authz

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 22, 2023 License: MIT Imports: 12 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// DefaultObjTypeTTL specifies how long ObjectTypes remain in the cache by default. If you frequently delete ObjectTypes - you should lower this number
	DefaultObjTypeTTL time.Duration = 10 * time.Minute
	// DefaultEdgeTypeTTL specifies how long EdgeTypes remain in the cache by default. If you frequently delete ObjectTypes - you should lower this number
	DefaultEdgeTypeTTL time.Duration = 10 * time.Minute
	// DefaultObjTTL specifies how long Objects remain in the cache by default. If you frequently delete Objects (such as users) - you should lower this number
	DefaultObjTTL time.Duration = 5 * time.Minute
	// DefaultEdgeTTL specifies how long Edges remain in the cache by default. It is assumed that edges churn frequently so this number is set lower
	DefaultEdgeTTL time.Duration = 30 * time.Second
)
View Source 
const (
	ObjectTypeUser     = "_user"
	ObjectTypeGroup    = "_group"
	ObjectTypeLoginApp = "_login_app"
)

AuthZ object types & edge types (roles) provisioned for every tenant. TODO: merge the string constant with the UUID into a const-ish struct to keep them associated, particularly if we add more of these. Keep in sync with TSX constants! TODO: we should have a better way to sync constants between TS and Go

Variables

View Source 
var AppObjectTypeID = uuid.Must(uuid.FromString("9b90794f-0ed0-48d6-99a5-6fd578a9134d"))

AppObjectTypeID is the ID of a built-in object type called "_login_app"

View Source 
var ErrObjectNotFound = ucerr.New("object not found")

ErrObjectNotFound is returned if an object is not found.

View Source 
var ErrRelationshipTypeNotFound = ucerr.New("relationship type not found")

ErrRelationshipTypeNotFound is returned if a relationship type name (e.g. "editor") is not found.

View Source 
var GroupObjectTypeID = uuid.Must(uuid.FromString("f5bce640-f866-4464-af1a-9e7474c4a90c"))

GroupObjectTypeID is the ID of a built-in object type called "_group"

View Source 
var RBACAuthZObjectTypes = []ObjectType{
	{BaseModel: ucdb.NewBaseWithID(UserObjectTypeID), TypeName: ObjectTypeUser},
	{BaseModel: ucdb.NewBaseWithID(GroupObjectTypeID), TypeName: ObjectTypeGroup},
	{BaseModel: ucdb.NewBaseWithID(AppObjectTypeID), TypeName: ObjectTypeLoginApp},
}

RBACAuthZObjectTypes is an array containing default AuthZ object types

View Source 
var UserObjectTypeID = uuid.Must(uuid.FromString("1bf2b775-e521-41d3-8b7e-78e89427e6fe"))

UserObjectTypeID is the ID of a built-in object type called "_user"

Functions

This section is empty.

Types

type Attribute 

type Attribute struct {
	Name string `db:"name" json:"name" validate:"notempty"`

	// Direct = true means that this attribute applies directly from the source to the target, or
	// alternately stated that "the source object 'has' the attribute on the target".
	// e.g. given an edge {Source: Alice, Target: Readme.txt, Type: Viewer} with attribute {Name:"read", Direct: true},
	// then Alice directly 'has' the "read" attribute on Readme.txt
	Direct bool `db:"direct" json:"direct"`

	// Inherit = true means that, if the target object 'has' (or inherits) the attribute on some other object X,
	// then the source object "inherits" that attribute on X as well. This applies transitively across
	// multiple consecutive Inherit edges.
	// e.g. given an edge {Source: Alice, Target: RootUsersGroup, Type: Member} with attribute {Name:"read", Inherit: true},
	// and another edge {Source: RootUsersGroup, Target: Readme.txt, Type: Viewer} with attribute {Name:"read", Direct: true},
	// then the Root Users group has direct read permissions on Readme.txt and Alice inherits the read permission
	// on Readme.txt through its connection to the RootUsersGroup.
	// This flag is typically used when some objects (e.g. users, files) should inherit attributes
	// that a "grouping" object has on some final target object without requiring direct edges between
	// every source and every target (e.g. between Alice and Readme.txt, in this example).
	// The Inherit flag would be used on attributes that associate the source objects with the grouping object.
	// This is like a "pull" model for permissions, while Propagate represents a "push" model.
	Inherit bool `db:"inherit" json:"inherit"`

