relationship

package
v0.2.0
Published: Jan 23, 2024 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

Package relationship deals with relationship persistence for the ACP module.

Relationships are required to meet certain criteria before they can be passed on to Zanzi for storage. Because the ACP module is discretionary and public, before a relationship is stored it is necessary to validate that the relationship's actor is allowed to create a relationship with the specified relation for the specified object.

An example: bob tries to submit the relationship (file:foo.txt, read, charlie). Before storing the relationship, the ACP package validates that bob is allowed to create read relations for file:foo.txt. This validation is done using the manages rules in a policy.

Index

Constants

This section is empty.

Variables

var (
	ErrDeleteOwnerRel = types.ErrAcpProtocolViolation.Wrapf("cannot delete an owner relationship")
	ErrSetOwnerRel    = types.ErrAcpProtocolViolation.Wrapf("cannot set an owner relationship")
)

Functions

This section is empty.

Types

type DeleteRelationshipCommand

type DeleteRelationshipCommand struct {
	// Policy from which Relationship will be removed
	Policy *types.Policy

	// Relationship to be removed
	Relationship *types.Relationship

	// Id of actor that initiated the deletion
	Actor string
}

DeleteRelationshipCommand encapsulates the process of removing a relationship from a Policy.

func (*DeleteRelationshipCommand) Execute

type RegisterObjectCommand

type RegisterObjectCommand struct {
	Registration *types.Registration
	Policy       *types.Policy
	CreationTs   *prototypes.Timestamp
}

RegisterObjectCommand creates an "owner" Relationship for the given object and subject if the object does not have a previous owner. If the relationship exists but is archived by the same actor, it is unarchived. If the relationship is active, this command is a no-op.

func (*RegisterObjectCommand) Execute

type RelationshipAuthorizer

type RelationshipAuthorizer struct {
	// contains filtered or unexported fields
}

RelationshipAuthorizer acts as an Authorization Request engine which validates whether a Relationship can be set or deleted by an Actor.

The permission evaluation is done through a Check call using the auxiliary permissions auto-generated by the ACP module and attached to a permission.

For instance, take the Relationship (obj:foo, reader, steve) being submitted by Actor Bob. Bob is allowed to create that relationship if and only if Bob has the permission _can_manage_reader for "obj:foo".

func NewRelationshipAuthorizer

func NewRelationshipAuthorizer(engine auth_engine.AuthEngine) *RelationshipAuthorizer

func (*RelationshipAuthorizer) IsAuthorized

func (a *RelationshipAuthorizer) IsAuthorized(ctx context.Context, policy *types.Policy, relationship *types.Relationship, actor *types.Actor) (bool, error)

IsAuthorized validates whether actor is a manager for the given relationship.

A given Relationship is only valid if, for the Relationship's Object and Relation, the Actor holds a permission to manage that (Object, Relation) pair.
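The check described in the overview and in IsAuthorized above, as an added example that is not the package's own code: the authorizer derives the auxiliary permission _can_manage_<relation> from the submitted relationship and asks the engine whether the actor holds it. The AuthEngine interface, the Policy shape (a Manages map standing in for the policy's manages rules) and the in-memory engine are all assumptions made for this example; the real auth_engine.AuthEngine and types.Policy are not shown on the page.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// Relationship is the (object, relation, subject) triple the package stores.
type Relationship struct {
	Object   string // e.g. "obj:foo"
	Relation string // e.g. "reader"
	Subject  string // e.g. "steve"
}

// Policy is an assumed minimal policy shape: Manages maps a relation to the
// relations it is allowed to manage (the "manages" rules the overview refers to).
type Policy struct {
	ID      string
	Manages map[string][]string
}

// AuthEngine is the assumed shape of the auth_engine.AuthEngine dependency.
type AuthEngine interface {
	Check(ctx context.Context, policy *Policy, object, permission, actor string) (bool, error)
}

const managePrefix = "_can_manage_"

// memEngine is a constructed in-memory engine standing in for Zanzi.
type memEngine struct {
	tuples map[string]bool // "object|relation|subject" -> present
}

func newMemEngine() *memEngine { return &memEngine{tuples: map[string]bool{}} }

func tupleKey(obj, rel, subj string) string { return obj + "|" + rel + "|" + subj }

func (e *memEngine) Set(r Relationship) { e.tuples[tupleKey(r.Object, r.Relation, r.Subject)] = true }

// Check resolves an auxiliary _can_manage_<relation> permission: it holds for
// the actor if the actor has, on the object, any relation that manages <relation>.
func (e *memEngine) Check(_ context.Context, p *Policy, object, permission, actor string) (bool, error) {
	if !strings.HasPrefix(permission, managePrefix) {
		return false, fmt.Errorf("unsupported permission %q", permission)
	}
	target := strings.TrimPrefix(permission, managePrefix)
	for managerRel, managed := range p.Manages {
		for _, m := range managed {
			if m == target && e.tuples[tupleKey(object, managerRel, actor)] {
				return true, nil
			}
		}
	}
	return false, nil
}

// RelationshipAuthorizer mirrors the page's type: it derives the auxiliary
// permission for the submitted relation and delegates the decision to the engine.
type RelationshipAuthorizer struct{ engine AuthEngine }

func NewRelationshipAuthorizer(engine AuthEngine) *RelationshipAuthorizer {
	return &RelationshipAuthorizer{engine: engine}
}

// IsAuthorized reports whether actor may set or delete rel under policy.
func (a *RelationshipAuthorizer) IsAuthorized(ctx context.Context, policy *Policy, rel Relationship, actor string) (bool, error) {
	if policy == nil || rel.Object == "" || rel.Relation == "" || actor == "" {
		return false, errors.New("policy, object, relation and actor must be set")
	}
	return a.engine.Check(ctx, policy, rel.Object, managePrefix+rel.Relation, actor)
}

// Scenario replays the page's example: bob owns obj:foo and "owner" manages
// reader and writer. It returns whether each submission is authorized.
func Scenario() (bobSetsReader, aliceSetsReader, bobSetsOwner bool, err error) {
	policy := &Policy{ID: "policy-1", Manages: map[string][]string{"owner": {"reader", "writer"}}}
	engine := newMemEngine()
	engine.Set(Relationship{Object: "obj:foo", Relation: "owner", Subject: "bob"}) // constructed state
	auth := NewRelationshipAuthorizer(engine)
	ctx := context.Background()

	if bobSetsReader, err = auth.IsAuthorized(ctx, policy, Relationship{"obj:foo", "reader", "steve"}, "bob"); err != nil {
		return
	}
	if aliceSetsReader, err = auth.IsAuthorized(ctx, policy, Relationship{"obj:foo", "reader", "steve"}, "alice"); err != nil {
		return
	}
	// No relation manages "owner", so not even the owner can hand out owner tuples this way.
	bobSetsOwner, err = auth.IsAuthorized(ctx, policy, Relationship{"obj:foo", "owner", "mallory"}, "bob")
	return
}

func main() {
	a, b, c, err := Scenario()
	fmt.Println("bob->reader:", a, "alice->reader:", b, "bob->owner:", c, "err:", err)
}
```

Alice is refused because she holds no relation on obj:foo that manages reader, and bob's attempt to grant owner is refused because the policy names no relation that manages owner; in the real package the owner relation is additionally protected by ErrSetOwnerRel and ErrDeleteOwnerRel.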

type SetRelationshipCommand

type SetRelationshipCommand struct {
	Policy       *types.Policy
	CreationTs   *prototypes.Timestamp
	Creator      string
	Relationship *types.Relationship
}

func (*SetRelationshipCommand) Execute

type UnregisterObjectCommand added in v0.2.0

type UnregisterObjectCommand struct {
	// Target Policy
	Policy *types.Policy

	// Object to be unregistered
	Object *types.Object

	// Actor which initiated request
	Actor string
}

func (*UnregisterObjectCommand) Execute added in v0.2.0
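The lifecycle spread across RegisterObjectCommand, SetRelationshipCommand, DeleteRelationshipCommand and UnregisterObjectCommand, together with the ErrSetOwnerRel and ErrDeleteOwnerRel variables, as an added example that is not the package's own code. The in-memory Store stands in for the Zanzi-backed persistence layer, and two behaviours the page does not specify are assumptions here: an archived owner record left by a different actor is rejected with ErrAlreadyRegistered, and only the active owner may unregister an object (ErrNotOwner). Authorization of the actor (the manages check) is left out to keep the focus on the owner-relation state machine.

```go
package main

import (
	"errors"
	"fmt"
)

// Errors mirroring the package's variables; the real ones wrap types.ErrAcpProtocolViolation.
var (
	ErrDeleteOwnerRel = errors.New("acp protocol violation: cannot delete an owner relationship")
	ErrSetOwnerRel    = errors.New("acp protocol violation: cannot set an owner relationship")
	// The next two are assumptions; the page does not describe these cases.
	ErrAlreadyRegistered = errors.New("object already has an owner")
	ErrNotOwner          = errors.New("only the active owner may unregister the object")
)

const ownerRelation = "owner"

// record is one stored tuple plus the archive state used by register/unregister.
type record struct {
	Object, Relation, Subject string
	Archived                  bool
	ArchivedBy                string
}

// Store is a constructed in-memory stand-in for the Zanzi-backed persistence layer.
type Store struct{ recs []*record }

func (s *Store) ownerOf(obj string) *record {
	for _, r := range s.recs {
		if r.Object == obj && r.Relation == ownerRelation {
			return r
		}
	}
	return nil
}

// RegisterObject follows the page: create the owner tuple if none exists,
// unarchive it if the same actor archived it, no-op if it is active.
func (s *Store) RegisterObject(obj, actor string) (string, error) {
	r := s.ownerOf(obj)
	switch {
	case r == nil:
		s.recs = append(s.recs, &record{Object: obj, Relation: ownerRelation, Subject: actor})
		return "created", nil
	case !r.Archived:
		return "noop", nil
	case r.ArchivedBy == actor:
		r.Archived, r.ArchivedBy = false, ""
		return "unarchived", nil
	default:
		return "", ErrAlreadyRegistered // assumed handling of another actor's archived owner
	}
}

// SetRelationship refuses owner tuples; ownership is only granted by registration.
func (s *Store) SetRelationship(obj, rel, subj string) error {
	if rel == ownerRelation {
		return ErrSetOwnerRel
	}
	s.recs = append(s.recs, &record{Object: obj, Relation: rel, Subject: subj})
	return nil
}

// DeleteRelationship refuses owner tuples; ownership is only removed by unregistration.
func (s *Store) DeleteRelationship(obj, rel, subj string) error {
	if rel == ownerRelation {
		return ErrDeleteOwnerRel
	}
	for i, r := range s.recs {
		if r.Object == obj && r.Relation == rel && r.Subject == subj {
			s.recs = append(s.recs[:i], s.recs[i+1:]...)
			break
		}
	}
	return nil
}

// UnregisterObject archives the owner tuple, recording who archived it (assumed: owner only).
func (s *Store) UnregisterObject(obj, actor string) error {
	r := s.ownerOf(obj)
	if r == nil || r.Archived || r.Subject != actor {
		return ErrNotOwner
	}
	r.Archived, r.ArchivedBy = true, actor
	return nil
}

// Demo drives the lifecycle on the page's file:foo.txt object and returns one label per step.
func Demo() []string {
	s := &Store{}
	var out []string
	name := func(err error) string {
		for _, e := range []error{ErrSetOwnerRel, ErrDeleteOwnerRel, ErrAlreadyRegistered, ErrNotOwner} {
			if errors.Is(err, e) {
				return e.Error()
			}
		}
		return "ok"
	}
	reg := func(actor string) {
		res, err := s.RegisterObject("file:foo.txt", actor)
		if err != nil {
			res = name(err)
		}
		out = append(out, "register:"+res)
	}
	reg("bob")
	reg("bob")
	out = append(out, "set:"+name(s.SetRelationship("file:foo.txt", "owner", "mallory")))
	out = append(out, "set:"+name(s.SetRelationship("file:foo.txt", "read", "charlie")))
	out = append(out, "delete:"+name(s.DeleteRelationship("file:foo.txt", "owner", "bob")))
	out = append(out, "unregister:"+name(s.UnregisterObject("file:foo.txt", "charlie")))
	out = append(out, "unregister:"+name(s.UnregisterObject("file:foo.txt", "bob")))
	reg("alice")
	reg("bob")
	return out
}

func main() {
	for _, line := range Demo() {
		fmt.Println(line)
	}
}
```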
