authz

Published: Apr 13, 2022 License: Apache-2.0 Imports: 20 Imported by: 0


Constants

// Wildcard sentinels for the namespace, resource and tenant positions of a
// permission. Each is the single string "*" (the action-position counterpart
// is AnyAction). How "*" is matched is decided by the PermissionChecker
// implementation, which is not part of the surface shown here.
//
// NOTE(review): a grant written with one of these is strictly broader than a
// grant on a concrete value, so it should be issued deliberately and never be
// assembled from caller-supplied strings - management callers should validate
// tenantID / namespace input before it reaches PermissionManagementService.
const (
	AnyNamespace = "*"
	AnyResource  = "*"
	AnyTenant    = "*"
)

Variables

// Protobuf-generated lookup tables between PermissionAllowSide values and
// their names. The zero value is BOTH (0): a def or group that leaves `side`
// unset decodes as BOTH rather than as the narrower HOST_ONLY / TENANT_ONLY.
// NOTE(review): set `side` explicitly in every definition so that the
// default cannot silently widen where a permission applies.
var (
	PermissionAllowSide_name = map[int32]string{
		0: "BOTH",
		1: "HOST_ONLY",
		2: "TENANT_ONLY",
	}
	PermissionAllowSide_value = map[string]int32{
		"BOTH":        0,
		"HOST_ONLY":   1,
		"TENANT_ONLY": 2,
	}
)

Enum value maps for PermissionAllowSide.

// DefNotFoundReason is the reason string for a missing permission definition
// (presumably what FindDef reports when no def matches the namespace/action;
// FindDef's body is not shown here). It is declared as a var rather than a
// const, so it is mutable package-level state.
var (
	DefNotFoundReason = "PERMISSION_DEF_NOT_FOUND"
)
// File_authz_def_proto is the generated protobuf file descriptor backing
// PermissionConf, PermissionDefGroup, PermissionDef and PermissionAllowSide.
// Generated code; not meant to be edited by hand.
var File_authz_def_proto protoreflect.FileDescriptor

Functions

func EnsureForbidden

func EnsureForbidden(ctx context.Context, mgr PermissionManagementService, checker PermissionChecker, resource Resource, action Action, subject Subject, tenantID string) error

func EnsureGrant

func EnsureGrant(ctx context.Context, mgr PermissionManagementService, checker PermissionChecker, resource Resource, action Action, subject Subject, tenantID string) error

func FormatError

func FormatError(ctx context.Context, result *Result, subjects ...Subject) error

func FromAlwaysAuthorizationContext

func FromAlwaysAuthorizationContext(ctx context.Context) (allow bool, ok bool)

func LoadFromConf added in v0.0.3

func LoadFromConf(groupConf *PermissionConf)

func LoadFromYaml added in v0.0.3

func LoadFromYaml(data []byte)

func NewAlwaysAuthorizationContext

func NewAlwaysAuthorizationContext(ctx context.Context, allow bool) context.Context

NewAlwaysAuthorizationContext returns a context that forces every authorization check to either pass (allow = true) or be forbidden (allow = false); FromAlwaysAuthorizationContext reads the flag back. It is intended for testing: a context carrying allow = true is a blanket authorization bypass, so it must never be derived from request-supplied data or reach production request handling.

func NormalizeTenantId added in v0.0.2

func NormalizeTenantId(ctx context.Context, tenantId string) string

func WalkGroups added in v0.0.2

func WalkGroups(isHost bool, publicOnly bool, f func(group *PermissionDefGroup))

Types

type Action

// Action is what a subject wants to do to a Resource. Only a string identity
// (HasIdentity) is required; ActionStr is the string-backed implementation.
type Action interface {
	HasIdentity
}

type ActionStr

// ActionStr is a string-backed Action; see the constants below for the
// well-known values.
type ActionStr string

// Well-known actions. AnyAction ("*") is the action-position wildcard, the
// counterpart of AnyNamespace / AnyResource / AnyTenant.
// NOTE(review): a grant on AnyAction covers every action on the resource, so
// it deserves the same care as the other wildcards. The remaining values are
// the plain action strings that permission definitions are keyed on
// (FindDef takes namespace + action).
const (
	AnyAction ActionStr = "*"

	CreateAction ActionStr = "create"
	UpdateAction ActionStr = "update"
	DeleteAction ActionStr = "delete"

	ReadAction  ActionStr = "read"
	WriteAction ActionStr = "write"
)

func (ActionStr) GetIdentity

func (a ActionStr) GetIdentity() string

type ClientSubject

// ClientSubject is a Subject that identifies a client by its client ID
// (NewClientSubject / GetClientId). ParseClientSubject recovers it from a
// generic Subject, reporting false when the subject is not a client.
type ClientSubject struct {
	// contains filtered or unexported fields
}

func NewClientSubject

func NewClientSubject(clientId string) *ClientSubject

func ParseClientSubject added in v0.0.2

func ParseClientSubject(subject Subject) (*ClientSubject, bool)

func (*ClientSubject) GetClientId

func (c *ClientSubject) GetClientId() string

func (*ClientSubject) GetIdentity

func (c *ClientSubject) GetIdentity() string

type DefaultAuthorizationService

// DefaultAuthorizationService implements Service on top of a PermissionChecker
// (the decision) and a SubjectResolver (who is asking); see
// NewDefaultAuthorizationService. Per the Service contract, Check/BatchCheck
// resolve the subjects from ctx while CheckForSubjects/BatchCheckForSubjects
// take them explicitly. Whether it honours FromAlwaysAuthorizationContext is
// not visible here - confirm before relying on that short-circuit in tests.
type DefaultAuthorizationService struct {
	// contains filtered or unexported fields
}

func NewDefaultAuthorizationService

func NewDefaultAuthorizationService(checker PermissionChecker, sr SubjectResolver, logger log.Logger) *DefaultAuthorizationService

func (*DefaultAuthorizationService) BatchCheck added in v0.0.2

func (a *DefaultAuthorizationService) BatchCheck(ctx context.Context, requirement RequirementList) (ResultList, error)

func (*DefaultAuthorizationService) BatchCheckForSubjects added in v0.0.2

func (a *DefaultAuthorizationService) BatchCheckForSubjects(ctx context.Context, requirement RequirementList, subjects ...Subject) (ResultList, error)

func (*DefaultAuthorizationService) Check

func (a *DefaultAuthorizationService) Check(ctx context.Context, resource Resource, action Action) (*Result, error)

func (*DefaultAuthorizationService) CheckForSubjects

func (a *DefaultAuthorizationService) CheckForSubjects(ctx context.Context, resource Resource, action Action, subjects ...Subject) (*Result, error)

type Effect

// Effect is the outcome a permission entry assigns to a
// (resource, action, subject, tenant) tuple.
type Effect int32

// EffectUnknown is the zero value (iota == 0): an Effect that was never set
// reads as Unknown, not Grant. NOTE(review): consumers of
// PermissionChecker.IsGrantTenant results should treat anything other than
// EffectGrant as "not granted" (fail closed) rather than as an implicit allow.
const (
	EffectUnknown Effect = iota
	EffectGrant
	EffectForbidden
)

type EntityResource

// EntityResource identifies a single entity (Id) inside a Namespace and
// satisfies Resource through its GetIdentity / GetNamespace methods. Build it
// with NewEntityResource.
type EntityResource struct {
	Namespace string
	Id        string
}

func NewEntityResource

func NewEntityResource(namespace string, id string) *EntityResource

func (*EntityResource) GetIdentity

func (r *EntityResource) GetIdentity() string

func (*EntityResource) GetNamespace

func (r *EntityResource) GetNamespace() string

func (*EntityResource) String added in v0.0.2

func (r *EntityResource) String() string

type HasIdentity

// HasIdentity is the minimal contract shared by Action, Resource and Subject:
// a string identity that permission entries are matched on.
type HasIdentity interface {
	GetIdentity() string
}

type Option

// Option configures a SubjectResolverImpl (see NewSubjectResolver). Build it
// with NewAuthorizationOption.
type Option struct {
	// SubjectContributorList is the ordered set of contributors used to
	// expand a subject into related subjects.
	SubjectContributorList []SubjectContributor
}

func NewAuthorizationOption

func NewAuthorizationOption(subjectContributorList ...SubjectContributor) *Option

type PermissionAllowSide added in v0.0.3

// PermissionAllowSide says which side of a multi-tenant deployment a
// permission definition or group applies to: the host side, the tenant side,
// or both. It is the `Side` field of PermissionDef and PermissionDefGroup;
// the isHost argument of Walk / WalkGroups is presumably compared against it
// (the walk bodies are not shown here).
type PermissionAllowSide int32

// BOTH is the zero value: an unset side means "both sides", the widest
// option, never the narrower HOST_ONLY / TENANT_ONLY.
const (
	PermissionAllowSide_BOTH        PermissionAllowSide = 0
	PermissionAllowSide_HOST_ONLY   PermissionAllowSide = 1
	PermissionAllowSide_TENANT_ONLY PermissionAllowSide = 2
)

func (PermissionAllowSide) Descriptor added in v0.0.3

func (PermissionAllowSide) Enum added in v0.0.3

func (PermissionAllowSide) EnumDescriptor deprecated added in v0.0.3

func (PermissionAllowSide) EnumDescriptor() ([]byte, []int)

Deprecated: Use PermissionAllowSide.Descriptor instead.

func (PermissionAllowSide) Number added in v0.0.3

func (PermissionAllowSide) String added in v0.0.3

func (x PermissionAllowSide) String() string

func (PermissionAllowSide) Type added in v0.0.3

type PermissionBean

// PermissionBean is a flat, string-valued ACL record - the shape returned by
// PermissionManagementService.ListAcl and built by NewPermissionBean from the
// typed Resource / Action / Subject arguments (presumably their GetIdentity()
// strings). Any of the wildcard positions may therefore hold "*".
type PermissionBean struct {
	// Namespace of the resource (AnyNamespace for a wildcard).
	Namespace string
	// Resource identity (AnyResource for a wildcard).
	Resource  string
	// Action identity (AnyAction for a wildcard).
	Action    string
	// Subject identity the entry applies to.
	Subject   string
	// TenantID scoping the entry (AnyTenant for a wildcard).
	TenantID  string
	// Effect granted or forbidden by this entry.
	Effect    Effect
}

func NewPermissionBean

func NewPermissionBean(resource Resource, action Action, subject Subject, tenantID string, effect Effect) PermissionBean

type PermissionChecker

// PermissionChecker is the decision point: given the requirements, the tenant
// and the already-resolved subjects, it reports an Effect slice - presumably
// one entry per requirement in order; confirm against the implementation.
// NOTE(review): because Effect's zero value is EffectUnknown, callers must
// treat any result other than EffectGrant as not granted (fail closed).
type PermissionChecker interface {
	IsGrantTenant(ctx context.Context, requirement RequirementList, tenantID string, subjects ...Subject) ([]Effect, error)
}

type PermissionConf added in v0.0.3

// PermissionConf is the generated protobuf message for a permission
// definition file: a list of PermissionDefGroup. LoadFromConf consumes it;
// LoadFromYaml takes the raw YAML bytes instead.
// NOTE(review): neither loader returns an error, so malformed or rejected
// input cannot be reported through the return value - check how they fail
// (panic / log) before feeding them anything but build-time configuration.
type PermissionConf struct {
	Groups []*PermissionDefGroup `protobuf:"bytes,1,rep,name=groups,proto3" json:"groups,omitempty"`
	// contains filtered or unexported fields
}

func (*PermissionConf) Descriptor deprecated added in v0.0.3

func (*PermissionConf) Descriptor() ([]byte, []int)

Deprecated: Use PermissionConf.ProtoReflect.Descriptor instead.

func (*PermissionConf) GetGroups added in v0.0.3

func (x *PermissionConf) GetGroups() []*PermissionDefGroup

func (*PermissionConf) ProtoMessage added in v0.0.3

func (*PermissionConf) ProtoMessage()

func (*PermissionConf) ProtoReflect added in v0.0.3

func (x *PermissionConf) ProtoReflect() protoreflect.Message

func (*PermissionConf) Reset added in v0.0.3

func (x *PermissionConf) Reset()

func (*PermissionConf) String added in v0.0.3

func (x *PermissionConf) String() string

type PermissionDef added in v0.0.2

// PermissionDef is one permission definition (generated protobuf message),
// looked up by (namespace, action) through FindDef. Fields:
//   - Name: name of the definition.
//   - Side: which deployment side it applies to (PermissionAllowSide; the
//     zero value is BOTH).
//   - Namespace, Action: the lookup key used by FindDef / MustFindDef.
//   - Extra: free-form structpb metadata, opaque to this package.
//   - Internal: presumably hides the def when FindDef / Walk are called with
//     publicOnly = true - confirm, the filtering code is not shown here.
//   - Priority: ordering value; its comparison direction is not shown here.
//
// MustFindDef follows the Go "Must" convention and is expected to panic on a
// missing def; keep it to init-time lookups and use FindDef (which returns an
// error, see DefNotFoundReason) on request paths.
type PermissionDef struct {
	Name      string              `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	Side      PermissionAllowSide `protobuf:"varint,2,opt,name=side,proto3,enum=authz.PermissionAllowSide" json:"side,omitempty"`
	Namespace string              `protobuf:"bytes,3,opt,name=namespace,proto3" json:"namespace,omitempty"`
	Action    string              `protobuf:"bytes,4,opt,name=action,proto3" json:"action,omitempty"`
	Extra     *structpb.Struct    `protobuf:"bytes,5,opt,name=extra,proto3" json:"extra,omitempty"`
	Internal  bool                `protobuf:"varint,6,opt,name=internal,proto3" json:"internal,omitempty"`
	Priority  int32               `protobuf:"varint,7,opt,name=priority,proto3" json:"priority,omitempty"`
	// contains filtered or unexported fields
}

func FindDef added in v0.0.2

func FindDef(namespace string, action Action, publicOnly bool) (*PermissionDef, error)

func MustFindDef added in v0.0.2

func MustFindDef(namespace string, action Action) *PermissionDef

func (*PermissionDef) Descriptor deprecated added in v0.0.3

func (*PermissionDef) Descriptor() ([]byte, []int)

Deprecated: Use PermissionDef.ProtoReflect.Descriptor instead.

func (*PermissionDef) GetAction added in v0.0.3

func (x *PermissionDef) GetAction() string

func (*PermissionDef) GetExtra added in v0.0.3

func (x *PermissionDef) GetExtra() *structpb.Struct

func (*PermissionDef) GetInternal added in v0.0.3

func (x *PermissionDef) GetInternal() bool

func (*PermissionDef) GetName added in v0.0.3

func (x *PermissionDef) GetName() string

func (*PermissionDef) GetNamespace added in v0.0.3

func (x *PermissionDef) GetNamespace() string

func (*PermissionDef) GetPriority added in v0.0.3

func (x *PermissionDef) GetPriority() int32

func (*PermissionDef) GetSide added in v0.0.3

func (x *PermissionDef) GetSide() PermissionAllowSide

func (*PermissionDef) ProtoMessage added in v0.0.3

func (*PermissionDef) ProtoMessage()

func (*PermissionDef) ProtoReflect added in v0.0.3

func (x *PermissionDef) ProtoReflect() protoreflect.Message

func (*PermissionDef) Reset added in v0.0.3

func (x *PermissionDef) Reset()

func (*PermissionDef) String added in v0.0.3

func (x *PermissionDef) String() string

type PermissionDefGroup added in v0.0.2

// PermissionDefGroup is the generated message for a named group of
// PermissionDef. Side / Internal / Priority mirror the same fields on
// PermissionDef at group level. Groups are registered with FindOrAddGroup and
// populated with AddDef; Walk visits the defs filtered by isHost and
// publicOnly (the filter logic itself is not shown here).
// NOTE(review): NormalizeAndValidate returns an error for an invalid group,
// but whether LoadFromConf / LoadFromYaml call it before registering a group
// is not visible here - verify, since otherwise a group is registered as-is.
type PermissionDefGroup struct {
	Name     string              `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	Side     PermissionAllowSide `protobuf:"varint,2,opt,name=side,proto3,enum=authz.PermissionAllowSide" json:"side,omitempty"`
	Def      []*PermissionDef    `protobuf:"bytes,3,rep,name=def,proto3" json:"def,omitempty"`
	Extra    *structpb.Struct    `protobuf:"bytes,4,opt,name=extra,proto3" json:"extra,omitempty"`
	Internal bool                `protobuf:"varint,5,opt,name=internal,proto3" json:"internal,omitempty"`
	Priority int32               `protobuf:"varint,6,opt,name=priority,proto3" json:"priority,omitempty"`
	// contains filtered or unexported fields
}

func FindOrAddGroup added in v0.0.3

func FindOrAddGroup(group *PermissionDefGroup) *PermissionDefGroup

func (*PermissionDefGroup) AddDef added in v0.0.2

func (x *PermissionDefGroup) AddDef(def *PermissionDef)

func (*PermissionDefGroup) Descriptor deprecated added in v0.0.3

func (*PermissionDefGroup) Descriptor() ([]byte, []int)

Deprecated: Use PermissionDefGroup.ProtoReflect.Descriptor instead.

func (*PermissionDefGroup) GetDef added in v0.0.3

func (x *PermissionDefGroup) GetDef() []*PermissionDef

func (*PermissionDefGroup) GetExtra added in v0.0.3

func (x *PermissionDefGroup) GetExtra() *structpb.Struct

func (*PermissionDefGroup) GetInternal added in v0.0.3

func (x *PermissionDefGroup) GetInternal() bool

func (*PermissionDefGroup) GetName added in v0.0.3

func (x *PermissionDefGroup) GetName() string

func (*PermissionDefGroup) GetPriority added in v0.0.3

func (x *PermissionDefGroup) GetPriority() int32

func (*PermissionDefGroup) GetSide added in v0.0.3

func (*PermissionDefGroup) NormalizeAndValidate added in v0.0.3

func (x *PermissionDefGroup) NormalizeAndValidate() error

func (*PermissionDefGroup) ProtoMessage added in v0.0.3

func (*PermissionDefGroup) ProtoMessage()

func (*PermissionDefGroup) ProtoReflect added in v0.0.3

func (x *PermissionDefGroup) ProtoReflect() protoreflect.Message

func (*PermissionDefGroup) Reset added in v0.0.3

func (x *PermissionDefGroup) Reset()

func (*PermissionDefGroup) String added in v0.0.3

func (x *PermissionDefGroup) String() string

func (*PermissionDefGroup) Walk added in v0.0.2

func (x *PermissionDefGroup) Walk(isHost bool, publicOnly bool, f func(def *PermissionDef))

type PermissionManagementService

// PermissionManagementService is the write side of the ACL: it adds, lists,
// updates and removes grants. The `subject` arguments are the grantee, not
// the caller - nothing in these signatures identifies who is performing the
// change, so authorization of the administrator must happen before these
// methods are invoked (or be derived from ctx by the implementation).
// Wildcard values (AnyNamespace / AnyResource / AnyTenant / AnyAction)
// passed here create wide grants; validate them at the API edge.
type PermissionManagementService interface {
	// AddGrant records effect for subject on (resource, action) within tenantID.
	AddGrant(ctx context.Context, resource Resource, action Action, subject Subject, tenantID string, effect Effect) error
	// ListAcl lists the permissions of the given subjects; if no subjects are
	// provided, the whole ACL is returned.
	ListAcl(ctx context.Context, subjects ...Subject) ([]PermissionBean, error)
	// UpdateGrant applies acl to subject's permissions (replace-vs-merge
	// semantics are not stated here).
	UpdateGrant(ctx context.Context, subject Subject, acl []UpdateSubjectPermission) error
	// RemoveGrant deletes the entries for (resource, action, subject, tenantID)
	// whose effect is one of effects.
	RemoveGrant(ctx context.Context, resource Resource, action Action, subject Subject, tenantID string, effects []Effect) error
}

type PermissionRequirement added in v0.0.2

// PermissionRequirement pairs a Resource with an Action. It has exactly the
// same shape as Requirement, and none of the exported signatures on this page
// accept it (RequirementList is []*Requirement).
// NOTE(review): looks like a leftover; prefer Requirement in new code.
type PermissionRequirement struct {
	Resource Resource
	Action   Action
}

type Requirement

// Requirement is a single (resource, action) permission to check. Build it
// with NewRequirement and batch several as a RequirementList;
// NewDisallowAuthorizationResult attaches requirements to a denied Result
// (presumably the ones that were not granted).
type Requirement struct {
	Resource Resource
	Action   Action
}

func NewRequirement added in v0.0.2

func NewRequirement(resource Resource, action Action) *Requirement

type RequirementList added in v0.0.2

// RequirementList is the batch form of Requirement, consumed by
// PermissionChecker.IsGrantTenant and Service.BatchCheck*.
type RequirementList []*Requirement

type Resource

// Resource is the target of a permission check: a string identity plus the
// namespace that scopes it (permission definitions are looked up by
// namespace + action). EntityResource is the concrete implementation.
type Resource interface {
	HasIdentity
	GetNamespace() string
}

type Result

// Result is the outcome of a Service check. Allowed defaults to false, so a
// zero Result is a denial - the safe default. Requirements carries whatever
// NewDisallowAuthorizationResult was given (presumably the requirements that
// were not granted); FormatError builds an error from a Result and the
// subjects involved.
type Result struct {
	Allowed      bool
	Requirements []*Requirement
}

func NewAllowAuthorizationResult

func NewAllowAuthorizationResult() *Result

func NewDisallowAuthorizationResult

func NewDisallowAuthorizationResult(requirements ...*Requirement) *Result

type ResultList added in v0.0.2

// ResultList is the batch form of Result, returned by Service.BatchCheck*.
type ResultList []*Result

type RoleSubject

// RoleSubject is a Subject that stands for a role (NewRoleSubject /
// GetRoleId / GetName). ParseRoleSubject recovers it from a generic Subject,
// reporting false when the subject is not a role.
type RoleSubject struct {
	// contains filtered or unexported fields
}

func NewRoleSubject

func NewRoleSubject(id string) *RoleSubject

func ParseRoleSubject added in v0.0.2

func ParseRoleSubject(subject Subject) (*RoleSubject, bool)

func (*RoleSubject) GetIdentity

func (r *RoleSubject) GetIdentity() string

func (*RoleSubject) GetName

func (r *RoleSubject) GetName() string

func (*RoleSubject) GetRoleId

func (r *RoleSubject) GetRoleId() string

type Service

// Service is the read side of authorization: it answers "may these subjects
// perform action on resource?". DefaultAuthorizationService is the provided
// implementation.
type Service interface {
	// CheckForSubjects checks the permission of the given subjects directly,
	// without consulting the context for an identity.
	CheckForSubjects(ctx context.Context, resource Resource, action Action, subjects ...Subject) (*Result, error)
	// Check resolves the subjects from ctx, then checks their permission.
	Check(ctx context.Context, resource Resource, action Action) (*Result, error)

	// BatchCheckForSubjects is CheckForSubjects over a RequirementList.
	BatchCheckForSubjects(ctx context.Context, requirement RequirementList, subjects ...Subject) (ResultList, error)
	// BatchCheck is Check over a RequirementList.
	BatchCheck(ctx context.Context, requirement RequirementList) (ResultList, error)
}

type Subject

// Subject is whoever is asking for permission: a user, client, role, token
// or plain SubjectStr. Only a string identity is required.
type Subject interface {
	HasIdentity
}

type SubjectContributor

// SubjectContributor expands one Subject into the list of subjects derived
// from it. Contributors are configured through Option.SubjectContributorList.
type SubjectContributor interface {
	Process(ctx context.Context, subject Subject) ([]Subject, error)
}

SubjectContributor receives one Subject and returns the list of subjects derived from it.

type SubjectList added in v0.0.2

// SubjectList is a named slice of Subject.
type SubjectList []Subject

type SubjectResolver

// SubjectResolver turns the caller's context into the full set of subjects a
// permission check should consider. SubjectResolverImpl is the provided
// implementation.
type SubjectResolver interface {
	// ResolveFromContext extracts the subjects carried by ctx.
	ResolveFromContext(ctx context.Context) ([]Subject, error)
	// ResolveProcessed recursively finds the subjects related to the given
	// ones (RBAC expansion, e.g. roles).
	ResolveProcessed(ctx context.Context, subjects ...Subject) ([]Subject, error)
}

type SubjectResolverImpl

// SubjectResolverImpl is the default SubjectResolver, built by
// NewSubjectResolver from an Option; its ResolveProcessed presumably runs the
// configured SubjectContributorList (the body is not shown here).
type SubjectResolverImpl struct {
	// contains filtered or unexported fields
}

func NewSubjectResolver

func NewSubjectResolver(opt *Option) *SubjectResolverImpl

func (*SubjectResolverImpl) ResolveFromContext

func (s *SubjectResolverImpl) ResolveFromContext(ctx context.Context) ([]Subject, error)

func (*SubjectResolverImpl) ResolveProcessed

func (s *SubjectResolverImpl) ResolveProcessed(ctx context.Context, subjects ...Subject) ([]Subject, error)

type SubjectStr

// SubjectStr is a string-backed Subject for callers that already hold a
// subject identity string.
type SubjectStr string

func (SubjectStr) GetIdentity

func (s SubjectStr) GetIdentity() string

type TokenSubject

// TokenSubject is a Subject backed by a token string (NewTokenSubject /
// GetToken). ParseTokenSubject recovers it from a generic Subject.
// NOTE(review): GetToken exposes the raw token, and subjects are passed to
// FormatError; if GetIdentity embeds the token value, identities will end up
// in error messages and logs - confirm, and avoid logging these.
type TokenSubject struct {
	// contains filtered or unexported fields
}

func NewTokenSubject

func NewTokenSubject(token string) *TokenSubject

func ParseTokenSubject added in v0.0.2

func ParseTokenSubject(subject Subject) (*TokenSubject, bool)

func (*TokenSubject) GetIdentity

func (t *TokenSubject) GetIdentity() string

func (*TokenSubject) GetName

func (t *TokenSubject) GetName() string

func (*TokenSubject) GetToken

func (t *TokenSubject) GetToken() string

type UpdateSubjectPermission

// UpdateSubjectPermission is one entry of the acl passed to
// PermissionManagementService.UpdateGrant; build it with
// NewUpdateSubjectPermission. The subject is supplied to UpdateGrant, not
// stored here.
type UpdateSubjectPermission struct {
	Resource Resource
	Action   Action
	Effect   Effect
	TenantID string
}

func NewUpdateSubjectPermission

func NewUpdateSubjectPermission(resource Resource, action Action, tenantID string, effect Effect) *UpdateSubjectPermission

type UserSubject

// UserSubject is a Subject that identifies a user by user ID (NewUserSubject
// / GetUserId / GetName). ParseUserSubject recovers it from a generic Subject,
// reporting false when the subject is not a user.
type UserSubject struct {
	// contains filtered or unexported fields
}

func NewUserSubject

func NewUserSubject(userId string) *UserSubject

func ParseUserSubject added in v0.0.2

func ParseUserSubject(subject Subject) (*UserSubject, bool)

func (*UserSubject) GetIdentity

func (u *UserSubject) GetIdentity() string

func (*UserSubject) GetName

func (u *UserSubject) GetName() string

func (*UserSubject) GetUserId

func (u *UserSubject) GetUserId() string
