README
¶
Ladon is the serpent dragon protecting your resources.
Ladon is a library written in Go for access control policies, similar to Role Based Access Control or Access Control Lists. In contrast to ACL and RBAC you get fine-grained access control with the ability to answer questions in complex environments such as multi-tenant or distributed applications and large organizations. Ladon is inspired by AWS IAM Policies.
Ladon ships with storage adapters for SQL (officially supported: MySQL, PostgreSQL), Redis and RethinkDB (community supported).
Hydra, an OAuth2 and OpenID Connect implementation uses Ladon for access control.
Table of Contents
Ladon utilizes ory-am/dockertest for tests. Please refer to ory-am/dockertest for more information of how to setup testing environment.
Installation
go get github.com/ory-am/ladon
We recommend to use Glide for dependency management. Ladon uses semantic
versioning and versions beginning with zero (0.1.2) might introduce backwards compatibility
breaks with each minor version.
Concepts
Ladon is an access control library that answers the question:
Who is able to do what on something given some context
- Who: An arbitrary unique subject name, for example "ken" or "printer-service.mydomain.com".
- Able: The effect which can be either "allow" or "deny".
- What: An arbitrary action name, for example "delete", "create" or "scoped:action:something".
- Something: An arbitrary unique resource name, for example "something", "resources.articles.1234" or some uniform resource name like "urn:isbn:3827370191".
- Context: The current context containing information about the environment such as the IP Address, request date, the resource owner name, the department ken is working in or any other information you want to pass along. (optional)
To decide what the answer is, Ladon uses policy documents which can be represented as JSON
{
"description": "One policy to rule them all.",
"subjects": ["users:<[peter|ken]>", "users:maria", "groups:admins"],
"actions" : ["delete", "<[create|update]>"],
"effect": "allow",
"resources": [
"resources:articles:<.*>",
"resources:printer"
],
"conditions": {
"remoteIP": {
"type": "CIDRCondition",
"options": {
"cidr": "192.168.0.1/16"
}
}
}
}
and can answer access requests that look like:
{
"subject": "users:peter",
"action" : "delete",
"resource": "resource:articles:ladon-introduction",
"context": {
"remoteIP": "192.168.0.5"
}
}
However, Ladon does not come with a HTTP or server implementation. It does not restrict JSON either. We believe that it is your job to decide if you want to use Protobuf, RESTful, HTTP, AMPQ, or some other protocol. It's up to you to write server!
The following example should give you an idea what a RESTful flow could look like. Initially we create a policy by POSTing it to an artificial HTTP endpoint:
> curl \
-X POST \
-H "Content-Type: application/json" \
-d@- \
"https://my-ladon-implementation.localhost/policies" <<EOF
{
"description": "One policy to rule them all.",
"subjects": ["users:<[peter|ken]>", "users:maria", "groups:admins"],
"actions" : ["delete", "<[create|update]>"],
"effect": "allow",
"resources": [
"resources:articles:<.*>",
"resources:printer"
],
"conditions": {
"remoteIP": {
"type": "CIDRCondition",
"options": {
"cidr": "192.168.0.1/16"
}
}
}
}
EOF
Then we test if "peter" (ip: "192.168.0.5") is allowed to "delete" the "ladon-introduction" article:
> curl \
-X POST \
-H "Content-Type: application/json" \
-d@- \
"https://my-ladon-implementation.localhost/warden" <<EOF
{
"subject": "users:peter",
"action" : "delete",
"resource": "resource:articles:ladon-introduction",
"context": {
"remoteIP": "192.168.0.5"
}
}
EOF
{
"allowed": true
}
Usage
We already discussed two essential parts of Ladon: policies and access control requests. Let's take a closer look at those two.
Policies
Policies are the basis for access control decisions. Think of them as a set of rules. In this library, policies
are abstracted as the ladon.Policy interface, and Ladon comes with a standard implementation of this interface
which is ladon.DefaultPolicy. Creating such a policy could look like:
import "github.com/ory-am/ladon"
var pol = &ladon.DefaultPolicy{
// A required unique identifier. Used primarily for database retrieval.
ID: "68819e5a-738b-41ec-b03c-b58a1b19d043",
// A optional human readable description.
Description: "something humanly readable",
// A subject can be an user or a service. It is the "who" in "who is allowed to do what on something".
// As you can see here, you can use regular expressions inside < >.
Subjects: []string{"max", "peter", "<zac|ken>"},
// Which resources this policy affects.
// Again, you can put regular expressions in inside < >.
Resources: []string{"myrn:some.domain.com:resource:123", "myrn:some.domain.com:resource:345", "myrn:something:foo:<.+>"},
// Which actions this policy affects. Supports RegExp
// Again, you can put regular expressions in inside < >.
Actions: []string{"<create|delete>", "get"},
// Should access be allowed or denied?
// Note: If multiple policies match an access request, ladon.DenyAccess will always override ladon.AllowAccess
// and thus deny access.
Effect: ladon.AllowAccess,
// Under which conditions this policy is "active".
Conditions: ladon.Conditions{
// In this example, the policy is only "active" when the requested subject is the owner of the resource as well.
"resourceOwner": &ladon.EqualsSubjectCondition{},
// Additionally, the policy will only match if the requests remote ip address matches address range 127.0.0.1/32
"remoteIPAddress": &ladon.CIDRCondition{
CIDR: "127.0.0.1/32",
},
},
}
Conditions
Conditions are functions returning true or false given a context. Because conditions implement logic, they must
be programmed. Adding conditions to a policy consist of two parts, a key name and an implementation of ladon.Condition:
// StringEqualCondition is an exemplary condition.
type StringEqualCondition struct {
Equals string `json:"equals"`
}
// Fulfills returns true if the given value is a string and is the
// same as in StringEqualCondition.Equals
func (c *StringEqualCondition) Fulfills(value interface{}, _ *ladon.Request) bool {
s, ok := value.(string)
return ok && s == c.Equals
}
// GetName returns the condition's name.
func (c *StringEqualCondition) GetName() string {
return "StringEqualCondition"
}
var pol = &ladon.DefaultPolicy{
// ...
Conditions: ladon.Conditions{
"some-arbitrary-key": &StringEqualCondition{
Equals: "the-value-should-be-this"
}
},
}
The default implementation of Policy supports JSON un-/marshalling. In JSON, this policy would look like:
{
"conditions": {
"some-arbitrary-key": {
"type": "StringEqualCondition",
"options": {
"equals": "the-value-should-be-this"
}
}
}
}
As you can see, type is the value that StringEqualCondition.GetName() is returning and options is used to
set the value of StringEqualCondition.Equals.
This condition is fulfilled by (we will cover the warden in the next section)
var err = warden.IsAllowed(&ladon.Request{
// ...
Context: &ladon.Context{
"some-arbitrary-key": "the-value-should-be-this",
},
}
but not by
var err = warden.IsAllowed(&ladon.Request{
// ...
Context: &ladon.Context{
"some-arbitrary-key": "some other value",
},
}
and neither by:
var err = warden.IsAllowed(&ladon.Request{
// ...
Context: &ladon.Context{
"same value but other key": "the-value-should-be-this",
},
}
Ladon ships with a couple of default conditions:
The CIDR condition matches CIDR IP Ranges. Using this condition would look like this in JSON:
{
"conditions": {
"remoteIP": {
"type": "CIDRCondition",
"options": {
"cidr": "192.168.0.1/16"
}
}
}
}
and in Go:
var pol = &ladon.DefaultPolicy{
Conditions: ladon.Conditions{
"remoteIPAddress": &ladon.CIDRCondition{
CIDR: "192.168.0.1/16",
},
},
}
In this case, we expect that the context of an access request contains a field "remoteIpAddress" matching
the CIDR "192.168.0.1/16", for example "192.168.0.5".
Checks if the value passed in the access request's context is identical with the string that was given initially
var pol = &ladon.DefaultPolicy{
Conditions: ladon.Conditions{
"some-arbitrary-key": &ladon.StringEqualCondition{
Equals: "the-value-should-be-this"
}
},
}
and would match in the following case:
var err = warden.IsAllowed(&ladon.Request{
// ...
Context: &ladon.Context{
"some-arbitrary-key": "the-value-should-be-this",
},
}
Checks if the access request's subject is identical with the string that was given initially
var pol = &ladon.DefaultPolicy{
Conditions: ladon.Conditions{
"some-arbitrary-key": &ladon.EqualsSubjectCondition{}
},
}
and would match
var err = warden.IsAllowed(&ladon.Request{
// ...
Subject: "peter",
Context: &ladon.Context{
"some-arbitrary-key": "peter",
},
}
but not:
var err = warden.IsAllowed(&ladon.Request{
// ...
Subject: "peter",
Context: &ladon.Context{
"some-arbitrary-key": "max",
},
}
Checks if the value passed in the access request's context contains two-element arrays and that both elements in each pair are equal.
var pol = &ladon.DefaultPolicy{
Conditions: ladon.Conditions{
"some-arbitrary-key": &ladon.StringPairsEqualCondition{}
},
}
and would match
var err = warden.IsAllowed(&ladon.Request{
// ...
Context: &ladon.Context{
"some-arbitrary-key": [
["some-arbitrary-pair-value", "some-arbitrary-pair-value"],
["some-other-arbitrary-pair-value", "some-other-arbitrary-pair-value"],
]
},
}
but not:
var err = warden.IsAllowed(&ladon.Request{
// ...
Context: &ladon.Context{
"some-arbitrary-key": [
["some-arbitrary-pair-value", "some-other-arbitrary-pair-value"],
]
},
}
You can add custom conditions by appending it to ladon.ConditionFactories:
import "github.com/ory-am/ladon"
func main() {
// ...
ladon.ConditionFactories[new(CustomCondition).GetName()] = func() Condition {
return new(CustomCondition)
}
// ...
}
Persistence
Obviously, creating such a policy is not enough. You want to persist it too. Ladon ships an interface ladon.Manager for
this purpose with default implementations for In-Memory, RethinkDB, SQL (PostgreSQL, MySQL) and Redis. Let's take a look how to
instantiate those.
In-Memory
import (
"github.com/ory-am/ladon"
)
func main() {
warden := &ladon.Ladon{
Manager: ladon.NewMemoryManager(),
}
err := warden.Manager.Create(pol)
// ...
}
SQL
import "github.com/ory-am/ladon"
import "database/sql"
import _ "github.com/go-sql-driver/mysql"
func main() {
db, err = sql.Open("mysql", "user:pass@tcp(127.0.0.1:3306)"")
// Or, if using postgres:
// import _ "github.com/lib/pq"
//
// db, err = sql.Open("postgres", "postgres://foo:bar@localhost/ladon")
if err != nil {
log.Fatalf("Could not connect to database: %s", err)
}
warden := ladon.Ladon{
Manager: ladon.NewSQLManager(db, nil),
}
// ...
}
Redis
import (
"github.com/ory-am/ladon"
"gopkg.in/redis.v5"
)
func main () {
db = redis.NewClient(&redis.Options{
Addr: "localhost:6379",
})
if err := db.Ping().Err(); err != nil {
log.Fatalf("Could not connect to database: %s". err)
}
warden := ladon.Ladon{
Manager: ladon.NewRedisManager(db, "redis_key_prefix:")
}
// ...
}
Access Control (Warden)
Now that we have defined our policies, we can use the warden to check if a request is valid.
ladon.Ladon, which is the default implementation for the ladon.Warden interface defines ladon.Ladon.IsAllowed() which
will return nil if the access request can be granted and an error otherwise.
import "github.com/ory-am/ladon"
func main() {
// ...
if err := warden.IsAllowed(&ladon.Request{
Subject: "peter",
Action: "delete",
Resource: "myrn:some.domain.com:resource:123",
Context: ladon.Context{
"ip": "127.0.0.1",
},
}); err != nil {
log.Fatal("Access denied")
}
// ...
}
Examples
Check out ladon_test.go which includes a couple of policies and tests cases. You can run the code with go test -run=TestLadon -v .
Good to know
- All checks are case sensitive because subject values could be case sensitive IDs.
- If
ladon.Ladonis not able to match a policy with the request, it will default to denying the request and return an error.
Ladon does not use reflection for matching conditions to their appropriate structs due to security considerations.
Useful commands
Create mocks
mockgen -package ladon_test -destination manager_mock_test.go github.com/ory-am/ladon Manager
Documentation
¶
Index ¶
- Constants
- Variables
- func Match(p Policy, haystack []string, needle string) (bool, error)
- type CIDRCondition
- type Condition
- type Conditions
- type Context
- type DefaultPolicy
- func (p *DefaultPolicy) AllowAccess() bool
- func (p *DefaultPolicy) GetActions() []string
- func (p *DefaultPolicy) GetConditions() Conditions
- func (p *DefaultPolicy) GetDescription() string
- func (p *DefaultPolicy) GetEffect() string
- func (p *DefaultPolicy) GetEndDelimiter() byte
- func (p *DefaultPolicy) GetID() string
- func (p *DefaultPolicy) GetResources() []string
- func (p *DefaultPolicy) GetStartDelimiter() byte
- func (p *DefaultPolicy) GetSubjects() []string
- func (p *DefaultPolicy) UnmarshalJSON(data []byte) error
- type EqualsSubjectCondition
- type Ladon
- type Manager
- type MemoryManager
- type Policies
- type Policy
- type RedisManager
- type Request
- type RethinkManager
- func (m *RethinkManager) ColdStart() error
- func (m *RethinkManager) Create(policy Policy) error
- func (m *RethinkManager) Delete(id string) error
- func (m *RethinkManager) FindPoliciesForSubject(subject string) (Policies, error)
- func (m *RethinkManager) Get(id string) (Policy, error)
- func (m *RethinkManager) Watch(ctx context.Context)
- type SQLManager
- type StringEqualCondition
- type StringPairsEqualCondition
- type Warden
Constants ¶
const AllowAccess = "allow"
AllowAccess should be used as effect for policies that allow access.
const DenyAccess = "deny"
DenyAccess should be used as effect for policies that deny access.
Variables ¶
var ( // ErrRequestDenied is returned when an access request can not be satisfied by any policy. ErrRequestDenied = errors.New("Request was denied by default") // ErrRequestForcefullyDenied is returned when an access request is explicitly denied by a policy. ErrRequestForcefullyDenied = errors.New("Request was forcefully denied") )
var ConditionFactories = map[string]func() Condition{ new(StringEqualCondition).GetName(): func() Condition { return new(StringEqualCondition) }, new(CIDRCondition).GetName(): func() Condition { return new(CIDRCondition) }, new(EqualsSubjectCondition).GetName(): func() Condition { return new(EqualsSubjectCondition) }, new(StringPairsEqualCondition).GetName(): func() Condition { return new(StringPairsEqualCondition) }, }
ConditionFactories is where you can add custom conditions
Functions ¶
Types ¶
type CIDRCondition ¶
type CIDRCondition struct {
CIDR string `json:"cidr"`
}
CIDRCondition makes sure that the warden requests' IP address is in the given CIDR.
func (*CIDRCondition) Fulfills ¶
func (c *CIDRCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the the request is fulfilled by the condition.
func (*CIDRCondition) GetName ¶
func (c *CIDRCondition) GetName() string
GetName returns the condition's name.
type Condition ¶
type Condition interface {
// GetName returns the condition's name.
GetName() string
// Fulfills returns true if the request is fulfilled by the condition.
Fulfills(interface{}, *Request) bool
}
Condition either do or do not fulfill an access request.
type Conditions ¶
Conditions is a collection of conditions.
func (Conditions) AddCondition ¶
func (cs Conditions) AddCondition(key string, c Condition)
AddCondition adds a condition to the collection.
func (Conditions) MarshalJSON ¶
func (cs Conditions) MarshalJSON() ([]byte, error)
MarshalJSON marshals a list of conditions to json.
func (Conditions) UnmarshalJSON ¶
func (cs Conditions) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals a list of conditions from json.
type DefaultPolicy ¶
type DefaultPolicy struct {
ID string `json:"id" gorethink:"id"`
Description string `json:"description" gorethink:"description"`
Subjects []string `json:"subjects" gorethink:"subjects"`
Effect string `json:"effect" gorethink:"effect"`
Resources []string `json:"resources" gorethink:"resources"`
Actions []string `json:"actions" gorethink:"actions"`
Conditions Conditions `json:"conditions" gorethink:"conditions"`
}
DefaultPolicy is the default implementation of the policy interface.
func (*DefaultPolicy) AllowAccess ¶
func (p *DefaultPolicy) AllowAccess() bool
AllowAccess returns true if the policy effect is allow, otherwise false.
func (*DefaultPolicy) GetActions ¶
func (p *DefaultPolicy) GetActions() []string
GetActions returns the policies actions.
func (*DefaultPolicy) GetConditions ¶
func (p *DefaultPolicy) GetConditions() Conditions
GetConditions returns the policies conditions.
func (*DefaultPolicy) GetDescription ¶
func (p *DefaultPolicy) GetDescription() string
GetDescription returns the policies description.
func (*DefaultPolicy) GetEffect ¶
func (p *DefaultPolicy) GetEffect() string
GetEffect returns the policies effect which might be 'allow' or 'deny'.
func (*DefaultPolicy) GetEndDelimiter ¶
func (p *DefaultPolicy) GetEndDelimiter() byte
GetEndDelimiter returns the delimiter which identifies the end of a regular expression.
func (*DefaultPolicy) GetResources ¶
func (p *DefaultPolicy) GetResources() []string
GetResources returns the policies resources.
func (*DefaultPolicy) GetStartDelimiter ¶
func (p *DefaultPolicy) GetStartDelimiter() byte
GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression.
func (*DefaultPolicy) GetSubjects ¶
func (p *DefaultPolicy) GetSubjects() []string
GetSubjects returns the policies subjects.
func (*DefaultPolicy) UnmarshalJSON ¶
func (p *DefaultPolicy) UnmarshalJSON(data []byte) error
UnmarshalJSON overwrite own policy with values of the given in policy in JSON format
type EqualsSubjectCondition ¶
type EqualsSubjectCondition struct{}
EqualsSubjectCondition is a condition which is fulfilled if the request's subject is equal to the given value string
func (*EqualsSubjectCondition) Fulfills ¶
func (c *EqualsSubjectCondition) Fulfills(value interface{}, r *Request) bool
Fulfills returns true if the request's subject is equal to the given value string
func (*EqualsSubjectCondition) GetName ¶
func (c *EqualsSubjectCondition) GetName() string
GetName returns the condition's name.
type Manager ¶
type Manager interface {
// Create persists the policy.
Create(policy Policy) error
// Get retrieves a policy.
Get(id string) (Policy, error)
// Delete removes a policy.
Delete(id string) error
// Finds all policies associated with the subject.
FindPoliciesForSubject(subject string) (Policies, error)
}
Manager is responsible for managing and persisting policies.
type MemoryManager ¶
MemoryManager is an in-memory (non-persistent) implementation of Manager.
func NewMemoryManager ¶
func NewMemoryManager() *MemoryManager
NewMemoryManager constructs and initalizes new MemoryManager with no policies
func (*MemoryManager) Create ¶
func (m *MemoryManager) Create(policy Policy) error
Create a new pollicy to MemoryManager
func (*MemoryManager) Delete ¶
func (m *MemoryManager) Delete(id string) error
Delete removes a policy.
func (*MemoryManager) FindPoliciesForSubject ¶
func (m *MemoryManager) FindPoliciesForSubject(subject string) (Policies, error)
FindPoliciesForSubject finds all policies associated with the subject.
type Policy ¶
type Policy interface {
// GetID returns the policies id.
GetID() string
// GetDescription returns the policies description.
GetDescription() string
// GetSubjects returns the policies subjects.
GetSubjects() []string
// AllowAccess returns true if the policy effect is allow, otherwise false.
AllowAccess() bool
// GetEffect returns the policies effect which might be 'allow' or 'deny'.
GetEffect() string
// GetResources returns the policies resources.
GetResources() []string
// GetActions returns the policies actions.
GetActions() []string
// GetConditions returns the policies conditions.
GetConditions() Conditions
// GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression.
GetStartDelimiter() byte
// GetEndDelimiter returns the delimiter which identifies the end of a regular expression.
GetEndDelimiter() byte
}
Policy represent a policy model.
type RedisManager ¶ added in v0.3.4
type RedisManager struct {
// contains filtered or unexported fields
}
RedisManager is a redis implementation of Manager to store policies persistently.
func NewRedisManager ¶ added in v0.3.4
func NewRedisManager(db *redis.Client, keyPrefix string) *RedisManager
NewRedisManager initializes a new RedisManager with no policies
func (*RedisManager) Create ¶ added in v0.3.4
func (m *RedisManager) Create(policy Policy) error
Create a new policy to RedisManager
func (*RedisManager) Delete ¶ added in v0.3.4
func (m *RedisManager) Delete(id string) error
Delete removes a policy.
func (*RedisManager) FindPoliciesForSubject ¶ added in v0.3.4
func (m *RedisManager) FindPoliciesForSubject(subject string) (Policies, error)
FindPoliciesForSubject finds all policies associated with the subject.
type Request ¶
type Request struct {
// Resource is the resource that access is requested to.
Resource string `json:"resource"`
// Action is the action that is requested on the resource.
Action string `json:"action"`
// Subejct is the subject that is requesting access.
Subject string `json:"subject"`
// Context is the request's environmental context.
Context Context `json:"context"`
}
Request is the warden's request object.
type RethinkManager ¶
type RethinkManager struct {
Session *r.Session
Table r.Term
sync.RWMutex
Policies map[string]Policy
}
RethinkManager is a rethinkdb implementation of Manager to store policies persistently.
func NewRethinkManager ¶ added in v0.4.3
func NewRethinkManager(session *r.Session, table string) *RethinkManager
NewRethinkManager initializes a new RethinkManager for given session, table name defaults to "policies".
func (*RethinkManager) ColdStart ¶
func (m *RethinkManager) ColdStart() error
ColdStart loads all policies from rethinkdb into memory.
func (*RethinkManager) Create ¶
func (m *RethinkManager) Create(policy Policy) error
Create inserts a new policy.
func (*RethinkManager) Delete ¶
func (m *RethinkManager) Delete(id string) error
Delete removes a policy.
func (*RethinkManager) FindPoliciesForSubject ¶
func (m *RethinkManager) FindPoliciesForSubject(subject string) (Policies, error)
FindPoliciesForSubject returns Policies (an array of policy) for a given subject.
func (*RethinkManager) Get ¶
func (m *RethinkManager) Get(id string) (Policy, error)
Get retrieves a policy.
func (*RethinkManager) Watch ¶
func (m *RethinkManager) Watch(ctx context.Context)
Watch is used to watch for changes on rethinkdb (which happens asynchronous) and updates manager's policy accordingly.
type SQLManager ¶ added in v0.3.0
type SQLManager struct {
// contains filtered or unexported fields
}
SQLManager is a postgres implementation for Manager to store policies persistently.
func NewSQLManager ¶ added in v0.3.0
func NewSQLManager(db *sqlx.DB, schema []string) *SQLManager
NewSQLManager initializes a new SQLManager for given db instance.
func (*SQLManager) Create ¶ added in v0.3.0
func (s *SQLManager) Create(policy Policy) (err error)
Create inserts a new policy
func (*SQLManager) CreateSchemas ¶ added in v0.3.0
func (s *SQLManager) CreateSchemas() error
CreateSchemas creates ladon_policy tables
func (*SQLManager) Delete ¶ added in v0.3.0
func (s *SQLManager) Delete(id string) error
Delete removes a policy.
func (*SQLManager) FindPoliciesForSubject ¶ added in v0.3.0
func (s *SQLManager) FindPoliciesForSubject(subject string) (policies Policies, err error)
FindPoliciesForSubject returns Policies (an array of policy) for a given subject
type StringEqualCondition ¶
type StringEqualCondition struct {
Equals string `json:"equals"`
}
StringEqualCondition is a condition which is fulfilled if the given string value is the same as specified in StringEqualCondition
func (*StringEqualCondition) Fulfills ¶
func (c *StringEqualCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the given value is a string and is the same as in StringEqualCondition.Equals
func (*StringEqualCondition) GetName ¶
func (c *StringEqualCondition) GetName() string
GetName returns the condition's name.
type StringPairsEqualCondition ¶ added in v0.4.3
type StringPairsEqualCondition struct{}
StringPairsEqualCondition is a condition which is fulfilled if the given array of pairs contains two-element string arrays where both elements in the string array are equal
func (*StringPairsEqualCondition) Fulfills ¶ added in v0.4.3
func (c *StringPairsEqualCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the given value is an array of string arrays and each string array has exactly two values which are equal
func (*StringPairsEqualCondition) GetName ¶ added in v0.4.3
func (c *StringPairsEqualCondition) GetName() string
GetName returns the condition's name.
type Warden ¶
type Warden interface {
// IsAllowed returns nil if subject s can perform action a on resource r with context c or an error otherwise.
// if err := guard.IsAllowed(&Request{Resource: "article/1234", Action: "update", Subject: "peter"}); err != nil {
// return errors.New("Not allowed")
// }
IsAllowed(r *Request) error
}
Warden is responsible for deciding if subject s can perform action a on resource r with context c.
Source Files