README
¶
cedar-go
This repository contains source code of the Go implementation of the Cedar policy language.
Cedar is a language for writing and enforcing authorization policies in your applications. Using Cedar, you can write policies that specify your applications' fine-grained permissions. Your applications then authorize access requests by calling Cedar's authorization engine. Because Cedar policies are separate from application code, they can be independently authored, updated, analyzed, and audited. You can use Cedar's validator to check that Cedar policies are consistent with a declared schema which defines your application's authorization model.
Cedar is:
Expressive
Cedar is a simple yet expressive language that is purpose-built to support authorization use cases for common authorization models such as RBAC and ABAC.
Performant
Cedar is fast and scalable. The policy structure is designed to be indexed for quick retrieval and to support fast and scalable real-time evaluation, with bounded latency.
Analyzable
Cedar is designed for analysis using Automated Reasoning. This enables analyzer tools capable of optimizing your policies and proving that your security model is what you believe it is.
Using Cedar
Cedar can be used in your application by importing the github.com/cedar-policy/cedar-go package.
Comparison to the Rust implementation
The Go implementation includes:
- the core authorizer
- JSON marshalling and unmarshalling
- all core and extended types
- integration test suite
The Go implementation does not yet include:
- examples and CLI applications
- schema support and the validator
- the formatter
- partial evaluation
Quick Start
Here's a simple example of using Cedar in Go:
package main
import (
"encoding/json"
"fmt"
"log"
"github.com/cedar-policy/cedar-go"
)
const policyCedar = `permit (
principal == User::"alice",
action == Action::"view",
resource in Album::"jane_vacation"
);
`
const entitiesJSON = `[
{
"uid": { "type": "User", "id": "alice" },
"attrs": { "age": 18 },
"parents": []
},
{
"uid": { "type": "Photo", "id": "VacationPhoto94.jpg" },
"attrs": {},
"parents": [{ "type": "Album", "id": "jane_vacation" }]
}
]`
func main() {
ps, err := cedar.NewPolicySet("policy.cedar", []byte(policyCedar))
if err != nil {
log.Fatal(err)
}
var entities cedar.Entities
if err := json.Unmarshal([]byte(entitiesJSON), &entities); err != nil {
log.Fatal(err)
}
req := cedar.Request{
Principal: cedar.EntityUID{Type: "User", ID: "alice"},
Action: cedar.EntityUID{Type: "Action", ID: "view"},
Resource: cedar.EntityUID{Type: "Photo", ID: "VacationPhoto94.jpg"},
Context: cedar.Record{},
}
ok, _ := ps.IsAuthorized(entities, req)
fmt.Println(ok)
}
CLI output:
allow
This request is allowed because VacationPhoto94.jpg belongs to Album::"jane_vacation", and alice can view photos in Album::"jane_vacation".
If you'd like to see more details on what can be expressed as Cedar policies, see the documentation.
Documentation
General documentation for Cedar is available at docs.cedarpolicy.com, with source code in the cedar-policy/cedar-docs repository.
Generated documentation for the latest version of the Go implementation can be accessed here.
If you're looking to integrate Cedar into a production system, please be sure the read the security best practices
Backward Compatibility Considerations
x/exp - code in this subrepository is not subject to the Go 1 compatibility promise.
Security
See CONTRIBUTING for more information.
Contributing
We welcome contributions from the community. Please either file an issue, or see CONTRIBUTING
License
This project is licensed under the Apache-2.0 License.
Documentation
¶
Overview ¶
Package cedar provides an implementation of the Cedar language authorizer.
Index ¶
Constants ¶
const ( Permit = Effect(true) Forbid = Effect(false) )
Each Policy has a Permit or Forbid effect that is determined during parsing.
const ( Allow = Decision(true) Deny = Decision(false) )
Each authorization results in one of these Decisions.
const DecimalPrecision = 10000
DecimalPrecision is the precision of a Decimal.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Annotations ¶
An Annotations is a map of key, value pairs found in the policy. Annotations have no impact on policy evaluation.
type Boolean ¶
type Boolean bool
A Boolean is a value that is either true or false.
func (Boolean) Cedar ¶
Cedar produces a valid Cedar language representation of the Boolean, e.g. `true`.
func (Boolean) ExplicitMarshalJSON ¶
ExplicitMarshalJSON marshals the Boolean into JSON.
type Decimal ¶
type Decimal int64
A Decimal is a value with both a whole number part and a decimal part of no more than four digits. In Go this is stored as an int64, the precision is defined by the constant DecimalPrecision.
func ParseDecimal ¶
ParseDecimal takes a string representation of a decimal number and converts it into a Decimal type.
func (Decimal) Cedar ¶
Cedar produces a valid Cedar language representation of the Decimal, e.g. `decimal("12.34")`.
func (Decimal) ExplicitMarshalJSON ¶
ExplicitMarshalJSON marshals the Decimal into JSON using the explicit form.
func (Decimal) MarshalJSON ¶
ExplicitMarshalJSON marshals the Decimal into JSON using the implicit form.
func (*Decimal) UnmarshalJSON ¶
type Decision ¶
type Decision bool
A Decision is the result of the authorization.
func (Decision) MarshalJSON ¶
func (*Decision) UnmarshalJSON ¶
type Diagnostic ¶
type Diagnostic struct {
Reasons []Reason `json:"reasons,omitempty"`
Errors []Error `json:"errors,omitempty"`
}
A Diagnostic details the errors and reasons for an authorization decision.
type Effect ¶
type Effect bool
An Effect specifies the intent of the policy, to either permit or forbid any request that matches the scope and conditions specified in the policy.
