Affected by GO-2024-3131 and 1 other vulnerabilities

GO-2024-3131: SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb

GO-2024-3200: SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not in github.com/authzed/spicedb

datasets

package

v1.35.0 Latest Latest Go to latest Published: Jul 25, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/authzed/spicedb

Links

Open Source Insights

Documentation ¶

Index ¶

type BaseSubjectSet
- func NewBaseSubjectSet[T Subject[T]](constructor constructor[T]) BaseSubjectSet[T]
type Subject
type SubjectByTypeSet
- func NewSubjectByTypeSet() *SubjectByTypeSet
type SubjectSet
- func NewSubjectSet() SubjectSet
type SubjectSetByResourceID
- func NewSubjectSetByResourceID() SubjectSetByResourceID

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type BaseSubjectSet ¶

type BaseSubjectSet[T Subject[T]] struct {
	// contains filtered or unexported fields
}

BaseSubjectSet defines a set that tracks accessible subjects, their exclusions (if wildcards), and all conditional expressions applied due to caveats.

It is generic to allow other implementations to define the kind of tracking information associated with each subject.

NOTE: Unlike a traditional set, unions between wildcards and a concrete subject will result in *both* being present in the set, to maintain the proper set semantics around wildcards.

func NewBaseSubjectSet ¶

func NewBaseSubjectSet[T Subject[T]](constructor constructor[T]) BaseSubjectSet[T]

NewBaseSubjectSet creates a new base subject set for use underneath well-typed implementation.

The constructor function returns a new instance of type T for a particular subject ID.

func (BaseSubjectSet[T]) Add ¶

func (bss BaseSubjectSet[T]) Add(foundSubject T) error

Add adds the found subject to the set. This is equivalent to a Union operation between the existing set of subjects and a set containing the single subject, but modifies the set *in place*.

func (BaseSubjectSet[T]) AsSlice ¶

func (bss BaseSubjectSet[T]) AsSlice() []T

AsSlice returns the contents of the subject set as a slice of found subjects.

func (BaseSubjectSet[T]) Clone ¶

func (bss BaseSubjectSet[T]) Clone() BaseSubjectSet[T]

Clone returns a clone of this subject set. Note that this is a shallow clone. NOTE: Should only be used when performance is not a concern.

func (BaseSubjectSet[T]) Get ¶

func (bss BaseSubjectSet[T]) Get(id string) (T, bool)

Get returns the found subject with the given ID in the set, if any.

func (BaseSubjectSet[T]) IntersectionDifference ¶

func (bss BaseSubjectSet[T]) IntersectionDifference(other BaseSubjectSet[T]) error

IntersectionDifference performs an intersection between this set and the other set, modifying this set *in place*.

func (BaseSubjectSet[T]) IsEmpty ¶

func (bss BaseSubjectSet[T]) IsEmpty() bool

IsEmpty returns whether the subject set is empty.

func (BaseSubjectSet[T]) MustAdd ¶ added in v1.16.0

func (bss BaseSubjectSet[T]) MustAdd(foundSubject T)

MustAdd adds the found subject to the set. This is equivalent to a Union operation between the existing set of subjects and a set containing the single subject, but modifies the set *in place*.

func (BaseSubjectSet[T]) MustIntersectionDifference ¶ added in v1.16.0

func (bss BaseSubjectSet[T]) MustIntersectionDifference(other BaseSubjectSet[T])

MustIntersectionDifference performs an intersection between this set and the other set, modifying this set *in place*.

func (BaseSubjectSet[T]) MustUnionWithSet ¶ added in v1.16.0

func (bss BaseSubjectSet[T]) MustUnionWithSet(other BaseSubjectSet[T])

MustUnionWithSet performs a union operation between this set and the other set, modifying this set *in place*.

func (BaseSubjectSet[T]) Subtract ¶

func (bss BaseSubjectSet[T]) Subtract(toRemove T)

Subtract subtracts the given subject found the set.

func (BaseSubjectSet[T]) SubtractAll ¶

func (bss BaseSubjectSet[T]) SubtractAll(other BaseSubjectSet[T])

SubtractAll subtracts the other set of subjects from this set of subtracts, modifying this set *in place*.

func (BaseSubjectSet[T]) UnionWith ¶

func (bss BaseSubjectSet[T]) UnionWith(foundSubjects []T) error

UnionWith adds the given subjects to this set, via a union call.

func (BaseSubjectSet[T]) UnionWithSet ¶

func (bss BaseSubjectSet[T]) UnionWithSet(other BaseSubjectSet[T]) error

UnionWithSet performs a union operation between this set and the other set, modifying this set *in place*.

func (BaseSubjectSet[T]) UnsafeRemoveExact ¶

func (bss BaseSubjectSet[T]) UnsafeRemoveExact(foundSubject T)

UnsafeRemoveExact removes the *exact* matching subject, with no wildcard handling. This should ONLY be used for testing.

func (BaseSubjectSet[T]) WithParentCaveatExpression ¶

func (bss BaseSubjectSet[T]) WithParentCaveatExpression(parentCaveatExpr *core.CaveatExpression) BaseSubjectSet[T]

WithParentCaveatExpression returns a copy of the subject set with the parent caveat expression applied to all members of this set.

type Subject ¶

type Subject[T any] interface {
	// GetSubjectId returns the ID of the subject. For wildcards, this should be `*`.
	GetSubjectId() string

	// GetCaveatExpression returns the caveat expression for this subject, if it is conditional.
	GetCaveatExpression() *core.CaveatExpression

	// GetExcludedSubjects returns the list of subjects excluded. Must only have values
	// for wildcards and must never be nested.
	GetExcludedSubjects() []T
}

Subject is a subject that can be placed into a BaseSubjectSet. It is defined in a generic manner to allow implementations that wrap BaseSubjectSet to add their own additional bookkeeping to the base implementation.

type SubjectByTypeSet ¶

type SubjectByTypeSet struct {
	// contains filtered or unexported fields
}

SubjectByTypeSet is a set of SubjectSet's, grouped by their subject types.

func NewSubjectByTypeSet ¶

func NewSubjectByTypeSet() *SubjectByTypeSet

NewSubjectByTypeSet creates and returns a new SubjectByTypeSet.

func (*SubjectByTypeSet) AddConcreteSubject ¶

func (s *SubjectByTypeSet) AddConcreteSubject(subject *core.ObjectAndRelation) error

AddConcreteSubject adds a non-caveated subject to the set.

func (*SubjectByTypeSet) AddSubject ¶

func (s *SubjectByTypeSet) AddSubject(subject *core.ObjectAndRelation, caveat *core.ContextualizedCaveat) error

AddSubject adds the specified subject to the set.

func (*SubjectByTypeSet) AddSubjectOf ¶

func (s *SubjectByTypeSet) AddSubjectOf(relationship *core.RelationTuple) error

AddSubjectOf adds the subject found in the given relationship, along with its caveat.

func (*SubjectByTypeSet) ForEachType ¶

func (s *SubjectByTypeSet) ForEachType(handler func(rr *core.RelationReference, subjects SubjectSet))

ForEachType invokes the handler for each type of ObjectAndRelation found in the set, along with all IDs of objects of that type.

func (*SubjectByTypeSet) IsEmpty ¶

func (s *SubjectByTypeSet) IsEmpty() bool

IsEmpty returns true if the set is empty.

func (*SubjectByTypeSet) Len ¶

func (s *SubjectByTypeSet) Len() int

Len returns the number of keys in the set.

func (*SubjectByTypeSet) Map ¶

func (s *SubjectByTypeSet) Map(mapper func(rr *core.RelationReference) (*core.RelationReference, error)) (*SubjectByTypeSet, error)

Map runs the mapper function over each type of object in the set, returning a new ONRByTypeSet with the object type replaced by that returned by the mapper function.

func (*SubjectByTypeSet) SubjectSetForType ¶

func (s *SubjectByTypeSet) SubjectSetForType(rr *core.RelationReference) (SubjectSet, bool)

SubjectSetForType returns the subject set associated with the given subject type, if any.

type SubjectSet ¶

type SubjectSet struct {
	BaseSubjectSet[*v1.FoundSubject]
}

SubjectSet defines a set that tracks accessible subjects.

NOTE: Unlike a traditional set, unions between wildcards and a concrete subject will result in *both* being present in the set, to maintain the proper set semantics around wildcards.

func NewSubjectSet ¶

func NewSubjectSet() SubjectSet

NewSubjectSet creates and returns a new subject set.

func (SubjectSet) AsFoundSubjects ¶

func (ss SubjectSet) AsFoundSubjects() *v1.FoundSubjects

func (SubjectSet) Clone ¶ added in v1.30.1

func (ss SubjectSet) Clone() SubjectSet

func (SubjectSet) IntersectionDifference ¶

func (ss SubjectSet) IntersectionDifference(other SubjectSet) error

func (SubjectSet) MustIntersectionDifference ¶ added in v1.16.0

func (ss SubjectSet) MustIntersectionDifference(other SubjectSet)

func (SubjectSet) MustUnionWithSet ¶ added in v1.16.0

func (ss SubjectSet) MustUnionWithSet(other SubjectSet)

func (SubjectSet) SubtractAll ¶

func (ss SubjectSet) SubtractAll(other SubjectSet)

func (SubjectSet) UnionWithSet ¶

func (ss SubjectSet) UnionWithSet(other SubjectSet) error

func (SubjectSet) WithParentCaveatExpression ¶

func (ss SubjectSet) WithParentCaveatExpression(parentCaveatExpr *core.CaveatExpression) SubjectSet

WithParentCaveatExpression returns a copy of the subject set with the parent caveat expression applied to all members of this set.

type SubjectSetByResourceID ¶

type SubjectSetByResourceID struct {
	// contains filtered or unexported fields
}

SubjectSetByResourceID defines a helper type which maps from a resource ID to its associated found subjects, in the form of a subject set per resource ID.

func NewSubjectSetByResourceID ¶

func NewSubjectSetByResourceID() SubjectSetByResourceID

NewSubjectSetByResourceID creates and returns a map of subject sets, indexed by resource ID.

func (SubjectSetByResourceID) AddFromRelationship ¶

func (ssr SubjectSetByResourceID) AddFromRelationship(relationship *core.RelationTuple) error

AddFromRelationship adds the subject found in the given relationship to this map, indexed at the resource ID specified in the relationship.

func (SubjectSetByResourceID) AsMap ¶

func (ssr SubjectSetByResourceID) AsMap() map[string]*v1.FoundSubjects

AsMap converts the map into a map for storage in a proto.

func (SubjectSetByResourceID) IntersectionDifference ¶

func (ssr SubjectSetByResourceID) IntersectionDifference(other SubjectSetByResourceID) error

IntersectionDifference performs an in-place intersection between the two maps' sets.

func (SubjectSetByResourceID) IsEmpty ¶

func (ssr SubjectSetByResourceID) IsEmpty() bool

IsEmpty returns true if the map is empty.

func (SubjectSetByResourceID) SubtractAll ¶

func (ssr SubjectSetByResourceID) SubtractAll(other SubjectSetByResourceID)

SubtractAll subtracts all sets in the other map from this map's sets.

func (SubjectSetByResourceID) UnionWith ¶

func (ssr SubjectSetByResourceID) UnionWith(other map[string]*v1.FoundSubjects) error

UnionWith unions the map's sets with the other map of sets provided.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL