Documentation
¶
Overview ¶
Package openfga provides an OpenFGA-based Authorizer implementation for security/authz. The concrete Authorizer type satisfies three interfaces:
- authz.Authorizer (single Check)
- batch.BatchAuthorizer (BatchCheck in one round-trip)
- lister.Lister (ListAllowed — enumerate accessible resources)
Use NewAuthorizer to create an instance and pass it to authz.Server().
Index ¶
- Constants
- func InvalidateCheck(ctx context.Context, rdb *redis.Client, ...)
- func InvalidateListObjects(ctx context.Context, rdb *redis.Client, user, relation, objectType string)
- type Authorizer
- type AuthorizerOption
- type BatchCheckItem
- type BatchCheckResult
- type Client
- func (c *Client) BatchCheck(ctx context.Context, reqs []BatchCheckItem) ([]BatchCheckResult, error)
- func (c *Client) CachedCheck(ctx context.Context, rdb *redis.Client, ttl time.Duration, ...) (allowed bool, cacheHit bool, err error)
- func (c *Client) CachedListObjects(ctx context.Context, rdb *redis.Client, ttl time.Duration, ...) ([]string, error)
- func (c *Client) Check(ctx context.Context, user, relation, objectType, objectID string) (bool, error)
- func (c *Client) DeleteTuples(ctx context.Context, tuples ...Tuple) error
- func (c *Client) EnsureTuples(ctx context.Context, tuples ...Tuple) error
- func (c *Client) InvalidateForTuples(ctx context.Context, rdb *redis.Client, tuples []Tuple)
- func (c *Client) ListObjects(ctx context.Context, user, relation, objectType string) ([]string, error)
- func (c *Client) TupleExists(ctx context.Context, t Tuple) (bool, error)
- func (c *Client) WriteTuples(ctx context.Context, tuples ...Tuple) error
- type ClientOption
- type Tuple
Constants ¶
const ( DefaultCheckCacheTTL = 60 * time.Second DefaultListCacheTTL = 10 * time.Minute )
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Authorizer ¶
type Authorizer struct {
// contains filtered or unexported fields
}
Authorizer is an OpenFGA-based authorization engine. It optionally caches results in Redis via the WithRedisCache option.
func NewAuthorizer ¶
func NewAuthorizer(fgaClient *Client, opts ...AuthorizerOption) *Authorizer
NewAuthorizer creates an OpenFGA-backed Authorizer. The fgaClient must not be nil; pass WithRedisCache to enable result caching.
The returned value satisfies authz.Authorizer. Callers that need BatchCheck or ListAllowed can type-assert to batch.BatchAuthorizer or lister.Lister.
func (*Authorizer) BatchCheck ¶ added in v0.4.0
func (a *Authorizer) BatchCheck(ctx context.Context, reqs []authz.CheckRequest) ([]bool, error)
BatchCheck implements batch.BatchAuthorizer. It runs N checks in one OpenFGA call. Cache is intentionally NOT consulted — N Redis lookups would negate the batching win. Output order matches input order.
func (*Authorizer) Check ¶ added in v0.4.0
func (a *Authorizer) Check(ctx context.Context, req authz.CheckRequest) (bool, error)
Check implements authz.Authorizer. It maps CheckRequest fields to OpenFGA tuple format: Subject → User, Action → Relation, ResourceType:ResourceID → Object.
func (*Authorizer) ListAllowed ¶ added in v0.4.0
func (a *Authorizer) ListAllowed(ctx context.Context, subject, action, resourceType string) ([]string, error)
ListAllowed implements lister.Lister. It returns IDs of resources (of resourceType) the subject has the given action on.
type AuthorizerOption ¶ added in v0.5.0
type AuthorizerOption func(*Authorizer)
AuthorizerOption configures the OpenFGA Authorizer.
func WithRedisCache ¶
func WithRedisCache(rdb *redis.Client, ttl time.Duration) AuthorizerOption
WithRedisCache enables Redis caching of authorization check results. Results are stored for the given TTL. Pass nil redis client to disable caching.
type BatchCheckItem ¶ added in v0.5.0
BatchCheckItem is one element in a BatchCheck request. It mirrors fgaclient.ClientBatchCheckItem but is part of our stable API.
type BatchCheckResult ¶ added in v0.5.0
BatchCheckResult is the per-item outcome from BatchCheck. Order matches the input slice index.
type Client ¶ added in v0.5.0
type Client struct {
// contains filtered or unexported fields
}
Client wraps the OpenFGA SDK client with caching and framework integration.
func NewClient ¶ added in v0.5.0
func NewClient(cfg *openfgaconfpb.Config, opts ...ClientOption) (*Client, error)
NewClient creates a new OpenFGA client from the given configuration.
func (*Client) BatchCheck ¶ added in v0.5.0
func (c *Client) BatchCheck(ctx context.Context, reqs []BatchCheckItem) ([]BatchCheckResult, error)
BatchCheck runs N checks in one OpenFGA call. Output order matches input order. Returns a top-level error only if the whole call fails; per-item errors land in BatchCheckResult.Err for that item.
func (*Client) CachedCheck ¶ added in v0.5.0
func (c *Client) CachedCheck(ctx context.Context, rdb *redis.Client, ttl time.Duration, user, relation, objectType, objectID string) (allowed bool, cacheHit bool, err error)
CachedCheck is like Check but caches results in Redis. If the Redis client is nil the call degrades to a plain Check. The second return value indicates whether the result was served from cache.
func (*Client) CachedListObjects ¶ added in v0.5.0
func (c *Client) CachedListObjects(ctx context.Context, rdb *redis.Client, ttl time.Duration, user, relation, objectType string) ([]string, error)
CachedListObjects is like ListObjects but caches the full ID list in Redis. Subsequent calls within the TTL window return the cached result, avoiding repeated OpenFGA round-trips. Returns all IDs; the caller is responsible for pagination.
func (*Client) Check ¶ added in v0.5.0
func (c *Client) Check(ctx context.Context, user, relation, objectType, objectID string) (bool, error)
Check returns whether the given principal (e.g. "user:uuid") has the specified relation on objectType:objectID.
func (*Client) DeleteTuples ¶ added in v0.5.0
DeleteTuples deletes one or more relationship tuples atomically. Audit of tuple changes is handled by the annotation-based audit system or business code using auditor.Emit directly.
func (*Client) EnsureTuples ¶ added in v0.5.0
EnsureTuples writes each tuple only if it does not already exist. It is safe to call repeatedly (idempotent) and does not rely on error message text matching.
func (*Client) InvalidateForTuples ¶ added in v0.5.0
InvalidateForTuples invalidates all cached Check and ListObjects entries that could be affected by the given tuples. This should be called after WriteTuples or DeleteTuples to keep the cache consistent.
For each tuple it invalidates:
- The exact Check cache entry (user + relation + object)
- The ListObjects cache for the user on the object's type with the tuple's relation
- Additional computed relations as configured via WithComputedRelations
func (*Client) ListObjects ¶ added in v0.5.0
func (c *Client) ListObjects(ctx context.Context, user, relation, objectType string) ([]string, error)
ListObjects returns the IDs of objects of the given type that the principal (e.g. "user:uuid") has the specified relation to. The returned strings are bare IDs (i.e. the "type:" prefix is stripped).
func (*Client) TupleExists ¶ added in v0.5.0
TupleExists reports whether the exact tuple already exists in the store.
type ClientOption ¶ added in v0.5.0
type ClientOption func(*clientOptions)
ClientOption configures optional Client behaviour.
func WithComputedRelations ¶ added in v0.5.0
func WithComputedRelations(m map[string][]string) ClientOption
WithComputedRelations provides a mapping from object-type to computed relations used for cache invalidation. When a tuple with a given object-type is written/deleted, all listed relations are also invalidated.
Source Files