authorizer

package v1.93.4

This package is not in the latest version of its module.

Published: Apr 3, 2026 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

Package authorizer provides an Ory Keto adapter implementation for the security.Authorizer interface.

Index

Constants

This section is empty.

Variables

var (
	// ErrPermissionDenied indicates the subject lacks the required permission.
	ErrPermissionDenied = errors.New("permission denied")

	// ErrInvalidObject indicates an invalid object reference.
	ErrInvalidObject = errors.New("invalid object reference")

	// ErrInvalidSubject indicates an invalid subject reference.
	ErrInvalidSubject = errors.New("invalid subject reference")

	// ErrTupleNotFound indicates the relationship tuple was not found.
	ErrTupleNotFound = errors.New("relationship tuple not found")

	// ErrTupleAlreadyExists indicates the relationship tuple already exists.
	ErrTupleAlreadyExists = errors.New("relationship tuple already exists")

	// ErrAuthzServiceDown indicates the authorization service is unavailable.
	ErrAuthzServiceDown = errors.New("authorization service unavailable")

	// ErrInvalidPermission indicates an invalid permission was requested.
	ErrInvalidPermission = errors.New("invalid permission")

	// ErrInvalidRole indicates an invalid role was specified.
	ErrInvalidRole = errors.New("invalid role")
)

Functions

func CurrentTimeFromContext added in v1.90.1

func CurrentTimeFromContext(ctx context.Context) time.Time

CurrentTimeFromContext returns the time stored in context, or time.Now() if none was injected.

func LocationFromContext added in v1.90.1

func LocationFromContext(ctx context.Context) string

LocationFromContext returns the location stored in context, or "".

func NewAuditLogger

func NewAuditLogger(config AuditLoggerConfig) security.AuditLogger

NewAuditLogger creates a new AuditLogger with the given configuration.

func NewKetoAdapter

func NewKetoAdapter(
	cfg config.ConfigurationAuthorization,
	auditLogger security.AuditLogger,
) security.Authorizer

NewKetoAdapter creates a new Keto adapter with the given configuration.

func NewNoOpAuditLogger

func NewNoOpAuditLogger() security.AuditLogger

NewNoOpAuditLogger creates a new no-op audit logger.

func ToConnectError added in v1.76.0

func ToConnectError(err error) error

ToConnectError translates authorization errors into ConnectRPC error codes.

Mapping:

  • ErrInvalidSubject / ErrInvalidObject → CodeUnauthenticated
  • PermissionDeniedError → CodePermissionDenied
  • everything else → CodeInternal

func ToGrpcError added in v1.76.1

func ToGrpcError(err error) error

ToGrpcError translates authorization errors into gRPC status errors.

Mapping:

  • ErrInvalidSubject / ErrInvalidObject → codes.Unauthenticated
  • PermissionDeniedError → codes.PermissionDenied
  • everything else → codes.Internal

func ToHTTPStatusCode added in v1.76.1

func ToHTTPStatusCode(err error) int

ToHTTPStatusCode translates authorization errors into HTTP status codes.

Mapping:

  • ErrInvalidSubject / ErrInvalidObject → 401 Unauthorized
  • PermissionDeniedError → 403 Forbidden
  • everything else → 500 Internal Server Error
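The three mapping functions above share one rule set; the block below is an added example (not the package's own code) that re-implements the HTTP variant over a simplified PermissionDeniedError with string fields and an Is method matching the ErrPermissionDenied sentinel (both assumptions), to show that the mapping holds through error wrapping and that anything unrecognised fails closed to 500.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Subset of the package's documented sentinel errors.
var (
	ErrPermissionDenied = errors.New("permission denied")
	ErrInvalidObject    = errors.New("invalid object reference")
	ErrInvalidSubject   = errors.New("invalid subject reference")
	ErrAuthzServiceDown = errors.New("authorization service unavailable")
)

// Simplified to string fields (assumption); Is/Unwrap make errors.Is(err, ErrPermissionDenied) work through wrapping.
type PermissionDeniedError struct {
	Object, Permission, Subject, Reason string
}

func (e *PermissionDeniedError) Error() string {
	return fmt.Sprintf("%s lacks %s on %s: %s", e.Subject, e.Permission, e.Object, e.Reason)
}
func (e *PermissionDeniedError) Is(target error) bool { return target == ErrPermissionDenied }
func (e *PermissionDeniedError) Unwrap() error       { return ErrPermissionDenied }

// ToHTTPStatusCode applies the documented mapping with errors.Is/errors.As, so
// handlers may wrap errors freely. Anything unrecognised (including a Keto
// outage) maps to 500, never to a success status: the check fails closed.
func ToHTTPStatusCode(err error) int {
	var denied *PermissionDeniedError
	switch {
	case errors.Is(err, ErrInvalidSubject), errors.Is(err, ErrInvalidObject):
		return http.StatusUnauthorized
	case errors.As(err, &denied):
		return http.StatusForbidden
	default:
		return http.StatusInternalServerError
	}
}

func main() {
	// Constructed denial wrapped twice, as a handler chain would do.
	err := fmt.Errorf("handler: %w", fmt.Errorf("check: %w", &PermissionDeniedError{
		Object: "file:42", Permission: "read", Subject: "profile:alice", Reason: "no relation",
	}))
	fmt.Println(ToHTTPStatusCode(err), ToHTTPStatusCode(ErrAuthzServiceDown))
}
```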

func WithCurrentTime added in v1.90.1

func WithCurrentTime(ctx context.Context, t time.Time) context.Context

WithCurrentTime injects the current time into context. Production middleware should call this with time.Now(). Tests can inject a fixed value.

func WithLocation added in v1.90.1

func WithLocation(ctx context.Context, location string) context.Context

WithLocation injects the caller's location identifier into context. The value is normalized to lowercase for case-insensitive matching.

Types

type AccessConstraint added in v1.90.1

type AccessConstraint func(ctx context.Context) error

AccessConstraint evaluates a contextual condition that must hold for access to be granted. It is checked after the Keto relation check passes. Return nil to allow, or a non-nil error to deny.

func AnyConstraint added in v1.90.1

func AnyConstraint(constraints ...AccessConstraint) AccessConstraint

AnyConstraint returns a constraint that passes if at least one of the given constraints passes (OR logic). All constraint errors are collected; if none pass, the error from the first constraint is returned.

Panics if no constraints are provided.

func LocationConstraint added in v1.90.1

func LocationConstraint(allowed ...string) AccessConstraint

LocationConstraint restricts access to callers whose location (from context) matches one of the allowed values. Matching is case-insensitive. Returns an error if no location is present in context or if the location is not in the allowed set.

Panics if no allowed locations are provided.

func TimeWindowConstraint added in v1.90.1

func TimeWindowConstraint(startHour, endHour int, loc *time.Location) AccessConstraint

TimeWindowConstraint restricts access to a daily time window defined by startHour and endHour (0-23, 24h format). Access is allowed when startHour <= currentHour < endHour. Supports wrapping past midnight (e.g., startHour=22, endHour=6 allows 22:00-05:59). If loc is nil, UTC is used.

Panics if startHour or endHour is outside 0-23, or if startHour == endHour (ambiguous — use no constraint for "always allow").
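The time-window and injected-clock contract described above, re-implemented as an added example (not the package's own code; the context key type and the error messages are assumptions) so that the wrap-past-midnight case, the UTC default and the panic on bad hours can be exercised against a fixed clock:

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// AccessConstraint mirrors the documented contract: nil allows, non-nil denies.
type AccessConstraint func(ctx context.Context) error
type clockKey struct{}

// WithCurrentTime injects the evaluation clock (middleware passes time.Now(),
// tests a fixed value); CurrentTimeFromContext falls back to time.Now().
func WithCurrentTime(ctx context.Context, t time.Time) context.Context {
	return context.WithValue(ctx, clockKey{}, t)
}
func CurrentTimeFromContext(ctx context.Context) time.Time {
	if t, ok := ctx.Value(clockKey{}).(time.Time); ok {
		return t
	}
	return time.Now()
}

// TimeWindowConstraint allows startHour <= hour < endHour in loc (UTC if nil);
// startHour > endHour wraps past midnight, so (22, 6) covers 22:00-05:59.
func TimeWindowConstraint(startHour, endHour int, loc *time.Location) AccessConstraint {
	if startHour < 0 || startHour > 23 || endHour < 0 || endHour > 23 || startHour == endHour {
		panic("TimeWindowConstraint: hours must be in 0-23 and must differ")
	}
	if loc == nil {
		loc = time.UTC
	}
	return func(ctx context.Context) error {
		h := CurrentTimeFromContext(ctx).In(loc).Hour()
		inside := h >= startHour && h < endHour
		if startHour > endHour {
			inside = h >= startHour || h < endHour
		}
		if !inside {
			return fmt.Errorf("hour %d is outside the %d-%d window", h, startHour, endHour)
		}
		return nil
	}
}

func main() {
	ctx := WithCurrentTime(context.Background(), time.Date(2026, 4, 3, 3, 0, 0, 0, time.UTC))
	fmt.Println(TimeWindowConstraint(22, 6, nil)(ctx))
}
```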

type AuditLoggerConfig

type AuditLoggerConfig struct {
	// Enabled controls whether the audit logger actually logs decisions.
	// Default is false (disabled).
	Enabled bool
	// SampleRate is the fraction of decisions to log (0.0 to 1.0).
	SampleRate float64
}

AuditLoggerConfig holds configuration for the audit logger.

type AuthzServiceError

type AuthzServiceError struct {
	Operation string
	Cause     error
}

AuthzServiceError wraps authorization service errors with context.

func NewAuthzServiceError

func NewAuthzServiceError(operation string, cause error) *AuthzServiceError

NewAuthzServiceError creates a new AuthzServiceError.

func (*AuthzServiceError) Error

func (e *AuthzServiceError) Error() string

Error implements the error interface.

func (*AuthzServiceError) Is

func (e *AuthzServiceError) Is(target error) bool

Is supports errors.Is matching for AuthzServiceError.

func (*AuthzServiceError) Unwrap

func (e *AuthzServiceError) Unwrap() error

Unwrap returns the cause for error wrapping support.

type FunctionChecker added in v1.76.1

type FunctionChecker struct {
	// contains filtered or unexported fields
}

FunctionChecker verifies functional permissions in application-specific namespaces (e.g., service_tenancy, service_payment). It extracts tenant and partition from the caller's claims and checks whether the caller has a specific permission in the configured namespace.

Unlike TenancyAccessChecker, FunctionChecker has no provisioning callback — it performs a pure permission check. Data access should be verified separately using TenancyAccessChecker before calling FunctionChecker.

func NewFunctionChecker added in v1.76.1

func NewFunctionChecker(
	auth security.Authorizer,
	objectNamespace string,
	opts ...FunctionCheckerOption,
) *FunctionChecker

NewFunctionChecker creates a checker that verifies functional permissions against the given objectNamespace.

func (*FunctionChecker) Check added in v1.76.1

func (c *FunctionChecker) Check(ctx context.Context, permission string) error

Check verifies that the caller in ctx has the given permission on the tenant/partition identified in their claims.

type FunctionCheckerOption added in v1.76.1

type FunctionCheckerOption func(*FunctionChecker)

FunctionCheckerOption configures a FunctionChecker.

func WithFunctionConstraints added in v1.90.1

func WithFunctionConstraints(constraints ...AccessConstraint) FunctionCheckerOption

WithFunctionConstraints adds contextual constraints evaluated after the Keto relation check passes.

func WithFunctionPermissionConstraints added in v1.90.1

func WithFunctionPermissionConstraints(permission string, constraints ...AccessConstraint) FunctionCheckerOption

WithFunctionPermissionConstraints adds constraints that apply only when checking a specific permission.

func WithFunctionSubjectNamespace added in v1.76.1

func WithFunctionSubjectNamespace(ns string) FunctionCheckerOption

WithFunctionSubjectNamespace overrides the default subject namespace.

type NoOpAuditLogger

type NoOpAuditLogger struct{}

NoOpAuditLogger is an audit logger that does nothing.

func (*NoOpAuditLogger) LogDecision

LogDecision implements AuditLogger but does nothing.

type PermissionDeniedError

type PermissionDeniedError struct {
	Object     security.ObjectRef
	Permission string
	Subject    security.SubjectRef
	Reason     string
}

PermissionDeniedError provides detailed denial information.

func NewPermissionDeniedError

func NewPermissionDeniedError(
	object security.ObjectRef,
	permission string,
	subject security.SubjectRef,
	reason string,
) *PermissionDeniedError

NewPermissionDeniedError creates a new PermissionDeniedError.

func (*PermissionDeniedError) Error

func (e *PermissionDeniedError) Error() string

Error implements the error interface.

func (*PermissionDeniedError) Is

func (e *PermissionDeniedError) Is(target error) bool

Is allows checking if an error is a PermissionDeniedError.

func (*PermissionDeniedError) Unwrap

func (e *PermissionDeniedError) Unwrap() error

Unwrap returns the base error for error wrapping support.

type ResourceAccessChecker added in v1.90.1

type ResourceAccessChecker struct {
	// contains filtered or unexported fields
}

ResourceAccessChecker verifies per-resource-instance permissions (Plane 3). Unlike TenancyAccessChecker and FunctionChecker which derive the object ID from claims (tenant/partition), ResourceAccessChecker takes the resource ID explicitly because resource instances are not part of the authentication claims.

Example namespaces: chat_room, file, file_version.

func NewResourceAccessChecker added in v1.90.1

func NewResourceAccessChecker(
	auth security.Authorizer,
	objectNamespace string,
	opts ...ResourceCheckerOption,
) *ResourceAccessChecker

NewResourceAccessChecker creates a checker that verifies permissions on individual resource instances in the given objectNamespace.

func (*ResourceAccessChecker) Check added in v1.90.1

func (c *ResourceAccessChecker) Check(ctx context.Context, resourceID, permission string) error

Check verifies that the caller (extracted from context claims) has the given permission on the resource identified by resourceID.

func (*ResourceAccessChecker) CheckSubject added in v1.90.1

func (c *ResourceAccessChecker) CheckSubject(ctx context.Context, resourceID, permission, subjectID string) error

CheckSubject verifies that a specific subject has the given permission on the resource. Use this when the subject is not the authenticated caller.

func (*ResourceAccessChecker) Grant added in v1.90.1

func (c *ResourceAccessChecker) Grant(ctx context.Context, resourceID, relation, subjectID string) error

Grant assigns a relation to a subject on a resource instance.

func (*ResourceAccessChecker) Members added in v1.90.1

func (c *ResourceAccessChecker) Members(
	ctx context.Context,
	resourceID, relation string,
) ([]security.SubjectRef, error)

Members returns all subjects with the given relation on a resource instance.

func (*ResourceAccessChecker) Revoke added in v1.90.1

func (c *ResourceAccessChecker) Revoke(ctx context.Context, resourceID, relation, subjectID string) error

Revoke removes a relation from a subject on a resource instance.

type ResourceCheckerOption added in v1.90.1

type ResourceCheckerOption func(*ResourceAccessChecker)

ResourceCheckerOption configures a ResourceAccessChecker.

func WithConstraints added in v1.90.1

func WithConstraints(constraints ...AccessConstraint) ResourceCheckerOption

WithConstraints adds contextual constraints that are evaluated after the Keto relation check passes. If any constraint returns an error, the overall check is denied. Use this for time-of-day, location, or other runtime conditions that cannot be modelled as Keto relation tuples.

func WithPermissionConstraints added in v1.90.1

func WithPermissionConstraints(permission string, constraints ...AccessConstraint) ResourceCheckerOption

WithPermissionConstraints adds constraints that apply only when checking a specific permission. These are evaluated after global constraints.

func WithResourceSubjectNamespace added in v1.90.1

func WithResourceSubjectNamespace(ns string) ResourceCheckerOption

WithResourceSubjectNamespace overrides the default subject namespace.

type TenancyAccessChecker added in v1.76.0

type TenancyAccessChecker struct {
	// contains filtered or unexported fields
}

TenancyAccessChecker extracts claims from context, builds a CheckRequest against a tenant-scoped object namespace, and calls the authorizer. For system_internal callers it supports a self-healing callback that provisions missing tuples and retries.

func NewTenancyAccessChecker added in v1.76.0

func NewTenancyAccessChecker(
	auth security.Authorizer,
	objectNamespace string,
	opts ...TenantPermissionCheckerOption,
) *TenancyAccessChecker

NewTenancyAccessChecker creates a checker that verifies permissions against objectNamespace using the provided authorizer.

func (*TenancyAccessChecker) Check added in v1.76.0

func (c *TenancyAccessChecker) Check(ctx context.Context, permission string) error

Check verifies that the caller in ctx has the given permission on the tenant identified in their claims.

func (*TenancyAccessChecker) CheckAccess added in v1.76.1

func (c *TenancyAccessChecker) CheckAccess(ctx context.Context) error

CheckAccess verifies that the caller has data access to the partition identified in their claims. For regular users it checks the "member" relation; for internal system callers it checks the "service" relation. Service accounts are expected to have a "service" tuple on the root partition, with child partitions inheriting access via SubjectSet chains. If denied and a self-healing callback is set, it invokes the callback and retries once.

type TenancyAccessDeniedFunc added in v1.76.0

type TenancyAccessDeniedFunc func(ctx context.Context, auth security.Authorizer, tenantID, subjectID string) error

TenancyAccessDeniedFunc is called when a system_internal caller is denied permission. It should provision the necessary tuples so that a retry succeeds.

type TenantPermissionCheckerOption added in v1.76.0

type TenantPermissionCheckerOption func(*TenancyAccessChecker)

TenantPermissionCheckerOption configures a TenancyAccessChecker.

func WithOnTenancyAccessDenied added in v1.76.0

func WithOnTenancyAccessDenied(fn TenancyAccessDeniedFunc) TenantPermissionCheckerOption

WithOnTenancyAccessDenied registers a callback invoked when a system_internal caller is denied. The callback should provision the required tuples so that a subsequent retry can succeed.

func WithSubjectNamespace added in v1.76.0

func WithSubjectNamespace(ns string) TenantPermissionCheckerOption

WithSubjectNamespace overrides the default subject namespace (security.NamespaceProfile).

func WithTenancyConstraints added in v1.90.1

func WithTenancyConstraints(constraints ...AccessConstraint) TenantPermissionCheckerOption

WithTenancyConstraints adds contextual constraints evaluated after the Keto relation check passes.
