iam

package

v0.2.1 Latest Latest Go to latest Published: Mar 26, 2026 License: BSD-2-Clause Imports: 11 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/bborbe/cqrs

Links

Open Source Insights

Documentation ¶

Overview ¶

Package iam provides generic Identity and Access Management (IAM) types for CQRS systems.

The IAM package defines the core RBAC (Role-Based Access Control) model:

Initiators represent entities (users/services) that can perform actions
Permissions define specific actions that can be performed
Roles group permissions together for easier management
RoleBindings associate roles with initiators

This package contains only generic types and interfaces. Concrete permission values, roles, role bindings, and initiators are defined by the consuming application.

Usage ¶

Services use the permission checker to validate access:

permissionCheck := iam.PermissionCheckFunc(func(ctx context.Context, tx kv.Tx, initiator iam.Initiator) error {
	// check permissions
	return nil
})
if err := permissionChecker.Check(ctx, tx, initiator, permissionCheck); err != nil {
	return errors.Wrapf(ctx, err, "permission denied")
}

Index ¶

Variables
type Initiator
- func (i Initiator) Bytes() []byte
- func (i Initiator) String() string
- func (i Initiator) Validate(ctx context.Context) error
type Initiators
- func ParseInitiators(values []string) Initiators
- func ParseInitiatorsFromString(value string) Initiators
- func (i Initiators) Contains(initiator Initiator) bool
- func (i Initiators) Strings() []string
- func (i Initiators) Validate(ctx context.Context) error
type Permission
- func (p Permission) String() string
- func (p Permission) Validate(ctx context.Context) error
type PermissionCheck
type PermissionCheckAll
- func (p PermissionCheckAll) Check(ctx context.Context, tx libkv.Tx, initiator Initiator) error
type PermissionCheckAny
- func (p PermissionCheckAny) Check(ctx context.Context, tx libkv.Tx, initiator Initiator) error
type PermissionCheckFunc
- func (p PermissionCheckFunc) Check(ctx context.Context, tx libkv.Tx, initiator Initiator) error
type PermissionChecker
- func NewPermissionChecker(sentryClient libsentry.Client, metrics PermissionCheckerMetrics) PermissionChecker
type PermissionCheckerMetrics
- func NewPermissionCheckerMetrics() PermissionCheckerMetrics
type Permissions
- func (r Permissions) Contains(permission Permission) bool
- func (r Permissions) ContainsAll(permissions ...Permission) bool
- func (r Permissions) ContainsAny(permissions ...Permission) bool
- func (r Permissions) ExpectAllPermissions(ctx context.Context, permissons ...Permission) error
- func (r Permissions) ExpectAnyPermissions(ctx context.Context, permissons ...Permission) error
- func (r Permissions) ExpectPermission(ctx context.Context, permisson Permission) error
- func (r Permissions) Validate(ctx context.Context) error
type Role
- func NewRole(name RoleName, permissions ...Permission) Role
- func (r Role) Validate(ctx context.Context) error
type RoleBinding
- func NewRoleBinding(role Role, initiators ...Initiator) RoleBinding
type RoleBindings
- func (r RoleBindings) FindByInitiator(initiator Initiator) RoleBindings
- func (r RoleBindings) Roles() Roles
type RoleName
- func (r RoleName) String() string
- func (r RoleName) Validate(ctx context.Context) error
type RoleNames
- func (r RoleNames) Contains(role RoleName) bool
type Roles
- func (r Roles) Contains(role Role) bool
- func (r Roles) Permissions() Permissions
- func (r Roles) RoleNames() RoleNames
- func (r Roles) Validate(ctx context.Context) error

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrPermissionDenied = stderrors.New("permission denied")

ErrPermissionDenied is returned when an initiator lacks required permissions.

View Source

var PermissionDeniedError = ErrPermissionDenied //nolint:errname

Deprecated: Use ErrPermissionDenied instead.

Functions ¶

This section is empty.

Types ¶

type Initiator ¶

type Initiator string

Initiator is a username or servicename who init a command.

func (Initiator) Bytes ¶

func (i Initiator) Bytes() []byte

Bytes returns the byte representation of the initiator.

func (Initiator) String ¶

func (i Initiator) String() string

String returns the string representation of the initiator.

func (Initiator) Validate ¶

func (i Initiator) Validate(ctx context.Context) error

Validate checks if the initiator is non-empty.

type Initiators ¶

type Initiators []Initiator

Initiators represents a collection of initiator identities with lookup operations.

func ParseInitiators ¶

func ParseInitiators(values []string) Initiators

ParseInitiators converts a slice of strings into a slice of Initiators.

func ParseInitiatorsFromString ¶

func ParseInitiatorsFromString(value string) Initiators

ParseInitiatorsFromString converts a comma-separated string into a slice of Initiators.

func (Initiators) Contains ¶

func (i Initiators) Contains(initiator Initiator) bool

Contains returns true if the initiator exists in the collection.

func (Initiators) Strings ¶

func (i Initiators) Strings() []string

Strings returns the string representation of all initiators.

func (Initiators) Validate ¶

func (i Initiators) Validate(ctx context.Context) error

Validate checks if all initiators in the collection are valid.

type Permission ¶

type Permission string

Permission represents a specific action that can be performed in the IAM system.

func (Permission) String ¶

func (p Permission) String() string

String returns the string representation of the permission.

func (Permission) Validate ¶

func (p Permission) Validate(ctx context.Context) error

Validate checks if the permission is non-empty.

type PermissionCheck ¶

type PermissionCheck interface {
	Check(ctx context.Context, tx libkv.Tx, initiator Initiator) error
}

PermissionCheck defines the interface for validating initiator permissions.

type PermissionCheckAll ¶

type PermissionCheckAll []PermissionCheck

PermissionCheckAll requires all permission checks to pass (AND logic).

func (PermissionCheckAll) Check ¶

func (p PermissionCheckAll) Check(ctx context.Context, tx libkv.Tx, initiator Initiator) error

Check returns nil only if all permission checks pass, or the first error encountered.

type PermissionCheckAny ¶

type PermissionCheckAny []PermissionCheck

PermissionCheckAny requires at least one permission check to pass (OR logic).

func (PermissionCheckAny) Check ¶

func (p PermissionCheckAny) Check(ctx context.Context, tx libkv.Tx, initiator Initiator) error

Check returns nil if any permission check passes, or an error if all fail.

type PermissionCheckFunc ¶

type PermissionCheckFunc func(ctx context.Context, tx libkv.Tx, initiator Initiator) error

PermissionCheckFunc is a function type that implements PermissionCheck interface.

func (PermissionCheckFunc) Check ¶

func (p PermissionCheckFunc) Check(ctx context.Context, tx libkv.Tx, initiator Initiator) error

Check executes the permission check function.

type PermissionChecker ¶

type PermissionChecker interface {
	Check(
		ctx context.Context,
		tx libkv.Tx,
		initiator Initiator,
		permissionCheck PermissionCheck,
	) error
}

PermissionChecker validates initiator permissions with error tracking and logging.

func NewPermissionChecker ¶

func NewPermissionChecker(
	sentryClient libsentry.Client,
	metrics PermissionCheckerMetrics,
) PermissionChecker

NewPermissionChecker creates a new permission checker with Sentry error tracking and metrics.

type PermissionCheckerMetrics ¶

type PermissionCheckerMetrics interface {
	PermissionCheckTotalCounterInc()
	PermissionCheckSuccessCounterInc()
	PermissionCheckFailureCounterInc()
}

PermissionCheckerMetrics provides metrics for permission check operations.

func NewPermissionCheckerMetrics ¶

func NewPermissionCheckerMetrics() PermissionCheckerMetrics

NewPermissionCheckerMetrics creates a new permission checker metrics instance.

type Permissions ¶

type Permissions []Permission

Permissions represents a collection of permissions with validation and lookup operations.

func (Permissions) Contains ¶

func (r Permissions) Contains(permission Permission) bool

Contains returns true if the permission exists in the collection.

func (Permissions) ContainsAll ¶

func (r Permissions) ContainsAll(permissions ...Permission) bool

ContainsAll returns true if all provided permissions exist in the collection.

func (Permissions) ContainsAny ¶

func (r Permissions) ContainsAny(permissions ...Permission) bool

ContainsAny returns true if at least one of the provided permissions exists in the collection.

func (Permissions) ExpectAllPermissions ¶

func (r Permissions) ExpectAllPermissions(ctx context.Context, permissons ...Permission) error

ExpectAllPermissions returns an error if any of the provided permissions are missing from the collection.

func (Permissions) ExpectAnyPermissions ¶

func (r Permissions) ExpectAnyPermissions(ctx context.Context, permissons ...Permission) error

ExpectAnyPermissions returns an error if none of the provided permissions exist in the collection.

func (Permissions) ExpectPermission ¶

func (r Permissions) ExpectPermission(ctx context.Context, permisson Permission) error

ExpectPermission returns an error if the permission is not in the collection.

func (Permissions) Validate ¶

func (r Permissions) Validate(ctx context.Context) error

Validate checks if all permissions in the collection are valid.

type Role ¶

type Role struct {
	Name        RoleName    `json:"name"`
	Permissions Permissions `json:"permissions"`
}

Role represents a named collection of permissions for access control.

func NewRole ¶

func NewRole(name RoleName, permissions ...Permission) Role

NewRole creates a new role with the specified name and permissions.

func (Role) Validate ¶

func (r Role) Validate(ctx context.Context) error

Validate checks if the role has a valid name and permissions.

type RoleBinding ¶

type RoleBinding struct {
	Role       Role       `json:"role"`
	Initiators Initiators `json:"initiators"`
}

RoleBinding associates a role with one or more initiators.

func NewRoleBinding ¶

func NewRoleBinding(role Role, initiators ...Initiator) RoleBinding

NewRoleBinding creates a new role binding for the specified role and initiators.

type RoleBindings ¶

type RoleBindings []RoleBinding

RoleBindings represents a collection of role-to-initiator mappings.

func (RoleBindings) FindByInitiator ¶

func (r RoleBindings) FindByInitiator(initiator Initiator) RoleBindings

FindByInitiator returns all role bindings that apply to the given initiator.

func (RoleBindings) Roles ¶

func (r RoleBindings) Roles() Roles

Roles extracts all roles from the role bindings collection.

type RoleName ¶

type RoleName string

RoleName represents a unique identifier for an IAM role.

func (RoleName) String ¶

func (r RoleName) String() string

String returns the string representation of the role name.

func (RoleName) Validate ¶

func (r RoleName) Validate(ctx context.Context) error

Validate checks if the role name is non-empty.

type RoleNames ¶

type RoleNames []RoleName

RoleNames represents a collection of role names with lookup operations.

func (RoleNames) Contains ¶

func (r RoleNames) Contains(role RoleName) bool

Contains returns true if the role name exists in the collection.

type Roles ¶

type Roles []Role

Roles represents a collection of roles with utility operations.

func (Roles) Contains ¶

func (r Roles) Contains(role Role) bool

Contains returns true if the role exists in the collection.

func (Roles) Permissions ¶

func (r Roles) Permissions() Permissions

Permissions aggregates all unique permissions from all roles in the collection.

func (Roles) RoleNames ¶

func (r Roles) RoleNames() RoleNames

RoleNames extracts all role names from the collection.

func (Roles) Validate ¶

func (r Roles) Validate(ctx context.Context) error

Validate checks if all roles in the collection are valid.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL