authz

package
Published: Feb 20, 2025 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

const (

	// MaxModulesInRequest is the maximum number of modules a user is allowed to
	// write in a single request when they do not have write permission on the
	// store itself (module-scoped writes are bounded; store-scoped writes are not).
	MaxModulesInRequest = 1

	// API methods.
	// Names of the OpenFGA API methods that can be passed as apiMethod to
	// Authorize. CreateStore and ListStores also have dedicated
	// AuthorizeCreateStore / AuthorizeListStores entry points.
	ReadAuthorizationModel  = "ReadAuthorizationModel"
	ReadAuthorizationModels = "ReadAuthorizationModels"
	Read                    = "Read"
	Write                   = "Write"
	ListObjects             = "ListObjects"
	StreamedListObjects     = "StreamedListObjects"
	Check                   = "Check"
	BatchCheck              = "BatchCheck"
	ListUsers               = "ListUsers"
	WriteAssertions         = "WriteAssertions"
	ReadAssertions          = "ReadAssertions"
	WriteAuthorizationModel = "WriteAuthorizationModel"
	ListStores              = "ListStores"
	CreateStore             = "CreateStore"
	GetStore                = "GetStore"
	DeleteStore             = "DeleteStore"
	Expand                  = "Expand"
	ReadChanges             = "ReadChanges"

	// Relations.
	// Relation names that gate each API method (presumably relations defined in
	// the access-control model that FGA-on-FGA checks are evaluated against).
	// These literals are load-bearing: they must match the model exactly.
	// NOTE(review): CanCallCreateStore is the only relation whose literal is
	// plural ("can_call_create_stores") while its method is singular; confirm
	// against the access-control model before treating that as a typo.
	CanCallReadAuthorizationModels  = "can_call_read_authorization_models"
	CanCallRead                     = "can_call_read"
	CanCallWrite                    = "can_call_write"
	CanCallListObjects              = "can_call_list_objects"
	CanCallCheck                    = "can_call_check"
	CanCallListUsers                = "can_call_list_users"
	CanCallWriteAssertions          = "can_call_write_assertions"
	CanCallReadAssertions           = "can_call_read_assertions"
	CanCallWriteAuthorizationModels = "can_call_write_authorization_models"
	CanCallListStores               = "can_call_list_stores"
	CanCallCreateStore              = "can_call_create_stores"
	CanCallGetStore                 = "can_call_get_store"
	CanCallDeleteStore              = "can_call_delete_store"
	CanCallExpand                   = "can_call_expand"
	CanCallReadChanges              = "can_call_read_changes"

	// Object type names and identifiers. SystemObjectID (see the var block) is
	// built as SystemType ":" RootSystemID, i.e. "system:fga".
	// NOTE(review): SystemRelationOnStore shares the literal "system" with
	// SystemType but names a relation on a store object, not a type; keep the
	// two constants distinct even though their values coincide.
	StoreType             = "store"
	ModuleType            = "module"
	ApplicationType       = "application"
	SystemType            = "system"
	SystemRelationOnStore = "system"
	RootSystemID          = "fga"
)

Variables

var (
	// ErrUnauthorizedResponse is the gRPC status error returned to callers when
	// the principal is not authorized. Its status code is
	// openfgav1.AuthErrorCode_forbidden and its message is deliberately
	// generic: it does not reveal which store, relation or module failed the
	// check, so a denied caller learns nothing about the access-control model.
	ErrUnauthorizedResponse = status.Error(codes.Code(openfgav1.AuthErrorCode_forbidden), "the principal is not authorized to perform the action")
	// SystemObjectID is the object ID of the root system object, formed from
	// SystemType and RootSystemID ("system:fga").
	SystemObjectID          = fmt.Sprintf("%s:%s", SystemType, RootSystemID)
)

Functions

This section is empty.

Types

type Authorizer

// Authorizer is the AuthorizerInterface implementation that evaluates access
// through a ServerInterface (Check / ListObjects) using the store and model
// given in Config; construct it with NewAuthorizer.
type Authorizer struct {
	// contains filtered or unexported fields
}

func NewAuthorizer

func NewAuthorizer(config *Config, server ServerInterface, logger logger.Logger) *Authorizer

func (*Authorizer) AccessControlStoreID added in v1.8.0

func (a *Authorizer) AccessControlStoreID() string

func (*Authorizer) Authorize

func (a *Authorizer) Authorize(ctx context.Context, storeID, apiMethod string, modules ...string) error

Authorize checks if the user has access to the resource.

func (*Authorizer) AuthorizeCreateStore

func (a *Authorizer) AuthorizeCreateStore(ctx context.Context) error

AuthorizeCreateStore checks if the user has access to create a store.

func (*Authorizer) AuthorizeListStores

func (a *Authorizer) AuthorizeListStores(ctx context.Context) error

AuthorizeListStores checks if the user has access to list stores.

func (*Authorizer) GetModulesForWriteRequest

func (a *Authorizer) GetModulesForWriteRequest(ctx context.Context, req *openfgav1.WriteRequest, typesys *typesystem.TypeSystem) ([]string, error)

