Documentation
Index
- Constants
- func IsAllowed(ctx context.Context, kind ArnKind, parts ...string) (bool, error)
- func SetDefaultAuthorizer(au Authorizer)
- func WithContext(ctx context.Context, user Principal) context.Context
- type Action
- type ArnKind
- type Authorizer
- type EvalArgs
- type GenericIdentity
- type GenericPrincipal
- type Identity
- type Principal
- type Resource
Constants
const (
	// PrincipalContextKey is the context key under which the current user (Principal) is stored.
	PrincipalContextKey = "woocoo_user"
)
Variables
This section is empty.
Functions
func IsAllowed added in v0.5.0
func IsAllowed(ctx context.Context, kind ArnKind, parts ...string) (bool, error)
IsAllowed checks whether the user has permission to perform an operation on a resource. It uses the default authorizer, so you must set the default authorizer before calling this method; see SetDefaultAuthorizer.
func SetDefaultAuthorizer added in v0.5.0
func SetDefaultAuthorizer(au Authorizer)
SetDefaultAuthorizer sets the default Authorizer used by IsAllowed.
Types
type Action added in v0.5.0
type Action string
Action describes an operation on a resource. An Action should be easy to read, for example "user:createXXX", "user:updateXXX", "user:deleteXXX", "user:listXXXX".
func (Action) MatchResource added in v0.5.0
MatchResource checks whether the resource matches the resource pattern. It supports the '*' and '?' wildcards in the pattern string.
type ArnKind added in v0.5.0
type ArnKind string
ArnKind defines the kind of application resource name (ARN) request. An application resource can be an action described by a URI, a data resource, and so on.
type Authorizer added in v0.5.0
type Authorizer interface {
	// Prepare accepts the input parts and builds EvalArgs.
	// When you implement this method, you must know the meaning of the arn parts and convert them to the correct Action.
	// In web authz, the parts format is [appCode, Request.Method, Request.URL.Path] by default;
	// in GraphQL, the parts format is [appCode, Request.Method, Operator.Name] by default.
	Prepare(ctx context.Context, kind ArnKind, parts ...string) (*EvalArgs, error)
	// Eval returns true if the request is allowed, otherwise false.
	Eval(ctx context.Context, args *EvalArgs) (bool, error)
	// QueryAllowedResourceConditions parses the condition part of the resources that pass evaluation for a resource prefix;
	// the result is a list of resource conditions in whatever form suits the Authorizer instance.
	// Typical use: an ORM needs to filter the data that the user has permission to access.
	// For example, the resource arn "oss:bucket:user/1" means the user may access the rows of the `user` table
	// whose condition is "user = 1", so the result of this method is ["user = 1"].
	// Implement more complex conditions as your data-filtering needs require.
	QueryAllowedResourceConditions(ctx context.Context, args *EvalArgs) ([]string, error)
}
Authorizer defines the interface for authorization.
Authorization is modelled as a system user operating on an application resource; the operations a resource supports are classified as actions, and the authorizer checks whether the user has permission to access the resource via the given action.
var (
DefaultAuthorizer Authorizer = &noopAuthorizer{}
)
type EvalArgs added in v0.5.0
type EvalArgs struct {
	// User is the user who performs the operation. If the user cannot be obtained from the context, set it here.
	User Principal
	// Action is the operation that the user performs on the resource.
	Action Action
	// ActionVerb is the operation verb that may be part of the action.
	//
	// For example, for the action "user:createUser" the verb is "create". The verb is empty in most cases.
	// It matters when the Authorizer uses a verb in its policy, as casbin does with a policy such as ['p','/user','read'].
	ActionVerb string
	// Resource is the resource on which the user performs the operation; empty in most cases.
	Resource Resource
}
EvalArgs is the request for authorization.
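As an added example (not the woocoo package's own code), the following implements the Authorizer contract above against constructed stand-ins for Action, ArnKind and EvalArgs: Prepare maps the web parts [appCode, Request.Method, Request.URL.Path] to an Action (joining them with ':' and using "web" as the kind are assumed conventions) and reads the principal stored under the "woocoo_user" context key (a plain string here), Eval denies anything not explicitly granted, and a local IsAllowed mirrors the package helper.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Constructed stand-ins (not the woocoo code); EvalArgs keeps only what this example needs.
type (
	Action  string
	ArnKind string
	ctxKey  string
)

type EvalArgs struct {
	User   string // the real field is a Principal; a name is enough here
	Action Action
}

const principalKey ctxKey = "woocoo_user" // same value as PrincipalContextKey

type policyAuthorizer struct{ allow map[string]map[Action]bool } // per-user grants; all else denied

// Prepare maps the web parts [appCode, method, path] to an Action such as
// "crm:GET:/user" (an assumed join) and reads the principal stored in ctx.
func (a *policyAuthorizer) Prepare(ctx context.Context, kind ArnKind, parts ...string) (*EvalArgs, error) {
	if kind != "web" || len(parts) != 3 {
		return nil, fmt.Errorf("unsupported arn kind %q with parts %v", kind, parts)
	}
	user, ok := ctx.Value(principalKey).(string)
	if !ok || user == "" {
		return nil, fmt.Errorf("no principal in context")
	}
	return &EvalArgs{User: user, Action: Action(strings.Join(parts, ":"))}, nil
}

// Eval allows only an action explicitly granted to the user (unknown user or action: false).
func (a *policyAuthorizer) Eval(_ context.Context, args *EvalArgs) (bool, error) {
	return a.allow[args.User][args.Action], nil
}

// IsAllowed mirrors the package helper: Prepare, then Eval; any error means deny.
func IsAllowed(ctx context.Context, au *policyAuthorizer, kind ArnKind, parts ...string) (bool, error) {
	args, err := au.Prepare(ctx, kind, parts...)
	if err != nil {
		return false, err
	}
	return au.Eval(ctx, args)
}
```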
type GenericIdentity
type GenericIdentity struct {
	// contains filtered or unexported fields
}
GenericIdentity represents a generic user.
func (*GenericIdentity) Claims
func (i *GenericIdentity) Claims() jwt.Claims
func (*GenericIdentity) Name
func (i *GenericIdentity) Name() string
Name returns the id of the user, if any.
type GenericPrincipal
type GenericPrincipal struct {
	GenericIdentity *GenericIdentity
}
GenericPrincipal represents a generic principal.
func NewGenericPrincipalByClaims
func NewGenericPrincipalByClaims(claims jwt.Claims) *GenericPrincipal
NewGenericPrincipalByClaims returns a GenericPrincipal built from the given JWT claims.
func (*GenericPrincipal) Identity
func (p *GenericPrincipal) Identity() Identity
type Identity
type Identity interface {
	// Name returns the identity of the user taken from Claims,
	// for example the primary key of the user record in the database.
	// The identity field in a business system may be an int or a string; translate it to a string.
	Name() string
	// Claims exposes the jwt Claims so that user info is easy to obtain, and declares that JWT is used to pass identity info.
	Claims() jwt.Claims
}
Identity defines the basic functionality of an identity object.
An identity object represents the user on whose behalf the code is running.
type Principal
type Principal interface {
	Identity() Identity
}
Principal defines the basic functionality of a principal object.
A Principal is typically defined as an entity that has a unique identifier in a security context. It can be a user, computer, process, service, or any other entity. In the context of security, a Principal represents an entity that can operate independently or participate in security-related activities.
A principal object represents the security context of the user on whose behalf the code is running, including that user's identity (IIdentity) and any roles to which they belong; at present only the identity is exposed.
type Resource added in v0.5.0
type Resource string
Resource describes a resource pattern as a string expression. The pattern may be a literal string or contain wildcards, identifying a resource such as "oss:bucket/object", "oss:bucket/*" or "oss:bucket/object/*".
func (Resource) MatchResource added in v0.5.0
MatchResource checks whether the resource matches the resource pattern. It supports the '*' and '?' wildcards in the pattern string.
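As an added example (not the package's code) of the MatchResource wildcard semantics above and of the "oss:bucket:user/1" to "user = 1" condition parsing that the QueryAllowedResourceConditions comment describes, using a constructed Resource stand-in. It assumes that '*' may span '/' and ':' and that condition arns have exactly the three-part form shown; the page does not state either.

```go
package main

import "strings"

// Constructed stand-in for the page's Resource type; not the woocoo code.
type Resource string

// MatchResource reports whether res matches the pattern in r: '*' matches any
// run of characters (assumed here to span '/' and ':' too), '?' exactly one,
// anything else literally; so "oss:bucket/*" covers "oss:bucket/object/x".
func (r Resource) MatchResource(res string) bool {
	return globMatch(string(r), res)
}

// globMatch backtracks only to the most recent '*': no recursion, O(len(pattern)*len(s)).
func globMatch(pattern, s string) bool {
	p, i, starP, starI := 0, 0, -1, -1
	for i < len(s) {
		switch {
		case p < len(pattern) && (pattern[p] == '?' || pattern[p] == s[i]):
			p, i = p+1, i+1
		case p < len(pattern) && pattern[p] == '*':
			starP, starI = p, i // try matching zero characters first
			p++
		case starP >= 0:
			starI++ // let the last '*' absorb one more character
			p, i = starP+1, starI
		default:
			return false
		}
	}
	for p < len(pattern) && pattern[p] == '*' {
		p++
	}
	return p == len(pattern)
}

// ResourceConditions maps an arn of the assumed form "<app>:<bucket>:<col>/<val>",
// e.g. "oss:bucket:user/1", to the condition "user = 1"; other shapes yield nil.
func ResourceConditions(arn string) []string {
	parts := strings.Split(arn, ":")
	if len(parts) != 3 {
		return nil
	}
	kv := strings.SplitN(parts[2], "/", 2)
	if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
		return nil
	}
	return []string{kv[0] + " = " + kv[1]}
}
```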