Documentation
¶
Overview ¶
Package policy enforces authorization and action risk.
Package policy enforces RBAC (role → allowed permission/risk) plus per-connection ownership/sharing grants, using embedded Casbin. Risk levels come from route metadata — never client-supplied.
Index ¶
- Variables
- type AccessInput
- type Enforcer
- func (en *Enforcer) AddRolePermissionPolicy(role models.Role, permission string, risk plugin.RiskLevel) error
- func (en *Enforcer) AddRolePolicy(role models.Role, risk plugin.RiskLevel) error
- func (en *Enforcer) Authorize(in AccessInput) error
- func (en *Enforcer) LoadStorePolicies(ctx context.Context, policies store.PolicyStore) error
Constants ¶
This section is empty.
Variables ¶
var ErrForbidden = errors.New("policy: forbidden")
ErrForbidden is the deny-by-default authorization failure.
Functions ¶
This section is empty.
Types ¶
type AccessInput ¶
type AccessInput struct {
User models.User
Permission string
Risk plugin.RiskLevel
// Connection context. ConnectionID == "" means a non-connection route (e.g.
// the plugin catalog), which only needs the role/risk gate.
ConnectionID string
OwnerID string
HasGrant bool
GrantAccess models.Access
}
AccessInput is everything an authorization decision needs. The caller (the route wrapper) resolves the connection + the user's grant before calling.
type Enforcer ¶
type Enforcer struct {
// contains filtered or unexported fields
}
Enforcer answers authorization decisions. It is safe for concurrent use.
func (*Enforcer) AddRolePermissionPolicy ¶
func (en *Enforcer) AddRolePermissionPolicy(role models.Role, permission string, risk plugin.RiskLevel) error
AddRolePermissionPolicy grants a role a route permission/risk pair.
func (*Enforcer) AddRolePolicy ¶
AddRolePolicy grants a role an additional risk level (extensibility hook).
func (*Enforcer) Authorize ¶
func (en *Enforcer) Authorize(in AccessInput) error
Authorize applies both gates (deny-by-default):
- the user's role must permit the route's permission/risk, and
- for connection routes, the user must own it or hold a grant.
Admin is a user-management role, not a super-user: it grants no implicit access to other users' connections.
func (*Enforcer) LoadStorePolicies ¶
LoadStorePolicies loads additive policy rows from the control-plane store.