Affected by GO-2024-2477 and 3 other vulnerabilities

GO-2024-2477: OpenFGA denial of service in github.com/openfga/openfga

GO-2025-3384: OpenFGA Authorization Bypass in github.com/openfga/openfga

GO-2025-3470: OpenFGA Authorization Bypass in github.com/openfga/openfga

GO-2025-3657: OpenFGA Authorization Bypass in github.com/openfga/openfga

validation

package

v1.4.0-rc1 Latest Latest Go to latest Published: Nov 3, 2023 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/openfga/openfga

Links

Documentation ¶

Index ¶

func FilterInvalidTuples(typesys *typesystem.TypeSystem) storage.TupleKeyFilterFunc
func ValidateObject(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
func ValidateRelation(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
func ValidateTuple(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error
func ValidateUser(typesys *typesystem.TypeSystem, user string) error
func ValidateUserObjectRelation(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func FilterInvalidTuples ¶

func FilterInvalidTuples(typesys *typesystem.TypeSystem) storage.TupleKeyFilterFunc

FilterInvalidTuples implements the TupleFilterFunc signature and can be used to provide a generic filtering mechanism when reading tuples. It is particularly useful to filter out tuples that aren't valid according to the provided model, which can help filter tuples that were introduced due to another authorization model.

func ValidateObject ¶

func ValidateObject(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error

ValidateObject validates the provided object string 'type:id' against the provided model. An object is considered valid if it validates against one of the type definitions included in the provided model.

func ValidateRelation ¶

func ValidateRelation(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error

ValidateRelation validates the relation on the provided objectType against the given model. A relation is valid if it is defined as a relation for the type definition of the given objectType.

func ValidateTuple ¶

func ValidateTuple(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error

ValidateTuple returns nil if a tuple is well formed and valid according to the provided model. It is a superset of ValidateUserObjectRelation; it also validates TTU relations and type restrictions.

Do NOT use this when validating a tuple that is an input to a Check or WriteAssertions request.

func ValidateUser ¶

func ValidateUser(typesys *typesystem.TypeSystem, user string) error

ValidateUser validates the 'user' string provided by validating that it meets the model constraints. For 1.0 and 1.1 models if the user field is a userset value, then the objectType and relation must be defined. For 1.1 models the user field must either be a userset or an object, and if it's an object we verify the objectType is defined in the model.

func ValidateUserObjectRelation ¶ added in v0.3.1

func ValidateUserObjectRelation(typesys *typesystem.TypeSystem, tk *openfgav1.TupleKey) error

ValidateUserObjectRelation returns nil if the tuple is well-formed and valid according to the provided model.

Do NOT use this when reading or writing tuples to storage. Use ValidateTuple instead, because it's stricter.

Types ¶

This section is empty.

Source Files ¶

View all Source files

validation.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL