authz

package
Published: Jun 10, 2026 License: GPL-3.0 Imports: 6 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// Action_name maps each Action enum value to its canonical name.
// It is the inverse of Action_value; every value here has exactly one name.
var Action_name = map[int32]string{
	0:  "empty_action",
	1:  "can_view",
	2:  "can_edit",
	3:  "can_edit_members",
	4:  "can_create_org",
	5:  "can_delete_org",
	6:  "can_create_feed_version",
	7:  "can_delete_feed_version",
	8:  "can_create_feed",
	9:  "can_delete_feed",
	10: "can_set_group",
	11: "can_set_tenant",
}
// Action_value maps an Action name to its enum value. It mirrors Action_name
// one-to-one, so name -> value -> name round-trips for every entry.
// Value 0 ("empty_action") is the zero value, not a grant of anything.
var Action_value = map[string]int32{
	"empty_action":            0,
	"can_view":                1,
	"can_edit":                2,
	"can_edit_members":        3,
	"can_create_org":          4,
	"can_delete_org":          5,
	"can_create_feed_version": 6,
	"can_delete_feed_version": 7,
	"can_create_feed":         8,
	"can_delete_feed":         9,
	"can_set_group":           10,
	"can_set_tenant":          11,
}
// AdminRelation is the exported alias for Relation_admin.
var AdminRelation = Relation_admin
// CanCreateFeed is the exported alias for Action_can_create_feed.
var CanCreateFeed = Action_can_create_feed
// CanCreateFeedVersion is the exported alias for Action_can_create_feed_version.
var CanCreateFeedVersion = Action_can_create_feed_version
// CanCreateOrg is the exported alias for Action_can_create_org.
var CanCreateOrg = Action_can_create_org
// CanDeleteFeed is the exported alias for Action_can_delete_feed.
var CanDeleteFeed = Action_can_delete_feed
// CanDeleteFeedVersion is the exported alias for Action_can_delete_feed_version.
var CanDeleteFeedVersion = Action_can_delete_feed_version
// CanDeleteOrg is the exported alias for Action_can_delete_org.
var CanDeleteOrg = Action_can_delete_org
// CanEditMembers is the exported alias for Action_can_edit_members, the
// action the AdminManager doc names as the gate for user-assignment resolvers.
var CanEditMembers = Action_can_edit_members
// CanSetGroup is the exported alias for Action_can_set_group.
var CanSetGroup = Action_can_set_group
// CanSetTenant is the exported alias for Action_can_set_tenant.
var CanSetTenant = Action_can_set_tenant
// EditorRelation is the exported alias for Relation_editor.
var EditorRelation = Relation_editor
// ErrUnauthorized is the package's sentinel "unauthorized" error.
// Match it with errors.Is rather than ==, since callers may wrap it with %w.
var ErrUnauthorized = errors.New("unauthorized")
// FeedType is the exported alias for ObjectType_feed.
var FeedType = ObjectType_feed
// FeedVersionType is the exported alias for ObjectType_feed_version.
var FeedVersionType = ObjectType_feed_version
// GroupType aliases ObjectType_org: "group" and "org" are the same object
// type (ObjectType_value maps both names to 2; ObjectType_name renders 2 as "org").
var GroupType = ObjectType_org
// ManagerRelation is the exported alias for Relation_manager.
var ManagerRelation = Relation_manager
// MemberRelation is the exported alias for Relation_member.
var MemberRelation = Relation_member
// ObjectType_name maps each ObjectType enum value to its canonical name.
// Value 2 is rendered as "org" even when it was parsed from the "group"
// alias accepted by ObjectType_value.
var ObjectType_name = map[int32]string{
	0: "empty_object",
	1: "tenant",
	2: "org",
	3: "feed",
	4: "feed_version",
	5: "user",
}
// ObjectType_value maps an ObjectType name to its enum value. Unlike the
// other *_value tables it is not a strict inverse of its *_name table:
// "group" is an extra alias for 2, so a value parsed from "group" stringifies
// as "org". Anything comparing names rather than values must allow for that.
var ObjectType_value = map[string]int32{
	"empty_object": 0,
	"tenant":       1,
	"org":          2,
	"group":        2, // alias of "org"; ObjectType_name has no "group" entry
	"feed":         3,
	"feed_version": 4,
	"user":         5,
}
// ParentRelation is the exported alias for Relation_parent, the relation
// PermissionManager.SetParent presumably writes — confirm against the implementation.
var ParentRelation = Relation_parent
// Relation_name maps each Relation enum value to its canonical name.
// It is the inverse of Relation_value; every value here has exactly one name.
var Relation_name = map[int32]string{
	0: "empty_relation",
	1: "admin",
	2: "member",
	3: "manager",
	4: "viewer",
	5: "editor",
	6: "parent",
}
// Relation_value maps a Relation name to its enum value; it mirrors
// Relation_name one-to-one. Value 0 ("empty_relation") is the zero value and
// names no relationship.
var Relation_value = map[string]int32{
	"empty_relation": 0,
	"admin":          1,
	"member":         2,
	"manager":        3,
	"viewer":         4,
	"editor":         5,
	"parent":         6,
}
// TenantType is the exported alias for ObjectType_tenant.
var TenantType = ObjectType_tenant
// UserType is the exported alias for ObjectType_user.
var UserType = ObjectType_user
// ViewerRelation is the exported alias for Relation_viewer.
var ViewerRelation = Relation_viewer

