Documentation ¶
Index ¶
- Constants
- Variables
- func EnsureForbidden(ctx context.Context, mgr PermissionManagementService, ...) error
- func EnsureGrant(ctx context.Context, mgr PermissionManagementService, ...) error
- func FromAlwaysAuthorizationContext(ctx context.Context) (allow bool, ok bool)
- func LoadFromConf(groupConf *PermissionConf)
- func LoadFromYaml(data []byte)
- func NewAlwaysAuthorizationContext(ctx context.Context, allow bool) context.Context
- func NormalizeTenantId(ctx context.Context, tenantId string) string
- func WalkGroups(isHost bool, publicOnly bool, f func(group *PermissionDefGroup))
- type Action
- type ActionStr
- type ClientSubject
- type DefaultAuthorizationService
- func (a *DefaultAuthorizationService) BatchCheck(ctx context.Context, requirement RequirementList) (ResultList, error)
- func (a *DefaultAuthorizationService) BatchCheckForSubjects(ctx context.Context, requirement RequirementList, subjects ...Subject) (ResultList, error)
- func (a *DefaultAuthorizationService) Check(ctx context.Context, resource Resource, action Action) (*Result, error)
- func (a *DefaultAuthorizationService) CheckForSubjects(ctx context.Context, resource Resource, action Action, subjects ...Subject) (*Result, error)
- func (a *DefaultAuthorizationService) FormatError(ctx context.Context, result *Result, subjects ...Subject) (err error)
- type Effect
- type EntityResource
- type Filter
- type FilterFunc
- type HasIdentity
- type Option
- type PermissionAllowSide
- func (PermissionAllowSide) Descriptor() protoreflect.EnumDescriptor
- func (x PermissionAllowSide) Enum() *PermissionAllowSide
- func (PermissionAllowSide) EnumDescriptor() ([]byte, []int)deprecated
- func (x PermissionAllowSide) Number() protoreflect.EnumNumber
- func (x PermissionAllowSide) String() string
- func (PermissionAllowSide) Type() protoreflect.EnumType
- type PermissionBean
- type PermissionChecker
- type PermissionConf
- type PermissionDef
- func (*PermissionDef) Descriptor() ([]byte, []int)deprecated
- func (x *PermissionDef) GetAction() string
- func (x *PermissionDef) GetExtra() *structpb.Struct
- func (x *PermissionDef) GetInternal() bool
- func (x *PermissionDef) GetName() string
- func (x *PermissionDef) GetNamespace() string
- func (x *PermissionDef) GetPriority() int32
- func (x *PermissionDef) GetSide() PermissionAllowSide
- func (*PermissionDef) ProtoMessage()
- func (x *PermissionDef) ProtoReflect() protoreflect.Message
- func (x *PermissionDef) Reset()
- func (x *PermissionDef) String() string
- type PermissionDefGroup
- func (x *PermissionDefGroup) AddDef(def *PermissionDef)
- func (*PermissionDefGroup) Descriptor() ([]byte, []int)deprecated
- func (x *PermissionDefGroup) GetDef() []*PermissionDef
- func (x *PermissionDefGroup) GetExtra() *structpb.Struct
- func (x *PermissionDefGroup) GetInternal() bool
- func (x *PermissionDefGroup) GetName() string
- func (x *PermissionDefGroup) GetPriority() int32
- func (x *PermissionDefGroup) GetSide() PermissionAllowSide
- func (x *PermissionDefGroup) NormalizeAndValidate() error
- func (*PermissionDefGroup) ProtoMessage()
- func (x *PermissionDefGroup) ProtoReflect() protoreflect.Message
- func (x *PermissionDefGroup) Reset()
- func (x *PermissionDefGroup) String() string
- func (x *PermissionDefGroup) Walk(isHost bool, publicOnly bool, f func(def *PermissionDef))
- type PermissionManagementService
- type PermissionRequirement
- type Requirement
- type RequirementList
- type Resource
- type Result
- type ResultList
- type RoleSubject
- type Service
- type Subject
- type SubjectContrib
- type SubjectList
- type SubjectResolver
- type SubjectResolverImpl
- type SubjectStr
- type TenantSubject
- type TokenSubject
- type UpdateSubjectPermission
- type UserSubject
Constants ¶
const ( AnyNamespace = "*" AnyResource = "*" AnyTenant = "*" )
Variables ¶
var ( PermissionAllowSide_name = map[int32]string{ 0: "BOTH", 1: "HOST_ONLY", 2: "TENANT_ONLY", } PermissionAllowSide_value = map[string]int32{ "BOTH": 0, "HOST_ONLY": 1, "TENANT_ONLY": 2, } )
Enum value maps for PermissionAllowSide.
