Documentation ¶
Index ¶
- Constants
- Variables
- func EnsureForbidden(ctx context.Context, mgr PermissionManagementService, ...) error
- func EnsureGrant(ctx context.Context, mgr PermissionManagementService, ...) error
- func FormatError(ctx context.Context, result *Result, subjects ...Subject) error
- func FromAlwaysAuthorizationContext(ctx context.Context) (allow bool, ok bool)
- func LoadFromConf(groupConf *PermissionConf)
- func LoadFromYaml(data []byte)
- func NewAlwaysAuthorizationContext(ctx context.Context, allow bool) context.Context
- func NormalizeTenantId(ctx context.Context, tenantId string) string
- func WalkGroups(isHost bool, publicOnly bool, f func(group *PermissionDefGroup))
- type Action
- type ActionStr
- type ClientSubject
- type DefaultAuthorizationService
- func (a *DefaultAuthorizationService) BatchCheck(ctx context.Context, requirement RequirementList) (ResultList, error)
- func (a *DefaultAuthorizationService) BatchCheckForSubjects(ctx context.Context, requirement RequirementList, subjects ...Subject) (ResultList, error)
- func (a *DefaultAuthorizationService) Check(ctx context.Context, resource Resource, action Action) (*Result, error)
- func (a *DefaultAuthorizationService) CheckForSubjects(ctx context.Context, resource Resource, action Action, subjects ...Subject) (*Result, error)
- type Effect
- type EntityResource
- type HasIdentity
- type Option
- type PermissionAllowSide
- func (PermissionAllowSide) Descriptor() protoreflect.EnumDescriptor
- func (x PermissionAllowSide) Enum() *PermissionAllowSide
- func (PermissionAllowSide) EnumDescriptor() ([]byte, []int) — deprecated
- func (x PermissionAllowSide) Number() protoreflect.EnumNumber
- func (x PermissionAllowSide) String() string
- func (PermissionAllowSide) Type() protoreflect.EnumType
- type PermissionBean
- type PermissionChecker
- type PermissionConf
- type PermissionDef
- func (*PermissionDef) Descriptor() ([]byte, []int) — deprecated
- func (x *PermissionDef) GetAction() string
- func (x *PermissionDef) GetExtra() *structpb.Struct
- func (x *PermissionDef) GetInternal() bool
- func (x *PermissionDef) GetName() string
- func (x *PermissionDef) GetNamespace() string
- func (x *PermissionDef) GetPriority() int32
- func (x *PermissionDef) GetSide() PermissionAllowSide
- func (*PermissionDef) ProtoMessage()
- func (x *PermissionDef) ProtoReflect() protoreflect.Message
- func (x *PermissionDef) Reset()
- func (x *PermissionDef) String() string
- type PermissionDefGroup
- func (x *PermissionDefGroup) AddDef(def *PermissionDef)
- func (*PermissionDefGroup) Descriptor() ([]byte, []int) — deprecated
- func (x *PermissionDefGroup) GetDef() []*PermissionDef
- func (x *PermissionDefGroup) GetExtra() *structpb.Struct
- func (x *PermissionDefGroup) GetInternal() bool
- func (x *PermissionDefGroup) GetName() string
- func (x *PermissionDefGroup) GetPriority() int32
- func (x *PermissionDefGroup) GetSide() PermissionAllowSide
- func (x *PermissionDefGroup) NormalizeAndValidate() error
- func (*PermissionDefGroup) ProtoMessage()
- func (x *PermissionDefGroup) ProtoReflect() protoreflect.Message
- func (x *PermissionDefGroup) Reset()
- func (x *PermissionDefGroup) String() string
- func (x *PermissionDefGroup) Walk(isHost bool, publicOnly bool, f func(def *PermissionDef))
- type PermissionManagementService
- type PermissionRequirement
- type Requirement
- type RequirementList
- type Resource
- type Result
- type ResultList
- type RoleSubject
- type Service
- type Subject
- type SubjectContributor
- type SubjectList
- type SubjectResolver
- type SubjectResolverImpl
- type SubjectStr
- type TokenSubject
- type UpdateSubjectPermission
- type UserSubject
Constants ¶
// Wildcard values accepted in place of a concrete namespace, resource id or
// tenant id. A grant written with these presumably matches every namespace,
// resource or tenant (confirm against the PermissionChecker implementation);
// such grants are broad and deserve explicit review before being issued.
const (
	AnyNamespace = "*"
	AnyResource  = "*"
	AnyTenant    = "*"
)
Variables ¶
// Generated enum value maps for PermissionAllowSide: number -> name and
// name -> number.
var (
	PermissionAllowSide_name = map[int32]string{
		0: "BOTH",
		1: "HOST_ONLY",
		2: "TENANT_ONLY",
	}
	PermissionAllowSide_value = map[string]int32{
		"BOTH":        0,
		"HOST_ONLY":   1,
		"TENANT_ONLY": 2,
	}
)
Enum value maps for PermissionAllowSide.
var (
	// DefNotFoundReason is the reason code reported when a permission
	// definition cannot be located (presumably carried by the error FindDef
	// returns — confirm in the implementation).
	DefNotFoundReason = "PERMISSION_DEF_NOT_FOUND"
)
// File_authz_def_proto is the generated protobuf file descriptor for the
// authz definition proto (PermissionConf, PermissionDefGroup, PermissionDef,
// PermissionAllowSide).
var File_authz_def_proto protoreflect.FileDescriptor
// ProviderSet is the wire provider set for this package. It constructs
// DefaultAuthorizationService and binds it as Service, and constructs
// SubjectResolverImpl and binds it as SubjectResolver.
var ProviderSet = wire.NewSet(
	NewDefaultAuthorizationService,
	wire.Bind(new(Service), new(*DefaultAuthorizationService)),
	NewSubjectResolver,
	wire.Bind(new(SubjectResolver), new(*SubjectResolverImpl)),
)
Functions ¶
func EnsureForbidden ¶
func EnsureForbidden(ctx context.Context, mgr PermissionManagementService, checker PermissionChecker, resource Resource, action Action, subject Subject, tenantID string) error
func EnsureGrant ¶
func EnsureGrant(ctx context.Context, mgr PermissionManagementService, checker PermissionChecker, resource Resource, action Action, subject Subject, tenantID string) error
func LoadFromConf ¶ added in v0.0.3
func LoadFromConf(groupConf *PermissionConf)
func LoadFromYaml ¶ added in v0.0.3
func LoadFromYaml(data []byte)
func NewAlwaysAuthorizationContext ¶
NewAlwaysAuthorizationContext creates a context in which authorization checks always pass (allow = true) or are always forbidden (allow = false); FromAlwaysAuthorizationContext reads the flag back. It is intended for testing. Because an always-allow context short-circuits every permission check made with it, it must never be attached to real request contexts in production code paths.
func NormalizeTenantId ¶ added in v0.0.2
func WalkGroups ¶ added in v0.0.2
func WalkGroups(isHost bool, publicOnly bool, f func(group *PermissionDefGroup))
Types ¶
type Action ¶
// Action is an operation a Subject attempts on a Resource. It is identified
// solely by GetIdentity(), which is what permission definitions and grants
// are matched against.
type Action interface {
	HasIdentity
}
type ClientSubject ¶
type ClientSubject struct {
// contains filtered or unexported fields
}
func NewClientSubject ¶
func NewClientSubject(clientId string) *ClientSubject
func ParseClientSubject ¶ added in v0.0.2
func ParseClientSubject(subject Subject) (*ClientSubject, bool)
func (*ClientSubject) GetClientId ¶
func (c *ClientSubject) GetClientId() string
func (*ClientSubject) GetIdentity ¶
func (c *ClientSubject) GetIdentity() string
type DefaultAuthorizationService ¶
type DefaultAuthorizationService struct {
// contains filtered or unexported fields
}
func NewDefaultAuthorizationService ¶
func NewDefaultAuthorizationService(checker PermissionChecker, sr SubjectResolver, logger log.Logger) *DefaultAuthorizationService
func (*DefaultAuthorizationService) BatchCheck ¶ added in v0.0.2
func (a *DefaultAuthorizationService) BatchCheck(ctx context.Context, requirement RequirementList) (ResultList, error)
func (*DefaultAuthorizationService) BatchCheckForSubjects ¶ added in v0.0.2
func (a *DefaultAuthorizationService) BatchCheckForSubjects(ctx context.Context, requirement RequirementList, subjects ...Subject) (ResultList, error)
func (*DefaultAuthorizationService) CheckForSubjects ¶
type EntityResource ¶
func NewEntityResource ¶
func NewEntityResource(namespace string, id string) *EntityResource
func (*EntityResource) GetIdentity ¶
func (r *EntityResource) GetIdentity() string
func (*EntityResource) GetNamespace ¶
func (r *EntityResource) GetNamespace() string
func (*EntityResource) String ¶ added in v0.0.2
func (r *EntityResource) String() string
type HasIdentity ¶
// HasIdentity is the common interface of subjects, resources and actions:
// each is reduced to a single string identity for permission matching.
