permissions

package
v0.0.16 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 11, 2026 License: Apache-2.0 Imports: 28 Imported by: 0

README ΒΆ

AuthSome Permissions Plugin

Enterprise-grade permissions system with ABAC, dynamic resources, and CEL policy language.

Features

πŸš€ Advanced Authorization
  • ABAC (Attribute-Based Access Control) - Policy decisions based on user, resource, and request attributes
  • CEL Policy Language - Google's Common Expression Language for safe, fast policy evaluation
  • Dynamic Resources - Organizations define their own resource types and actions
  • Sub-millisecond latency - <5ms p99 with 10K+ policies per org
🏒 Multi-Tenant SaaS
  • Organization-scoped namespaces - Complete isolation between tenants
  • Custom resource definitions - Each org defines what they need to protect
  • Policy templates - Pre-built patterns for common scenarios
  • Platform inheritance - Share common policies across organizations
⚑ Performance
  • Three-tier caching - Local LRU + Redis + Database
  • Compiled policies - Parse once, evaluate millions of times
  • Parallel evaluation - Concurrent policy checks with early exit
  • Query optimization - Cost-based evaluation ordering
πŸ”§ Production-Ready
  • Migration tool - Seamless migration from existing RBAC
  • Hybrid mode - Run both systems during transition
  • Comprehensive metrics - Prometheus + OpenTelemetry integration
  • Audit logging - Complete trail of policy changes
  • Policy versioning - Rollback to previous versions

Quick Start

1. Enable the Plugin

Add to your authsome.yaml:

auth:
  permissions:
    enabled: true
    mode: hybrid  # Use hybrid mode during migration
    
    engine:
      maxPolicyComplexity: 100
      evaluationTimeout: 10ms
      parallelEvaluation: true
    
    cache:
      enabled: true
      backend: redis
      localCacheSize: 10000
2. Register the Plugin
import (
    "github.com/xraph/authsome"
    "github.com/xraph/authsome/plugins/permissions"
)

func main() {
    auth := authsome.New(authsome.Config{
        ModeSaaS: true,
        // ... other config
    })
    
    // Register permissions plugin
    auth.RegisterPlugin(permissions.NewPlugin())
    
    // Initialize
    if err := auth.Init(); err != nil {
        log.Fatal(err)
    }
}
3. Create Your First Policy
curl -X POST http://localhost:8080/permissions/policies \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Document owners can edit",
    "expression": "resource.owner == principal.id",
    "resourceType": "document",
    "actions": ["read", "write", "delete"],
    "enabled": true
  }'
4. Evaluate Permissions
curl -X POST http://localhost:8080/permissions/evaluate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "principalId": "user_123",
    "action": "write",
    "resourceType": "document",
    "resourceId": "doc_456"
  }'

Response:

{
  "allowed": true,
  "matchedPolicies": ["policy_789"],
  "evaluationTime": "2.3ms"
}

Policy Examples

Owner-Only Access
resource.owner == principal.id
Admin or Owner
has_role("admin") || resource.owner == principal.id
Business Hours Only
is_weekday() && in_time_range("09:00", "17:00")
IP Allowlist
ip_in_range(["10.0.0.0/8", "192.168.0.0/16"])
Team Members
principal.team_id == resource.team_id && 
principal.department in ["engineering", "operations"]
Time-Limited Access
request.time < resource.expires_at && 
days_since(resource.created_at) < 90
Confidentiality-Based
resource.metadata.confidentiality == "public" ||
(resource.metadata.confidentiality == "internal" && is_member_of(resource.org_id)) ||
(resource.metadata.confidentiality == "restricted" && principal.clearance_level >= 3)

Organization Setup

1. Create Namespace
curl -X POST http://localhost:8080/permissions/namespaces \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "orgId": "org_abc123",
    "inheritPlatform": true,
    "templateId": "enterprise-base"
  }'
2. Define Custom Resources
curl -X POST http://localhost:8080/permissions/resources \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "namespaceId": "ns_xyz",
    "type": "document",
    "attributes": [
      {"name": "owner", "type": "string", "required": true},
      {"name": "team_id", "type": "string"},
      {"name": "confidentiality", "type": "string"},
      {"name": "tags", "type": "array"}
    ]
  }'
3. Define Actions
curl -X POST http://localhost:8080/permissions/actions \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "namespaceId": "ns_xyz",
    "name": "export",
    "description": "Export resource data"
  }'

Migration from RBAC

Automatic Migration
curl -X POST http://localhost:8080/permissions/migrate/rbac \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "orgId": "org_abc123",
    "dryRun": true,
    "validateEquivalence": true
  }'
Hybrid Mode

Run both systems during migration:

auth:
  permissions:
    mode: hybrid  # Try permissions first, fallback to RBAC

Check migration status:

curl http://localhost:8080/permissions/migrate/rbac/status?orgId=org_abc123 \
  -H "Authorization: Bearer $TOKEN"

Configuration Reference

Engine Settings
engine:
  maxPolicyComplexity: 100      # Max operations per policy
  evaluationTimeout: 10ms       # Max evaluation time
  maxPoliciesPerOrg: 10000      # Policy limit per org
  parallelEvaluation: true      # Concurrent evaluation
  maxParallelEvaluations: 4     # Concurrency level
  enableAttributeCaching: true  # Cache attributes
  attributeCacheTTL: 5m         # Attribute cache TTL
Cache Settings
cache:
  enabled: true
  backend: hybrid               # memory, redis, hybrid
  localCacheSize: 10000         # LRU cache size
  localCacheTTL: 5m             # Local TTL
  redisTTL: 15m                 # Redis TTL
  warmupOnStart: true           # Pre-load on startup
  invalidateOnChange: true      # Immediate invalidation
Performance Tuning
performance:
  enableMetrics: true           # Prometheus metrics
  enableTracing: false          # OpenTelemetry traces
  traceSamplingRate: 0.01       # 1% sampling
  slowQueryThreshold: 5ms       # Log slow queries
  enableProfiling: false        # pprof endpoints

Performance Benchmarks

Scenario Latency (p50) Latency (p99) Throughput
Simple policy (owner check) <1ms <2ms 50K RPS
Complex policy (ABAC) 2ms 4ms 25K RPS
1K policies, local cache 1ms 3ms 30K RPS
1K policies, Redis cache 2ms 5ms 20K RPS
10K policies, optimized 3ms 8ms 15K RPS

Benchmarked on: 4 CPU, 8GB RAM, PostgreSQL + Redis

API Reference

Policy Management
Endpoint Method Description
/permissions/policies POST Create policy
/permissions/policies GET List policies
/permissions/policies/:id GET Get policy
/permissions/policies/:id PUT Update policy
/permissions/policies/:id DELETE Delete policy
/permissions/policies/validate POST Validate syntax
/permissions/policies/test POST Test policy
Resource Management
Endpoint Method Description
/permissions/resources POST Define resource type
/permissions/resources GET List resource types
/permissions/resources/:id GET Get resource definition
/permissions/resources/:id DELETE Delete resource type
Evaluation
Endpoint Method Description
/permissions/evaluate POST Check authorization
/permissions/evaluate/batch POST Batch evaluation
Templates
Endpoint Method Description
/permissions/templates GET List templates
/permissions/templates/:id GET Get template
/permissions/templates/:id/instantiate POST Use template

Monitoring

Prometheus Metrics
permissions_evaluations_total{org_id, resource_type, action, result}
permissions_evaluation_duration_seconds{org_id}
permissions_cache_hits_total{tier="local|redis|db"}
permissions_policy_count{org_id}
permissions_errors_total{type}
Grafana Dashboard

Import dashboard from: /plugins/permissions/monitoring/grafana-dashboard.json

Health Check
curl http://localhost:8080/health/permissions

Security Considerations

Policy Validation
  • All policies validated at creation time
  • Type checking prevents runtime errors
  • Complexity limits prevent DoS
Cache Security
  • Cache keys include org ID for isolation
  • Redis ACLs recommended
  • Automatic cache invalidation on updates
Audit Trail
  • All policy changes logged
  • Actor, timestamp, old/new values tracked
  • Queryable audit API
Rate Limiting
  • Per-org policy limits
  • Evaluation timeout protection
  • Request rate limiting recommended

Troubleshooting

Slow Evaluations

Check metrics:

curl http://localhost:8080/metrics | grep permissions_evaluation_duration

Enable profiling:

performance:
  enableProfiling: true

Profile: curl http://localhost:8080/debug/pprof/profile

Cache Misses

Check hit rate:

curl http://localhost:8080/metrics | grep permissions_cache_hits

Adjust cache sizes:

cache:
  localCacheSize: 20000  # Increase
  localCacheTTL: 10m     # Increase
Policy Errors

Validate before creating:

curl -X POST http://localhost:8080/permissions/policies/validate \
  -d '{"expression": "resource.owner == principal.id"}'

Test with sample data:

curl -X POST http://localhost:8080/permissions/policies/test \
  -d '{
    "expression": "...",
    "testCases": [...]
  }'

Documentation

Examples

See /examples/permissions/ for:

  • Basic policy examples
  • ABAC scenarios
  • Multi-tenant setup
  • Performance testing
  • Client integration

Support

License

Same as AuthSome (see root LICENSE file)

Documentation ΒΆ

Index ΒΆ

Constants ΒΆ

View Source 
const (
	PluginID      = "permissions"
	PluginName    = "Advanced Permissions"
	PluginVersion = "1.0.0"
)

Variables ΒΆ

This section is empty.

Functions ΒΆ

This section is empty.

Types ΒΆ

type CacheConfig ΒΆ 

type CacheConfig struct {
	// Enabled controls whether caching is active
	// Default: true
	Enabled bool `json:"enabled" yaml:"enabled"`

	// Backend specifies the cache backend
	// Options: "memory", "redis", "hybrid"
	// Default: "hybrid"
	Backend string `json:"backend" yaml:"backend"`

	// LocalCacheSize is the size of the in-memory LRU cache
	// Default: 10000
	LocalCacheSize int `json:"localCacheSize" yaml:"localCacheSize"`

	// LocalCacheTTL is the TTL for local cache entries
	// Default: 5 minutes
	LocalCacheTTL time.Duration `json:"localCacheTTL" yaml:"localCacheTTL"`

	// RedisTTL is the TTL for Redis cache entries
	// Default: 15 minutes
	RedisTTL time.Duration `json:"redisTTL" yaml:"redisTTL"`

	// WarmupOnStart pre-loads policies on startup
	// Default: true
	WarmupOnStart bool `json:"warmupOnStart" yaml:"warmupOnStart"`

	// InvalidateOnChange immediately invalidates cache on policy changes
	// Default: true
	InvalidateOnChange bool `json:"invalidateOnChange" yaml:"invalidateOnChange"`
}

CacheConfig controls caching behavior.

type Config ΒΆ 

type Config struct {
	// Enabled controls whether the permissions system is active
	Enabled bool `json:"enabled" yaml:"enabled"`

	// Mode determines the evaluation mode
	// - "strict": Only use permissions system (RBAC disabled)
	// - "hybrid": Try permissions first, fallback to RBAC
	// - "rbac-primary": Try RBAC first, fallback to permissions
	Mode string `json:"mode" yaml:"mode"`

	// Engine configuration
	Engine EngineConfig `json:"engine" yaml:"engine"`

	// Cache configuration
	Cache CacheConfig `json:"cache" yaml:"cache"`

	// Performance tuning
	Performance PerformanceConfig `json:"performance" yaml:"performance"`

	// Migration settings
	Migration MigrationConfig `json:"migration" yaml:"migration"`

	// Organization-specific overrides
	Organizations map[string]*OrgConfig `json:"organizations" yaml:"organizations"`
}

Config represents the permissions plugin configuration.

func DefaultConfig ΒΆ 

func DefaultConfig() *Config

DefaultConfig returns the default configuration.

func LoadConfig ΒΆ 

func LoadConfig(configManager forge.ConfigManager) (*Config, error)

LoadConfig loads configuration from Forge config manager.

func (*Config) GetOrgConfig ΒΆ 

func (c *Config) GetOrgConfig(orgID string) *Config

GetOrgConfig returns the effective configuration for an organization.

func (*Config) MergeOrgConfig ΒΆ 

func (c *Config) MergeOrgConfig(orgID string, override *OrgConfig)

MergeOrgConfig merges organization-specific settings.

func (*Config) Validate ΒΆ 

func (c *Config) Validate() error

Validate checks if the configuration is valid.

type EngineConfig ΒΆ 

type EngineConfig struct {
	// MaxPolicyComplexity limits the number of operations in a policy
	// Default: 100
	MaxPolicyComplexity int `json:"maxPolicyComplexity" yaml:"maxPolicyComplexity"`

	// EvaluationTimeout is the maximum time for policy evaluation
	// Default: 10ms
	EvaluationTimeout time.Duration `json:"evaluationTimeout" yaml:"evaluationTimeout"`

	// MaxPoliciesPerOrg limits policies per organization
	// Default: 10000
	MaxPoliciesPerOrg int `json:"maxPoliciesPerOrg" yaml:"maxPoliciesPerOrg"`

	// ParallelEvaluation enables concurrent policy evaluation
	// Default: true
	ParallelEvaluation bool `json:"parallelEvaluation" yaml:"parallelEvaluation"`

	// MaxParallelEvaluations controls concurrency level
	// Default: 4
	MaxParallelEvaluations int `json:"maxParallelEvaluations" yaml:"maxParallelEvaluations"`

	// EnableAttributeCaching caches attribute lookups
	// Default: true
	EnableAttributeCaching bool `json:"enableAttributeCaching" yaml:"enableAttributeCaching"`

	// AttributeCacheTTL is the TTL for attribute cache
	// Default: 5 minutes
	AttributeCacheTTL time.Duration `json:"attributeCacheTTL" yaml:"attributeCacheTTL"`
}

EngineConfig controls the policy evaluation engine.

type Handler ΒΆ 

type Handler struct {
	// contains filtered or unexported fields
}

Handler handles HTTP requests for the permissions plugin V2 Architecture: App β†’ Environment β†’ Organization.

func NewHandler ΒΆ 

func NewHandler(service *Service) *Handler

NewHandler creates a new handler instance.

func (*Handler) CreateAction ΒΆ 

func (h *Handler) CreateAction(c forge.Context) error

CreateAction handles POST /permissions/actions.

func (*Handler) CreateNamespace ΒΆ 

func (h *Handler) CreateNamespace(c forge.Context) error

CreateNamespace handles POST /permissions/namespaces.

func (*Handler) CreatePolicy ΒΆ 

func (h *Handler) CreatePolicy(c forge.Context) error

CreatePolicy handles POST /permissions/policies.

func (*Handler) CreateResource ΒΆ 

func (h *Handler) CreateResource(c forge.Context) error

CreateResource handles POST /permissions/resources.

func (*Handler) DeleteAction ΒΆ 

func (h *Handler) DeleteAction(c forge.Context) error

DeleteAction handles DELETE /permissions/actions/:id.

func (*Handler) DeleteNamespace ΒΆ 

func (h *Handler) DeleteNamespace(c forge.Context) error

DeleteNamespace handles DELETE /permissions/namespaces/:id.

