Documentation
Overview
Package relationship deals with relationship persistence for the ACP module.
Relationships are required to meet certain criteria before they can be passed on to Zanzi for storage. Because the ACP module is discretionary and public, before a relationship is stored it is necessary to validate that the relationship's actor is allowed to create a relationship with the specified relation for the specified object.
An example: bob tries to submit the relationship (file:foo.txt, read, charlie). Before storing the relationship, the ACP package validates that bob is allowed to create read relations for file:foo.txt. This validation is done using the manages rules in a policy.
Constants
This section is empty.
Variables
	var (
		ErrDeleteOwnerRel = types.ErrAcpProtocolViolation.Wrapf("cannot delete an owner relationship")
		ErrSetOwnerRel    = types.ErrAcpProtocolViolation.Wrapf("cannot set an owner relationship")
	)
Functions
This section is empty.
Types
type DeleteRelationshipCommand
	type DeleteRelationshipCommand struct {
		// Policy from which Relationship will be removed
		Policy *types.Policy
		// Relationship to be removed
		Relationship *types.Relationship
		// Id of actor that initiated the deletion
		Actor string
	}
DeleteRelationshipCommand encapsulates the process of removing a relationship from a Policy.
func (*DeleteRelationshipCommand) Execute
	func (c *DeleteRelationshipCommand) Execute(ctx context.Context, engine auth_engine.AuthEngine, authorizer *RelationshipAuthorizer) (auth_engine.RecordFound, error)
type RegisterObjectCommand
	type RegisterObjectCommand struct {
		Registration *types.Registration
		Policy       *types.Policy
		CreationTs   *prototypes.Timestamp
	}
RegisterObjectCommand creates an "owner" Relationship for the given object and subject if the object does not already have an owner. If the relationship exists but was archived by the same actor, it is unarchived; if the relationship is already active, this command is a no-op.
func (*RegisterObjectCommand) Execute
	func (c *RegisterObjectCommand) Execute(ctx context.Context, engine auth_engine.AuthEngine) (types.RegistrationResult, error)
type RelationshipAuthorizer
	type RelationshipAuthorizer struct {
		// contains filtered or unexported fields
	}
RelationshipAuthorizer acts as an Authorization Request engine which validates whether a Relationship can be set or deleted by an Actor.
The permission evaluation is done through a Check call using the auxiliary permissions that the ACP module auto-generates and attaches to each relation.
For instance, take the Relationship (obj:foo, reader, steve) being submitted by Actor Bob. Bob is allowed to create that relationship if and only if Bob has the permission _can_manage_reader for "obj:foo".
func NewRelationshipAuthorizer
	func NewRelationshipAuthorizer(engine auth_engine.AuthEngine) *RelationshipAuthorizer
func (*RelationshipAuthorizer) IsAuthorized
	func (a *RelationshipAuthorizer) IsAuthorized(ctx context.Context, policy *types.Policy, relationship *types.Relationship, actor *types.Actor) (bool, error)
IsAuthorized validates whether the actor is a manager for the given relationship.
A given Relationship is only valid if, for the Relationship's Object and Relation, the Actor holds the permission to manage that (Object, Relation) pair.
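The following is an added, self-contained model of the check described above; it is not the package's own code. Policy, Store, Check, IsAuthorized and SetRelationship are constructed stand-ins: a policy's manages rules are reduced to a map from a relation to the relations allowed to manage it, and the auxiliary _can_manage_<relation> permission is evaluated by a Check over an in-memory relationship store.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Relationship is the (object, relation, subject) tuple the ACP module stores.
type Relationship struct{ Object, Relation, Subject string }

// Policy is a constructed stand-in: Manages maps a relation to the relations allowed to manage it.
type Policy struct{ Manages map[string][]string }

// Store is a constructed in-memory relationship store (set membership = relationship exists).
type Store map[Relationship]bool

var ErrSetOwnerRel = errors.New("cannot set an owner relationship")

// managePermission names the auxiliary permission derived for a relation.
func managePermission(relation string) string { return "_can_manage_" + relation }

// Check: actor holds _can_manage_<rel> on object iff actor holds a relation that manages rel there.
func Check(p *Policy, s Store, object, permission, actor string) bool {
	rel := strings.TrimPrefix(permission, "_can_manage_")
	for _, manager := range p.Manages[rel] {
		if s[Relationship{object, manager, actor}] {
			return true
		}
	}
	return false
}

// IsAuthorized mirrors the rule in the text: actor may set or delete r only via _can_manage_<r.Relation>.
func IsAuthorized(p *Policy, s Store, r Relationship, actor string) bool {
	return Check(p, s, r.Object, managePermission(r.Relation), actor)
}

// SetRelationship stores r only after the checks pass; owner relations come from registration only.
func SetRelationship(p *Policy, s Store, r Relationship, actor string) error {
	if r.Relation == "owner" {
		return ErrSetOwnerRel
	}
	if !IsAuthorized(p, s, r, actor) {
		return fmt.Errorf("%s lacks %s on %s", actor, managePermission(r.Relation), r.Object)
	}
	s[r] = true
	return nil
}
```

With a constructed policy in which owner manages reader and writer, bob (owner of obj:foo) can set (obj:foo, reader, steve), while steve, holding only reader, cannot set (obj:foo, writer, alice).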
type SetRelationshipCommand
	type SetRelationshipCommand struct {
		Policy       *types.Policy
		CreationTs   *prototypes.Timestamp
		Creator      string
		Relationship *types.Relationship
	}
func (*SetRelationshipCommand) Execute
	func (c *SetRelationshipCommand) Execute(ctx context.Context, engine auth_engine.AuthEngine, authorizer *RelationshipAuthorizer) (auth_engine.RecordFound, error)
type UnregisterObjectCommand (added in v0.2.0)
	type UnregisterObjectCommand struct {
		// Target Policy
		Policy *types.Policy
		// Object to be unregistered
		Object *types.Object
		// Actor which initiated request
		Actor string
	}
func (*UnregisterObjectCommand) Execute (added in v0.2.0)
	func (c *UnregisterObjectCommand) Execute(ctx context.Context, engine auth_engine.AuthEngine, authorizer *RelationshipAuthorizer) (uint, error)