typesystem

package
v0.3.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 18, 2023 License: Apache-2.0 Imports: 4 Imported by: 5

Documentation

Index

Constants

View Source 
const (
	SchemaVersion1_0 = "1.0"
	SchemaVersion1_1 = "1.1"
)

Variables

View Source 
var (
	ErrDuplicateTypes        = errors.New("an authorization model cannot contain duplicate types")
	ErrInvalidSchemaVersion  = errors.New("invalid schema version")
	ErrInvalidModel          = errors.New("invalid authorization model encountered")
	ErrRelationUndefined     = errors.New("undefined relation")
	ErrObjectTypeUndefined   = errors.New("undefined object type")
	ErrInvalidUsersetRewrite = errors.New("invalid userset rewrite definition")
)

Functions

func AssignableRelationError 

func AssignableRelationError(objectType, relation string) error

func ComputedUserset added in v0.2.4 

func ComputedUserset(relation string) *openfgapb.Userset

func Difference added in v0.2.4 

func Difference(base *openfgapb.Userset, sub *openfgapb.Userset) *openfgapb.Userset

func DirectRelationReference added in v0.3.0 

func DirectRelationReference(objectType, relation string) *openfgapb.RelationReference

func Intersection added in v0.2.4 

func Intersection(children ...*openfgapb.Userset) *openfgapb.Userset

func InvalidRelationTypeError 

func InvalidRelationTypeError(objectType, relation, relatedObjectType, relatedRelation string) error

func NonAssignableRelationError 

func NonAssignableRelationError(objectType, relation string) error

func RewriteContainsExclusion added in v0.2.5 

func RewriteContainsExclusion(rewrite *openfgapb.Userset) bool

RewriteContainsExclusion returns true if the provided userset rewrite is defined by one or more direct or indirect exclusions.

func RewriteContainsIntersection added in v0.2.5 

func RewriteContainsIntersection(rewrite *openfgapb.Userset) bool

RewriteContainsIntersection returns true if the provided userset rewrite is defined by one or more direct or indirect intersections.

func RewriteContainsSelf added in v0.2.5 

func RewriteContainsSelf(rewrite *openfgapb.Userset) bool

RewriteContainsSelf returns true if the provided userset rewrite is defined by one or more self referencing definitions.

func This added in v0.2.4 

func This() *openfgapb.Userset

func TupleToUserset added in v0.2.4 

func TupleToUserset(tupleset, computedUserset string) *openfgapb.Userset

func Union added in v0.2.4 

func Union(children ...*openfgapb.Userset) *openfgapb.Userset

func Validate 

func Validate(model *openfgapb.AuthorizationModel) error

Validate validates an *openfgapb.AuthorizationModel according to the following rules:

  1. Checks that the model have a valid schema version.
  2. For every rewrite the relations in the rewrite must: a. Be valid relations on the same type in the authorization model (in cases of computedUserset) b. Be valid relations on another existing type (in cases of tupleToUserset)
  3. Do not allow duplicate types or duplicate relations (only need to check types as relations are in a map so cannot contain duplicates)

If the authorization model has a v1.1 schema version (with types on relations), then additionally validate the type system according to the following rules:

  1. Every type restriction on a relation must be a valid type: a. For a type (e.g. user) this means checking that this type is in the TypeSystem b. For a type#relation this means checking that this type with this relation is in the TypeSystem
  2. Check that a relation is assignable if and only if it has a non-zero list of types

func WalkUsersetRewrite added in v0.3.2 

func WalkUsersetRewrite(rewrite *openfgapb.Userset, handler WalkUsersetRewriteHandler) (interface{}, error)

WalkUsersetRewrite recursively walks the provided userset rewrite and invokes the provided WalkUsersetRewriteHandler to each node in the userset rewrite tree until the first non-nil response is encountered.

func WildcardRelationReference added in v0.3.0 

func WildcardRelationReference(objectType string) *openfgapb.RelationReference

Types

type InvalidRelationError 

type InvalidRelationError struct {
	ObjectType string
	Relation   string
	Cause      error
}

func (*InvalidRelationError) Error added in v0.2.5 

func (e *InvalidRelationError) Error() string

func (*InvalidRelationError) Unwrap added in v0.2.5 

func (e *InvalidRelationError) Unwrap() error

type ObjectTypeUndefinedError added in v0.2.5 

type ObjectTypeUndefinedError struct {
	ObjectType string
	Err        error
}

func (*ObjectTypeUndefinedError) Error added in v0.2.5 

func (e *ObjectTypeUndefinedError) Error() string

func (*ObjectTypeUndefinedError) Unwrap added in v0.2.5 

func (e *ObjectTypeUndefinedError) Unwrap() error

type RelationUndefinedError added in v0.2.5 

type RelationUndefinedError struct {
	ObjectType string
	Relation   string
	Err        error
}

func (*RelationUndefinedError) Error added in v0.2.5 

func (e *RelationUndefinedError) Error() string

func (*RelationUndefinedError) Unwrap added in v0.2.5 

func (e *RelationUndefinedError) Unwrap() error

type TypeSystem 

type TypeSystem struct {
	// contains filtered or unexported fields
}

func New 

func New(model *openfgapb.AuthorizationModel) *TypeSystem

New creates a *TypeSystem from an *openfgapb.AuthorizationModel. New assumes that the model has already been validated.