func (*Handler) DeletePolicy ΒΆ 

func (h *Handler) DeletePolicy(c forge.Context) error

DeletePolicy handles DELETE /permissions/policies/:id.

func (*Handler) DeleteResource ΒΆ 

func (h *Handler) DeleteResource(c forge.Context) error

DeleteResource handles DELETE /permissions/resources/:id.

func (*Handler) Evaluate ΒΆ 

func (h *Handler) Evaluate(c forge.Context) error

Evaluate handles POST /permissions/evaluate.

func (*Handler) EvaluateBatch ΒΆ 

func (h *Handler) EvaluateBatch(c forge.Context) error

EvaluateBatch handles POST /permissions/evaluate/batch.

func (*Handler) GetAnalytics ΒΆ 

func (h *Handler) GetAnalytics(c forge.Context) error

GetAnalytics handles GET /permissions/analytics.

func (*Handler) GetAuditLog ΒΆ 

func (h *Handler) GetAuditLog(c forge.Context) error

GetAuditLog handles GET /permissions/audit.

func (*Handler) GetMigrationStatus ΒΆ 

func (h *Handler) GetMigrationStatus(c forge.Context) error

GetMigrationStatus handles GET /permissions/migrate/rbac/status.

func (*Handler) GetNamespace ΒΆ 

func (h *Handler) GetNamespace(c forge.Context) error

GetNamespace handles GET /permissions/namespaces/:id.

func (*Handler) GetPolicy ΒΆ 

func (h *Handler) GetPolicy(c forge.Context) error

GetPolicy handles GET /permissions/policies/:id.

func (*Handler) GetResource ΒΆ 

func (h *Handler) GetResource(c forge.Context) error

GetResource handles GET /permissions/resources/:id.

func (*Handler) GetTemplate ΒΆ 

func (h *Handler) GetTemplate(c forge.Context) error

GetTemplate handles GET /permissions/templates/:id.

func (*Handler) InstantiateTemplate ΒΆ 

func (h *Handler) InstantiateTemplate(c forge.Context) error

InstantiateTemplate handles POST /permissions/templates/:id/instantiate.

func (*Handler) ListActions ΒΆ 

func (h *Handler) ListActions(c forge.Context) error

ListActions handles GET /permissions/actions.

func (*Handler) ListNamespaces ΒΆ 

func (h *Handler) ListNamespaces(c forge.Context) error

ListNamespaces handles GET /permissions/namespaces.

func (*Handler) ListPolicies ΒΆ 

func (h *Handler) ListPolicies(c forge.Context) error

ListPolicies handles GET /permissions/policies.

func (*Handler) ListResources ΒΆ 

func (h *Handler) ListResources(c forge.Context) error

ListResources handles GET /permissions/resources.

func (*Handler) ListTemplates ΒΆ 

func (h *Handler) ListTemplates(c forge.Context) error

ListTemplates handles GET /permissions/templates.

func (*Handler) MigrateFromRBAC ΒΆ 

func (h *Handler) MigrateFromRBAC(c forge.Context) error

MigrateFromRBAC handles POST /permissions/migrate/rbac.

func (*Handler) TestPolicy ΒΆ 

func (h *Handler) TestPolicy(c forge.Context) error

TestPolicy handles POST /permissions/policies/test.

func (*Handler) UpdateNamespace ΒΆ 

func (h *Handler) UpdateNamespace(c forge.Context) error

UpdateNamespace handles PUT /permissions/namespaces/:id.

func (*Handler) UpdatePolicy ΒΆ 

func (h *Handler) UpdatePolicy(c forge.Context) error

UpdatePolicy handles PUT /permissions/policies/:id.

func (*Handler) ValidatePolicy ΒΆ 

func (h *Handler) ValidatePolicy(c forge.Context) error

ValidatePolicy handles POST /permissions/policies/validate.

type MessageResponse ΒΆ 

type MessageResponse = handlers.MessageResponse

Response types - use from handlers package.

type MigrationConfig ΒΆ 

type MigrationConfig struct {
	// AutoMigrate automatically converts RBAC policies
	// Default: false (requires manual migration)
	AutoMigrate bool `json:"autoMigrate" yaml:"autoMigrate"`

	// ValidateEquivalence checks that migrated policies match RBAC
	// Default: true
	ValidateEquivalence bool `json:"validateEquivalence" yaml:"validateEquivalence"`

	// KeepRBACPolicies retains RBAC policies after migration
	// Default: true (safe to delete after validation)
	KeepRBACPolicies bool `json:"keepRBACPolicies" yaml:"keepRBACPolicies"`

	// DryRun simulates migration without making changes
	// Default: false
	DryRun bool `json:"dryRun" yaml:"dryRun"`
}

MigrationConfig controls RBAC β†’ Permissions migration.

type OrgConfig ΒΆ 

type OrgConfig struct {
	// Enabled controls if permissions are enabled for this org
	Enabled *bool `json:"enabled,omitempty" yaml:"enabled,omitempty"`

