Documentation

Constants
const (
	ActionCreate = "create"
	ActionRead   = "read"
	ActionUpdate = "update"
	ActionDelete = "delete"
)
const WildcardSymbol = "*"
Variables
var (
	ResourceWorkspace = Object{
		Type: "workspace",
	}
	ResourceTemplate = Object{
		Type: "template",
	}
	// ResourceWildcard represents all resource types
	ResourceWildcard = Object{
		Type: WildcardSymbol,
	}
)
Resources are just typed objects. Defining resources this way lets them be passed directly into an Authorize function and used with the chaining API.
var (
	// RoleAdmin is a role that allows everything everywhere.
	RoleAdmin = Role{
		Name: "admin",
		Site: permissions(map[Object][]Action{
			ResourceWildcard: {WildcardSymbol},
		}),
	}
	// RoleMember is a role that allows access to user-level resources.
	RoleMember = Role{
		Name: "member",
		User: permissions(map[Object][]Action{
			ResourceWildcard: {WildcardSymbol},
		}),
	}
	// RoleAuditor is an example of how to give more precise permissions.
	RoleAuditor = Role{
		Name: "auditor",
		Site: permissions(map[Object][]Action{
			ResourceWorkspace: {ActionRead},
		}),
	}
)
Roles are stored as structs so they can be serialized and persisted. Until they are stored elsewhere, package-level consts will do just fine.
Functions
This section is empty.
Types

type Object
type Object struct {
	ResourceID string `json:"id"`
	Owner      string `json:"owner"`
	// OrgID specifies which org the object is a part of.
	OrgID string `json:"org_owner"`
	// Type is "workspace", "project", "devurl", etc
	Type string `json:"type"`
}
Object is used to create objects for authz checks when you have none in hand to run the check on. For example, if you want to list all workspaces, you can create an Object that represents the set of workspaces you are trying to get access to. Do not export this type, as it can be created from a resource type constant.
type Permission

type RegoAuthorizer
type RegoAuthorizer struct {
// contains filtered or unexported fields
}
RegoAuthorizer uses a prepared Rego query to perform authorize().
func NewAuthorizer
func NewAuthorizer() (*RegoAuthorizer, error)
type Role
type Role struct {
	Name string       `json:"name"`
	Site []Permission `json:"site"`
	// Org is a map of orgid to permissions. We represent orgid as a string.
	Org  map[string][]Permission `json:"org"`
	User []Permission            `json:"user"`
}
Role is a set of permissions at multiple levels:
- Site level permissions apply EVERYWHERE
- Org level permissions apply to EVERYTHING in a given ORG
- User level permissions are the lowest
In most cases, you will just want to use the pre-defined roles below.
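The three levels above can be read as a scoping rule: Site grants apply to any object, Org grants only to objects whose OrgID matches the map key, and User grants only to objects the subject owns. The following is an added, standalone Go model of that rule (it is not the package's code, which evaluates roles through a prepared Rego query); the Permission shape, the Authorize signature and the subject/owner check are assumptions, and the wildcard handling follows the page's WildcardSymbol.

```go
package main

import "fmt"

// Standalone model of the Site / Org / User permission levels described
// above (constructed illustration, not the package's Rego implementation).
const Wildcard = "*"

type Object struct{ ResourceID, Owner, OrgID, Type string }

// Permission is assumed here to pair a resource type with one action;
// the package's own Permission type is not shown on this page.
type Permission struct{ ResourceType, Action string }

type Role struct {
	Name string
	Site []Permission            // apply everywhere
	Org  map[string][]Permission // orgID -> permissions within that org
	User []Permission            // apply only to objects the subject owns
}

func grants(perms []Permission, obj Object, action string) bool {
	for _, p := range perms {
		typeOK := p.ResourceType == Wildcard || p.ResourceType == obj.Type
		actionOK := p.Action == Wildcard || p.Action == action
		if typeOK && actionOK {
			return true
		}
	}
	return false
}

// Authorize grants if any level allows the action; everything else is denied.
func Authorize(subject string, role Role, action string, obj Object) bool {
	return grants(role.Site, obj, action) ||
		grants(role.Org[obj.OrgID], obj, action) ||
		(obj.Owner == subject && grants(role.User, obj, action))
}

// Roles mirroring the page's RoleAdmin, RoleMember and RoleAuditor.
var (
	RoleAdmin   = Role{Name: "admin", Site: []Permission{{Wildcard, Wildcard}}}
	RoleMember  = Role{Name: "member", User: []Permission{{Wildcard, Wildcard}}}
	RoleAuditor = Role{Name: "auditor", Site: []Permission{{"workspace", "read"}}}
)

func main() {
	ws := Object{ResourceID: "ws-1", Owner: "alice", OrgID: "org-1", Type: "workspace"}
	fmt.Println(Authorize("bob", RoleAuditor, "delete", ws), Authorize("alice", RoleMember, "delete", ws))
}
```

Note that a member's user-level wildcard still denies access to another user's workspace, and an org-scoped grant stops at the org boundary, which is the property an audit of role assignments should confirm.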
func RoleOrgAdmin
RoleOrgAdmin returns a role with all actions allowed in a given organization scope.
func RoleOrgDenyAll

func RoleOrgMember
RoleOrgMember returns a role with default permissions in a given organization scope.
func RoleWorkspaceAgent
RoleWorkspaceAgent returns a role with permission to read a given workspace.
type UnauthorizedError
type UnauthorizedError struct {
// contains filtered or unexported fields
}
UnauthorizedError is the error type for authorization errors.

func ForbiddenWithInternal
func ForbiddenWithInternal(internal error, input map[string]interface{}, output rego.ResultSet) *UnauthorizedError
ForbiddenWithInternal creates a new error that returns a simple "forbidden" to the client while logging the more detailed message internally.

func (UnauthorizedError) Error
func (UnauthorizedError) Error() string
Error implements the error interface.
func (*UnauthorizedError) Input
func (e *UnauthorizedError) Input() map[string]interface{}
func (*UnauthorizedError) Internal
func (e *UnauthorizedError) Internal() error
Internal allows the internal error message to be logged.
func (*UnauthorizedError) Output
func (e *UnauthorizedError) Output() rego.ResultSet
Output contains the results of the Rego query for debugging.