namespace

package
v1.11.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 2, 2022 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AnnotateNamespace added in v1.7.0

func AnnotateNamespace(ts *ValidatedNamespaceTypeSystem) error

AnnotateNamespace annotates the namespace in the type system with computed aliasing and cache key metadata for more efficient dispatching.

func CheckNamespaceAndRelation added in v1.8.0

func CheckNamespaceAndRelation(
	ctx context.Context,
	namespace string,
	relation string,
	allowEllipsis bool,
	ds datastore.Reader,
) error

CheckNamespaceAndRelation checks that the specified namespace and relation exist in the datastore.

Returns datastore.ErrNamespaceNotFound if the namespace cannot be found. Returns ErrRelationNotFound if the relation was not found in the namespace. Returns the direct downstream error for all other unknown error.

func NewRelationNotFoundErr

func NewRelationNotFoundErr(nsName string, relationName string) error

NewRelationNotFoundErr constructs a new relation not found error.

func ReadNamespaceAndRelation added in v1.8.0

func ReadNamespaceAndRelation(
	ctx context.Context,
	namespace string,
	relation string,
	ds datastore.Reader,
) (*core.NamespaceDefinition, *core.Relation, error)

ReadNamespaceAndRelation checks that the specified namespace and relation exist in the datastore.

Returns ErrNamespaceNotFound if the namespace cannot be found. Returns ErrRelationNotFound if the relation was not found in the namespace. Returns the direct downstream error for all other unknown error.

Types

type AllowedDirectRelation

type AllowedDirectRelation int

AllowedDirectRelation indicates whether a relation is allowed on the right side of another relation.

const (
	// UnknownIfRelationAllowed indicates that no type information is defined for
	// this relation.
	UnknownIfRelationAllowed AllowedDirectRelation = iota

	// DirectRelationValid indicates that the specified subject relation is valid as
	// part of a *direct* tuple on the relation.
	DirectRelationValid

	// DirectRelationNotValid indicates that the specified subject relation is not
	// valid as part of a *direct* tuple on the relation.
	DirectRelationNotValid
)

type AllowedPublicSubject added in v1.3.0

type AllowedPublicSubject int

AllowedPublicSubject indicates whether a public subject of a particular kind is allowed on the right side of another relation.

const (
	// UnknownIfPublicAllowed indicates that no type information is defined for
	// this relation.
	UnknownIfPublicAllowed AllowedPublicSubject = iota

	// PublicSubjectAllowed indicates that the specified subject wildcard is valid as
	// part of a *direct* tuple on the relation.
	PublicSubjectAllowed

	// PublicSubjectNotAllowed indicates that the specified subject wildcard is not
	// valid as part of a *direct* tuple on the relation.
	PublicSubjectNotAllowed
)

type Delta

type Delta struct {
	// Type is the type of this delta.
	Type DeltaType

	// RelationName is the name of the relation to which this delta applies, if any.
	RelationName string

	// DirectType is the direct relation type added or removed, if any.
	DirectType *core.RelationReference

	// WildcardType is the wildcard type added or removed, if any.
	WildcardType string
}

type DeltaType

type DeltaType string

DeltaType defines the type of namespace deltas.

const (
	// NamespaceAdded indicates that the namespace was newly added/created.
	NamespaceAdded DeltaType = "namespace-added"

	// NamespaceRemoved indicates that the namespace was removed.
	NamespaceRemoved DeltaType = "namespace-removed"

	// AddedRelation indicates that the relation was added to the namespace.
	AddedRelation DeltaType = "added-relation"

	// RemovedRelation indicates that the relation was removed from the namespace.
	RemovedRelation DeltaType = "removed-relation"

	// AddedPermission indicates that the permission was added to the namespace.
	AddedPermission DeltaType = "added-permission"

	// RemovedPermission indicates that the permission was removed from the namespace.
	RemovedPermission DeltaType = "removed-permission"