var (
DefNotFoundReason = "PERMISSION_DEF_NOT_FOUND"
)
var File_authz_authz_def_proto protoreflect.FileDescriptor
var ProviderSet = wire.NewSet(NewDefaultAuthorizationService, wire.Bind(new(Service), new(*DefaultAuthorizationService)), NewSubjectResolver, wire.Bind(new(SubjectResolver), new(*SubjectResolverImpl)))
Functions ¶
func EnsureForbidden ¶
func EnsureForbidden(ctx context.Context, mgr PermissionManagementService, checker PermissionChecker, resource Resource, action Action, subject Subject, tenantID string) error
func EnsureGrant ¶
func EnsureGrant(ctx context.Context, mgr PermissionManagementService, checker PermissionChecker, resource Resource, action Action, subject Subject, tenantID string) error
func LoadFromConf ¶
func LoadFromConf(groupConf *PermissionConf)
func LoadFromYaml ¶
func LoadFromYaml(data []byte)
func NewAlwaysAuthorizationContext ¶
NewAlwaysAuthorizationContext creates a context in which authorization checks always pass or are always forbidden. Useful for testing.
func WalkGroups ¶
func WalkGroups(isHost bool, publicOnly bool, f func(group *PermissionDefGroup))
Types ¶
type Action ¶
type Action interface { HasIdentity }
type ClientSubject ¶
type ClientSubject struct {
// contains filtered or unexported fields
}
func NewClientSubject ¶
func NewClientSubject(clientId string) *ClientSubject
func ParseClientSubject ¶
func ParseClientSubject(subject Subject) (*ClientSubject, bool)
func (*ClientSubject) GetClientId ¶
func (c *ClientSubject) GetClientId() string
func (*ClientSubject) GetIdentity ¶
func (c *ClientSubject) GetIdentity() string
type DefaultAuthorizationService ¶
type DefaultAuthorizationService struct {
// contains filtered or unexported fields
}
func NewDefaultAuthorizationService ¶
func NewDefaultAuthorizationService(checker PermissionChecker, sr SubjectResolver, logger log.Logger) *DefaultAuthorizationService
func (*DefaultAuthorizationService) BatchCheck ¶
func (a *DefaultAuthorizationService) BatchCheck(ctx context.Context, requirement RequirementList) (ResultList, error)
func (*DefaultAuthorizationService) BatchCheckForSubjects ¶
func (a *DefaultAuthorizationService) BatchCheckForSubjects(ctx context.Context, requirement RequirementList, subjects ...Subject) (ResultList, error)
func (*DefaultAuthorizationService) CheckForSubjects ¶
func (*DefaultAuthorizationService) FormatError ¶
type EntityResource ¶
func NewEntityResource ¶
func NewEntityResource(namespace string, id string) *EntityResource
func (*EntityResource) GetIdentity ¶
func (r *EntityResource) GetIdentity() string
func (*EntityResource) GetNamespace ¶
func (r *EntityResource) GetNamespace() string
func (*EntityResource) String ¶
func (r *EntityResource) String() string
type FilterFunc ¶
type FilterFunc func(*Filter)
func WithActionFilter ¶
func WithActionFilter(action Action) FilterFunc
func WithEffectsFilter ¶
func WithEffectsFilter(eff ...Effect) FilterFunc
func WithResourceFilter ¶
func WithResourceFilter(resource Resource) FilterFunc
func WithTenantFilter ¶
func WithTenantFilter(tenant string) FilterFunc
type HasIdentity ¶
type HasIdentity interface {
GetIdentity() string
}
type Option ¶
type Option struct {
SubjectContribList []SubjectContrib
}
func NewAuthorizationOption ¶
func NewAuthorizationOption(subjectContribList ...SubjectContrib) *Option
type PermissionAllowSide ¶
type PermissionAllowSide int32
const ( PermissionAllowSide_BOTH PermissionAllowSide = 0 PermissionAllowSide_HOST_ONLY PermissionAllowSide = 1 PermissionAllowSide_TENANT_ONLY PermissionAllowSide = 2 )
func (PermissionAllowSide) Descriptor ¶
func (PermissionAllowSide) Descriptor() protoreflect.EnumDescriptor
func (PermissionAllowSide) Enum ¶
func (x PermissionAllowSide) Enum() *PermissionAllowSide
func (PermissionAllowSide) EnumDescriptor
deprecated
func (PermissionAllowSide) EnumDescriptor() ([]byte, []int)
Deprecated: Use PermissionAllowSide.Descriptor instead.
func (PermissionAllowSide) Number ¶
func (x PermissionAllowSide) Number() protoreflect.EnumNumber
func (PermissionAllowSide) String ¶
func (x PermissionAllowSide) String() string
func (PermissionAllowSide) Type ¶
func (PermissionAllowSide) Type() protoreflect.EnumType
type PermissionBean ¶
type PermissionBean struct { Namespace string Resource string Action string Subject string TenantID string Effect Effect }
func NewPermissionBean ¶
type PermissionChecker ¶
type PermissionConf ¶
type PermissionConf struct { Groups []*PermissionDefGroup `protobuf:"bytes,1,rep,name=groups,proto3" json:"groups,omitempty"` // contains filtered or unexported fields }
func (*PermissionConf) Descriptor
deprecated
func (*PermissionConf) Descriptor() ([]byte, []int)
Deprecated: Use PermissionConf.ProtoReflect.Descriptor instead.
func (*PermissionConf) GetGroups ¶
func (x *PermissionConf) GetGroups() []*PermissionDefGroup
func (*PermissionConf) ProtoMessage ¶
func (*PermissionConf) ProtoMessage()
func (*PermissionConf) ProtoReflect ¶
func (x *PermissionConf) ProtoReflect() protoreflect.Message
func (*PermissionConf) Reset ¶
func (x *PermissionConf) Reset()
func (*PermissionConf) String ¶
func (x *PermissionConf) String() string
type PermissionDef ¶
type PermissionDef struct { // name user friendly name Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` Side PermissionAllowSide `protobuf:"varint,2,opt,name=side,proto3,enum=authz.PermissionAllowSide" json:"side,omitempty"` Namespace string `protobuf:"bytes,3,opt,name=namespace,proto3" json:"namespace,omitempty"` Action string `protobuf:"bytes,4,opt,name=action,proto3" json:"action,omitempty"` Extra *structpb.Struct `protobuf:"bytes,5,opt,name=extra,proto3" json:"extra,omitempty"` // internal will not be displayed by ui Internal bool `protobuf:"varint,6,opt,name=internal,proto3" json:"internal,omitempty"` Priority int32 `protobuf:"varint,7,opt,name=priority,proto3" json:"priority,omitempty"` // contains filtered or unexported fields }
func FindDef ¶
func FindDef(namespace string, action Action, publicOnly bool) (*PermissionDef, error)
func MustFindDef ¶
func MustFindDef(namespace string, action Action) *PermissionDef
func (*PermissionDef) Descriptor
deprecated
func (*PermissionDef) Descriptor() ([]byte, []int)
Deprecated: Use PermissionDef.ProtoReflect.Descriptor instead.