	// MaxPolicies overrides the global limit for this org
	MaxPolicies *int `json:"maxPolicies,omitempty" yaml:"maxPolicies,omitempty"`

	// CustomResources defines org-specific resource types
	CustomResources []string `json:"customResources,omitempty" yaml:"customResources,omitempty"`

	// CustomActions defines org-specific actions
	CustomActions []string `json:"customActions,omitempty" yaml:"customActions,omitempty"`

	// TemplateID specifies which platform template to inherit
	TemplateID *string `json:"templateId,omitempty" yaml:"templateId,omitempty"`

	// InheritPlatform controls platform policy inheritance
	InheritPlatform *bool `json:"inheritPlatform,omitempty" yaml:"inheritPlatform,omitempty"`
}

OrgConfig allows organization-specific overrides.

type PerformanceConfig ΒΆ 

type PerformanceConfig struct {
	// EnableMetrics enables Prometheus metrics
	// Default: true
	EnableMetrics bool `json:"enableMetrics" yaml:"enableMetrics"`

	// EnableTracing enables OpenTelemetry tracing
	// Default: false (enable in production)
	EnableTracing bool `json:"enableTracing" yaml:"enableTracing"`

	// TraceSamplingRate is the percentage of requests to trace
	// Default: 0.01 (1%)
	TraceSamplingRate float64 `json:"traceSamplingRate" yaml:"traceSamplingRate"`

	// SlowQueryThreshold logs queries slower than this
	// Default: 5ms
	SlowQueryThreshold time.Duration `json:"slowQueryThreshold" yaml:"slowQueryThreshold"`

	// EnableProfiling enables pprof endpoints
	// Default: false (enable for debugging)
	EnableProfiling bool `json:"enableProfiling" yaml:"enableProfiling"`
}

PerformanceConfig controls performance tuning.

type PermissionMiddleware ΒΆ added in v0.0.3 

type PermissionMiddleware struct {
	// contains filtered or unexported fields
}

PermissionMiddleware provides middleware for automatic permission checking on routes.

func NewPermissionMiddleware ΒΆ added in v0.0.3 

func NewPermissionMiddleware(service *Service, config PermissionMiddlewareConfig, logger forge.Logger) *PermissionMiddleware

NewPermissionMiddleware creates a new permission middleware.

func (*PermissionMiddleware) Middleware ΒΆ added in v0.0.3 

func (m *PermissionMiddleware) Middleware() func(next forge.Handler) forge.Handler

Middleware returns the forge middleware function.

type PermissionMiddlewareConfig ΒΆ added in v0.0.3 

type PermissionMiddlewareConfig struct {
	// ResourceType is the type of resource being protected (e.g., "document", "project")
	ResourceType string

	// Action is the action being performed (e.g., "read", "write", "delete")
	Action string

	// ResourceIDParam is the URL parameter name containing the resource ID (e.g., "id", "documentId")
	// If empty, the middleware checks access at the resource type level without a specific resource
	ResourceIDParam string

	// DenyHandler is an optional custom handler for denied requests
	// If nil, a default 403 response is returned
	DenyHandler forge.Handler

	// AllowAnonymous allows unauthenticated requests to proceed (useful with other conditions)
	AllowAnonymous bool

	// SkipIfNoUser skips permission check if no user is in context (useful for optional auth routes)
	SkipIfNoUser bool

	// CustomContext provides additional context for the permission check
	CustomContext map[string]any
}

PermissionMiddlewareConfig configures the permission middleware behavior.

type PermissionMiddlewareFunc ΒΆ added in v0.0.3 

type PermissionMiddlewareFunc func(next forge.Handler) forge.Handler

PermissionMiddlewareFunc is the middleware function type.

type Plugin ΒΆ 

type Plugin struct {
	// contains filtered or unexported fields
}

Plugin implements the AuthSome plugin interface for advanced permissions V2 Architecture: App β†’ Environment β†’ Organization.

func NewPlugin ΒΆ 

func NewPlugin(opts ...PluginOption) *Plugin

NewPlugin creates a new permissions plugin instance.

func (*Plugin) AttributeResolver ΒΆ added in v0.0.3 

func (p *Plugin) AttributeResolver() *engine.AttributeResolver

AttributeResolver returns the attribute resolver for registering custom providers.

func (*Plugin) CheckPermission ΒΆ added in v0.0.3 

func (p *Plugin) CheckPermission(c forge.Context, resourceType, action, resourceID string) (bool, error)

CheckPermission is a helper that evaluates a permission check inline without middleware Useful for conditional permission checks within handlers.

func (*Plugin) Description ΒΆ 

func (p *Plugin) Description() string

Description returns the plugin description.

func (*Plugin) Health ΒΆ 

func (p *Plugin) Health(ctx context.Context) error

Health checks plugin health.

func (*Plugin) ID ΒΆ 

func (p *Plugin) ID() string

ID returns the unique plugin identifier.

func (*Plugin) Init ΒΆ 

func (p *Plugin) Init(authInst core.Authsome) error

Init initializes the plugin with dependencies.

func (*Plugin) Migrate ΒΆ 

func (p *Plugin) Migrate() error

Migrate runs database migrations for the plugin.

func (*Plugin) MigrationService ΒΆ added in v0.0.3 

func (p *Plugin) MigrationService() *migration.RBACMigrationService

MigrationService returns the RBAC migration service (for programmatic access).

func (*Plugin) Name ΒΆ 

func (p *Plugin) Name() string

Name returns the human-readable plugin name.

func (*Plugin) RegisterHooks ΒΆ 

func (p *Plugin) RegisterHooks(hookRegistry *hooks.HookRegistry) error

RegisterHooks registers lifecycle hooks.

func (*Plugin) RegisterResourceLoader ΒΆ added in v0.0.3 

func (p *Plugin) RegisterResourceLoader(resourceType string, loader providers.ResourceLoader)

RegisterResourceLoader registers a resource loader for a specific resource type This allows external code to provide resource data for policy evaluation.

func (*Plugin) RegisterResourceLoaderFunc ΒΆ added in v0.0.3 

func (p *Plugin) RegisterResourceLoaderFunc(resourceType string, fn providers.ResourceLoaderFunc)

RegisterResourceLoaderFunc registers a function as a resource loader.

func (*Plugin) RegisterRoutes ΒΆ 

func (p *Plugin) RegisterRoutes(router forge.Router) error

RegisterRoutes registers HTTP routes for the plugin.

func (*Plugin) RegisterServiceDecorators ΒΆ added in v0.0.3 

func (p *Plugin) RegisterServiceDecorators(services *registry.ServiceRegistry) error

RegisterServiceDecorators allows plugins to replace core services with decorated versions This is called automatically by AuthSome after all services are initialized.

func (*Plugin) RequireAdmin ΒΆ added in v0.0.3 

func (p *Plugin) RequireAdmin(resourceType string) PermissionMiddlewareFunc

RequireAdmin creates a middleware that requires admin permission on a resource type.

func (*Plugin) RequireDelete ΒΆ added in v0.0.3 

func (p *Plugin) RequireDelete(resourceType string) PermissionMiddlewareFunc

RequireDelete creates a middleware that requires delete permission.

func (*Plugin) RequireOwnership ΒΆ added in v0.0.3 

func (p *Plugin) RequireOwnership(resourceType, resourceIDParam string) PermissionMiddlewareFunc

RequireOwnership creates a middleware that requires the user to own the resource This is a common pattern for user-owned resources.

func (*Plugin) RequirePermission ΒΆ added in v0.0.3 

func (p *Plugin) RequirePermission(resourceType, action string) PermissionMiddlewareFunc

RequirePermission creates a permission-checking middleware for specific resource type and action This is a convenience function for common use cases.

func (*Plugin) RequirePermissionWithConfig ΒΆ added in v0.0.3 

func (p *Plugin) RequirePermissionWithConfig(config PermissionMiddlewareConfig) PermissionMiddlewareFunc

RequirePermissionWithConfig creates a middleware with full configuration.

func (*Plugin) RequirePermissionWithID ΒΆ added in v0.0.3 

func (p *Plugin) RequirePermissionWithID(resourceType, action, resourceIDParam string) PermissionMiddlewareFunc

RequirePermissionWithID creates a middleware that checks permission for a specific resource instance.

func (*Plugin) RequireRead ΒΆ added in v0.0.3 

func (p *Plugin) RequireRead(resourceType string) PermissionMiddlewareFunc

RequireRead creates a middleware that requires read permission.

func (*Plugin) RequireWrite ΒΆ added in v0.0.3 

func (p *Plugin) RequireWrite(resourceType string) PermissionMiddlewareFunc

RequireWrite creates a middleware that requires write permission.

func (*Plugin) ResourceRegistry ΒΆ added in v0.0.3 

func (p *Plugin) ResourceRegistry() *providers.ResourceProviderRegistry

ResourceRegistry returns the resource provider registry for registering resource loaders.

func (*Plugin) Service ΒΆ 

func (p *Plugin) Service() *Service

Service returns the permissions service (for programmatic access).

func (*Plugin) Shutdown ΒΆ 

func (p *Plugin) Shutdown(ctx context.Context) error

Shutdown gracefully shuts down the plugin.

func (*Plugin) Version ΒΆ 

func (p *Plugin) Version() string

Version returns the plugin version.

func (*Plugin) WireFromAuthsome ΒΆ added in v0.0.3 

func (p *Plugin) WireFromAuthsome() error

WireFromAuthsome wires all services from the AuthSome instance This is the recommended method to call after plugin initialization.

func (*Plugin) WireMigrationService ΒΆ added in v0.0.3 

func (p *Plugin) WireMigrationService(rbacAdapter *migration.RBACServiceAdapter) error

WireMigrationService wires the migration service to RBAC repositories This should be called after plugin initialization when RBAC services are available.

func (*Plugin) WireUserAttributeProvider ΒΆ added in v0.0.3 

func (p *Plugin) WireUserAttributeProvider(cfg providers.AuthsomeUserProviderConfig) error

WireUserAttributeProvider wires the user attribute provider to AuthSome services This should be called after plugin initialization when services are available.

type PluginOption ΒΆ added in v0.0.3 

type PluginOption func(*Plugin)

PluginOption is a functional option for configuring the permissions plugin.

func WithCacheBackend ΒΆ added in v0.0.3 

func WithCacheBackend(backend string) PluginOption

WithCacheBackend sets the cache backend.

func WithCacheEnabled ΒΆ added in v0.0.3 

func WithCacheEnabled(enabled bool) PluginOption

WithCacheEnabled sets whether caching is enabled.

func WithDefaultConfig ΒΆ added in v0.0.3 

func WithDefaultConfig(cfg *Config) PluginOption

WithDefaultConfig sets the default configuration for the plugin.

func WithMaxPoliciesPerOrg ΒΆ added in v0.0.3 

func WithMaxPoliciesPerOrg(max int) PluginOption

WithMaxPoliciesPerOrg sets the maximum policies per organization.

func WithMetricsEnabled ΒΆ added in v0.0.3 

func WithMetricsEnabled(enabled bool) PluginOption

WithMetricsEnabled sets whether metrics are enabled.

func WithMode ΒΆ added in v0.0.3 

func WithMode(mode string) PluginOption

WithMode sets the evaluation mode.

func WithParallelEvaluation ΒΆ added in v0.0.3 

func WithParallelEvaluation(enabled bool) PluginOption

WithParallelEvaluation sets whether parallel evaluation is enabled.

type Service ΒΆ 

type Service struct {
	// contains filtered or unexported fields
}

Service is the main permissions service V2 Architecture: App β†’ Environment β†’ Organization.

func NewService ΒΆ added in v0.0.3 

func NewService(db *bun.DB, config *Config, logger forge.Logger) *Service

NewService creates a new permissions service with all dependencies.

func (*Service) CreateAction ΒΆ 

func (s *Service) CreateAction(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, req *handlers.CreateActionRequest) (*core.ActionDefinition, error)

CreateAction creates a new action definition.

func (*Service) CreateDefaultNamespace ΒΆ 

func (s *Service) CreateDefaultNamespace(ctx context.Context, appID, envID xid.ID, orgID *xid.ID) error

CreateDefaultNamespace creates a default namespace for a new app/env or organization.

func (*Service) CreateNamespace ΒΆ 

func (s *Service) CreateNamespace(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, userID xid.ID, req *handlers.CreateNamespaceRequest) (*core.Namespace, error)

CreateNamespace creates a new namespace.

func (*Service) CreatePolicy ΒΆ 

func (s *Service) CreatePolicy(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, userID xid.ID, req *handlers.CreatePolicyRequest) (*core.Policy, error)

CreatePolicy creates a new permission policy.

func (*Service) CreateResource ΒΆ 

func (s *Service) CreateResource(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, req *handlers.CreateResourceRequest) (*core.ResourceDefinition, error)

CreateResource creates a new resource definition.

func (*Service) DeleteAction ΒΆ 

func (s *Service) DeleteAction(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, actionID xid.ID) error

DeleteAction deletes an action definition.

func (*Service) DeleteNamespace ΒΆ 

func (s *Service) DeleteNamespace(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, namespaceID xid.ID) error

DeleteNamespace deletes a namespace.

func (*Service) DeletePolicy ΒΆ 

func (s *Service) DeletePolicy(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, policyID xid.ID) error

DeletePolicy deletes a policy.

func (*Service) DeleteResource ΒΆ 

func (s *Service) DeleteResource(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, resourceID xid.ID) error

DeleteResource deletes a resource definition.

func (*Service) Evaluate ΒΆ 

func (s *Service) Evaluate(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, userID xid.ID, req *handlers.EvaluateRequest) (*engine.Decision, error)

Evaluate evaluates a permission check - THE CORE FEATURE.

func (*Service) EvaluateBatch ΒΆ 

func (s *Service) EvaluateBatch(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, userID xid.ID, req *handlers.BatchEvaluateRequest) ([]*handlers.BatchEvaluationResult, error)

EvaluateBatch evaluates multiple permission checks efficiently.

func (*Service) GetAnalytics ΒΆ 

func (s *Service) GetAnalytics(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, timeRange map[string]any) (*handlers.AnalyticsSummary, error)

GetAnalytics retrieves analytics data.

func (*Service) GetMigrationStatus ΒΆ 

func (s *Service) GetMigrationStatus(ctx context.Context, appID, envID xid.ID, orgID *xid.ID) (*core.MigrationStatus, error)

GetMigrationStatus retrieves migration status.

func (*Service) GetNamespace ΒΆ 

func (s *Service) GetNamespace(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, namespaceID xid.ID) (*core.Namespace, error)

GetNamespace retrieves a namespace by ID.

func (*Service) GetPolicy ΒΆ 

func (s *Service) GetPolicy(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, policyID xid.ID) (*core.Policy, error)

GetPolicy retrieves a policy by ID.

func (*Service) GetResource ΒΆ 

func (s *Service) GetResource(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, resourceID xid.ID) (*core.ResourceDefinition, error)

GetResource retrieves a resource definition by ID.

func (*Service) GetTemplate ΒΆ 

func (s *Service) GetTemplate(ctx context.Context, templateID string) (*core.PolicyTemplate, error)

GetTemplate retrieves a specific policy template.

func (*Service) Health ΒΆ 

func (s *Service) Health(ctx context.Context) error

Health checks service health.

func (*Service) InstantiateTemplate ΒΆ 

func (s *Service) InstantiateTemplate(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, userID xid.ID, templateID string, req *handlers.InstantiateTemplateRequest) (*core.Policy, error)

InstantiateTemplate creates a policy from a template.

func (*Service) InvalidateAppCache ΒΆ 

func (s *Service) InvalidateAppCache(ctx context.Context, appID xid.ID) error

InvalidateAppCache invalidates the cache for a specific app.

func (*Service) InvalidateEnvironmentCache ΒΆ added in v0.0.3 

func (s *Service) InvalidateEnvironmentCache(ctx context.Context, appID, envID xid.ID) error

InvalidateEnvironmentCache invalidates the cache for a specific environment.

func (*Service) InvalidateOrganizationCache ΒΆ 

func (s *Service) InvalidateOrganizationCache(ctx context.Context, appID, envID, orgID xid.ID) error

InvalidateOrganizationCache invalidates the cache for a specific organization.

func (*Service) InvalidateUserCache ΒΆ 

func (s *Service) InvalidateUserCache(ctx context.Context, userID xid.ID) error

InvalidateUserCache invalidates the cache for a specific user.

func (*Service) ListActions ΒΆ 

func (s *Service) ListActions(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, namespaceID xid.ID) ([]*core.ActionDefinition, error)

ListActions lists action definitions for a namespace.

func (*Service) ListAuditEvents ΒΆ 

func (s *Service) ListAuditEvents(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, filters map[string]any) ([]*core.AuditEvent, int, error)

ListAuditEvents lists audit log entries.

func (*Service) ListNamespaces ΒΆ 

func (s *Service) ListNamespaces(ctx context.Context, appID, envID xid.ID, orgID *xid.ID) ([]*core.Namespace, error)

ListNamespaces lists namespaces for an app/env/org.

func (*Service) ListPolicies ΒΆ 

func (s *Service) ListPolicies(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, filters map[string]any) ([]*core.Policy, int, error)

ListPolicies lists policies for an app/env/org.

func (*Service) ListResources ΒΆ 

func (s *Service) ListResources(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, namespaceID xid.ID) ([]*core.ResourceDefinition, error)

ListResources lists resource definitions for a namespace.

func (*Service) ListTemplates ΒΆ 

func (s *Service) ListTemplates(ctx context.Context) ([]*core.PolicyTemplate, error)

ListTemplates lists available policy templates.

func (*Service) Migrate ΒΆ 

func (s *Service) Migrate(ctx context.Context) error

Migrate runs database migrations.

func (*Service) MigrateFromRBAC ΒΆ 

func (s *Service) MigrateFromRBAC(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, req *handlers.MigrateRBACRequest) (*core.MigrationStatus, error)

MigrateFromRBAC migrates RBAC policies to permissions.

func (*Service) SetMigrationService ΒΆ added in v0.0.3 

func (s *Service) SetMigrationService(svc *migration.RBACMigrationService)

SetMigrationService sets the migration service.

func (*Service) Shutdown ΒΆ 

func (s *Service) Shutdown(ctx context.Context) error

Shutdown gracefully shuts down the service.

func (*Service) TestPolicy ΒΆ 

func (s *Service) TestPolicy(ctx context.Context, req *handlers.TestPolicyRequest) (*handlers.TestPolicyResponse, error)

TestPolicy tests a policy against test cases.

func (*Service) UpdateNamespace ΒΆ 

func (s *Service) UpdateNamespace(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, namespaceID xid.ID, req *handlers.UpdateNamespaceRequest) (*core.Namespace, error)

UpdateNamespace updates an existing namespace.

func (*Service) UpdatePolicy ΒΆ 

func (s *Service) UpdatePolicy(ctx context.Context, appID, envID xid.ID, orgID *xid.ID, userID xid.ID, policyID xid.ID, req *handlers.UpdatePolicyRequest) (*core.Policy, error)

UpdatePolicy updates an existing policy.

func (*Service) ValidatePolicy ΒΆ 

func (s *Service) ValidatePolicy(ctx context.Context, req *handlers.ValidatePolicyRequest) (*handlers.ValidatePolicyResponse, error)

ValidatePolicy validates a policy expression.

func (*Service) WarmCache ΒΆ added in v0.0.3 

func (s *Service) WarmCache(ctx context.Context, appID, envID xid.ID, orgID *xid.ID) error

WarmCache pre-loads and compiles all active policies for a given scope into the cache This is called during plugin initialization to ensure fast permission evaluation from the start.

func (*Service) WarmCacheForAllApps ΒΆ added in v0.0.3 

func (s *Service) WarmCacheForAllApps(ctx context.Context) error

WarmCacheForAllApps warms the cache for all apps and environments This should be called sparingly as it can be resource intensive.

type StatusResponse ΒΆ 

type StatusResponse = handlers.StatusResponse

Response types - use from handlers package.

Source Files ΒΆ

View all Source files

Directories ΒΆ

Path Synopsis
providers

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.