func (Effect) MarshalJSON ¶
func (*Effect) UnmarshalJSON ¶
type Entities ¶
An Entities is a collection of all the Entities that are needed to evaluate authorization requests. The key is an EntityUID which uniquely identifies the Entity (it must be the same as the UID within the Entity itself.)
func (Entities) MarshalJSON ¶
func (*Entities) UnmarshalJSON ¶
type Entity ¶
type Entity struct {
UID EntityUID `json:"uid"`
Parents []EntityUID `json:"parents,omitempty"`
Attributes Record `json:"attrs"`
}
An Entity defines the parents and attributes for an EntityUID.
type EntityUID ¶
An EntityUID is the identifier for a principal, action, or resource.
func NewEntityUID ¶
func (EntityUID) Cedar ¶
Cedar produces a valid Cedar language representation of the EntityUID, e.g. `Type::"id"`.
func (EntityUID) ExplicitMarshalJSON ¶
ExplicitMarshalJSON marshals the EntityUID into JSON using the explicit form.
func (EntityUID) MarshalJSON ¶
ExplicitMarshalJSON marshals the EntityUID into JSON using the implicit form.
func (EntityUID) String ¶
String produces a string representation of the EntityUID, e.g. `Type::"id"`.
func (*EntityUID) UnmarshalJSON ¶
type Error ¶
type Error struct {
Policy int `json:"policy"`
Position Position `json:"position"`
Message string `json:"message"`
}
An Error details the Policy index within a PolicySet, the Position within the text document, and the resulting error message.
type IPAddr ¶
An IPAddr is value that represents an IP address. It can be either IPv4 or IPv6. The value can represent an individual address or a range of addresses.
func ParseIPAddr ¶
ParseIPAddr takes a string representation of an IP address and converts it into an IPAddr type.
func (IPAddr) Cedar ¶
Cedar produces a valid Cedar language representation of the IPAddr, e.g. `ip("127.0.0.1")`.
func (IPAddr) ExplicitMarshalJSON ¶
ExplicitMarshalJSON marshals the IPAddr into JSON using the explicit form.
func (IPAddr) MarshalJSON ¶
ExplicitMarshalJSON marshals the IPAddr into JSON using the implicit form.
func (*IPAddr) UnmarshalJSON ¶
type Long ¶
type Long int64
A Long is a whole number without decimals that can range from -9223372036854775808 to 9223372036854775807.
func (Long) ExplicitMarshalJSON ¶
ExplicitMarshalJSON marshals the Long into JSON.
type Policy ¶
type Policy struct {
Position Position // location within the policy text document
Annotations Annotations // annotations found for this policy
Effect Effect // the effect of this policy
// contains filtered or unexported fields
}
A Policy is the parsed form of a single Cedar language policy statement. It includes the following elements, a Position, Annotations, and an Effect.
type PolicySet ¶
type PolicySet []Policy
A PolicySet is a slice of policies.
func NewPolicySet ¶
NewPolicySet will create a PolicySet from the given text document with the given file name used in Position data. If there is an error parsing the document, it will be returned.
func (PolicySet) IsAuthorized ¶
func (p PolicySet) IsAuthorized(entities Entities, req Request) (Decision, Diagnostic)
IsAuthorized uses the combination of the PolicySet and Entities to determine if the given Request to determine Decision and Diagnostic.
type Position ¶
type Position struct {
Filename string // filename, if any
Offset int // byte offset, starting at 0
Line int // line number, starting at 1
Column int // column number, starting at 1 (character count per line)
}
A Position describes an arbitrary source position including the file, line, and column location.
type Reason ¶
A Reason details the Policy index within a PolicySet, and the Position within the text document.
type Record ¶
A Record is a collection of attributes. Each attribute consists of a name and an associated value. Names are simple strings. Values can be of any type.
func (Record) Cedar ¶
Cedar produces a valid Cedar language representation of the Record, e.g. `{"a":1,"b":2,"c":3}`.
func (Record) ExplicitMarshalJSON ¶
ExplicitMarshalJSON marshals the Record into JSON, the marshaller uses the explicit JSON form for all the values in the Record.
func (Record) MarshalJSON ¶
MarshalJSON marshals the Record into JSON, the marshaller uses the explicit JSON form for all the values in the Record.
func (Record) String ¶
String produces a string representation of the Record, e.g. `{"a":1,"b":2,"c":3}`.
func (*Record) UnmarshalJSON ¶
type Request ¶
type Request struct {
Principal EntityUID `json:"principal"`
Action EntityUID `json:"action"`
Resource EntityUID `json:"resource"`
Context Record `json:"context"`
}
A Request is the Principal, Action, Resource, and Context portion of an authorization request.
type Set ¶
type Set []Value
A Set is a collection of elements that can be of the same or different types.
func (Set) ExplicitMarshalJSON ¶
ExplicitMarshalJSON marshals the Set into JSON, the marshaller uses the explicit JSON form for all the values in the Set.
func (Set) MarshalJSON ¶
MarshalJSON marshals the Set into JSON, the marshaller uses the explicit JSON form for all the values in the Set.
func (*Set) UnmarshalJSON ¶
type String ¶
type String string
A String is a sequence of characters consisting of letters, numbers, or symbols.
func (String) Cedar ¶
Cedar produces a valid Cedar language representation of the String, e.g. `"hello"`.
func (String) ExplicitMarshalJSON ¶
ExplicitMarshalJSON marshals the String into JSON.
type Value ¶
type Value interface {
// String produces a string representation of the Value.
String() string
// Cedar produces a valid Cedar language representation of the Value.
Cedar() string
// ExplicitMarshalJSON marshals the Value into JSON using the explicit (if
// applicable) JSON form, which is necessary for marshalling values within
// Sets or Records where the type is not defined.
ExplicitMarshalJSON() ([]byte, error)
// contains filtered or unexported methods
}
Source Files
Directories