	// ChangedPermissionImpl indicates that the implementation of the permission has changed in some
	// way.
	ChangedPermissionImpl DeltaType = "changed-permission-implementation"

	// LegacyChangedRelationImpl indicates that the implementation of the relation has changed in some
	// way. This is for legacy checks and should not apply to any modern namespaces created
	// via schema.
	LegacyChangedRelationImpl DeltaType = "legacy-changed-relation-implementation"

	// RelationDirectTypeAdded indicates that an allowed direct relation type has been added to
	// the relation.
	RelationDirectTypeAdded DeltaType = "relation-direct-type-added"

	// RelationDirectTypeRemoved indicates that an allowed direct relation type has been removed from
	// the relation.
	RelationDirectTypeRemoved DeltaType = "relation-direct-type-removed"

	// RelationDirectWildcardTypeAdded indicates that an allowed relation wildcard type has been added to
	// the relation.
	RelationDirectWildcardTypeAdded DeltaType = "relation-wildcard-type-added"

	// RelationDirectWildcardTypeRemoved indicates that an allowed relation wildcard type has been removed from
	// the relation.
	RelationDirectWildcardTypeRemoved DeltaType = "relation-wildcard-type-removed"
)

type Diff added in v1.7.0

type Diff struct {
	// contains filtered or unexported fields
}

Diff holds the diff between two namespaces.

func DiffNamespaces

func DiffNamespaces(existing *core.NamespaceDefinition, updated *core.NamespaceDefinition) (*Diff, error)

DiffNamespaces performs a diff between two namespace definitions. One or both of the definitions can be `nil`, which will be treated as an add/remove as applicable.

func (Diff) Deltas added in v1.7.0

func (nd Diff) Deltas() []Delta

Deltas returns the deltas between the two namespaces.

type ErrRelationNotFound

type ErrRelationNotFound struct {
	// contains filtered or unexported fields
}

ErrRelationNotFound occurs when a relation was not found under a namespace.

func (ErrRelationNotFound) MarshalZerologObject

func (erf ErrRelationNotFound) MarshalZerologObject(e *zerolog.Event)

func (ErrRelationNotFound) NamespaceName

func (erf ErrRelationNotFound) NamespaceName() string

NamespaceName returns the name of the namespace in which the relation was not found.

func (ErrRelationNotFound) NotFoundRelationName

func (erf ErrRelationNotFound) NotFoundRelationName() string

NotFoundRelationName returns the name of the relation not found.

type LookupNamespace added in v0.0.2

type LookupNamespace func(ctx context.Context, name string) (*core.NamespaceDefinition, error)

LookupNamespace is a function used to lookup a namespace.

type ReachabilityEntrypoint added in v1.8.0

type ReachabilityEntrypoint struct {
	// contains filtered or unexported fields
}

ReachabilityEntrypoint is an entrypoint into the reachability graph for a subject of particular type.

func (ReachabilityEntrypoint) ContainingRelationOrPermission added in v1.8.0

func (re ReachabilityEntrypoint) ContainingRelationOrPermission() *core.RelationReference

ContainingRelationOrPermission is the relation or permission containing this entrypoint.

func (ReachabilityEntrypoint) DirectRelation added in v1.8.0

func (re ReachabilityEntrypoint) DirectRelation() *core.RelationReference

DirectRelation is the relation that this entrypoint represents, if a RELATION_ENTRYPOINT.

func (ReachabilityEntrypoint) EntrypointKind added in v1.8.0

EntrypointKind is the kind of the entrypoint.

func (ReachabilityEntrypoint) IsDirectResult added in v1.8.0

func (re ReachabilityEntrypoint) IsDirectResult() bool

IsDirectResult returns whether the entrypoint, when evaluated, becomes a direct result of the parent relation/permission. A direct result only exists if the entrypoint is not contained under an intersection or exclusion, which makes the entrypoint's object merely conditionally reachable.

func (ReachabilityEntrypoint) TuplesetRelation added in v1.8.0

func (re ReachabilityEntrypoint) TuplesetRelation() string

TuplesetRelation returns the tupleset relation of the TTU, if a TUPLESET_TO_USERSET_ENTRYPOINT.

type ReachabilityGraph added in v1.8.0

type ReachabilityGraph struct {
	// contains filtered or unexported fields
}

ReachabilityGraph is a helper struct that provides an easy way to determine all entrypoints for a subject of a particular type into a schema, for the purpose of walking from the subject to a specific resource relation.

func ReachabilityGraphFor added in v1.8.0

func ReachabilityGraphFor(ts *ValidatedNamespaceTypeSystem) *ReachabilityGraph

ReachabilityGraphFor returns a reachability graph for the given namespace.

func (*ReachabilityGraph) AllEntrypointsForSubjectToResource added in v1.8.0

func (rg *ReachabilityGraph) AllEntrypointsForSubjectToResource(
	ctx context.Context,
	subjectType *core.RelationReference,
	resourceType *core.RelationReference,
) ([]ReachabilityEntrypoint, error)

AllEntrypointsForSubjectToResource returns the entrypoints into the reachability graph, starting at the given subject type and walking to the given resource type.

func (*ReachabilityGraph) HasOptimizedEntrypointsForSubjectToResource added in v1.8.0

func (rg *ReachabilityGraph) HasOptimizedEntrypointsForSubjectToResource(
	ctx context.Context,
	subjectType *core.RelationReference,
	resourceType *core.RelationReference,
) (bool, error)

HasOptimizedEntrypointsForSubjectToResource returns whether there exists any *optimized* entrypoints into the reachability graph, starting at the given subject type and walking to the given resource type.

The optimized set will skip branches on intersections and exclusions in an attempt to minimize the number of entrypoints.

func (*ReachabilityGraph) OptimizedEntrypointsForSubjectToResource added in v1.8.0

func (rg *ReachabilityGraph) OptimizedEntrypointsForSubjectToResource(
	ctx context.Context,
	subjectType *core.RelationReference,
	resourceType *core.RelationReference,
) ([]ReachabilityEntrypoint, error)

OptimizedEntrypointsForSubjectToResource returns the *optimized* set of entrypoints into the reachability graph, starting at the given subject type and walking to the given resource type.

The optimized set will skip branches on intersections and exclusions in an attempt to minimize the number of entrypoints.

type TypeSystem added in v1.7.0

type TypeSystem struct {
	// contains filtered or unexported fields
}

TypeSystem represents typing information found in a namespace.

func BuildNamespaceTypeSystem

func BuildNamespaceTypeSystem(nsDef *core.NamespaceDefinition, lookupNamespace LookupNamespace) (*TypeSystem, error)

BuildNamespaceTypeSystem constructs a type system view of a namespace definition.

func BuildNamespaceTypeSystemForDatastore added in v1.8.0

func BuildNamespaceTypeSystemForDatastore(nsDef *core.NamespaceDefinition, ds datastore.Reader) (*TypeSystem, error)

BuildNamespaceTypeSystemForDatastore constructs a type system view of a namespace definition, with automatic lookup via the datastore reader.

func BuildNamespaceTypeSystemForDefs added in v0.0.2

func BuildNamespaceTypeSystemForDefs(nsDef *core.NamespaceDefinition, allDefs []*core.NamespaceDefinition) (*TypeSystem, error)

BuildNamespaceTypeSystemForDefs constructs a type system view of a namespace definition, with lookup in the list of definitions given.

func BuildNamespaceTypeSystemWithFallback added in v0.0.2

func BuildNamespaceTypeSystemWithFallback(nsDef *core.NamespaceDefinition, ds datastore.Reader, additionalDefs []*core.NamespaceDefinition) (*TypeSystem, error)

BuildNamespaceTypeSystemWithFallback constructs a type system view of a namespace definition, with automatic lookup via the additional defs first, and then the namespace manager as a fallback.

func ReadNamespaceAndTypes added in v1.8.0

func ReadNamespaceAndTypes(
	ctx context.Context,
	nsName string,
	ds datastore.Reader,
) (*core.NamespaceDefinition, *TypeSystem, error)

ReadNamespaceAndTypes reads a namespace definition, version, and type system and returns it if found.

func (*TypeSystem) AllowedDirectRelationsAndWildcards added in v1.7.0

func (nts *TypeSystem) AllowedDirectRelationsAndWildcards(sourceRelationName string) ([]*core.AllowedRelation, error)

AllowedDirectRelationsAndWildcards returns the allowed subject relations for a source relation. Note that this function will return wildcards.

func (*TypeSystem) AllowedSubjectRelations added in v1.7.0

func (nts *TypeSystem) AllowedSubjectRelations(sourceRelationName string) ([]*core.RelationReference, error)

AllowedSubjectRelations returns the allowed subject relations for a source relation. Note that this function will *not* return wildcards.

func (*TypeSystem) AsValidated added in v1.8.0

func (nts *TypeSystem) AsValidated() *ValidatedNamespaceTypeSystem

AsValidated returns the current type system marked as validated. This method should *only* be called for type systems read from storage. TODO(jschorr): Maybe have the namespaces loaded from datastore do this automatically?

func (*TypeSystem) HasRelation added in v1.7.0

func (nts *TypeSystem) HasRelation(relationName string) bool

HasRelation returns true if the namespace has the given relation defined.

func (*TypeSystem) HasTypeInformation added in v1.7.0

func (nts *TypeSystem) HasTypeInformation(relationName string) bool

HasTypeInformation returns true if the relation with the given name exists and has type information defined.

func (*TypeSystem) IsAllowedDirectRelation added in v1.7.0

func (nts *TypeSystem) IsAllowedDirectRelation(sourceRelationName string, targetNamespaceName string, targetRelationName string) (AllowedDirectRelation, error)

IsAllowedDirectRelation returns whether the subject relation is allowed to appear on the right hand side of a tuple placed in the source relation with the given name.

func (*TypeSystem) IsAllowedPublicNamespace added in v1.7.0

func (nts *TypeSystem) IsAllowedPublicNamespace(sourceRelationName string, targetNamespaceName string) (AllowedPublicSubject, error)

IsAllowedPublicNamespace returns whether the target namespace is defined as public on the source relation.

func (*TypeSystem) IsPermission added in v1.7.0

func (nts *TypeSystem) IsPermission(relationName string) bool

IsPermission returns true if the namespace has the given relation defined and it is a permission.

func (*TypeSystem) Namespace added in v1.8.0

func (nts *TypeSystem) Namespace() *core.NamespaceDefinition

Namespace is the namespace for which the type system was constructed.

func (*TypeSystem) ReferencesWildcardType added in v1.7.0

func (nts *TypeSystem) ReferencesWildcardType(ctx context.Context, relationName string) (*WildcardTypeReference, error)

ReferencesWildcardType returns true if the relation references a wildcard type, either directly or via another relation.

func (*TypeSystem) Validate added in v1.7.0

Validate runs validation on the type system for the namespace to ensure it is consistent.

type ValidatedNamespaceTypeSystem added in v1.7.0

type ValidatedNamespaceTypeSystem struct {
	*TypeSystem
}

ValidatedNamespaceTypeSystem is validated type system for a namespace.

type WildcardTypeReference added in v1.3.0

type WildcardTypeReference struct {
	// ReferencingRelation is the relation referencing the wildcard type.
	ReferencingRelation *core.RelationReference

	// WildcardType is the wildcard type referenced.
	WildcardType *core.AllowedRelation
}

WildcardTypeReference represents a relation that references a wildcard type.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL