typesystem

package
v1.3.10 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 8, 2023 License: Apache-2.0 Imports: 15 Imported by: 4

Documentation

Overview

Package typesystem contains code to manipulate authorization models

Package typesystem contains code to manipulate authorization models

Index

Constants

View Source 
const (
	SchemaVersion1_0 string = "1.0"
	SchemaVersion1_1 string = "1.1"
)

Variables

View Source 
var (
	ErrModelNotFound          = errors.New("authorization model not found")
	ErrDuplicateTypes         = errors.New("an authorization model cannot contain duplicate types")
	ErrInvalidSchemaVersion   = errors.New("invalid schema version")
	ErrInvalidModel           = errors.New("invalid authorization model encountered")
	ErrRelationUndefined      = errors.New("undefined relation")
	ErrObjectTypeUndefined    = errors.New("undefined object type")
	ErrInvalidUsersetRewrite  = errors.New("invalid userset rewrite definition")
	ErrReservedKeywords       = errors.New("self and this are reserved keywords")
	ErrCycle                  = errors.New("an authorization model cannot contain a cycle")
	ErrNoEntrypoints          = errors.New("no entrypoints defined")
	ErrNoEntryPointsLoop      = errors.New("potential loop")
	ErrNoConditionForRelation = errors.New("no condition defined for relation")
)

Functions

func AssignableRelationError 

func AssignableRelationError(objectType, relation string) error

func ComputedUserset added in v0.2.4 

func ComputedUserset(relation string) *openfgav1.Userset

func ConditionedRelationReference added in v1.3.8 

func ConditionedRelationReference(rel *openfgav1.RelationReference, condition string) *openfgav1.RelationReference

func ContextWithTypesystem added in v0.3.5 

func ContextWithTypesystem(parent context.Context, typesys *TypeSystem) context.Context

ContextWithTypesystem attaches the provided TypeSystem to the parent context.

func Difference added in v0.2.4 

func Difference(base *openfgav1.Userset, sub *openfgav1.Userset) *openfgav1.Userset

func DirectRelationReference added in v0.3.0 

func DirectRelationReference(objectType, relation string) *openfgav1.RelationReference

func GetRelationReferenceAsString added in v0.4.0 

func GetRelationReferenceAsString(rr *openfgav1.RelationReference) string

GetRelationReferenceAsString returns team#member, or team:*, or an empty string if the input is nil.

func Intersection added in v0.2.4 

func Intersection(children ...*openfgav1.Userset) *openfgav1.Userset

func InvalidRelationTypeError 

func InvalidRelationTypeError(objectType, relation, relatedObjectType, relatedRelation string) error

func IsSchemaVersionSupported added in v1.1.0 

func IsSchemaVersionSupported(version string) bool

func NonAssignableRelationError 

func NonAssignableRelationError(objectType, relation string) error

func RewriteContainsExclusion added in v0.2.5 

func RewriteContainsExclusion(rewrite *openfgav1.Userset) bool

RewriteContainsExclusion returns true if the provided userset rewrite is defined by one or more direct or indirect exclusions.

func RewriteContainsIntersection added in v0.2.5 

func RewriteContainsIntersection(rewrite *openfgav1.Userset) bool

RewriteContainsIntersection returns true if the provided userset rewrite is defined by one or more direct or indirect intersections.

func RewriteContainsSelf added in v0.2.5 

func RewriteContainsSelf(rewrite *openfgav1.Userset) bool

RewriteContainsSelf returns true if the provided userset rewrite is defined by one or more self referencing definitions.

func This added in v0.2.4 

func This() *openfgav1.Userset

func TupleToUserset added in v0.2.4 

func TupleToUserset(tupleset, computedUserset string) *openfgav1.Userset

func Union added in v0.2.4 

func Union(children ...*openfgav1.Userset) *openfgav1.Userset

func WalkUsersetRewrite added in v0.3.2 

func WalkUsersetRewrite(rewrite *openfgav1.Userset, handler WalkUsersetRewriteHandler) (interface{}, error)

WalkUsersetRewrite recursively walks the provided userset rewrite and invokes the provided WalkUsersetRewriteHandler to each node in the userset rewrite tree until the first non-nil response is encountered.

func WildcardRelationReference added in v0.3.0 

func WildcardRelationReference(objectType string) *openfgav1.RelationReference

Types

type InvalidRelationError 

type InvalidRelationError struct {
	ObjectType string
	Relation   string
	Cause      error
}

func (*InvalidRelationError) Error added in v0.2.5 

func (e *InvalidRelationError) Error() string

func (*InvalidRelationError) Unwrap added in v0.2.5 

func (e *InvalidRelationError) Unwrap() error

type InvalidTypeError added in v0.3.5 

type InvalidTypeError struct {
	ObjectType string
	Cause      error
}

func (*InvalidTypeError) Error added in v0.3.5 

func (e *InvalidTypeError) Error() string

func (*InvalidTypeError) Unwrap added in v0.3.5 

func (e *InvalidTypeError) Unwrap() error

type ObjectTypeUndefinedError added in v0.2.5 

type ObjectTypeUndefinedError struct {
	ObjectType string
	Err        error
}

func (*ObjectTypeUndefinedError) Error added in v0.2.5 

func (e *ObjectTypeUndefinedError) Error() string

func (*ObjectTypeUndefinedError) Unwrap added in v0.2.5 

func (e *ObjectTypeUndefinedError) Unwrap() error

type RelationConditionError added in v1.3.8 

type RelationConditionError struct {
	Condition string
	Relation  string
	Err       error
}

func (*RelationConditionError) Error added in v1.3.8 

func (e *RelationConditionError) Error() string

func (*RelationConditionError) Unwrap added in v1.3.8 

func (e *RelationConditionError) Unwrap() error

type RelationUndefinedError added in v0.2.5 

type RelationUndefinedError struct {
	ObjectType string
	Relation   string
	Err        error
}

func (*RelationUndefinedError) Error added in v0.2.5 

func (e *RelationUndefinedError) Error() string

func (*RelationUndefinedError) Unwrap added in v0.2.5 

func (e *RelationUndefinedError) Unwrap() error

type TypeSystem 

type TypeSystem struct {
	// contains filtered or unexported fields
}

TypeSystem is a wrapper over an openfgav1.AuthorizationModel.

func New 

func New(model *openfgav1.AuthorizationModel) *TypeSystem

New creates a *TypeSystem from an *openfgav1.AuthorizationModel. It assumes that the input model is valid. If you need to run validations, use NewAndValidate.

func NewAndValidate added in v0.4.0 

func NewAndValidate(ctx context.Context, model *openfgav1.AuthorizationModel) (*TypeSystem, error)

NewAndValidate is like New but also validates the model according to the following rules:

  1. Checks that the *TypeSystem have a valid schema version.
  2. For every rewrite the relations in the rewrite must: a. Be valid relations on the same type in the *TypeSystem (in cases of computedUserset) b. Be valid relations on another existing type (in cases of tupleToUserset)
  3. Do not allow duplicate types or duplicate relations (only need to check types as relations are in a map so cannot contain duplicates)

If the *TypeSystem has a v1.1 schema version (with types on relations), then additionally validate the *TypeSystem according to the following rules:

  1. Every type restriction on a relation must be a valid type: a. For a type (e.g. user) this means checking that this type is in the *TypeSystem b. For a type#relation this means checking that this type with this relation is in the *TypeSystem
  2. Check that a relation is assignable if and only if it has a non-zero list of types

func TypesystemFromContext added in v0.3.5 

func TypesystemFromContext(ctx context.Context) (*TypeSystem, bool)

TypesystemFromContext returns the TypeSystem from the provided context (if any).

func (*TypeSystem) DirectlyRelatedUsersets added in v1.3.1 

func (t *TypeSystem) DirectlyRelatedUsersets(objectType, relation string) ([]*openfgav1.RelationReference, error)

DirectlyRelatedUsersets returns a list of the directly user related types that are usersets

func (*TypeSystem) GetAuthorizationModelID added in v0.3.0 

func (t *TypeSystem) GetAuthorizationModelID() string

GetAuthorizationModelID returns the id for the authorization model this TypeSystem was constructed for.

func (*TypeSystem) GetCondition added in v1.3.8 

func (t *TypeSystem) GetCondition(name string) (*condition.EvaluableCondition, bool)

func (*TypeSystem) GetConditions added in v1.3.8 

func (t *TypeSystem) GetConditions() map[string]*condition.EvaluableCondition

func (*TypeSystem) GetDirectlyRelatedUserTypes added in v0.2.4 

func (t *TypeSystem) GetDirectlyRelatedUserTypes(objectType, relation string) ([]*openfgav1.RelationReference, error)

func (*TypeSystem) GetRelation 

func (t *TypeSystem) GetRelation(objectType, relation string) (*openfgav1.Relation, error)

func (*TypeSystem) GetRelations 

func (t *TypeSystem) GetRelations(objectType string) (map[string]*openfgav1.Relation, error)

GetRelations returns all relations in the TypeSystem for a given type

func (*TypeSystem) GetSchemaVersion 

func (t *TypeSystem) GetSchemaVersion() string

func (*TypeSystem) GetTypeDefinition 

func (t *TypeSystem) GetTypeDefinition(objectType string) (*openfgav1.TypeDefinition, bool)

func (*TypeSystem) HasCycle added in v1.3.2 

func (t *TypeSystem) HasCycle(objectType, relationName string) (bool, error)

HasCycle runs a cycle detection test on the provided `objectType#relation` to see if the relation defines a rewrite rule that is self-referencing in any way (through computed relationships).

func (*TypeSystem) HasTypeInfo added in v0.2.5 

func (t *TypeSystem) HasTypeInfo(objectType, relation string) (bool, error)

func (*TypeSystem) IsDirectlyAssignable 

func (t *TypeSystem) IsDirectlyAssignable(relation *openfgav1.Relation) bool

func (*TypeSystem) IsDirectlyRelated added in v0.2.4 

func (t *TypeSystem) IsDirectlyRelated(target *openfgav1.RelationReference, source *openfgav1.RelationReference) (bool, error)

IsDirectlyRelated determines whether the type of the target DirectRelationReference contains the source DirectRelationReference.

func (*TypeSystem) IsPubliclyAssignable added in v0.3.2 

func (t *TypeSystem) IsPubliclyAssignable(target *openfgav1.RelationReference, objectType string) (bool, error)

* IsPubliclyAssignable returns true if the provided objectType is part of a typed wildcard type restriction * on the target relation. * * type user * * type document * relations * define viewer: [user:*] * * In the example above, the 'user' objectType is publicly assignable to the 'document#viewer' relation.

func (*TypeSystem) IsTuplesetRelation added in v0.3.0 

func (t *TypeSystem) IsTuplesetRelation(objectType, relation string) (bool, error)

IsTuplesetRelation returns a boolean indicating if the provided relation is defined under a TupleToUserset rewrite as a tupleset relation (i.e. the right hand side of a `X from Y`).

func (*TypeSystem) RelationInvolvesExclusion added in v0.2.5 

func (t *TypeSystem) RelationInvolvesExclusion(objectType, relation string) (bool, error)

RelationInvolvesExclusion returns true if the provided relation's userset rewrite is defined by one or more direct or indirect exclusions or any of the types related to the provided relation are defined by one or more direct or indirect exclusions.

func (*TypeSystem) RelationInvolvesIntersection added in v0.2.5 

func (t *TypeSystem) RelationInvolvesIntersection(objectType, relation string) (bool, error)

RelationInvolvesIntersection returns true if the provided relation's userset rewrite is defined by one or more direct or indirect intersections or any of the types related to the provided relation are defined by one or more direct or indirect intersections.

type TypesystemResolverFunc added in v1.2.0 

type TypesystemResolverFunc func(ctx context.Context, storeID, modelID string) (*TypeSystem, error)

TypesystemResolverFunc is a function that implementations can implement to provide lookup and resolution of a Typesystem.

func MemoizedTypesystemResolverFunc added in v1.2.0 

func MemoizedTypesystemResolverFunc(datastore storage.AuthorizationModelReadBackend) TypesystemResolverFunc

MemoizedTypesystemResolverFunc returns a TypesystemResolverFunc that either fetches the provided authorization model (if provided) or looks up the latest authorization model, and then it constructs a TypeSystem from the resolved model. The type-system resolution is memoized so if another lookup of the same model occurs, then the earlier TypeSystem that was constructed will be used.

The memoized resolver function is safe for concurrent use.

type WalkUsersetRewriteHandler added in v0.3.2 

type WalkUsersetRewriteHandler func(rewrite *openfgav1.Userset) interface{}

WalkUsersetRewriteHandler is a userset rewrite handler that is applied to a node in a userset rewrite tree. Implementations of the WalkUsersetRewriteHandler should return a non-nil value when the traversal over the rewrite tree should terminate and nil if traversal should proceed to other nodes in the tree.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.