Functions

func IsAction

func IsAction(v Action) bool

func IsObjectType

func IsObjectType(v ObjectType) bool

func IsRelation

func IsRelation(v Relation) bool

Types

type Action

// Action is a permission action checked against an object via Checker.Check.
// Its values are the Action_* constants; the zero value is Action_empty_action.
type Action int32

Action represents a permission action that can be checked.

// Action enum values. Action_empty_action is the zero value, so an unset or
// zero-initialized Action decodes as "no action" rather than any real permission.
const (
	Action_empty_action            Action = 0
	Action_can_view                Action = 1
	Action_can_edit                Action = 2
	Action_can_edit_members        Action = 3
	Action_can_create_org          Action = 4
	Action_can_delete_org          Action = 5
	Action_can_create_feed_version Action = 6
	Action_can_delete_feed_version Action = 7
	Action_can_create_feed         Action = 8
	Action_can_delete_feed         Action = 9
	Action_can_set_group           Action = 10
	Action_can_set_tenant          Action = 11
)

func ActionString

func ActionString(v string) (Action, error)

func (Action) MarshalText added in v1.3.3

func (a Action) MarshalText() ([]byte, error)

MarshalText implements encoding.TextMarshaler so Action works as a JSON map key.

func (Action) String

func (a Action) String() string

func (*Action) UnmarshalText added in v1.3.3

func (a *Action) UnmarshalText(text []byte) error

UnmarshalText implements encoding.TextUnmarshaler.

type ActionSet added in v1.3.3

// ActionSet is a type alias (=), not a defined type, so it is interchangeable
// with map[Action]bool. A missing key reads as false, i.e. "not allowed".
type ActionSet = map[Action]bool

ActionSet is the result of checking what a user can do on an object.

type AdminManager added in v1.3.3

// AdminManager embeds PermissionManager (and therefore Checker) and adds the
// DB-writing admin operations. Per the type doc, the resolvers gate these on
// can_edit_members only; any narrowing of which users are returned is the
// UserProvider's job, so implementations must not assume the caller filtered.
type AdminManager interface {
	PermissionManager
	// UserList searches users by request; result visibility scoping lives in the UserProvider layer.
	UserList(ctx context.Context, req *UserListRequest) (*UserListResponse, error)
	// User looks up a single user by request.
	User(ctx context.Context, req *UserRequest) (*UserResponse, error)
	// TenantSave creates or updates a tenant record (a DB entity, not an authz tuple).
	TenantSave(ctx context.Context, req *TenantSaveRequest) (*TenantSaveResponse, error)
	// TenantCreateGroup creates a group under a tenant; it returns a GroupSaveResponse.
	TenantCreateGroup(ctx context.Context, req *TenantCreateGroupRequest) (*GroupSaveResponse, error)
	// GroupSave creates or updates a group record.
	GroupSave(ctx context.Context, req *GroupSaveRequest) (*GroupSaveResponse, error)
}

AdminManager extends PermissionManager with admin-specific DB write operations for managing tenants and groups. These are not expressible through the generic permission interface because they create/update database entities, not just authorization tuples.

Implementations that expose user search (e.g., for assigning users to tenants/groups) must handle visibility scoping in the UserProvider layer. The GraphQL resolvers gate access via can_edit_members but do not filter results — the UserProvider is responsible for limiting which users are returned based on deployment-specific rules (e.g., Auth0 organization boundaries, tenant membership, etc.).

type AdminRoleChecker added in v1.3.4

// AdminRoleChecker is a Checker that answers every Check from the authn
// user's role ("admin") or membership in GlobalAdminUserIDs; it consults no
// FGA backend, so the allow/deny decision is all-or-nothing per principal.
type AdminRoleChecker struct {
	// Authn user IDs treated as admin in addition to the "admin" role.
	// Membership here grants every action on every object, so the list
	// should be populated from trusted configuration only.
	GlobalAdminUserIDs []string
}

AdminRoleChecker allows all operations when the authn user has the "admin" role or an ID in GlobalAdminUserIDs, and denies them otherwise. It is intended for deployments without an FGA backend that still need to gate mutations; callers must ensure that the "admin" role and the listed IDs are granted only to trusted principals.

func (*AdminRoleChecker) Check added in v1.3.4

func (c *AdminRoleChecker) Check(ctx context.Context, obj ObjectRef, action Action) (bool, error)

func (*AdminRoleChecker) IsGlobalAdmin added in v1.3.4

func (c *AdminRoleChecker) IsGlobalAdmin(ctx context.Context) (bool, error)

func (*AdminRoleChecker) ListObjects added in v1.3.4

func (c *AdminRoleChecker) ListObjects(ctx context.Context, objType ObjectType) ([]ObjectRef, error)

func (*AdminRoleChecker) Me added in v1.3.4

type AllowAllChecker added in v1.3.3

// AllowAllChecker is a zero-size Checker whose every query succeeds; per the
// type doc its Me() synthesizes an "admin" identity for anonymous callers, so
// it must not be installed where permissions are enforced.
type AllowAllChecker struct{}

AllowAllChecker is the explicit "allow all" Checker — install it when a deployment wants to opt out of authorization. Pairs with DenyAllChecker. Use only in demo binaries or tests; never in a deployment that enforces per-feed permissions. When no authn user is present, Me() returns a synthetic identity with the "admin" role, so anonymous callers also pass any handler gated on RoleRequired("admin").

func (*AllowAllChecker) Check added in v1.3.3

func (c *AllowAllChecker) Check(ctx context.Context, obj ObjectRef, action Action) (bool, error)

func (*AllowAllChecker) IsGlobalAdmin added in v1.3.3

func (c *AllowAllChecker) IsGlobalAdmin(ctx context.Context) (bool, error)

func (*AllowAllChecker) ListObjects added in v1.3.3

func (c *AllowAllChecker) ListObjects(ctx context.Context, objType ObjectType) ([]ObjectRef, error)

func (*AllowAllChecker) Me added in v1.3.3

func (c *AllowAllChecker) Me(ctx context.Context) (*UserInfo, error)

type Checker added in v1.3.3

// Checker is the read-only authorization query interface used on the data
// path. Implementations decide; callers are expected to treat a false result
// or a non-nil error as "not allowed".
type Checker interface {
	// Me returns the calling user's identity (UserInfo), derived from ctx.
	Me(ctx context.Context) (*UserInfo, error)
	// IsGlobalAdmin reports whether the caller has unrestricted access.
	IsGlobalAdmin(ctx context.Context) (bool, error)
	// ListObjects returns objects of objType — presumably those the caller may
	// access; confirm against each implementation.
	ListObjects(ctx context.Context, objType ObjectType) ([]ObjectRef, error)
	// Check reports whether the caller may perform action on obj.
	Check(ctx context.Context, obj ObjectRef, action Action) (bool, error)
}

Checker is the read-only query interface used by the data path (perm_filter, actions, dbfinder mutations, GraphQL resolvers).

type DenyAllChecker added in v1.3.3

// DenyAllChecker is a zero-size Checker that denies every Check. It does not
// hide public feeds on read paths (see the type doc on pfJoinCheck).
type DenyAllChecker struct{}

DenyAllChecker is the explicit "deny all" Checker — install it when callers should have no per-feed access. Read paths still see public feeds via the unconditional public clause in pfJoinCheck.

func (*DenyAllChecker) Check added in v1.3.3

func (c *DenyAllChecker) Check(ctx context.Context, obj ObjectRef, action Action) (bool, error)

func (*DenyAllChecker) IsGlobalAdmin added in v1.3.3

func (c *DenyAllChecker) IsGlobalAdmin(ctx context.Context) (bool, error)

func (*DenyAllChecker) ListObjects added in v1.3.3

func (c *DenyAllChecker) ListObjects(ctx context.Context, objType ObjectType) ([]ObjectRef, error)

func (*DenyAllChecker) Me added in v1.3.3

func (c *DenyAllChecker) Me(ctx context.Context) (*UserInfo, error)

type EntityKey

// EntityKey names an entity by type and name, optionally qualified by a
// relation (RefRel), and serves as the subject side of a TupleKey.
type EntityKey struct {
	Type   ObjectType `json:"type"`
	Name   string     `json:"name"`
	// RefRel is the relation qualifier set by WithRefRel; zero means unqualified.
	RefRel Relation   `json:"ref_rel"`
}

func NewEntityKey

func NewEntityKey(t ObjectType, name string) EntityKey

func (EntityKey) Equals

func (ek EntityKey) Equals(other EntityKey) bool

func (EntityKey) ID

func (ek EntityKey) ID() int64

func (EntityKey) String

func (ek EntityKey) String() string

func (EntityKey) WithRefRel

func (ek EntityKey) WithRefRel(r Relation) EntityKey

type EntityProvider added in v1.3.4

// EntityProvider hydrates entity IDs into records for response payloads.
// These are plain metadata lookups and make no authorization decision: the
// IDs passed in must already have been produced by (or checked against) a
// Checker, otherwise hydration exposes records the caller cannot see.
type EntityProvider interface {
	GetTenants(ctx context.Context, ids []int64) ([]*Tenant, error)
	GetGroups(ctx context.Context, ids []int64) ([]*Group, error)
	GetFeeds(ctx context.Context, ids []int64) ([]*Feed, error)
	GetFeedVersions(ctx context.Context, ids []int64) ([]*FeedVersion, error)
}

EntityProvider hydrates ObjectRef IDs into typed entity records for HTTP response payloads. Separate from AdminManager — these are plain DB metadata lookups, not authz decisions.

type EntityRelation

// EntityRelation describes an entity together with the relation it holds.
// All fields are omitempty, so zero-valued enums (the empty_* values) are
// dropped from JSON rather than emitted.
type EntityRelation struct {
	Type        ObjectType `json:"type,omitempty"`
	// Id is a string here, unlike the int64 returned by EntityKey.ID() and Int64().
	Id          string     `json:"id,omitempty"`
	Name        string     `json:"name,omitempty"`
	RefRelation Relation   `json:"ref_relation,omitempty"`
	Relation    Relation   `json:"relation,omitempty"`
}

func NewEntityRelation

func NewEntityRelation(ek EntityKey, rel Relation) *EntityRelation

func (*EntityRelation) GetId

func (x *EntityRelation) GetId() string

func (*EntityRelation) GetName

func (x *EntityRelation) GetName() string

func (*EntityRelation) GetRefRelation

func (x *EntityRelation) GetRefRelation() Relation

func (*EntityRelation) GetRelation

func (x *EntityRelation) GetRelation() Relation

func (*EntityRelation) GetType

func (x *EntityRelation) GetType() ObjectType

func (*EntityRelation) Int64

func (er *EntityRelation) Int64() int64

func (*EntityRelation) WithObject

func (er *EntityRelation) WithObject(ek EntityKey) TupleKey

type Feed

// Feed is the hydrated record for an ObjectType_feed entity.
type Feed struct {
	Id        int64  `json:"id,omitempty"`
	// OnestopId is the feed's external identifier; its format is not defined here.
	OnestopId string `json:"onestop_id,omitempty"`
	Name      string `json:"name,omitempty"`
}

func (*Feed) GetId

func (x *Feed) GetId() int64

func (*Feed) GetName

func (x *Feed) GetName() string

func (*Feed) GetOnestopId

func (x *Feed) GetOnestopId() string

type FeedVersion

// FeedVersion is the hydrated record for an ObjectType_feed_version entity.
type FeedVersion struct {
	Id     int64  `json:"id,omitempty"`
	Name   string `json:"name,omitempty"`
	// Sha1 is presumably the hex digest of the feed file — confirm with the loader.
	Sha1   string `json:"sha1,omitempty"`
	// FeedId links the version to its parent Feed.Id.
	FeedId int64  `json:"feed_id,omitempty"`
}

func (*FeedVersion) GetFeedId

func (x *FeedVersion) GetFeedId() int64

func (*FeedVersion) GetId

func (x *FeedVersion) GetId() int64

func (*FeedVersion) GetName

func (x *FeedVersion) GetName() string

func (*FeedVersion) GetSha1

func (x *FeedVersion) GetSha1() string

type Group

// Group is the hydrated record for a group (ObjectType_org) entity.
type Group struct {
	Id   int64  `json:"id,omitempty"`
	Name string `json:"name,omitempty"`
}

func (*Group) GetId

func (x *Group) GetId() int64

func (*Group) GetName

func (x *Group) GetName() string

type GroupSaveRequest

// GroupSaveRequest carries the group to create or update via AdminManager.GroupSave.
type GroupSaveRequest struct {
	Group *Group `json:"group,omitempty"`
}

func (*GroupSaveRequest) GetGroup

func (x *GroupSaveRequest) GetGroup() *Group

type GroupSaveResponse

// GroupSaveResponse returns the saved group from GroupSave and TenantCreateGroup.
type GroupSaveResponse struct {
	Group *Group `json:"group,omitempty"`
}

type ObjectPermissions added in v1.3.3

// ObjectPermissions is the result of PermissionManager.ObjectPermissions:
// what the caller may do on Ref, who holds relations on it, and its tree position.
type ObjectPermissions struct {
	Ref      ObjectRef    `json:"ref"`
	// Actions is the caller's allowed actions; absent keys mean not allowed.
	Actions  ActionSet    `json:"actions"`
	// Subjects lists the principals related to Ref — a sensitive field to expose.
	Subjects []SubjectRef `json:"subjects"`
	// Parent is nil (and omitted) when Ref has no parent.
	Parent   *ObjectRef   `json:"parent,omitempty"`
	Children []ObjectRef  `json:"children,omitempty"`
}

ObjectPermissions is the generic return from a permissions query.

type ObjectRef added in v1.3.3

// ObjectRef identifies an entity by type and numeric ID. Name is informational
// and omitted from JSON when empty; Type and ID alone identify the object.
type ObjectRef struct {
	Type ObjectType `json:"type"`
	ID   int64      `json:"id"`
	Name string     `json:"name,omitempty"`
}

ObjectRef identifies an entity in the authorization system.

type ObjectType

// ObjectType is the kind of an entity in the authorization model; values are
// the ObjectType_* constants and the zero value is ObjectType_empty_object.
type ObjectType int32

ObjectType represents the type of an entity in the authorization model.

// ObjectType enum values. ObjectType_org is also reachable under the "group"
// name (see ObjectType_value and GroupType).
const (
	ObjectType_empty_object ObjectType = 0
	ObjectType_tenant       ObjectType = 1
	ObjectType_org          ObjectType = 2
	ObjectType_feed         ObjectType = 3
	ObjectType_feed_version ObjectType = 4
	ObjectType_user         ObjectType = 5
)

func ObjectTypeString

func ObjectTypeString(v string) (ObjectType, error)

func (ObjectType) MarshalText added in v1.3.3

func (o ObjectType) MarshalText() ([]byte, error)

MarshalText implements encoding.TextMarshaler so ObjectType works as a JSON map key.

func (ObjectType) String

func (o ObjectType) String() string

func (*ObjectType) UnmarshalJSON added in v1.3.4

func (o *ObjectType) UnmarshalJSON(data []byte) error

UnmarshalJSON accepts either a JSON number (proto3 enum int value) or a JSON string (enum name). The admin REST API migration guide documents that request bodies use integer enum values; this keeps that working without giving up the string form used elsewhere.

func (*ObjectType) UnmarshalText added in v1.3.3

func (o *ObjectType) UnmarshalText(text []byte) error

UnmarshalText implements encoding.TextUnmarshaler.

type PermissionManager added in v1.3.3

// PermissionManager extends Checker with permission writes. Every method must
// enforce authorization itself; callers delegate all access control here and
// perform no check of their own (see the type doc).
type PermissionManager interface {
	Checker
	// ObjectPermissions returns the caller's actions, subjects and tree position for obj.
	ObjectPermissions(ctx context.Context, obj ObjectRef) (*ObjectPermissions, error)
	// SetParent places child under parent in the object hierarchy.
	SetParent(ctx context.Context, child ObjectRef, parent ObjectRef) error
	// AddPermission grants subject the given relation on obj.
	AddPermission(ctx context.Context, obj ObjectRef, subject EntityKey, relation Relation) error
	// RemovePermission revokes subject's relation on obj.
	RemovePermission(ctx context.Context, obj ObjectRef, subject EntityKey, relation Relation) error
}

PermissionManager extends Checker with write operations for managing permissions, parents, and viewing detailed permission info. Implementations must enforce authorization checks internally — callers (e.g., GraphQL resolvers) delegate all access control to these methods.

type Relation

// Relation is a relationship a subject holds on an object; values are the
// Relation_* constants and the zero value is Relation_empty_relation.
type Relation int32

Relation represents a relationship between entities.

// Relation enum values. Relation_empty_relation is the zero value, so a
// zero-initialized Relation field names no relationship.
const (
	Relation_empty_relation Relation = 0
	Relation_admin          Relation = 1
	Relation_member         Relation = 2
	Relation_manager        Relation = 3
	Relation_viewer         Relation = 4
	Relation_editor         Relation = 5
	Relation_parent         Relation = 6
)

func RelationString

func RelationString(v string) (Relation, error)

func (Relation) MarshalText added in v1.3.3

func (r Relation) MarshalText() ([]byte, error)

MarshalText implements encoding.TextMarshaler so Relation works as a JSON map key.

func (Relation) String

func (r Relation) String() string

func (*Relation) UnmarshalJSON added in v1.3.4

func (r *Relation) UnmarshalJSON(data []byte) error

UnmarshalJSON accepts either a JSON number (proto3 enum int value) or a JSON string (enum name). See ObjectType.UnmarshalJSON for rationale.

func (*Relation) UnmarshalText added in v1.3.3

func (r *Relation) UnmarshalText(text []byte) error

UnmarshalText implements encoding.TextUnmarshaler.

type SubjectRef added in v1.3.3

// SubjectRef records that Subject holds Relation on some object, with a
// display Name. None of the fields are omitempty, so all three are always emitted.
type SubjectRef struct {
	Subject  EntityKey `json:"subject"`
	Relation Relation  `json:"relation"`
	Name     string    `json:"name"`
}

SubjectRef describes who has a relationship to an object.

type Tenant

// Tenant is the hydrated record for an ObjectType_tenant entity.
type Tenant struct {
	Id   int64  `json:"id,omitempty"`
	Name string `json:"name,omitempty"`
}

func (*Tenant) GetId

func (x *Tenant) GetId() int64

func (*Tenant) GetName

func (x *Tenant) GetName() string

type TenantCreateGroupRequest

// TenantCreateGroupRequest asks AdminManager.TenantCreateGroup to create Group
// under a tenant.
type TenantCreateGroupRequest struct {
	// Id is presumably the tenant's Id — confirm against the implementation.
	Id    int64  `json:"id,omitempty"`
	Group *Group `json:"group,omitempty"`
}

func (*TenantCreateGroupRequest) GetGroup

func (x *TenantCreateGroupRequest) GetGroup() *Group

func (*TenantCreateGroupRequest) GetId

func (x *TenantCreateGroupRequest) GetId() int64

type TenantSaveRequest

// TenantSaveRequest carries the tenant to create or update via AdminManager.TenantSave.
type TenantSaveRequest struct {
	Tenant *Tenant `json:"tenant,omitempty"`
}

func (*TenantSaveRequest) GetTenant

func (x *TenantSaveRequest) GetTenant() *Tenant

type TenantSaveResponse

// TenantSaveResponse is the empty result of AdminManager.TenantSave; unlike
// GroupSaveResponse it does not echo the saved record.
type TenantSaveResponse struct{}

type TupleKey

// TupleKey is a subject/object pair with either an Action (for checks) or a
// Relation (for tuples); see ActionOrRelation and Validate.
type TupleKey struct {
	// Subject and Object carry no json tag, so they encode under the Go field
	// names "Subject"/"Object" while the other fields use snake_case keys.
	Subject  EntityKey
	Object   EntityKey
	Action   Action   `json:"action"`
	Relation Relation `json:"relation"`
}

func NewTupleKey

func NewTupleKey() TupleKey

func (TupleKey) ActionOrRelation

func (tk TupleKey) ActionOrRelation() string

func (TupleKey) Equals

func (tk TupleKey) Equals(other TupleKey) bool

func (TupleKey) IsValid

func (tk TupleKey) IsValid() bool

func (TupleKey) String

func (tk TupleKey) String() string

func (TupleKey) Validate

func (tk TupleKey) Validate() error

func (TupleKey) WithAction

func (tk TupleKey) WithAction(action Action) TupleKey

func (TupleKey) WithObject

func (tk TupleKey) WithObject(objectType ObjectType, objectName string) TupleKey

func (TupleKey) WithObjectID

func (tk TupleKey) WithObjectID(objectType ObjectType, objectId int64) TupleKey

func (TupleKey) WithRelation

func (tk TupleKey) WithRelation(relation Relation) TupleKey

func (TupleKey) WithSubject

func (tk TupleKey) WithSubject(userType ObjectType, userName string) TupleKey

func (TupleKey) WithSubjectID

func (tk TupleKey) WithSubjectID(userType ObjectType, userId int64) TupleKey

func (TupleKey) WithUser

func (tk TupleKey) WithUser(user string) TupleKey

type User

// User is the record returned by AdminManager user lookups. Id is a string
// (an authn identifier), unlike the int64 ids of the other entity records.
type User struct {
	Id    string `json:"id,omitempty"`
	Name  string `json:"name,omitempty"`
	Email string `json:"email,omitempty"`
}

func (*User) GetEmail

func (x *User) GetEmail() string

func (*User) GetId

func (x *User) GetId() string

func (*User) GetName

func (x *User) GetName() string

type UserInfo added in v1.3.3

// UserInfo is the caller identity returned by Checker.Me(). No field is
// omitempty, so empty collections serialize as null rather than being dropped.
type UserInfo struct {
	ID             string            `json:"id"`
	Name           string            `json:"name"`
	Email          string            `json:"email"`
	// Roles are authn-supplied; AdminRoleChecker treats the "admin" role as full access.
	Roles          []string          `json:"roles"`
	Groups         []Group           `json:"groups"`
	// ExpandedGroups presumably includes groups reached transitively — confirm with the provider.
	ExpandedGroups []Group           `json:"expanded_groups"`
	// ExternalData is provider-specific; its keys are not defined by this package.
	ExternalData   map[string]string `json:"external_data"`
}

UserInfo is the return from Checker.Me().

type UserListRequest

// UserListRequest is the input to AdminManager.UserList.
type UserListRequest struct {
	// Q is a search string; how it is matched is up to the UserProvider.
	Q string `json:"q,omitempty"`
}

func (*UserListRequest) GetQ

func (x *UserListRequest) GetQ() string

type UserListResponse

// UserListResponse is the output of AdminManager.UserList; visibility scoping
// of Users is the UserProvider's responsibility (see AdminManager).
type UserListResponse struct {
	Users []*User `json:"users,omitempty"`
}

type UserRequest

// UserRequest is the input to AdminManager.User, keyed by the user's string Id.
type UserRequest struct {
	Id string `json:"id,omitempty"`
}

func (*UserRequest) GetId

func (x *UserRequest) GetId() string

type UserResponse

// UserResponse is the output of AdminManager.User; User is nil (omitted) when absent.
type UserResponse struct {
	User *User `json:"user,omitempty"`
}
