Documentation
Overview
Package validation provides tuple and request validation against an OpenFGA authorization model.
The primary entry points are ValidateTupleForWrite (used by write paths and contextual tuples) and ValidateTupleForRead (used by read/query paths). Both enforce type restrictions, tupleset constraints, and condition requirements defined in the model.
A generic Validator type and combinators (CombineValidators, MakeFallible) support composing reusable validation predicates outside of the tuple-specific logic.
Index
- func FilterInvalidTuples(typesys *typesystem.TypeSystem) storage.TupleKeyFilterFunc
- func ValidateObject(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
- func ValidateRelation(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
- func ValidateStruct(s *structpb.Struct) error
- func ValidateTupleForRead(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
- func ValidateTupleForWrite(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
- func ValidateUser(typesys *typesystem.TypeSystem, user string) error
- func ValidateUserObjectRelation(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
- type Validator
Functions
func FilterInvalidTuples
func FilterInvalidTuples(typesys *typesystem.TypeSystem) storage.TupleKeyFilterFunc
FilterInvalidTuples filters out tuples that aren't valid according to the provided model.
func ValidateObject
func ValidateObject(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
ValidateObject validates the provided object string 'type:id' against the provided model. An object is considered valid if it validates against one of the type definitions included in the provided model.
func ValidateRelation
func ValidateRelation(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
ValidateRelation validates the relation on the provided objectType against the given model. A relation is valid if it is defined as a relation for the type definition of the given objectType.
func ValidateStruct (added in v1.14.1)
func ValidateStruct(s *structpb.Struct) error
ValidateStruct checks that a structpb.Struct does not contain forbidden characters in any string keys or values. This prevents dangerous characters from reaching cache key generation or log output.
func ValidateTupleForRead (added in v1.6.2)
func ValidateTupleForRead(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
ValidateTupleForRead returns nil if a tuple is valid according to the provided model. It also validates tuple-to-userset (TTU) relations and type restrictions.
func ValidateTupleForWrite (added in v1.6.2)
func ValidateTupleForWrite(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
ValidateTupleForWrite returns nil if a tuple is well-formed and valid according to the provided model. It is a superset of ValidateUserObjectRelation and ValidateTupleForRead, and is meant to be used ONLY in Write and for contextual tuples (since these mimic being written to the datastore).
func ValidateUser
func ValidateUser(typesys *typesystem.TypeSystem, user string) error
ValidateUser validates the provided 'user' string against the model constraints. For 1.0 and 1.1 models, if the user field is a userset value, the objectType and relation must be defined. For 1.1 models, the user field must be either a userset or an object; if it is an object, the objectType must be defined in the model.
func ValidateUserObjectRelation (added in v0.3.1)
func ValidateUserObjectRelation(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
ValidateUserObjectRelation returns nil if the tuple is well-formed and valid according to the provided model.
Types
type Validator (added in v1.14.0)
Validator is a predicate that reports whether a value of type T is valid. It returns false or a non-nil error to indicate rejection.
func CombineValidators (added in v1.14.0)
CombineValidators returns a Validator that runs each of the given validators in order and short-circuits on the first rejection or error. Nil entries are skipped. If all validators pass (or the list is empty), the combined validator returns true, nil.
func MakeFallible (added in v1.14.0)
MakeFallible adapts a boolean predicate into a Validator that always returns a nil error.
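The semantics described for Validator, CombineValidators and MakeFallible, as an added stand-alone sketch that is not the package's own code. The generic signatures shown here are assumptions (the page does not list them), and `tuple` and `checkTuple` are hypothetical names used only for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Validator rejects with false or a non-nil error. Signature is an assumption.
type Validator[T any] func(T) (bool, error)

// MakeFallible wraps a boolean predicate; the returned error is always nil.
func MakeFallible[T any](pred func(T) bool) Validator[T] {
	return func(v T) (bool, error) { return pred(v), nil }
}

// CombineValidators runs in order, skips nil entries, stops at the first rejection or error.
func CombineValidators[T any](vs ...Validator[T]) Validator[T] {
	return func(v T) (bool, error) {
		for _, check := range vs {
			if check != nil {
				if ok, err := check(v); err != nil || !ok {
					return false, err
				}
			}
		}
		return true, nil // all passed, or the list was empty
	}
}

type tuple struct{ User, Relation, Object string } // constructed stand-in for a tuple key

// checkTuple counts invocations in *calls so that short-circuiting is observable.
func checkTuple(calls *int) Validator[tuple] {
	objectForm := Validator[tuple](func(t tuple) (bool, error) {
		*calls++
		if !strings.Contains(t.Object, ":") {
			return false, errors.New("object is not in type:id form")
		}
		return true, nil
	})
	hasRelation := MakeFallible[tuple](func(t tuple) bool { *calls++; return t.Relation != "" })
	hasUser := MakeFallible[tuple](func(t tuple) bool { *calls++; return t.User != "" })
	return CombineValidators[tuple](objectForm, nil, hasRelation, hasUser)
}

func main() {
	// Empty relation: rejected by the second check, the third never runs.
	fmt.Println(checkTuple(new(int))(tuple{User: "user:anne", Object: "document:1"}))
}
```

A rejection (false with a nil error) and a failure (non-nil error) are distinct outcomes, so callers should check the error before interpreting the boolean.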