Documentation
¶
Overview ¶
Package authorizer provides an Ory Keto adapter implementation for the security.Authorizer interface.
Index ¶
- Variables
- func CurrentTimeFromContext(ctx context.Context) time.Time
- func LocationFromContext(ctx context.Context) string
- func NewAuditLogger(config AuditLoggerConfig) security.AuditLogger
- func NewKetoAdapter(cfg config.ConfigurationAuthorization, auditLogger security.AuditLogger) security.Authorizer
- func NewNoOpAuditLogger() security.AuditLogger
- func ToConnectError(err error) error
- func ToGrpcError(err error) error
- func ToHTTPStatusCode(err error) int
- func WithCurrentTime(ctx context.Context, t time.Time) context.Context
- func WithLocation(ctx context.Context, location string) context.Context
- type AccessConstraint
- type AuditLoggerConfig
- type AuthzServiceError
- type FunctionChecker
- type FunctionCheckerOption
- type NoOpAuditLogger
- type PermissionDeniedError
- type ResourceAccessChecker
- func (c *ResourceAccessChecker) Check(ctx context.Context, resourceID, permission string) error
- func (c *ResourceAccessChecker) CheckSubject(ctx context.Context, resourceID, permission, subjectID string) error
- func (c *ResourceAccessChecker) Grant(ctx context.Context, resourceID, relation, subjectID string) error
- func (c *ResourceAccessChecker) Members(ctx context.Context, resourceID, relation string) ([]security.SubjectRef, error)
- func (c *ResourceAccessChecker) Revoke(ctx context.Context, resourceID, relation, subjectID string) error
- type ResourceCheckerOption
- type TenancyAccessChecker
- type TenancyAccessDeniedFunc
- type TenantPermissionCheckerOption
Constants ¶
This section is empty.
Variables ¶
var ( // ErrPermissionDenied indicates the subject lacks the required permission. ErrPermissionDenied = errors.New("permission denied") // ErrInvalidObject indicates an invalid object reference. ErrInvalidObject = errors.New("invalid object reference") // ErrInvalidSubject indicates an invalid subject reference. ErrInvalidSubject = errors.New("invalid subject reference") // ErrTupleNotFound indicates the relationship tuple was not found. ErrTupleNotFound = errors.New("relationship tuple not found") // ErrTupleAlreadyExists indicates the relationship tuple already exists. ErrTupleAlreadyExists = errors.New("relationship tuple already exists") // ErrAuthzServiceDown indicates the authorization service is unavailable. ErrAuthzServiceDown = errors.New("authorization service unavailable") // ErrInvalidPermission indicates an invalid permission was requested. ErrInvalidPermission = errors.New("invalid permission") // ErrInvalidRole indicates an invalid role was specified. ErrInvalidRole = errors.New("invalid role") )
Functions ¶
func CurrentTimeFromContext ¶
CurrentTimeFromContext returns the time stored in context, or time.Now() if none was injected.
func LocationFromContext ¶
LocationFromContext returns the location stored in context, or "".
func NewAuditLogger ¶
func NewAuditLogger(config AuditLoggerConfig) security.AuditLogger
NewAuditLogger creates a new AuditLogger with the given configuration.
func NewKetoAdapter ¶
func NewKetoAdapter( cfg config.ConfigurationAuthorization, auditLogger security.AuditLogger, ) security.Authorizer
NewKetoAdapter creates a new Keto adapter with the given configuration.
func NewNoOpAuditLogger ¶
func NewNoOpAuditLogger() security.AuditLogger
NewNoOpAuditLogger creates a new no-op audit logger.
func ToConnectError ¶
ToConnectError translates authorization errors into ConnectRPC error codes.
Mapping:
- ErrInvalidSubject / ErrInvalidObject → CodeUnauthenticated
- PermissionDeniedError → CodePermissionDenied
- everything else → CodeInternal
func ToGrpcError ¶
ToGrpcError translates authorization errors into gRPC status errors.
Mapping:
- ErrInvalidSubject / ErrInvalidObject → codes.Unauthenticated
- PermissionDeniedError → codes.PermissionDenied
- everything else → codes.Internal
func ToHTTPStatusCode ¶
ToHTTPStatusCode translates authorization errors into HTTP status codes.
Mapping:
- ErrInvalidSubject / ErrInvalidObject → 401 Unauthorized
- PermissionDeniedError → 403 Forbidden
- everything else → 500 Internal Server Error
func WithCurrentTime ¶
WithCurrentTime injects the current time into context. Production middleware should call this with time.Now(). Tests can inject a fixed value.
Types ¶
type AccessConstraint ¶
AccessConstraint evaluates a contextual condition that must hold for access to be granted. It is checked after the Keto relation check passes. Return nil to allow, or a non-nil error to deny.
func AnyConstraint ¶
func AnyConstraint(constraints ...AccessConstraint) AccessConstraint
AnyConstraint returns a constraint that passes if at least one of the given constraints passes (OR logic). All constraint errors are collected; if none pass, the error from the first constraint is returned.
Panics if no constraints are provided.
func LocationConstraint ¶
func LocationConstraint(allowed ...string) AccessConstraint
LocationConstraint restricts access to callers whose location (from context) matches one of the allowed values. Matching is case-insensitive. Returns an error if no location is present in context or if the location is not in the allowed set.
Panics if no allowed locations are provided.
func TimeWindowConstraint ¶
func TimeWindowConstraint(startHour, endHour int, loc *time.Location) AccessConstraint
TimeWindowConstraint restricts access to a daily time window defined by startHour and endHour (0-23, 24h format). Access is allowed when startHour <= currentHour < endHour. Supports wrapping past midnight (e.g., startHour=22, endHour=6 allows 22:00-05:59). If loc is nil, UTC is used.
Panics if startHour or endHour is outside 0-23, or if startHour == endHour (ambiguous — use no constraint for "always allow").
type AuditLoggerConfig ¶
type AuditLoggerConfig struct {
// Enabled controls whether the audit logger actually logs decisions.
// Default is false (disabled).
Enabled bool
// SampleRate is the fraction of decisions to log (0.0 to 1.0).
SampleRate float64
}
AuditLoggerConfig holds configuration for the audit logger.
type AuthzServiceError ¶
type AuthzServiceError struct {
Operation string
Code codes.Code
Retryable bool
SchemaReadiness bool
Cause error
}
AuthzServiceError wraps authorization service errors with context.
func NewAuthzServiceError ¶
func NewAuthzServiceError(operation string, cause error) *AuthzServiceError
NewAuthzServiceError creates a new AuthzServiceError.
func (*AuthzServiceError) Error ¶
func (e *AuthzServiceError) Error() string
Error implements the error interface.
func (*AuthzServiceError) Is ¶
func (e *AuthzServiceError) Is(target error) bool
Is allows checking error type.
func (*AuthzServiceError) Unwrap ¶
func (e *AuthzServiceError) Unwrap() error
Unwrap returns the cause for error wrapping support.
type FunctionChecker ¶
type FunctionChecker struct {
// contains filtered or unexported fields
}
FunctionChecker verifies functional permissions in application-specific namespaces (e.g., service_tenancy, service_payment). It extracts tenant and partition from the caller's claims and checks whether the caller has a specific permission in the configured namespace.
Unlike TenancyAccessChecker, FunctionChecker has no provisioning callback — it performs a pure permission check. Data access should be verified separately using TenancyAccessChecker before calling FunctionChecker.
func NewFunctionChecker ¶
func NewFunctionChecker( auth security.Authorizer, objectNamespace string, opts ...FunctionCheckerOption, ) *FunctionChecker
NewFunctionChecker creates a checker that verifies functional permissions against the given objectNamespace.
type FunctionCheckerOption ¶
type FunctionCheckerOption func(*FunctionChecker)
FunctionCheckerOption configures a FunctionChecker.
func WithFunctionConstraints ¶
func WithFunctionConstraints(constraints ...AccessConstraint) FunctionCheckerOption
WithFunctionConstraints adds contextual constraints evaluated after the Keto relation check passes.
func WithFunctionPermissionConstraints ¶
func WithFunctionPermissionConstraints(permission string, constraints ...AccessConstraint) FunctionCheckerOption
WithFunctionPermissionConstraints adds constraints that apply only when checking a specific permission.
func WithFunctionSubjectNamespace ¶
func WithFunctionSubjectNamespace(ns string) FunctionCheckerOption
WithFunctionSubjectNamespace overrides the default subject namespace.
type NoOpAuditLogger ¶
type NoOpAuditLogger struct{}
NoOpAuditLogger is an audit logger that does nothing.
func (*NoOpAuditLogger) LogDecision ¶
func (n *NoOpAuditLogger) LogDecision( _ context.Context, _ security.CheckRequest, _ security.CheckResult, _ map[string]string, ) error
LogDecision implements AuditLogger but does nothing.
type PermissionDeniedError ¶
type PermissionDeniedError struct {
Object security.ObjectRef
Permission string
Subject security.SubjectRef
Reason string
}
PermissionDeniedError provides detailed denial information.
func NewPermissionDeniedError ¶
func NewPermissionDeniedError( object security.ObjectRef, permission string, subject security.SubjectRef, reason string, ) *PermissionDeniedError
NewPermissionDeniedError creates a new PermissionDeniedError.
func (*PermissionDeniedError) Error ¶
func (e *PermissionDeniedError) Error() string
Error implements the error interface.
func (*PermissionDeniedError) Is ¶
func (e *PermissionDeniedError) Is(target error) bool
Is allows checking if an error is a PermissionDeniedError.
func (*PermissionDeniedError) Unwrap ¶
func (e *PermissionDeniedError) Unwrap() error
Unwrap returns the base error for error wrapping support.
type ResourceAccessChecker ¶
type ResourceAccessChecker struct {
// contains filtered or unexported fields
}
ResourceAccessChecker verifies per-resource-instance permissions (Plane 3). Unlike TenancyAccessChecker and FunctionChecker which derive the object ID from claims (tenant/partition), ResourceAccessChecker takes the resource ID explicitly because resource instances are not part of the authentication claims.
Example namespaces: chat_room, file, file_version.
func NewResourceAccessChecker ¶
func NewResourceAccessChecker( auth security.Authorizer, objectNamespace string, opts ...ResourceCheckerOption, ) *ResourceAccessChecker
NewResourceAccessChecker creates a checker that verifies permissions on individual resource instances in the given objectNamespace.
func (*ResourceAccessChecker) Check ¶
func (c *ResourceAccessChecker) Check(ctx context.Context, resourceID, permission string) error
Check verifies that the caller (extracted from context claims) has the given permission on the resource identified by resourceID.
func (*ResourceAccessChecker) CheckSubject ¶
func (c *ResourceAccessChecker) CheckSubject(ctx context.Context, resourceID, permission, subjectID string) error
CheckSubject verifies that a specific subject has the given permission on the resource. Use this when the subject is not the authenticated caller.
func (*ResourceAccessChecker) Grant ¶
func (c *ResourceAccessChecker) Grant(ctx context.Context, resourceID, relation, subjectID string) error
Grant assigns a relation to a subject on a resource instance.
func (*ResourceAccessChecker) Members ¶
func (c *ResourceAccessChecker) Members( ctx context.Context, resourceID, relation string, ) ([]security.SubjectRef, error)
Members returns all subjects with the given relation on a resource instance.
type ResourceCheckerOption ¶
type ResourceCheckerOption func(*ResourceAccessChecker)
ResourceCheckerOption configures a ResourceAccessChecker.
func WithConstraints ¶
func WithConstraints(constraints ...AccessConstraint) ResourceCheckerOption
WithConstraints adds contextual constraints that are evaluated after the Keto relation check passes. If any constraint returns an error, the overall check is denied. Use this for time-of-day, location, or other runtime conditions that cannot be modelled as Keto relation tuples.
func WithPermissionConstraints ¶
func WithPermissionConstraints(permission string, constraints ...AccessConstraint) ResourceCheckerOption
WithPermissionConstraints adds constraints that apply only when checking a specific permission. These are evaluated after global constraints.
func WithResourceSubjectNamespace ¶
func WithResourceSubjectNamespace(ns string) ResourceCheckerOption
WithResourceSubjectNamespace overrides the default subject namespace.
type TenancyAccessChecker ¶
type TenancyAccessChecker struct {
// contains filtered or unexported fields
}
TenancyAccessChecker extracts claims from context, builds a CheckRequest against a tenant-scoped object namespace, and calls the authorizer. For system_internal callers it supports a self-healing callback that provisions missing tuples and retries.
func NewTenancyAccessChecker ¶
func NewTenancyAccessChecker( auth security.Authorizer, objectNamespace string, opts ...TenantPermissionCheckerOption, ) *TenancyAccessChecker
NewTenancyAccessChecker creates a checker that verifies permissions against objectNamespace using the provided authorizer.
func (*TenancyAccessChecker) Check ¶
func (c *TenancyAccessChecker) Check(ctx context.Context, permission string) error
Check verifies that the caller in ctx has the given permission on the tenant identified in their claims.
func (*TenancyAccessChecker) CheckAccess ¶
func (c *TenancyAccessChecker) CheckAccess(ctx context.Context) error
CheckAccess verifies that the caller has data access to the partition identified in their claims. For regular users it checks the "member" relation; for internal system callers it checks the "service" relation. Service accounts are expected to have a "service" tuple on the root partition, with child partitions inheriting access via SubjectSet chains. If denied and a self-healing callback is set, it invokes the callback and retries once.
type TenancyAccessDeniedFunc ¶
type TenancyAccessDeniedFunc func(ctx context.Context, auth security.Authorizer, tenantID, subjectID string) error
TenancyAccessDeniedFunc is called when a system_internal caller is denied permission. It should provision the necessary tuples so that a retry succeeds.
type TenantPermissionCheckerOption ¶
type TenantPermissionCheckerOption func(*TenancyAccessChecker)
TenantPermissionCheckerOption configures a TenancyAccessChecker.
func WithOnTenancyAccessDenied ¶
func WithOnTenancyAccessDenied(fn TenancyAccessDeniedFunc) TenantPermissionCheckerOption
WithOnTenancyAccessDenied registers a callback invoked when a system_internal caller is denied. The callback should provision the required tuples so that a subsequent retry can succeed.
func WithSubjectNamespace ¶
func WithSubjectNamespace(ns string) TenantPermissionCheckerOption
WithSubjectNamespace overrides the default subject namespace (security.NamespaceProfile).
func WithTenancyConstraints ¶
func WithTenancyConstraints(constraints ...AccessConstraint) TenantPermissionCheckerOption
WithTenancyConstraints adds contextual constraints evaluated after the Keto relation check passes.