Documentation
Index
- Constants
- Variables
- func AssignableRelationError(objectType, relation string) error
- func ContainsSelf(rewrite *openfgapb.Userset) bool
- func InvalidRelationError(objectType, relation string) error
- func InvalidRelationTypeError(objectType, relation, relatedObjectType, relatedRelation string) error
- func NonAssignableRelationError(objectType, relation string) error
- func ObjectTypeDoesNotExistError(objectType string) error
- func RelationDoesNotExistError(objectType, relation string) error
- func Validate(model *openfgapb.AuthorizationModel) error
- type TypeSystem
- func (t *TypeSystem) GetRelation(objectType, relation string) (*openfgapb.Relation, bool)
- func (t *TypeSystem) GetRelations(objectType string) (map[string]*openfgapb.Relation, bool)
- func (t *TypeSystem) GetSchemaVersion() string
- func (t *TypeSystem) GetTypeDefinition(objectType string) (*openfgapb.TypeDefinition, bool)
- func (t *TypeSystem) GetTypeDefinitions() map[string]*openfgapb.TypeDefinition
- func (t *TypeSystem) IsDirectlyAssignable(relation *openfgapb.Relation) bool
Constants
const (
	SchemaVersion1_0 = "1.0"
	SchemaVersion1_1 = "1.1"
)
Variables
var (
	ErrDuplicateTypes       = errors.New("an authorization model cannot contain duplicate types")
	ErrInvalidSchemaVersion = errors.New("invalid schema version")
)
Functions
func AssignableRelationError
func ContainsSelf
func InvalidRelationError
func RelationDoesNotExistError
RelationDoesNotExistError may have an empty objectType, but must have a relation (otherwise the error won't make much sense).
func Validate
func Validate(model *openfgapb.AuthorizationModel) error
Validate validates an *openfgapb.AuthorizationModel according to the following rules:
- Checks that the model has a valid schema version.
- For every rewrite, the relations in the rewrite must:
  a. Be valid relations on the same type in the authorization model (in cases of computedUserset)
  b. Be valid relations on another existing type (in cases of tupleToUserset)
- Does not allow duplicate types or duplicate relations (only types need to be checked: relations are stored in a map, so they cannot contain duplicates)
If the authorization model has a v1.1 schema version (with types on relations), then additionally validate the type system according to the following rules:
- Every type restriction on a relation must be a valid type:
  a. For a type (e.g. user) this means checking that this type is in the TypeSystem
  b. For a type#relation this means checking that this type with this relation is in the TypeSystem
- Check that a relation is assignable if and only if it has a non-zero list of types
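The two v1.1 rules above, as an added example that is not this package's code: a standard-library-only sketch over a simplified stand-in model. `Relation`, `Model`, `ErrInvalidModel` and `CheckTypeRestrictions` are hypothetical names, not openfgapb types, and the `Assignable` flag is an assumption standing in for what the real rewrite would report.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Relation is a hypothetical stand-in: AllowedTypes holds the type restrictions
// ("user" or "group#member"); Assignable marks a directly assignable relation.
type Relation struct {
	AllowedTypes []string
	Assignable   bool
}

// Model maps object type -> relation name -> Relation (stand-in, not openfgapb).
type Model map[string]map[string]Relation

var ErrInvalidModel = errors.New("invalid model")

// CheckTypeRestrictions applies the two v1.1 rules to the stand-in model.
func CheckTypeRestrictions(m Model) error {
	for typeName, rels := range m {
		for relName, rel := range rels {
			// Rule 2: assignable if and only if the type list is non-empty.
			if rel.Assignable != (len(rel.AllowedTypes) > 0) {
				return fmt.Errorf("%w: %s#%s assignability does not match its type list", ErrInvalidModel, typeName, relName)
			}
			for _, ref := range rel.AllowedTypes {
				// Rule 1: "type" or "type#relation" must exist in the model.
				t, r, hasRel := strings.Cut(ref, "#")
				target, ok := m[t]
				if !ok {
					return fmt.Errorf("%w: %s#%s references unknown type %q", ErrInvalidModel, typeName, relName, t)
				}
				if _, ok := target[r]; hasRel && !ok {
					return fmt.Errorf("%w: %s#%s references unknown relation %q", ErrInvalidModel, typeName, relName, ref)
				}
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample: document.viewer refers to group#member, which is undefined.
	m := Model{"user": {}, "group": {}, "document": {"viewer": {AllowedTypes: []string{"user", "group#member"}, Assignable: true}}}
	fmt.Println(CheckTypeRestrictions(m))
}
```

Rejecting a dangling `type#relation` reference when the model is written keeps an authorization check from ever being evaluated against a restriction that points at nothing.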
Types
type TypeSystem
type TypeSystem struct {
// contains filtered or unexported fields
}
func New
func New(model *openfgapb.AuthorizationModel) *TypeSystem
New creates a *TypeSystem from an *openfgapb.AuthorizationModel. New assumes that the model has already been validated.
func (*TypeSystem) GetRelation
func (t *TypeSystem) GetRelation(objectType, relation string) (*openfgapb.Relation, bool)
func (*TypeSystem) GetRelations
func (*TypeSystem) GetSchemaVersion
func (t *TypeSystem) GetSchemaVersion() string
func (*TypeSystem) GetTypeDefinition
func (t *TypeSystem) GetTypeDefinition(objectType string) (*openfgapb.TypeDefinition, bool)
func (*TypeSystem) GetTypeDefinitions
func (t *TypeSystem) GetTypeDefinitions() map[string]*openfgapb.TypeDefinition
func (*TypeSystem) IsDirectlyAssignable
func (t *TypeSystem) IsDirectlyAssignable(relation *openfgapb.Relation) bool