authz

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 4, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source 
const EmptyTenantID = TenantID("")

Variables

View Source 
var (
	ErrInvalidRequest        = errors.New("invalid request")
	ErrEmptyRequest          = errors.New("empty request")
	ErrAuthorizationDecision = errors.New("authorization decision error")
	ErrAuthorizationDenied   = errors.New("authorization denied")
	ErrWrongTenantID         = errors.New("wrong tenant ID in request")

	ErrExtractClientData  = errors.New("error extracting client data from context")
	ErrCreateAuthzRequest = errors.New("error creating authorization request")
	ErrExtractTenantID    = errors.New("error extracting tenant ID from context")
	ErrAuthzDecision      = errors.New("error making authorization decision")
)
View Source 
var (
	ErrValidation                  = errors.New("validation failed")
	ErrUserEmpty                   = errors.New("user is empty")
	ErrActionInvalid               = errors.New("action is invalid")
	ErrResourceTypeInvalid         = errors.New("resource type is invalid")
	ErrResourceTypeOrActionInvalid = errors.New("resource type or action is invalid")
)
View Source 
var (
	RestrictionsByOperation = make(map[Operation]Restricted)
	RestrictionsByAPI       = make(map[string]Restricted)
	AllowListByAPI          = make(map[string]Allowed)
)
View Source 
var ActionResourceTypes map[Action]ResourceTypeName
View Source 
var ErrInvalidRole = errors.New("invalid role")
View Source 
var InfoAuthorizationPassed = "Authorization check passed"
View Source 
var PolicyData = policies{
	Roles: []constants.Role{
		constants.KeyAdminRole, constants.TenantAdminRole, constants.TenantAuditorRole,
	},
	Policies: []Policy{
		{
			ID:   "AuditorPolicy",
			Role: constants.TenantAuditorRole,
			ResourceTypes: []ResourceType{
				{
					ID: ResourceTypeKeyConfiguration,
					Actions: []Action{
						ActionRead,
					},
				},
				{
					ID: ResourceTypeKey,
					Actions: []Action{
						ActionRead,
					},
				},
				{
					ID: ResourceTypeSystem,
					Actions: []Action{
						ActionRead,
					},
				},
				{
					ID: ResourceTypeWorkFlow,
					Actions: []Action{
						ActionRead,
					},
				},
				{
					ID: ResourceTypeUserGroup,
					Actions: []Action{
						ActionRead,
					},
				},
				{
					ID: ResourceTypeTenant,
					Actions: []Action{
						ActionRead,
					},
				},
			},
		},
		{
			ID:   "KeyAdminPolicy",
			Role: constants.KeyAdminRole,
			ResourceTypes: []ResourceType{
				{
					ID: ResourceTypeKeyConfiguration,
					Actions: []Action{
						ActionRead,
						ActionCreate,
						ActionDelete,
						ActionUpdate,
					},
				},
				{
					ID: ResourceTypeKey,
					Actions: []Action{
						ActionRead,
						ActionCreate,
						ActionDelete,
						ActionUpdate,
						ActionKeyRotate,
					},
				},
				{
					ID: ResourceTypeUserGroup,
					Actions: []Action{
						ActionRead,
					},
				},
				{
					ID: ResourceTypeSystem,
					Actions: []Action{
						ActionSystemModifyLink,
						ActionRead,
						ActionUpdate,
					},
				},
				{
					ID: ResourceTypeWorkFlow,
					Actions: []Action{
						ActionRead,
						ActionCreate,
						ActionDelete,
						ActionUpdate,
					},
				},
			},
		},
		{
			ID:   "TenantAdminPolicy",
			Role: constants.TenantAdminRole,
			ResourceTypes: []ResourceType{
				{
					ID: ResourceTypeTenant,
					Actions: []Action{
						ActionRead,
						ActionUpdate,
					},
				},
				{
					ID: ResourceTypeUserGroup,
					Actions: []Action{
						ActionRead,
						ActionCreate,
						ActionDelete,
						ActionUpdate,
					},
				},
			},
		},
	},
}
View Source 
var ResourceTypeActions = map[ResourceTypeName]map[Action]struct{}{
	ResourceTypeKeyConfiguration: {
		ActionRead:   {},
		ActionCreate: {},
		ActionDelete: {},
		ActionUpdate: {},
	},
	ResourceTypeKey: {
		ActionRead:      {},
		ActionCreate:    {},
		ActionDelete:    {},
		ActionUpdate:    {},
		ActionKeyRotate: {},
	},
	ResourceTypeSystem: {
		ActionRead:             {},
		ActionSystemModifyLink: {},
	},
	ResourceTypeWorkFlow: {
		ActionRead:   {},
		ActionCreate: {},
		ActionDelete: {},
		ActionUpdate: {},
	},
	ResourceTypeUserGroup: {
		ActionRead:   {},
		ActionCreate: {},
		ActionDelete: {},
		ActionUpdate: {},
	},
	ResourceTypeTenant: {
		ActionRead:   {},
		ActionUpdate: {},
	},
}
View Source 
var RolePolicies = make(map[constants.Role][]Policy)
View Source 
var ValidRoles = make(map[constants.Role]struct{})

Functions

func CheckAuthz 

func CheckAuthz(
	ctx context.Context,
	authzHandler *Handler,
	resourceType ResourceTypeName,
	action Action,
) (bool, error)

func LogDecision 

func LogDecision(ctx context.Context, request Request, auditor *auditor.Auditor, isAllowed bool, reason Reason)

LogDecision logs the authorization decision made for a request. It logs the request ID, tenant ID, resource type, action, decision, and reason. The decision is logged as an Info log if it is "Allow", otherwise as a Warn log. Additionally, it sends an audit log for unauthorized requests using the provided auditor.

Types

type APIMethod 

type APIMethod string
const (
	APIMethodGet    APIMethod = "GET"
	APIMethodPost   APIMethod = "POST"
	APIMethodPut    APIMethod = "PUT"
	APIMethodDelete APIMethod = "DELETE"
	APIMethodPatch  APIMethod = "PATCH"
)

type Action 

type Action string
const (
	ActionRead             Action = "read"
	ActionCreate           Action = "create"
	ActionUpdate           Action = "update"
	ActionDelete           Action = "delete"
	ActionKeyRotate        Action = "KeyRotate"
	ActionSystemModifyLink Action = "ModifySystemLink"
)

all actions which are used in policies which can be performed on resource types

type AllowList 

type AllowList struct {
	AuthzKeys map[AuthorizationKey]struct{}
	TenantIDs map[TenantID]struct{}
}

func NewAuthorizationData 

func NewAuthorizationData(entities []Entity) (*AllowList, error)

func (AllowList) ContainsTenant 

func (l AllowList) ContainsTenant(id TenantID) bool

type Allowed 

type Allowed struct {
	APIPath   string
	APIMethod APIMethod
}

type AuthorizationKey 

type AuthorizationKey struct {
	TenantID         TenantID
	UserGroup        string
	ResourceTypeName ResourceTypeName
	Action           Action
}

type Entity 

type Entity struct {
	TenantID   TenantID
	Role       constants.Role
	UserGroups []string
}

type Handler 

type Handler struct {
	Entities          []Entity
	AuthorizationData AllowList
	Auditor           *auditor.Auditor
}

func NewAuthorizationHandler 

func NewAuthorizationHandler(entities *[]Entity, auditor *auditor.Auditor) (*Handler, error)

func (*Handler) IsAllowed 

func (as *Handler) IsAllowed(ctx context.Context, ar Request) (bool, error)

IsAllowed checks if the given User is allowed to perform the given Action on the given resource

type Operation 

type Operation string
const (
	OpCreate Operation = "CREATE"
	OpList   Operation = "LIST"
	OpDelete Operation = "DELETE"
	OpFirst  Operation = "FIRST"
	OpPatch  Operation = "PATCH"
	OpSet    Operation = "SET"
)

type Policy 

type Policy struct {
	ID            string
	Role          constants.Role
	ResourceTypes []ResourceType
}

type Reason 

type Reason string

type Request 

type Request struct {
	ID               string           // required
	User             User             // required
	ResourceTypeName ResourceTypeName // optional
	Action           Action           // optional
	TenantID         TenantID         // required
}

func NewRequest 

func NewRequest(
	ctx context.Context, tenantID TenantID, user User, resourceTypeName ResourceTypeName, action Action,
) (*Request, error)

func (*Request) SetAction 

func (ar *Request) SetAction(action Action) error

func (*Request) SetResourceType 

func (ar *Request) SetResourceType(resourceTypeName ResourceTypeName) error

func (*Request) SetUser 

func (ar *Request) SetUser(user User) error

type ResourceType 

type ResourceType struct {
	ID      ResourceTypeName
	Actions []Action
}

type ResourceTypeName 

type ResourceTypeName string
const (
	ResourceTypeKeyConfiguration ResourceTypeName = "KeyConfiguration"
	ResourceTypeKey              ResourceTypeName = "Key"
	ResourceTypeSystem           ResourceTypeName = "System"
	ResourceTypeWorkFlow         ResourceTypeName = "Workflow"
	ResourceTypeUserGroup        ResourceTypeName = "UserGroup"
	ResourceTypeTenant           ResourceTypeName = "Tenant"
)

all resource types which are used in policies

type Restricted 

type Restricted struct {
	APIPath          string
	APIMethod        APIMethod
	ResourceTypeName ResourceTypeName
	Action           Action
	RepoOperation    Operation
}

type TenantID 

type TenantID string

type User 

type User struct {
	UserName string
	Groups   []string
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.