GetModulesForWriteRequest returns the modules that should be checked for the write request. If a type with no attached module is encountered, it stops and returns no modules, so that the authz check is made against the store. Otherwise it returns the list of unique modules encountered, so that FGA on FGA can check them afterwards.

func (*Authorizer) ListAuthorizedStores

func (a *Authorizer) ListAuthorizedStores(ctx context.Context) ([]string, error)

ListAuthorizedStores returns the list of store IDs that the user has access to.

type AuthorizerInterface

// AuthorizerInterface is the contract the server depends on for access-control
// decisions. Both Authorizer and NoopAuthorizer implement it.
type AuthorizerInterface interface {
	// Authorize checks if the user has access to the resource identified by
	// storeID and apiMethod. When modules are given (presumably from
	// GetModulesForWriteRequest), the check is expected to be scoped to those
	// modules rather than the whole store — confirm in the implementation.
	Authorize(ctx context.Context, storeID, apiMethod string, modules ...string) error
	// AuthorizeCreateStore checks if the user has access to create a store.
	AuthorizeCreateStore(ctx context.Context) error
	// AuthorizeListStores checks if the user has access to list stores.
	AuthorizeListStores(ctx context.Context) error
	// ListAuthorizedStores returns the list of store IDs that the user has
	// access to.
	ListAuthorizedStores(ctx context.Context) ([]string, error)
	// GetModulesForWriteRequest returns the unique modules touched by req, or
	// no modules if any written type has no module attached, in which case the
	// authz check falls back to the store as a whole.
	GetModulesForWriteRequest(ctx context.Context, req *openfgav1.WriteRequest, typesys *typesystem.TypeSystem) ([]string, error)
	// AccessControlStoreID returns the ID of the store that access-control
	// checks run against (presumably Config.StoreID — confirm against
	// NewAuthorizer).
	AccessControlStoreID() string
}

type ClientIDType

// ClientIDType is a string-typed client identifier; its String method
// (a fmt.Stringer) renders it in the form expected by the access-control store.
type ClientIDType string

func (ClientIDType) String

func (c ClientIDType) String() string

type Config

// Config identifies the store and authorization model that access-control
// decisions are evaluated against.
type Config struct {
	// StoreID is the ID of the access-control store (presumably what
	// Authorizer.AccessControlStoreID returns — confirm).
	StoreID string
	// ModelID is the authorization model ID used for checks in that store.
	ModelID string
}

type ModuleIDType

// ModuleIDType is a string-typed module identifier.
// NOTE(review): unlike ClientIDType and StoreIDType, its String method takes a
// module argument, so ModuleIDType does not satisfy fmt.Stringer and will not
// be formatted by %s / %v the way the other ID types are.
type ModuleIDType string

func (ModuleIDType) String

func (m ModuleIDType) String(module string) string

type NoopAuthorizer

// NoopAuthorizer is an AuthorizerInterface that cannot consult an
// access-control store: NewAuthorizerNoop takes neither a Config nor a
// ServerInterface. NOTE(review): the name suggests every Authorize* method
// permits the call unconditionally — confirm, and ensure it is only wired in
// when access control is intentionally disabled.
type NoopAuthorizer struct{}

func NewAuthorizerNoop

func NewAuthorizerNoop() *NoopAuthorizer

func (*NoopAuthorizer) AccessControlStoreID added in v1.8.0

func (a *NoopAuthorizer) AccessControlStoreID() string

func (*NoopAuthorizer) Authorize

func (a *NoopAuthorizer) Authorize(ctx context.Context, storeID, apiMethod string, modules ...string) error

func (*NoopAuthorizer) AuthorizeCreateStore

func (a *NoopAuthorizer) AuthorizeCreateStore(ctx context.Context) error

func (*NoopAuthorizer) AuthorizeListStores

func (a *NoopAuthorizer) AuthorizeListStores(ctx context.Context) error

func (*NoopAuthorizer) GetModulesForWriteRequest

func (a *NoopAuthorizer) GetModulesForWriteRequest(ctx context.Context, req *openfgav1.WriteRequest, typesys *typesystem.TypeSystem) ([]string, error)

func (*NoopAuthorizer) ListAuthorizedStores

func (a *NoopAuthorizer) ListAuthorizedStores(ctx context.Context) ([]string, error)

type ServerInterface

// ServerInterface is the consumer-side view of the OpenFGA server that the
// authorizer needs: only Check and ListObjects (presumably issued against the
// access-control store named in Config).
type ServerInterface interface {
	Check(ctx context.Context, req *openfgav1.CheckRequest) (*openfgav1.CheckResponse, error)
	ListObjects(ctx context.Context, req *openfgav1.ListObjectsRequest) (*openfgav1.ListObjectsResponse, error)
}

type StoreIDType

// StoreIDType is a string-typed store identifier; its String method
// (a fmt.Stringer) renders it in the form expected by the access-control store.
type StoreIDType string

func (StoreIDType) String

func (s StoreIDType) String() string

type TupleKeyInterface

// TupleKeyInterface is the subset of a tuple key the authorizer reads (object
// and relation); both TupleKeyWithoutCondition and TupleKey implement it.
type TupleKeyInterface interface {
	GetObject() string
	GetRelation() string
}

TupleKeyInterface is an interface that both TupleKeyWithoutCondition and TupleKey implement.
