Documentation ¶
Constants ¶
const (
	// DomainPathSeparator divides the sections of resource paths and masks.
	// The value is used for parsing and printing their plain string representations.
	DomainPathSeparator = "/"
	// DomainPathWildCardSegment matches any single value of a resource path.
	// The segment must be present to match; it never stands in for a missing
	// segment and never extends beyond the one segment it occupies.
	DomainPathWildCardSegment = "*"
	// DomainPathWildCardTail matches any resource path ending segments, present or not.
	// Any mask segment after DomainPathWildCardTail is ignored, so a mask that ends in
	// this value covers the whole subtree below it — keep such masks as narrow as the
	// policy actually needs.
	// NOTE(review): the original comment said values after DomainPathWildCardSegment
	// are ignored, which contradicts its single-segment definition above; confirm
	// against DomainPath.Match.
	DomainPathWildCardTail = ">"
)
Variables ¶
var ( //revive:disable:error-naming
	// Allow is a sentinel error that explicitly indicates that a [Policy] matched [Intention] and grants access.
	// Only this exact sentinel is a grant; any other outcome (Deny, nil, or another error) must be treated as a refusal.
	Allow = errors.New("authorization granted")
	// Deny is a sentinel error that explicitly indicates that a [Policy] matched [Intention] and denies access.
	Deny = &denyError{}
	// ErrNilPolicy reports a <nil> entry inside a policy list (see EachOf and FirstOf).
	ErrNilPolicy = errors.New("a policy set contains an uninitialized <nil> Policy")
	// ErrEmptyPolicyList reports a policy list with no entries to evaluate.
	ErrEmptyPolicyList = errors.New("cannot iterate over an empty policy list")
	// ErrInvalidContext indicates that a context does not include a role that can be retrieved using the package
	// context key. If you see this error, you probably forgot to inject the role using [ContextWithRole] early
	// in the execution path. This is typically done using a middleware function like [rbac.ContextMiddleWare].
	ErrInvalidContext = errors.New("access control absent in context chain")
	// ErrRoleNotFound is wrapped in an AuthorizationError on purpose: its Error method returns only the
	// generic Deny message, so a caller cannot tell a missing role apart from an ordinary denial. The real
	// cause is available for logging only.
	ErrRoleNotFound = &AuthorizationError{
		cause: errors.New("desired role not found"),
	}
)
Types ¶
type Action ¶
// An Action is the verb of a [Policy], such as ActionCreate. Custom actions are
// declared as constants of this type.
type Action string
An Action specifies the verb of a Policy. The package comes with a set of the most frequently occurring actions. Declare custom actions as constants of type Action.
// Actions shipped with the package. ActionAny ("*") presumably stands for any
// action — its value mirrors DomainPathWildCardSegment — but confirm that against
// the policy matcher before relying on it, and keep any policy that grants it
// tightly scoped by resource path.
const (
	ActionCreate    Action = "create"
	ActionRetrieve  Action = "retrieve"
	ActionUpdate    Action = "update"
	ActionDelete    Action = "delete"
	ActionQuery     Action = "query"
	ActionAny       Action = "*"
	ActionAssign    Action = "assign"
	ActionUnassign  Action = "unassign"
	ActionBlock     Action = "block"
	ActionUnblock   Action = "unblock"
	ActionReset     Action = "reset"
	ActionRecover   Action = "recover"
	ActionPromote   Action = "promote"
	ActionDemote    Action = "demote"
	ActionUpgrade   Action = "upgrade"
	ActionDowngrade Action = "downgrade"
	ActionCommit    Action = "commit"
	ActionClear     Action = "clear"
	ActionInstall   Action = "install"
)
type AuthorizationError ¶
// AuthorizationError keeps the real cause of a denial for logs (LogValue, Policy)
// while its Error method exposes only the generic Deny message to callers.
type AuthorizationError struct {
	// contains filtered or unexported fields
}
AuthorizationError expresses the output of a [Role] as an opaque Deny error, so that attackers cannot learn the internals of the access control system by analyzing its error messages. Use [AuthorizationError.Message] for logging and debugging to discover the conditions of the authorization failure; never include that message in a response sent back to the caller.
func (*AuthorizationError) Error ¶
func (e *AuthorizationError) Error() string
Error always returns the message of the Deny sentinel, whatever the underlying cause, so that attackers cannot learn the internals of the access control system by analyzing its error messages. The cause is only available through the logging accessors.
func (*AuthorizationError) HTTPStatusCode ¶
func (e *AuthorizationError) HTTPStatusCode() int
HTTPStatusCode returns an HTTP status code so that the type satisfies the oakhttp.HTTPError interface.
func (*AuthorizationError) LogValue ¶
func (e *AuthorizationError) LogValue() slog.Value
func (*AuthorizationError) Policy ¶
func (e *AuthorizationError) Policy() Policy
type DomainPath ¶
// DomainPath is a resource path split into its segments (see DomainPathSeparator).
// Policies compare it with masks through Match.
type DomainPath []string
func NewDomainPath ¶
func NewDomainPath(p ...string) DomainPath
func (DomainPath) Match ¶
func (d DomainPath) Match(mask ...string) bool
Match returns true if the resource path matches the mask segments. A DomainPathWildCardSegment in the mask matches any single present segment of the path; a missing segment does not satisfy it. A DomainPathWildCardTail matches all remaining segments, including none, so anything after it in the mask is irrelevant. Other mask segments appear to be compared with the corresponding path segment as-is; do not rely on prefix or glob matching inside a segment unless the implementation documents it.
func (DomainPath) String ¶
func (d DomainPath) String() string
type Policy ¶
A Policy returns the Allow sentinel error if the session is permitted to act on the resource in the given context. It returns the Deny sentinel error to interrupt the matching loop and refuse access. It returns `nil` if it did not match, in which case another policy might still match. Callers should treat any outcome other than Allow as a refusal (fail closed).
To check a predicate assertion inside the policy, run an anonymous interface type check on the Resource:
predicated, ok := r.(interface{ IsOwnedBySession(ctx context.Context) (bool, error) })
func EachOf ¶
EachOf composes a Policy list into one that succeeds only if every included Policy returns Allow. It panics on an empty list or on a <nil> Policy inside the list.
func FirstOf ¶
FirstOf composes a Policy list into one that returns as soon as a Policy yields a non-nil result, whether Allow, Deny, or another error; policies that return nil are skipped. It panics on an empty list or on a <nil> Policy inside the list.
func (Policy) File ¶
File returns the path of the file containing the Policy function definition, found by reflection. It is useful for logging and debugging output and should not be exposed to callers.
func (Policy) Line ¶
Line returns the line number of the Policy function in its file, found by reflection. It is useful for logging and debugging output and should not be exposed to callers.
type Resource ¶
// Resource is anything a [Policy] can be evaluated against: it only has to report
// its DomainPath, which policies compare with masks through DomainPath.Match.
// Optional predicates (see the Policy documentation) are discovered by type assertion.
type Resource interface {
	DomainPath() DomainPath
}