Index ¶
- Variables
- func IsAction(v Action) bool
- func IsObjectType(v ObjectType) bool
- func IsRelation(v Relation) bool
- type Action
- type ActionSet
- type AdminManager
- type AllowAllChecker
- func (c *AllowAllChecker) Check(ctx context.Context, obj ObjectRef, action Action) (bool, error)
- func (c *AllowAllChecker) IsGlobalAdmin(ctx context.Context) (bool, error)
- func (c *AllowAllChecker) ListObjects(ctx context.Context, objType ObjectType) ([]ObjectRef, error)
- func (c *AllowAllChecker) Me(ctx context.Context) (*UserInfo, error)
- type Checker
- type DenyAllChecker
- func (c *DenyAllChecker) Check(ctx context.Context, obj ObjectRef, action Action) (bool, error)
- func (c *DenyAllChecker) IsGlobalAdmin(ctx context.Context) (bool, error)
- func (c *DenyAllChecker) ListObjects(ctx context.Context, objType ObjectType) ([]ObjectRef, error)
- func (c *DenyAllChecker) Me(ctx context.Context) (*UserInfo, error)
- type EntityKey
- type EntityRelation
- func (x *EntityRelation) GetId() string
- func (x *EntityRelation) GetName() string
- func (x *EntityRelation) GetRefRelation() Relation
- func (x *EntityRelation) GetRelation() Relation
- func (x *EntityRelation) GetType() ObjectType
- func (er *EntityRelation) Int64() int64
- func (er *EntityRelation) WithObject(ek EntityKey) TupleKey
- type Feed
- type FeedVersion
- type Group
- type GroupSaveRequest
- type GroupSaveResponse
- type ObjectPermissions
- type ObjectRef
- type ObjectType
- type PermissionManager
- type Relation
- type SubjectRef
- type Tenant
- type TenantCreateGroupRequest
- type TenantSaveRequest
- type TenantSaveResponse
- type TupleKey
- func (tk TupleKey) ActionOrRelation() string
- func (tk TupleKey) Equals(other TupleKey) bool
- func (tk TupleKey) IsValid() bool
- func (tk TupleKey) String() string
- func (tk TupleKey) Validate() error
- func (tk TupleKey) WithAction(action Action) TupleKey
- func (tk TupleKey) WithObject(objectType ObjectType, objectName string) TupleKey
- func (tk TupleKey) WithObjectID(objectType ObjectType, objectId int64) TupleKey
- func (tk TupleKey) WithRelation(relation Relation) TupleKey
- func (tk TupleKey) WithSubject(userType ObjectType, userName string) TupleKey
- func (tk TupleKey) WithSubjectID(userType ObjectType, userId int64) TupleKey
- func (tk TupleKey) WithUser(user string) TupleKey
- type User
- type UserInfo
- type UserListRequest
- type UserListResponse
- type UserRequest
- type UserResponse
Variables ¶
// Action_name maps each Action enum value to its string name. It is the
// inverse of Action_value; the two maps must stay in sync or string
// round-trips through the Action text marshalling (presumably backed by
// these maps — confirm) will not be symmetric.
var Action_name = map[int32]string{
	0:  "empty_action",
	1:  "can_view",
	2:  "can_edit",
	3:  "can_edit_members",
	4:  "can_create_org",
	5:  "can_delete_org",
	6:  "can_create_feed_version",
	7:  "can_delete_feed_version",
	8:  "can_create_feed",
	9:  "can_delete_feed",
	10: "can_set_group",
	11: "can_set_tenant",
}
// Action_value maps an action's string name back to its Action enum value.
