engines

package
v1.5.0 Latest
Warning

This package is not in the latest version of its module.

Published: Nov 3, 2025 License: AGPL-3.0 Imports: 24 Imported by: 0

Documentation

Constants

const ALL = "<>"

Variables

This section is empty.

Functions

func ContextToString added in v0.5.5

func ContextToString(context *base.Context) string

ContextToString takes a Context object and converts it into a string.

func ConvertToAnyPB added in v0.5.0

func ConvertToAnyPB(value interface{}) (*anypb.Any, error)

ConvertToAnyPB is a function to convert various basic Go types into *anypb.Any. It supports conversion from bool, int, float64, and string. It uses a type switch to detect the type of the input value. If the type is unsupported or unknown, it returns an error.

func GenerateKey added in v0.5.5

func GenerateKey(key *base.PermissionCheckRequest, isRelational bool) string

GenerateKey takes a PermissionCheckRequest and generates a unique key.

Key format: check|{tenant_id}|{schema_version}|{snap_token}|{context}|{entity:id#permission(optional_arguments)@subject:id#optional_relation}

func IsContextRelatedError added in v1.1.4

func IsContextRelatedError(ctx context.Context, err error) bool

IsContextRelatedError is a legacy function maintained for backward compatibility. This function provides the same functionality as isContextError but with the original signature to maintain compatibility with existing code.

Parameters:

  • ctx: Context (unused, kept for compatibility)
  • err: The error to check

Returns:

  • bool: True if the error is context-related, false otherwise

func IsRelational added in v0.5.6

func IsRelational(en *base.EntityDefinition, permission string) bool

IsRelational determines if a given permission corresponds to a relational attribute in the provided entity definition.

Types

type BulkChecker

type BulkChecker struct {
	// contains filtered or unexported fields
}

BulkChecker handles concurrent permission checks with ordered result processing. This struct implements a high-performance bulk permission checking system that:

  • Collects permission check requests asynchronously
  • Processes them concurrently with controlled parallelism
  • Maintains strict ordering of results based on request sorting
  • Provides efficient resource management and error handling

func NewBulkChecker

func NewBulkChecker(ctx context.Context, checker invoke.Check, typ BulkCheckerType, callback func(entityID, ct string), config BulkCheckerConfig) (*BulkChecker, error)

NewBulkChecker creates a new BulkChecker instance with comprehensive validation and error handling. This constructor ensures that all dependencies are properly initialized and validates configuration parameters to prevent runtime errors.

Parameters:

  • ctx: Context for managing the lifecycle of the BulkChecker
  • checker: The permission checking engine to use for actual permission checks
  • typ: The type of bulk checking operation (entity or subject)
  • callback: Function called for each successful permission check
  • config: Configuration parameters for tuning performance and behavior

Returns:

  • *BulkChecker: The initialized BulkChecker instance
  • error: Any error that occurred during initialization

func (*BulkChecker) Close added in v1.4.1

func (bc *BulkChecker) Close() error

Close properly cleans up resources and cancels all operations. This method should be called when the BulkChecker is no longer needed to ensure proper resource cleanup and prevent goroutine leaks.

Returns:

  • error: Any error that occurred during cleanup

func (*BulkChecker) ExecuteRequests added in v1.0.2

func (bc *BulkChecker) ExecuteRequests(size uint32) error

ExecuteRequests processes requests concurrently with comprehensive error handling and resource management. This method is the main entry point for bulk permission checking. It:

  1. Stops collecting new requests
  2. Sorts all collected requests
  3. Processes them concurrently with controlled parallelism
  4. Maintains strict ordering of results
  5. Handles errors gracefully and manages resources properly

Parameters:

  • size: The maximum number of successful results to process

Returns:

  • error: Any error that occurred during processing (context cancellation is not considered an error)
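
The behaviour described above for BulkChecker and ExecuteRequests (sort, bounded concurrency, results delivered in sorted order, stop after size successes) can be sketched with the standard library alone. This is an added example, not the package's implementation: checkFunc, outcome and orderedBulkCheck are hypothetical names, the sample IDs are constructed, and aborting on the first check error is this sketch's own choice.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"sync"
)

// checkFunc is a hypothetical stand-in for the engine passed as invoke.Check.
type checkFunc func(ctx context.Context, id string) (bool, error)
type outcome struct {
	allowed bool
	err     error
}

// orderedBulkCheck sorts ids, runs at most limit checks at once and calls cb in sorted
// order for allowed ids only, up to size of them. Any check error aborts the run (fail closed).
func orderedBulkCheck(ctx context.Context, ids []string, check checkFunc, limit int, size uint32, cb func(string)) error {
	if limit <= 0 {
		return fmt.Errorf("concurrency limit must be positive, got %d", limit)
	}
	sorted := append([]string(nil), ids...) // leave the caller's slice untouched
	sort.Strings(sorted)
	ctx, cancel := context.WithCancel(ctx)
	var wg sync.WaitGroup
	defer wg.Wait() // deferred first, so it runs after cancel: no goroutine leaks
	defer cancel()
	sem := make(chan struct{}, limit)
	results := make([]chan outcome, len(sorted))
	for i, id := range sorted {
		results[i] = make(chan outcome, 1) // buffered: a worker never blocks on send
		wg.Add(1)
		go func(i int, id string) {
			defer wg.Done()
			select {
			case sem <- struct{}{}: // take one of the limit slots
				defer func() { <-sem }()
			case <-ctx.Done(): // run finished or cancelled: skip the check
				results[i] <- outcome{err: ctx.Err()}
				return
			}
			ok, err := check(ctx, id)
			results[i] <- outcome{ok, err}
		}(i, id)
	}
	for i, delivered := 0, uint32(0); i < len(sorted) && delivered < size; i++ {
		r := <-results[i] // wait for slot i even if later slots finished first
		if r.err != nil {
			return r.err
		}
		if r.allowed {
			cb(sorted[i])
			delivered++
		}
	}
	return nil
}

func main() {
	ids := []string{"doc:3", "doc:1", "doc:5", "doc:2", "doc:4"} // constructed sample input
	check := func(_ context.Context, id string) (bool, error) { return id != "doc:2", nil }
	err := orderedBulkCheck(context.Background(), ids, check, 3, 3, func(id string) { fmt.Println("allowed:", id) })
	fmt.Println("err:", err)
}
```

Because the callback only ever fires for a check that returned allowed with no error, a storage failure or a cancelled context can shorten the result list but cannot add an entry to it.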

func (*BulkChecker) StopCollectingRequests added in v1.0.2

func (bc *BulkChecker) StopCollectingRequests()

StopCollectingRequests safely stops request collection and waits for completion. This method closes the input channel and waits for the collection goroutine to finish processing any remaining requests. This ensures that no requests are lost during shutdown.

type BulkCheckerConfig added in v1.4.1

type BulkCheckerConfig struct {
	// ConcurrencyLimit defines the maximum number of concurrent permission checks
	// that can be processed simultaneously. Higher values increase throughput
	// but may consume more system resources.
	ConcurrencyLimit int
	// BufferSize defines the size of the internal request buffer.
	// This should be set based on expected request volume to avoid blocking.
	BufferSize int
}

BulkCheckerConfig holds configuration parameters for the BulkChecker. This struct allows for fine-tuning the behavior and performance characteristics of the bulk permission checking system.

func DefaultBulkCheckerConfig added in v1.4.1

func DefaultBulkCheckerConfig() BulkCheckerConfig

DefaultBulkCheckerConfig returns a sensible default configuration that balances performance and resource usage for most use cases.

type BulkCheckerRequest

type BulkCheckerRequest struct {
	// Request contains the actual permission check request
	Request *base.PermissionCheckRequest
	// Result holds a pre-computed result if available, otherwise CHECK_RESULT_UNSPECIFIED
	Result base.CheckResult
}

BulkCheckerRequest represents a permission check request with optional pre-computed result. This struct encapsulates both the permission check request and an optional pre-determined result, allowing for optimization when results are already known (e.g., from caching).

type BulkCheckerType added in v0.5.0

type BulkCheckerType string

BulkCheckerType defines the type of bulk checking operation. This enum determines how requests are sorted and processed.

const (
	// BulkCheckerTypeSubject indicates that requests should be sorted and processed by subject ID
	BulkCheckerTypeSubject BulkCheckerType = "subject"
	// BulkCheckerTypeEntity indicates that requests should be sorted and processed by entity ID
	BulkCheckerTypeEntity BulkCheckerType = "entity"
)

type BulkEntityPublisher added in v0.5.0

type BulkEntityPublisher struct {
	// contains filtered or unexported fields
}

BulkEntityPublisher handles entity-based permission check publishing. This struct provides a convenient interface for publishing entity permission check requests to a BulkChecker instance.

func NewBulkEntityPublisher added in v0.5.0

func NewBulkEntityPublisher(ctx context.Context, request *base.PermissionLookupEntityRequest, bulkChecker *BulkChecker) *BulkEntityPublisher

NewBulkEntityPublisher creates a new BulkEntityPublisher instance. This constructor initializes a publisher for entity-based permission checks.

Parameters:

  • ctx: Context for the publisher (currently unused but kept for API consistency)
  • request: The base lookup request containing common parameters
  • bulkChecker: The BulkChecker instance to publish to

Returns:

  • *BulkEntityPublisher: The initialized publisher instance

func (*BulkEntityPublisher) Publish added in v0.5.0

func (p *BulkEntityPublisher) Publish(entity *base.Entity, metadata *base.PermissionCheckRequestMetadata, context *base.Context, result base.CheckResult)

Publish sends an entity permission check request to the bulk checker. This method creates a permission check request from the provided parameters and sends it to the BulkChecker for processing. It handles context cancellation gracefully by dropping requests when the context is done.

Parameters:

  • entity: The entity to check permissions for
  • metadata: Metadata for the permission check request
  • context: Additional context for the permission check
  • result: Optional pre-computed result

type BulkSubjectPublisher added in v0.5.0

type BulkSubjectPublisher struct {
	// contains filtered or unexported fields
}

BulkSubjectPublisher handles subject-based permission check publishing. This struct provides a convenient interface for publishing subject permission check requests to a BulkChecker instance.

func NewBulkSubjectPublisher added in v0.5.0

func NewBulkSubjectPublisher(ctx context.Context, request *base.PermissionLookupSubjectRequest, bulkChecker *BulkChecker) *BulkSubjectPublisher

NewBulkSubjectPublisher creates a new BulkSubjectPublisher instance. This constructor initializes a publisher for subject-based permission checks.

Parameters:

  • ctx: Context for the publisher (currently unused but kept for API consistency)
  • request: The base lookup request containing common parameters
  • bulkChecker: The BulkChecker instance to publish to

Returns:

  • *BulkSubjectPublisher: The initialized publisher instance

func (*BulkSubjectPublisher) Publish added in v0.5.0

func (p *BulkSubjectPublisher) Publish(subject *base.Subject, metadata *base.PermissionCheckRequestMetadata, context *base.Context, result base.CheckResult)

Publish sends a subject permission check request to the bulk checker. This method creates a permission check request from the provided parameters and sends it to the BulkChecker for processing. It handles context cancellation gracefully by dropping requests when the context is done.

Parameters:

  • subject: The subject to check permissions for
  • metadata: Metadata for the permission check request
  • context: Additional context for the permission check
  • result: Optional pre-computed result

type CheckCombiner

type CheckCombiner func(ctx context.Context, functions []CheckFunction, limit int) (*base.PermissionCheckResponse, error)

CheckCombiner is a type that represents a function which takes a context, a slice of CheckFunctions, and a limit. It combines the results of multiple CheckFunctions according to a specific strategy and returns a PermissionCheckResponse along with an error.

type CheckEngine

type CheckEngine struct {
	// contains filtered or unexported fields
}

CheckEngine is a core component responsible for performing permission checks. It reads schema and relationship information, and uses the engine key manager to validate permission requests.

func NewCheckEngine

func NewCheckEngine(sr storage.SchemaReader, rr storage.DataReader, opts ...CheckOption) *CheckEngine

NewCheckEngine creates a new CheckEngine instance for performing permission checks. It takes a schema reader (sr) and a data reader (rr) as parameters. Additionally, it allows for optional configuration through CheckOption function arguments.

func (*CheckEngine) Check added in v0.4.0

func (engine *CheckEngine) Check(ctx context.Context, request *base.PermissionCheckRequest) (response *base.PermissionCheckResponse, err error)

Check executes a permission check based on the provided request. The permission field in the request can be either a relation or a permission. This function performs various checks and returns the permission check response along with any errors that may have occurred.

func (*CheckEngine) SetInvoker added in v0.4.0

func (engine *CheckEngine) SetInvoker(invoker invoke.Check)

SetInvoker sets the delegate for the CheckEngine.

type CheckFunction

type CheckFunction func(ctx context.Context) (*base.PermissionCheckResponse, error)

CheckFunction is a type that represents a function that takes a context and returns a PermissionCheckResponse along with an error. It is used to perform individual permission checks within the CheckEngine.

type CheckOption

type CheckOption func(engine *CheckEngine)

CheckOption - a functional option type for configuring the CheckEngine.

func CheckConcurrencyLimit

func CheckConcurrencyLimit(limit int) CheckOption

CheckConcurrencyLimit - a functional option that sets the concurrency limit for the CheckEngine.

type CheckResponse

type CheckResponse struct {
	// contains filtered or unexported fields
}

CheckResponse - a struct that holds a PermissionCheckResponse and an error for a single check function.

type EntityFilter added in v1.1.0

type EntityFilter struct {
	// contains filtered or unexported fields
}

EntityFilter is a struct that performs permission checks on a set of entities.

func NewEntityFilter added in v1.1.0

func NewEntityFilter(dataReader storage.DataReader, sch *base.SchemaDefinition) *EntityFilter

NewEntityFilter creates a new EntityFilter engine.

func (*EntityFilter) EntityFilter added in v1.1.0

func (engine *EntityFilter) EntityFilter(
	ctx context.Context,
	request *base.PermissionEntityFilterRequest,
	visits *VisitsMap,
	publisher *BulkEntityPublisher,
) (err error)

EntityFilter is a method of the EntityFilter struct. It executes a permission request for linked entities.

type ExpandCombiner

type ExpandCombiner func(ctx context.Context, entity *base.Entity, permission string, arguments []*base.Argument, functions []ExpandFunction) ExpandResponse

ExpandCombiner represents a function that combines the results of multiple ExpandFunction calls into a single ExpandResponse.

type ExpandEngine

type ExpandEngine struct {
	// contains filtered or unexported fields
}

ExpandEngine is used to expand permission scopes based on a given user ID and a set of permission requirements. It contains two fields: schemaReader, which is a storage.SchemaReader object, and relationshipReader, which is a storage.RelationshipReader object.

func NewExpandEngine

func NewExpandEngine(sr storage.SchemaReader, rr storage.DataReader) *ExpandEngine

NewExpandEngine creates a new instance of ExpandEngine from a schema reader (sr) and a data reader (rr) and returns a pointer to the created instance. The schema reader is used to read schema definitions, while the data reader is used to read relationship definitions.

func (*ExpandEngine) Expand added in v0.4.0

func (engine *ExpandEngine) Expand(ctx context.Context, request *base.PermissionExpandRequest) (response *base.PermissionExpandResponse, err error)

Expand is the run function of the ExpandEngine type. It takes a context and a PermissionExpandRequest, and returns a PermissionExpandResponse and an error. The function begins by starting a new OpenTelemetry span named "permissions.expand.execute". It then checks whether a snap token and schema version are included in the request. If not, it retrieves the head snapshot and head schema version, respectively, from the appropriate repository.

Finally, the function calls the expand function of the ExpandEngine type with the context, the PermissionExpandRequest, and the value false, and returns the resulting PermissionExpandResponse and error. If there is an error, the span records the error and sets its status to indicate an error.

type ExpandFunction

type ExpandFunction func(ctx context.Context, expandChain chan<- ExpandResponse)

ExpandFunction represents a function that expands the schema and relationships of a request and sends the response through the provided channel.

type ExpandResponse

type ExpandResponse struct {
	Response *base.PermissionExpandResponse
	Err      error
}

ExpandResponse is a struct that contains the response and error returned from the expand function in the ExpandEngine. It is used to return the response and error together as a single object.

type LookupEngine added in v0.5.0

type LookupEngine struct {
	// contains filtered or unexported fields
}

func NewLookupEngine added in v0.5.0

func NewLookupEngine(
	check invoke.Check,
	schemaReader storage.SchemaReader,
	dataReader storage.DataReader,
	opts ...LookupOption,
) *LookupEngine

func (*LookupEngine) LookupEntity added in v0.5.0

func (engine *LookupEngine) LookupEntity(ctx context.Context, request *base.PermissionLookupEntityRequest) (response *base.PermissionLookupEntityResponse, err error)

LookupEntity performs a permission check on a set of entities and returns a response containing the IDs of the entities that have the requested permission.

func (*LookupEngine) LookupEntityStream added in v0.5.0

func (engine *LookupEngine) LookupEntityStream(ctx context.Context, request *base.PermissionLookupEntityRequest, server base.Permission_LookupEntityStreamServer) (err error)

LookupEntityStream performs a permission check on a set of entities and streams the results containing the IDs of the entities that have the requested permission.

func (*LookupEngine) LookupSubject added in v0.5.0

func (engine *LookupEngine) LookupSubject(ctx context.Context, request *base.PermissionLookupSubjectRequest) (response *base.PermissionLookupSubjectResponse, err error)

LookupSubject checks if a subject has a particular permission based on the schema and version. It returns a list of subjects that have the given permission.

type LookupOption added in v0.5.0

type LookupOption func(engine *LookupEngine)

func LookupConcurrencyLimit added in v0.5.0

func LookupConcurrencyLimit(limit int) LookupOption

type SubjectFilter added in v1.1.4

type SubjectFilter struct {
	// contains filtered or unexported fields
}

func NewSubjectFilter added in v1.1.4

func NewSubjectFilter(schemaReader storage.SchemaReader, dataReader storage.DataReader, opts ...SubjectFilterOption) *SubjectFilter

func (*SubjectFilter) SubjectFilter added in v1.1.4

func (engine *SubjectFilter) SubjectFilter(ctx context.Context, request *base.PermissionLookupSubjectRequest) (response []string, err error)

SubjectFilter is a method of the SubjectFilter struct. It takes a context and a pointer to a PermissionLookupSubjectRequest and returns a slice of strings and an error.

type SubjectFilterCombiner added in v0.5.0

type SubjectFilterCombiner func(ctx context.Context, functions []SubjectFilterFunction, limit int) ([]string, error)

SubjectFilterCombiner defines the type for a function that takes a context, a slice of SubjectFilterFunctions, and an integer limit, and returns a slice of strings and an error. This type is useful when you want to define a function that can execute multiple SubjectFilterFunctions in a specific way (like concurrently with a limit or sequentially) and combine their results into a single result.

type SubjectFilterFunction added in v0.5.0

type SubjectFilterFunction func(ctx context.Context) ([]string, error)

SubjectFilterFunction defines the type for a function that takes a context and returns a slice of strings and an error. This type is often used when you want to pass around functions with this specific signature.

type SubjectFilterOption added in v1.1.4

type SubjectFilterOption func(engine *SubjectFilter)

SubjectFilterOption - a functional option type for configuring the SubjectFilter engine.

func SubjectFilterConcurrencyLimit added in v1.1.4

func SubjectFilterConcurrencyLimit(limit int) SubjectFilterOption

SubjectFilterConcurrencyLimit - a functional option that sets the concurrency limit for the SubjectFilter engine.

type SubjectFilterResponse added in v0.5.0

type SubjectFilterResponse struct {
	// contains filtered or unexported fields
}

SubjectFilterResponse -

type SubjectPermissionEngine added in v0.4.7

type SubjectPermissionEngine struct {
	// contains filtered or unexported fields
}

func NewSubjectPermission added in v0.4.7

func NewSubjectPermission(checker invoke.Check, sr storage.SchemaReader, opts ...SubjectPermissionOption) *SubjectPermissionEngine

func (*SubjectPermissionEngine) SubjectPermission added in v0.4.7

SubjectPermission is a method on the SubjectPermissionEngine struct. It checks permissions for a given subject based on the supplied request and context.

type SubjectPermissionOption added in v0.4.7

type SubjectPermissionOption func(engine *SubjectPermissionEngine)

SubjectPermissionOption - a functional option type for configuring the SubjectPermissionEngine.

func SubjectPermissionConcurrencyLimit added in v0.4.7

func SubjectPermissionConcurrencyLimit(limit int) SubjectPermissionOption

SubjectPermissionConcurrencyLimit - a functional option that sets the concurrency limit for the SubjectPermissionEngine.

type SubjectPermissionResponse added in v0.4.7

type SubjectPermissionResponse struct {
	// contains filtered or unexported fields
}

SubjectPermissionResponse - a struct that holds a SubjectPermissionResponse and an error for a single subject permission check result.

type VisitsMap added in v1.1.0

type VisitsMap struct {
	// contains filtered or unexported fields
}

VisitsMap - a thread-safe map of ENR records.

func (*VisitsMap) AddEA added in v1.1.4

func (s *VisitsMap) AddEA(entityType, attribute string) bool

func (*VisitsMap) AddER added in v1.1.0

func (s *VisitsMap) AddER(entity *base.Entity, relation string) bool

func (*VisitsMap) AddPublished added in v1.1.0

func (s *VisitsMap) AddPublished(entity *base.Entity) bool
