authz

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 2, 2023 License: MIT Imports: 16 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// DefaultObjTypeTTL specifies how long ObjectTypes remain in the cache by default. If you frequently delete ObjectTypes - you should lower this number
	DefaultObjTypeTTL time.Duration = 10 * time.Minute
	// DefaultEdgeTypeTTL specifies how long EdgeTypes remain in the cache by default. If you frequently delete ObjectTypes - you should lower this number
	DefaultEdgeTypeTTL time.Duration = 10 * time.Minute
	// DefaultObjTTL specifies how long Objects remain in the cache by default. If you frequently delete Objects (such as users) - you should lower this number
	DefaultObjTTL time.Duration = 5 * time.Minute
	// DefaultEdgeTTL specifies how long Edges remain in the cache by default. It is assumed that edges churn frequently so this number is set lower
	DefaultEdgeTTL time.Duration = 30 * time.Second
)
View Source 
const (
	ObjectTypeUser  = "_user"
	ObjectTypeGroup = "_group"
)

AuthZ object types & edge types (roles) provisioned for every tenant. TODO: merge the string constant with the UUID into a const-ish struct to keep them associated, particularly if we add more of these. Keep in sync with TSX constants! TODO: we should have a better way to sync constants between TS and Go

Variables

View Source 
var ErrObjectNotFound = ucerr.New("object not found")

ErrObjectNotFound is returned if an object is not found.

View Source 
var ErrRelationshipTypeNotFound = ucerr.New("relationship type not found")

ErrRelationshipTypeNotFound is returned if a relationship type name (e.g. "editor") is not found.

View Source 
var GroupObjectTypeID = uuid.Must(uuid.FromString("f5bce640-f866-4464-af1a-9e7474c4a90c"))

GroupObjectTypeID is the ID of a built-in object type called "_group"

View Source 
var RBACAuthZObjectTypes = []ObjectType{
	{BaseModel: ucdb.NewBaseWithID(UserObjectTypeID), TypeName: ObjectTypeUser},
	{BaseModel: ucdb.NewBaseWithID(GroupObjectTypeID), TypeName: ObjectTypeGroup},
}

RBACAuthZObjectTypes is an array containing default AuthZ object types

View Source 
var UserObjectTypeID = uuid.Must(uuid.FromString("1bf2b775-e521-41d3-8b7e-78e89427e6fe"))

UserObjectTypeID is the ID of a built-in object type called "_user"

Functions

This section is empty.

Types

type Attribute 

type Attribute struct {
	Name string `db:"name" json:"name" validate:"notempty"`

	// Direct = true means that this attribute applies directly from the source to the target, or
	// alternately stated that "the source object 'has' the attribute on the target".
	// e.g. given an edge {Source: Alice, Target: Readme.txt, Type: Viewer} with attribute {Name:"read", Direct: true},
	// then Alice directly 'has' the "read" attribute on Readme.txt
	Direct bool `db:"direct" json:"direct"`

	// Inherit = true means that, if the target object 'has' (or inherits) the attribute on some other object X,
	// then the source object "inherits" that attribute on X as well. This applies transitively across
	// multiple consecutive Inherit edges.
	// e.g. given an edge {Source: Alice, Target: RootUsersGroup, Type: Member} with attribute {Name:"read", Inherit: true},
	// and another edge {Source: RootUsersGroup, Target: Readme.txt, Type: Viewer} with attribute {Name:"read", Direct: true},
	// then the Root Users group has direct read permissions on Readme.txt and Alice inherits the read permission
	// on Readme.txt through its connection to the RootUsersGroup.
	// This flag is typically used when some objects (e.g. users, files) should inherit attributes
	// that a "grouping" object has on some final target object without requiring direct edges between
	// every source and every target (e.g. between Alice and Readme.txt, in this example).
	// The Inherit flag would be used on attributes that associate the source objects with the grouping object.
	// This is like a "pull" model for permissions, while Propagate represents a "push" model.
	Inherit bool `db:"inherit" json:"inherit"`

	// Propagate = true means that some object X which has an attribute on the source object will also have the same
	// attribute on the target object. This is effectively the inverse of Inherit, and "propagates" attributes forward.
	// e.g. given an edge {Source: Alice, Target: HomeDirectory, Type: Viewer} with attribute {Name: "read", Direct: true},
	// and another edge {Source: HomeDirectory, Target: Readme.txt, Type: Contains} with attribute {Name: "read", Propagate: true},
	// then Alice's read permission on the HomeDirectory propagates to Readme.txt since that is (presumably) contained in the
	// Home directory.
	// This is like a "push" model for permissions, while Inherit represents a "pull" model.
	// This is different from Direct = true because it doesn't make sense for the Home directory to have
	// direct "read" attributes on files within it, but simply propagate the permissions down the tree.
	// Permissions don't propagate through Direct links; if Alice has a 'direct' "friend" relationship to Bob,
	// and Bob has a 'direct' "friend" relationship to Charlie,
	// that wouldn't imply Alice has a 'direct' "friend" relationship to Charlie (direct != propagate).
	Propagate bool `db:"propagate" json:"propagate"`
}

Attribute represents a named attribute on an Edge Type.

func (*Attribute) Validate 

func (o *Attribute) Validate() error

Validate implements Validateable

type AttributePathNode 

type AttributePathNode struct {
	ObjectID uuid.UUID `json:"object_id"`
	EdgeID   uuid.UUID `json:"edge_id"`
}

AttributePathNode is a node in a path list from source to target, if CheckAttribute succeeds.

type Attributes 

type Attributes []Attribute

Attributes is a collection of Attribute, used as a column/field in EdgeType

type CheckAttributeResponse 

type CheckAttributeResponse struct {
	HasAttribute bool                `json:"has_attribute"`
	Path         []AttributePathNode `json:"path"`
}

CheckAttributeResponse is returned by the checkattribute endpoint.

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client is a client for the authz service

func NewClient 

func NewClient(url string, opts ...jsonclient.Option) (*Client, error)

NewClient creates a new authz client Web API base URL, e.g. "http://localhost:1234".

func NewCustomClient added in v0.4.0 

func NewCustomClient(objTypeTTL time.Duration, edgeTypeTTL time.Duration, objTTL time.Duration, edgeTTL time.Duration,
	url string, opts ...jsonclient.Option) (*Client, error)

NewCustomClient creates a new authz client with different cache defaults Web API base URL, e.g. "http://localhost:1234".

func (*Client) CheckAttribute 

func (c *Client) CheckAttribute(ctx context.Context, sourceObjectID, targetObjectID uuid.UUID, attributeName string) (*CheckAttributeResponse, error)

CheckAttribute returns true if the source object has the given attribute on the target object.

func (*Client) CreateEdge 

func (c *Client) CreateEdge(ctx context.Context, id, sourceObjectID, targetObjectID, edgeTypeID uuid.UUID) (*Edge, error)

CreateEdge creates an edge (relationship) between two objects.

func (*Client) CreateEdgeType 

func (c *Client) CreateEdgeType(ctx context.Context, id uuid.UUID, sourceObjectTypeID, targetObjectTypeID uuid.UUID, typeName string, attributes Attributes) (*EdgeType, error)

CreateEdgeType creates a new type of edge for the authz system.

func (*Client) CreateObject 

func (c *Client) CreateObject(ctx context.Context, id, typeID uuid.UUID, alias string) (*Object, error)

CreateObject creates a new object with a given ID, name, and type.

func (*Client) CreateObjectType 

func (c *Client) CreateObjectType(ctx context.Context, id uuid.UUID, typeName string) (*ObjectType, error)

CreateObjectType creates a new type of object for the authz system.

func (*Client) DeleteEdge 

func (c *Client) DeleteEdge(ctx context.Context, edgeID uuid.UUID) error

DeleteEdge deletes an edge by ID.

func (*Client) DeleteEdgeType 

func (c *Client) DeleteEdgeType(ctx context.Context, edgeTypeID uuid.UUID) error

DeleteEdgeType deletes an edge type by ID.

func (*Client) DeleteEdgesByObject added in v0.4.0 

func (c *Client) DeleteEdgesByObject(ctx context.Context, id uuid.UUID) error

DeleteEdgesByObject deletes all edges going in or out of an object by ID.

func (*Client) DeleteObject 

func (c *Client) DeleteObject(ctx context.Context, id uuid.UUID) error

DeleteObject deletes an object by ID.

func (*Client) DeleteObjectType 

func (c *Client) DeleteObjectType(ctx context.Context, objectTypeID uuid.UUID) error

DeleteObjectType deletes an object type by ID.

func (*Client) FindEdge 

func (c *Client) FindEdge(ctx context.Context, sourceObjectID, targetObjectID, edgeTypeID uuid.UUID) (*Edge, error)

FindEdge finds an existing edge (relationship) between two objects.

func (*Client) FindEdgeTypeID 

func (c *Client) FindEdgeTypeID(ctx context.Context, typeName string) (uuid.UUID, error)

FindEdgeTypeID resolves an edge type name to an ID.

func (*Client) FindObjectTypeID 

func (c *Client) FindObjectTypeID(ctx context.Context, typeName string) (uuid.UUID, error)

FindObjectTypeID resolves an object type name to an ID.

func (*Client) FlushCache added in v0.4.0 

func (c *Client) FlushCache()

FlushCache clears all contents of the cache

func (*Client) GetEdge added in v0.4.0 

func (c *Client) GetEdge(ctx context.Context, id uuid.UUID) (*Edge, error)

GetEdge returns an edge by ID.

func (*Client) GetEdgeType 

func (c *Client) GetEdgeType(ctx context.Context, edgeTypeID uuid.UUID) (*EdgeType, error)

GetEdgeType gets an edge type (relationship) by its type ID.

func (*Client) GetObject 

func (c *Client) GetObject(ctx context.Context, id uuid.UUID) (*Object, error)

GetObject returns an object by ID.

func (*Client) GetObjectForName 

func (c *Client) GetObjectForName(ctx context.Context, typeID uuid.UUID, name string) (*Object, error)

GetObjectForName returns an object with a given name.

func (*Client) GetObjectType 

func (c *Client) GetObjectType(ctx context.Context, id uuid.UUID) (*ObjectType, error)

GetObjectType returns an object type by ID.

func (*Client) ListAttributes added in v0.4.0 

func (c *Client) ListAttributes(ctx context.Context, sourceObjectID, targetObjectID uuid.UUID) ([]string, error)

ListAttributes returns a list of attributes that the source object has on the target object.

func (*Client) ListEdgeTypes 

func (c *Client) ListEdgeTypes(ctx context.Context) ([]EdgeType, error)

ListEdgeTypes lists all available edge types

func (*Client) ListEdges added in v0.4.0 

func (c *Client) ListEdges(ctx context.Context, opts ...pagination.Option) (*ListEdgesResponse, error)

ListEdges lists `limit` edges.

func (*Client) ListEdgesBetweenObjects 

func (c *Client) ListEdgesBetweenObjects(ctx context.Context, sourceObjectID, targetObjectID uuid.UUID) ([]Edge, error)

ListEdgesBetweenObjects lists all edges (relationships) with a given source & target objct.

func (*Client) ListEdgesOnObject 

func (c *Client) ListEdgesOnObject(ctx context.Context, objectID uuid.UUID, opts ...pagination.Option) (*ListEdgesResponse, error)

ListEdgesOnObject lists `limit` edges (relationships) where the given object is a source or target.

func (*Client) ListObjectTypes 

func (c *Client) ListObjectTypes(ctx context.Context) ([]ObjectType, error)

ListObjectTypes lists all object types in the system

func (*Client) ListObjects 

func (c *Client) ListObjects(ctx context.Context, opts ...pagination.Option) (*ListObjectsResponse, error)

ListObjects lists `limit` objects in sorted order with pagination, starting after a given ID (or uuid.Nil to start from the beginning).

func (*Client) ListObjectsFromQuery added in v0.4.0 

func (c *Client) ListObjectsFromQuery(ctx context.Context, query url.Values, opts ...pagination.Option) (*ListObjectsResponse, error)

ListObjectsFromQuery takes in a query that can handle filters passed from console as well as the default method.

func (*Client) ListObjectsReachableWithAttribute added in v0.4.0 

func (c *Client) ListObjectsReachableWithAttribute(ctx context.Context, sourceObjectID uuid.UUID, targetObjectTypeID uuid.UUID, attributeName string) ([]uuid.UUID, error)

ListObjectsReachableWithAttribute returns a list of object IDs of a certain type that are reachable from the source object with the given attribute

func (*Client) ListOrganizations added in v0.4.0 

func (c *Client) ListOrganizations(ctx context.Context) ([]Organization, error)

ListOrganizations lists all organizations for a tenant

func (*Client) UpdateEdgeType 

func (c *Client) UpdateEdgeType(ctx context.Context, id uuid.UUID, sourceObjectTypeID, targetObjectTypeID uuid.UUID, typeName string, attributes Attributes) (*EdgeType, error)

UpdateEdgeType updates an existing edge type in the authz system.

type Edge 

type Edge struct {
	ucdb.BaseModel

	// This must be a valid EdgeType.ID value
	EdgeTypeID uuid.UUID `db:"edge_type_id" json:"edge_type_id" validate:"notnil"`
	// These must be valid ObjectType.ID values
	SourceObjectID uuid.UUID `db:"source_object_id" json:"source_object_id" validate:"notnil"`
	TargetObjectID uuid.UUID `db:"target_object_id" json:"target_object_id" validate:"notnil"`
}

Edge represents a directional relationship between a "source" object and a "target" object.

func (*Edge) Validate 

func (o *Edge) Validate() error

Validate implements Validateable

type EdgeType 

type EdgeType struct {
	ucdb.BaseModel

	TypeName           string     `db:"type_name" json:"type_name"  validate:"notempty"`
	SourceObjectTypeID uuid.UUID  `db:"source_object_type_id,immutable" json:"source_object_type_id"  validate:"notnil"`
	TargetObjectTypeID uuid.UUID  `db:"target_object_type_id,immutable" json:"target_object_type_id"  validate:"notnil"`
	Attributes         Attributes `db:"attributes" json:"attributes"`

	OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"`
}

EdgeType defines a single, strongly-typed relationship that a "source" object type can have to a "target" object type.

func (*EdgeType) Validate 

func (o *EdgeType) Validate() error

Validate implements Validateable

type ListEdgeTypesResponse 

type ListEdgeTypesResponse struct {
	Data []EdgeType `json:"data"`
	pagination.ResponseFields
}

ListEdgeTypesResponse is the paginated response from listing edge types.

type ListEdgesResponse 

type ListEdgesResponse struct {
	Data []Edge `json:"data"`
	pagination.ResponseFields
}

ListEdgesResponse is the paginated response from listing edges.

type ListObjectTypesResponse 

type ListObjectTypesResponse struct {
	Data []ObjectType `json:"data"`
	pagination.ResponseFields
}

ListObjectTypesResponse is the paginated response from listing object types.

type ListObjectsResponse 

type ListObjectsResponse struct {
	Data []Object `json:"data"`
	pagination.ResponseFields
}

ListObjectsResponse represents a paginated response from listing objects.

func (ListObjectsResponse) Len 

func (r ListObjectsResponse) Len() int

TODO: get rid of sort.Interface code when the legacy path in ListObjects goes away Len implements sort.Interface

func (ListObjectsResponse) Less 

func (r ListObjectsResponse) Less(left, right int) bool

Less implements sort.Interface

func (ListObjectsResponse) Swap 

func (r ListObjectsResponse) Swap(left, right int)

Swap implements sort.Interface

type ListOrganizationsResponse added in v0.4.0 

type ListOrganizationsResponse struct {
	Data []Organization `json:"data"`
	pagination.ResponseFields
}

ListOrganizationsResponse is the response from the ListOrganizations endpoint.

type Object 

type Object struct {
	ucdb.BaseModel

	Alias  *string   `db:"alias" json:"alias,omitempty" validate:"allownil"`
	TypeID uuid.UUID `db:"type_id,immutable" json:"type_id" validate:"notnil"`

	OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"`
}

Object represents an instance of an AuthZ object used for modeling permissions.

func (*Object) Validate 

func (o *Object) Validate() error

Validate implements Validateable

type ObjectType 

type ObjectType struct {
	ucdb.BaseModel

	TypeName string `db:"type_name" json:"type_name" validate:"notempty"`
}

ObjectType represents the type definition of an AuthZ object.

func (*ObjectType) Validate 

func (o *ObjectType) Validate() error

Validate implements Validateable

type Organization added in v0.4.0 

type Organization struct {
	ucdb.BaseModel

	Name string `db:"name" json:"name" validate:"notempty"`
}

Organization defines a collection of objects inside of a single AuthZ namespace. Uniqueness (of eg. Object aliases) is enforced by organization, rather than globally in a tenant

type UserObject 

type UserObject struct {
	ucdb.BaseModel
}

UserObject is a limited view of the `users` table used by the AuthZ service. To avoid a dependency on IDP packages, AuthZ uses this stub structure to load a limited slice of User objects for authz purposes instead of depending on `idp/internal/storage`.`

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.