access

package
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 8, 2026 License: MIT Imports: 8 Imported by: 0

Documentation

Overview

Package access provides server-side authz/audit middleware built on accessx.

The middleware supports two levels of skip control:

  1. SkipPolicyResolver — checked before the main Resolver. When the policy is SkipAll, Guard.Require records audit and then the request passes through without authn/authz. When the policy is SkipAuthz, the policy is applied to the Check before calling Guard.Require (which skips the SpiceDB check but keeps authn + audit).

  2. Resolver — the standard operation-to-Check mapper. If it returns required=false, the request passes through. Otherwise, Guard.Require enforces the full authn + authz + audit pipeline.

The SkipPolicyResolver is typically created from accessx.NewSkipPolicyResolver using the service's security.access configuration, allowing operators to configure skip policies without code changes.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Server

func Server(guard accessx.Guard, opts ...Option) middleware.Middleware

Server enforces authz and records audit through accessx.Guard. It fills common audit fields such as principal, request_id, trace_id, tenant_id, client_ip and user_agent from contextx and transport headers.

The middleware checks skip policies in this order:

  1. SkipAll from SkipPolicyResolver passes through as public.
  2. SkipAuthz from SkipPolicyResolver authenticates and audits through Guard.
  3. Resolver checks are enriched and enforced through Guard.
  4. Resolver required=false passes through.

Types

type Option

type Option func(*options)

Option configures Server.

func WithResolver

func WithResolver(resolver Resolver) Option

WithResolver configures the operation-to-resource resolver.

func WithSkipPolicyResolver added in v0.2.4

func WithSkipPolicyResolver(resolver SkipPolicyResolver) Option

WithSkipPolicyResolver configures config-driven access shortcuts. Public endpoints use SkipAll. Self/bootstrap/internal endpoints usually use SkipAuthz so they still require authentication and generate audit records.

type Resolver

type Resolver func(ctx context.Context, operation string, req any) (accessx.Check, bool, error)

Resolver maps a transport operation and protobuf request into an accessx check. The bool return reports whether the operation requires a check.

type SkipPolicyResolver added in v0.2.4

type SkipPolicyResolver func(operation string) accessx.SkipPolicy

SkipPolicyResolver returns an accessx.SkipPolicy for a given operation. When the policy is SkipAll, the middleware records audit and skips both authn and authz. When the policy is SkipAuthz, the middleware still calls Guard.Require with a synthetic check so authentication and audit stay active.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL