authz

package

v1.0.0 Latest Latest Go to latest Published: Jun 1, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/3lbits/vigil

Links

Open Source Insights

Documentation ¶

Index ¶

func RequireObjectPolicy(e *Engine, resource, action string, load ObjectLoader, ...) func(http.Handler) http.Handler
func RequirePolicy(e *Engine, resource, action string) func(http.Handler) http.Handler
type Engine
- func New(ctx context.Context, policySource string) (*Engine, error)
- func (e *Engine) Allow(ctx context.Context, userID, role, resource, action string, ...) (bool, error)
type ObjectInputBuilder
type ObjectLoader

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func RequireObjectPolicy ¶

func RequireObjectPolicy(
	e *Engine,
	resource, action string,
	load ObjectLoader,
	buildInput ObjectInputBuilder,
) func(http.Handler) http.Handler

RequireObjectPolicy enforces OPA policy for object-level checks while letting modules keep ownership of resource loading details.

func RequirePolicy ¶

func RequirePolicy(e *Engine, resource, action string) func(http.Handler) http.Handler

RequirePolicy returns middleware that evaluates the OPA policy for every request. resource and action are static per route (e.g. "frameworks", "write"). Unauthenticated requests are redirected to /login.

Types ¶

type Engine ¶

type Engine struct {
	// contains filtered or unexported fields
}

Engine wraps a compiled OPA query. Thread-safe; compile once at startup.

func New ¶

func New(ctx context.Context, policySource string) (*Engine, error)

New compiles the given Rego policy source and returns a ready Engine. policySource should be the full content of the authz.rego file.

func (*Engine) Allow ¶

func (e *Engine) Allow(ctx context.Context, userID, role, resource, action string, extra ...map[string]any) (bool, error)

Allow evaluates the policy for the given user, resource, and action. An optional extra map is merged into the OPA input (e.g. {"is_participant": true}).

type ObjectInputBuilder ¶

type ObjectInputBuilder func(*http.Request, middleware.SessionUser) (map[string]any, error)

ObjectInputBuilder computes dynamic OPA input for object-level decisions.

type ObjectLoader ¶

type ObjectLoader func(http.ResponseWriter, *http.Request) (*http.Request, bool)

ObjectLoader prepares request context with the loaded object data. It returns (updatedRequest, true) when the request can proceed. It should write the response and return false on not-found/internal failures.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL