Documentation ¶
Index ¶
- Constants
- Variables
- func AssignableRelationError(objectType, relation string) error
- func ComputedUserset(relation string) *openfgapb.Userset
- func ContextWithTypesystem(parent context.Context, typesys *TypeSystem) context.Context
- func Difference(base *openfgapb.Userset, sub *openfgapb.Userset) *openfgapb.Userset
- func DirectRelationReference(objectType, relation string) *openfgapb.RelationReference
- func GetRelationReferenceAsString(rr *openfgapb.RelationReference) string
- func Intersection(children ...*openfgapb.Userset) *openfgapb.Userset
- func InvalidRelationTypeError(objectType, relation, relatedObjectType, relatedRelation string) error
- func IsSchemaVersionSupported(version string) bool
- func NonAssignableRelationError(objectType, relation string) error
- func RewriteContainsExclusion(rewrite *openfgapb.Userset) bool
- func RewriteContainsIntersection(rewrite *openfgapb.Userset) bool
- func RewriteContainsSelf(rewrite *openfgapb.Userset) bool
- func This() *openfgapb.Userset
- func TupleToUserset(tupleset, computedUserset string) *openfgapb.Userset
- func Union(children ...*openfgapb.Userset) *openfgapb.Userset
- func WalkUsersetRewrite(rewrite *openfgapb.Userset, handler WalkUsersetRewriteHandler) (interface{}, error)
- func WildcardRelationReference(objectType string) *openfgapb.RelationReference
- type InvalidRelationError
- type InvalidTypeError
- type ObjectTypeUndefinedError
- type RelationUndefinedError
- type TypeSystem
- func (t *TypeSystem) GetAuthorizationModelID() string
- func (t *TypeSystem) GetDirectlyRelatedUserTypes(objectType, relation string) ([]*openfgapb.RelationReference, error)
- func (t *TypeSystem) GetRelation(objectType, relation string) (*openfgapb.Relation, error)
- func (t *TypeSystem) GetRelations(objectType string) (map[string]*openfgapb.Relation, error)
- func (t *TypeSystem) GetSchemaVersion() string
- func (t *TypeSystem) GetTypeDefinition(objectType string) (*openfgapb.TypeDefinition, bool)
- func (t *TypeSystem) HasTypeInfo(objectType, relation string) (bool, error)
- func (t *TypeSystem) IsDirectlyAssignable(relation *openfgapb.Relation) bool
- func (t *TypeSystem) IsDirectlyRelated(target *openfgapb.RelationReference, source *openfgapb.RelationReference) (bool, error)
- func (t *TypeSystem) IsPubliclyAssignable(target *openfgapb.RelationReference, objectType string) (bool, error)
- func (t *TypeSystem) IsTuplesetRelation(objectType, relation string) (bool, error)
- func (t *TypeSystem) RelationInvolvesExclusion(objectType, relation string) (bool, error)
- func (t *TypeSystem) RelationInvolvesIntersection(objectType, relation string) (bool, error)
- type WalkUsersetRewriteHandler
Constants ¶
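// Schema versions of an authorization model that this package names.
// The listing is restored to one declaration per line: collapsed onto a single
// line, the constant specs have no separator and are not valid Go.
const (
	// SchemaVersion1_0 is the schema version string "1.0".
	SchemaVersion1_0 string = "1.0"

	// SchemaVersion1_1 is the schema version string "1.1". The NewAndValidate
	// documentation describes this version as the one "with types on
	// relations" and applies additional type-restriction checks to it.
	SchemaVersion1_1 string = "1.1"
)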
Variables ¶
var ( ErrDuplicateTypes = errors.New("an authorization model cannot contain duplicate types") ErrInvalidSchemaVersion = errors.New("invalid schema version") ErrInvalidModel = errors.New("invalid authorization model encountered") ErrRelationUndefined = errors.New("undefined relation") ErrObjectTypeUndefined = errors.New("undefined object type") ErrInvalidUsersetRewrite = errors.New("invalid userset rewrite definition") ErrReservedKeywords = errors.New("self and this are reserved keywords") ErrCycle = errors.New("an authorization model cannot contain a cycle") )
Functions ¶
func AssignableRelationError ¶
func ComputedUserset ¶ added in v0.2.4
func ContextWithTypesystem ¶ added in v0.3.5
func ContextWithTypesystem(parent context.Context, typesys *TypeSystem) context.Context
ContextWithTypesystem attaches the provided TypeSystem to the parent context.
func Difference ¶ added in v0.2.4
func DirectRelationReference ¶ added in v0.3.0
func DirectRelationReference(objectType, relation string) *openfgapb.RelationReference
func GetRelationReferenceAsString ¶ added in v0.4.0
func GetRelationReferenceAsString(rr *openfgapb.RelationReference) string
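GetRelationReferenceAsString returns the string form of a relation reference: type#relation (for example team#member), or type:* for a typed wildcard (for example team:*), or an empty string if the input is nil.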
func Intersection ¶ added in v0.2.4
func IsSchemaVersionSupported ¶ added in v1.1.0
func RewriteContainsExclusion ¶ added in v0.2.5
RewriteContainsExclusion returns true if the provided userset rewrite is defined by one or more direct or indirect exclusions.
func RewriteContainsIntersection ¶ added in v0.2.5
RewriteContainsIntersection returns true if the provided userset rewrite is defined by one or more direct or indirect intersections.
func RewriteContainsSelf ¶ added in v0.2.5
RewriteContainsSelf returns true if the provided userset rewrite is defined by one or more self referencing definitions.
func TupleToUserset ¶ added in v0.2.4
func WalkUsersetRewrite ¶ added in v0.3.2
func WalkUsersetRewrite(rewrite *openfgapb.Userset, handler WalkUsersetRewriteHandler) (interface{}, error)
WalkUsersetRewrite recursively walks the provided userset rewrite and applies the provided WalkUsersetRewriteHandler to each node in the userset rewrite tree until the handler returns the first non-nil response.
func WildcardRelationReference ¶ added in v0.3.0
func WildcardRelationReference(objectType string) *openfgapb.RelationReference
Types ¶
type InvalidRelationError ¶
func (*InvalidRelationError) Error ¶ added in v0.2.5
func (e *InvalidRelationError) Error() string
func (*InvalidRelationError) Unwrap ¶ added in v0.2.5
func (e *InvalidRelationError) Unwrap() error
type InvalidTypeError ¶ added in v0.3.5
func (*InvalidTypeError) Error ¶ added in v0.3.5
func (e *InvalidTypeError) Error() string
func (*InvalidTypeError) Unwrap ¶ added in v0.3.5
func (e *InvalidTypeError) Unwrap() error
type ObjectTypeUndefinedError ¶ added in v0.2.5
func (*ObjectTypeUndefinedError) Error ¶ added in v0.2.5
func (e *ObjectTypeUndefinedError) Error() string
func (*ObjectTypeUndefinedError) Unwrap ¶ added in v0.2.5
func (e *ObjectTypeUndefinedError) Unwrap() error
type RelationUndefinedError ¶ added in v0.2.5
func (*RelationUndefinedError) Error ¶ added in v0.2.5
func (e *RelationUndefinedError) Error() string
func (*RelationUndefinedError) Unwrap ¶ added in v0.2.5
func (e *RelationUndefinedError) Unwrap() error
type TypeSystem ¶
type TypeSystem struct {
// contains filtered or unexported fields
}
func New ¶
func New(model *openfgapb.AuthorizationModel) *TypeSystem
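New creates a *TypeSystem from an *openfgapb.AuthorizationModel. It assumes that the input model is valid and does not run the validations described under NewAndValidate. For a model that has not already been validated, such as one received from a client, use NewAndValidate instead.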
func NewAndValidate ¶ added in v0.4.0
func NewAndValidate(model *openfgapb.AuthorizationModel) (*TypeSystem, error)
NewAndValidate is like New but also validates the model according to the following rules:
- The *TypeSystem must have a valid schema version.
- For every rewrite, the relations in the rewrite must:
  a. Be valid relations on the same type in the *TypeSystem (in cases of computedUserset)
  b. Be valid relations on another existing type (in cases of tupleToUserset)
- Duplicate types and duplicate relations are not allowed (only types need to be checked, because relations are stored in a map and so cannot contain duplicates).
If the *TypeSystem has a v1.1 schema version (with types on relations), then the *TypeSystem is additionally validated according to the following rules:
- Every type restriction on a relation must be a valid type:
  a. For a type (e.g. user) this means checking that this type is in the *TypeSystem
  b. For a type#relation this means checking that this type with this relation is in the *TypeSystem
- A relation must be assignable if and only if it has a non-empty list of types.
func TypesystemFromContext ¶ added in v0.3.5
func TypesystemFromContext(ctx context.Context) (*TypeSystem, bool)
TypesystemFromContext returns the TypeSystem from the provided context (if any).
func (*TypeSystem) GetAuthorizationModelID ¶ added in v0.3.0
func (t *TypeSystem) GetAuthorizationModelID() string
GetAuthorizationModelID returns the id for the authorization model this TypeSystem was constructed for.
func (*TypeSystem) GetDirectlyRelatedUserTypes ¶ added in v0.2.4
func (t *TypeSystem) GetDirectlyRelatedUserTypes(objectType, relation string) ([]*openfgapb.RelationReference, error)
func (*TypeSystem) GetRelation ¶
func (t *TypeSystem) GetRelation(objectType, relation string) (*openfgapb.Relation, error)
func (*TypeSystem) GetRelations ¶
GetRelations returns all relations in the TypeSystem for the given object type.
func (*TypeSystem) GetSchemaVersion ¶
func (t *TypeSystem) GetSchemaVersion() string
func (*TypeSystem) GetTypeDefinition ¶
func (t *TypeSystem) GetTypeDefinition(objectType string) (*openfgapb.TypeDefinition, bool)
func (*TypeSystem) HasTypeInfo ¶ added in v0.2.5
func (t *TypeSystem) HasTypeInfo(objectType, relation string) (bool, error)
func (*TypeSystem) IsDirectlyAssignable ¶
func (t *TypeSystem) IsDirectlyAssignable(relation *openfgapb.Relation) bool
func (*TypeSystem) IsDirectlyRelated ¶ added in v0.2.4
func (t *TypeSystem) IsDirectlyRelated(target *openfgapb.RelationReference, source *openfgapb.RelationReference) (bool, error)
IsDirectlyRelated determines whether the type of the target DirectRelationReference contains the source DirectRelationReference.
func (*TypeSystem) IsPubliclyAssignable ¶ added in v0.3.2
func (t *TypeSystem) IsPubliclyAssignable(target *openfgapb.RelationReference, objectType string) (bool, error)
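IsPubliclyAssignable returns true if the provided objectType is part of a typed wildcard type restriction on the target relation.

    type user

    type document
      relations
        define viewer: [user:*]

In the example above, the 'user' objectType is publicly assignable to the 'document#viewer' relation. A typed wildcard such as user:* stands for every object of that type, so a relation that allows it can be granted to all users at once; such type restrictions deserve attention when a model is reviewed.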
func (*TypeSystem) IsTuplesetRelation ¶ added in v0.3.0
func (t *TypeSystem) IsTuplesetRelation(objectType, relation string) (bool, error)
IsTuplesetRelation returns a boolean indicating if the provided relation is defined under a TupleToUserset rewrite as a tupleset relation (i.e. the right hand side of a `X from Y`).
func (*TypeSystem) RelationInvolvesExclusion ¶ added in v0.2.5
func (t *TypeSystem) RelationInvolvesExclusion(objectType, relation string) (bool, error)
RelationInvolvesExclusion returns true if the provided relation's userset rewrite is defined by one or more direct or indirect exclusions or any of the types related to the provided relation are defined by one or more direct or indirect exclusions.
func (*TypeSystem) RelationInvolvesIntersection ¶ added in v0.2.5
func (t *TypeSystem) RelationInvolvesIntersection(objectType, relation string) (bool, error)
RelationInvolvesIntersection returns true if the provided relation's userset rewrite is defined by one or more direct or indirect intersections or any of the types related to the provided relation are defined by one or more direct or indirect intersections.
type WalkUsersetRewriteHandler ¶ added in v0.3.2
WalkUsersetRewriteHandler is a userset rewrite handler that is applied to a node in a userset rewrite tree. Implementations of the WalkUsersetRewriteHandler should return a non-nil value when the traversal over the rewrite tree should terminate and nil if traversal should proceed to other nodes in the tree.