// Unlike ObjectType_value it defines no aliases, so every name here has
// exactly one entry in Action_name.
var Action_value = map[string]int32{
	"empty_action":            0,
	"can_view":                1,
	"can_edit":                2,
	"can_edit_members":        3,
	"can_create_org":          4,
	"can_delete_org":          5,
	"can_create_feed_version": 6,
	"can_delete_feed_version": 7,
	"can_create_feed":         8,
	"can_delete_feed":         9,
	"can_set_group":           10,
	"can_set_tenant":          11,
}
// Readable aliases for the generated enum constants. Relations describe how
// a subject is attached to an object; actions are the permissions passed to
// Checker.Check.
var AdminRelation = Relation_admin
var CanCreateFeed = Action_can_create_feed
var CanCreateFeedVersion = Action_can_create_feed_version
var CanCreateOrg = Action_can_create_org
var CanDeleteFeed = Action_can_delete_feed
var CanDeleteFeedVersion = Action_can_delete_feed_version
var CanDeleteOrg = Action_can_delete_org
var CanEdit = Action_can_edit
var CanEditMembers = Action_can_edit_members
var CanSetGroup = Action_can_set_group
var CanSetTenant = Action_can_set_tenant
var CanView = Action_can_view
var EditorRelation = Relation_editor
var FeedType = ObjectType_feed
var FeedVersionType = ObjectType_feed_version
// GroupType is ObjectType_org: "group" and "org" name the same object type
// (ObjectType_value accepts both spellings; ObjectType_name renders "org").
var GroupType = ObjectType_org
var ManagerRelation = Relation_manager
var MemberRelation = Relation_member
// ObjectType_name maps each ObjectType enum value to its canonical string
// name. Value 2 is rendered only as "org" even though ObjectType_value also
// accepts "group" for it.
var ObjectType_name = map[int32]string{
	0: "empty_object",
	1: "tenant",
	2: "org",
	3: "feed",
	4: "feed_version",
	5: "user",
}
// ObjectType_value maps an object type's string name to its ObjectType enum
// value. "group" is an input alias for "org" (both are 2, matching
// GroupType = ObjectType_org); the mapping is therefore not a bijection, and
// a value parsed from "group" formats back as "org" via ObjectType_name.
// Treat "org" as the canonical wire name and "group" as accepted input only.
var ObjectType_value = map[string]int32{
	"empty_object": 0,
	"tenant":       1,
	"org":          2,
	"group":        2,
	"feed":         3,
	"feed_version": 4,
	"user":         5,
}
// ParentRelation links a child object to its parent (see
// PermissionManager.SetParent).
var ParentRelation = Relation_parent
// Relation_name maps each Relation enum value to its string name. It is the
// inverse of Relation_value and the two must stay in sync.
var Relation_name = map[int32]string{
	0: "empty_relation",
	1: "admin",
	2: "member",
	3: "manager",
	4: "viewer",
	5: "editor",
	6: "parent",
}
// Relation_value maps a relation's string name back to its Relation enum
// value. No aliases are defined, so the mapping is a bijection with
// Relation_name.
var Relation_value = map[string]int32{
	"empty_relation": 0,
	"admin":          1,
	"member":         2,
	"manager":        3,
	"viewer":         4,
	"editor":         5,
	"parent":         6,
}
// Remaining readable aliases for the generated enum constants.
var TenantType = ObjectType_tenant
var UserType = ObjectType_user
var ViewerRelation = Relation_viewer
Functions ¶
func IsObjectType ¶
func IsObjectType(v ObjectType) bool
func IsRelation ¶
Types ¶
type Action ¶
// Action is the enum of permission actions accepted by Checker.Check. Its
// string form is defined by Action_name / Action_value.
type Action int32
Action represents a permission action that can be checked.
// Action enum values. Action_empty_action (0) is the zero value and denotes
// "no action"; the remaining names match the keys of Action_value.
const (
	Action_empty_action            Action = 0
	Action_can_view                Action = 1
	Action_can_edit                Action = 2
	Action_can_edit_members        Action = 3
	Action_can_create_org          Action = 4
	Action_can_delete_org          Action = 5
	Action_can_create_feed_version Action = 6
	Action_can_delete_feed_version Action = 7
	Action_can_create_feed         Action = 8
	Action_can_delete_feed         Action = 9
	Action_can_set_group           Action = 10
	Action_can_set_tenant          Action = 11
)
func ActionString ¶
func (Action) MarshalText ¶ added in v1.3.3
MarshalText implements encoding.TextMarshaler so Action works as a JSON map key.
func (*Action) UnmarshalText ¶ added in v1.3.3
UnmarshalText implements encoding.TextUnmarshaler.
type ActionSet ¶ added in v1.3.3
ActionSet is the result of checking what a user can do on an object.
type AdminManager ¶ added in v1.3.3
// AdminManager extends PermissionManager with the administrative operations
// that create or update database entities (tenants, groups, user lookup)
// rather than authorization tuples alone.
type AdminManager interface {
	PermissionManager
	// UserList searches users. Visibility scoping of the results is the
	// responsibility of the implementation's user provider; the caller only
	// gates access to the call itself.
	UserList(ctx context.Context, req *UserListRequest) (*UserListResponse, error)
	// User looks up a single user by the request's Id; the same scoping
	// responsibility as UserList applies.
	User(ctx context.Context, req *UserRequest) (*UserResponse, error)
	// TenantSave creates or updates the tenant carried in req.
	TenantSave(ctx context.Context, req *TenantSaveRequest) (*TenantSaveResponse, error)
	// TenantCreateGroup creates req.Group under the tenant identified by
	// req.Id and returns the saved group.
	TenantCreateGroup(ctx context.Context, req *TenantCreateGroupRequest) (*GroupSaveResponse, error)
	// GroupSave creates or updates the group carried in req.
	GroupSave(ctx context.Context, req *GroupSaveRequest) (*GroupSaveResponse, error)
}
AdminManager extends PermissionManager with admin-specific DB write operations for managing tenants and groups. These are not expressible through the generic permission interface because they create/update database entities, not just authorization tuples.
Implementations that expose user search (e.g., for assigning users to tenants/groups) must handle visibility scoping in the UserProvider layer. The GraphQL resolvers gate access via can_edit_members but do not filter results — the UserProvider is responsible for limiting which users are returned based on deployment-specific rules (e.g., Auth0 organization boundaries, tenant membership, etc.).
type AllowAllChecker ¶ added in v1.3.3
// AllowAllChecker is a stateless Checker that grants every request; it is
// intended for demo binaries and tests only (see the type documentation for
// the anonymous-admin behaviour of Me).
type AllowAllChecker struct{}
AllowAllChecker is the explicit "allow all" Checker — install it when a deployment wants to opt out of authorization. Pairs with DenyAllChecker. Use only in demo binaries or tests; never in a deployment that enforces per-feed permissions. When no authenticated user is present, Me() returns a synthetic identity with the "admin" role, so anonymous callers also pass any handler gated on RoleRequired("admin").
func (*AllowAllChecker) IsGlobalAdmin ¶ added in v1.3.3
func (c *AllowAllChecker) IsGlobalAdmin(ctx context.Context) (bool, error)
func (*AllowAllChecker) ListObjects ¶ added in v1.3.3
func (c *AllowAllChecker) ListObjects(ctx context.Context, objType ObjectType) ([]ObjectRef, error)
type Checker ¶ added in v1.3.3
// Checker is the read-only authorization query interface used by the data
// path. Callers treat it as the single source of truth for access decisions.
type Checker interface {
	// Me returns the calling user's identity (UserInfo) for ctx.
	Me(ctx context.Context) (*UserInfo, error)
	// IsGlobalAdmin reports whether the caller in ctx is a global admin.
	IsGlobalAdmin(ctx context.Context) (bool, error)
	// ListObjects returns the objects of objType the caller may see.
	ListObjects(ctx context.Context, objType ObjectType) ([]ObjectRef, error)
	// Check reports whether action is allowed on obj for the caller in ctx.
	// NOTE(review): a false result and a non-nil error are distinct outcomes;
	// callers should fail closed (deny) on error — confirm this is how the
	// consuming code treats it.
	Check(ctx context.Context, obj ObjectRef, action Action) (bool, error)
}
Checker is the read-only query interface used by the data path (perm_filter, actions, dbfinder mutations, GraphQL resolvers).
type DenyAllChecker ¶ added in v1.3.3
// DenyAllChecker is a stateless Checker that denies every per-feed request;
// the type documentation notes that public feeds remain readable through a
// separate public clause.
type DenyAllChecker struct{}
DenyAllChecker is the explicit "deny all" Checker — install it when callers should have no per-feed access. Read paths still see public feeds via the unconditional public clause in pfJoinCheck.
func (*DenyAllChecker) IsGlobalAdmin ¶ added in v1.3.3
func (c *DenyAllChecker) IsGlobalAdmin(ctx context.Context) (bool, error)
func (*DenyAllChecker) ListObjects ¶ added in v1.3.3
func (c *DenyAllChecker) ListObjects(ctx context.Context, objType ObjectType) ([]ObjectRef, error)
type EntityKey ¶
// EntityKey names an entity by type and name, optionally qualified by a
// relation (RefRel). It is used as the subject in PermissionManager
// AddPermission/RemovePermission and inside TupleKey and SubjectRef.
type EntityKey struct {
	Type ObjectType `json:"type"`
	Name string     `json:"name"`
	// RefRel is serialized as "ref_rel". NOTE: EntityRelation carries the
	// equivalent field as RefRelation / "ref_relation"; the two JSON shapes
	// are not interchangeable.
	RefRel Relation `json:"ref_rel"`
}
func NewEntityKey ¶
func NewEntityKey(t ObjectType, name string) EntityKey
func (EntityKey) WithRefRel ¶
type EntityRelation ¶
// EntityRelation is a protobuf-style message pairing an entity (Type, Id or
// Name, RefRelation) with a Relation. All fields are omitted from JSON when
// zero-valued.
type EntityRelation struct {
	Type ObjectType `json:"type,omitempty"`
	// Id is a string here; EntityRelation.Int64 converts it (behaviour on a
	// non-numeric Id is not visible from this page).
	Id          string   `json:"id,omitempty"`
	Name        string   `json:"name,omitempty"`
	RefRelation Relation `json:"ref_relation,omitempty"`
	Relation    Relation `json:"relation,omitempty"`
}
func NewEntityRelation ¶
func NewEntityRelation(ek EntityKey, rel Relation) *EntityRelation
func (*EntityRelation) GetId ¶
func (x *EntityRelation) GetId() string
func (*EntityRelation) GetName ¶
func (x *EntityRelation) GetName() string
func (*EntityRelation) GetRefRelation ¶
func (x *EntityRelation) GetRefRelation() Relation
func (*EntityRelation) GetRelation ¶
func (x *EntityRelation) GetRelation() Relation
func (*EntityRelation) GetType ¶
func (x *EntityRelation) GetType() ObjectType
func (*EntityRelation) Int64 ¶
func (er *EntityRelation) Int64() int64
func (*EntityRelation) WithObject ¶
func (er *EntityRelation) WithObject(ek EntityKey) TupleKey
type Feed ¶
// Feed is a protobuf-style message identifying a feed by database Id,
// Onestop ID and display name.
type Feed struct {
	Id        int64  `json:"id,omitempty"`
	OnestopId string `json:"onestop_id,omitempty"`
	Name      string `json:"name,omitempty"`
}
func (*Feed) GetOnestopId ¶
type FeedVersion ¶
// FeedVersion is a protobuf-style message identifying one version of a Feed
// (FeedId) by database Id, name and Sha1.
type FeedVersion struct {
	Id   int64  `json:"id,omitempty"`
	Name string `json:"name,omitempty"`
	// Sha1 is presumably the hex digest of the feed version's file — confirm.
	Sha1   string `json:"sha1,omitempty"`
	FeedId int64  `json:"feed_id,omitempty"`
}
func (*FeedVersion) GetFeedId ¶
func (x *FeedVersion) GetFeedId() int64
func (*FeedVersion) GetId ¶
func (x *FeedVersion) GetId() int64
func (*FeedVersion) GetName ¶
func (x *FeedVersion) GetName() string
func (*FeedVersion) GetSha1 ¶
func (x *FeedVersion) GetSha1() string
type GroupSaveRequest ¶
// GroupSaveRequest carries the Group to create or update via
// AdminManager.GroupSave.
type GroupSaveRequest struct {
	Group *Group `json:"group,omitempty"`
}
func (*GroupSaveRequest) GetGroup ¶
func (x *GroupSaveRequest) GetGroup() *Group
type GroupSaveResponse ¶
// GroupSaveResponse returns the saved Group from AdminManager.GroupSave and
// AdminManager.TenantCreateGroup.
type GroupSaveResponse struct {
	Group *Group `json:"group,omitempty"`
}
type ObjectPermissions ¶ added in v1.3.3
// ObjectPermissions is the generic result of
// PermissionManager.ObjectPermissions: the object itself, the actions the
// caller has on it, the subjects related to it, and its parent/children.
type ObjectPermissions struct {
	Ref     ObjectRef   `json:"ref"`
	Actions ActionSet   `json:"actions"`
	Subjects []SubjectRef `json:"subjects"`
	// Parent is nil (and omitted) when the object has no parent.
