(name string)

InvalidateRole removes a specific role from the cache.

func (*CachedStorage) ListRoles

func (s *CachedStorage) ListRoles(ctx context.Context) ([]*Role, error)

ListRoles returns all roles.

func (*CachedStorage) SaveRole

func (s *CachedStorage) SaveRole(ctx context.Context, role *Role) error

SaveRole creates or updates a role and invalidates the cache.

type CachedStorageOption

// CachedStorageOption configures the cached storage; see WithTTL and
// WithListTTL for the options this package provides.
type CachedStorageOption func(*CachedStorage)

CachedStorageOption configures the cached storage.

func WithListTTL

func WithListTTL(ttl time.Duration) CachedStorageOption

WithListTTL sets the cache TTL for list operations.

func WithTTL

func WithTTL(ttl time.Duration) CachedStorageOption

WithTTL sets the cache TTL for individual role lookups.

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

Engine is the RBAC engine that manages roles and permissions.

func NewEngine

func NewEngine(storage Storage) *Engine

NewEngine creates a new RBAC engine with the given storage backend.

func NewEngineWithLogger

func NewEngineWithLogger(storage Storage, logger *slog.Logger) *Engine

NewEngineWithLogger creates a new RBAC engine with a custom logger.

func (*Engine) CheckPermission

func (e *Engine) CheckPermission(ctx context.Context, user *auth.User, permission Permission) bool

CheckPermission checks if the user has the specified permission. It resolves all permissions from the user's roles including inherited ones.

func (*Engine) CheckRole

func (e *Engine) CheckRole(ctx context.Context, user *auth.User, roleName string) bool

CheckRole checks if the user has the specified role.

func (*Engine) GetUserPermissions

func (e *Engine) GetUserPermissions(ctx context.Context, user *auth.User) []Permission

GetUserPermissions returns all effective permissions for a user.

func (*Engine) GetUserRoles

func (e *Engine) GetUserRoles(ctx context.Context, user *auth.User) []string

GetUserRoles returns all effective roles for a user including inherited ones.

func (*Engine) InvalidateCache

func (e *Engine) InvalidateCache()

InvalidateCache clears the permission cache. Call this when roles or permissions are updated.

type MemoryStorage

type MemoryStorage struct {
	// contains filtered or unexported fields
}

MemoryStorage is an in-memory implementation of Storage.

func NewMemoryStorage

func NewMemoryStorage() *MemoryStorage

NewMemoryStorage creates a new in-memory storage.

func NewMemoryStorageWithDefaults

func NewMemoryStorageWithDefaults() *MemoryStorage

NewMemoryStorageWithDefaults creates a storage with default roles loaded.

func (*MemoryStorage) DeleteRole

func (s *MemoryStorage) DeleteRole(ctx context.Context, name string) error

DeleteRole removes a role.

func (*MemoryStorage) GetRole

func (s *MemoryStorage) GetRole(ctx context.Context, name string) (*Role, error)

GetRole retrieves a role by name.

func (*MemoryStorage) ListRoles

func (s *MemoryStorage) ListRoles(ctx context.Context) ([]*Role, error)

ListRoles returns all roles.

func (*MemoryStorage) SaveRole

func (s *MemoryStorage) SaveRole(ctx context.Context, role *Role) error

SaveRole creates or updates a role.

type Middleware

type Middleware struct {
	// contains filtered or unexported fields
}

Middleware provides HTTP middleware for authorization checks.

func NewMiddleware

func NewMiddleware(engine *Engine) *Middleware

NewMiddleware creates a new RBAC middleware with the given engine.

func (*Middleware) Custom

func (m *Middleware) Custom(authorize AuthorizeFunc) func(http.Handler) http.Handler

Custom returns middleware with custom authorization logic.

func (*Middleware) RequireAllPermissions

func (m *Middleware) RequireAllPermissions(permissions ...string) func(http.Handler) http.Handler

RequireAllPermissions returns middleware that requires every one of the specified permissions.

func (*Middleware) RequireAnyPermission

func (m *Middleware) RequireAnyPermission(permissions ...string) func(http.Handler) http.Handler

RequireAnyPermission returns middleware that requires at least one of the specified permissions.

func (*Middleware) RequireAnyRole

func (m *Middleware) RequireAnyRole(roles ...string) func(http.Handler) http.Handler

RequireAnyRole returns middleware that requires at least one of the specified roles.

func (*Middleware) RequirePermission

func (m *Middleware) RequirePermission(permission string) func(http.Handler) http.Handler

RequirePermission returns middleware that checks for a specific permission. Must be used after authentication middleware.

func (*Middleware) RequireRole

func (m *Middleware) RequireRole(role string) func(http.Handler) http.Handler

RequireRole returns middleware that checks for a specific role.

func (*Middleware) ResourcePermission

func (m *Middleware) ResourcePermission(action string, resourceExtractor func(*http.Request) string) func(http.Handler) http.Handler

ResourcePermission returns middleware that checks for a permission on a specific resource. The resource is extracted from the request using the provided function.

type Permission

// Permission represents a permission in the format "resource:action".
// Either part may be the wildcard "*"; see Matches for how wildcards are
// compared. Strings that are not in this form are reported as
// ErrInvalidPermission where the package validates them.
type Permission string

Permission represents a permission in the format "resource:action".

func (Permission) Action

func (p Permission) Action() string

Action returns the action part of the permission.

func (Permission) Matches

func (p Permission) Matches(target Permission) bool

Matches checks whether this permission matches another permission. Supports wildcards: "*:read" matches any resource with the read action, and "users:*" matches any action on the users resource.

func (Permission) Resource

func (p Permission) Resource() string

Resource returns the resource part of the permission.

func (Permission) String

func (p Permission) String() string

String returns the string representation of the permission.

type Policy

// Policy represents a collection of roles and their permissions.
type Policy struct {
	// Roles is keyed by role name (presumably Role.Name — confirm against
	// AddRole). The map is exported, so direct writes to it bypass whatever
	// validation AddRole and UpdateRole perform (for example the cycle
	// check behind ErrCyclicInheritance); prefer the methods.
	Roles       map[string]*Role
	Description string
	Version     string
}

Policy represents a collection of roles and their permissions.

func NewDefaultPolicy

func NewDefaultPolicy() *Policy

NewDefaultPolicy creates a policy with the default roles.

func NewPolicy

func NewPolicy() *Policy

NewPolicy creates a new empty policy.

func (*Policy) AddRole

func (p *Policy) AddRole(role Role) error

AddRole adds a new role to the policy.

func (*Policy) GetRole

func (p *Policy) GetRole(name string) (*Role, error)

GetRole returns a role by name.

func (*Policy) ListRoles

func (p *Policy) ListRoles() []*Role

ListRoles returns all roles in the policy.

func (*Policy) RemoveRole

func (p *Policy) RemoveRole(name string) error

RemoveRole removes a role from the policy.

func (*Policy) UpdateRole

func (p *Policy) UpdateRole(role Role) error

UpdateRole updates an existing role.

type Role

// Role represents a role with associated permissions.
type Role struct {
	// Name is the identifier other roles reference in Parents and that
	// Policy and Storage look roles up by.
	Name        string
	Description string
	// Permissions are the role's direct grants, in "resource:action" form;
	// wildcards are honoured per Permission.Matches.
	Permissions []Permission
	// Parent roles for inheritance: the role also receives the effective
	// permissions of each parent. Chains that loop back to this role are
	// rejected with ErrCyclicInheritance.
	Parents     []string
}

Role represents a role with associated permissions.

type RoleBuilder

type RoleBuilder struct {
	// contains filtered or unexported fields
}

RoleBuilder provides a fluent API for building roles.

func NewRoleBuilder

func NewRoleBuilder(name string) *RoleBuilder

NewRoleBuilder creates a new role builder.

func (*RoleBuilder) Build

func (b *RoleBuilder) Build() Role

Build returns the constructed role.

func (*RoleBuilder) Description

func (b *RoleBuilder) Description(desc string) *RoleBuilder

Description sets the role description.

func (*RoleBuilder) Inherits

func (b *RoleBuilder) Inherits(parents ...string) *RoleBuilder

Inherits adds parent roles for inheritance.

func (*RoleBuilder) Permission

func (b *RoleBuilder) Permission(perm string) *RoleBuilder

Permission adds a permission to the role.

func (*RoleBuilder) Permissions

func (b *RoleBuilder) Permissions(perms ...string) *RoleBuilder

Permissions adds multiple permissions to the role.

type Storage

// Storage defines the interface for policy storage backends. MemoryStorage
// is the in-package implementation and CachedStorage wraps any Storage with
// a TTL cache. NOTE(review): the interface does not state which error an
// unknown name yields from GetRole or DeleteRole; ErrRoleNotFound is the
// natural choice — confirm per implementation before relying on it.
type Storage interface {
	// GetRole retrieves a role by name.
	GetRole(ctx context.Context, name string) (*Role, error)

	// ListRoles returns all roles.
	ListRoles(ctx context.Context) ([]*Role, error)

	// SaveRole creates or updates a role (upsert semantics).
	SaveRole(ctx context.Context, role *Role) error

	// DeleteRole removes a role.
	DeleteRole(ctx context.Context, name string) error
}

Storage defines the interface for policy storage backends.