func (*PermissionDef) GetAction ¶
func (x *PermissionDef) GetAction() string
func (*PermissionDef) GetExtra ¶
func (x *PermissionDef) GetExtra() *structpb.Struct
func (*PermissionDef) GetInternal ¶
func (x *PermissionDef) GetInternal() bool
func (*PermissionDef) GetName ¶
func (x *PermissionDef) GetName() string
func (*PermissionDef) GetNamespace ¶
func (x *PermissionDef) GetNamespace() string
func (*PermissionDef) GetPriority ¶
func (x *PermissionDef) GetPriority() int32
func (*PermissionDef) GetSide ¶
func (x *PermissionDef) GetSide() PermissionAllowSide
func (*PermissionDef) ProtoMessage ¶
func (*PermissionDef) ProtoMessage()
func (*PermissionDef) ProtoReflect ¶
func (x *PermissionDef) ProtoReflect() protoreflect.Message
func (*PermissionDef) Reset ¶
func (x *PermissionDef) Reset()
func (*PermissionDef) String ¶
func (x *PermissionDef) String() string
type PermissionDefGroup ¶
type PermissionDefGroup struct { Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` Side PermissionAllowSide `protobuf:"varint,2,opt,name=side,proto3,enum=authz.PermissionAllowSide" json:"side,omitempty"` Def []*PermissionDef `protobuf:"bytes,3,rep,name=def,proto3" json:"def,omitempty"` Extra *structpb.Struct `protobuf:"bytes,4,opt,name=extra,proto3" json:"extra,omitempty"` Internal bool `protobuf:"varint,5,opt,name=internal,proto3" json:"internal,omitempty"` Priority int32 `protobuf:"varint,6,opt,name=priority,proto3" json:"priority,omitempty"` // contains filtered or unexported fields }
PermissionDefGroup groups multiple permission definitions.
func FindOrAddGroup ¶
func FindOrAddGroup(group *PermissionDefGroup) *PermissionDefGroup
func (*PermissionDefGroup) AddDef ¶
func (x *PermissionDefGroup) AddDef(def *PermissionDef)
func (*PermissionDefGroup) Descriptor
deprecated
func (*PermissionDefGroup) Descriptor() ([]byte, []int)
Deprecated: Use PermissionDefGroup.ProtoReflect.Descriptor instead.
func (*PermissionDefGroup) GetDef ¶
func (x *PermissionDefGroup) GetDef() []*PermissionDef
func (*PermissionDefGroup) GetExtra ¶
func (x *PermissionDefGroup) GetExtra() *structpb.Struct
func (*PermissionDefGroup) GetInternal ¶
func (x *PermissionDefGroup) GetInternal() bool
func (*PermissionDefGroup) GetName ¶
func (x *PermissionDefGroup) GetName() string
func (*PermissionDefGroup) GetPriority ¶
func (x *PermissionDefGroup) GetPriority() int32
func (*PermissionDefGroup) GetSide ¶
func (x *PermissionDefGroup) GetSide() PermissionAllowSide
func (*PermissionDefGroup) NormalizeAndValidate ¶
func (x *PermissionDefGroup) NormalizeAndValidate() error
func (*PermissionDefGroup) ProtoMessage ¶
func (*PermissionDefGroup) ProtoMessage()
func (*PermissionDefGroup) ProtoReflect ¶
func (x *PermissionDefGroup) ProtoReflect() protoreflect.Message
func (*PermissionDefGroup) Reset ¶
func (x *PermissionDefGroup) Reset()
func (*PermissionDefGroup) String ¶
func (x *PermissionDefGroup) String() string
func (*PermissionDefGroup) Walk ¶
func (x *PermissionDefGroup) Walk(isHost bool, publicOnly bool, f func(def *PermissionDef))
type PermissionManagementService ¶
type PermissionManagementService interface { AddGrant(ctx context.Context, resource Resource, action Action, subject Subject, tenantID string, effect Effect) error //ListAcl list permission of subjects. if not subjects provided, all acl will be returned ListAcl(ctx context.Context, subjects ...Subject) ([]PermissionBean, error) UpdateGrant(ctx context.Context, subject Subject, acl []UpdateSubjectPermission) error RemoveGrant(ctx context.Context, subject Subject, filter ...FilterFunc) error }
type PermissionRequirement ¶
type Requirement ¶
func NewRequirement ¶
func NewRequirement(resource Resource, action Action) *Requirement
type RequirementList ¶
type RequirementList []*Requirement
type Resource ¶
type Resource interface { HasIdentity GetNamespace() string }
type Result ¶
type Result struct { Allowed bool Requirements []*Requirement }
func NewAllowAuthorizationResult ¶
func NewAllowAuthorizationResult() *Result
func NewDisallowAuthorizationResult ¶
func NewDisallowAuthorizationResult(requirements ...*Requirement) *Result
type ResultList ¶
type ResultList []*Result
type RoleSubject ¶
type RoleSubject struct {
// contains filtered or unexported fields
}
func NewRoleSubject ¶
func NewRoleSubject(id string) *RoleSubject
func ParseRoleSubject ¶
func ParseRoleSubject(subject Subject) (*RoleSubject, bool)
func (*RoleSubject) GetIdentity ¶
func (r *RoleSubject) GetIdentity() string
func (*RoleSubject) GetName ¶
func (r *RoleSubject) GetName() string
func (*RoleSubject) GetRoleId ¶
func (r *RoleSubject) GetRoleId() string
type Service ¶
type Service interface { //CheckForSubjects permission of these subjects directly CheckForSubjects(ctx context.Context, resource Resource, action Action, subjects ...Subject) (*Result, error) //Check resolve subject from ctx, then check permission of these subjects Check(ctx context.Context, resource Resource, action Action) (*Result, error) BatchCheckForSubjects(ctx context.Context, requirement RequirementList, subjects ...Subject) (ResultList, error) BatchCheck(ctx context.Context, requirement RequirementList) (ResultList, error) FormatError(ctx context.Context, result *Result, subjects ...Subject) error }
type Subject ¶
type Subject interface { HasIdentity }
type SubjectContrib ¶
SubjectContrib receives one Subject and expands it into a list of subjects.
type SubjectList ¶
type SubjectList []Subject
type SubjectResolver ¶
type SubjectResolverImpl ¶
type SubjectResolverImpl struct {
// contains filtered or unexported fields
}
func NewSubjectResolver ¶
func NewSubjectResolver(opt *Option) *SubjectResolverImpl
func (*SubjectResolverImpl) ResolveFromContext ¶
func (s *SubjectResolverImpl) ResolveFromContext(ctx context.Context) ([]Subject, error)
func (*SubjectResolverImpl) ResolveProcessed ¶
type SubjectStr ¶
type SubjectStr string
func (SubjectStr) GetIdentity ¶
func (s SubjectStr) GetIdentity() string
type TenantSubject ¶
type TenantSubject struct {
// contains filtered or unexported fields
}
func NewTenantSubject ¶
func NewTenantSubject(id string) *TenantSubject
func ParseTenantSubject ¶
func ParseTenantSubject(subject Subject) (*TenantSubject, bool)
func (*TenantSubject) GetIdentity ¶
func (r *TenantSubject) GetIdentity() string
func (*TenantSubject) GetName ¶
func (r *TenantSubject) GetName() string
func (*TenantSubject) GetTenantId ¶
func (r *TenantSubject) GetTenantId() string
type TokenSubject ¶
type TokenSubject struct {
// contains filtered or unexported fields
}
func NewTokenSubject ¶
func NewTokenSubject(token string) *TokenSubject
func ParseTokenSubject ¶
func ParseTokenSubject(subject Subject) (*TokenSubject, bool)
func (*TokenSubject) GetIdentity ¶
func (t *TokenSubject) GetIdentity() string
func (*TokenSubject) GetName ¶
func (t *TokenSubject) GetName() string
func (*TokenSubject) GetToken ¶
func (t *TokenSubject) GetToken() string
type UpdateSubjectPermission ¶
type UpdateSubjectPermission struct { Resource Resource Action Action Effect Effect TenantID string }
func NewUpdateSubjectPermission ¶
func NewUpdateSubjectPermission(resource Resource, action Action, tenantID string, effect Effect) *UpdateSubjectPermission
type UserSubject ¶
type UserSubject struct {
// contains filtered or unexported fields
}
func NewUserSubject ¶
func NewUserSubject(userId string) *UserSubject
func ParseUserSubject ¶
func ParseUserSubject(subject Subject) (*UserSubject, bool)
func (*UserSubject) GetIdentity ¶
func (u *UserSubject) GetIdentity() string
func (*UserSubject) GetName ¶
func (u *UserSubject) GetName() string
func (*UserSubject) GetUserId ¶
func (u *UserSubject) GetUserId() string