engine

package
v0.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 8, 2025 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AttributeCache 

type AttributeCache interface {
	Get(ctx context.Context, key string) (map[string]interface{}, bool)
	Set(ctx context.Context, key string, value map[string]interface{}, ttl time.Duration) error
	Delete(ctx context.Context, key string) error
	Clear(ctx context.Context) error
}

AttributeCache defines the caching interface for attributes This is intentionally simple and can wrap any caching backend

func NewSimpleAttributeCache 

func NewSimpleAttributeCache() AttributeCache

NewSimpleAttributeCache creates a simple in-memory attribute cache

type AttributeProvider 

type AttributeProvider interface {
	// Name returns the provider name (e.g., "user", "resource", "request")
	Name() string

	// GetAttributes fetches attributes for a given entity
	// The key format depends on the provider (e.g., "user:123", "resource:doc_456")
	GetAttributes(ctx context.Context, key string) (map[string]interface{}, error)

	// GetBatchAttributes fetches attributes for multiple entities
	// Returns a map of key -> attributes
	GetBatchAttributes(ctx context.Context, keys []string) (map[string]map[string]interface{}, error)
}

AttributeProvider fetches attributes from various sources (users, resources, etc.)

type AttributeRequest 

type AttributeRequest struct {
	Provider string
	Key      string
}

AttributeRequest represents a request for attributes

type AttributeResolver 

type AttributeResolver struct {
	// contains filtered or unexported fields
}

AttributeResolver coordinates multiple providers and handles caching

func NewAttributeResolver 

func NewAttributeResolver(cache AttributeCache) *AttributeResolver

NewAttributeResolver creates a new attribute resolver

func (*AttributeResolver) ClearCache 

func (r *AttributeResolver) ClearCache(ctx context.Context) error

ClearCache clears all cached attributes

func (*AttributeResolver) ClearCacheKey 

func (r *AttributeResolver) ClearCacheKey(ctx context.Context, providerName, key string) error

ClearCacheKey clears a specific cached attribute

func (*AttributeResolver) EnrichEvaluationContext 

func (r *AttributeResolver) EnrichEvaluationContext(ctx context.Context, evalCtx *EvaluationContext) error

EnrichEvaluationContext enriches an evaluation context with additional attributes This is called before policy evaluation to ensure all needed attributes are present

func (*AttributeResolver) GetProvider 

func (r *AttributeResolver) GetProvider(name string) (AttributeProvider, error)

GetProvider returns a registered provider by name

func (*AttributeResolver) RegisterProvider 

func (r *AttributeResolver) RegisterProvider(provider AttributeProvider) error

RegisterProvider registers an attribute provider

func (*AttributeResolver) Resolve 

func (r *AttributeResolver) Resolve(ctx context.Context, providerName, key string) (map[string]interface{}, error)

Resolve fetches attributes for a given provider and key It checks the cache first, then falls back to the provider

func (*AttributeResolver) ResolveBatch 

func (r *AttributeResolver) ResolveBatch(ctx context.Context, providerName string, keys []string) (map[string]map[string]interface{}, error)

ResolveBatch fetches attributes for multiple entities from a provider

func (*AttributeResolver) ResolveMultiple 

func (r *AttributeResolver) ResolveMultiple(ctx context.Context, requests []AttributeRequest) (map[string]map[string]interface{}, error)

ResolveMultiple fetches attributes for multiple requests in parallel

type CompiledPolicy 

type CompiledPolicy struct {
	// Policy metadata
	PolicyID           xid.ID
	AppID              xid.ID  // Platform app (required)
	EnvironmentID      xid.ID  // Environment (required)
	UserOrganizationID *xid.ID // User-created org (optional)
	NamespaceID        xid.ID
	Name               string
	Description        string

	// Compiled CEL program
	Program cel.Program
	AST     *cel.Ast

	// Indexing keys for fast lookup
	ResourceType string
	Actions      []string
	Priority     int

	// Metadata
	Version    int
	CompiledAt time.Time

	// Performance tracking
	EvaluationCount int64
	AvgLatencyMs    float64
}

CompiledPolicy represents a policy compiled to executable CEL bytecode V2 Architecture: App → Environment → Organization

type Compiler 

type Compiler struct {
	// contains filtered or unexported fields
}

Compiler compiles policies from CEL expressions to executable programs

func NewCompiler 

func NewCompiler(config CompilerConfig) (*Compiler, error)

NewCompiler creates a new policy compiler

func (*Compiler) Compile 

func (c *Compiler) Compile(policy *core.Policy) (*CompiledPolicy, error)

Compile converts a policy to a compiled, executable form

func (*Compiler) CompileBatch 

func (c *Compiler) CompileBatch(policies []*core.Policy) (map[string]*CompiledPolicy, error)

CompileBatch compiles multiple policies in parallel

func (*Compiler) EstimateComplexity 

func (c *Compiler) EstimateComplexity(expression string) (int, error)

EstimateComplexity returns the estimated complexity of an expression

func (*Compiler) GetMaxComplexity 

func (c *Compiler) GetMaxComplexity() int

GetMaxComplexity returns the maximum allowed complexity

func (*Compiler) Validate 

func (c *Compiler) Validate(expression string) error

Validate checks if a policy expression is valid without fully compiling

type CompilerConfig 

type CompilerConfig struct {
	MaxComplexity int // Maximum allowed expression complexity
}

CompilerConfig configures the compiler

func DefaultCompilerConfig 

func DefaultCompilerConfig() CompilerConfig

DefaultCompilerConfig returns default compiler configuration

type Decision 

type Decision struct {
	// Allowed indicates if access is granted
	Allowed bool `json:"allowed"`

	// MatchedPolicies lists policies that allowed access
	MatchedPolicies []string `json:"matchedPolicies,omitempty"`

	// EvaluatedPolicies is the total number of policies checked
	EvaluatedPolicies int `json:"evaluatedPolicies"`

	// EvaluationTime is how long evaluation took
	EvaluationTime time.Duration `json:"evaluationTime"`

	// CacheHit indicates if result came from cache
	CacheHit bool `json:"cacheHit"`

	// Error if evaluation failed
	Error string `json:"error,omitempty"`
}

Decision represents the result of an authorization evaluation

type EvaluationContext 

type EvaluationContext struct {
	// Principal (user making the request)
	Principal map[string]interface{} `json:"principal"`

	// Resource being accessed
	Resource map[string]interface{} `json:"resource"`

	// Request context (IP, time, method, etc.)
	Request map[string]interface{} `json:"request"`

	// Action being performed
	Action string `json:"action"`
}

EvaluationContext contains all data available to policy expressions

type EvaluationStats 

type EvaluationStats struct {
	PolicyID        string
	EvaluationCount int64
	TotalLatencyMs  float64
	AvgLatencyMs    float64
	P50LatencyMs    float64
	P99LatencyMs    float64
	AllowCount      int64
	DenyCount       int64
	ErrorCount      int64
	LastEvaluated   time.Time
}

EvaluationStats tracks performance metrics for policies

type Evaluator 

type Evaluator struct {
	// contains filtered or unexported fields
}

Evaluator evaluates compiled policies to make authorization decisions

func NewEvaluator 

func NewEvaluator(config EvaluatorConfig) *Evaluator

NewEvaluator creates a new policy evaluator

func (*Evaluator) EnrichEvaluationContext 

func (e *Evaluator) EnrichEvaluationContext(ctx context.Context, evalCtx *EvaluationContext) error

EnrichEvaluationContext enriches the evaluation context with attributes from the resolver This is called automatically before evaluation if a resolver is configured

func (*Evaluator) Evaluate 

func (e *Evaluator) Evaluate(ctx context.Context, policies []*CompiledPolicy, evalCtx *EvaluationContext) (*Decision, error)

Evaluate makes an authorization decision based on compiled policies

func (*Evaluator) EvaluateBatch 

func (e *Evaluator) EvaluateBatch(ctx context.Context, policies []*CompiledPolicy, requests []*EvaluationContext) ([]*Decision, error)

EvaluateBatch evaluates multiple authorization requests in batch

func (*Evaluator) GetTimeout 

func (e *Evaluator) GetTimeout() time.Duration

GetTimeout returns the evaluation timeout

func (*Evaluator) SetAttributeResolver 

func (e *Evaluator) SetAttributeResolver(resolver *AttributeResolver)

SetAttributeResolver sets the attribute resolver for automatic attribute enrichment

func (*Evaluator) SetTimeout 

func (e *Evaluator) SetTimeout(timeout time.Duration)

SetTimeout updates the evaluation timeout

type EvaluatorConfig 

type EvaluatorConfig struct {
	Timeout             time.Duration
	ParallelEvaluations int
	EnableParallel      bool
	AttributeResolver   *AttributeResolver // Optional: enables automatic attribute enrichment
}

EvaluatorConfig configures the evaluator

func DefaultEvaluatorConfig 

func DefaultEvaluatorConfig() EvaluatorConfig

DefaultEvaluatorConfig returns default evaluator configuration

type IndexKey 

type IndexKey struct {
	AppID              string
	EnvironmentID      string
	UserOrganizationID string // Empty string if environment-level
	ResourceType       string
	Action             string
}

IndexKey represents a multi-dimensional index key for fast policy lookup V2 Architecture: App → Environment → Organization

func (IndexKey) String 

func (k IndexKey) String() string

String returns the string representation of the index key

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.