Documentation
¶
Index ¶
- Variables
- func SortByPriority(userTypes []UserTypeConfig)
- func ValidateConfig(userTypes []UserTypeConfig) error
- type ActionCapability
- type BatchEvaluateRequest
- type BatchEvaluateResponse
- type CapabilityResource
- type ConfigurableDetector
- type Context
- type Decision
- type DecisionContext
- type Detector
- type Entitlement
- type EntitlementClaimInfo
- type EntitlementConfig
- type EvaluateRequest
- type PAP
- type PDP
- type PolicyEffectType
- type ProfileRequest
- type Resource
- type ResourceHierarchy
- type Role
- type RoleEntitlementMapping
- type Subject
- type SubjectContext
- type SubjectType
- type UserCapabilitiesResponse
- type UserTypeConfig
- type UserTypeInfo
Constants ¶
This section is empty.
Variables ¶
View Source
var ( ErrAuthzDisabled = fmt.Errorf("authorization is disabled - policy management operations are not available") ErrRoleAlreadyExists = fmt.Errorf("role already exists") ErrRoleNotFound = fmt.Errorf("role not found") ErrRolePolicyMappingAlreadyExists = fmt.Errorf("role policy mapping already exists") ErrRolePolicyMappingNotFound = fmt.Errorf("role policy mapping not found") ErrInvalidRequest = fmt.Errorf("invalid request") )
Functions ¶
func SortByPriority ¶ added in v0.8.0
func SortByPriority(userTypes []UserTypeConfig)
SortByPriority sorts user type configurations by priority (lower = higher priority)
func ValidateConfig ¶ added in v0.8.0
func ValidateConfig(userTypes []UserTypeConfig) error
ValidateConfig validates an array of user type configurations
Types ¶
type ActionCapability ¶ added in v0.8.0
type ActionCapability struct {
Allowed []*CapabilityResource `json:"allowed"`
Denied []*CapabilityResource `json:"denied"`
}
ActionCapability represents capabilities for a specific action
type BatchEvaluateRequest ¶
type BatchEvaluateRequest struct {
Requests []EvaluateRequest `json:"requests"`
}
BatchEvaluateRequest represents a batch of authorization requests
type BatchEvaluateResponse ¶
type BatchEvaluateResponse struct {
Decisions []Decision `json:"decisions"`
}
BatchEvaluateResponse represents a batch of authorization decisions
type CapabilityResource ¶ added in v0.8.0
type CapabilityResource struct {
Path string `json:"path"` // Full resource path: "org/acme/project/payment"
Constraints *interface{} `json:"constraints"` // represents additional instance level restrictions
}
CapabilityResource represents a resource with permission details (SIMPLIFIED)
type ConfigurableDetector ¶ added in v0.8.0
type ConfigurableDetector struct {
// contains filtered or unexported fields
}
ConfigurableDetector implements Detector using configuration
func (*ConfigurableDetector) DetectUserType ¶ added in v0.8.0
func (d *ConfigurableDetector) DetectUserType(jwtToken string) (*SubjectContext, error)
DetectUserType implements the Detector interface
type Decision ¶
type Decision struct {
Decision bool `json:"decision"`
Context *DecisionContext `json:"context,omitempty"`
}
Decision represents the authorization decision response
type DecisionContext ¶
type DecisionContext struct {
Reason string `json:"reason,omitempty"`
}
DecisionContext contains additional context about the decision
type Detector ¶ added in v0.8.0
type Detector interface {
// DetectUserType analyzes a JWT token and returns the SubjectContext
DetectUserType(jwtToken string) (*SubjectContext, error)
}
Detector is responsible for detecting user types from JWT tokens
func NewDetector ¶ added in v0.8.0
func NewDetector(userTypes []UserTypeConfig) (Detector, error)
NewDetector creates a new user type detector from pre-loaded configuration
type Entitlement ¶ added in v0.8.0
type Entitlement struct {
// Claim is the JWT claim name (e.g., "group", "sub")
Claim string `json:"claim"`
// Value is the entitlement value (e.g., "admin-group", "service-123")
Value string `json:"value"`
}
Entitlement represents an entitlement with its claim and value
type EntitlementClaimInfo ¶ added in v0.8.0
type EntitlementClaimInfo struct {
// Name is the JWT claim name (e.g., "group", "sub")
Name string `json:"name"`
// DisplayName is a human-readable name for the claim
DisplayName string `json:"display_name"`
}
EntitlementClaimInfo represents information about an entitlement claim
type EntitlementConfig ¶ added in v0.8.0
type EntitlementConfig struct {
Claim string `yaml:"claim"` // JWT claim for detection and entitlement
DisplayName string `yaml:"display_name"` // Human-readable name for the claim
}
EntitlementConfig defines how to extract entitlement claims from JWT tokens
type EvaluateRequest ¶
type EvaluateRequest struct {
Subject Subject `json:"subject"`
Resource Resource `json:"resource"`
Action string `json:"action"`
Context Context `json:"context"`
}
EvaluateRequest represents a single authorization request
type PAP ¶
type PAP interface {
// AddRole creates a new role with the specified name and actions
AddRole(ctx context.Context, role *Role) error
// RemoveRole deletes a role by name
RemoveRole(ctx context.Context, roleName string) error
// GetRole retrieves a role by name
GetRole(ctx context.Context, roleName string) (*Role, error)
// ListRoles returns all defined roles
ListRoles(ctx context.Context) ([]*Role, error)
// AddRoleEntitlementMapping creates a new role-entitlement mapping with optional conditions
AddRoleEntitlementMapping(ctx context.Context, mapping *RoleEntitlementMapping) error
// RemoveRoleEntitlementMapping removes a role-entitlement mapping
RemoveRoleEntitlementMapping(ctx context.Context, mappingID uint) error
// GetRoleMappings retrieves all entitlement mappings for a specific role
GetRoleMappings(ctx context.Context, roleName string) ([]*RoleEntitlementMapping, error)
// ListRoleEntitlementMappings lists all role-entitlement mappings
ListRoleEntitlementMappings(ctx context.Context) ([]*RoleEntitlementMapping, error)
// ListActions lists all defined actions in the system
ListActions(ctx context.Context) ([]string, error)
// ListUserTypes returns all configured user types in the system
ListUserTypes(ctx context.Context) ([]UserTypeInfo, error)
}
PAP (Policy Administration Point) interface defines the contract for policy management
type PDP ¶
type PDP interface {
// Evaluate evaluates a single authorization request and returns a decision
Evaluate(ctx context.Context, request *EvaluateRequest) (*Decision, error)
// BatchEvaluate evaluates multiple authorization requests and returns corresponding decisions
BatchEvaluate(ctx context.Context, request *BatchEvaluateRequest) (*BatchEvaluateResponse, error)
// GetSubjectProfile retrieves the authorization profile for a given subject
GetSubjectProfile(ctx context.Context, request *ProfileRequest) (*UserCapabilitiesResponse, error)
}
PDP (Policy Decision Point) interface defines the contract for authorization evaluation
type PolicyEffectType ¶
type PolicyEffectType string
PolicyEffectType defines the effect of a policy: allow or deny
const ( PolicyEffectAllow PolicyEffectType = "allow" PolicyEffectDeny PolicyEffectType = "deny" )
type ProfileRequest ¶
type ProfileRequest struct {
// Subject is the actor whose profile is being requested
Subject Subject `json:"subject"`
// Scope is the resource hierarchy scope for the profile
Scope ResourceHierarchy `json:"scope"`
}
ProfileRequest represents a request to retrieve a subject's authorization profile
type Resource ¶
type Resource struct {
Type string `json:"type"`
ID string `json:"id,omitempty"`
Hierarchy ResourceHierarchy `json:"hierarchy"`
}
Resource represents a resource in the authorization request
type ResourceHierarchy ¶
type ResourceHierarchy struct {
Organization string `json:"organization,omitempty"`
OrganizationUnits []string `json:"organization_units,omitempty"`
Project string `json:"project,omitempty"`
Component string `json:"component,omitempty"`
}
ResourceHierarchy represents a single item in a resource hierarchy
type Role ¶
type Role struct {
// Name is the unique identifier for the role
Name string `json:"name"`
// Actions is the list of actions this role permits
Actions []string `json:"actions"`
// IsInternal indicates if this role should be hidden from public listings
IsInternal bool `json:"-"`
}
Role represents a role with a set of allowed actions
type RoleEntitlementMapping ¶
type RoleEntitlementMapping struct {
// ID is the unique identifier for the mapping
ID uint `json:"id"`
// RoleName is the name of the role being assigned
RoleName string `json:"role_name"`
// Entitlement contains the claim and value for this mapping
Entitlement Entitlement `json:"entitlement"`
// Hierarchy defines the resource hierarchy scope where this role applies
Hierarchy ResourceHierarchy `json:"hierarchy"`
// Effect indicates whether the mapping is to allow or deny access
Effect PolicyEffectType `json:"effect"`
// Context provides optional additional context metadata for this mapping
Context Context `json:"context"`
// IsInternal indicates if this mapping should be hidden from public listings
IsInternal bool `json:"-"`
}
RoleEntitlementMapping represents the assignment of a role to an entitlement within a hierarchical scope
type Subject ¶
type Subject struct {
JwtToken string `json:"jwt_token"`
}
Subject represents the actor making the authorization request
type SubjectContext ¶
type SubjectContext struct {
Type SubjectType
EntitlementClaim string
EntitlementValues []string
}
SubjectContext - internal auth context for the subject
type SubjectType ¶
type SubjectType string
SubjectType defines the type of subject making the authorization request
const ( SubjectTypeUser SubjectType = "user" SubjectTypeServiceAccount SubjectType = "service_account" )
type UserCapabilitiesResponse ¶ added in v0.8.0
type UserCapabilitiesResponse struct {
User *SubjectContext `json:"user"`
Capabilities map[string]*ActionCapability `json:"capabilities"`
GeneratedAt time.Time `json:"evaluatedAt"`
}
UserCapabilitiesResponse represents the complete capabilities response
type UserTypeConfig ¶ added in v0.8.0
type UserTypeConfig struct {
Type SubjectType `yaml:"type"` // "user" or "service_account"
DisplayName string `yaml:"display_name"` // Human-readable name for user type
Priority int `yaml:"priority"` // Check order (lower = higher priority)
Entitlement EntitlementConfig `yaml:"entitlement"` // Entitlement configuration
}
UserTypeConfig represents configuration for a single user type
type UserTypeInfo ¶ added in v0.8.0
type UserTypeInfo struct {
// Type is the user type (e.g., "user", "service_account")
Type SubjectType `json:"type"`
// DisplayName is a human-readable name for the user type
DisplayName string `json:"display_name"`
// Priority determines the order in which user types are checked (lower = higher priority)
Priority int `json:"priority"`
// Entitlement contains information about the entitlement claim
Entitlement EntitlementClaimInfo `json:"entitlement"`
}
UserTypeInfo represents information about a configured user type
Source Files
Click to show internal directories.
Click to hide internal directories.