Documentation
¶
Index ¶
- Constants
- func Action(sset ...string) slugSet
- func Can(s Subject, act string, r Resource) (bool, error)
- func ResourceMatch(es ...Evaluator) conditionSet
- func ResourceType(sset ...string) slugSet
- type Access
- type Comparable
- type Error
- type Evaluator
- type LogicalConjunction
- type Resource
- type Rule
- type Subject
Constants ¶
const Version = "1.0.0"
Variables ¶
This section is empty.
Functions ¶
func ResourceMatch ¶
func ResourceMatch(es ...Evaluator) conditionSet
ResourceMatch is just a more readable way to start the rsrc_match section of a rule. It uses the implied logical conjunction AND.
func ResourceType ¶
func ResourceType(sset ...string) slugSet
Types ¶
type Access ¶
type Access string
Access represents a value which will distinguish a rule as either being a restricting rule or a permitting one.
const ( // Allow when set as the "access" on a rule will return true when the rule // is matched Allow Access = "allow" // Deny when set as the "access" on a rule will return false when the rule // is matched Deny = "Deny" )
type Comparable ¶
Comparable is an abstract representation of a type which is capable of being compared for equality against arbitrary values. This is useful if you will be returning your own types from Resource.GetResourceAttribute and you want them to still be comparable.
type Error ¶
type Error string
Error is used for any error that occurs during authr's evaluation. They are normally returned as a result of improperly constructed rules.
type Evaluator ¶
type Evaluator interface {
// contains filtered or unexported methods
}
Evaluator is an abstract representation of something that is capable of analyzing a Resource
func And ¶
And returns an Evaluator that combines multiple Evaluators and will evaluate the set of evaluators with the logical conjunction AND. The behavior of the AND evaluator is to evaluate each sub-evaluator in order until one returns false or all return true. Once it finds a negative evaluator, it will halt and return — also known as short-circuiting.
func Cond ¶
Cond is the basic unit of a resource match section of a rule. It represents a single condition to be evaluated against a Resource. Constructing a condition should be quite natural, like so:
Cond("@id", "=", "123")
The above condition says that the "id" attribute on a resource MUST equal 123. References to resource attributes are prefixed with an "@" character to distinguish them from literal values. To specify multiple conditions, use the condition sets:
And( Cond("@status", "=", "active"), Cond("@name", "$in", []string{ "mike", "jane", "rachel", }), )
type LogicalConjunction ¶
type LogicalConjunction string
const ( LogicalAnd LogicalConjunction = "$and" LogicalOr = "$or" )
type Resource ¶
type Resource interface { GetResourceType() (string, error) GetResourceAttribute(string) (interface{}, error) }
Resource is an abstract representation of an entity the is the target of actions performed by subjects. Resources have a type and attributes.
A "type" is what you might expect. If a blog were in need of an access control system, the resource type for a post would simply be "post" and the writers "author" perhaps.
Attributes are any properties of a resource that can be evaluated. A post, for example, can have "tags", which when being retrieve with GetResourceAttribute() would return a slice of strings.
Unknown or missing properties should simply return "nil" and not an error.
type Rule ¶
type Rule struct {
// contains filtered or unexported fields
}
Rule represents the basic building block of an access control system. Rules are entities which are said to "belong" to subjects in that they have been granted or applied to subjects based on the state of a datastore or the state of the subject themselves.
Rules have a few sections which constitute a valid authr rule.
type Subject ¶
type Subject interface { // GetRules simply retrieves a list of rules. The ordering of these rules // does matter. The rules themselves can be retrieve by any means necessary — // whether it be from a database or a config file; whatever works. GetRules() ([]*Rule, error) }
Subject is an abstract representation of an entity capable of performing actions on resources. It is distinguished by have a method which is supposed to return a list of rules that apply to the subject.