Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ClaimsFromStruct ¶ added in v0.1.11
ClaimsFromStruct converts a struct (or pointer to struct) into a map used as OPA `input.claims`. Key resolution order per field:
- `authz:"<key>"` struct tag (JWT claim key from manifest.auth.claims config)
- fallback: snake_case version of field name
Examples: "ID" (tag user_id) → "user_id"; "OrgID" (no tag) → "org_id"; "Role" (no tag) → "role".
func Init ¶
func Init(db *sql.DB, ownerships []OwnershipMapping) error
Init initializes the global authz state. OPA policy source resolution:
- OPA_POLICY_PATH env — file or directory (directory loads all *.rego)
- fallback: ./internal/authz, ./authz, ./policy (first existing directory)
DISABLE_AUTHZ=1 skips all of the above: no policy is loaded and every check is bypassed, so it is meant for local development and tests only.
Types ¶
type CheckRequest ¶
type CheckRequest struct {
Action string
Resource string
UserID int64
Role string
ResourceID int64
Claims map[string]any
}
CheckRequest holds the inputs for an authorization check.
Claims, when non-nil, is passed to OPA as input.claims and may carry arbitrary JWT claims. When nil, Check() falls back to {"user_id": UserID, "role": Role} for backward compatibility with policies written before claims were configurable. The generator is expected to populate Claims from CurrentUser fields according to the manifest.auth.claims config.
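The following is an added example, not the package's own code, showing the two behaviours documented on this page: the key-resolution rules of ClaimsFromStruct (`authz` tag first, snake_case of the field name otherwise, with acronym runs such as "OrgID" kept together) and the nil-Claims fallback of CheckRequest. The real ClaimsFromStruct signature is not shown on this page; the names `claimsFromStruct`, `snakeCase`, `opaInput`, the `CurrentUser` struct and every input key other than `claims` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
	"unicode"
)

// CurrentUser is a constructed stand-in for a generated user struct.
// The `authz` tag overrides the map key; untagged fields use snake_case.
type CurrentUser struct {
	ID    int64 `authz:"user_id"`
	OrgID int64
	Role  string
}

// snakeCase converts a Go field name to snake_case while keeping acronym
// runs together: "OrgID" -> "org_id", "HTTPServer" -> "http_server".
func snakeCase(name string) string {
	r := []rune(name)
	var b strings.Builder
	for i, c := range r {
		if i > 0 && unicode.IsUpper(c) {
			prevLower := unicode.IsLower(r[i-1])
			nextLower := i+1 < len(r) && unicode.IsLower(r[i+1])
			// Start a new word after a lowercase letter, or at the last
			// letter of an acronym run that is followed by a lowercase one.
			if prevLower || (unicode.IsUpper(r[i-1]) && nextLower) {
				b.WriteByte('_')
			}
		}
		b.WriteRune(unicode.ToLower(c))
	}
	return b.String()
}

// claimsFromStruct is a hypothetical reimplementation of the documented
// behaviour: a struct (or pointer to struct) becomes map[string]any, using
// the `authz` tag as key and snake_case of the field name as fallback.
// Unexported fields cannot be read via reflection and are skipped.
func claimsFromStruct(v any) (map[string]any, error) {
	rv := reflect.ValueOf(v)
	if rv.Kind() == reflect.Ptr {
		if rv.IsNil() {
			return nil, fmt.Errorf("authz: nil pointer passed to claimsFromStruct")
		}
		rv = rv.Elem()
	}
	if rv.Kind() != reflect.Struct {
		return nil, fmt.Errorf("authz: expected struct, got %s", rv.Kind())
	}
	rt := rv.Type()
	out := make(map[string]any, rt.NumField())
	for i := 0; i < rt.NumField(); i++ {
		f := rt.Field(i)
		if !f.IsExported() {
			continue
		}
		key := f.Tag.Get("authz")
		if key == "" {
			key = snakeCase(f.Name)
		}
		out[key] = rv.Field(i).Interface()
	}
	return out, nil
}

// CheckRequest mirrors the documented type; the fields are copied from the page.
type CheckRequest struct {
	Action     string
	Resource   string
	UserID     int64
	Role       string
	ResourceID int64
	Claims     map[string]any
}

// opaInput builds the document a policy would see as `input`. Only the
// `claims` key and its nil fallback are documented; the other keys are an
// assumption. A nil Claims map yields the legacy {"user_id", "role"} shape.
func opaInput(req CheckRequest) map[string]any {
	claims := req.Claims
	if claims == nil {
		claims = map[string]any{"user_id": req.UserID, "role": req.Role}
	}
	return map[string]any{
		"action":      req.Action,
		"resource":    req.Resource,
		"resource_id": req.ResourceID,
		"claims":      claims,
	}
}

func main() {
	u := CurrentUser{ID: 42, OrgID: 7, Role: "client"}
	claims, err := claimsFromStruct(&u)
	if err != nil {
		panic(err)
	}
	fmt.Println(claims) // prints map[org_id:7 role:client user_id:42]
	req := CheckRequest{Action: "update", Resource: "gig", UserID: 42, Role: "client", ResourceID: 9, Claims: claims}
	fmt.Println(opaInput(req)["claims"]) // same three claims reach input.claims
	legacy := opaInput(CheckRequest{UserID: 42, Role: "client"})
	fmt.Println(legacy["claims"]) // prints map[role:client user_id:42]
}
```

The fallback is the point to watch when migrating policies: a policy that reads `input.claims.org_id` will see `undefined` (and therefore deny, if written as `allow if ...`) for any caller that still leaves Claims nil, because the legacy map carries only `user_id` and `role`.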
type CheckResponse ¶
type CheckResponse struct{}
CheckResponse is the result of an authorization check.
func Check ¶
func Check(req CheckRequest) (CheckResponse, error)
Check evaluates the OPA policy for req. It returns an error both when the policy denies the request and when evaluation fails, so a non-nil error always means the action is not authorized (fail closed). Set DISABLE_AUTHZ=1 to bypass authorization checks; since this turns every Check into an allow, it is intended for local development and tests only and must not be set in production.
type OwnershipMapping ¶
type OwnershipMapping struct {
Resource string // "gig", "proposal"
Table string // "gigs", "proposals"
Column string // "client_id", "freelancer_id"
}
OwnershipMapping represents a resource-to-table ownership mapping from @ownership annotations.