ash

package

v0.12.6 Latest Latest Go to latest Published: Jan 10, 2018 License: MIT Imports: 3 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/256dpi/fire

Links

Open Source Insights

Documentation ¶

Overview ¶

Package ash implements a highly configurable and callback based ACL that can be used to authorize controller operations in a declarative way.

Index ¶

Variables
func C(s *Strategy) *fire.Callback
type Authorizer
- func (a *Authorizer) And(b *Authorizer) *Authorizer
- func (a *Authorizer) Or(b *Authorizer) *Authorizer
type Enforcer
type Handler
type L
type M
type Strategy
- func (s *Strategy) Callback() *fire.Callback

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrAccessDenied = errors.New("access denied")

ErrAccessDenied is returned by the DenyAccess enforcer and the Strategy if no authorizer authorized the operation.

Functions ¶

func C ¶ added in v0.12.2

func C(s *Strategy) *fire.Callback

C is a short-hand to define a strategy and return its callback.

Types ¶

type Authorizer ¶

type Authorizer struct {
	Matcher fire.Matcher
	Handler Handler
}

An Authorizer should inspect the specified context and assesses if it is able to enforce authorization with the data that is available. If yes, the authorizer should return an Enforcer that will enforce the authorization.

func A ¶ added in v0.12.0

func A(name string, m fire.Matcher, h Handler) *Authorizer

A is a short-hand function to construct an authorizer. It will also add tracing code around the execution of the authorizer.

func And ¶

func And(a, b *Authorizer) *Authorizer

And will match and run both authorizers and return immediately if one does not return an enforcer. The two successfully returned enforcers are wrapped in one that will match and run both enforcers.

func Or ¶

func Or(a, b *Authorizer) *Authorizer

Or will match and run the first authorizer and return its enforcer on success. If no enforcer is returned it will match and run the second authorizer and return its result.

func (*Authorizer) And ¶

func (a *Authorizer) And(b *Authorizer) *Authorizer

And will run And() with the current and specified authorizer.

func (*Authorizer) Or ¶

func (a *Authorizer) Or(b *Authorizer) *Authorizer

Or will run Or() with the current and specified authorizer.

type Enforcer ¶

type Enforcer = fire.Callback

An Enforcer is returned by an Authorizer to enforce the previously inspected Authorization.

Enforcers should only return errors if the operation is clearly not allowed for the presented candidate and that this information is general knowledge (e.g. API documentation). In order to prevent the leakage of implementation details the enforcer should mutate the context's Query field to hide existing data from the candidate.

func AddFilter ¶ added in v0.11.0

func AddFilter(filters bson.M) *Enforcer

AddFilter will enforce the authorization by adding the passed filters to the Filter query of the context. It should be used if the candidate is allowed to access the resource in general, but some records should be filtered out.

Note: This method will panic if used for Create and CollectionAction operation. You should test for this cases and use another enforcer.

func DenyAccess ¶ added in v0.12.0

func DenyAccess() *Enforcer

DenyAccess will enforce the authorization by directly returning an access denied error. It should be used if the operation should not be authorized in any case (.e.g a candidate accessing a resource he has clearly no access to).

Note: Usually access is denied by returning no enforcer. This enforcer should only be returned to immediately stop the authorization process and prevent other enforcers from authorizing the operation.

func E ¶ added in v0.12.0

func E(name string, m fire.Matcher, h fire.Handler) *Enforcer

E is a short-hand function to create an enforcer.

func GrantAccess ¶ added in v0.12.0

func GrantAccess() *Enforcer

GrantAccess will enforce the authorization without any changes to the context. It should be used if the presented candidate has full access to the data (.e.g a superuser).

func HideFilter ¶

func HideFilter() *Enforcer

HideFilter will enforce the authorization by adding a falsy filter to the Filter query of the context, so that no records will be returned. It should be used if the requested resources or resource should be hidden from the candidate.

Note: This method will panic if used for Create and CollectionAction operation. You should test for this cases and use another enforcer.

type Handler ¶ added in v0.12.0

type Handler func(*fire.Context) (*Enforcer, error)

Handler is a function that inspects an operation context and eventually returns an enforcer or an error.

type L ¶

type L []*Authorizer

L is a short-hand type to create a list of authorizers.

type M ¶ added in v0.10.0

type M map[string][]*Authorizer

M is a short-hand type to create a map of authorizers.

type Strategy ¶

type Strategy struct {
	// Single operations.
	List   []*Authorizer
	Find   []*Authorizer
	Create []*Authorizer
	Update []*Authorizer
	Delete []*Authorizer

	// Single action operations.
	CollectionAction map[string][]*Authorizer
	ResourceAction   map[string][]*Authorizer

	// All action operations.
	CollectionActions []*Authorizer
	ResourceActions   []*Authorizer

	// All List and Find operations.
	Read []*Authorizer

	// All Create, Update and Delete operations.
	Write []*Authorizer

	// All CollectionAction and ResourceAction operations.
	Actions []*Authorizer

	// All operations.
	All []*Authorizer
}

Strategy contains lists of authorizers that are used to authorize operations.

func (*Strategy) Callback ¶ added in v0.12.2

func (s *Strategy) Callback() *fire.Callback

Callback will return a callback that authorizes operations using the strategy.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL