Documentation
Overview
Package fgax includes client libraries to interact with OpenFGA authorization. Credit to https://github.com/canonical/ofga/blob/main/tuples.go
Index
- Constants
- Variables
- func Healthcheck(client Client) func(ctx context.Context) error
- func ListContains(entityType string, l []string, i string) bool
- type AccessCheck
- type Client
- func (c *Client) CheckAccess(ctx context.Context, ac AccessCheck) (bool, error)
- func (c *Client) CheckGroupAccess(ctx context.Context, userID, groupID, relation string) (bool, error)
- func (c *Client) CheckOrgAccess(ctx context.Context, userID, orgID, relation string) (bool, error)
- func (c *Client) CheckTuple(ctx context.Context, check ofgaclient.ClientCheckRequest) (bool, error)
- func (c *Client) CreateModel(ctx context.Context, fn string, forceCreate bool) (string, error)
- func (c *Client) CreateStore(ctx context.Context, storeName string) (string, error)
- func (c *Client) DeleteAllObjectRelations(ctx context.Context, object string) error
- func (c *Client) DeleteRelationshipTuple(ctx context.Context, tuples []openfga.TupleKeyWithoutCondition) (*ofgaclient.ClientWriteResponse, error)
- func (c *Client) GetModelID() string
- func (c *Client) ListObjectsRequest(ctx context.Context, userID, objectType, relation string) (*ofgaclient.ClientListObjectsResponse, error)
- func (c *Client) WriteTupleKeys(ctx context.Context, writes []TupleKey, deletes []TupleKey) (*ofgaclient.ClientWriteResponse, error)
- type Config
- type Entity
- type InvalidEntityError
- type Kind
- type Option
- type Relation
- type TupleKey
- type WritingTuplesError
Constants
```go
const (
	// setup relations for use in creating tuples
	MemberRelation = "member"
	AdminRelation  = "admin"
	OwnerRelation  = "owner"
	ParentRelation = "parent"
	CanView        = "can_view"
	CanEdit        = "can_edit"
	CanDelete      = "can_delete"
)
```
Variables
```go
var (
	// ErrFGAMissingHost is returned when a host is not provided
	ErrFGAMissingHost = errors.New("invalid OpenFGA config: missing host")
	// ErrMissingRelation is returned when a relation is empty in a tuple creation
	ErrMissingRelation = errors.New("unable to create tuple, missing relation")
	// ErrInvalidAccessCheck is returned when a field required to check a tuple is empty
	ErrInvalidAccessCheck = errors.New("unable to check tuple, missing required field")
	// ErrMissingObject is returned when an object is empty in a tuple creation
	ErrMissingObject = errors.New("unable to create tuple, missing object")
	// ErrMissingObjectOnDeletion is returned when an object is empty in a tuple deletion
	ErrMissingObjectOnDeletion = errors.New("unable to delete tuple, missing object")
	// ErrFailedToTransformModel is returned when the FGA model cannot be transformed to JSON
	ErrFailedToTransformModel = errors.New("failed to transform fga model")
)
```
Functions
func Healthcheck
func Healthcheck(client Client) func(ctx context.Context) error
Healthcheck reads the model to check if the connection is working
Types
type AccessCheck (added in v0.0.4)
```go
type AccessCheck struct {
	// ObjectType is the type of object being checked
	ObjectType Kind
	// ObjectID is the ID of the object being checked
	ObjectID string
	// Relation is the relationship being checked (e.g. "view", "edit", "delete")
	Relation string
	// UserID is the ID of the user making the request
	UserID string
}
```
AccessCheck is a struct to hold the information needed to check access
type Client
```go
type Client struct {
	// Ofga is the openFGA client
	Ofga ofgaclient.SdkClient
	// Config is the client configuration
	Config ofgaclient.ClientConfiguration
	// Logger is the provided Logger
	Logger *zap.SugaredLogger
}
```
Client is an event bus client with some configuration
func CreateFGAClientWithStore
CreateFGAClientWithStore returns a Client with a store and model configured
func NewClient
NewClient returns a wrapped OpenFGA API client that ensures all calls are made against the provided authorization model ID.
func NewMockFGAClient
func NewMockFGAClient(t *testing.T, c *mock_fga.MockSdkClient) *Client
NewMockFGAClient is a mock client based on the mockery testing framework
func (*Client) CheckAccess (added in v0.0.4)
func (c *Client) CheckAccess(ctx context.Context, ac AccessCheck) (bool, error)
CheckAccess checks if the user has access to the object type with the given relation
func (*Client) CheckGroupAccess
func (c *Client) CheckGroupAccess(ctx context.Context, userID, groupID, relation string) (bool, error)
CheckGroupAccess checks if the user has access to the group with the given relation
func (*Client) CheckOrgAccess
func (c *Client) CheckOrgAccess(ctx context.Context, userID, orgID, relation string) (bool, error)
CheckOrgAccess checks if the user has access to the organization with the given relation
func (*Client) CheckTuple
func (c *Client) CheckTuple(ctx context.Context, check ofgaclient.ClientCheckRequest) (bool, error)
CheckTuple checks the openFGA store for the provided relationship tuple
func (*Client) CreateModel
func (c *Client) CreateModel(ctx context.Context, fn string, forceCreate bool) (string, error)
CreateModel creates a new fine grained authorization model and returns the model ID
func (*Client) CreateStore
func (c *Client) CreateStore(ctx context.Context, storeName string) (string, error)
CreateStore creates a new fine grained authorization store and returns the store ID
func (*Client) DeleteAllObjectRelations
func (c *Client) DeleteAllObjectRelations(ctx context.Context, object string) error
func (*Client) DeleteRelationshipTuple
func (c *Client) DeleteRelationshipTuple(ctx context.Context, tuples []openfga.TupleKeyWithoutCondition) (*ofgaclient.ClientWriteResponse, error)
DeleteRelationshipTuple deletes a relationship tuple in the openFGA store
func (*Client) GetModelID
func (c *Client) GetModelID() string
func (*Client) ListObjectsRequest
func (c *Client) ListObjectsRequest(ctx context.Context, userID, objectType, relation string) (*ofgaclient.ClientListObjectsResponse, error)
ListObjectsRequest creates the ClientListObjectsRequest and queries the FGA store for all objects with the user+relation
func (*Client) WriteTupleKeys
func (c *Client) WriteTupleKeys(ctx context.Context, writes []TupleKey, deletes []TupleKey) (*ofgaclient.ClientWriteResponse, error)
WriteTupleKeys takes tuple keys, converts them to a client write request, which can contain up to 10 writes and deletes, and executes it in a single transaction
type Config
```go
type Config struct {
	// Enabled - checks this first before reading the config
	Enabled bool `json:"enabled" koanf:"enabled" jsonschema:"description=enables authorization checks with openFGA" default:"true"`
	// StoreName of the FGA Store
	StoreName string `json:"store_name" koanf:"store_name" jsonschema:"description=name of openFGA store" default:"datum"`
	// HostURL of the fga API, replaces Host and Scheme settings
	HostURL string `` /* 140-byte string literal not displayed */
	// StoreID of the authorization store in FGA
	StoreID string `json:"store_id" koanf:"store_id" jsonschema:"description=id of openFGA store"`
	// ModelID that already exists in authorization store to be used
	ModelID string `json:"model_id" koanf:"model_id" jsonschema:"description=id of openFGA model"`
	// CreateNewModel force creates a new model, even if one already exists
	CreateNewModel bool `` /* 142-byte string literal not displayed */
}
```
Config configures the openFGA setup
type Entity
Entity represents an entity/entity-set in OpenFGA. Example: `user:<user-id>`, `org:<org-id>#member`
func ParseEntity
ParseEntity will parse a string representation into an Entity. It expects to find entities of one of the forms:
- `<entityType>:<Identifier>`, e.g. `organization:datum`
- `<entityType>:<Identifier>#<relationship-set>`, e.g. `organization:datum#member`
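As an added illustration of the entity format described above (this is not the package's own ParseEntity), the following Go parser accepts both forms and rejects malformed strings, so that an empty or ambiguous component cannot silently resolve to a different object or relation than intended. The Entity struct, ErrInvalidEntity and ParseEntityExample are assumed names for this example only.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidEntity is returned for strings that are not of the form
// <entityType>:<Identifier> or <entityType>:<Identifier>#<relationship-set>.
var ErrInvalidEntity = errors.New("invalid openFGA entity representation")

// Entity is a local stand-in for the page's Entity type (an assumption, not fgax's own struct).
type Entity struct {
	Kind       string // entity type, e.g. "organization" or "user"
	Identifier string // entity id, e.g. "datum"
	Relation   string // optional relationship set after '#', e.g. "member"
}

// ParseEntityExample parses "<type>:<id>" or "<type>:<id>#<relation>" into an Entity.
// Empty components and stray ':' or '#' characters are rejected rather than guessed at.
func ParseEntityExample(s string) (Entity, error) {
	kind, rest, ok := strings.Cut(s, ":")
	if !ok || kind == "" || rest == "" {
		return Entity{}, fmt.Errorf("%w: %q", ErrInvalidEntity, s)
	}
	id, rel, hasRel := strings.Cut(rest, "#")
	if id == "" || (hasRel && rel == "") ||
		strings.ContainsAny(id, ":#") || strings.ContainsAny(rel, ":#") {
		return Entity{}, fmt.Errorf("%w: %q", ErrInvalidEntity, s)
	}
	return Entity{Kind: kind, Identifier: id, Relation: rel}, nil
}

// String renders the Entity back into OpenFGA's textual form, so
// ParseEntityExample(e.String()) round-trips to the same Entity.
func (e Entity) String() string {
	if e.Relation == "" {
		return e.Kind + ":" + e.Identifier
	}
	return e.Kind + ":" + e.Identifier + "#" + e.Relation
}

func main() {
	// Constructed sample inputs: two valid forms followed by two malformed ones.
	for _, in := range []string{"organization:datum#member", "user:alice", "organization:", "org:a#"} {
		e, err := ParseEntityExample(in)
		fmt.Printf("%-28q -> %+v err=%v\n", in, e, err)
	}
}
```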
type InvalidEntityError
type InvalidEntityError struct {
EntityRepresentation string
}
InvalidEntityError is returned when an invalid openFGA entity is configured
func (*InvalidEntityError) Error
func (e *InvalidEntityError) Error() string
Error returns the InvalidEntityError in string format
type Option
type Option func(c *Client)
Option is a functional configuration option for openFGA client
func WithAuthorizationModelID
WithAuthorizationModelID sets the authorization model ID
func WithStoreID
WithStoreID sets the store ID; it is not needed when calling `CreateStore` or `ListStores`
type Relation
type Relation string
Relation represents the type of relation between entities in OpenFGA.
type TupleKey
func GetTupleKey
GetTupleKey creates a Tuple key with the provided subject, object, and role
func NewTupleKey
func NewTupleKey() TupleKey
type WritingTuplesError
```go
type WritingTuplesError struct {
	User          string
	Relation      string
	Object        string
	Operation     string
	ErrorResponse error
}
```
WritingTuplesError is returned when an error is returned writing a relationship tuple
func (*WritingTuplesError) Error
func (e *WritingTuplesError) Error() string
Error returns the WritingTuplesError in string format
Source Files
Directories
Package | Synopsis
---|---
entfga | Package entfga is an ent extension that creates hooks for OpenFGA relationships
client | Package client includes the mock FGA client generated by testify mockery