Overview ¶
Package authorization provides authorization utilities.
Index ¶
- func ApplyScope(filters map[string]any, scope Scope) map[string]any
- func MaskFields(input map[string]any, denied []string) map[string]any
- func ProjectFields(input map[string]any, allowed []string) map[string]any
- func Require(ctx context.Context, auth ports.Authorizer, subject any, action string, ...) error
- func RequireOwner(subjectID string, resource Owner) error
- func RequireOwnerID(subjectID, ownerID string) error
- func RequireTenant(tenantID string, resource TenantOwned) error
- func TenantIDFromContext(ctx context.Context) (string, bool)
- func WithScope(ctx context.Context, scope Scope) context.Context
- type AllowlistAuthorizer
- func (a *AllowlistAuthorizer) Allow(action string, auth ports.Authorizer) error
- func (a *AllowlistAuthorizer) AllowAny(action string) error
- func (a *AllowlistAuthorizer) AllowFunc(action string, fn ports.AuthorizerFunc) error
- func (a *AllowlistAuthorizer) Can(ctx context.Context, subject any, action string, resource any) error
- type Owner
- type PolicyAuthorizer
- type PolicyAuthorizerOptions
- type PolicyContextProvider
- type Scope
- type TenantOwned
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyScope ¶
ApplyScope merges scope filters into an existing filter map.
func MaskFields ¶
MaskFields returns a new map without the denied keys.
func ProjectFields ¶
ProjectFields returns a new map with only the allowed keys.
func Require ¶
func Require(ctx context.Context, auth ports.Authorizer, subject any, action string, resource any) error
Require delegates the decision to the provided authorizer and returns an error when no authorizer is supplied, so a missing authorizer never results in an implicit allow.
func RequireOwner ¶
RequireOwner enforces ownership using an Owner interface.
func RequireOwnerID ¶
RequireOwnerID enforces resource ownership by comparing the subject's identifier with the resource owner's identifier, guarding against BOLA (Broken Object Level Authorization).
func RequireTenant ¶
func RequireTenant(tenantID string, resource TenantOwned) error
RequireTenant enforces tenant scoping by checking that the resource's TenantID matches the given tenantID.
func TenantIDFromContext ¶
TenantIDFromContext returns the tenant identifier from context scope.
Types ¶
type AllowlistAuthorizer ¶
type AllowlistAuthorizer struct {
// contains filtered or unexported fields
}
AllowlistAuthorizer enforces explicit allow rules per action. An action with no registered rule is denied (default-deny).
func NewAllowlistAuthorizer ¶
func NewAllowlistAuthorizer() *AllowlistAuthorizer
NewAllowlistAuthorizer creates an allowlist-based authorizer.
func (*AllowlistAuthorizer) Allow ¶
func (a *AllowlistAuthorizer) Allow(action string, auth ports.Authorizer) error
Allow registers an authorizer for a specific action.
func (*AllowlistAuthorizer) AllowAny ¶
func (a *AllowlistAuthorizer) AllowAny(action string) error
AllowAny permits the specified action without additional checks.
func (*AllowlistAuthorizer) AllowFunc ¶
func (a *AllowlistAuthorizer) AllowFunc(action string, fn ports.AuthorizerFunc) error
AllowFunc registers an authorizer function for a specific action.
type Owner ¶
type Owner interface {
OwnerID() string
}
Owner exposes ownership information for BOLA checks.
type PolicyAuthorizer ¶
type PolicyAuthorizer struct {
// contains filtered or unexported fields
}
PolicyAuthorizer adapts a policy engine to the Authorizer interface.
func NewPolicyAuthorizer ¶
func NewPolicyAuthorizer(engine ports.PolicyEngine, opts PolicyAuthorizerOptions) *PolicyAuthorizer
NewPolicyAuthorizer creates an authorizer backed by a policy engine.
type PolicyAuthorizerOptions ¶
type PolicyAuthorizerOptions struct {
ContextProvider PolicyContextProvider
DenyOnError bool
}
PolicyAuthorizerOptions configures a policy-backed authorizer.
type PolicyContextProvider ¶
PolicyContextProvider supplies contextual attributes for policy evaluation.
type Scope ¶
Scope captures tenant/user scoping hints for repositories.
func ScopeFromContext ¶
ScopeFromContext retrieves the authorization scope from context.
type TenantOwned ¶
type TenantOwned interface {
TenantID() string
}
TenantOwned exposes tenant ownership for scoping checks.