oakpolicy

v0.0.1
Published: May 1, 2023 License: MIT Imports: 8 Imported by: 1

Documentation

Constants

const (
	// DomainPathSeparator divides the sections of resource paths and masks. The value is used for parsing and printing their plain string representations.
	DomainPathSeparator = "/"

	// DomainPathWildCardSegment matches any single value of a resource path. The segment must be present to match.
	DomainPathWildCardSegment = "*"

	// DomainPathWildCardTail matches any resource path ending segments, present or not. Any resource path mask value after DomainPathWildCardTail is ignored.
	DomainPathWildCardTail = ">"
)

Variables

var (
	//revive:disable:error-naming
	// Allow is a sentinel error that explicitly indicates that a [Policy] matched [Intention] and grants access.
	Allow = errors.New("authorization granted")
	// Deny is a sentinel error that explicitly indicates that a [Policy] matched [Intention] and denies access.
	Deny = &denyError{}

	ErrNilPolicy       = errors.New("a policy set contains an uninitialized <nil> Policy")
	ErrEmptyPolicyList = errors.New("cannot iterate over an empty policy list")
	// ErrInvalidContext indicates that a context does not include a role that can be retrieved using the package context key. If you see this error, you probably forgot to inject the role using [ContextWithRole] early in the execution path. This is typically done using a middleware function like [rbac.ContextMiddleWare].
	ErrInvalidContext = errors.New("access control absent in context chain")
	ErrRoleNotFound   = &AuthorizationError{
		cause: errors.New("desired role not found"),
	}
)

Functions

func AllowAll

func AllowAll(_ context.Context, _ Action, _ Resource) error

AllowAll authorizes any action on any resource. Use cautiously: because it always returns Allow, any Policy listed after it in a FirstOf composition is never consulted.

func DenyAll

func DenyAll(_ context.Context, _ Action, _ Resource) error

DenyAll denies authorization for any action on any resource. Placed last in a FirstOf list, it turns every request that no earlier Policy matched into an explicit Deny.

Types

type Action

type Action string

An Action specifies the verb of a Policy. The package comes with a set of the most frequently occurring actions. Specify custom actions as constants.

const (
	ActionCreate   Action = "create"
	ActionRetrieve Action = "retrieve"
	ActionUpdate   Action = "update"
	ActionDelete   Action = "delete"
	ActionQuery    Action = "query"

	ActionAny       Action = "*"
	ActionAssign    Action = "assign"
	ActionUnassign  Action = "unassign"
	ActionBlock     Action = "block"
	ActionUnblock   Action = "unblock"
	ActionReset     Action = "reset"
	ActionRecover   Action = "recover"
	ActionPromote   Action = "promote"
	ActionDemote    Action = "demote"
	ActionUpgrade   Action = "upgrade"
	ActionDowngrade Action = "downgrade"
	ActionCommit    Action = "commit"
	ActionClear     Action = "clear"
	ActionInstall   Action = "install"
)

func (Action) In

func (a Action) In(set ...Action) bool

In returns true if the Action is in a given set.

func (Action) Matches

func (a Action) Matches(match Action) bool

Matches returns true if this Action equals match or is the wildcard ActionAny.

type AuthorizationError

type AuthorizationError struct {
	// contains filtered or unexported fields
}

AuthorizationError expresses the output of a [Role] as an opaque Deny error to prevent attackers from discovering the internals of the access control system by analyzing its error messages. Use [AuthorizationError.Message] for logging and debugging to discover the conditions for authorization failure.

func (*AuthorizationError) Error

func (e *AuthorizationError) Error() string

Error always returns the value of Deny error regardless of the state to prevent attackers from discovering the internals of the access control system by analyzing its error messages.

func (*AuthorizationError) HTTPStatusCode

func (e *AuthorizationError) HTTPStatusCode() int

HTTPStatusCode returns an HTTP status code to satisfy oakhttp.HTTPError interface.

func (*AuthorizationError) LogValue

func (e *AuthorizationError) LogValue() slog.Value

func (*AuthorizationError) Policy

func (e *AuthorizationError) Policy() Policy

func (*AuthorizationError) Unwrap

func (e *AuthorizationError) Unwrap() error

Unwrap satisfies errors.Is and errors.As interface requirements.

type DomainPath

type DomainPath []string

func NewDomainPath

func NewDomainPath(p ...string) DomainPath

func (DomainPath) Match

func (d DomainPath) Match(mask ...string) bool

Match returns true if the resource path matches mask segments. The DomainPathWildCardSegment matches any present value. The DomainPathWildCardTail matches any values to the end of the path.

func (DomainPath) String

func (d DomainPath) String() string
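The mask rules described for Match above, worked through as an added stand-alone example. This is my own re-implementation of the documented rules for illustration, not the package's DomainPath.Match (whose real signature is Match(mask ...string)); the names matchMask, parsePath and MatchString are this example's own. It exercises the edge cases a practitioner should verify: ">" matching zero trailing segments, "*" refusing a missing segment, and mask segments after ">" being ignored. One point the page does not state explicitly is assumed here: a path with more segments than a mask that has no tail wildcard does not match, since otherwise a mask written for "users" would also cover "users/42".

```go
package main

import (
	"fmt"
	"strings"
)

// Separator and wildcard values as documented for oakpolicy.
const (
	sep      = "/"
	wildSeg  = "*" // matches exactly one segment, which must be present
	wildTail = ">" // matches any remaining segments, present or not
)

// matchMask walks the mask segment by segment against the resource path.
// Illustrative re-implementation of the documented rules, not the package's
// DomainPath.Match.
func matchMask(path, mask []string) bool {
	for i, m := range mask {
		if m == wildTail {
			// Tail wildcard: whatever remains of the path matches, even
			// nothing, and any mask segments after ">" are ignored.
			return true
		}
		if i >= len(path) {
			// The mask wants a segment (a literal or "*") that the path lacks.
			return false
		}
		if m != wildSeg && m != path[i] {
			return false
		}
	}
	// Every mask segment matched. Assumption: without a tail wildcard the
	// path must not carry extra segments, or "users/42" would satisfy "users".
	return len(path) == len(mask)
}

// parsePath splits the plain string form on the documented separator.
// An empty string is the empty path (no segments).
func parsePath(s string) []string {
	if s == "" {
		return nil
	}
	return strings.Split(s, sep)
}

// MatchString is the string-level entry point used by the checks below.
func MatchString(path, mask string) bool {
	return matchMask(parsePath(path), parsePath(mask))
}

func main() {
	// Constructed sample paths and masks.
	for _, c := range []struct{ path, mask string }{
		{"users/42/keys", "users/*/keys"},    // true
		{"users", "users/*"},                 // false: "*" needs a present segment
		{"users", "users/>"},                 // true: ">" also matches nothing
		{"users/42/keys/1", "users/>"},       // true
		{"users/42", "users"},                // false: extra segment, no tail wildcard
		{"users/42/keys", "users/>/ignored"}, // true: mask after ">" is ignored
	} {
		fmt.Printf("%-18s %-18s %v\n", c.path, c.mask, MatchString(c.path, c.mask))
	}
}
```

Because "*" insists on a present segment while ">" does not, a mask such as "users/*" grants nothing on the bare "users" collection, whereas "users/>" covers the collection and everything under it; choose between them deliberately when a policy is meant to cover only children.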

type Policy

type Policy func(context.Context, Action, Resource) error

Policy returns the Allow sentinel error if the session is permitted to perform the action on the resource. Policy returns the Deny sentinel error to interrupt the matching loop. Policy returns nil if it did not match, so another policy in the list may still match.

In order to check a predicate assertion inside the policy, run an anonymous interface type assertion on the Resource:

	predicated, ok := r.(interface {
		IsOwnedBySession(ctx context.Context) (bool, error)
	})
	if !ok {
		return nil // the resource cannot answer the predicate: no match, let another policy decide
	}

func EachOf

func EachOf(ps ...Policy) Policy

EachOf composes a Policy list into one that succeeds only if each included Policy returns Allow. Panics on an empty list or a <nil> Policy inside the list.

func FirstOf

func FirstOf(ps ...Policy) Policy

FirstOf composes a Policy list into one that returns the result of the first Policy that returns an error, whether Allow, Deny, or any other error; policies that return nil are skipped. Panics on an empty list or a <nil> Policy inside the list.
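The Policy contract above (Allow, Deny, or nil for "no match") together with FirstOf's short-circuit, shown end to end as an added example. The names mirror the page (Allow, Deny, Action, Resource, Policy, FirstOf, DenyAll), but the bodies are this example's own self-contained sketch so it runs without the module; they are not the package's code, and a real project imports oakpolicy instead. Assumptions beyond the page: the session's account is carried in the context under a private key (the page only says roles are injected by middleware), the sketch's FirstOf returns nil when every policy abstains (the real one's behaviour in that case is not documented, which is exactly why DenyAll is appended as the terminal policy), and the Document type with its IsOwnedBySession predicate is constructed sample data.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Names mirror the page (Allow/Deny, Action, Resource, Policy, FirstOf,
// DenyAll); bodies are this example's sketch, not the package's code.
var (
	Allow = errors.New("authorization granted")
	Deny  = errors.New("access denied")
)

type (
	Action   string
	Resource interface{ DomainPath() []string }
	// Allow: matched and granted. Deny: matched and refused. nil: no match,
	// keep evaluating. Any other error also stops evaluation.
	Policy func(context.Context, Action, Resource) error
)

// FirstOf returns the first non-nil result (the real one also panics on an
// empty list or a <nil> entry). Assumed here: if every policy abstains the
// composite returns nil, hence the terminal DenyAll below.
func FirstOf(ps ...Policy) Policy {
	return func(ctx context.Context, a Action, r Resource) error {
		for _, p := range ps {
			if err := p(ctx, a, r); err != nil {
				return err
			}
		}
		return nil
	}
}

func DenyAll(context.Context, Action, Resource) error { return Deny }

// Constructed sample data. The session's account travels in the context
// under a private key (assumed; the page injects roles via middleware).
type (
	ctxKey   struct{}
	Document struct{ ID, Owner string }
)

func (d Document) DomainPath() []string { return []string{"documents", d.ID} }

// IsOwnedBySession is the predicate the page's type assertion looks for.
func (d Document) IsOwnedBySession(ctx context.Context) (bool, error) {
	account, ok := ctx.Value(ctxKey{}).(string)
	if !ok {
		return false, errors.New("no account in context")
	}
	return account == d.Owner, nil
}

// ownerPolicy grants access when the resource says the session owns it and
// abstains (nil) when the resource cannot answer, so later policies decide.
func ownerPolicy(ctx context.Context, _ Action, r Resource) error {
	predicated, ok := r.(interface{ IsOwnedBySession(context.Context) (bool, error) })
	if !ok {
		return nil
	}
	owned, err := predicated.IsOwnedBySession(ctx)
	if err != nil {
		return err // propagated: FirstOf stops on any error
	}
	if owned {
		return Allow
	}
	return nil
}

// blockDelete is an explicit Deny for a destructive action, listed first
// so that no later Allow (including the owner's) can override it.
func blockDelete(_ context.Context, a Action, r Resource) error {
	if p := r.DomainPath(); a == "delete" && len(p) > 0 && p[0] == "documents" {
		return Deny
	}
	return nil
}

var docPolicy = FirstOf(blockDelete, ownerPolicy, DenyAll)

// Authorized is the one check callers branch on: only the Allow sentinel
// grants access; Deny, an abstaining chain and unexpected errors fail closed.
func Authorized(ctx context.Context, a Action, r Resource) bool {
	return errors.Is(docPolicy(ctx, a, r), Allow)
}

func main() {
	doc := Document{ID: "42", Owner: "alice"}
	alice := context.WithValue(context.Background(), ctxKey{}, "alice")
	bob := context.WithValue(context.Background(), ctxKey{}, "bob")
	fmt.Println(Authorized(alice, "retrieve", doc))                // true
	fmt.Println(Authorized(bob, "retrieve", doc))                  // false
	fmt.Println(Authorized(alice, "delete", doc))                  // false: Deny listed first wins
	fmt.Println(Authorized(context.Background(), "retrieve", doc)) // false: error fails closed
}
```

Two ordering points matter here. Deny rules go before Allow rules, because FirstOf stops at the first non-nil result and an earlier Allow would make a later Deny unreachable. And callers test errors.Is(err, Allow) rather than err == nil or "not Deny": a policy that propagates an unexpected error (the missing account above) must be treated as a denial, not as a grant.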

func Log

func Log(l *slog.Logger, p Policy) Policy

func LogAllowedActions

func LogAllowedActions(l *slog.Logger, level slog.Level, p Policy) Policy

func LogDeniedActions

func LogDeniedActions(l *slog.Logger, level slog.Level, p Policy) Policy

func (Policy) File

func (p Policy) File() string

File returns the path to the file containing Policy function definition by using reflection.

func (Policy) Line

func (p Policy) Line() int

Line returns the line number of the Policy function in its file by using reflection.

func (Policy) LogValue

func (p Policy) LogValue() slog.Value

func (Policy) Logger

func (p Policy) Logger(l *slog.Logger) *slog.Logger

func (Policy) Name

func (p Policy) Name() string

Name returns the name of the Policy function by using reflection.

func (Policy) String

func (p Policy) String() string

type Resource

type Resource interface {
	DomainPath() DomainPath
}

Directories

Path Synopsis
examples