Documentation
¶
Overview ¶
Package authz answers "can this actor perform this action on this resource?" — a deliberate seam so the v1 always-allow implementation can later be swapped for Casbin / OpenFGA / Keto without touching call sites.
Handlers call:
if err := d.Authz.Authorize(ctx, "policy.write", authz.Resource{...}); err != nil {
return nil, err
}
before mutating state. Today the call is a near-no-op for any authenticated caller; tomorrow it gates the action against per-org permissions, ABAC predicates, or whatever the SaaS tier needs.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrForbidden = errors.New("authz: forbidden")
ErrForbidden is returned when an authenticated actor lacks permission. Mapped to HTTP 403.
var ErrUnauthenticated = errors.New("authz: unauthenticated")
ErrUnauthenticated is returned when the call has no actor in context. Mapped to HTTP 401 by the control-plane middleware.
Functions ¶
This section is empty.
Types ¶
type AlwaysAllowAuthenticated ¶
type AlwaysAllowAuthenticated struct{}
AlwaysAllowAuthenticated is the v1 implementation: any authenticated caller (user session or admin-token bypass) is granted any action. Unauthenticated callers are rejected.
This exists so handler call sites are permanent. Swap the concrete type when multi-tenant work lands; handlers stay the same.
type Authorizer ¶
type Authorizer interface {
Authorize(ctx context.Context, action string, resource Resource) error
}
Authorizer is the policy-decision interface. Authorize returns nil to allow, ErrForbidden/ErrUnauthenticated to deny, or any other error to signal a backend failure (which the middleware should treat as 500, not 403 — failure to authorize is not the same as denial).