	Parent   *ObjectRef  `json:"parent,omitempty"`
	Children []ObjectRef `json:"children,omitempty"`
}
ObjectPermissions is the generic return from a permissions query.
type ObjectRef ¶ added in v1.3.3
// ObjectRef identifies an entity in the authorization system by type and
// numeric ID; Name is optional. Note the field is ID (not Id as in the
// protobuf-style messages), so it serializes as "id" via the tag only.
type ObjectRef struct {
	Type ObjectType `json:"type"`
	ID   int64      `json:"id"`
	Name string     `json:"name,omitempty"`
}
ObjectRef identifies an entity in the authorization system.
type ObjectType ¶
// ObjectType is the enum of entity types in the authorization model. Its
// string form is defined by ObjectType_name / ObjectType_value.
type ObjectType int32
ObjectType represents the type of an entity in the authorization model.
// ObjectType enum values. ObjectType_empty_object (0) is the zero value;
// ObjectType_org is also exposed as GroupType.
const (
	ObjectType_empty_object ObjectType = 0
	ObjectType_tenant       ObjectType = 1
	ObjectType_org          ObjectType = 2
	ObjectType_feed         ObjectType = 3
	ObjectType_feed_version ObjectType = 4
	ObjectType_user         ObjectType = 5
)
func ObjectTypeString ¶
func ObjectTypeString(v string) (ObjectType, error)
func (ObjectType) MarshalText ¶ added in v1.3.3
func (o ObjectType) MarshalText() ([]byte, error)
MarshalText implements encoding.TextMarshaler so ObjectType works as a JSON map key.
func (ObjectType) String ¶
func (o ObjectType) String() string
func (*ObjectType) UnmarshalText ¶ added in v1.3.3
func (o *ObjectType) UnmarshalText(text []byte) error
UnmarshalText implements encoding.TextUnmarshaler.
type PermissionManager ¶ added in v1.3.3
// PermissionManager extends Checker with write operations on the
// authorization graph. Implementations are responsible for authorizing each
// call themselves; callers do not pre-check.
type PermissionManager interface {
	Checker
	// ObjectPermissions returns the full permission view of obj.
	ObjectPermissions(ctx context.Context, obj ObjectRef) (*ObjectPermissions, error)
	// SetParent makes parent the parent of child.
	SetParent(ctx context.Context, child ObjectRef, parent ObjectRef) error
	// AddPermission relates subject to obj with the given relation.
	AddPermission(ctx context.Context, obj ObjectRef, subject EntityKey, relation Relation) error
	// RemovePermission removes that relation between subject and obj.
	RemovePermission(ctx context.Context, obj ObjectRef, subject EntityKey, relation Relation) error
}
PermissionManager extends Checker with write operations for managing permissions, parents, and viewing detailed permission info. Implementations must enforce authorization checks internally — callers (e.g., GraphQL resolvers) delegate all access control to these methods.
type Relation ¶
// Relation is the enum of relationships between entities. Its string form is
// defined by Relation_name / Relation_value.
type Relation int32
Relation represents a relationship between entities.
func RelationString ¶
func (Relation) MarshalText ¶ added in v1.3.3
MarshalText implements encoding.TextMarshaler so Relation works as a JSON map key.
func (*Relation) UnmarshalText ¶ added in v1.3.3
UnmarshalText implements encoding.TextUnmarshaler.
type SubjectRef ¶ added in v1.3.3
// SubjectRef describes one subject's relationship to an object, as returned
// in ObjectPermissions.Subjects.
type SubjectRef struct {
	Subject  EntityKey `json:"subject"`
	Relation Relation  `json:"relation"`
	// Name is a display name for the subject (distinct from Subject.Name,
	// which is the key) — presumably; confirm against the producer.
	Name string `json:"name"`
}
SubjectRef describes who has a relationship to an object.
type TenantCreateGroupRequest ¶
// TenantCreateGroupRequest asks AdminManager.TenantCreateGroup to create
// Group under the tenant with database Id.
type TenantCreateGroupRequest struct {
	Id    int64  `json:"id,omitempty"`
	Group *Group `json:"group,omitempty"`
}
func (*TenantCreateGroupRequest) GetGroup ¶
func (x *TenantCreateGroupRequest) GetGroup() *Group
func (*TenantCreateGroupRequest) GetId ¶
func (x *TenantCreateGroupRequest) GetId() int64
type TenantSaveRequest ¶
// TenantSaveRequest carries the Tenant to create or update via
// AdminManager.TenantSave.
type TenantSaveRequest struct {
	Tenant *Tenant `json:"tenant,omitempty"`
}
func (*TenantSaveRequest) GetTenant ¶
func (x *TenantSaveRequest) GetTenant() *Tenant
type TenantSaveResponse ¶
// TenantSaveResponse is the (currently field-less) result of
// AdminManager.TenantSave.
type TenantSaveResponse struct{}
type TupleKey ¶
// TupleKey is a subject/object pair together with either an Action or a
// Relation (see ActionOrRelation). Built via NewTupleKey and the With*
// methods.
type TupleKey struct {
	// Subject and Object carry no json tag, so encoding/json emits them under
	// the Go field names "Subject" and "Object", unlike the lowercase tags
	// below.
	Subject  EntityKey
	Object   EntityKey
	Action   Action   `json:"action"`
	Relation Relation `json:"relation"`
}
func NewTupleKey ¶
func NewTupleKey() TupleKey
func (TupleKey) ActionOrRelation ¶
func (TupleKey) WithAction ¶
func (TupleKey) WithObject ¶
func (tk TupleKey) WithObject(objectType ObjectType, objectName string) TupleKey
func (TupleKey) WithObjectID ¶
func (tk TupleKey) WithObjectID(objectType ObjectType, objectId int64) TupleKey
func (TupleKey) WithRelation ¶
func (TupleKey) WithSubject ¶
func (tk TupleKey) WithSubject(userType ObjectType, userName string) TupleKey
func (TupleKey) WithSubjectID ¶
func (tk TupleKey) WithSubjectID(userType ObjectType, userId int64) TupleKey
type User ¶
type UserInfo ¶ added in v1.3.3
// UserInfo is the identity returned by Checker.Me.
type UserInfo struct {
	ID    string `json:"id"`
	Name  string `json:"name"`
	Email string `json:"email"`
	// Roles are coarse role names (e.g. "admin", which AllowAllChecker
	// synthesizes for anonymous callers).
	Roles  []string `json:"roles"`
	Groups []Group  `json:"groups"`
	// ExpandedGroups presumably adds groups reached transitively from Groups
	// — confirm against the implementation.
	ExpandedGroups []Group           `json:"expanded_groups"`
	ExternalData   map[string]string `json:"external_data"`
}
UserInfo is the return from Checker.Me().
type UserListRequest ¶
// UserListRequest is the input to AdminManager.UserList. Q is presumably a
// free-text search query; result scoping is the implementation's duty.
type UserListRequest struct {
	Q string `json:"q,omitempty"`
}
func (*UserListRequest) GetQ ¶
func (x *UserListRequest) GetQ() string
type UserListResponse ¶
// UserListResponse is the result of AdminManager.UserList.
type UserListResponse struct {
	Users []*User `json:"users,omitempty"`
}
type UserRequest ¶
// UserRequest is the input to AdminManager.User; Id is the user's string
// identifier (matching UserInfo.ID's type).
type UserRequest struct {
	Id string `json:"id,omitempty"`
}
func (*UserRequest) GetId ¶
func (x *UserRequest) GetId() string
type UserResponse ¶
// UserResponse is the result of AdminManager.User; User is nil when omitted.
type UserResponse struct {
	User *User `json:"user,omitempty"`
}