authz

package
v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 28, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	DefaultAuthorizer = "casbin"
	Noop              = "noop"
	Casbin            = "casbin"
)
View Source 
const (
	ActionRead   = "read"
	ActionCreate = "create"
	ActionUpdate = "update"
	ActionDelete = "delete"
	ActionAny    = "*"
)

Define standard authorization actions as constants.

Variables

This section is empty.

Functions

func Register 

func Register(name string, factory Factory)

Register registers a new authorizer provider factory. This function is intended to be called from the init() function of each provider implementation.

Types

type Authorizer 

type Authorizer interface {
	// Authorized individual rule specifications are checked.
	Authorized(ctx context.Context, p security.Principal, spec RuleSpec) (bool, error)
}

The Authorizer defines the core authorization interface for validating individual requests. It is often used as a "goalkeeper" in middleware.

func New 

func New(cfg *authzv1.Authorizer, opts ...options.Option) (Authorizer, error)

New creates a new authorizer provider instance based on the given configuration. It looks up the appropriate factory using the type specified in the config and invokes it. The returned Provider instance is NOT stored globally; it is the caller's responsibility to manage its lifecycle and inject it where needed.

type Factory 

type Factory interface {
	NewAuthorizer(config *authzv1.Authorizer, opts ...options.Option) (Authorizer, error)
}

type FactoryFunc 

type FactoryFunc func(config *authzv1.Authorizer, opts ...options.Option) (Authorizer, error)

FactoryFunc is a function type that creates a Provider instance.

func (FactoryFunc) NewAuthorizer 

func (f FactoryFunc) NewAuthorizer(config *authzv1.Authorizer, opts ...options.Option) (Authorizer, error)

type FilterQuerier 

type FilterQuerier interface {
	// FilterAuthorized is the generic and powerful core method of this interface.
	// It filters a list of RuleSpecs and returns the subset for which the principal is authorized.
	// It is useful for complex, non-standard batch filtering scenarios.
	FilterAuthorized(ctx context.Context, p security.Principal, specs []RuleSpec) ([]RuleSpec, error)

	// FilterAuthorizedResources is a convenience method for the common use case of filtering a list of resource IDs.
	// It abstracts away the complexity of creating and parsing RuleSpecs.
	// The specTemplate provides a template for the check, where its Resource field is ignored.
	FilterAuthorizedResources(ctx context.Context, p security.Principal, specTemplate RuleSpec, resources []string) ([]string, error)

	// FilterAuthorizedActions is a convenience method to determine which actions a principal can perform on a given resource.
	// The specTemplate provides a template for the check, where its Action field is ignored.
	FilterAuthorizedActions(ctx context.Context, p security.Principal, specTemplate RuleSpec, actions []string) ([]string, error)

	// FilterAuthorizedDomains is a convenience method to determine which domains a principal has access to.
	// The specTemplate provides a template for the check, where its Domain field is ignored.
	FilterAuthorizedDomains(ctx context.Context, p security.Principal, specTemplate RuleSpec, domains []string) ([]string, error)
}

FilterQuerier defines the interface for querying permissions in batches. Its primary consumer is API endpoints that need to perform bulk permission checks, for example, to filter a list of items based on the user's access rights.

type PolicyModifier added in v1.4.0 

type PolicyModifier interface {

	// AddUserRole assigns a role to a user.
	// Returns true if the assignment was added, false if it already existed.
	AddUserRole(ctx context.Context, userID string, roleID string) (bool, error)
	// RemoveUserRole revokes a role from a user.
	// Returns true if the assignment was removed, false if it didn't exist.
	RemoveUserRole(ctx context.Context, userID string, roleID string) (bool, error)
	// RemoveAllUserRoles removes all roles assigned to a specific user.
	// Returns true if any assignments were removed.
	RemoveAllUserRoles(ctx context.Context, userID string) (bool, error)

	// AddRolePermission grants a specific permission to a role.
	// The permission is defined by the RuleSpec (resource and action).
	// Returns true if the permission was added, false if it already existed.
	AddRolePermission(ctx context.Context, roleID string, spec RuleSpec) (bool, error)
	// RemoveRolePermission revokes a specific permission from a role.
	// Returns true if the permission was removed, false if it didn't exist.
	RemoveRolePermission(ctx context.Context, roleID string, spec RuleSpec) (bool, error)
	// RemoveAllRolePermissions removes all permissions granted to a specific role.
	// Returns true if any permissions were removed.
	RemoveAllRolePermissions(ctx context.Context, roleID string) (bool, error)

	// AddUserPermission grants a specific permission directly to a user (less common in pure RBAC, but useful for ABAC or exceptions).
	// Returns true if the permission was added, false if it already existed.
	AddUserPermission(ctx context.Context, userID string, spec RuleSpec) (bool, error)
	// RemoveUserPermission revokes a specific permission directly from a user.
	// Returns true if the permission was removed, false if it didn't exist.
	RemoveUserPermission(ctx context.Context, userID string, spec RuleSpec) (bool, error)
	// RemoveAllUserPermissions removes all direct permissions granted to a specific user.
	// Returns true if any permissions were removed.
	RemoveAllUserPermissions(ctx context.Context, userID string) (bool, error)
}

PolicyModifier defines a generic interface for modifying authorization policies at an atomic rule level. This abstraction allows business logic to manipulate the fundamental relationships (User-Role, Role-Permission) without knowing the underlying implementation (e.g., Casbin, OPA).

type Reloader added in v1.4.0 

type Reloader interface {
	// Reload triggers a reload of the authorization policies from the underlying storage.
	Reload() error
}

Reloader defines an optional interface for authorizers that support dynamic policy reloading. This is typically used in conjunction with a policy watcher or an event bus.

type RuleSpec 

type RuleSpec struct {
	Domain   string // Represent the project or tenant. It can be empty.
	Resource string // The resource being accessed.
	Action   string // Actions to be performed on the resource.
	// Attributes contain additional attributes related to this rule, such as the owner of the resource, status, and so on.
	// This allows RuleSpec to carry more complex contextual information to support ABAC.
	Attributes security.Claims
}

RuleSpec encapsulates the specification of an authorization rule to be checked. It is a pure data container that describes the core elements required for authorization checks.

func NewRuleSpec 

func NewRuleSpec(p security.Principal, req security.Request) RuleSpec

NewRuleSpec creates an authz.RuleSpec from a principal and a security.Request. It maps HTTP methods to standard authorization actions (read, create, update, delete).

Source Files

View all Source files

Directories

Path Synopsis
adapter
Package adapter implements the functions, types, and interfaces for the module.
 Package adapter implements the functions, types, and interfaces for the module.
internal/model
Package model embedding the model files for Casbin.
 Package model embedding the model files for Casbin.
internal/policy
Package policy embedding the policy files for Casbin.
 Package policy embedding the policy files for Casbin.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.