Documentation
Overview
Package authorizer provides an Ory Keto adapter implementation for the security.Authorizer interface.
Index
- Variables
- func NewAuditLogger(config AuditLoggerConfig) security.AuditLogger
- func NewKetoAdapter(cfg config.ConfigurationAuthorization, auditLogger security.AuditLogger) security.Authorizer
- func NewNoOpAuditLogger() security.AuditLogger
- func ToConnectError(err error) error
- func ToGrpcError(err error) error
- func ToHTTPStatusCode(err error) int
- type AuditLoggerConfig
- type AuthzServiceError
- type FunctionChecker
- type FunctionCheckerOption
- type NoOpAuditLogger
- type PermissionDeniedError
- type TenancyAccessChecker
- type TenancyAccessDeniedFunc
- type TenantPermissionCheckerOption
Constants
This section is empty.
Variables
var (
	// ErrPermissionDenied indicates the subject lacks the required permission.
	ErrPermissionDenied = errors.New("permission denied")
	// ErrInvalidObject indicates an invalid object reference.
	ErrInvalidObject = errors.New("invalid object reference")
	// ErrInvalidSubject indicates an invalid subject reference.
	ErrInvalidSubject = errors.New("invalid subject reference")
	// ErrTupleNotFound indicates the relationship tuple was not found.
	ErrTupleNotFound = errors.New("relationship tuple not found")
	// ErrTupleAlreadyExists indicates the relationship tuple already exists.
	ErrTupleAlreadyExists = errors.New("relationship tuple already exists")
	// ErrAuthzServiceDown indicates the authorization service is unavailable.
	ErrAuthzServiceDown = errors.New("authorization service unavailable")
	// ErrInvalidPermission indicates an invalid permission was requested.
	ErrInvalidPermission = errors.New("invalid permission")
	// ErrInvalidRole indicates an invalid role was specified.
	ErrInvalidRole = errors.New("invalid role")
)
Functions
func NewAuditLogger
func NewAuditLogger(config AuditLoggerConfig) security.AuditLogger
NewAuditLogger creates a new AuditLogger with the given configuration.
func NewKetoAdapter
func NewKetoAdapter(
	cfg config.ConfigurationAuthorization,
	auditLogger security.AuditLogger,
) security.Authorizer
NewKetoAdapter creates a new Keto adapter with the given configuration.
func NewNoOpAuditLogger
func NewNoOpAuditLogger() security.AuditLogger
NewNoOpAuditLogger creates a new no-op audit logger.
func ToConnectError (added in v1.76.0)
func ToConnectError(err error) error
ToConnectError translates authorization errors into ConnectRPC error codes.
Mapping:
- ErrInvalidSubject / ErrInvalidObject → CodeUnauthenticated
- PermissionDeniedError → CodePermissionDenied
- everything else → CodeInternal
func ToGrpcError (added in v1.76.1)
func ToGrpcError(err error) error
ToGrpcError translates authorization errors into gRPC status errors.
Mapping:
- ErrInvalidSubject / ErrInvalidObject → codes.Unauthenticated
- PermissionDeniedError → codes.PermissionDenied
- everything else → codes.Internal
func ToHTTPStatusCode (added in v1.76.1)
func ToHTTPStatusCode(err error) int
ToHTTPStatusCode translates authorization errors into HTTP status codes.
Mapping:
- ErrInvalidSubject / ErrInvalidObject → 401 Unauthorized
- PermissionDeniedError → 403 Forbidden
- everything else → 500 Internal Server Error
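The three translation functions above share one decision: classify the authorization error with errors.Is / errors.As and fail closed on anything unrecognised. The following is an added example, not code from the authorizer package: it redefines the documented sentinels and error types locally so it compiles stand-alone (ObjectRef and SubjectRef are stood in by plain strings, an assumption) and implements the HTTP variant of the mapping; the gRPC and Connect variants differ only in the codes they return.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Sentinel errors mirroring the ones documented for the package (redefined
// locally so this example compiles without importing it).
var (
	ErrPermissionDenied = errors.New("permission denied")
	ErrInvalidObject    = errors.New("invalid object reference")
	ErrInvalidSubject   = errors.New("invalid subject reference")
	ErrAuthzServiceDown = errors.New("authorization service unavailable")
)

// PermissionDeniedError mirrors the documented type; ObjectRef and SubjectRef
// are stood in by plain strings (an assumption of this example).
type PermissionDeniedError struct {
	Object, Permission, Subject, Reason string
}

func (e *PermissionDeniedError) Error() string {
	return fmt.Sprintf("permission denied: %s lacks %q on %s: %s", e.Subject, e.Permission, e.Object, e.Reason)
}

// Is reports whether target is a *PermissionDeniedError, so errors.Is can match on the type.
func (e *PermissionDeniedError) Is(target error) bool {
	_, ok := target.(*PermissionDeniedError)
	return ok
}

// Unwrap exposes the base sentinel, so errors.Is(err, ErrPermissionDenied) also holds.
func (e *PermissionDeniedError) Unwrap() error { return ErrPermissionDenied }

// AuthzServiceError wraps a backend failure with the operation that hit it.
type AuthzServiceError struct {
	Operation string
	Cause     error
}

func (e *AuthzServiceError) Error() string { return e.Operation + ": " + e.Cause.Error() }
func (e *AuthzServiceError) Unwrap() error { return e.Cause }

// ToHTTPStatusCode applies the documented mapping. errors.Is and errors.As walk
// Unwrap chains, so an error wrapped with fmt.Errorf("%w") or AuthzServiceError
// still maps; anything unrecognised (including a backend outage) is a 500,
// never a 401/403 that a client could mistake for a policy decision.
func ToHTTPStatusCode(err error) int {
	var denied *PermissionDeniedError
	switch {
	case errors.Is(err, ErrInvalidSubject), errors.Is(err, ErrInvalidObject):
		return http.StatusUnauthorized
	case errors.As(err, &denied):
		return http.StatusForbidden
	default:
		return http.StatusInternalServerError
	}
}

func main() {
	// Constructed sample errors, one per branch of the mapping.
	cases := []error{
		ErrInvalidSubject,
		fmt.Errorf("lookup profile: %w", ErrInvalidObject),
		&PermissionDeniedError{Object: "tenancy:t1", Permission: "member", Subject: "profile:u1", Reason: "no tuple"},
		&AuthzServiceError{Operation: "check", Cause: ErrAuthzServiceDown},
	}
	for _, err := range cases {
		fmt.Printf("%d  %v\n", ToHTTPStatusCode(err), err)
	}
}
```

Because the classification walks Unwrap chains, a PermissionDeniedError that a handler wrapped with fmt.Errorf("...: %w", err) still maps to 403, while an AuthzServiceError wrapping ErrAuthzServiceDown maps to 500 rather than leaking a misleading 401 or 403 during an outage.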
Types
type AuditLoggerConfig
type AuditLoggerConfig struct {
// SampleRate is the fraction of decisions to log (0.0 to 1.0).
SampleRate float64
}
AuditLoggerConfig holds configuration for the audit logger.
type AuthzServiceError
AuthzServiceError wraps authorization service errors with context.
func NewAuthzServiceError
func NewAuthzServiceError(operation string, cause error) *AuthzServiceError
NewAuthzServiceError creates a new AuthzServiceError.
func (*AuthzServiceError) Error
func (e *AuthzServiceError) Error() string
Error implements the error interface.
func (*AuthzServiceError) Is
func (e *AuthzServiceError) Is(target error) bool
Is allows errors.Is to match this error type.
func (*AuthzServiceError) Unwrap
func (e *AuthzServiceError) Unwrap() error
Unwrap returns the cause for error wrapping support.
type FunctionChecker (added in v1.76.1)
type FunctionChecker struct {
// contains filtered or unexported fields
}
FunctionChecker verifies functional permissions in application-specific namespaces (e.g., service_tenancy, service_payment). It extracts tenant and partition from the caller's claims and checks whether the caller has a specific permission in the configured namespace.
Unlike TenancyAccessChecker, FunctionChecker has no provisioning callback — it performs a pure permission check. Data access should be verified separately using TenancyAccessChecker before calling FunctionChecker.
func NewFunctionChecker (added in v1.76.1)
func NewFunctionChecker(
	auth security.Authorizer,
	objectNamespace string,
	opts ...FunctionCheckerOption,
) *FunctionChecker
NewFunctionChecker creates a checker that verifies functional permissions against the given objectNamespace.
type FunctionCheckerOption (added in v1.76.1)
type FunctionCheckerOption func(*FunctionChecker)
FunctionCheckerOption configures a FunctionChecker.
func WithFunctionSubjectNamespace (added in v1.76.1)
func WithFunctionSubjectNamespace(ns string) FunctionCheckerOption
WithFunctionSubjectNamespace overrides the default subject namespace.
type NoOpAuditLogger
type NoOpAuditLogger struct{}
NoOpAuditLogger is an audit logger that does nothing.
func (*NoOpAuditLogger) LogDecision
func (n *NoOpAuditLogger) LogDecision(
	_ context.Context,
	_ security.CheckRequest,
	_ security.CheckResult,
	_ map[string]string,
) error
LogDecision implements AuditLogger but does nothing.
type PermissionDeniedError
type PermissionDeniedError struct {
Object security.ObjectRef
Permission string
Subject security.SubjectRef
Reason string
}
PermissionDeniedError provides detailed denial information.
func NewPermissionDeniedError
func NewPermissionDeniedError(
	object security.ObjectRef,
	permission string,
	subject security.SubjectRef,
	reason string,
) *PermissionDeniedError
NewPermissionDeniedError creates a new PermissionDeniedError.
func (*PermissionDeniedError) Error
func (e *PermissionDeniedError) Error() string
Error implements the error interface.
func (*PermissionDeniedError) Is
func (e *PermissionDeniedError) Is(target error) bool
Is allows checking if an error is a PermissionDeniedError.
func (*PermissionDeniedError) Unwrap
func (e *PermissionDeniedError) Unwrap() error
Unwrap returns the base error for error wrapping support.
type TenancyAccessChecker (added in v1.76.0)
type TenancyAccessChecker struct {
// contains filtered or unexported fields
}
TenancyAccessChecker extracts claims from context, builds a CheckRequest against a tenant-scoped object namespace, and calls the authorizer. For system_internal callers it supports a self-healing callback that provisions missing tuples and retries.
func NewTenancyAccessChecker (added in v1.76.0)
func NewTenancyAccessChecker(
	auth security.Authorizer,
	objectNamespace string,
	opts ...TenantPermissionCheckerOption,
) *TenancyAccessChecker
NewTenancyAccessChecker creates a checker that verifies permissions against objectNamespace using the provided authorizer.
func (*TenancyAccessChecker) Check (added in v1.76.0)
func (c *TenancyAccessChecker) Check(ctx context.Context, permission string) error
Check verifies that the caller in ctx has the given permission on the tenant identified in their claims.
func (*TenancyAccessChecker) CheckAccess (added in v1.76.1)
func (c *TenancyAccessChecker) CheckAccess(ctx context.Context) error
CheckAccess verifies that the caller has data access to the partition identified in their claims. For regular users it checks the "member" relation; for system_internal callers it checks the "service" relation.
type TenancyAccessDeniedFunc (added in v1.76.0)
type TenancyAccessDeniedFunc func(ctx context.Context, auth security.Authorizer, tenantID, subjectID string) error
TenancyAccessDeniedFunc is called when a system_internal caller is denied permission. It should provision the necessary tuples so that a retry succeeds.
type TenantPermissionCheckerOption (added in v1.76.0)
type TenantPermissionCheckerOption func(*TenancyAccessChecker)
TenantPermissionCheckerOption configures a TenancyAccessChecker.
func WithOnTenancyAccessDenied (added in v1.76.0)
func WithOnTenancyAccessDenied(fn TenancyAccessDeniedFunc) TenantPermissionCheckerOption
WithOnTenancyAccessDenied registers a callback invoked when a system_internal caller is denied. The callback should provision the required tuples so that a subsequent retry can succeed.
func WithSubjectNamespace (added in v1.76.0)
func WithSubjectNamespace(ns string) TenantPermissionCheckerOption
WithSubjectNamespace overrides the default subject namespace (security.NamespaceProfile).
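The following added example, which is not code from this package or from the security package it builds on, models the behaviour the TenancyAccessChecker, TenancyAccessDeniedFunc and WithOnTenancyAccessDenied entries above describe: claims are read from ctx, a CheckRequest is built against the caller's tenant in the configured object namespace, a regular user who lacks a tuple is simply denied, and a system_internal caller gets one provisioning callback followed by a single retry. The Authorizer interface, the Claims type, the context key and the in-memory tuple store are all assumptions made so the code runs offline; the real CheckAccess scopes its check to the caller's partition, while this version reuses the tenant ID for brevity.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Stand-ins for the security package types (assumed shapes, not the real API).
type ObjectRef struct{ Namespace, ID string }
type SubjectRef struct{ Namespace, ID string }
type CheckRequest struct {
	Object   ObjectRef
	Relation string
	Subject  SubjectRef
}

// Authorizer is the slice of security.Authorizer this example needs (assumed).
type Authorizer interface {
	Check(ctx context.Context, req CheckRequest) (bool, error)
	WriteTuple(ctx context.Context, req CheckRequest) error
}

// Claims models what the checker extracts from ctx; the field names are assumed.
type Claims struct {
	SubjectID, TenantID string
	SystemInternal      bool
}
type claimsKey struct{}

func WithClaims(ctx context.Context, c Claims) context.Context {
	return context.WithValue(ctx, claimsKey{}, c)
}

// memoryAuthorizer is a single-goroutine tuple store standing in for Keto.
type memoryAuthorizer map[CheckRequest]bool

func (m memoryAuthorizer) Check(_ context.Context, r CheckRequest) (bool, error) { return m[r], nil }
func (m memoryAuthorizer) WriteTuple(_ context.Context, r CheckRequest) error  { m[r] = true; return nil }

var ErrInvalidSubject = errors.New("invalid subject reference")
var ErrPermissionDenied = errors.New("permission denied")

type TenancyAccessDeniedFunc func(ctx context.Context, auth Authorizer, tenantID, subjectID string) error
type Option func(*TenancyAccessChecker)

func WithOnTenancyAccessDenied(fn TenancyAccessDeniedFunc) Option {
	return func(c *TenancyAccessChecker) { c.onDenied = fn }
}

type TenancyAccessChecker struct {
	auth                Authorizer
	objectNS, subjectNS string
	onDenied            TenancyAccessDeniedFunc
}

func NewTenancyAccessChecker(auth Authorizer, objectNS string, opts ...Option) *TenancyAccessChecker {
	c := &TenancyAccessChecker{auth: auth, objectNS: objectNS, subjectNS: "profile"}
	for _, o := range opts {
		o(c)
	}
	return c
}

// Check asks the authorizer for permission on the caller's tenant. Backend errors fail
// closed; only system_internal callers get the provision-and-retry path, exactly once.
func (c *TenancyAccessChecker) Check(ctx context.Context, permission string) error {
	claims, ok := ctx.Value(claimsKey{}).(Claims)
	if !ok || claims.SubjectID == "" {
		return ErrInvalidSubject
	}
	req := CheckRequest{ObjectRef{c.objectNS, claims.TenantID}, permission, SubjectRef{c.subjectNS, claims.SubjectID}}
	allowed, err := c.auth.Check(ctx, req)
	if err == nil && !allowed && claims.SystemInternal && c.onDenied != nil {
		if err = c.onDenied(ctx, c.auth, claims.TenantID, claims.SubjectID); err != nil {
			return fmt.Errorf("provision tuples: %w", err)
		}
		allowed, err = c.auth.Check(ctx, req) // one retry after provisioning, never a loop
	}
	if err != nil {
		return fmt.Errorf("check %q: %w", permission, err)
	}
	if !allowed {
		return fmt.Errorf("%w: %s:%s lacks %q on %s:%s", ErrPermissionDenied, c.subjectNS, claims.SubjectID, permission, c.objectNS, claims.TenantID)
	}
	return nil
}

// CheckAccess checks "member" for regular users and "service" for system_internal callers.
func (c *TenancyAccessChecker) CheckAccess(ctx context.Context) error {
	if claims, ok := ctx.Value(claimsKey{}).(Claims); ok && claims.SystemInternal {
		return c.Check(ctx, "service")
	}
	return c.Check(ctx, "member")
}

// ProvisionService is a TenancyAccessDeniedFunc that writes the missing "service" tuple.
func ProvisionService(ctx context.Context, a Authorizer, tenantID, subjectID string) error {
	return a.WriteTuple(ctx, CheckRequest{ObjectRef{"tenancy", tenantID}, "service", SubjectRef{"profile", subjectID}})
}
```

Two properties are worth checking in any checker built this way, and both are visible in Check: a backend error is returned as an error (it is neither treated as a denial that triggers provisioning nor as an allow), and the provisioning path is gated on the system_internal claim, so a regular user's denied request can never cause tuples to be written on their behalf. A typical wiring is NewTenancyAccessChecker(memoryAuthorizer{}, "tenancy", WithOnTenancyAccessDenied(ProvisionService)) followed by CheckAccess(ctx) on a ctx carrying Claims.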