Documentation
Overview
Package authz provides the authorization utilities for minder
Index
- Variables
- type Client
- type ClientWrapper
- func (a *ClientWrapper) Adopt(ctx context.Context, parent, child uuid.UUID) error
- func (a *ClientWrapper) AssignmentsToProject(ctx context.Context, project uuid.UUID) ([]*minderv1.RoleAssignment, error)
- func (a *ClientWrapper) Check(ctx context.Context, action string, project uuid.UUID) error
- func (a *ClientWrapper) Delete(ctx context.Context, user string, role Role, project uuid.UUID) error
- func (a *ClientWrapper) DeleteUser(ctx context.Context, user string) error
- func (a *ClientWrapper) MigrateUp(ctx context.Context) error
- func (a *ClientWrapper) Orphan(ctx context.Context, parent, child uuid.UUID) error
- func (a *ClientWrapper) PrepareForRun(ctx context.Context) error
- func (a *ClientWrapper) ProjectsForUser(ctx context.Context, sub string) ([]uuid.UUID, error)
- func (a *ClientWrapper) StoreIDProvided() bool
- func (a *ClientWrapper) Write(ctx context.Context, user string, role Role, project uuid.UUID) error
- type Role
Constants
This section is empty.
Variables
//nolint:lll
var (
	// AllRolesDescriptions is a list of all roles
	AllRolesDescriptions = map[Role]string{
		RoleAdmin:              "Admins have full permissions on the project. In addition to the editor permissions, users with this role can modify the project, enroll additional providers, and manage roles for other users within the project.",
		RoleEditor:             "In addition to the viewer permissions, editors can author profiles and rule types, as well as add resources to manage. Editors cannot enroll additional providers or change or delete projects.",
		RoleViewer:             "Provides read-only access to the project. Users with this role can view associated resources such as enrolled repositories, rule types, profiles and the status of rule evaluations.",
		RolePolicyWriter:       "Allows users to create rule types and profiles. Unlike editors, policy writers cannot add or remove resources from the project.",
		RolePermissionsManager: "Allows users to manage roles for other users within the project.",
	}
	// AllRolesDisplayName is a list of all roles with their display names
	AllRolesDisplayName = map[Role]string{
		RoleAdmin:              "Admin",
		RoleEditor:             "Editor",
		RoleViewer:             "Viewer",
		RolePolicyWriter:       "Policy Writer",
		RolePermissionsManager: "Permissions Manager",
	}
	// AllRolesSorted is a list of all roles sorted
	AllRolesSorted = []Role{RoleAdmin, RoleEditor, RoleViewer, RolePolicyWriter, RolePermissionsManager}
	// AllRolesVerbs is a list of all roles with their verbs
	AllRolesVerbs = map[Role]string{
		RoleAdmin:              "administer",
		RoleEditor:             "edit",
		RoleViewer:             "view",
		RolePolicyWriter:       "write policies for",
		RolePermissionsManager: "manage permissions for",
	}
)
var ErrNotAuthorized = fmt.Errorf("not authorized")
ErrNotAuthorized is the error returned when a user is not authorized to perform an action
var (
	// ErrStoreNotFound denotes the error where the store wasn't found via the
	// given configuration.
	ErrStoreNotFound = errors.New("Store not found")
)
Functions
This section is empty.
Types
type Client
type Client interface {
	// Check returns a NotAuthorized if the action is not allowed on the resource, or nil if it is allowed
	Check(ctx context.Context, action string, project uuid.UUID) error

	// Write stores an authorization tuple allowing user (an OAuth2 subject) to
	// act in the specified role on the project.
	//
	// NOTE: this method _DOES NOT CHECK_ that the current user in the context
	// has permissions to update the project.
	Write(ctx context.Context, user string, role Role, project uuid.UUID) error

	// Delete removes an authorization from user (an OAuth2 subject) to act in
	// the specified role on the project.
	//
	// NOTE: this method _DOES NOT CHECK_ that the current user in the context
	// has permissions to update the project.
	Delete(ctx context.Context, user string, role Role, project uuid.UUID) error

	// DeleteUser removes all authorizations for the given user.
	DeleteUser(ctx context.Context, user string) error

	// AssignmentsToProject outputs the existing role assignments for a given project.
	AssignmentsToProject(ctx context.Context, project uuid.UUID) ([]*minderv1.RoleAssignment, error)

	// ProjectsForUser outputs the projects a user has access to.
	ProjectsForUser(ctx context.Context, sub string) ([]uuid.UUID, error)

	// PrepareForRun allows for any preflight configurations to be done before
	// the server is started.
	PrepareForRun(ctx context.Context) error

	// MigrateUp runs the authz migrations
	MigrateUp(ctx context.Context) error

	// Adopt stores an authorization relationship from one project to another
	Adopt(ctx context.Context, parent, child uuid.UUID) error

	// Orphan removes an authorization relationship from one project to another
	Orphan(ctx context.Context, parent, child uuid.UUID) error
}
Client provides an abstract interface which simplifies interacting with OpenFGA and supports no-op and fake implementations.
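As an added example (not code from the minder project), the in-memory stand-in below models the Client contract described above: Check reads the caller's subject from ctx and consults a role-to-action mapping derived from the role descriptions, Write stores a tuple with no caller check, and GrantRole is the guard a caller must put around Write. Project IDs are plain strings instead of uuid.UUID, and the action names and the subject context key are assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Role and ErrNotAuthorized mirror the package's declarations; project IDs are plain strings here, not uuid.UUID.
type Role string
var ErrNotAuthorized = errors.New("not authorized")

// rolesAllowing maps an action to the roles that grant it, following the role descriptions above.
// The action names are constructed for this example and are not minder's real relation names.
var rolesAllowing = map[string][]Role{
	"view":            {"admin", "editor", "viewer", "policy_writer", "permissions_manager"},
	"write_profile":   {"admin", "editor", "policy_writer"},
	"add_repository":  {"admin", "editor"},
	"enroll_provider": {"admin"},
	"manage_roles":    {"admin", "permissions_manager"},
}
// subjectKey carries the caller's OAuth2 subject in ctx; Check reads the subject from there.
type subjectKey struct{}
// fakeAuthz is an in-memory stand-in for authz.Client with tuples keyed "subject@project#role".
type fakeAuthz struct{ tuples map[string]bool }
func newFake() *fakeAuthz { return &fakeAuthz{tuples: map[string]bool{}} }

// Write stores the tuple without checking the caller, exactly as the interface documents.
func (f *fakeAuthz) Write(_ context.Context, user string, role Role, project string) error {
	f.tuples[user+"@"+project+"#"+string(role)] = true
	return nil
}

// Check allows the action if the subject in ctx holds any role that grants it on the project.
func (f *fakeAuthz) Check(ctx context.Context, action, project string) error {
	sub, _ := ctx.Value(subjectKey{}).(string)
	for _, r := range rolesAllowing[action] {
		if f.tuples[sub+"@"+project+"#"+string(r)] {
			return nil
		}
	}
	return fmt.Errorf("%s on project %s: %w", action, project, ErrNotAuthorized)
}

// GrantRole supplies the guard Write omits: the caller must be allowed to manage roles first.
func GrantRole(ctx context.Context, c *fakeAuthz, user string, role Role, project string) error {
	if err := c.Check(ctx, "manage_roles", project); err != nil {
		return err
	}
	return c.Write(ctx, user, role, project)
}
```

A request with no subject in ctx is denied by Check, so a missing identity fails closed rather than matching an empty user.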
func NewAuthzClient
NewAuthzClient returns a new AuthzClientWrapper
type ClientWrapper
type ClientWrapper struct {
// contains filtered or unexported fields
}
ClientWrapper is a wrapper for the OpenFgaClient. It is used to provide a common interface for the client and a way to refresh authentication to the authz provider when needed.
func (*ClientWrapper) AssignmentsToProject
func (a *ClientWrapper) AssignmentsToProject(ctx context.Context, project uuid.UUID) ([]*minderv1.RoleAssignment, error)
AssignmentsToProject lists the current role assignments that are scoped to a project
func (*ClientWrapper) Check
Check checks if the user is authorized to perform the given action on the given project.
func (*ClientWrapper) Delete
func (a *ClientWrapper) Delete(ctx context.Context, user string, role Role, project uuid.UUID) error
Delete removes the given role for the given user and project
func (*ClientWrapper) DeleteUser
func (a *ClientWrapper) DeleteUser(ctx context.Context, user string) error
DeleteUser removes all tuples for the given user
func (*ClientWrapper) MigrateUp
func (a *ClientWrapper) MigrateUp(ctx context.Context) error
MigrateUp runs the authz migrations. For OpenFGA this means creating the store and writing the authz model.
func (*ClientWrapper) Orphan
Orphan removes the relationship between the parent and child projects
func (*ClientWrapper) PrepareForRun
func (a *ClientWrapper) PrepareForRun(ctx context.Context) error
PrepareForRun initializes the authz client based on the configuration. This is handy when migrations have already been done and helps us auto-discover the store ID and model.
func (*ClientWrapper) ProjectsForUser
ProjectsForUser lists the projects that the given user has access to
func (*ClientWrapper) StoreIDProvided
func (a *ClientWrapper) StoreIDProvided() bool
StoreIDProvided returns true if the store ID was provided in the configuration
type Role
type Role string
Role is the role a user can have on a project
const (
	// RoleAdmin is the admin role
	RoleAdmin Role = "admin"
	// RoleEditor is the editor role
	RoleEditor Role = "editor"
	// RoleViewer is the viewer role
	RoleViewer Role = "viewer"
	// RolePolicyWriter is the `policy_writer` role
	RolePolicyWriter Role = "policy_writer"
	// RolePermissionsManager is the `permissions_manager` role
	RolePermissionsManager Role = "permissions_manager"
)