type HasIdentity interface {
	// GetIdentity returns the string used to identify this value in
	// permission checks and grants.
	GetIdentity() string
}
type Option ¶
// Option configures the SubjectResolver (see NewAuthorizationOption and
// NewSubjectResolver).
type Option struct {
	// SubjectContributorList holds the contributors consulted when a
	// subject is expanded into a list of subjects (see SubjectContributor).
	SubjectContributorList []SubjectContributor
}
func NewAuthorizationOption ¶
func NewAuthorizationOption(subjectContributorList ...SubjectContributor) *Option
type PermissionAllowSide ¶ added in v0.0.3
// PermissionAllowSide states on which side — host, tenant or both — a
// permission definition or group may be granted. It is a generated protobuf
// enum; see PermissionAllowSide_name / PermissionAllowSide_value.
type PermissionAllowSide int32
const (
	// PermissionAllowSide_BOTH: the permission applies on the host and
	// tenant sides alike.
	PermissionAllowSide_BOTH PermissionAllowSide = 0
	// PermissionAllowSide_HOST_ONLY: the permission applies only on the
	// host side.
	PermissionAllowSide_HOST_ONLY PermissionAllowSide = 1
	// PermissionAllowSide_TENANT_ONLY: the permission applies only on the
	// tenant side.
	PermissionAllowSide_TENANT_ONLY PermissionAllowSide = 2
)
func (PermissionAllowSide) Descriptor ¶ added in v0.0.3
func (PermissionAllowSide) Descriptor() protoreflect.EnumDescriptor
func (PermissionAllowSide) Enum ¶ added in v0.0.3
func (x PermissionAllowSide) Enum() *PermissionAllowSide
func (PermissionAllowSide) EnumDescriptor ¶ deprecated; added in v0.0.3
func (PermissionAllowSide) EnumDescriptor() ([]byte, []int)
Deprecated: Use PermissionAllowSide.Descriptor instead.
func (PermissionAllowSide) Number ¶ added in v0.0.3
func (x PermissionAllowSide) Number() protoreflect.EnumNumber
func (PermissionAllowSide) String ¶ added in v0.0.3
func (x PermissionAllowSide) String() string
func (PermissionAllowSide) Type ¶ added in v0.0.3
func (PermissionAllowSide) Type() protoreflect.EnumType
type PermissionBean ¶
// PermissionBean is one access-control entry as returned by
// PermissionManagementService.ListAcl: the subject, the (namespace,
// resource, action) it covers, the tenant it is scoped to, and its Effect.
type PermissionBean struct {
	// Namespace of the resource the entry covers.
	Namespace string
	// Resource identity the entry covers (may be AnyResource).
	Resource string
	// Action identity the entry covers.
	Action string
	// Subject identity the entry is granted to.
	Subject string
	// TenantID scopes the entry to a tenant (may be AnyTenant).
	TenantID string
	// Effect of the entry (allow / forbid; the Effect type is defined elsewhere).
	Effect Effect
}
func NewPermissionBean ¶
type PermissionChecker ¶
type PermissionConf ¶ added in v0.0.3
// PermissionConf is the top-level permission configuration message consumed
// by LoadFromConf. It is a generated protobuf type.
type PermissionConf struct {
	// Groups holds the permission definition groups to register.
	Groups []*PermissionDefGroup `protobuf:"bytes,1,rep,name=groups,proto3" json:"groups,omitempty"`
	// contains filtered or unexported fields
}
func (*PermissionConf) Descriptor ¶ deprecated; added in v0.0.3
func (*PermissionConf) Descriptor() ([]byte, []int)
Deprecated: Use PermissionConf.ProtoReflect.Descriptor instead.
func (*PermissionConf) GetGroups ¶ added in v0.0.3
func (x *PermissionConf) GetGroups() []*PermissionDefGroup
func (*PermissionConf) ProtoMessage ¶ added in v0.0.3
func (*PermissionConf) ProtoMessage()
func (*PermissionConf) ProtoReflect ¶ added in v0.0.3
func (x *PermissionConf) ProtoReflect() protoreflect.Message
func (*PermissionConf) Reset ¶ added in v0.0.3
func (x *PermissionConf) Reset()
func (*PermissionConf) String ¶ added in v0.0.3
func (x *PermissionConf) String() string
type PermissionDef ¶ added in v0.0.2
// PermissionDef describes one grantable permission: the (Namespace, Action)
// pair it covers plus metadata used when listing definitions. It is a
// generated protobuf type; see FindDef / MustFindDef for lookup.
type PermissionDef struct {
	// Name is the human-readable name of the permission.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Side restricts which side (host, tenant or both) the permission
	// applies to; see PermissionAllowSide and the isHost parameter of Walk.
	Side PermissionAllowSide `protobuf:"varint,2,opt,name=side,proto3,enum=authz.PermissionAllowSide" json:"side,omitempty"`
	// Namespace is the resource namespace this permission covers.
	Namespace string `protobuf:"bytes,3,opt,name=namespace,proto3" json:"namespace,omitempty"`
	// Action is the action identity this permission covers (compare
	// Action.GetIdentity()).
	Action string `protobuf:"bytes,4,opt,name=action,proto3" json:"action,omitempty"`
	// Extra carries arbitrary structured metadata.
	Extra *structpb.Struct `protobuf:"bytes,5,opt,name=extra,proto3" json:"extra,omitempty"`
	// Internal marks a definition not meant for public listing — presumably
	// the ones excluded when FindDef / Walk are called with publicOnly=true;
	// confirm in the implementation.
	Internal bool `protobuf:"varint,6,opt,name=internal,proto3" json:"internal,omitempty"`
	// Priority orders definitions; its exact semantics are not shown here.
	Priority int32 `protobuf:"varint,7,opt,name=priority,proto3" json:"priority,omitempty"`
	// contains filtered or unexported fields
}
func FindDef ¶ added in v0.0.2
func FindDef(namespace string, action Action, publicOnly bool) (*PermissionDef, error)
func MustFindDef ¶ added in v0.0.2
func MustFindDef(namespace string, action Action) *PermissionDef
func (*PermissionDef) Descriptor ¶ deprecated; added in v0.0.3
func (*PermissionDef) Descriptor() ([]byte, []int)
Deprecated: Use PermissionDef.ProtoReflect.Descriptor instead.
func (*PermissionDef) GetAction ¶ added in v0.0.3
func (x *PermissionDef) GetAction() string
func (*PermissionDef) GetExtra ¶ added in v0.0.3
func (x *PermissionDef) GetExtra() *structpb.Struct
func (*PermissionDef) GetInternal ¶ added in v0.0.3
func (x *PermissionDef) GetInternal() bool
func (*PermissionDef) GetName ¶ added in v0.0.3
func (x *PermissionDef) GetName() string
func (*PermissionDef) GetNamespace ¶ added in v0.0.3
func (x *PermissionDef) GetNamespace() string
func (*PermissionDef) GetPriority ¶ added in v0.0.3
func (x *PermissionDef) GetPriority() int32
func (*PermissionDef) GetSide ¶ added in v0.0.3
func (x *PermissionDef) GetSide() PermissionAllowSide
func (*PermissionDef) ProtoMessage ¶ added in v0.0.3
func (*PermissionDef) ProtoMessage()
func (*PermissionDef) ProtoReflect ¶ added in v0.0.3
func (x *PermissionDef) ProtoReflect() protoreflect.Message
func (*PermissionDef) Reset ¶ added in v0.0.3
func (x *PermissionDef) Reset()
func (*PermissionDef) String ¶ added in v0.0.3
func (x *PermissionDef) String() string
type PermissionDefGroup ¶ added in v0.0.2
// PermissionDefGroup is a named collection of PermissionDef entries that
// share a Side, Internal flag and Priority. It is a generated protobuf type;
// groups are registered via FindOrAddGroup / LoadFromConf and iterated with
// WalkGroups / Walk.
type PermissionDefGroup struct {
	// Name identifies the group.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Side restricts which side (host, tenant or both) the group applies to.
	Side PermissionAllowSide `protobuf:"varint,2,opt,name=side,proto3,enum=authz.PermissionAllowSide" json:"side,omitempty"`
	// Def lists the permission definitions in this group (see AddDef).
	Def []*PermissionDef `protobuf:"bytes,3,rep,name=def,proto3" json:"def,omitempty"`
	// Extra carries arbitrary structured metadata.
	Extra *structpb.Struct `protobuf:"bytes,4,opt,name=extra,proto3" json:"extra,omitempty"`
	// Internal marks a group not meant for public listing — presumably
	// skipped when Walk / WalkGroups are called with publicOnly=true;
	// confirm in the implementation.
	Internal bool `protobuf:"varint,5,opt,name=internal,proto3" json:"internal,omitempty"`
	// Priority orders groups; its exact semantics are not shown here.
	Priority int32 `protobuf:"varint,6,opt,name=priority,proto3" json:"priority,omitempty"`
	// contains filtered or unexported fields
}
func FindOrAddGroup ¶ added in v0.0.3
func FindOrAddGroup(group *PermissionDefGroup) *PermissionDefGroup
func (*PermissionDefGroup) AddDef ¶ added in v0.0.2
func (x *PermissionDefGroup) AddDef(def *PermissionDef)
func (*PermissionDefGroup) Descriptor ¶ deprecated; added in v0.0.3
func (*PermissionDefGroup) Descriptor() ([]byte, []int)
Deprecated: Use PermissionDefGroup.ProtoReflect.Descriptor instead.
func (*PermissionDefGroup) GetDef ¶ added in v0.0.3
func (x *PermissionDefGroup) GetDef() []*PermissionDef
func (*PermissionDefGroup) GetExtra ¶ added in v0.0.3
func (x *PermissionDefGroup) GetExtra() *structpb.Struct
func (*PermissionDefGroup) GetInternal ¶ added in v0.0.3
func (x *PermissionDefGroup) GetInternal() bool
func (*PermissionDefGroup) GetName ¶ added in v0.0.3
func (x *PermissionDefGroup) GetName() string
func (*PermissionDefGroup) GetPriority ¶ added in v0.0.3
func (x *PermissionDefGroup) GetPriority() int32
func (*PermissionDefGroup) GetSide ¶ added in v0.0.3
func (x *PermissionDefGroup) GetSide() PermissionAllowSide
func (*PermissionDefGroup) NormalizeAndValidate ¶ added in v0.0.3
func (x *PermissionDefGroup) NormalizeAndValidate() error
func (*PermissionDefGroup) ProtoMessage ¶ added in v0.0.3
func (*PermissionDefGroup) ProtoMessage()
func (*PermissionDefGroup) ProtoReflect ¶ added in v0.0.3
func (x *PermissionDefGroup) ProtoReflect() protoreflect.Message
func (*PermissionDefGroup) Reset ¶ added in v0.0.3
func (x *PermissionDefGroup) Reset()
func (*PermissionDefGroup) String ¶ added in v0.0.3
func (x *PermissionDefGroup) String() string
func (*PermissionDefGroup) Walk ¶ added in v0.0.2
func (x *PermissionDefGroup) Walk(isHost bool, publicOnly bool, f func(def *PermissionDef))
type PermissionManagementService ¶
// PermissionManagementService manages the stored grants (ACL entries) that
// a PermissionChecker evaluates. Every method here mutates or discloses
// authorization state, so any API surface built on it must itself be
// authorized: only privileged callers should be able to add, list, update
// or remove grants.
type PermissionManagementService interface {
	// AddGrant records a grant of (resource, action) to subject, scoped to
	// tenantID, with the given effect. resource / tenantID may use the
	// AnyResource / AnyTenant wildcards, which make the grant broad.
	AddGrant(ctx context.Context, resource Resource, action Action, subject Subject, tenantID string, effect Effect) error
	// ListAcl lists the permissions of the given subjects. If no subjects
	// are provided, every ACL entry is returned — callers exposing this
	// should restrict who may request the unfiltered listing.
	ListAcl(ctx context.Context, subjects ...Subject) ([]PermissionBean, error)
	// UpdateGrant replaces / updates the permissions of subject with acl.
	UpdateGrant(ctx context.Context, subject Subject, acl []UpdateSubjectPermission) error
	// RemoveGrant removes the grants of (resource, action) to subject in
	// tenantID whose effect is one of effects.
	RemoveGrant(ctx context.Context, resource Resource, action Action, subject Subject, tenantID string, effects []Effect) error
}
type PermissionRequirement ¶ added in v0.0.2
type Requirement ¶
func NewRequirement ¶ added in v0.0.2
func NewRequirement(resource Resource, action Action) *Requirement
type RequirementList ¶ added in v0.0.2
// RequirementList is a batch of (resource, action) requirements checked
// together by Service.BatchCheck / BatchCheckForSubjects. Its results come
// back as a ResultList.
type RequirementList []*Requirement
type Resource ¶
// Resource is the target of a permission check: an identity (GetIdentity)
// within a namespace (GetNamespace). See EntityResource for the concrete
// implementation.
type Resource interface {
	HasIdentity
	// GetNamespace returns the namespace the resource belongs to.
	GetNamespace() string
}
type Result ¶
// Result is the outcome of a single permission check. Callers must treat
// anything other than Allowed == true as a denial; do not infer access from
// Requirements alone.
type Result struct {
	// Allowed is true when the check passed (see NewAllowAuthorizationResult).
	Allowed bool
	// Requirements lists the requirements attached to a denial
	// (see NewDisallowAuthorizationResult); used by FormatError to build
	// the error returned to the caller.
	Requirements []*Requirement
}
func NewAllowAuthorizationResult ¶
func NewAllowAuthorizationResult() *Result
func NewDisallowAuthorizationResult ¶
func NewDisallowAuthorizationResult(requirements ...*Requirement) *Result
type ResultList ¶ added in v0.0.2
// ResultList holds the per-requirement results of a batch check, one Result
// per entry of the RequirementList passed to BatchCheck / BatchCheckForSubjects.
type ResultList []*Result
type RoleSubject ¶
type RoleSubject struct {
// contains filtered or unexported fields
}
func NewRoleSubject ¶
func NewRoleSubject(id string) *RoleSubject
func ParseRoleSubject ¶ added in v0.0.2
func ParseRoleSubject(subject Subject) (*RoleSubject, bool)
func (*RoleSubject) GetIdentity ¶
func (r *RoleSubject) GetIdentity() string
func (*RoleSubject) GetName ¶
func (r *RoleSubject) GetName() string
func (*RoleSubject) GetRoleId ¶
func (r *RoleSubject) GetRoleId() string
type Service ¶
// Service is the authorization entry point used by application code.
// The Check / BatchCheck variants resolve the calling subjects from ctx (via
// SubjectResolver); the *ForSubjects variants take subjects explicitly.
// DefaultAuthorizationService is the provided implementation.
type Service interface {
	// CheckForSubjects checks the permission of the given subjects directly,
	// without resolving subjects from ctx.
	CheckForSubjects(ctx context.Context, resource Resource, action Action, subjects ...Subject) (*Result, error)
	// Check resolves the subjects from ctx, then checks their permission
	// for (resource, action).
	Check(ctx context.Context, resource Resource, action Action) (*Result, error)
	// BatchCheckForSubjects checks every requirement for the given subjects.
	BatchCheckForSubjects(ctx context.Context, requirement RequirementList, subjects ...Subject) (ResultList, error)
	// BatchCheck resolves the subjects from ctx, then checks every requirement.
	BatchCheck(ctx context.Context, requirement RequirementList) (ResultList, error)
}
type Subject ¶
// Subject is the principal a permission is checked for, identified by
// GetIdentity(). Concrete implementations in this package are UserSubject,
// RoleSubject, ClientSubject, TokenSubject and SubjectStr. TokenSubject is
// built from a raw token (see NewTokenSubject / GetToken) and presumably
// embeds it in its identity — confirm before logging subject identities.
type Subject interface {
	HasIdentity
}
type SubjectContributor ¶
// SubjectContributor expands one Subject into a list of subjects (for
// example the roles or groups derived from a user). Contributors are
// configured through Option.SubjectContributorList and consulted by the
// SubjectResolver; a contributor therefore influences which permissions a
// caller ends up with.
type SubjectContributor interface {
	// Process receives one subject and returns the subjects derived from it.
	Process(ctx context.Context, subject Subject) ([]Subject, error)
}
SubjectContributor receives one Subject and expands it into a list of subjects (for example, the roles derived from a user). Contributors are configured via Option.SubjectContributorList and consulted by the SubjectResolver, so they directly affect which permissions a caller is evaluated against.
type SubjectList ¶ added in v0.0.2
// SubjectList is a slice of subjects, e.g. the result of resolving the
// caller from a context.
type SubjectList []Subject
type SubjectResolver ¶
type SubjectResolverImpl ¶
type SubjectResolverImpl struct {
// contains filtered or unexported fields
}
func NewSubjectResolver ¶
func NewSubjectResolver(opt *Option) *SubjectResolverImpl
func (*SubjectResolverImpl) ResolveFromContext ¶
func (s *SubjectResolverImpl) ResolveFromContext(ctx context.Context) ([]Subject, error)
func (*SubjectResolverImpl) ResolveProcessed ¶
type SubjectStr ¶
// SubjectStr is a Subject whose identity is the string itself. It is the
// raw, unparsed form; use ParseUserSubject / ParseRoleSubject /
// ParseClientSubject / ParseTokenSubject to recover a typed subject.
type SubjectStr string
func (SubjectStr) GetIdentity ¶
func (s SubjectStr) GetIdentity() string
type TokenSubject ¶
type TokenSubject struct {
// contains filtered or unexported fields
}
func NewTokenSubject ¶
func NewTokenSubject(token string) *TokenSubject
func ParseTokenSubject ¶ added in v0.0.2
func ParseTokenSubject(subject Subject) (*TokenSubject, bool)
func (*TokenSubject) GetIdentity ¶
func (t *TokenSubject) GetIdentity() string
func (*TokenSubject) GetName ¶
func (t *TokenSubject) GetName() string
func (*TokenSubject) GetToken ¶
func (t *TokenSubject) GetToken() string
type UpdateSubjectPermission ¶
// UpdateSubjectPermission is one entry of the acl slice passed to
// PermissionManagementService.UpdateGrant: the (resource, action) pair, the
// tenant scope and the effect to apply for the subject being updated.
type UpdateSubjectPermission struct {
	// Resource the entry covers.
	Resource Resource
	// Action the entry covers.
	Action Action
	// Effect to apply (allow / forbid; the Effect type is defined elsewhere).
	Effect Effect
	// TenantID scopes the entry to a tenant (may be AnyTenant).
	TenantID string
}
func NewUpdateSubjectPermission ¶
func NewUpdateSubjectPermission(resource Resource, action Action, tenantID string, effect Effect) *UpdateSubjectPermission
type UserSubject ¶
type UserSubject struct {
// contains filtered or unexported fields
}
func NewUserSubject ¶
func NewUserSubject(userId string) *UserSubject
func ParseUserSubject ¶ added in v0.0.2
func ParseUserSubject(subject Subject) (*UserSubject, bool)
func (*UserSubject) GetIdentity ¶
func (u *UserSubject) GetIdentity() string
func (*UserSubject) GetName ¶
func (u *UserSubject) GetName() string
func (*UserSubject) GetUserId ¶
func (u *UserSubject) GetUserId() string