	// Propagate = true means that some object X which has an attribute on the source object will also have the same
	// attribute on the target object. This is effectively the inverse of Inherit, and "propagates" attributes forward.
	// e.g. given an edge {Source: Alice, Target: HomeDirectory, Type: Viewer} with attribute {Name: "read", Direct: true},
	// and another edge {Source: HomeDirectory, Target: Readme.txt, Type: Contains} with attribute {Name: "read", Propagate: true},
	// then Alice's read permission on the HomeDirectory propagates to Readme.txt since that is (presumably) contained in the
	// Home directory.
	// This is like a "push" model for permissions, while Inherit represents a "pull" model.
	// This is different from Direct = true because it doesn't make sense for the Home directory to have
	// direct "read" attributes on files within it, but simply propagate the permissions down the tree.
	// Permissions don't propagate through Direct links; if Alice has a 'direct' "friend" relationship to Bob,
	// and Bob has a 'direct' "friend" relationship to Charlie,
	// that wouldn't imply Alice has a 'direct' "friend" relationship to Charlie (direct != propagate).
	Propagate bool `db:"propagate" json:"propagate"`
}

Attribute represents a named attribute on an Edge Type.

func (*Attribute) Validate 

func (o *Attribute) Validate() error

Validate implements Validateable

type AttributePathNode 

type AttributePathNode struct {
	ObjectID uuid.UUID `json:"object_id"`
	EdgeID   uuid.UUID `json:"edge_id"`
}

AttributePathNode is a node in a path list from source to target, if CheckAttribute succeeds.

type Attributes 

type Attributes []Attribute

Attributes is a collection of Attribute, used as a column/field in EdgeType

type CheckAttributeResponse 

type CheckAttributeResponse struct {
	HasAttribute bool                `json:"has_attribute"`
	Path         []AttributePathNode `json:"path"`
}

CheckAttributeResponse is returned by the checkattribute endpoint.

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client is a client for the authz service

func NewClient 

func NewClient(url string, opts ...jsonclient.Option) (*Client, error)

NewClient creates a new authz client Web API base URL, e.g. "http://localhost:1234".

func NewCustomClient added in v0.4.0 

func NewCustomClient(objTypeTTL time.Duration, edgeTypeTTL time.Duration, objTTL time.Duration, edgeTTL time.Duration,
	url string, opts ...jsonclient.Option) (*Client, error)

NewCustomClient creates a new authz client with different cache defaults Web API base URL, e.g. "http://localhost:1234".

func (*Client) CheckAttribute 

func (c *Client) CheckAttribute(ctx context.Context, sourceObjectID, targetObjectID uuid.UUID, attributeName string) (*CheckAttributeResponse, error)

CheckAttribute returns true if the source object has the given attribute on the target object.

func (*Client) CreateEdge 

func (c *Client) CreateEdge(ctx context.Context, id, sourceObjectID, targetObjectID, edgeTypeID uuid.UUID) (*Edge, error)

CreateEdge creates an edge (relationship) between two objects.

func (*Client) CreateEdgeType 

func (c *Client) CreateEdgeType(ctx context.Context, id uuid.UUID, sourceObjectTypeID, targetObjectTypeID uuid.UUID, typeName string, attributes Attributes) (*EdgeType, error)

CreateEdgeType creates a new type of edge for the authz system.

func (*Client) CreateObject 

func (c *Client) CreateObject(ctx context.Context, id, typeID uuid.UUID, alias string) (*Object, error)

CreateObject creates a new object with a given ID, name, and type.

func (*Client) CreateObjectType 

func (c *Client) CreateObjectType(ctx context.Context, id uuid.UUID, typeName string) (*ObjectType, error)

CreateObjectType creates a new type of object for the authz system.

func (*Client) DeleteEdge 

func (c *Client) DeleteEdge(ctx context.Context, edgeID uuid.UUID) error

DeleteEdge deletes an edge by ID.

func (*Client) DeleteEdgeType 

func (c *Client) DeleteEdgeType(ctx context.Context, edgeTypeID uuid.UUID) error

DeleteEdgeType deletes an edge type by ID.

func (*Client) DeleteEdgesByObject added in v0.4.0 

func (c *Client) DeleteEdgesByObject(ctx context.Context, id uuid.UUID) error

DeleteEdgesByObject deletes all edges going in or out of an object by ID.

func (*Client) DeleteObject 

func (c *Client) DeleteObject(ctx context.Context, id uuid.UUID) error

DeleteObject deletes an object by ID.

func (*Client) DeleteObjectType 

func (c *Client) DeleteObjectType(ctx context.Context, objectTypeID uuid.UUID) error

DeleteObjectType deletes an object type by ID.

func (*Client) FindEdge 

func (c *Client) FindEdge(ctx context.Context, sourceObjectID, targetObjectID, edgeTypeID uuid.UUID) (*Edge, error)

FindEdge finds an existing edge (relationship) between two objects.

func (*Client) FindEdgeTypeID 

func (c *Client) FindEdgeTypeID(ctx context.Context, typeName string) (uuid.UUID, error)

FindEdgeTypeID resolves an edge type name to an ID.

func (*Client) FindObjectTypeID 

func (c *Client) FindObjectTypeID(ctx context.Context, typeName string) (uuid.UUID, error)

FindObjectTypeID resolves an object type name to an ID.

func (*Client) FlushCache added in v0.4.0 

func (c *Client) FlushCache()

FlushCache clears all contents of the cache

func (*Client) FlushCacheEdges added in v0.5.0 

func (c *Client) FlushCacheEdges()

FlushCacheEdges clears the edge cache only.

func (*Client) FlushCacheObjectsAndEdges added in v0.5.0 

func (c *Client) FlushCacheObjectsAndEdges()

FlushCacheObjectsAndEdges clears the objects/edges cache only.

func (*Client) GetEdge added in v0.4.0 

func (c *Client) GetEdge(ctx context.Context, id uuid.UUID) (*Edge, error)

GetEdge returns an edge by ID.

func (*Client) GetEdgeType 

func (c *Client) GetEdgeType(ctx context.Context, edgeTypeID uuid.UUID) (*EdgeType, error)

GetEdgeType gets an edge type (relationship) by its type ID.

func (*Client) GetObject 

func (c *Client) GetObject(ctx context.Context, id uuid.UUID) (*Object, error)

GetObject returns an object by ID.

func (*Client) GetObjectForName 

func (c *Client) GetObjectForName(ctx context.Context, typeID uuid.UUID, name string) (*Object, error)

GetObjectForName returns an object with a given name.

func (*Client) GetObjectType 

func (c *Client) GetObjectType(ctx context.Context, id uuid.UUID) (*ObjectType, error)

GetObjectType returns an object type by ID.

func (*Client) ListAttributes added in v0.4.0 

func (c *Client) ListAttributes(ctx context.Context, sourceObjectID, targetObjectID uuid.UUID) ([]string, error)

ListAttributes returns a list of attributes that the source object has on the target object.

func (*Client) ListEdgeTypes 

func (c *Client) ListEdgeTypes(ctx context.Context) ([]EdgeType, error)

ListEdgeTypes lists all available edge types

func (*Client) ListEdges added in v0.4.0 

func (c *Client) ListEdges(ctx context.Context, opts ...pagination.Option) (*ListEdgesResponse, error)

ListEdges lists `limit` edges.

func (*Client) ListEdgesBetweenObjects 

func (c *Client) ListEdgesBetweenObjects(ctx context.Context, sourceObjectID, targetObjectID uuid.UUID) ([]Edge, error)

ListEdgesBetweenObjects lists all edges (relationships) with a given source & target object.

func (*Client) ListEdgesOnObject 

func (c *Client) ListEdgesOnObject(ctx context.Context, objectID uuid.UUID, opts ...pagination.Option) (*ListEdgesResponse, error)

ListEdgesOnObject lists `limit` edges (relationships) where the given object is a source or target.

func (*Client) ListObjectTypes 

func (c *Client) ListObjectTypes(ctx context.Context) ([]ObjectType, error)

ListObjectTypes lists all object types in the system

func (*Client) ListObjects 

func (c *Client) ListObjects(ctx context.Context, opts ...pagination.Option) (*ListObjectsResponse, error)

ListObjects lists `limit` objects in sorted order with pagination, starting after a given ID (or uuid.Nil to start from the beginning).

func (*Client) ListObjectsFromQuery added in v0.4.0 

func (c *Client) ListObjectsFromQuery(ctx context.Context, query url.Values) (*ListObjectsResponse, error)

ListObjectsFromQuery takes in a query that can handle filters passed from console as well as the default method.

func (*Client) ListObjectsReachableWithAttribute added in v0.4.0 

func (c *Client) ListObjectsReachableWithAttribute(ctx context.Context, sourceObjectID uuid.UUID, targetObjectTypeID uuid.UUID, attributeName string) ([]uuid.UUID, error)

ListObjectsReachableWithAttribute returns a list of object IDs of a certain type that are reachable from the source object with the given attribute

func (*Client) ListOrganizations added in v0.4.0 

func (c *Client) ListOrganizations(ctx context.Context) ([]Organization, error)

ListOrganizations lists all organizations for a tenant

func (*Client) UpdateEdgeType 

func (c *Client) UpdateEdgeType(ctx context.Context, id uuid.UUID, sourceObjectTypeID, targetObjectTypeID uuid.UUID, typeName string, attributes Attributes) (*EdgeType, error)

UpdateEdgeType updates an existing edge type in the authz system.

type Edge 

type Edge struct {
	ucdb.BaseModel

	// This must be a valid EdgeType.ID value
	EdgeTypeID uuid.UUID `db:"edge_type_id" json:"edge_type_id" validate:"notnil"`
	// These must be valid ObjectType.ID values
	SourceObjectID uuid.UUID `db:"source_object_id" json:"source_object_id" validate:"notnil"`
	TargetObjectID uuid.UUID `db:"target_object_id" json:"target_object_id" validate:"notnil"`
}

Edge represents a directional relationship between a "source" object and a "target" object.

func (*Edge) Validate 

func (o *Edge) Validate() error

Validate implements Validateable

type EdgeType 

type EdgeType struct {
	ucdb.BaseModel

	TypeName           string     `db:"type_name" json:"type_name"  validate:"notempty"`
	SourceObjectTypeID uuid.UUID  `db:"source_object_type_id,immutable" json:"source_object_type_id"  validate:"notnil"`
	TargetObjectTypeID uuid.UUID  `db:"target_object_type_id,immutable" json:"target_object_type_id"  validate:"notnil"`
	Attributes         Attributes `db:"attributes" json:"attributes"`

	OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"`
}

EdgeType defines a single, strongly-typed relationship that a "source" object type can have to a "target" object type.

func (*EdgeType) Validate 

func (o *EdgeType) Validate() error

Validate implements Validateable

type ListEdgeTypesResponse 

type ListEdgeTypesResponse struct {
	Data []EdgeType `json:"data"`
	pagination.ResponseFields
}

ListEdgeTypesResponse is the paginated response from listing edge types.

type ListEdgesResponse 

type ListEdgesResponse struct {
	Data []Edge `json:"data"`
	pagination.ResponseFields
}

ListEdgesResponse is the paginated response from listing edges.

type ListObjectTypesResponse 

type ListObjectTypesResponse struct {
	Data []ObjectType `json:"data"`
	pagination.ResponseFields
}

ListObjectTypesResponse is the paginated response from listing object types.

type ListObjectsResponse 

type ListObjectsResponse struct {
	Data []Object `json:"data"`
	pagination.ResponseFields
}

ListObjectsResponse represents a paginated response from listing objects.

type ListOrganizationsResponse added in v0.4.0 

type ListOrganizationsResponse struct {
	Data []Organization `json:"data"`
	pagination.ResponseFields
}

ListOrganizationsResponse is the response from the ListOrganizations endpoint.

type Object 

type Object struct {
	ucdb.BaseModel

	Alias  *string   `db:"alias" json:"alias,omitempty" validate:"allownil"`
	TypeID uuid.UUID `db:"type_id,immutable" json:"type_id" validate:"notnil"`

	OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"`
}

Object represents an instance of an AuthZ object used for modeling permissions.

func (*Object) Validate 

func (o *Object) Validate() error

Validate implements Validateable

type ObjectType 

type ObjectType struct {
	ucdb.BaseModel

	TypeName string `db:"type_name" json:"type_name" validate:"notempty"`
}

ObjectType represents the type definition of an AuthZ object.

func (*ObjectType) Validate 

func (o *ObjectType) Validate() error

Validate implements Validateable

type Organization added in v0.4.0 

type Organization struct {
	ucdb.BaseModel

	Name string `db:"name" json:"name" validate:"notempty"`
}

Organization defines a collection of objects inside of a single AuthZ namespace. Uniqueness (of eg. Object aliases) is enforced by organization, rather than globally in a tenant

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.