permissions

package
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 24, 2025 License: Apache-2.0 Imports: 12 Imported by: 0

README ΒΆ

AuthSome Permissions Plugin

Enterprise-grade permissions system with ABAC, dynamic resources, and CEL policy language.

Features

πŸš€ Advanced Authorization
  • ABAC (Attribute-Based Access Control) - Policy decisions based on user, resource, and request attributes
  • CEL Policy Language - Google's Common Expression Language for safe, fast policy evaluation
  • Dynamic Resources - Organizations define their own resource types and actions
  • Sub-millisecond latency - <5ms p99 with 10K+ policies per org
🏒 Multi-Tenant SaaS
  • Organization-scoped namespaces - Complete isolation between tenants
  • Custom resource definitions - Each org defines what they need to protect
  • Policy templates - Pre-built patterns for common scenarios
  • Platform inheritance - Share common policies across organizations
⚑ Performance
  • Three-tier caching - Local LRU + Redis + Database
  • Compiled policies - Parse once, evaluate millions of times
  • Parallel evaluation - Concurrent policy checks with early exit
  • Query optimization - Cost-based evaluation ordering
πŸ”§ Production-Ready
  • Migration tool - Seamless migration from existing RBAC
  • Hybrid mode - Run both systems during transition
  • Comprehensive metrics - Prometheus + OpenTelemetry integration
  • Audit logging - Complete trail of policy changes
  • Policy versioning - Rollback to previous versions

Quick Start

1. Enable the Plugin

Add to your authsome.yaml:

auth:
  permissions:
    enabled: true
    mode: hybrid  # Use hybrid mode during migration
    
    engine:
      maxPolicyComplexity: 100
      evaluationTimeout: 10ms
      parallelEvaluation: true
    
    cache:
      enabled: true
      backend: redis
      localCacheSize: 10000
2. Register the Plugin
import (
    "github.com/xraph/authsome"
    "github.com/xraph/authsome/plugins/permissions"
)

func main() {
    auth := authsome.New(authsome.Config{
        ModeSaaS: true,
        // ... other config
    })
    
    // Register permissions plugin
    auth.RegisterPlugin(permissions.NewPlugin())
    
    // Initialize
    if err := auth.Init(); err != nil {
        log.Fatal(err)
    }
}
3. Create Your First Policy
curl -X POST http://localhost:8080/api/permissions/policies \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Document owners can edit",
    "expression": "resource.owner == principal.id",
    "resourceType": "document",
    "actions": ["read", "write", "delete"],
    "enabled": true
  }'
4. Evaluate Permissions
curl -X POST http://localhost:8080/api/permissions/evaluate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "principalId": "user_123",
    "action": "write",
    "resourceType": "document",
    "resourceId": "doc_456"
  }'

Response:

{
  "allowed": true,
  "matchedPolicies": ["policy_789"],
  "evaluationTime": "2.3ms"
}

Policy Examples

Owner-Only Access
resource.owner == principal.id
Admin or Owner
has_role("admin") || resource.owner == principal.id
Business Hours Only
is_weekday() && in_time_range("09:00", "17:00")
IP Allowlist
ip_in_range(["10.0.0.0/8", "192.168.0.0/16"])
Team Members
principal.team_id == resource.team_id && 
principal.department in ["engineering", "operations"]
Time-Limited Access
request.time < resource.expires_at && 
days_since(resource.created_at) < 90
Confidentiality-Based
resource.metadata.confidentiality == "public" ||
(resource.metadata.confidentiality == "internal" && is_member_of(resource.org_id)) ||
(resource.metadata.confidentiality == "restricted" && principal.clearance_level >= 3)

Organization Setup

1. Create Namespace
curl -X POST http://localhost:8080/api/permissions/namespaces \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "orgId": "org_abc123",
    "inheritPlatform": true,
    "templateId": "enterprise-base"
  }'
2. Define Custom Resources
curl -X POST http://localhost:8080/api/permissions/resources \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "namespaceId": "ns_xyz",
    "type": "document",
    "attributes": [
      {"name": "owner", "type": "string", "required": true},
      {"name": "team_id", "type": "string"},
      {"name": "confidentiality", "type": "string"},
      {"name": "tags", "type": "array"}
    ]
  }'
3. Define Actions
curl -X POST http://localhost:8080/api/permissions/actions \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "namespaceId": "ns_xyz",
    "name": "export",
    "description": "Export resource data"
  }'

