Documentation
Overview
Package cedar provides authorization utilities using Cedar policies.
Index
- Constants
- Variables
- func NewCedarAuthorizer(options ConfigOptions) (authorizers.Authorizer, error)
- type Authorizer
- func (a *Authorizer) AddEntity(entity cedar.Entity)
- func (a *Authorizer) AuthorizeWithJWTClaims(ctx context.Context, feature authorizers.MCPFeature, ...) (bool, error)
- func (a *Authorizer) GetEntity(uid cedar.EntityUID) (cedar.Entity, bool)
- func (a *Authorizer) GetEntityFactory() *EntityFactory
- func (a *Authorizer) IsAuthorized(principal, action, resource string, contextMap map[string]interface{}, ...) (bool, error)
- func (a *Authorizer) RemoveEntity(uid cedar.EntityUID)
- func (a *Authorizer) UpdateEntities(entitiesJSON string) error
- func (a *Authorizer) UpdatePolicies(policies []string) error
- type ClientIDContextKey
- type Config
- func ExtractConfig(authzConfig *authorizers.Config) (*Config, error)
- type ConfigOptions
- type EntityFactory
- func NewEntityFactory() *EntityFactory
- func (*EntityFactory) CreateActionEntity(actionType, actionID string, attributes map[string]interface{}) (cedar.EntityUID, cedar.Entity)
- func (f *EntityFactory) CreateEntitiesForRequest(principal, action, resource string, claimsMap map[string]interface{}, ...) (cedar.EntityMap, error)
- func (*EntityFactory) CreatePrincipalEntity(principalType, principalID string, attributes map[string]interface{}) (cedar.EntityUID, cedar.Entity)
- func (*EntityFactory) CreateResourceEntity(resourceType, resourceID string, attributes map[string]interface{}) (cedar.EntityUID, cedar.Entity)
- type Factory
- func (*Factory) CreateAuthorizer(rawConfig json.RawMessage, _ string) (authorizers.Authorizer, error)
- func (*Factory) ValidateConfig(rawConfig json.RawMessage) error
Constants
const ConfigType = "cedarv1"
ConfigType is the configuration type identifier for Cedar authorization.
Variables
var (
	ErrNoPolicies           = errors.New("no policies loaded")
	ErrInvalidPolicy        = errors.New("invalid policy")
	ErrMissingPrincipal     = errors.New("missing principal")
	ErrMissingAction        = errors.New("missing action")
	ErrMissingResource      = errors.New("missing resource")
	ErrFailedToLoadEntities = errors.New("failed to load entities")
)
Common errors for Cedar authorization.
Functions
func NewCedarAuthorizer
func NewCedarAuthorizer(options ConfigOptions) (authorizers.Authorizer, error)
NewCedarAuthorizer creates a new Cedar authorizer.
Types
type Authorizer
type Authorizer struct {
// contains filtered or unexported fields
}
Authorizer authorizes MCP operations using Cedar policies.
func (*Authorizer) AddEntity
func (a *Authorizer) AddEntity(entity cedar.Entity)
AddEntity adds or updates an entity in the authorizer's entity store.
func (*Authorizer) AuthorizeWithJWTClaims
func (a *Authorizer) AuthorizeWithJWTClaims(
	ctx context.Context,
	feature authorizers.MCPFeature,
	operation authorizers.MCPOperation,
	resourceID string,
	arguments map[string]interface{},
) (bool, error)
AuthorizeWithJWTClaims demonstrates how to use JWT claims with the Cedar authorization middleware. This method:
1. Extracts JWT claims from the context
2. Extracts the client ID from the claims
3. Includes the JWT claims in the Cedar context
4. Creates entities with appropriate attributes
5. Authorizes the operation using the client ID and claims
func (*Authorizer) GetEntityFactory
func (a *Authorizer) GetEntityFactory() *EntityFactory
GetEntityFactory returns the entity factory associated with this authorizer.
func (*Authorizer) IsAuthorized
func (a *Authorizer) IsAuthorized(
	principal, action, resource string,
	contextMap map[string]interface{},
	entities ...cedar.EntityMap,
) (bool, error)
IsAuthorized checks if a request is authorized. This is the core authorization method that all other authorization methods use. It takes:
- principal: The entity making the request (e.g., "Client::vscode_extension_123")
- action: The operation being performed (e.g., "Action::call_tool")
- resource: The object being accessed (e.g., "Tool::weather")
- context: Additional information about the request
- entities: Optional Cedar entity map with attributes
func (*Authorizer) RemoveEntity
func (a *Authorizer) RemoveEntity(uid cedar.EntityUID)
RemoveEntity removes an entity from the authorizer's entity store.
func (*Authorizer) UpdateEntities
func (a *Authorizer) UpdateEntities(entitiesJSON string) error
UpdateEntities updates the Cedar entities.
func (*Authorizer) UpdatePolicies
func (a *Authorizer) UpdatePolicies(policies []string) error
UpdatePolicies updates the Cedar policies.
type ClientIDContextKey
type ClientIDContextKey struct{}
ClientIDContextKey is the key used to store client ID in the context.
type Config
type Config struct {
Version string `json:"version"`
Type string `json:"type"`
Options *ConfigOptions `json:"cedar"`
}
Config represents the complete authorization configuration file structure for Cedar authorization. This includes the common version/type fields plus the Cedar-specific "cedar" field. This maintains backwards compatibility with the v1.0 configuration schema.
func ExtractConfig
func ExtractConfig(authzConfig *authorizers.Config) (*Config, error)
ExtractConfig extracts the Cedar configuration from an authorizers.Config. This is useful for tests and other code that needs to inspect the Cedar configuration after it has been loaded into the generic Config structure. To access the Cedar-specific options (policies, entities), use the Options field of the returned Config (serialized under the "cedar" key).
type ConfigOptions
type ConfigOptions struct {
// Policies is a list of Cedar policy strings
Policies []string `json:"policies" yaml:"policies"`
// EntitiesJSON is the JSON string representing Cedar entities
EntitiesJSON string `json:"entities_json" yaml:"entities_json"`
}
ConfigOptions represents the Cedar-specific authorization configuration options.
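Because the page gives no loading example, here is an added one (not the cedar package's own code): a stdlib-only model of the Config and ConfigOptions structures above, with a fail-closed loader that checks the documented ConfigType, ErrNoPolicies and ErrFailedToLoadEntities conditions. ParseAndValidate and SampleConfig are assumed names; the JSON, policy text and entity document are constructed samples, and the validation rules are an assumption about what a factory's ValidateConfig should enforce, not the project's actual behaviour.

```go
package main

// Added example, not the cedar package's own code: a stdlib-only model of the
// Config / ConfigOptions structure documented above, with a fail-closed loader
// mirroring the documented ConfigType, ErrNoPolicies and ErrFailedToLoadEntities.

import (
	"encoding/json"
	"errors"
	"fmt"
)

const ConfigType = "cedarv1"
var ErrNoPolicies = errors.New("no policies loaded")
var ErrFailedToLoadEntities = errors.New("failed to load entities")

type ConfigOptions struct {
	Policies     []string `json:"policies"`
	EntitiesJSON string   `json:"entities_json"`
}

type Config struct {
	Version string         `json:"version"`
	Type    string         `json:"type"`
	Options *ConfigOptions `json:"cedar"` // Cedar-specific section of the file
}

// SampleConfig is a constructed v1.0 file reusing the identifiers from the
// IsAuthorized documentation; the entity document is a minimal Tool entity.
const SampleConfig = `{"version": "1.0", "type": "cedarv1", "cedar": {
  "policies": ["permit(principal == Client::\"vscode_extension_123\", action == Action::\"call_tool\", resource == Tool::\"weather\");"],
  "entities_json": "[{\"uid\":{\"type\":\"Tool\",\"id\":\"weather\"},\"attrs\":{},\"parents\":[]}]"}}`

// ParseAndValidate (assumed name) rejects, at load time, any config an authorizer
// could not safely evaluate (wrong type, no policies, malformed entities JSON).
func ParseAndValidate(raw []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("decoding authorization config: %w", err)
	}
	if cfg.Type != ConfigType {
		return nil, fmt.Errorf("unsupported authorization type %q, want %q", cfg.Type, ConfigType)
	}
	if cfg.Options == nil || len(cfg.Options.Policies) == 0 {
		return nil, ErrNoPolicies
	}
	if cfg.Options.EntitiesJSON != "" && !json.Valid([]byte(cfg.Options.EntitiesJSON)) {
		return nil, ErrFailedToLoadEntities
	}
	return &cfg, nil
}
```

Surfacing these errors at load time, rather than at the first IsAuthorized call, is what keeps a typo in the config from turning into a blanket deny or an unnoticed no-policy state in production.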
type EntityFactory
type EntityFactory struct{}
EntityFactory creates Cedar entities for authorization.
func NewEntityFactory
func NewEntityFactory() *EntityFactory
NewEntityFactory creates a new entity factory.
func (*EntityFactory) CreateActionEntity
func (*EntityFactory) CreateActionEntity(
	actionType, actionID string,
	attributes map[string]interface{},
) (cedar.EntityUID, cedar.Entity)
CreateActionEntity creates an action entity with the given ID and attributes.
func (*EntityFactory) CreateEntitiesForRequest
func (f *EntityFactory) CreateEntitiesForRequest(
	principal, action, resource string,
	claimsMap map[string]interface{},
	attributes map[string]interface{},
) (cedar.EntityMap, error)
CreateEntitiesForRequest creates entities for a specific authorization request.
func (*EntityFactory) CreatePrincipalEntity
func (*EntityFactory) CreatePrincipalEntity(
	principalType, principalID string,
	attributes map[string]interface{},
) (cedar.EntityUID, cedar.Entity)
CreatePrincipalEntity creates a principal entity with the given ID and attributes.
func (*EntityFactory) CreateResourceEntity
func (*EntityFactory) CreateResourceEntity(
	resourceType, resourceID string,
	attributes map[string]interface{},
) (cedar.EntityUID, cedar.Entity)
CreateResourceEntity creates a resource entity with the given ID and attributes.
type Factory
type Factory struct{}
Factory implements the authorizers.AuthorizerFactory interface for Cedar.
func (*Factory) CreateAuthorizer
func (*Factory) CreateAuthorizer(rawConfig json.RawMessage, _ string) (authorizers.Authorizer, error)
CreateAuthorizer creates a Cedar Authorizer from the configuration. It receives the full raw config and extracts the Cedar-specific portion.
func (*Factory) ValidateConfig
func (*Factory) ValidateConfig(rawConfig json.RawMessage) error
ValidateConfig validates the Cedar-specific configuration. It receives the full raw config and extracts the Cedar-specific portion.