Documentation ¶
Overview ¶
Package restrict provides an authorization library, with a hybrid of RBAC and ABAC models.
Index ¶
- Constants
- Variables
- func RegisterConditionFactory(name string, factory ConditionFactory) error
- func UseResource(name string) *baseResource
- func UseSubject(role string) *baseSubject
- type AccessDeniedError
- type AccessManager
- type AccessRequest
- type Condition
- type ConditionFactory
- type ConditionFactoryAlreadyExistsError
- type ConditionFactoryNotFoundError
- type ConditionFatoriesMap
- type ConditionNotSatisfiedError
- type Conditions
- type Context
- type EmptyCondition
- type EqualCondition
- type GrantsMap
- type NotEmptyCondition
- type NotEqualCondition
- type Permission
- type PermissionNotGrantedError
- type PermissionPresetAlreadyExistsError
- type PermissionPresetNotFoundError
- type PermissionPresets
- type Permissions
- type PolicyDefinition
- type PolicyManager
- func (pm *PolicyManager) AddPermission(roleID, resourceID string, permission *Permission) error
- func (pm *PolicyManager) AddPermissionPreset(name string, preset *Permission) error
- func (pm *PolicyManager) AddRole(role *Role) error
- func (pm *PolicyManager) DeletePermission(roleID, resourceID, action string) error
- func (pm *PolicyManager) DeletePermissionPreset(name string) error
- func (pm *PolicyManager) DeleteRole(roleID string) error
- func (pm *PolicyManager) DisableAutoUpdate()
- func (pm *PolicyManager) EnableAutoUpdate()
- func (pm *PolicyManager) GetPolicy() *PolicyDefinition
- func (pm *PolicyManager) GetRole(roleID string) (*Role, error)
- func (pm *PolicyManager) LoadPolicy() error
- func (pm *PolicyManager) SavePolicy() error
- func (pm *PolicyManager) UpdatePermissionPreset(name string, preset *Permission) error
- func (pm *PolicyManager) UpdateRole(role *Role) error
- func (pm *PolicyManager) UpsertPermissionPreset(name string, preset *Permission) error
- func (pm *PolicyManager) UpsertRole(role *Role) error
- type PolicyProvider
- type RequestMalformedError
- type Resource
- type Role
- type RoleAlreadyExistsError
- type RoleInheritanceCycleError
- type RoleNotFoundError
- type Roles
- type StorageAdapter
- type Subject
- type ValueDescriptor
- type ValueDescriptorMalformedError
- type ValueSource
Constants ¶
const (
	// EmptyConditionType - EmptyCondition's type identifier, as written in a
	// serialized PolicyDefinition and used as the ConditionFactories key.
	EmptyConditionType = "EMPTY"
	// NotEmptyConditionType - NotEmptyCondition's type identifier.
	NotEmptyConditionType = "NOT_EMPTY"
)
const (
	// EqualConditionType - EqualCondition's type identifier, as written in a
	// serialized PolicyDefinition and used as the ConditionFactories key.
	EqualConditionType = "EQUAL"
	// NotEqualConditionType - NotEqualCondition's type identifier.
	NotEqualConditionType = "NOT_EQUAL"
)
Variables ¶
// ConditionFactories - stores a map of functions responsible for creating new
// Conditions, based on their names. The built-in entries below cover the four
// condition types shipped with the package; RegisterConditionFactory adds
// further entries under new names.
// NOTE(review): nothing on this page shows this package-level map guarded by a
// lock, so custom factories should be registered before the policy is loaded
// or used concurrently — confirm against RegisterConditionFactory.
var ConditionFactories = ConditionFatoriesMap{
	EqualConditionType:    func() Condition { return new(EqualCondition) },
	NotEqualConditionType: func() Condition { return new(NotEqualCondition) },
	EmptyConditionType:    func() Condition { return new(EmptyCondition) },
	NotEmptyConditionType: func() Condition { return new(NotEmptyCondition) },
}
ConditionFactories - stores a map of functions responsible for creating new Conditions, based on their names.
Functions ¶
func RegisterConditionFactory ¶
func RegisterConditionFactory(name string, factory ConditionFactory) error
RegisterConditionFactory - adds a new ConditionFactory under given name. If given name is already taken, an error is returned.
func UseResource ¶
func UseResource(name string) *baseResource
UseResource - returns baseResource instance.
func UseSubject ¶
func UseSubject(role string) *baseSubject
UseSubject - returns baseSubject instance.
Types ¶
type AccessDeniedError ¶
type AccessDeniedError struct {
// contains filtered or unexported fields
}
AccessDeniedError - returned when an AccessRequest could not be satisfied due to insufficient privileges.
func (*AccessDeniedError) Error ¶
func (e *AccessDeniedError) Error() string
Error - error interface implementation.
func (*AccessDeniedError) FailedCondition ¶
func (e *AccessDeniedError) FailedCondition() Condition
FailedCondition - helper function for retrieving underlying failed Condition.
func (*AccessDeniedError) FailedRequest ¶
func (e *AccessDeniedError) FailedRequest() *AccessRequest
FailedRequest - returns an AccessRequest for which access has been denied.
func (*AccessDeniedError) Reason ¶
func (e *AccessDeniedError) Reason() error
Reason - returns underlying reason (an error) for denying the access.
type AccessManager ¶
type AccessManager struct {
// contains filtered or unexported fields
}
AccessManager - an entity responsible for checking the authorization. It uses underlying PolicyProvider to test an AccessRequest against currently used PolicyDefinition.
func NewAccessManager ¶
func NewAccessManager(policyManager PolicyProvider) *AccessManager
NewAccessManager - returns new AccessManager instance.
func (*AccessManager) Authorize ¶
func (am *AccessManager) Authorize(request *AccessRequest) error
Authorize - checks if given AccessRequest can be satisfied given currently loaded policy. Returns an error if access is not granted or any other problem occurred, nil otherwise.
type AccessRequest ¶
// AccessRequest - describes a Subject's intention to perform some Actions
// against given Resource. It is the unit of work passed to
// AccessManager.Authorize and carried by the error types that report a denial.
type AccessRequest struct {
	// Subject - subject (typically a user) that wants to perform given Actions.
	// Needs to implement Subject interface.
	Subject Subject
	// Resource - resource that given Subject wants to interact with.
	// Needs to implement Resource interface.
	Resource Resource
	// Actions - list of operations Subject wants to perform on given Resource.
	Actions []string
	// Context - map of any additional values needed while checking the access.
	Context Context
	// SkipConditions - allows to skip Conditions while checking the access.
	// Skipping them means the attribute checks the policy author attached to a
	// Permission are not applied to this request, so the flag should be set
	// only by trusted code paths and never derived from caller-supplied input.
	SkipConditions bool
}
AccessRequest - describes a Subject's intention to perform some Actions against given Resource.
type Condition ¶
// Condition - additional requirement that needs to be satisfied to grant
// given permission. Implementations are created by the ConditionFactory
// registered under their Type() name.
type Condition interface {
	// Type - returns Condition's type (the ConditionFactories key).
	Type() string
	// Check - returns nil if Condition is satisfied by given AccessRequest,
	// and a non-nil error otherwise.
	Check(request *AccessRequest) error
}
Condition - additional requirement that needs to be satisfied to grant given permission.
type ConditionFactory ¶
// ConditionFactory - factory function returning a fresh Condition instance.
type ConditionFactory func() Condition
ConditionFactory - factory function for Condition.
type ConditionFactoryAlreadyExistsError ¶
type ConditionFactoryAlreadyExistsError struct {
// contains filtered or unexported fields
}
ConditionFactoryAlreadyExistsError - returned when a ConditionFactory is being added under a name that is already set in the ConditionFactories map.
func (*ConditionFactoryAlreadyExistsError) Error ¶
func (e *ConditionFactoryAlreadyExistsError) Error() string
Error - error interface implementation.
type ConditionFactoryNotFoundError ¶
type ConditionFactoryNotFoundError struct {
// contains filtered or unexported fields
}
ConditionFactoryNotFoundError - returned when a ConditionFactory is not found while unmarshaling a Permission.
func (*ConditionFactoryNotFoundError) Error ¶
func (e *ConditionFactoryNotFoundError) Error() string
Error - error interface implementation.
type ConditionFatoriesMap ¶
// ConditionFatoriesMap - map of Condition factories keyed by Condition type name.
type ConditionFatoriesMap = map[string]ConditionFactory
ConditionFatoriesMap - map of Condition factories.
type ConditionNotSatisfiedError ¶
type ConditionNotSatisfiedError struct {
// contains filtered or unexported fields
}
ConditionNotSatisfiedError - returned when the given Condition was not satisfied due to insufficient privileges for the given AccessRequest.
func NewConditionNotSatisfiedError ¶
func NewConditionNotSatisfiedError(condition Condition, request *AccessRequest, reason error) *ConditionNotSatisfiedError
NewConditionNotSatisfiedError - returns new ConditionNotSatisfiedError instance.
func (*ConditionNotSatisfiedError) Error ¶
func (e *ConditionNotSatisfiedError) Error() string
Error - error interface implementation.
func (*ConditionNotSatisfiedError) FailedCondition ¶
func (e *ConditionNotSatisfiedError) FailedCondition() Condition
FailedCondition - returns failed Condition.
func (*ConditionNotSatisfiedError) FailedRequest ¶
func (e *ConditionNotSatisfiedError) FailedRequest() *AccessRequest
FailedRequest - returns failed AccessRequest.
func (*ConditionNotSatisfiedError) Reason ¶
func (e *ConditionNotSatisfiedError) Reason() error
Reason - returns underlying reason (an error) of failing Condition.
type Conditions ¶
// Conditions - slice type of Condition values, with custom JSON/YAML
// (un)marshaling that resolves each element through ConditionFactories.
type Conditions []Condition
Conditions - slice type of Condition values.
func (Conditions) MarshalJSON ¶
func (cs Conditions) MarshalJSON() ([]byte, error)
MarshalJSON - marshals a map of Conditions to JSON data.
func (Conditions) MarshalYAML ¶
func (cs Conditions) MarshalYAML() (interface{}, error)
MarshalYAML - marshals a map of Conditions to YAML data.
func (*Conditions) UnmarshalJSON ¶
func (cs *Conditions) UnmarshalJSON(jsonData []byte) error
UnmarshalJSON - unmarshals a JSON-coded map of Conditions.
func (*Conditions) UnmarshalYAML ¶
func (cs *Conditions) UnmarshalYAML(value *yaml.Node) error
UnmarshalYAML - unmarshals a YAML-coded map of Conditions.
type EmptyCondition ¶
// EmptyCondition - Condition for testing whether given value is empty.
type EmptyCondition baseEmptyCondition
EmptyCondition - Condition for testing whether given value is empty.
func (*EmptyCondition) Check ¶
func (c *EmptyCondition) Check(request *AccessRequest) error
Check - returns nil if the value is empty (zero-like), a non-nil error otherwise.
func (*EmptyCondition) Type ¶
func (c *EmptyCondition) Type() string
Type - returns Condition's type.
type EqualCondition ¶
// EqualCondition - checks whether given value (Left) is equal to some other value (Right).
type EqualCondition baseEqualCondition
EqualCondition - checks whether given value (Left) is equal to some other value (Right).
func (*EqualCondition) Check ¶
func (c *EqualCondition) Check(request *AccessRequest) error
Check - returns nil if the values are equal, a non-nil error otherwise.
func (*EqualCondition) Type ¶
func (c *EqualCondition) Type() string
Type - returns Condition's type.
type GrantsMap ¶
// GrantsMap - map type of Permission slices keyed by string.
type GrantsMap map[string]Permissions
GrantsMap - map type of Permission slices.
type NotEmptyCondition ¶
// NotEmptyCondition - Condition for testing whether given value is not empty.
type NotEmptyCondition baseEmptyCondition
func (*NotEmptyCondition) Check ¶
func (c *NotEmptyCondition) Check(request *AccessRequest) error
Check - returns nil if the value is not empty (non zero-like), a non-nil error otherwise.
func (*NotEmptyCondition) Type ¶
func (c *NotEmptyCondition) Type() string
Type - returns Condition's type.
type NotEqualCondition ¶
// NotEqualCondition - checks whether given value (Left) is not equal to some other value (Right).
type NotEqualCondition baseEqualCondition
NotEqualCondition - checks whether given value (Left) is not equal to some other value (Right).
func (*NotEqualCondition) Check ¶
func (c *NotEqualCondition) Check(request *AccessRequest) error
Check - returns nil if the values are not equal, a non-nil error otherwise.
func (*NotEqualCondition) Type ¶
func (c *NotEqualCondition) Type() string
Type - returns Condition's type.
type Permission ¶
// Permission - describes an Action that can be performed in regards to some
// Resource, with specified Conditions.
type Permission struct {
	// Action that will be allowed to perform if the Permission is granted, and Conditions
	// are satisfied.
	Action string `json:"action,omitempty" yaml:"action,omitempty"`
	// Conditions that need to be satisfied in order to allow the subject perform given Action.
	// They are evaluated by AccessManager unless AccessRequest.SkipConditions is set.
	Conditions Conditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
	// Preset allows to extend Permission defined in PolicyDefinition. It names an
	// entry of PolicyDefinition.PermissionPresets; presets are applied when the
	// policy is loaded, and an unknown name yields PermissionPresetNotFoundError.
	Preset string `json:"preset,omitempty" yaml:"preset,omitempty"`
}
Permission - describes an Action that can be performed in regards to some Resource, with specified Conditions.
type PermissionNotGrantedError ¶
type PermissionNotGrantedError struct {
// contains filtered or unexported fields
}
PermissionNotGrantedError - returned when no Permission grant for the action was found for the given Resource.
func (*PermissionNotGrantedError) Error ¶
func (e *PermissionNotGrantedError) Error() string
Error - error interface implementation.
type PermissionPresetAlreadyExistsError ¶
type PermissionPresetAlreadyExistsError struct {
// contains filtered or unexported fields
}
PermissionPresetAlreadyExistsError - returned when a new Permission preset is being added with a name (key) that already exists.
func (*PermissionPresetAlreadyExistsError) Error ¶
func (e *PermissionPresetAlreadyExistsError) Error() string
type PermissionPresetNotFoundError ¶
type PermissionPresetNotFoundError struct {
// contains filtered or unexported fields
}
PermissionPresetNotFoundError - returned when a Permission specifies a preset which is not defined in PermissionPresets on PolicyDefinition.
func (*PermissionPresetNotFoundError) Error ¶
func (e *PermissionPresetNotFoundError) Error() string
Error - error interface implementation.
type PermissionPresets ¶
// PermissionPresets - a map of reusable Permissions keyed by preset name;
// a Permission references a preset through its Preset field.
type PermissionPresets map[string]*Permission
PermissionPresets - a map of reusable Permissions. Map key serves as a preset's name, that can be later referenced by Permission. Presets are applied when policy is loaded.
type Permissions ¶
// Permissions - slice type of Permission pointers.
type Permissions []*Permission
Permissions - slice type of Permission pointers.
type PolicyDefinition ¶
// PolicyDefinition - describes a model of Roles and Permissions that are
// defined for the domain. It is the value loaded and saved by a StorageAdapter.
type PolicyDefinition struct {
	// PermissionPresets - a map of Permission presets, optional in the serialized form.
	PermissionPresets PermissionPresets `json:"permissionPresets,omitempty" yaml:"permissionPresets,omitempty"`
	// Roles - collection of Roles used in the domain.
	Roles Roles `json:"roles" yaml:"roles"`
}
PolicyDefinition - describes a model of Roles and Permissions that are defined for the domain.
type PolicyManager ¶
// PolicyManager - an entity responsible for managing PolicyDefinition. It uses
// passed StorageAdapter for policy persistence.
type PolicyManager struct {
	// PolicyManager should be thread-safe for writing operations, therefore it uses RWMutex.
	// Because the mutex is embedded, Lock/Unlock/RLock/RUnlock are part of
	// PolicyManager's exported method set; callers should normally go through the
	// Add*/Update*/Delete* methods rather than locking it directly.
	sync.RWMutex
	// contains filtered or unexported fields
}
PolicyManager - an entity responsible for managing PolicyDefinition. It uses passed StorageAdapter for policy persistence.
func NewPolicyManager ¶
func NewPolicyManager(adapter StorageAdapter, autoUpdate bool) (*PolicyManager, error)
NewPolicyManager - returns new PolicyManager instance and loads PolicyDefinition using passed StorageAdapter.
func (*PolicyManager) AddPermission ¶
func (pm *PolicyManager) AddPermission(roleID, resourceID string, permission *Permission) error
AddPermission - adds a new Permission for the Role and Resource with passed ids. Saves with StorageAdapter if autoUpdate is set to true.
func (*PolicyManager) AddPermissionPreset ¶
func (pm *PolicyManager) AddPermissionPreset(name string, preset *Permission) error
AddPermissionPreset - adds new Permission preset to PolicyDefinition. Saves with StorageAdapter if autoUpdate is set to true.
func (*PolicyManager) AddRole ¶
func (pm *PolicyManager) AddRole(role *Role) error
AddRole - adds a new role to the policy. Saves with StorageAdapter if autoUpdate is set to true.
func (*PolicyManager) DeletePermission ¶
func (pm *PolicyManager) DeletePermission(roleID, resourceID, action string) error
DeletePermission - removes the Permission with the given action for the Role and Resource with the passed IDs. Please note that deleting a Permission for a given action revokes ALL of the Permissions that share this action. Saves with StorageAdapter if autoUpdate is set to true.
func (*PolicyManager) DeletePermissionPreset ¶
func (pm *PolicyManager) DeletePermissionPreset(name string) error
DeletePermissionPreset - removes Permission preset with given name. Saves with StorageAdapter if autoUpdate is set to true.
func (*PolicyManager) DeleteRole ¶
func (pm *PolicyManager) DeleteRole(roleID string) error
DeleteRole - removes a Role with given ID. Saves with StorageAdapter if autoUpdate is set to true.
func (*PolicyManager) DisableAutoUpdate ¶
func (pm *PolicyManager) DisableAutoUpdate()
DisableAutoUpdate - disables automatic update.
func (*PolicyManager) EnableAutoUpdate ¶
func (pm *PolicyManager) EnableAutoUpdate()
EnableAutoUpdate - enables automatic update.
func (*PolicyManager) GetPolicy ¶
func (pm *PolicyManager) GetPolicy() *PolicyDefinition
GetPolicy - returns currently loaded PolicyDefinition.
func (*PolicyManager) GetRole ¶
func (pm *PolicyManager) GetRole(roleID string) (*Role, error)
GetRole - returns a Role with given ID from currently loaded PolicyDefinition.
func (*PolicyManager) LoadPolicy ¶
func (pm *PolicyManager) LoadPolicy() error
LoadPolicy - proxy method for loading the policy via the StorageAdapter set when creating the PolicyManager instance. Calling this method replaces the currently loaded policy.
func (*PolicyManager) SavePolicy ¶
func (pm *PolicyManager) SavePolicy() error
SavePolicy - proxy method for saving the policy via StorageAdapter set when creating PolicyManager instance.
func (*PolicyManager) UpdatePermissionPreset ¶
func (pm *PolicyManager) UpdatePermissionPreset(name string, preset *Permission) error
UpdatePermissionPreset - updates a Permission preset in PolicyDefinition. Saves with StorageAdapter if autoUpdate is set to true.
func (*PolicyManager) UpdateRole ¶
func (pm *PolicyManager) UpdateRole(role *Role) error
UpdateRole - updates existing Role in currently loaded policy. Saves with StorageAdapter if autoUpdate is set to true.
func (*PolicyManager) UpsertPermissionPreset ¶
func (pm *PolicyManager) UpsertPermissionPreset(name string, preset *Permission) error
UpsertPermissionPreset - updates Permission preset if exists, adds a new otherwise. Saves with StorageAdapter if autoUpdate is set to true.
func (*PolicyManager) UpsertRole ¶
func (pm *PolicyManager) UpsertRole(role *Role) error
UpsertRole - updates a Role if exists, adds new Role otherwise. Saves with StorageAdapter if autoUpdate is set to true.
type PolicyProvider ¶
PolicyProvider - interface for an entity that provides Role configuration for AccessManager.
type RequestMalformedError ¶
type RequestMalformedError struct {
// contains filtered or unexported fields
}
RequestMalformedError - returned when an AccessRequest is not correct or does not contain all necessary information.
func (*RequestMalformedError) Error ¶
func (e *RequestMalformedError) Error() string
Error - error interface implementation.
func (*RequestMalformedError) FailedRequest ¶
func (e *RequestMalformedError) FailedRequest() *AccessRequest
FailedRequest - returns an AccessRequest for which access has been denied.
func (*RequestMalformedError) Reason ¶
func (e *RequestMalformedError) Reason() error
Reason - returns underlying reason (an error) of malformed Request.
type Resource ¶
// Resource - interface that needs to be implemented by any entity which acts
// as a resource in the system.
type Resource interface {
	// GetResourceName - returns a Resource's name. Should be the same as the one
	// used in PolicyDefinition.
	GetResourceName() string
}
Resource - interface that needs to be implemented by any entity which acts as a resource in the system.
type Role ¶
// Role - describes privileges of a Role's members.
type Role struct {
	// ID - unique identifier of the Role. It is excluded from the serialized form;
	// presumably it is populated from the Roles map key — confirm against Roles.UnmarshalJSON.
	ID string `json:"-" yaml:"-"`
	// Description - optional description for a Role.
	Description string `json:"description,omitempty" yaml:"description,omitempty"`
	// Grants - contains sets of Permissions assigned to Resources.
	Grants GrantsMap `json:"grants" yaml:"grants"`
	// Parents - other Roles that given Role inherits from. If a Permission is granted
	// for a parent, it is also granted for a child. Circular inheritance is reported
	// as RoleInheritanceCycleError.
	Parents []string `json:"parents,omitempty" yaml:"parents,omitempty"`
}
Role - describes privileges of a Role's members.
type RoleAlreadyExistsError ¶
type RoleAlreadyExistsError struct {
// contains filtered or unexported fields
}
RoleAlreadyExistsError - returned when a new Role is being added with an ID that already exists in the PolicyDefinition.
func (*RoleAlreadyExistsError) Error ¶
func (e *RoleAlreadyExistsError) Error() string
Error - error interface implementation.
type RoleInheritanceCycleError ¶
type RoleInheritanceCycleError struct {
// contains filtered or unexported fields
}
RoleInheritanceCycleError - returned when circular Role inheritance is detected.
func (*RoleInheritanceCycleError) Error ¶
func (e *RoleInheritanceCycleError) Error() string
Error - error interface implementation.
type RoleNotFoundError ¶
type RoleNotFoundError struct {
// contains filtered or unexported fields
}
RoleNotFoundError - returned when an operation is called for a Role that does not exist.
func (*RoleNotFoundError) Error ¶
func (e *RoleNotFoundError) Error() string
Error - error interface implementation.
type Roles ¶
Roles - map type of Roles.
func (*Roles) UnmarshalJSON ¶
UnmarshalJSON - unmarshals a JSON-coded map of Roles.
func (*Roles) UnmarshalYAML ¶
UnmarshalYAML - unmarshals a YAML-coded map of Roles.
type StorageAdapter ¶
// StorageAdapter - interface for an entity that will provide persistence logic
// for PolicyDefinition. PolicyManager calls it on LoadPolicy/SavePolicy and,
// when autoUpdate is enabled, after each mutating operation.
type StorageAdapter interface {
	// LoadPolicy - loads and returns PolicyDefinition from underlying
	// storage provider.
	LoadPolicy() (*PolicyDefinition, error)
	// SavePolicy - saves PolicyDefinition in underlying storage provider.
	SavePolicy(policy *PolicyDefinition) error
}
StorageAdapter - interface for an entity that will provide persistence logic for PolicyDefinition.
type Subject ¶
// Subject - interface that has to be implemented by any entity whose
// authorization needs to be checked.
type Subject interface {
	// GetRole - returns a Subject's role; a single role ID that is looked up in
	// the loaded PolicyDefinition.
	GetRole() string
}
Subject - interface that has to be implemented by any entity whose authorization needs to be checked.
type ValueDescriptor ¶
// ValueDescriptor - describes a value that will be tested in its parent
// Condition; GetValue resolves it against an AccessRequest.
type ValueDescriptor struct {
	// Source - source of the value, one of the predefined enum type (ValueSource).
	Source ValueSource `json:"source,omitempty" yaml:"source,omitempty"`
	// Field - field on the given ValueSource that should hold the value.
	Field string `json:"field,omitempty" yaml:"field,omitempty"`
	// Value - explicit value taken when using ValueSource.Explicit as value source.
	Value interface{} `json:"value,omitempty" yaml:"value,omitempty"`
}
ValueDescriptor - describes a value that will be tested in its parent Condition.
func (*ValueDescriptor) GetValue ¶
func (vd *ValueDescriptor) GetValue(request *AccessRequest) (interface{}, error)
GetValue - returns real value represented by given ValueDescriptor.
type ValueDescriptorMalformedError ¶
type ValueDescriptorMalformedError struct {
// contains filtered or unexported fields
}
ValueDescriptorMalformedError - returned when a malformed ValueDescriptor is being resolved.
func (*ValueDescriptorMalformedError) Error ¶
func (e *ValueDescriptorMalformedError) Error() string
Error - error interface implementation.
func (*ValueDescriptorMalformedError) FailedDescriptor ¶
func (e *ValueDescriptorMalformedError) FailedDescriptor() *ValueDescriptor
FailedDescriptor - returns failed ValueDescriptor.
func (*ValueDescriptorMalformedError) Reason ¶
func (e *ValueDescriptorMalformedError) Reason() error
Reason - returns underlying reason (an error) of malformed ValueDescriptor.
type ValueSource ¶
// ValueSource - enum type for source of value for given ValueDescriptor;
// serialized to and from its name as a string.
type ValueSource int
ValueSource - enum type for source of value for given ValueDescriptor.
const (
	// SubjectField - value that comes from Subject's field.
	// NOTE(review): the rendered declaration shows no initializer on this first
	// constant; the source presumably uses iota — confirm.
	SubjectField ValueSource
	// ResourceField - value that comes from Resource's field.
	ResourceField
	// ContextField - value that comes from Context's field.
	ContextField
	// Explicit - value set explicitly in PolicyDefinition.
	Explicit
)
func (ValueSource) MarshalJSON ¶
func (vs ValueSource) MarshalJSON() ([]byte, error)
MarshalJSON - marshals a ValueSource enum into its name as string.
func (ValueSource) MarshalYAML ¶
func (vs ValueSource) MarshalYAML() (interface{}, error)
MarshalYAML - marshals a ValueSource enum into its name as string.
func (*ValueSource) UnmarshalJSON ¶
func (vs *ValueSource) UnmarshalJSON(jsonData []byte) error
UnmarshalJSON - unmarshals a string into ValueSource.
func (*ValueSource) UnmarshalYAML ¶
func (vs *ValueSource) UnmarshalYAML(value *yaml.Node) error
UnmarshalYAML - unmarshals a string into ValueSource.