Documentation
Overview
Package doorman is in charge of answering authorization requests by matching a set of policies loaded in memory.
The default implementation relies on Ladon (https://github.com/ory/ladon).
Index
- type Condition
- type Conditions
- type Context
- type Doorman
- type LadonDoorman
- func (doorman *LadonDoorman) Authenticator(service string) (authn.Authenticator, error)
- func (doorman *LadonDoorman) ConfigSources() []string
- func (doorman *LadonDoorman) ExpandPrincipals(service string, principals Principals) Principals
- func (doorman *LadonDoorman) IsAllowed(service string, request *Request) bool
- func (doorman *LadonDoorman) LoadPolicies(configs ServicesConfig) error
- func (doorman *LadonDoorman) SetAuthenticator(service string, a authn.Authenticator)
- type MatchPrincipalsCondition
- type Policies
- type Policy
- type Principals
- type Request
- type ServiceConfig
- type ServicesConfig
- type Tags
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Doorman
type Doorman interface {
	// LoadPolicies is responsible for loading the services configuration into memory.
	LoadPolicies(configs ServicesConfig) error
	// ConfigSources returns the list of configuration sources.
	ConfigSources() []string
	// Authenticator returns the authenticator for the given service.
	Authenticator(service string) (authn.Authenticator, error)
	// ExpandPrincipals looks up and adds extra principals to the ones specified.
	ExpandPrincipals(service string, principals Principals) Principals
	// IsAllowed is responsible for deciding if the specified authorization is allowed for the specified service.
	IsAllowed(service string, request *Request) bool
}
Doorman is the backend in charge of checking requests against policies.
type LadonDoorman
type LadonDoorman struct {
	// contains filtered or unexported fields
}
LadonDoorman is the backend in charge of checking requests against policies.
func NewDefaultLadon
func NewDefaultLadon() *LadonDoorman
NewDefaultLadon instantiates a new doorman.
func (*LadonDoorman) Authenticator
func (doorman *LadonDoorman) Authenticator(service string) (authn.Authenticator, error)
Authenticator returns the authenticator configured for the specified service, or nil if none is set.
func (*LadonDoorman) ConfigSources
func (doorman *LadonDoorman) ConfigSources() []string
ConfigSources returns the list of configuration sources (the Source of each loaded ServiceConfig).
func (*LadonDoorman) ExpandPrincipals
func (doorman *LadonDoorman) ExpandPrincipals(service string, principals Principals) Principals
ExpandPrincipals matches the tags defined in this service's configuration against each of the specified principals and returns the principals extended with the matching tags.
func (*LadonDoorman) IsAllowed
func (doorman *LadonDoorman) IsAllowed(service string, request *Request) bool
IsAllowed is responsible for deciding whether a subject can perform an action on a resource in a given context.
func (*LadonDoorman) LoadPolicies
func (doorman *LadonDoorman) LoadPolicies(configs ServicesConfig) error
LoadPolicies instantiates Ladon objects from doorman's services configuration.
func (*LadonDoorman) SetAuthenticator
func (doorman *LadonDoorman) SetAuthenticator(service string, a authn.Authenticator)
SetAuthenticator manually sets the authenticator instance associated with a service.
type MatchPrincipalsCondition
type MatchPrincipalsCondition struct{}
MatchPrincipalsCondition is a condition that is fulfilled if the given value string is among the request's principals.
func (*MatchPrincipalsCondition) Fulfills
func (c *MatchPrincipalsCondition) Fulfills(value interface{}, r *ladon.Request) bool
Fulfills returns true if the request's subject is equal to the given value string. This only works because the doorman iterates over the principals and sets the Ladon request subject to each one in turn, so a single equality check against the subject amounts to a membership check against all principals.
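The evaluation loop this comment describes (expand the principals with tags, set each principal as the subject in turn, and evaluate every policy, including a MatchPrincipals-style condition against the subject) is shown below as an added, self-contained illustration. It is not the doorman package's own code and does not use Ladon: the type definitions, the "tag:" prefix for expanded tags, the simplified Conditions map, and the deny-overrides-allow / default-deny outcome are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Names mirror the types on this page, but these definitions are constructed
// for the example and are not the doorman package's own code.
type Principals []string
type Tags map[string]Principals     // tag name -> principals carrying it (assumption)
type Context map[string]interface{} // request environment, e.g. {"owner": "userid:alice"}
type Conditions map[string]string   // context key -> condition type name (simplified)

type Policy struct {
	ID         string
	Principals []string
	Effect     string // "allow" or "deny"
	Resources  []string
	Actions    []string
	Conditions Conditions
}

type Request struct {
	Principals Principals
	Resource   string
	Action     string
	Context    Context
}

type ServiceConfig struct {
	Service  string
	Tags     Tags
	Policies []Policy
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// expandPrincipals appends "tag:<name>" for every tag whose members include one
// of the request principals, as ExpandPrincipals is documented to do. Tags are
// visited in sorted order so the result is deterministic.
func expandPrincipals(cfg ServiceConfig, principals Principals) Principals {
	expanded := append(Principals{}, principals...)
	names := make([]string, 0, len(cfg.Tags))
	for name := range cfg.Tags {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		for _, p := range principals {
			if contains(cfg.Tags[name], p) {
				expanded = append(expanded, "tag:"+name)
				break
			}
		}
	}
	return expanded
}

// fulfillsMatchPrincipals reproduces the Fulfills rule above: the context value
// must equal the subject currently being evaluated.
func fulfillsMatchPrincipals(value interface{}, subject string) bool {
	s, ok := value.(string)
	return ok && s == subject
}

// matches reports whether policy p applies to this subject/resource/action and
// all of its conditions hold; unknown condition types fail closed.
func matches(p Policy, subject string, req *Request) bool {
	if !contains(p.Principals, subject) || !contains(p.Resources, req.Resource) || !contains(p.Actions, req.Action) {
		return false
	}
	for key, condType := range p.Conditions {
		if condType != "MatchPrincipalsCondition" || !fulfillsMatchPrincipals(req.Context[key], subject) {
			return false
		}
	}
	return true
}

// isAllowed sets each expanded principal as the subject in turn and evaluates
// every policy against it. A matching deny wins over any allow, and no match
// at all is a deny (assumed default-deny semantics).
func isAllowed(cfg ServiceConfig, req *Request) bool {
	allowed := false
	for _, subject := range expandPrincipals(cfg, req.Principals) {
		for _, p := range cfg.Policies {
			if !matches(p, subject, req) {
				continue
			}
			if p.Effect == "deny" {
				return false
			}
			allowed = true
		}
	}
	return allowed
}

// sampleConfig is a constructed service configuration used by the demo.
func sampleConfig() ServiceConfig {
	return ServiceConfig{
		Service: "example-service",
		Tags:    Tags{"admins": {"userid:bob"}},
		Policies: []Policy{
			{ID: "owner-edit", Principals: []string{"userid:alice", "userid:bob", "userid:carol"},
				Effect: "allow", Resources: []string{"article"}, Actions: []string{"edit"},
				Conditions: Conditions{"owner": "MatchPrincipalsCondition"}},
			{ID: "admin-delete", Principals: []string{"tag:admins"}, Effect: "allow",
				Resources: []string{"article"}, Actions: []string{"delete"}},
			{ID: "ban-carol", Principals: []string{"userid:carol"}, Effect: "deny",
				Resources: []string{"article"}, Actions: []string{"edit", "delete"}},
		},
	}
}

func main() {
	cfg := sampleConfig()
	req := &Request{Principals: Principals{"userid:alice"}, Resource: "article", Action: "edit",
		Context: Context{"owner": "userid:alice"}}
	fmt.Println("alice edits her own article:", isAllowed(cfg, req))
}
```

The point of the per-principal loop is visible in the owner-edit policy: the condition compares the context's "owner" value with the subject, so the same request is allowed when the owner is one of the caller's principals and refused otherwise, and the explicit deny for carol wins even though an allow policy also matches her.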
func (*MatchPrincipalsCondition) GetName
func (c *MatchPrincipalsCondition) GetName() string
GetName returns the condition's name.
type Policy
type Policy struct {
	ID          string
	Description string
	Principals  []string
	Effect      string
	Resources   []string
	Actions     []string
	Conditions  Conditions
}
Policy represents a single access control rule.
type Request
type Request struct {
	// Principals are strings that identify the user.
	Principals Principals
	// Resource is the resource that access is requested to.
	Resource string
	// Action is the action that is requested on the resource.
	Action string
	// Context is the request's environmental context.
	Context Context
}
Request is the authorization request.
func (*Request) Roles
func (r *Request) Roles() Principals
Roles reads the roles from the request context and returns them as principals.
type ServiceConfig
type ServiceConfig struct {
	Source           string
	Service          string
	IdentityProvider string `yaml:"identityProvider"`
	Tags             Tags
	Policies         Policies
}
ServiceConfig represents the policies file content.
func (*ServiceConfig) GetTags
func (c *ServiceConfig) GetTags(principals Principals) Principals
GetTags returns, as principals, the tags whose members include any of the specified principals.
type ServicesConfig
type ServicesConfig []ServiceConfig
ServicesConfig is the whole set of policies files.