authz

package
v1.8.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 13, 2024 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source 
const (

	// MaxModulesInRequest Max number of modules a user is allowed to write in a single request if they do not have write permissions to the store.
	MaxModulesInRequest = 1

	// API methods.
	ReadAuthorizationModel  = "ReadAuthorizationModel"
	ReadAuthorizationModels = "ReadAuthorizationModels"
	Read                    = "Read"
	Write                   = "Write"
	ListObjects             = "ListObjects"
	StreamedListObjects     = "StreamedListObjects"
	Check                   = "Check"
	BatchCheck              = "BatchCheck"
	ListUsers               = "ListUsers"
	WriteAssertions         = "WriteAssertions"
	ReadAssertions          = "ReadAssertions"
	WriteAuthorizationModel = "WriteAuthorizationModel"
	ListStores              = "ListStores"
	CreateStore             = "CreateStore"
	GetStore                = "GetStore"
	DeleteStore             = "DeleteStore"
	Expand                  = "Expand"
	ReadChanges             = "ReadChanges"

	// Relations.
	CanCallReadAuthorizationModels  = "can_call_read_authorization_models"
	CanCallRead                     = "can_call_read"
	CanCallWrite                    = "can_call_write"
	CanCallListObjects              = "can_call_list_objects"
	CanCallCheck                    = "can_call_check"
	CanCallListUsers                = "can_call_list_users"
	CanCallWriteAssertions          = "can_call_write_assertions"
	CanCallReadAssertions           = "can_call_read_assertions"
	CanCallWriteAuthorizationModels = "can_call_write_authorization_models"
	CanCallListStores               = "can_call_list_stores"
	CanCallCreateStore              = "can_call_create_stores"
	CanCallGetStore                 = "can_call_get_store"
	CanCallDeleteStore              = "can_call_delete_store"
	CanCallExpand                   = "can_call_expand"
	CanCallReadChanges              = "can_call_read_changes"

	StoreType             = "store"
	ModuleType            = "module"
	ApplicationType       = "application"
	SystemType            = "system"
	SystemRelationOnStore = "system"
	RootSystemID          = "fga"
)

Variables

View Source 
var (
	ErrUnauthorizedResponse                  = status.Error(codes.Code(openfgav1.AuthErrorCode_forbidden), "the principal is not authorized to perform the action")
	ErrBadRequestMaxModulesInRequestExceeded = status.Error(codes.Code(openfgav1.AuthErrorCode_forbidden), fmt.Sprintf("the principal cannot write tuples of more than %v module(s) in a single request", MaxModulesInRequest))
	ErrUnknownAPIMethod                      = errors.New("unknown API method")

	SystemObjectID = fmt.Sprintf("%s:%s", SystemType, RootSystemID)
)

Functions

This section is empty.

Types

type AuthorizationError 

type AuthorizationError struct {
	Err error
}

func (*AuthorizationError) Error 

func (e *AuthorizationError) Error() string

func (*AuthorizationError) Unwrap 

func (e *AuthorizationError) Unwrap() error

type Authorizer 

type Authorizer struct {
	// contains filtered or unexported fields
}

func NewAuthorizer 

func NewAuthorizer(config *Config, server ServerInterface, logger logger.Logger) *Authorizer

func (*Authorizer) AccessControlStoreID added in v1.8.0 

func (a *Authorizer) AccessControlStoreID() string

func (*Authorizer) Authorize 

func (a *Authorizer) Authorize(ctx context.Context, storeID, apiMethod string, modules ...string) error

Authorize checks if the user has access to the resource.

func (*Authorizer) AuthorizeCreateStore 

func (a *Authorizer) AuthorizeCreateStore(ctx context.Context) error

AuthorizeCreateStore checks if the user has access to create a store.

func (*Authorizer) AuthorizeListStores 

func (a *Authorizer) AuthorizeListStores(ctx context.Context) error

AuthorizeListStores checks if the user has access to list stores.

func (*Authorizer) GetModulesForWriteRequest 

func (a *Authorizer) GetModulesForWriteRequest(ctx context.Context, req *openfgav1.WriteRequest, typesys *typesystem.TypeSystem) ([]string, error)

GetModulesForWriteRequest returns the modules that should be checked for the write request. If we encounter a type with no attached module, we should break and return no modules so that the authz check will be against the store Otherwise we return a list of unique modules encountered so that FGA on FGA can check them after.

func (*Authorizer) ListAuthorizedStores 

func (a *Authorizer) ListAuthorizedStores(ctx context.Context) ([]string, error)

ListAuthorizedStores returns the list of store IDs that the user has access to.

type AuthorizerInterface 

type AuthorizerInterface interface {
	Authorize(ctx context.Context, storeID, apiMethod string, modules ...string) error
	AuthorizeCreateStore(ctx context.Context) error
	AuthorizeListStores(ctx context.Context) error
	ListAuthorizedStores(ctx context.Context) ([]string, error)
	GetModulesForWriteRequest(ctx context.Context, req *openfgav1.WriteRequest, typesys *typesystem.TypeSystem) ([]string, error)
	AccessControlStoreID() string
}

type ClientIDType 

type ClientIDType string

func (ClientIDType) String 

func (c ClientIDType) String() string

type Config 

type Config struct {
	StoreID string
	ModelID string
}

type ModuleIDType 

type ModuleIDType string

func (ModuleIDType) String 

func (m ModuleIDType) String(module string) string

type NoopAuthorizer 

type NoopAuthorizer struct{}

func NewAuthorizerNoop 

func NewAuthorizerNoop() *NoopAuthorizer

func (*NoopAuthorizer) AccessControlStoreID added in v1.8.0 

func (a *NoopAuthorizer) AccessControlStoreID() string

func (*NoopAuthorizer) Authorize 

func (a *NoopAuthorizer) Authorize(ctx context.Context, storeID, apiMethod string, modules ...string) error

func (*NoopAuthorizer) AuthorizeCreateStore 

func (a *NoopAuthorizer) AuthorizeCreateStore(ctx context.Context) error

func (*NoopAuthorizer) AuthorizeListStores 

func (a *NoopAuthorizer) AuthorizeListStores(ctx context.Context) error

func (*NoopAuthorizer) GetModulesForWriteRequest 

func (a *NoopAuthorizer) GetModulesForWriteRequest(ctx context.Context, req *openfgav1.WriteRequest, typesys *typesystem.TypeSystem) ([]string, error)

func (*NoopAuthorizer) ListAuthorizedStores 

func (a *NoopAuthorizer) ListAuthorizedStores(ctx context.Context) ([]string, error)

type ServerInterface 

type ServerInterface interface {
	Check(ctx context.Context, req *openfgav1.CheckRequest) (*openfgav1.CheckResponse, error)
	ListObjects(ctx context.Context, req *openfgav1.ListObjectsRequest) (*openfgav1.ListObjectsResponse, error)
}

type StoreIDType 

type StoreIDType string

func (StoreIDType) String 

func (s StoreIDType) String() string

type TupleKeyInterface 

type TupleKeyInterface interface {
	GetObject() string
	GetRelation() string
}

TupleKeyInterface is an interface that both TupleKeyWithoutCondition and TupleKey implement.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.