authz

package

v0.0.0-...-86ef8f6 Latest Latest Go to latest Published: Aug 30, 2025 License: MIT Imports: 12 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/real-evolution/recloak

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
type AuthzConfig
type AuthzEnv
- func (e AuthzEnv) InRealmRole(role string) bool
- func (e AuthzEnv) InRole(role string) bool
type CompiledPolicy
- func CompilePolicy(source string) (CompiledPolicy, error)
- func (p CompiledPolicy) Evaluate(env AuthzEnv) error
type EnforcementMode
- func (s EnforcementMode) String() string
- func (s *EnforcementMode) UnmarshalYAML(value *yaml.Node) (err error)
type Enforcer
- func NewEnforcer(client *recloak.ReCloak, config *AuthzConfig) (*Enforcer, error)
- func (e *Enforcer) Authorize(ctx context.Context, accessToken string, path string, request any) (recloak.Token, error)
- func (e *Enforcer) Client() *recloak.ReCloak
- func (e *Enforcer) SetEnforcementMode(mode EnforcementMode)
type Engine
- func NewEngine(config *AuthzConfig) (*Engine, error)
- func (e *Engine) Authorize(path string, claims *recloak.Claims, request any) error
- func (e *Engine) SetEnforcementMode(mode EnforcementMode)
type IntrospectionMode
- func (s IntrospectionMode) String() string
- func (s *IntrospectionMode) UnmarshalYAML(value *yaml.Node) (err error)
type Policy
type PolicyCompiler
- func NewPolicyCompiler(baseExpr string) PolicyCompiler
- func (b PolicyCompiler) And(exprs ...string) PolicyCompiler
- func (b PolicyCompiler) Compile() (CompiledPolicy, error)
- func (b *PolicyCompiler) IsEmpty() bool
- func (b PolicyCompiler) Or(exprs ...string) PolicyCompiler
type PolicyMap
- func NewEmptyPolicyMap() PolicyMap
- func NewPolicyMap(config *AuthzConfig) (PolicyMap, error)
- func (s *PolicyMap) Add(policy Policy) error
- func (s *PolicyMap) AddFromResource(resource *Resource) error
- func (p *PolicyMap) Get(name string) (policy Policy, ok bool)
- func (p *PolicyMap) HasPolicy(name string) bool
- func (p *PolicyMap) Preprocess(policy *Policy) error
type PolicySpec
- func (s *PolicySpec) UnmarshalYAML(value *yaml.Node) error
type Resource

Constants ¶

View Source

const PolicyIncludePrefix = '@'

PolicyIncludePrefix is the prefix that indicates a policy include.

Variables ¶

View Source

var ErrUnauthorized = fmt.Errorf("unauthorized")

View Source

var ErrorNoPolicyForPath = fmt.Errorf("no policy for path")

Functions ¶

This section is empty.

Types ¶

type AuthzConfig ¶

type AuthzConfig struct {
	// The path separator.
	PathSeparator string `yaml:"pathSeparator"`

	// The enforcement mode.
	EnforcementMode EnforcementMode `yaml:"enforcementMode"`

	// Whether to introspect user token before evaluating policies.
	IntrospectionMode IntrospectionMode `yaml:"introspection"`

	// Whether to print debug information.
	Debug bool `yaml:"debug"`

	// The ID of the client.
	ClientID string `yaml:"clientID"`

	// Authorization policies.
	Policies []Policy `yaml:"policies,flow"`

	// Resources.
	Resources []Resource `yaml:"resources,flow"`
}

AuthzConfig is a struct that holds the authorization configuration.

type AuthzEnv ¶

type AuthzEnv struct {
	Config  *AuthzConfig
	Claims  *recloak.Claims
	Request any
}

AuthzEnv is an environment that is passed to the policy expression during evaluation.

func (AuthzEnv) InRealmRole ¶

func (e AuthzEnv) InRealmRole(role string) bool

InRealmRole checks if the user has the given role in the realm.

func (AuthzEnv) InRole ¶

func (e AuthzEnv) InRole(role string) bool

InClientRole checks if the user has the given role for the given client.

type CompiledPolicy ¶

type CompiledPolicy struct {
	// contains filtered or unexported fields
}

CompiledPolicy is a compiled policy that can be evaluated against a request and a set of claims at runtime.

func CompilePolicy ¶

func CompilePolicy(source string) (CompiledPolicy, error)

CompilePolicy compiles the given policy from the given source expression.

func (CompiledPolicy) Evaluate ¶

func (p CompiledPolicy) Evaluate(env AuthzEnv) error

Evaluate evaluates the policy against the given claims and request.

type EnforcementMode ¶

type EnforcementMode int

EnforcementMode is an enum that represents the policy evaluation enforcement mode.

const (
	// EnforcementModeEnforcing is the enforcement mode that causes the
	// evaluation to fail if a resource has no policy associated with it.
	EnforcementModeEnforcing EnforcementMode = iota

	// EnforcementModePermissive is the enforcement mode that causes the
	// evaluation to succeed if a resource has no policy associated with it.
	EnforcementModePermissive

	// EnforcementModeDisabled is the enforcement mode that causes the
	// evaluation to succeed regardless of whether a resource has a policy
	// associated with it.
	EnforcementModeDisabled
)

func (EnforcementMode) String ¶

func (s EnforcementMode) String() string

func (*EnforcementMode) UnmarshalYAML ¶

func (s *EnforcementMode) UnmarshalYAML(value *yaml.Node) (err error)

type Enforcer ¶

type Enforcer struct {
	// contains filtered or unexported fields
}

func NewEnforcer ¶

func NewEnforcer(client *recloak.ReCloak, config *AuthzConfig) (*Enforcer, error)

NewEnforcer creates a new authorization enforcer.

func (*Enforcer) Authorize ¶

func (e *Enforcer) Authorize(
	ctx context.Context,
	accessToken string,
	path string,
	request any,
) (recloak.Token, error)

Authorize evaluates a policy for a path, with the given claims and request.

func (*Enforcer) Client ¶

func (e *Enforcer) Client() *recloak.ReCloak

Client returns the recloak client

func (*Enforcer) SetEnforcementMode ¶

func (e *Enforcer) SetEnforcementMode(mode EnforcementMode)

SetEnforcementMode sets the enforcement mode.

type Engine ¶

type Engine struct {
	// contains filtered or unexported fields
}

Engine is a struct that is used to evaluate authorization policies.

func NewEngine ¶

func NewEngine(config *AuthzConfig) (*Engine, error)

NewEngine creates a new authorization engine.

func (*Engine) Authorize ¶

func (e *Engine) Authorize(path string, claims *recloak.Claims, request any) error

Authorize evaluates a policy for a path, with the given claims and request.

func (*Engine) SetEnforcementMode ¶

func (e *Engine) SetEnforcementMode(mode EnforcementMode)

type IntrospectionMode ¶

type IntrospectionMode int

IntrospectionMode is an enum that indicates whether to introspect user token before evaluating policies.

const (
	// IntrospectionModeDisabled is the introspection mode that causes the
	// evaluation to not introspect user token before evaluating policies,
	// and instead try to decode & verify the token locally.
	IntrospectionModeDisabled IntrospectionMode = iota

	// IntrospectionModeAlways is the introspection mode that causes the
	// evaluation to always introspect user token before evaluating policies.
	IntrospectionModeAlways
)

func (IntrospectionMode) String ¶

func (s IntrospectionMode) String() string

func (*IntrospectionMode) UnmarshalYAML ¶

func (s *IntrospectionMode) UnmarshalYAML(value *yaml.Node) (err error)

type Policy ¶

type Policy struct {
	// The display name of the policy.
	Name string `yaml:"name,omitempty"`

	// The description of the policy.
	Description string `yaml:"description,omitempty"`

	// The description of the policy.
	Expression string `yaml:"expression"`
}

Policy is a struct that holds authorization logic for a resource.

type PolicyCompiler ¶

type PolicyCompiler struct {
	// contains filtered or unexported fields
}

PolicyCompiler is a builder for a compiled policy.

func NewPolicyCompiler ¶

func NewPolicyCompiler(baseExpr string) PolicyCompiler

NewPolicyCompiler creates a new policy compiler.

func (PolicyCompiler) And ¶

func (b PolicyCompiler) And(exprs ...string) PolicyCompiler

And adds a logical AND to the current expression.

func (PolicyCompiler) Compile ¶

func (b PolicyCompiler) Compile() (CompiledPolicy, error)

Compile builds a compiled policy from the current expression.

func (*PolicyCompiler) IsEmpty ¶

func (b *PolicyCompiler) IsEmpty() bool

func (PolicyCompiler) Or ¶

func (b PolicyCompiler) Or(exprs ...string) PolicyCompiler

Or adds a logical OR to the current expression.

type PolicyMap ¶

type PolicyMap struct {
	// contains filtered or unexported fields
}

PolicyMap is a set of policies.

func NewEmptyPolicyMap ¶

func NewEmptyPolicyMap() PolicyMap

NewEmptyPolicyMap creates a new empty policy set.

func NewPolicyMap ¶

func NewPolicyMap(config *AuthzConfig) (PolicyMap, error)

NewPolicyMap creates a new policy set.

func (*PolicyMap) Add ¶

func (s *PolicyMap) Add(policy Policy) error

Add adds a policy to the set.

func (*PolicyMap) AddFromResource ¶

func (s *PolicyMap) AddFromResource(resource *Resource) error

AddFromResource adds a policy from a resource to the set.

func (*PolicyMap) Get ¶

func (p *PolicyMap) Get(name string) (policy Policy, ok bool)

Get gets a policy from the set by name.

func (*PolicyMap) HasPolicy ¶

func (p *PolicyMap) HasPolicy(name string) bool

HasKey checks if a policy exists in the set by name.

func (*PolicyMap) Preprocess ¶

func (p *PolicyMap) Preprocess(policy *Policy) error

type PolicySpec ¶

type PolicySpec struct {
	InPlace *Policy `yaml:"inPlace,omitempty"`
	Ref     string  `yaml:"policyRef,omitempty"`
}

PolicySpec is a struct that enables to specify a policy either in place or by reference.

func (*PolicySpec) UnmarshalYAML ¶

func (s *PolicySpec) UnmarshalYAML(value *yaml.Node) error

type Resource ¶

type Resource struct {
	// The name of the resource.
	Name string `yaml:"name,omitempty"`

	// The display name of the resource.
	DisplayName string `yaml:"displayName,omitempty"`

	// The description of the resource.
	Policy *PolicySpec `yaml:"policy,omitempty"`

	// The description of the resource.
	Children []Resource `yaml:"children,omitempty"`
}

Resource is a resource that the access to which is controlled by an authorization policy.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL