openfga

package

v0.1.2 Latest Latest Go to latest Published: Mar 25, 2026 License: MIT Imports: 11 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/Servora-Kit/servora

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func InvalidateCheck(ctx context.Context, rdb *redis.Client, ...)
func InvalidateListObjects(ctx context.Context, rdb *redis.Client, user, relation, objectType string)
type Client
- func NewClient(cfg *conf.App_OpenFGA, opts ...ClientOption) (*Client, error)
- func NewClientOptional(cfg *conf.App, l logger.Logger, opts ...ClientOption) *Client
type ClientOption
- func WithAuditRecorder(r *audit.Recorder) ClientOption
- func WithComputedRelations(m map[string][]string) ClientOption
type Tuple

Constants ¶

View Source

const (
	DefaultCheckCacheTTL = 60 * time.Second
	DefaultListCacheTTL  = 10 * time.Minute
)

Variables ¶

This section is empty.

Functions ¶

func InvalidateCheck ¶

func InvalidateCheck(ctx context.Context, rdb *redis.Client, user, relation, objectType, objectID string)

InvalidateCheck removes a cached Check result.

func InvalidateListObjects ¶

func InvalidateListObjects(ctx context.Context, rdb *redis.Client, user, relation, objectType string)

InvalidateListObjects removes a cached ListObjects result.

Types ¶

type Client ¶

type Client struct {
	// contains filtered or unexported fields
}

Client wraps the OpenFGA SDK client with caching, audit, and framework integration.

func NewClient ¶

func NewClient(cfg *conf.App_OpenFGA, opts ...ClientOption) (*Client, error)

NewClient creates a new OpenFGA client from the given configuration.

func NewClientOptional ¶

func NewClientOptional(cfg *conf.App, l logger.Logger, opts ...ClientOption) *Client

NewClientOptional creates an OpenFGA client when the app configuration contains valid OpenFGA settings, returning nil (instead of an error) when the component is not configured or initialisation fails. This allows services to start without OpenFGA for local development or environments where authorisation is not required.

func (*Client) CachedCheck ¶

func (c *Client) CachedCheck(ctx context.Context, rdb *redis.Client, ttl time.Duration,
	user, relation, objectType, objectID string) (allowed bool, cacheHit bool, err error)

CachedCheck is like Check but caches results in Redis. If the Redis client is nil the call degrades to a plain Check. The second return value indicates whether the result was served from cache.

func (*Client) CachedListObjects ¶

func (c *Client) CachedListObjects(ctx context.Context, rdb *redis.Client, ttl time.Duration,
	user, relation, objectType string) ([]string, error)

CachedListObjects is like ListObjects but caches the full ID list in Redis. Subsequent calls within the TTL window return the cached result, avoiding repeated OpenFGA round-trips. Returns all IDs; the caller is responsible for pagination.

func (*Client) Check ¶

func (c *Client) Check(ctx context.Context, user, relation, objectType, objectID string) (bool, error)

Check returns whether the given principal (e.g. "user:uuid") has the specified relation on objectType:objectID.

func (*Client) DeleteTuples ¶

func (c *Client) DeleteTuples(ctx context.Context, tuples ...Tuple) error

DeleteTuples deletes one or more relationship tuples atomically and emits an audit event on success when a recorder is configured.

func (*Client) EnsureTuples ¶

func (c *Client) EnsureTuples(ctx context.Context, tuples ...Tuple) error

EnsureTuples writes each tuple only if it does not already exist. It is safe to call repeatedly (idempotent) and does not rely on error message text matching.

func (*Client) InvalidateForTuples ¶

func (c *Client) InvalidateForTuples(ctx context.Context, rdb *redis.Client, tuples []Tuple)

InvalidateForTuples invalidates all cached Check and ListObjects entries that could be affected by the given tuples. This should be called after WriteTuples or DeleteTuples to keep the cache consistent.

For each tuple it invalidates:

The exact Check cache entry (user + relation + object)
The ListObjects cache for the user on the object's type with the tuple's relation
Additional computed relations as configured via WithComputedRelations

func (*Client) ListObjects ¶

func (c *Client) ListObjects(ctx context.Context, user, relation, objectType string) ([]string, error)

ListObjects returns the IDs of objects of the given type that the principal (e.g. "user:uuid") has the specified relation to. The returned strings are bare IDs (i.e. the "type:" prefix is stripped).

func (*Client) TupleExists ¶

func (c *Client) TupleExists(ctx context.Context, t Tuple) (bool, error)

TupleExists reports whether the exact tuple already exists in the store.

func (*Client) WriteTuples ¶

func (c *Client) WriteTuples(ctx context.Context, tuples ...Tuple) error

WriteTuples writes one or more relationship tuples atomically and emits an audit event on success when a recorder is configured.

type ClientOption ¶

type ClientOption func(*clientOptions)

ClientOption configures optional Client behaviour.

func WithAuditRecorder ¶

func WithAuditRecorder(r *audit.Recorder) ClientOption

WithAuditRecorder injects an audit recorder for tuple-change and check events. Passing nil is safe and disables audit emission.

func WithComputedRelations ¶

func WithComputedRelations(m map[string][]string) ClientOption

WithComputedRelations provides a mapping from object-type to computed relations used for cache invalidation. When a tuple with a given object-type is written/deleted, all listed relations are also invalidated.

type Tuple ¶

type Tuple struct {
	User     string // e.g. "user:uuid" or "organization:uuid"
	Relation string // e.g. "owner", "admin", "tenant"
	Object   string // e.g. "organization:uuid", "project:uuid"
}

Tuple represents a single OpenFGA relationship tuple.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL