Documentation
¶
Overview ¶
Package access provides server-side authz/audit middleware built on accessx.
The middleware supports two levels of skip control:
SkipPolicyResolver — checked before the main Resolver. When the policy is SkipAll, Guard.Require records audit and then the request passes through without authn/authz. When the policy is SkipAuthz, the policy is applied to the Check before calling Guard.Require (which skips the SpiceDB check but keeps authn + audit).
Resolver — the standard operation-to-Check mapper. If it returns required=false, the request passes through. Otherwise, Guard.Require enforces the full authn + authz + audit pipeline.
The SkipPolicyResolver is typically created from accessx.NewSkipPolicyResolver using the service's security.access configuration, allowing operators to configure skip policies without code changes.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Server ¶
func Server(guard accessx.Guard, opts ...Option) middleware.Middleware
Server enforces authz and records audit through accessx.Guard. It fills common audit fields such as principal, request_id, trace_id, tenant_id, client_ip and user_agent from contextx and transport headers.
The middleware checks skip policies in this order:
- SkipAll from SkipPolicyResolver passes through as public.
- SkipAuthz from SkipPolicyResolver authenticates and audits through Guard.
- Resolver checks are enriched and enforced through Guard.
- Resolver required=false passes through.
Types ¶
type Option ¶
type Option func(*options)
Option configures Server.
func WithResolver ¶
WithResolver configures the operation-to-resource resolver.
func WithSkipPolicyResolver ¶ added in v0.2.4
func WithSkipPolicyResolver(resolver SkipPolicyResolver) Option
WithSkipPolicyResolver configures config-driven access shortcuts. Public endpoints use SkipAll. Self/bootstrap/internal endpoints usually use SkipAuthz so they still require authentication and generate audit records.
type Resolver ¶
Resolver maps a transport operation and protobuf request into an accessx check. The bool return reports whether the operation requires a check.
type SkipPolicyResolver ¶ added in v0.2.4
type SkipPolicyResolver func(operation string) accessx.SkipPolicy
SkipPolicyResolver returns an accessx.SkipPolicy for a given operation. When the policy is SkipAll, the middleware records audit and skips both authn and authz. When the policy is SkipAuthz, the middleware still calls Guard.Require with a synthetic check so authentication and audit stay active.