Migration from RBAC

Automatic Migration
curl -X POST http://localhost:8080/api/permissions/migrate/rbac \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "orgId": "org_abc123",
    "dryRun": true,
    "validateEquivalence": true
  }'
Hybrid Mode

Run both systems during migration:

auth:
  permissions:
    mode: hybrid  # Try permissions first, fallback to RBAC

Check migration status:

curl http://localhost:8080/api/permissions/migrate/rbac/status?orgId=org_abc123 \
  -H "Authorization: Bearer $TOKEN"

Configuration Reference

Engine Settings
engine:
  maxPolicyComplexity: 100      # Max operations per policy
  evaluationTimeout: 10ms       # Max evaluation time
  maxPoliciesPerOrg: 10000      # Policy limit per org
  parallelEvaluation: true      # Concurrent evaluation
  maxParallelEvaluations: 4     # Concurrency level
  enableAttributeCaching: true  # Cache attributes
  attributeCacheTTL: 5m         # Attribute cache TTL
Cache Settings
cache:
  enabled: true
  backend: hybrid               # memory, redis, hybrid
  localCacheSize: 10000         # LRU cache size
  localCacheTTL: 5m             # Local TTL
  redisTTL: 15m                 # Redis TTL
  warmupOnStart: true           # Pre-load on startup
  invalidateOnChange: true      # Immediate invalidation
Performance Tuning
performance:
  enableMetrics: true           # Prometheus metrics
  enableTracing: false          # OpenTelemetry traces
  traceSamplingRate: 0.01       # 1% sampling
  slowQueryThreshold: 5ms       # Log slow queries
  enableProfiling: false        # pprof endpoints

Performance Benchmarks

Scenario Latency (p50) Latency (p99) Throughput
Simple policy (owner check) <1ms <2ms 50K RPS
Complex policy (ABAC) 2ms 4ms 25K RPS
1K policies, local cache 1ms 3ms 30K RPS
1K policies, Redis cache 2ms 5ms 20K RPS
10K policies, optimized 3ms 8ms 15K RPS

Benchmarked on: 4 CPU, 8GB RAM, PostgreSQL + Redis

API Reference

Policy Management
Endpoint Method Description
/api/permissions/policies POST Create policy
/api/permissions/policies GET List policies
/api/permissions/policies/:id GET Get policy
/api/permissions/policies/:id PUT Update policy
/api/permissions/policies/:id DELETE Delete policy
/api/permissions/policies/validate POST Validate syntax
/api/permissions/policies/test POST Test policy
Resource Management
Endpoint Method Description
/api/permissions/resources POST Define resource type
/api/permissions/resources GET List resource types
/api/permissions/resources/:id GET Get resource definition
/api/permissions/resources/:id DELETE Delete resource type
Evaluation
Endpoint Method Description
/api/permissions/evaluate POST Check authorization
/api/permissions/evaluate/batch POST Batch evaluation
Templates
Endpoint Method Description
/api/permissions/templates GET List templates
/api/permissions/templates/:id GET Get template
/api/permissions/templates/:id/instantiate POST Use template

Monitoring

Prometheus Metrics
permissions_evaluations_total{org_id, resource_type, action, result}
permissions_evaluation_duration_seconds{org_id}
permissions_cache_hits_total{tier="local|redis|db"}
permissions_policy_count{org_id}
permissions_errors_total{type}
Grafana Dashboard

Import dashboard from: /plugins/permissions/monitoring/grafana-dashboard.json

Health Check
curl http://localhost:8080/health/permissions

Security Considerations

Policy Validation
  • All policies validated at creation time
  • Type checking prevents runtime errors
  • Complexity limits prevent DoS
Cache Security
  • Cache keys include org ID for isolation
  • Redis ACLs recommended
  • Automatic cache invalidation on updates
Audit Trail
  • All policy changes logged
  • Actor, timestamp, old/new values tracked
  • Queryable audit API
Rate Limiting
  • Per-org policy limits
  • Evaluation timeout protection
  • Request rate limiting recommended

Troubleshooting

Slow Evaluations

Check metrics:

curl http://localhost:8080/metrics | grep permissions_evaluation_duration

Enable profiling:

performance:
  enableProfiling: true

Profile: curl http://localhost:8080/debug/pprof/profile

Cache Misses

Check hit rate:

curl http://localhost:8080/metrics | grep permissions_cache_hits

Adjust cache sizes:

cache:
  localCacheSize: 20000  # Increase
  localCacheTTL: 10m     # Increase
Policy Errors

Validate before creating:

curl -X POST http://localhost:8080/api/permissions/policies/validate \
  -d '{"expression": "resource.owner == principal.id"}'

Test with sample data:

curl -X POST http://localhost:8080/api/permissions/policies/test \
  -d '{
    "expression": "...",
    "testCases": [...]
  }'

Documentation

Examples

See /examples/permissions/ for:

  • Basic policy examples
  • ABAC scenarios
  • Multi-tenant setup
  • Performance testing
  • Client integration

Support

License

Same as AuthSome (see root LICENSE file)

Documentation ΒΆ

Index ΒΆ

Constants ΒΆ

View Source 
const (
	PluginID      = "permissions"
	PluginName    = "Advanced Permissions"
	PluginVersion = "1.0.0"
)

Variables ΒΆ

This section is empty.

Functions ΒΆ

This section is empty.

Types ΒΆ

type CacheConfig ΒΆ 

type CacheConfig struct {
	// Enabled controls whether caching is active
	// Default: true
	Enabled bool `json:"enabled" yaml:"enabled"`

	// Backend specifies the cache backend
	// Options: "memory", "redis", "hybrid"
	// Default: "hybrid"
	Backend string `json:"backend" yaml:"backend"`

	// LocalCacheSize is the size of the in-memory LRU cache
	// Default: 10000
	LocalCacheSize int `json:"localCacheSize" yaml:"localCacheSize"`

	// LocalCacheTTL is the TTL for local cache entries
	// Default: 5 minutes
	LocalCacheTTL time.Duration `json:"localCacheTTL" yaml:"localCacheTTL"`

	// RedisTTL is the TTL for Redis cache entries
	// Default: 15 minutes
	RedisTTL time.Duration `json:"redisTTL" yaml:"redisTTL"`

	// WarmupOnStart pre-loads policies on startup
	// Default: true
	WarmupOnStart bool `json:"warmupOnStart" yaml:"warmupOnStart"`

	// InvalidateOnChange immediately invalidates cache on policy changes
	// Default: true
	InvalidateOnChange bool `json:"invalidateOnChange" yaml:"invalidateOnChange"`
}

CacheConfig controls caching behavior

type Config ΒΆ 

type Config struct {
	// Enabled controls whether the permissions system is active
	Enabled bool `json:"enabled" yaml:"enabled"`

	// Mode determines the evaluation mode
	// - "strict": Only use permissions system (RBAC disabled)
	// - "hybrid": Try permissions first, fallback to RBAC
	// - "rbac-primary": Try RBAC first, fallback to permissions
	Mode string `json:"mode" yaml:"mode"`

	// Engine configuration
	Engine EngineConfig `json:"engine" yaml:"engine"`

	// Cache configuration
	Cache CacheConfig `json:"cache" yaml:"cache"`

	// Performance tuning
	Performance PerformanceConfig `json:"performance" yaml:"performance"`

	// Migration settings
	Migration MigrationConfig `json:"migration" yaml:"migration"`

	// Organization-specific overrides
	Organizations map[string]*OrgConfig `json:"organizations" yaml:"organizations"`
}

Config represents the permissions plugin configuration

func DefaultConfig ΒΆ 

func DefaultConfig() *Config

DefaultConfig returns the default configuration

func LoadConfig ΒΆ 

func LoadConfig(configManager forge.ConfigManager) (*Config, error)

LoadConfig loads configuration from Forge config manager

func (*Config) GetOrgConfig ΒΆ 

func (c *Config) GetOrgConfig(orgID string) *Config

GetOrgConfig returns the effective configuration for an organization

func (*Config) MergeOrgConfig ΒΆ 

func (c *Config) MergeOrgConfig(orgID string, override *OrgConfig)

MergeOrgConfig merges organization-specific settings

func (*Config) Validate ΒΆ 

func (c *Config) Validate() error

Validate checks if the configuration is valid

type EngineConfig ΒΆ 

type EngineConfig struct {
	// MaxPolicyComplexity limits the number of operations in a policy
	// Default: 100
	MaxPolicyComplexity int `json:"maxPolicyComplexity" yaml:"maxPolicyComplexity"`

	// EvaluationTimeout is the maximum time for policy evaluation
	// Default: 10ms
	EvaluationTimeout time.Duration `json:"evaluationTimeout" yaml:"evaluationTimeout"`

	// MaxPoliciesPerOrg limits policies per organization
	// Default: 10000
	MaxPoliciesPerOrg int `json:"maxPoliciesPerOrg" yaml:"maxPoliciesPerOrg"`

	// ParallelEvaluation enables concurrent policy evaluation
	// Default: true
	ParallelEvaluation bool `json:"parallelEvaluation" yaml:"parallelEvaluation"`

	// MaxParallelEvaluations controls concurrency level
	// Default: 4
	MaxParallelEvaluations int `json:"maxParallelEvaluations" yaml:"maxParallelEvaluations"`

	// EnableAttributeCaching caches attribute lookups
	// Default: true
	EnableAttributeCaching bool `json:"enableAttributeCaching" yaml:"enableAttributeCaching"`

	// AttributeCacheTTL is the TTL for attribute cache
	// Default: 5 minutes
	AttributeCacheTTL time.Duration `json:"attributeCacheTTL" yaml:"attributeCacheTTL"`
}

EngineConfig controls the policy evaluation engine

type Handler ΒΆ 

type Handler struct {
	// contains filtered or unexported fields
}

Handler handles HTTP requests for the permissions plugin Updated for V2 architecture: App β†’ Environment β†’ Organization

func NewHandler ΒΆ 

func NewHandler(service *Service) *Handler

NewHandler creates a new handler instance

func (*Handler) CreateAction ΒΆ 

func (h *Handler) CreateAction(c forge.Context) error

CreateAction handles POST /api/permissions/actions

func (*Handler) CreateNamespace ΒΆ 

func (h *Handler) CreateNamespace(c forge.Context) error

CreateNamespace handles POST /api/permissions/namespaces

func (*Handler) CreatePolicy ΒΆ 

func (h *Handler) CreatePolicy(c forge.Context) error

CreatePolicy handles POST /api/permissions/policies

func (*Handler) CreateResource ΒΆ 

func (h *Handler) CreateResource(c forge.Context) error

CreateResource handles POST /api/permissions/resources

func (*Handler) DeleteAction ΒΆ 

func (h *Handler) DeleteAction(c forge.Context) error

DeleteAction handles DELETE /api/permissions/actions/:id

func (*Handler) DeleteNamespace ΒΆ 

func (h *Handler) DeleteNamespace(c forge.Context) error

DeleteNamespace handles DELETE /api/permissions/namespaces/:id

func (*Handler) DeletePolicy ΒΆ 

func (h *Handler) DeletePolicy(c forge.Context) error

DeletePolicy handles DELETE /api/permissions/policies/:id

func (*Handler) DeleteResource ΒΆ 

func (h *Handler) DeleteResource(c forge.Context) error

DeleteResource handles DELETE /api/permissions/resources/:id

func (*Handler) Evaluate ΒΆ 

func (h *Handler) Evaluate(c forge.Context) error

Evaluate handles POST /api/permissions/evaluate

func (*Handler) EvaluateBatch ΒΆ 

func (h *Handler) EvaluateBatch(c forge.Context) error

EvaluateBatch handles POST /api/permissions/evaluate/batch

func (*Handler) GetAnalytics ΒΆ 

func (h *Handler) GetAnalytics(c forge.Context) error

GetAnalytics handles GET /api/permissions/analytics

func (*Handler) GetAuditLog ΒΆ 

func (h *Handler) GetAuditLog(c forge.Context) error

GetAuditLog handles GET /api/permissions/audit

func (*Handler) GetMigrationStatus ΒΆ 

func (h *Handler) GetMigrationStatus(c forge.Context) error

GetMigrationStatus handles GET /api/permissions/migrate/rbac/status

func (*Handler) GetNamespace ΒΆ 

func (h *Handler) GetNamespace(c forge.Context) error

GetNamespace handles GET /api/permissions/namespaces/:id

func (*Handler) GetPolicy ΒΆ 

func (h *Handler) GetPolicy(c forge.Context) error

GetPolicy handles GET /api/permissions/policies/:id

func (*Handler) GetResource ΒΆ 

func (h *Handler) GetResource(c forge.Context) error

GetResource handles GET /api/permissions/resources/:id

func (*Handler) GetTemplate ΒΆ 

func (h *Handler) GetTemplate(c forge.Context) error

GetTemplate handles GET /api/permissions/templates/:id

func (*Handler) InstantiateTemplate ΒΆ 

func (h *Handler) InstantiateTemplate(c forge.Context) error

InstantiateTemplate handles POST /api/permissions/templates/:id/instantiate

func (*Handler) ListActions ΒΆ 

func (h *Handler) ListActions(c forge.Context) error

ListActions handles GET /api/permissions/actions

func (*Handler) ListNamespaces ΒΆ 

func (h *Handler) ListNamespaces(c forge.Context) error

ListNamespaces handles GET /api/permissions/namespaces

func (*Handler) ListPolicies ΒΆ 

func (h *Handler) ListPolicies(c forge.Context) error

ListPolicies handles GET /api/permissions/policies

func (*Handler) ListResources ΒΆ 

func (h *Handler) ListResources(c forge.Context) error

ListResources handles GET /api/permissions/resources

func (*Handler) ListTemplates ΒΆ 

func (h *Handler) ListTemplates(c forge.Context) error

ListTemplates handles GET /api/permissions/templates

func (*Handler) MigrateFromRBAC ΒΆ 

func (h *Handler) MigrateFromRBAC(c forge.Context) error

MigrateFromRBAC handles POST /api/permissions/migrate/rbac

func (*Handler) TestPolicy ΒΆ 

func (h *Handler) TestPolicy(c forge.Context) error

TestPolicy handles POST /api/permissions/policies/test

func (*Handler) UpdateNamespace ΒΆ 

func (h *Handler) UpdateNamespace(c forge.Context) error

UpdateNamespace handles PUT /api/permissions/namespaces/:id

func (*Handler) UpdatePolicy ΒΆ 

func (h *Handler) UpdatePolicy(c forge.Context) error

UpdatePolicy handles PUT /api/permissions/policies/:id

func (*Handler) ValidatePolicy ΒΆ 

func (h *Handler) ValidatePolicy(c forge.Context) error

ValidatePolicy handles POST /api/permissions/policies/validate

type MessageResponse ΒΆ 

type MessageResponse = handlers.MessageResponse

Response types - use from handlers package

type MigrationConfig ΒΆ 

type MigrationConfig struct {
	// AutoMigrate automatically converts RBAC policies
	// Default: false (requires manual migration)
	AutoMigrate bool `json:"autoMigrate" yaml:"autoMigrate"`

	// ValidateEquivalence checks that migrated policies match RBAC
	// Default: true
	ValidateEquivalence bool `json:"validateEquivalence" yaml:"validateEquivalence"`

	// KeepRBACPolicies retains RBAC policies after migration
	// Default: true (safe to delete after validation)
	KeepRBACPolicies bool `json:"keepRBACPolicies" yaml:"keepRBACPolicies"`

	// DryRun simulates migration without making changes
	// Default: false
	DryRun bool `json:"dryRun" yaml:"dryRun"`
}

MigrationConfig controls RBAC β†’ Permissions migration

type OrgConfig ΒΆ 

type OrgConfig struct {
	// Enabled controls if permissions are enabled for this org
	Enabled *bool `json:"enabled,omitempty" yaml:"enabled,omitempty"`

	// MaxPolicies overrides the global limit for this org
	MaxPolicies *int `json:"maxPolicies,omitempty" yaml:"maxPolicies,omitempty"`

	// CustomResources defines org-specific resource types
	CustomResources []string `json:"customResources,omitempty" yaml:"customResources,omitempty"`

	// CustomActions defines org-specific actions
	CustomActions []string `json:"customActions,omitempty" yaml:"customActions,omitempty"`

	// TemplateID specifies which platform template to inherit
	TemplateID *string `json:"templateId,omitempty" yaml:"templateId,omitempty"`

	// InheritPlatform controls platform policy inheritance
	InheritPlatform *bool `json:"inheritPlatform,omitempty" yaml:"inheritPlatform,omitempty"`
}

OrgConfig allows organization-specific overrides

type PerformanceConfig ΒΆ 

type PerformanceConfig struct {
	// EnableMetrics enables Prometheus metrics
	// Default: true
	EnableMetrics bool `json:"enableMetrics" yaml:"enableMetrics"`

	// EnableTracing enables OpenTelemetry tracing
	// Default: false (enable in production)
	EnableTracing bool `json:"enableTracing" yaml:"enableTracing"`

	// TraceSamplingRate is the percentage of requests to trace
	// Default: 0.01 (1%)
	TraceSamplingRate float64 `json:"traceSamplingRate" yaml:"traceSamplingRate"`

	// SlowQueryThreshold logs queries slower than this
	// Default: 5ms
	SlowQueryThreshold time.Duration `json:"slowQueryThreshold" yaml:"slowQueryThreshold"`

	// EnableProfiling enables pprof endpoints
	// Default: false (enable for debugging)
	EnableProfiling bool `json:"enableProfiling" yaml:"enableProfiling"`
}

PerformanceConfig controls performance tuning

type Plugin ΒΆ 

type Plugin struct {
	// contains filtered or unexported fields
}

Plugin implements the AuthSome plugin interface for advanced permissions

func NewPlugin ΒΆ 

func NewPlugin() *Plugin

NewPlugin creates a new permissions plugin instance

func (*Plugin) Description ΒΆ 

func (p *Plugin) Description() string

Description returns the plugin description

func (*Plugin) Health ΒΆ 

func (p *Plugin) Health(ctx context.Context) error

Health checks plugin health

func (*Plugin) ID ΒΆ 

func (p *Plugin) ID() string

ID returns the unique plugin identifier

func (*Plugin) Init ΒΆ 

func (p *Plugin) Init(auth interface{}) error

Init initializes the plugin (stub - to be fully implemented in Week 2-4)

func (*Plugin) Migrate ΒΆ 

func (p *Plugin) Migrate(ctx context.Context) error

Migrate runs database migrations for the plugin

func (*Plugin) Name ΒΆ 

func (p *Plugin) Name() string

Name returns the human-readable plugin name

func (*Plugin) RegisterHooks ΒΆ 

func (p *Plugin) RegisterHooks(hooks interface{}) error

RegisterHooks registers lifecycle hooks (stub - hooks not yet defined in core)

func (*Plugin) RegisterRoutes ΒΆ 

func (p *Plugin) RegisterRoutes(router forge.Router) error

RegisterRoutes registers HTTP routes for the plugin

func (*Plugin) Service ΒΆ 

func (p *Plugin) Service() *Service

Service returns the permissions service (for programmatic access)

func (*Plugin) Shutdown ΒΆ 

func (p *Plugin) Shutdown(ctx context.Context) error

Shutdown gracefully shuts down the plugin

func (*Plugin) Version ΒΆ 

func (p *Plugin) Version() string

Version returns the plugin version

type Service ΒΆ 

type Service struct {
	// contains filtered or unexported fields
}

Service is the main permissions service Updated for V2 architecture: App β†’ Environment β†’ Organization

func (*Service) CreateAction ΒΆ 

func (s *Service) CreateAction(ctx context.Context, appID xid.ID, orgID *xid.ID, req *handlers.CreateActionRequest) (*core.ActionDefinition, error)

CreateAction creates a new action definition Week 3 implementation

func (*Service) CreateDefaultNamespace ΒΆ 

func (s *Service) CreateDefaultNamespace(ctx context.Context, appID xid.ID, orgID *xid.ID) error

CreateDefaultNamespace creates a default namespace for a new app or organization Updated for V2 architecture

func (*Service) CreateNamespace ΒΆ 

func (s *Service) CreateNamespace(ctx context.Context, appID xid.ID, orgID *xid.ID, userID xid.ID, req *handlers.CreateNamespaceRequest) (*core.Namespace, error)

CreateNamespace creates a new namespace Week 3 implementation

func (*Service) CreatePolicy ΒΆ 

func (s *Service) CreatePolicy(ctx context.Context, appID xid.ID, orgID *xid.ID, userID xid.ID, req *handlers.CreatePolicyRequest) (*core.Policy, error)

CreatePolicy creates a new permission policy Week 4 implementation

func (*Service) CreateResource ΒΆ 

func (s *Service) CreateResource(ctx context.Context, appID xid.ID, orgID *xid.ID, req *handlers.CreateResourceRequest) (*core.ResourceDefinition, error)

CreateResource creates a new resource definition Week 3 implementation

func (*Service) DeleteAction ΒΆ 

func (s *Service) DeleteAction(ctx context.Context, appID xid.ID, orgID *xid.ID, actionID xid.ID) error

DeleteAction deletes an action definition Week 3 implementation

func (*Service) DeleteNamespace ΒΆ 

func (s *Service) DeleteNamespace(ctx context.Context, appID xid.ID, orgID *xid.ID, namespaceID xid.ID) error

DeleteNamespace deletes a namespace Week 3 implementation

func (*Service) DeletePolicy ΒΆ 

func (s *Service) DeletePolicy(ctx context.Context, appID xid.ID, orgID *xid.ID, policyID xid.ID) error

DeletePolicy deletes a policy Week 4 implementation

func (*Service) DeleteResource ΒΆ 

func (s *Service) DeleteResource(ctx context.Context, appID xid.ID, orgID *xid.ID, resourceID xid.ID) error

DeleteResource deletes a resource definition Week 3 implementation

func (*Service) Evaluate ΒΆ 

func (s *Service) Evaluate(ctx context.Context, appID xid.ID, orgID *xid.ID, userID xid.ID, req *handlers.EvaluateRequest) (*engine.Decision, error)

Evaluate evaluates a permission check Week 5 implementation - CORE FEATURE

func (*Service) EvaluateBatch ΒΆ 

func (s *Service) EvaluateBatch(ctx context.Context, appID xid.ID, orgID *xid.ID, userID xid.ID, req *handlers.BatchEvaluateRequest) ([]*handlers.BatchEvaluationResult, error)

EvaluateBatch evaluates multiple permission checks efficiently Week 5 implementation

func (*Service) GetAnalytics ΒΆ 

func (s *Service) GetAnalytics(ctx context.Context, appID xid.ID, orgID *xid.ID, timeRange map[string]interface{}) (*handlers.AnalyticsSummary, error)

GetAnalytics retrieves analytics data Week 8 implementation

func (*Service) GetMigrationStatus ΒΆ 

func (s *Service) GetMigrationStatus(ctx context.Context, appID xid.ID, orgID *xid.ID) (*core.MigrationStatus, error)

GetMigrationStatus retrieves migration status Week 7 implementation

func (*Service) GetNamespace ΒΆ 

func (s *Service) GetNamespace(ctx context.Context, appID xid.ID, orgID *xid.ID, namespaceID xid.ID) (*core.Namespace, error)

GetNamespace retrieves a namespace by ID Week 3 implementation

func (*Service) GetPolicy ΒΆ 

func (s *Service) GetPolicy(ctx context.Context, appID xid.ID, orgID *xid.ID, policyID xid.ID) (*core.Policy, error)

GetPolicy retrieves a policy by ID Week 4 implementation

func (*Service) GetResource ΒΆ 

func (s *Service) GetResource(ctx context.Context, appID xid.ID, orgID *xid.ID, resourceID xid.ID) (*core.ResourceDefinition, error)

GetResource retrieves a resource definition by ID Week 3 implementation

func (*Service) GetTemplate ΒΆ 

func (s *Service) GetTemplate(ctx context.Context, templateID string) (*core.PolicyTemplate, error)

GetTemplate retrieves a specific policy template Week 6 implementation

func (*Service) Health ΒΆ 

func (s *Service) Health(ctx context.Context) error

Health checks service health

func (*Service) InstantiateTemplate ΒΆ 

func (s *Service) InstantiateTemplate(ctx context.Context, appID xid.ID, orgID *xid.ID, userID xid.ID, templateID string, req *handlers.InstantiateTemplateRequest) (*core.Policy, error)