func (*TypeSystem) GetAuthorizationModel added in v0.3.0 

func (t *TypeSystem) GetAuthorizationModel() *openfgapb.AuthorizationModel

GetAuthorizationModel returns the underlying AuthorizationModel this TypeSystem was constructed from.

func (*TypeSystem) GetAuthorizationModelID added in v0.3.0 

func (t *TypeSystem) GetAuthorizationModelID() string

GetAuthorizationModelID returns the id for the authorization model this TypeSystem was constructed for.

func (*TypeSystem) GetDirectlyRelatedUserTypes added in v0.2.4 

func (t *TypeSystem) GetDirectlyRelatedUserTypes(objectType, relation string) ([]*openfgapb.RelationReference, error)

func (*TypeSystem) GetRelation 

func (t *TypeSystem) GetRelation(objectType, relation string) (*openfgapb.Relation, error)

func (*TypeSystem) GetRelations 

func (t *TypeSystem) GetRelations(objectType string) (map[string]*openfgapb.Relation, error)

func (*TypeSystem) GetSchemaVersion 

func (t *TypeSystem) GetSchemaVersion() string

func (*TypeSystem) GetTypeDefinition 

func (t *TypeSystem) GetTypeDefinition(objectType string) (*openfgapb.TypeDefinition, bool)

func (*TypeSystem) GetTypeDefinitions 

func (t *TypeSystem) GetTypeDefinitions() map[string]*openfgapb.TypeDefinition

func (*TypeSystem) HasTypeInfo added in v0.2.5 

func (t *TypeSystem) HasTypeInfo(objectType, relation string) (bool, error)

func (*TypeSystem) IsDirectlyAssignable 

func (t *TypeSystem) IsDirectlyAssignable(relation *openfgapb.Relation) bool

func (*TypeSystem) IsDirectlyRelated added in v0.2.4 

func (t *TypeSystem) IsDirectlyRelated(target *openfgapb.RelationReference, source *openfgapb.RelationReference) (bool, error)

IsDirectlyRelated determines whether the type of the target DirectRelationReference contains the source DirectRelationReference.

func (*TypeSystem) IsPubliclyAssignable added in v0.3.2 

func (t *TypeSystem) IsPubliclyAssignable(target *openfgapb.RelationReference, objectType string) (bool, error)

* IsPubliclyAssignable returns true if the provided objectType is part of a typed wildcard type restriction * on the target relation. * * type user * * type document * relations * define viewer: [user:*] * * In the example above, the 'user' objectType is publicly assignable to the 'document#viewer' relation.

func (*TypeSystem) IsTuplesetRelation added in v0.3.0 

func (t *TypeSystem) IsTuplesetRelation(objectType, relation string) (bool, error)

IsTuplesetRelation returns a boolean indicating if the provided relation is defined under a TupleToUserset rewrite as a tupleset relation (i.e. the right hand side of a `X from Y`).

func (*TypeSystem) RelationInvolvesExclusion added in v0.2.5 

func (t *TypeSystem) RelationInvolvesExclusion(objectType, relation string) (bool, error)

RelationInvolvesExclusion returns true if the provided relation's userset rewrite is defined by one or more direct or indirect exclusions or any of the types related to the provided relation are defined by one or more direct or indirect exclusions.

func (*TypeSystem) RelationInvolvesIntersection added in v0.2.5 

func (t *TypeSystem) RelationInvolvesIntersection(objectType, relation string) (bool, error)

RelationInvolvesIntersection returns true if the provided relation's userset rewrite is defined by one or more direct or indirect intersections or any of the types related to the provided relation are defined by one or more direct or indirect intersections.

type WalkUsersetRewriteHandler added in v0.3.2 

type WalkUsersetRewriteHandler func(rewrite *openfgapb.Userset) interface{}

WalkUsersetRewriteHandler is a userset rewrite handler that is applied to a node in a userset rewrite tree. Implementations of the WalkUsersetRewriteHandler should return a non-nil value when the traversal over the rewrite tree should terminate and nil if traversal should proceed to other nodes in the tree.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.