permissions

package
Published: Feb 7, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Overview

Package permissions provides RBAC/ABAC permission management for protobuf services.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AccessLevel

// AccessLevel represents the level of access for matrix display.
// It reduces a method's Permission to a handful of flags so a Matrix cell
// can be rendered without carrying the full Permission.
type AccessLevel struct {
	// Allowed indicates if access is allowed for the role or scope the cell belongs to.
	Allowed bool `json:"allowed" yaml:"allowed"`
	// RequireMFA indicates if MFA is required.
	RequireMFA bool `json:"require_mfa,omitempty" yaml:"require_mfa,omitempty"`
	// Conditions indicates if there are conditions.
	// NOTE(review): presumably true when the underlying Permission has a
	// non-empty Conditions list; the flag does not say which conditions
	// apply — confirm in BuildMatrix.
	Conditions bool `json:"conditions,omitempty" yaml:"conditions,omitempty"`
	// RateLimit indicates if there is rate limiting.
	RateLimit bool `json:"rate_limit,omitempty" yaml:"rate_limit,omitempty"`
}

AccessLevel represents the level of access for matrix display.

type Analyzer

// Analyzer analyzes permissions for issues and generates reports.
// Custom AuditRules are registered with AddRule and presumably evaluated
// by Audit; Diff and Summary operate on ServicePermissions sets directly.
type Analyzer struct {
	// contains filtered or unexported fields
}

Analyzer analyzes permissions for issues and generates reports.

func NewAnalyzer

func NewAnalyzer() *Analyzer

NewAnalyzer creates a new permission analyzer with default rules.

func (*Analyzer) AddRule

func (a *Analyzer) AddRule(rule AuditRule)

AddRule adds a custom audit rule.

func (*Analyzer) Audit

func (a *Analyzer) Audit(ctx context.Context, services []*ServicePermissions) []AuditIssue

Audit analyzes permissions and returns audit issues.

func (*Analyzer) Diff

func (a *Analyzer) Diff(ctx context.Context, old, new []*ServicePermissions) []PermissionDiff

Diff compares two permission sets and returns differences.

func (*Analyzer) Summary

func (a *Analyzer) Summary(services []*ServicePermissions) PermissionSummary

Summary returns a summary of permissions.

type AuditEntry

// AuditEntry represents an audit log entry: one authorization decision
// for a user invoking a method.
type AuditEntry struct {
	// Timestamp is when the action occurred.
	// NOTE(review): the string format is not specified here — confirm
	// before parsing or sorting on it.
	Timestamp string `json:"timestamp" yaml:"timestamp"`
	// Service is the service name.
	Service string `json:"service" yaml:"service"`
	// Method is the method name.
	Method string `json:"method" yaml:"method"`
	// UserID is the user who performed the action.
	UserID string `json:"user_id" yaml:"user_id"`
	// Roles are the user's roles at the time of the decision.
	Roles []string `json:"roles" yaml:"roles"`
	// Action is the permission action.
	Action string `json:"action" yaml:"action"`
	// Resource is the resource being accessed.
	Resource string `json:"resource" yaml:"resource"`
	// ResourceID is the specific resource ID, when one applies.
	ResourceID string `json:"resource_id,omitempty" yaml:"resource_id,omitempty"`
	// Allowed indicates if access was granted.
	Allowed bool `json:"allowed" yaml:"allowed"`
	// Reason explains why access was granted/denied. It is optional in the
	// encoding (omitempty), so consumers must not assume it is present.
	Reason string `json:"reason,omitempty" yaml:"reason,omitempty"`
}

AuditEntry represents an audit log entry.

type AuditIssue

// AuditIssue represents a permission audit issue raised by an AuditRule.
type AuditIssue struct {
	// RuleID is the rule identifier (see AuditRule.ID).
	RuleID string `json:"rule_id" yaml:"rule_id"`
	// Severity is the issue severity.
	Severity IssueSeverity `json:"severity" yaml:"severity"`
	// Service is the affected service.
	Service string `json:"service" yaml:"service"`
	// Method is the affected method; empty when the issue is service-wide.
	Method string `json:"method,omitempty" yaml:"method,omitempty"`
	// Message describes the issue.
	Message string `json:"message" yaml:"message"`
	// Fix provides a fix suggestion, if the rule has one.
	Fix string `json:"fix,omitempty" yaml:"fix,omitempty"`
}

AuditIssue represents a permission audit issue.

type AuditRule

// AuditRule defines a rule for auditing permissions.
type AuditRule struct {
	// ID identifies the rule; presumably surfaced as AuditIssue.RuleID.
	ID          string
	// Name is a short human-readable name for the rule.
	Name        string
	// Description explains what the rule checks.
	Description string
	// Severity is the severity assigned to issues this rule raises.
	Severity    IssueSeverity
	// Check evaluates perm, the permission configured for method on
	// service, and returns the issue found. A nil result presumably means
	// the rule is satisfied — confirm against Analyzer.Audit.
	Check       func(service *ServicePermissions, method string, perm *Permission) *AuditIssue
}

AuditRule defines a rule for auditing permissions.

type Condition

// Condition represents an ABAC condition: one comparison of a field
// against either a dynamically sourced value or a static Value.
type Condition struct {
	// Field is the field to check.
	Field string `json:"field" yaml:"field"`
	// Operator is the comparison operator; see the ConditionOperator constants.
	Operator ConditionOperator `json:"operator" yaml:"operator"`
	// Source is where to get the comparison value.
	// NOTE(review): the set of valid Source names is not defined here —
	// confirm in the condition evaluator.
	Source string `json:"source" yaml:"source"`
	// Value is a static comparison value (if Source is not set).
	// It is untyped, so the evaluator must validate it against Operator.
	Value interface{} `json:"value,omitempty" yaml:"value,omitempty"`
}

Condition represents an ABAC condition.

type ConditionOperator

// ConditionOperator is the type of condition comparison used by Condition.Operator.
type ConditionOperator string

ConditionOperator is the type of condition comparison.

// Condition operators. The string values are the serialized form used in
// JSON/YAML and proto annotations.
const (
	// OpEqual checks for equality.
	OpEqual ConditionOperator = "eq"
	// OpNotEqual checks for inequality.
	OpNotEqual ConditionOperator = "neq"
	// OpIn checks if value is in a list.
	OpIn ConditionOperator = "in"
	// OpNotIn checks if value is not in a list.
	OpNotIn ConditionOperator = "not_in"
	// OpContains checks if a list contains a value.
	OpContains ConditionOperator = "contains"
	// OpGreaterThan checks if value is greater.
	// NOTE(review): whether comparison is numeric or lexical is not
	// specified here — confirm in the evaluator.
	OpGreaterThan ConditionOperator = "gt"
	// OpLessThan checks if value is less.
	OpLessThan ConditionOperator = "lt"
	// OpExists checks if a field exists.
	OpExists ConditionOperator = "exists"
)

type DiffType

// DiffType represents the type of permission change reported in a PermissionDiff.
type DiffType string

DiffType represents the type of permission change.

// Permission diff types, as produced by Analyzer.Diff.
const (
	// DiffAdded means a new permission was added (only New is set).
	DiffAdded DiffType = "added"
	// DiffRemoved means a permission was removed (only Old is set).
	DiffRemoved DiffType = "removed"
	// DiffModified means a permission was modified (both Old and New are set).
	DiffModified DiffType = "modified"
)

type Generator

// Generator generates permission code for various frameworks.
// It is configured by the GeneratorOptions passed to NewGenerator.
type Generator struct {
	// contains filtered or unexported fields
}

Generator generates permission code for various frameworks.

func NewGenerator

func NewGenerator(opts GeneratorOptions) *Generator

NewGenerator creates a new permission code generator.

func (*Generator) Generate

func (g *Generator) Generate(services []*ServicePermissions) (string, error)

Generate generates code for the specified framework.

type GeneratorOptions

// GeneratorOptions contains options for code generation.
type GeneratorOptions struct {
	// Framework is the authorization framework (go, casbin, opa).
	Framework string `json:"framework" yaml:"framework"`
	// Package is the generated package name.
	Package string `json:"package" yaml:"package"`
	// OutputDir is the output directory.
	// NOTE(review): Generate returns the code as a string, so how OutputDir
	// is used is not visible here — confirm before relying on it.
	OutputDir string `json:"output_dir" yaml:"output_dir"`
	// GenerateConstants generates constants for actions/roles/scopes.
	GenerateConstants bool `json:"generate_constants" yaml:"generate_constants"`
	// IncludeTests generates test files.
	IncludeTests bool `json:"include_tests" yaml:"include_tests"`
}

GeneratorOptions contains options for code generation.

type IssueSeverity

// IssueSeverity represents the severity of an audit issue.
// Higher values are more severe (see the Severity* constants).
type IssueSeverity int

IssueSeverity represents the severity of an audit issue.

// Issue severities, in increasing order: Info (0), Warning (1), Error (2).
const (
	// SeverityInfo for informational issues.
	SeverityInfo IssueSeverity = iota
	// SeverityWarning for warning issues.
	SeverityWarning
	// SeverityError for error issues.
	SeverityError
)

type Matrix

// Matrix represents a permission access matrix built by BuildMatrix and
// rendered by RenderText, RenderMarkdown and RenderHTML.
type Matrix struct {
	// Services lists the service names in the matrix.
	Services []string
	// Methods lists the methods of each service.
	Methods  map[string][]string // service -> methods
	// Roles lists every role referenced by any permission.
	Roles    []string
	// Scopes lists every OAuth scope referenced by any permission.
	Scopes   []string
	// Access holds one AccessLevel per method and per role or scope.
	Access   map[string]map[string]*AccessLevel // "service.method" -> role/scope -> access
}

Matrix represents a permission access matrix.

func BuildMatrix

func BuildMatrix(services []*ServicePermissions) *Matrix

BuildMatrix builds a permission matrix from services.

func (*Matrix) RenderHTML

func (m *Matrix) RenderHTML() (string, error)

RenderHTML renders the matrix as an HTML table.

func (*Matrix) RenderMarkdown

func (m *Matrix) RenderMarkdown() string

RenderMarkdown renders the matrix as a Markdown table.

func (*Matrix) RenderText

func (m *Matrix) RenderText() string

RenderText renders the matrix as a plain-text table.

type MethodPermission

// MethodPermission represents permissions for a specific RPC method,
// pairing the service and method names with their Permission.
type MethodPermission struct {
	// Service is the service name.
	Service string `json:"service" yaml:"service"`
	// Method is the method name.
	Method string `json:"method" yaml:"method"`
	// Permission is the permission configuration.
	Permission *Permission `json:"permission" yaml:"permission"`
}

MethodPermission represents permissions for a specific RPC method.

type Parser

// Parser parses permission annotations from proto files.
// ParseFile and ParseDirectory populate it; GetAllPermissions returns
// everything parsed so far.
type Parser struct {
	// contains filtered or unexported fields
}

Parser parses permission annotations from proto files.

func NewParser

func NewParser() *Parser

NewParser creates a new permission parser.

func (*Parser) GetAllPermissions

func (p *Parser) GetAllPermissions() []*ServicePermissions

GetAllPermissions returns all parsed permissions.

func (*Parser) ParseDirectory

func (p *Parser) ParseDirectory(ctx context.Context, dir string) ([]*ServicePermissions, error)

ParseDirectory parses all proto files in a directory.

func (*Parser) ParseFile

func (p *Parser) ParseFile(ctx context.Context, path string) ([]*ServicePermissions, error)

ParseFile parses permissions from a proto file.

type Permission

// Permission represents a single permission rule for an RPC method.
type Permission struct {
	// Action is the permission action (e.g., "read", "write", "delete").
	Action string `json:"action" yaml:"action"`
	// Roles lists allowed roles.
	Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
	// Scopes lists required OAuth scopes.
	Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
	// Conditions are ABAC conditions.
	Conditions []Condition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
	// AllowSelf allows users to access their own resources.
	// NOTE(review): how ownership is determined is not visible here —
	// confirm in the enforcement code.
	AllowSelf bool `json:"allow_self,omitempty" yaml:"allow_self,omitempty"`
	// RequireMFA requires multi-factor authentication.
	RequireMFA bool `json:"require_mfa,omitempty" yaml:"require_mfa,omitempty"`
	// AuditLog enables audit logging for this action.
	AuditLog bool `json:"audit_log,omitempty" yaml:"audit_log,omitempty"`
	// RateLimit sets rate limiting for this action; nil means no limit is configured.
	RateLimit *RateLimit `json:"rate_limit,omitempty" yaml:"rate_limit,omitempty"`
	// Public makes this endpoint public (no auth required).
	// NOTE(review): whether Roles, Scopes and Conditions are still evaluated
	// for a Public method is not visible here — confirm in the enforcement
	// code, since an unintended Public flag exposes the method to anyone.
	Public bool `json:"public,omitempty" yaml:"public,omitempty"`
}

Permission represents a single permission rule for an RPC method.

type PermissionDiff

// PermissionDiff represents a difference between two permissions,
// as reported by Analyzer.Diff.
type PermissionDiff struct {
	// Type is the type of difference.
	Type DiffType `json:"type" yaml:"type"`
	// Service is the service name.
	Service string `json:"service" yaml:"service"`
	// Method is the method name.
	Method string `json:"method" yaml:"method"`
	// Old is the old permission (for removed/modified); nil for added.
	Old *Permission `json:"old,omitempty" yaml:"old,omitempty"`
	// New is the new permission (for added/modified); nil for removed.
	New *Permission `json:"new,omitempty" yaml:"new,omitempty"`
}

PermissionDiff represents a difference between two permissions.

type PermissionSummary

// PermissionSummary holds summary statistics, as returned by Analyzer.Summary.
type PermissionSummary struct {
	// ServiceCount is the number of services.
	ServiceCount int
	// MethodCount is the number of methods across all services.
	MethodCount  int
	// PublicCount is the number of methods marked Public (no auth required).
	PublicCount  int
	// ByRole counts methods per role.
	ByRole       map[string]int
	// ByScope counts methods per OAuth scope.
	ByScope      map[string]int
}

PermissionSummary holds summary statistics.

type RateLimit

// RateLimit specifies rate limiting configuration: at most Requests
// requests per Window.
type RateLimit struct {
	// Requests is the maximum number of requests.
	Requests int `json:"requests" yaml:"requests"`
	// Window is the time window (e.g., "1m", "1h").
	// NOTE(review): presumably a time.ParseDuration string — confirm.
	Window string `json:"window" yaml:"window"`
	// PerUser if true, rate limit is per user; otherwise presumably global.
	PerUser bool `json:"per_user,omitempty" yaml:"per_user,omitempty"`
}

RateLimit specifies rate limiting configuration.

type ServicePermissions

// ServicePermissions contains permissions for a service.
type ServicePermissions struct {
	// Service is the fully qualified service name.
	Service string `json:"service" yaml:"service"`
	// Resource is the resource name for this service.
	Resource string `json:"resource,omitempty" yaml:"resource,omitempty"`
	// DefaultRoles are default roles for all methods.
	// NOTE(review): how they combine with a method's own Permission.Roles
	// (fallback vs. union) is not visible here — confirm in the parser.
	DefaultRoles []string `json:"default_roles,omitempty" yaml:"default_roles,omitempty"`
	// Methods maps method names to permissions.
	Methods map[string]*Permission `json:"methods" yaml:"methods"`
}

ServicePermissions contains permissions for a service.