InstantiateTemplate creates a policy from a template Week 6 implementation

func (*Service) InvalidateAppCache ΒΆ 

func (s *Service) InvalidateAppCache(ctx context.Context, appID xid.ID) error

InvalidateAppCache invalidates the cache for a specific app New method for V2 architecture

func (*Service) InvalidateOrganizationCache ΒΆ 

func (s *Service) InvalidateOrganizationCache(ctx context.Context, appID xid.ID, orgID xid.ID) error

InvalidateOrganizationCache invalidates the cache for a specific organization New method for V2 architecture

func (*Service) InvalidateUserCache ΒΆ 

func (s *Service) InvalidateUserCache(ctx context.Context, userID xid.ID) error

InvalidateUserCache invalidates the cache for a specific user Updated for V2 architecture

func (*Service) ListActions ΒΆ 

func (s *Service) ListActions(ctx context.Context, appID xid.ID, orgID *xid.ID, namespaceID xid.ID) ([]*core.ActionDefinition, error)

ListActions lists action definitions for a namespace Week 3 implementation

func (*Service) ListAuditEvents ΒΆ 

func (s *Service) ListAuditEvents(ctx context.Context, appID xid.ID, orgID *xid.ID, filters map[string]interface{}) ([]*core.AuditEvent, int, error)

ListAuditEvents lists audit log entries Week 8 implementation

func (*Service) ListNamespaces ΒΆ 

func (s *Service) ListNamespaces(ctx context.Context, appID xid.ID, orgID *xid.ID) ([]*core.Namespace, error)

ListNamespaces lists namespaces for an app/org Week 3 implementation

func (*Service) ListPolicies ΒΆ 

func (s *Service) ListPolicies(ctx context.Context, appID xid.ID, orgID *xid.ID, filters map[string]interface{}) ([]*core.Policy, int, error)

ListPolicies lists policies for an app/org Week 4 implementation

func (*Service) ListResources ΒΆ 

func (s *Service) ListResources(ctx context.Context, appID xid.ID, orgID *xid.ID, namespaceID xid.ID) ([]*core.ResourceDefinition, error)

ListResources lists resource definitions for a namespace Week 3 implementation

func (*Service) ListTemplates ΒΆ 

func (s *Service) ListTemplates(ctx context.Context) ([]*core.PolicyTemplate, error)

ListTemplates lists available policy templates Week 6 implementation

func (*Service) Migrate ΒΆ 

func (s *Service) Migrate(ctx context.Context) error

Migrate runs database migrations

func (*Service) MigrateFromRBAC ΒΆ 

func (s *Service) MigrateFromRBAC(ctx context.Context, appID xid.ID, orgID *xid.ID, req *handlers.MigrateRBACRequest) (*core.MigrationStatus, error)

MigrateFromRBAC migrates RBAC policies to permissions Week 7 implementation

func (*Service) Shutdown ΒΆ 

func (s *Service) Shutdown(ctx context.Context) error

Shutdown gracefully shuts down the service

func (*Service) TestPolicy ΒΆ 

func (s *Service) TestPolicy(ctx context.Context, req *handlers.TestPolicyRequest) (*handlers.TestPolicyResponse, error)

TestPolicy tests a policy against test cases Week 4 implementation

func (*Service) UpdateNamespace ΒΆ 

func (s *Service) UpdateNamespace(ctx context.Context, appID xid.ID, orgID *xid.ID, namespaceID xid.ID, req *handlers.UpdateNamespaceRequest) (*core.Namespace, error)

UpdateNamespace updates an existing namespace Week 3 implementation

func (*Service) UpdatePolicy ΒΆ 

func (s *Service) UpdatePolicy(ctx context.Context, appID xid.ID, orgID *xid.ID, userID xid.ID, policyID xid.ID, req *handlers.UpdatePolicyRequest) (*core.Policy, error)

UpdatePolicy updates an existing policy Week 4 implementation

func (*Service) ValidatePolicy ΒΆ 

func (s *Service) ValidatePolicy(ctx context.Context, req *handlers.ValidatePolicyRequest) (*handlers.ValidatePolicyResponse, error)

ValidatePolicy validates a policy expression Week 4 implementation

type StatusResponse ΒΆ 

type StatusResponse = handlers.StatusResponse

Response types - use from handlers package

Source Files ΒΆ

View all Source files

Directories ΒΆ

Path Synopsis
providers

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.