spicedb

Published: Mar 8, 2026 License: MIT Imports: 15 Imported by: 0

Documentation

Overview

Package spicedb provides SpiceDB-based authorization for CoreForge.

Index

Constants

// Common resource type constants.
//
// These are the SpiceDB object types used for subjects and resources in
// CheckRequest, Relationship and the lookup requests. Applications that
// extend BaseSchema may define further types of their own.
const (
	TypeUser         = "user"         // a user
	TypeOrganization = "organization" // an organization
	TypePrincipal    = "principal"    // a principal (user, service, agent)
)

Common resource type constants.

// Common permission constants.
//
// Permissions are what Client.Check evaluates for a subject on a resource;
// they are distinct from the Rel* relations, which are the tuples written
// with WriteRelationship and from which permissions are computed.
const (
	PermCreate = "create" // create new resources
	PermView   = "view"   // view a resource
	PermEdit   = "edit"   // edit a resource
	PermDelete = "delete" // delete a resource
	PermManage = "manage" // manage a resource (admin operations)
)

Common permission constants.

// Common relation constants.
//
// Relations name the edge between a subject and a resource in a
// Relationship tuple (see Relationship.Relation). Granting a relation is an
// authorization change: it should only be done by code that has already
// verified the caller is allowed to manage the target resource.
const (
	RelOwner  = "owner"  // the owner relation
	RelAdmin  = "admin"  // the admin relation
	RelEditor = "editor" // the editor relation
	RelViewer = "viewer" // the viewer relation
	RelMember = "member" // the member relation
)

Common relation constants.

const BaseSchema = `` /* 661-byte string literal not displayed */

BaseSchema provides a minimal SpiceDB schema for CoreForge applications. Applications can extend this with their own resource types.

Variables

This section is empty.

Functions

func ResourceSchema

func ResourceSchema(resourceType string) string

ResourceSchema returns a SpiceDB schema definition for a custom resource type. This can be used to define app-specific resources that integrate with organizations.

Types

type CheckRequest

// CheckRequest represents a permission check request.
//
// It is the input to Client.Check, which reports whether SubjectType:SubjectID
// holds Permission on ResourceType:ResourceID. The struct carries no
// validation of its own, so callers are responsible for ensuring the type and
// permission strings are well-formed (the Type* and Perm* constants in this
// package cover the common values) and that IDs are not taken unchecked from
// untrusted input.
type CheckRequest struct {
	// ResourceType is the type of the resource (e.g., "organization", "project")
	ResourceType string
	// ResourceID is the ID of the resource
	ResourceID string
	// Permission is the permission to check (e.g., "view", "edit", "manage")
	Permission string
	// SubjectType is the type of the subject (e.g., "principal", "user")
	SubjectType string
	// SubjectID is the ID of the subject
	SubjectID string
}

CheckRequest represents a permission check request.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client provides authorization operations backed by SpiceDB.

func NewClient

func NewClient(ctx context.Context, cfg Config, logger *slog.Logger) (*Client, error)

NewClient creates a new SpiceDB client based on configuration.

func (*Client) Check

func (c *Client) Check(ctx context.Context, req *CheckRequest) (bool, error)

Check checks if a subject has a permission on a resource.

func (*Client) Close

func (c *Client) Close() error

Close closes the client connection.

func (*Client) DeleteRelationship

func (c *Client) DeleteRelationship(ctx context.Context, rel *Relationship) error

DeleteRelationship deletes a relationship tuple.

func (*Client) IsEmbedded

func (c *Client) IsEmbedded() bool

IsEmbedded returns true if this client is using an embedded SpiceDB instance.

func (*Client) LookupResources

func (c *Client) LookupResources(ctx context.Context, req *LookupResourcesRequest) ([]string, error)

LookupResources finds all resources a subject has permission on.

func (*Client) LookupSubjects

func (c *Client) LookupSubjects(ctx context.Context, req *LookupSubjectsRequest) ([]string, error)

LookupSubjects finds all subjects with a given permission on a resource.

func (*Client) ReadSchema

func (c *Client) ReadSchema(ctx context.Context) (string, error)

ReadSchema reads the current authorization schema.

func (*Client) WriteRelationship

func (c *Client) WriteRelationship(ctx context.Context, rel *Relationship) error

WriteRelationship writes a relationship tuple.

func (*Client) WriteRelationships

func (c *Client) WriteRelationships(ctx context.Context, rels []*Relationship) error

WriteRelationships writes multiple relationship tuples atomically.

func (*Client) WriteSchema

func (c *Client) WriteSchema(ctx context.Context, schema string) error

WriteSchema writes the authorization schema.

type Config

// Config holds SpiceDB client configuration.
//
// It is consumed by NewClient; DefaultConfig returns a configuration for
// embedded mode. Because every field carries json/yaml tags, a Config is
// routinely read from configuration files, and the Token and DatastoreURI
// fields may therefore end up in cleartext on disk: protect those files and
// avoid logging or serializing a populated Config.
type Config struct {
	// Mode: "embedded" or "remote"
	Mode string `json:"mode" yaml:"mode"`

	// Embedded mode settings
	// DatastoreEngine: "memory" or "postgres"
	DatastoreEngine string `json:"datastore_engine,omitempty" yaml:"datastore_engine,omitempty"`
	// DatastoreURI: connection string for postgres
	// NOTE(review): a connection string may embed database credentials;
	// treat it with the same care as Token.
	DatastoreURI string `json:"datastore_uri,omitempty" yaml:"datastore_uri,omitempty"`

	// Remote mode settings
	// Endpoint: SpiceDB gRPC endpoint (e.g., "localhost:50051")
	Endpoint string `json:"endpoint,omitempty" yaml:"endpoint,omitempty"`
	// Token: preshared key for authentication
	// This is a secret: it authenticates this process to SpiceDB and anyone
	// holding it can read and write the authorization data.
	Token string `json:"token,omitempty" yaml:"token,omitempty"`
	// Insecure: skip TLS verification
	// NOTE(review): with verification skipped the connection to Endpoint is
	// not authenticated, so an on-path attacker could observe the preshared
	// key and authorization traffic or answer checks in SpiceDB's place;
	// keep this false outside local development.
	Insecure bool `json:"insecure,omitempty" yaml:"insecure,omitempty"`
}

Config holds SpiceDB client configuration.

func DefaultConfig

func DefaultConfig() Config

DefaultConfig returns a default configuration for embedded mode.

type LookupResourcesRequest

// LookupResourcesRequest represents a request to find resources a subject can
// access.
//
// It is the input to Client.LookupResources, which returns the IDs of every
// resource of ResourceType on which SubjectType:SubjectID holds Permission.
// The result enumerates what a subject may reach, so it is suitable for
// building listings for that subject rather than for exposing to others.
type LookupResourcesRequest struct {
	// ResourceType is the type of resources to look up
	ResourceType string
	// Permission is the permission to check
	Permission string
	// SubjectType is the type of the subject
	SubjectType string
	// SubjectID is the ID of the subject
	SubjectID string
}

LookupResourcesRequest represents a request to find resources a subject can access.

type LookupSubjectsRequest

// LookupSubjectsRequest represents a request to find subjects with a
// permission.
//
// It is the input to Client.LookupSubjects, which returns the IDs of every
// subject of SubjectType that holds Permission on ResourceType:ResourceID.
// Because the answer reveals who can access a resource, callers should check
// that the requester is entitled to see that list (for example, holds
// PermManage on the resource) before returning it.
type LookupSubjectsRequest struct {
	// ResourceType is the type of the resource
	ResourceType string
	// ResourceID is the ID of the resource
	ResourceID string
	// Permission is the permission to check
	Permission string
	// SubjectType is the type of subjects to look up
	SubjectType string
}

LookupSubjectsRequest represents a request to find subjects with a permission.

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider implements the authz.Authorizer interface using SpiceDB.

func NewProvider

func NewProvider(client *Client) *Provider

NewProvider creates a new SpiceDB authorization provider.

func (*Provider) AddOrgMember

func (p *Provider) AddOrgMember(ctx context.Context, principalID string, orgID uuid.UUID, role string) error

AddOrgMember adds a principal as a member of an organization with a specific role.

func (*Provider) AddRelationship

func (p *Provider) AddRelationship(ctx context.Context, subjectType, subjectID, relation, resourceType, resourceID string) error

AddRelationship adds a relationship between a subject and a resource.

func (*Provider) Can

func (p *Provider) Can(ctx context.Context, principal authz.Principal, action authz.Action, resource authz.Resource) (bool, error)

Can checks if a principal can perform an action on a resource.

func (*Provider) CanAll

func (p *Provider) CanAll(ctx context.Context, principal authz.Principal, actions []authz.Action, resource authz.Resource) (bool, error)

CanAll checks if a principal can perform all specified actions on a resource.

func (*Provider) CanAny

func (p *Provider) CanAny(ctx context.Context, principal authz.Principal, actions []authz.Action, resource authz.Resource) (bool, error)

CanAny checks if a principal can perform any of the specified actions on a resource.

func (*Provider) CanForOrg

func (p *Provider) CanForOrg(ctx context.Context, principal authz.Principal, orgID uuid.UUID, action authz.Action, resource authz.Resource) (bool, error)

CanForOrg checks permission scoped to a specific organization.

func (*Provider) Client

func (p *Provider) Client() *Client

Client returns the underlying SpiceDB client for advanced operations.

func (*Provider) Close

func (p *Provider) Close() error

Close closes the provider and underlying client.

func (*Provider) Filter

func (p *Provider) Filter(ctx context.Context, principal authz.Principal, action authz.Action, resources []authz.Resource) ([]authz.Resource, error)

Filter returns only the resources the principal can access with the given action.

func (*Provider) GetRole

func (p *Provider) GetRole(ctx context.Context, principal authz.Principal, orgID uuid.UUID) (string, error)

GetRole returns the principal's role in an organization.

func (*Provider) IsMember

func (p *Provider) IsMember(ctx context.Context, principal authz.Principal, orgID uuid.UUID) (bool, error)

IsMember checks if a principal is a member of an organization.

func (*Provider) IsPlatformAdmin

func (p *Provider) IsPlatformAdmin(ctx context.Context, principal authz.Principal) (bool, error)

IsPlatformAdmin checks if a principal has platform-wide admin access.

func (*Provider) RemoveOrgMember

func (p *Provider) RemoveOrgMember(ctx context.Context, principalID string, orgID uuid.UUID, role string) error

RemoveOrgMember removes a principal's membership with the given role from an organization.

func (*Provider) RemoveRelationship

func (p *Provider) RemoveRelationship(ctx context.Context, subjectType, subjectID, relation, resourceType, resourceID string) error

RemoveRelationship removes a relationship between a subject and a resource.

type Relationship

// Relationship represents a relationship tuple.
//
// A tuple states that SubjectType:SubjectID has Relation on
// ResourceType:ResourceID. Tuples are written with Client.WriteRelationship /
// WriteRelationships and removed with Client.DeleteRelationship; writing one is
// itself a grant of access, so these calls belong behind the caller's own
// authorization check. The Rel* constants cover the common relations.
type Relationship struct {
	// ResourceType is the type of the resource
	ResourceType string
	// ResourceID is the ID of the resource
	ResourceID string
	// Relation is the relationship type (e.g., "owner", "member", "admin")
	Relation string
	// SubjectType is the type of the subject
	SubjectType string
	// SubjectID is the ID of the subject
	SubjectID string
}

Relationship represents a relationship tuple.

type Syncer

type Syncer struct {
	// contains filtered or unexported fields
}

Syncer implements RelationshipSyncer using SpiceDB as the authorization backend.

func NewSyncer

func NewSyncer(client *Client) *Syncer

NewSyncer creates a new SpiceDB-backed relationship syncer.

func (*Syncer) AddOrgMembership

func (s *Syncer) AddOrgMembership(ctx context.Context, principalID, orgID uuid.UUID, role string) error

AddOrgMembership adds a principal's membership in an organization.

func (*Syncer) RegisterOrganization

func (s *Syncer) RegisterOrganization(ctx context.Context, orgID, ownerID uuid.UUID) error

RegisterOrganization creates an organization with an initial owner.

func (*Syncer) RegisterPrincipal

func (s *Syncer) RegisterPrincipal(_ context.Context, _ uuid.UUID) error

RegisterPrincipal is a no-op kept for interface compliance. SpiceDB does not require explicit entity creation: a principal comes into existence implicitly when a relationship referencing it is written.

func (*Syncer) RemoveOrgMembership

func (s *Syncer) RemoveOrgMembership(ctx context.Context, principalID, orgID uuid.UUID, role string) error

RemoveOrgMembership removes a principal's membership from an organization.

func (*Syncer) SetPlatformAdmin

func (s *Syncer) SetPlatformAdmin(ctx context.Context, principalID uuid.UUID, isAdmin bool) error

SetPlatformAdmin grants or revokes platform admin privileges.

func (*Syncer) UnregisterOrganization

func (s *Syncer) UnregisterOrganization(ctx context.Context, orgID uuid.UUID) error

UnregisterOrganization removes an organization and all its membership relationships.

func (*Syncer) UnregisterPrincipal

func (s *Syncer) UnregisterPrincipal(ctx context.Context, principalID uuid.UUID) error

UnregisterPrincipal removes all relationships involving a principal.

func (*Syncer) UpdateOrgMembership

func (s *Syncer) UpdateOrgMembership(ctx context.Context, principalID, orgID uuid.UUID, oldRole, newRole string) error

UpdateOrgMembership changes a principal's role in an organization. This is implemented as an atomic batch operation: remove old role, add new role.
