Documentation
¶
Index ¶
- Constants
- Variables
- func AssignableRelationError(objectType, relation string) error
- func ComputedUserset(relation string) *openfgapb.Userset
- func Difference(base *openfgapb.Userset, sub *openfgapb.Userset) *openfgapb.Userset
- func Intersection(children ...*openfgapb.Userset) *openfgapb.Userset
- func InvalidRelationTypeError(objectType, relation, relatedObjectType, relatedRelation string) error
- func NonAssignableRelationError(objectType, relation string) error
- func RelationReference(objectType, relation string) *openfgapb.RelationReference
- func RewriteContainsExclusion(rewrite *openfgapb.Userset) bool
- func RewriteContainsIntersection(rewrite *openfgapb.Userset) bool
- func RewriteContainsSelf(rewrite *openfgapb.Userset) bool
- func This() *openfgapb.Userset
- func TupleToUserset(tuplesetRelation, targetRelation string) *openfgapb.Userset
- func Union(children ...*openfgapb.Userset) *openfgapb.Userset
- func Validate(model *openfgapb.AuthorizationModel) error
- type InvalidRelationError
- type ObjectTypeUndefinedError
- type RelationUndefinedError
- type TypeSystem
- func (t *TypeSystem) GetAllTupleToUsersetsDefinitions() map[string]map[string][]*openfgapb.TupleToUserset
- func (t *TypeSystem) GetDirectlyRelatedUserTypes(objectType, relation string) ([]*openfgapb.RelationReference, error)
- func (t *TypeSystem) GetRelation(objectType, relation string) (*openfgapb.Relation, error)
- func (t *TypeSystem) GetRelations(objectType string) (map[string]*openfgapb.Relation, error)
- func (t *TypeSystem) GetSchemaVersion() string
- func (t *TypeSystem) GetTypeDefinition(objectType string) (*openfgapb.TypeDefinition, bool)
- func (t *TypeSystem) GetTypeDefinitions() map[string]*openfgapb.TypeDefinition
- func (t *TypeSystem) HasTypeInfo(objectType, relation string) (bool, error)
- func (t *TypeSystem) IsDirectlyAssignable(relation *openfgapb.Relation) bool
- func (t *TypeSystem) IsDirectlyRelated(target *openfgapb.RelationReference, source *openfgapb.RelationReference) (bool, error)
- func (t *TypeSystem) RelationInvolvesExclusion(objectType, relation string) (bool, error)
- func (t *TypeSystem) RelationInvolvesIntersection(objectType, relation string) (bool, error)
Constants ¶
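// Schema versions that an authorization model can declare.
const (
	// SchemaVersion1_0 identifies the 1.0 schema version.
	SchemaVersion1_0 = "1.0"
	// SchemaVersion1_1 identifies the 1.1 schema version, in which relations
	// carry type restrictions. Validate applies its additional type-system
	// rules to models that declare this version.
	SchemaVersion1_1 = "1.1"
)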
Variables ¶
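// Sentinel errors describing problems with an authorization model.
//
// NOTE(review): the package's error types expose Unwrap, so callers presumably
// match these with errors.Is rather than by comparing message text. Confirm
// against the implementation.
var (
	// ErrDuplicateTypes reports a model that declares the same type more than once.
	ErrDuplicateTypes = errors.New("an authorization model cannot contain duplicate types")
	// ErrInvalidSchemaVersion reports a model whose schema version is not valid.
	ErrInvalidSchemaVersion = errors.New("invalid schema version")
	// ErrInvalidModel reports an authorization model that is invalid.
	ErrInvalidModel = errors.New("invalid authorization model encountered")
	// ErrRelationUndefined reports a reference to a relation that is not defined.
	ErrRelationUndefined = errors.New("undefined relation")
	// ErrObjectTypeUndefined reports a reference to an object type that is not defined.
	ErrObjectTypeUndefined = errors.New("undefined object type")
	// ErrInvalidUsersetRewrite reports a userset rewrite definition that is invalid.
	ErrInvalidUsersetRewrite = errors.New("invalid userset rewrite definition")
)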
Functions ¶
func AssignableRelationError ¶
func ComputedUserset ¶ added in v0.2.4
func Difference ¶ added in v0.2.4
func Intersection ¶ added in v0.2.4
func RelationReference ¶ added in v0.2.4
func RelationReference(objectType, relation string) *openfgapb.RelationReference
func RewriteContainsExclusion ¶ added in v0.2.5
RewriteContainsExclusion returns true if the provided userset rewrite is defined by one or more direct or indirect exclusions.
func RewriteContainsIntersection ¶ added in v0.2.5
RewriteContainsIntersection returns true if the provided userset rewrite is defined by one or more direct or indirect intersections.
func RewriteContainsSelf ¶ added in v0.2.5
RewriteContainsSelf returns true if the provided userset rewrite is defined by one or more self referencing definitions.
func TupleToUserset ¶ added in v0.2.4
func Validate ¶
func Validate(model *openfgapb.AuthorizationModel) error
Validate validates an *openfgapb.AuthorizationModel according to the following rules:
- Checks that the model has a valid schema version.
- For every rewrite, the relations in the rewrite must:
  a. Be valid relations on the same type in the authorization model (in cases of computedUserset)
  b. Be valid relations on another existing type (in cases of tupleToUserset)
- Does not allow duplicate types or duplicate relations (only types need to be checked: relations are held in a map, so they cannot contain duplicates)
If the authorization model has a v1.1 schema version (with types on relations), then additionally validate the type system according to the following rules:
- Every type restriction on a relation must be a valid type:
  a. For a type (e.g. user), this means checking that this type is in the TypeSystem
  b. For a type#relation, this means checking that this type with this relation is in the TypeSystem
- Checks that a relation is assignable if and only if it has a non-empty list of types
Types ¶
type InvalidRelationError ¶
func (*InvalidRelationError) Error ¶ added in v0.2.5
func (e *InvalidRelationError) Error() string
func (*InvalidRelationError) Unwrap ¶ added in v0.2.5
func (e *InvalidRelationError) Unwrap() error
type ObjectTypeUndefinedError ¶ added in v0.2.5
func (*ObjectTypeUndefinedError) Error ¶ added in v0.2.5
func (e *ObjectTypeUndefinedError) Error() string
func (*ObjectTypeUndefinedError) Unwrap ¶ added in v0.2.5
func (e *ObjectTypeUndefinedError) Unwrap() error
type RelationUndefinedError ¶ added in v0.2.5
func (*RelationUndefinedError) Error ¶ added in v0.2.5
func (e *RelationUndefinedError) Error() string
func (*RelationUndefinedError) Unwrap ¶ added in v0.2.5
func (e *RelationUndefinedError) Unwrap() error
type TypeSystem ¶
// TypeSystem is the type that New builds from an *openfgapb.AuthorizationModel.
// New assumes the model has already been validated (see Validate).
type TypeSystem struct {
// contains filtered or unexported fields
}
func New ¶
func New(model *openfgapb.AuthorizationModel) *TypeSystem
New creates a *TypeSystem from an *openfgapb.AuthorizationModel. New assumes that the model has already been validated: callers should run Validate on the model and handle its error before passing the model to New.
func (*TypeSystem) GetAllTupleToUsersetsDefinitions ¶ added in v0.2.5
func (t *TypeSystem) GetAllTupleToUsersetsDefinitions() map[string]map[string][]*openfgapb.TupleToUserset
GetAllTupleToUsersetsDefinitions returns a map keyed by object type. Each value is another map, keyed by relation name, whose value is the list of tuple-to-usersets declared in that relation.
func (*TypeSystem) GetDirectlyRelatedUserTypes ¶ added in v0.2.4
func (t *TypeSystem) GetDirectlyRelatedUserTypes(objectType, relation string) ([]*openfgapb.RelationReference, error)
func (*TypeSystem) GetRelation ¶
func (t *TypeSystem) GetRelation(objectType, relation string) (*openfgapb.Relation, error)
func (*TypeSystem) GetRelations ¶
func (*TypeSystem) GetSchemaVersion ¶
func (t *TypeSystem) GetSchemaVersion() string
func (*TypeSystem) GetTypeDefinition ¶
func (t *TypeSystem) GetTypeDefinition(objectType string) (*openfgapb.TypeDefinition, bool)
func (*TypeSystem) GetTypeDefinitions ¶
func (t *TypeSystem) GetTypeDefinitions() map[string]*openfgapb.TypeDefinition
func (*TypeSystem) HasTypeInfo ¶ added in v0.2.5
func (t *TypeSystem) HasTypeInfo(objectType, relation string) (bool, error)
func (*TypeSystem) IsDirectlyAssignable ¶
func (t *TypeSystem) IsDirectlyAssignable(relation *openfgapb.Relation) bool
func (*TypeSystem) IsDirectlyRelated ¶ added in v0.2.4
func (t *TypeSystem) IsDirectlyRelated(target *openfgapb.RelationReference, source *openfgapb.RelationReference) (bool, error)
IsDirectlyRelated determines whether the type of the target RelationReference contains the source RelationReference.
func (*TypeSystem) RelationInvolvesExclusion ¶ added in v0.2.5
func (t *TypeSystem) RelationInvolvesExclusion(objectType, relation string) (bool, error)
RelationInvolvesExclusion returns true if the provided relation's userset rewrite is defined by one or more direct or indirect exclusions.
func (*TypeSystem) RelationInvolvesIntersection ¶ added in v0.2.5
func (t *TypeSystem) RelationInvolvesIntersection(objectType, relation string) (bool, error)
RelationInvolvesIntersection returns true if the provided relation's userset rewrite is defined by one or more direct or indirect intersections.