authz

package module
v1.0.33
Published: Jul 30, 2024 License: MIT Imports: 11 Imported by: 4

README

👮‍♀️ AuthZ


Installation

$ go get github.com/zeiss/fiber-authz

Usage

  • OpenFGA
  • Team-based access control
  • Role-based access control
  • Noop (for testing)

Any authorization model can be implemented by implementing the Authorizer interface.
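As an added example (not code from the fiber-authz project), a deny-by-default role-based checker whose Allowed method has the same shape as AuthzChecker.Allowed, so a value like it could be set as Config.Checker. The three factor types are local stand-ins for the package's string types, and the team/role data in NewTeamChecker is constructed for the example:

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Stand-ins for the package's factor types (authz.AuthzPrincipal, AuthzObject and
// AuthzAction are all string types); they let this file run on its own.
type (
	AuthzPrincipal string
	AuthzObject    string
	AuthzAction    string
)

// RoleChecker is a small role-based model: a principal holds one role per object and
// each role is granted a set of actions. Allowed matches authz.AuthzChecker.Allowed.
type RoleChecker struct {
	Roles  map[AuthzObject]map[AuthzPrincipal]string // object -> principal -> role
	Grants map[string]map[AuthzAction]bool            // role -> allowed actions
}

// Allowed denies by default: an empty factor (what the noop resolvers in ConfigDefault
// produce) is an error, an unknown principal/object pair is false, only an explicit grant is true.
func (r *RoleChecker) Allowed(_ context.Context, p AuthzPrincipal, o AuthzObject, a AuthzAction) (bool, error) {
	if p == "" || o == "" || a == "" {
		return false, errors.New("principal, object and action must all be set")
	}
	role, ok := r.Roles[o][p]
	if !ok {
		return false, nil
	}
	return r.Grants[role][a], nil
}

// NewTeamChecker builds a checker for one team object with an admin who may read
// and write and a viewer who may only read (constructed sample data).
func NewTeamChecker(team AuthzObject, admin, viewer AuthzPrincipal) *RoleChecker {
	return &RoleChecker{
		Roles:  map[AuthzObject]map[AuthzPrincipal]string{team: {admin: "admin", viewer: "viewer"}},
		Grants: map[string]map[AuthzAction]bool{"admin": {"read": true, "write": true}, "viewer": {"read": true}},
	}
}

func main() {
	c := NewTeamChecker("system:t-42", "alice", "bob")
	fmt.Println(c.Allowed(context.Background(), "bob", "system:t-42", "write"))
}
```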

OpenAPI

Using OpenAPI extensions, individual operations can be protected with OpenFGA.

x-fiber-authz-fga:
  user:
    namespace: user
    auth_type: oidc
  relation:
    name: admin
  object:
    namespace: system
    components:
      - in: params
        name: teamId

There are three parts to the OpenAPI extension:

  • user - The user namespace and authentication type.
  • relation - The relation name.
  • object - The object namespace and components.

The relation or object is then built from one or more components:

  • in - The location of the component (e.g. path).
  • name - The name of the component (e.g. teamId).
  • type - The type of the component (e.g. string).
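An added example, not part of the project, of how the three parts of the extension above resolve into one OpenFGA check for a request: the user becomes user:<principal>, the relation is admin, and the object is system:<teamId> with teamId taken from the path params (the principal is assumed to be already authenticated, as auth_type: oidc implies). The Component, FGAExtension and Request structs, the joining of several components with "/" and the rejection of ':' and '#' in resolved values are this example's own assumptions, not the package's behaviour:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Go mirror of the x-fiber-authz-fga fields used here (constructed for this example, not the package's types).
type Component struct{ In, Name string }

type FGAExtension struct {
	UserNamespace, RelationName, ObjectNamespace string
	Components                                   []Component
}

// Request is what the components resolve from: the authenticated subject plus path and query params.
type Request struct {
	Principal     string
	Params, Query map[string]string
}

// BuildCheck turns the extension and the request into the user, relation and object strings of an
// OpenFGA check; anything missing or ambiguous is an error so the caller fails closed.
func BuildCheck(ext FGAExtension, req Request) (user, relation, object string, err error) {
	if req.Principal == "" || ext.RelationName == "" || len(ext.Components) == 0 {
		return "", "", "", errors.New("principal, relation and object components are required")
	}
	ids := make([]string, 0, len(ext.Components))
	for _, c := range ext.Components {
		src := map[string]map[string]string{"params": req.Params, "query": req.Query}[c.In] // unknown "in" -> nil map
		v, ok := src[c.Name]
		// ':' and '#' are separators in OpenFGA strings; refuse them so a request value cannot change which object is checked.
		if !ok || v == "" || strings.ContainsAny(v, ":#") {
			return "", "", "", fmt.Errorf("component %q in %q is missing or invalid", c.Name, c.In)
		}
		ids = append(ids, v)
	}
	return ext.UserNamespace + ":" + req.Principal, ext.RelationName,
		ext.ObjectNamespace + ":" + strings.Join(ids, "/"), nil
}

// TeamAdminExtension is the README's extension: user:<principal> must be admin of system:<teamId>.
var TeamAdminExtension = FGAExtension{UserNamespace: "user", RelationName: "admin", ObjectNamespace: "system",
	Components: []Component{{In: "params", Name: "teamId"}}}

func main() {
	fmt.Println(BuildCheck(TeamAdminExtension, Request{Principal: "alice", Params: map[string]string{"teamId": "t-42"}}))
}
```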

Examples

See examples to understand the provided interfaces.

License

MIT

Documentation

Index

Constants

const (
	AuthzNoPrincipial AuthzPrincipal = ""
	AuthzNoObject     AuthzObject    = ""
	AuthzNoAction     AuthzAction    = ""
)
const (
	PermissionsClaim = "perms"
)

Variables

var (
	ErrNoAuthHeader      = errors.New("authorization header is missing")
	ErrInvalidAuthHeader = errors.New("authorization header is malformed")
	ErrClaimsInvalid     = errors.New("provided claims do not match expected scopes")
)
var ConfigDefault = Config{
	ErrorHandler:      defaultErrorHandler,
	ObjectResolver:    NewNoopObjectResolver(),
	PrincipalResolver: NewNoopPrincipalResolver(),
	ActionResolver:    NewNoopActionResolver(),
	Checker:           NewNoop(),
}

ConfigDefault is the default config.

var ErrForbidden = errors.New("forbidden")

ErrForbidden ...

var ErrNoAuthzContext = errors.New("no authz context")

ErrNoAuthzContext is the error returned when the context is not found.

Functions

func Authenticate added in v1.0.1

func Authenticate(handler fiber.Handler, config ...Config) fiber.Handler

Authenticate is a middleware that sets the principal and user in the context.

func Authenticated added in v1.0.25

func Authenticated(ctx context.Context, checker AuthzChecker, validate JWSValidator, input *openapi3filter.AuthenticationInput) error

Authenticated ...

func CheckTokenClaims added in v1.0.1

func CheckTokenClaims(expectedClaims []string, t jwt.Token) error

CheckTokenClaims ...

func DefaultAuthzExtractor added in v1.0.19

func DefaultAuthzExtractor(c *fiber.Ctx) (AuthzPrincipal, AuthzObject, AuthzAction, error)

DefaultAuthzExtractor is the default authz extractor.

func GetClaimsFromToken added in v1.0.1

func GetClaimsFromToken(t jwt.Token) ([]string, error)

GetClaimsFromToken ...

func GetJWSFromRequest added in v1.0.1

func GetJWSFromRequest(req *http.Request) (string, error)

GetJWSFromRequest ...

func NewAuthenticator added in v1.0.1

NewAuthenticator ...

func NewCheckerHandler added in v1.0.1

func NewCheckerHandler(config ...Config) fiber.Handler

NewCheckerHandler returns a new fiber.Handler that checks if the principal can perform the action on the object.

func NewFGA added in v1.0.1

func NewFGA(c *client.OpenFgaClient) *fga

NewFGA returns a new FGA authz checker

func NewNoop added in v1.0.1

func NewNoop() *noop

NewNoop returns a new Noop authz checker

func NewOpenAPIAuthenticator added in v1.0.14

func NewOpenAPIAuthenticator(opts ...OpenAPIAuthenticatorOpt) openapi3filter.AuthenticationFunc

NewOpenAPIAuthenticator creates a new OpenAPI authenticator.

func NewOpenAPIErrorHandler added in v1.0.14

func NewOpenAPIErrorHandler() middleware.ErrorHandler

NewOpenAPIErrorHandler creates a new OpenAPI error handler.

Types

type AuthzAction added in v1.0.1

type AuthzAction string

AuthzAction is the action.

func (AuthzAction) String added in v1.0.1

func (a AuthzAction) String() string

String is the stringer implementation.

type AuthzActionResolver added in v1.0.8

type AuthzActionResolver interface {
	// Resolve ...
	Resolve(c *fiber.Ctx) (AuthzAction, error)
}

AuthzActionResolver is the interface that wraps the Resolve method.

func NewNoopActionResolver added in v1.0.8

func NewNoopActionResolver() AuthzActionResolver

NewNoopActionResolver ...

type AuthzChecker

type AuthzChecker interface {
	// Allowed ...
	Allowed(context.Context, AuthzPrincipal, AuthzObject, AuthzAction) (bool, error)
}

AuthzChecker is the interface that wraps the Allowed method.

type AuthzContext added in v1.0.19

type AuthzContext struct {
	Principal AuthzPrincipal
	Object    AuthzObject
	Action    AuthzAction
}

AuthzContext is the type of the context key.

func GetAuthzContext added in v1.0.19

func GetAuthzContext(ctx context.Context) (AuthzContext, error)

GetAuthzContext extracts the AuthzContext from the context.

func NewAuthzContext added in v1.0.19

func NewAuthzContext(principal AuthzPrincipal, object AuthzObject, action AuthzAction) AuthzContext

NewAuthzContext is the constructor for the AuthzContext.

type AuthzController added in v1.0.28

type AuthzController interface {
	// GetPrincipial returns the principal.
	GetPrincipial(ctx *fiber.Ctx) (AuthzPrincipal, error)
	// GetObject returns the object.
	GetObject(ctx *fiber.Ctx) (AuthzObject, error)
	// GetAction returns the action.
	GetAction(ctx *fiber.Ctx) (AuthzAction, error)
}

AuthzController is the controller that holds the three factors (principal, object and action) used for the authorization check.

type AuthzExtractor added in v1.0.19

type AuthzExtractor func(c *fiber.Ctx) (AuthzPrincipal, AuthzObject, AuthzAction, error)

AuthzExtractor is a function that extracts the principal, object and action from the request context.

type AuthzFGAAction added in v1.0.25

type AuthzFGAAction = AuthzAction

AuthzFGAAction is the action.

type AuthzFGARelation added in v1.0.25

type AuthzFGARelation = AuthzObject

AuthzFGARelation is the object.

type AuthzFGAUser added in v1.0.25

type AuthzFGAUser = AuthzPrincipal

AuthzFGAUser is the subject.

type AuthzObject added in v1.0.1

type AuthzObject string

AuthzObject is the object.

func (AuthzObject) String added in v1.0.1

func (a AuthzObject) String() string

String is the stringer implementation.

type AuthzObjectResolver added in v1.0.8

type AuthzObjectResolver interface {
	// Resolve ...
	Resolve(c *fiber.Ctx) (AuthzObject, error)
}

AuthzObjectResolver is the interface that wraps the Resolve method.

func NewNoopObjectResolver added in v1.0.8

func NewNoopObjectResolver() AuthzObjectResolver

NewNoopObjectResolver ...

type AuthzParams added in v1.0.25

type AuthzParams struct {
	// Principal is the subject.
	Principal AuthzPrincipal `json:"principal" params:"principal" query:"principal" form:"principal"`
	// Object is the object.
	Object AuthzObject `json:"object" params:"object" query:"object" form:"object"`
	// Action is the action.
	Action AuthzAction `json:"action" params:"action" query:"action" form:"action"`
}

AuthzParams is the struct that holds the principal, object and action from the context. There needs to be a :principal, :object and :action in the context.

type AuthzPrincipal

type AuthzPrincipal string

AuthzPrincipal is the subject.

func (AuthzPrincipal) String added in v1.0.1

func (a AuthzPrincipal) String() string

String is the stringer implementation.

type AuthzPrincipalResolver added in v1.0.8

type AuthzPrincipalResolver interface {
	// Resolve ...
	Resolve(c *fiber.Ctx) (AuthzPrincipal, error)
}

AuthzPrincipalResolver is the interface that wraps the Resolve method.

func NewGothAuthzPrincipalResolver added in v1.0.8

func NewGothAuthzPrincipalResolver() AuthzPrincipalResolver

NewGothAuthzPrincipalResolver returns a new GothAuthzPrincipalResolver.

func NewNoopPrincipalResolver added in v1.0.8

func NewNoopPrincipalResolver() AuthzPrincipalResolver

NewNoopPrincipalResolver ...

type Config

type Config struct {
	// Next defines a function to skip this middleware when returned true.
	Next func(c *fiber.Ctx) bool

	// Checker is implementing the AuthzChecker interface.
	Checker AuthzChecker

	// ObjectResolver is the object resolver.
	ObjectResolver AuthzObjectResolver

	// ActionResolver is the action resolver.
	ActionResolver AuthzActionResolver

	// PrincipalResolver is the principal resolver.
	PrincipalResolver AuthzPrincipalResolver

	// ErrorHandler is executed when an error is returned from fiber.Handler.
	//
	// Optional. Default: DefaultErrorHandler
	ErrorHandler fiber.ErrorHandler
}

Config ...

type DefaultAuthzController added in v1.0.28

type DefaultAuthzController struct {
	PrincipalResolver AuthzPrincipalResolver
	ObjectResolver    AuthzObjectResolver
	ActionResolver    AuthzActionResolver
}

DefaultAuthzController is the default implementation of the AuthzController.

func NewDefaultAuthzController added in v1.0.28

NewDefaultAuthzController returns a new DefaultAuthzController.

func (*DefaultAuthzController) GetAction added in v1.0.29

func (d *DefaultAuthzController) GetAction(ctx *fiber.Ctx) (AuthzAction, error)

GetAction returns the action.

func (*DefaultAuthzController) GetObject added in v1.0.29

func (d *DefaultAuthzController) GetObject(ctx *fiber.Ctx) (AuthzObject, error)

GetObject returns the object.

func (*DefaultAuthzController) GetPrincipial added in v1.0.29

func (d *DefaultAuthzController) GetPrincipial(ctx *fiber.Ctx) (AuthzPrincipal, error)

GetPrincipial returns the principal.

type Fake added in v1.0.19

type Fake struct {
	// contains filtered or unexported fields
}

Fake is a fake authz checker.

func NewFake added in v1.0.19

func NewFake(allowed bool) *Fake

NewFake returns a new Fake authz checker.

func (*Fake) Allowed added in v1.0.19

func (f *Fake) Allowed(_ context.Context, _ AuthzPrincipal, _ AuthzObject, _ AuthzAction) (bool, error)

Allowed returns true if the principal is allowed to perform the action on the object.

type GothAuthzPrincipalResolver added in v1.0.30

type GothAuthzPrincipalResolver struct{}

GothAuthzPrincipalResolver is the resolver that resolves the principal from the goth session.

func (*GothAuthzPrincipalResolver) Resolve added in v1.0.30

func (g *GothAuthzPrincipalResolver) Resolve(c *fiber.Ctx) (AuthzPrincipal, error)

Resolve returns the principal from the goth session.

type JWSValidator added in v1.0.1

type JWSValidator interface {
	ValidateJWS(jws string) (jwt.Token, error)
}

JWSValidator ...

type OpenAPIAuthenticatorOpt added in v1.0.15

type OpenAPIAuthenticatorOpt func(*OpenAPIAuthenticatorOpts)

OpenAPIAuthenticatorOpt is a function that sets an option on the OpenAPI authenticator.

func WithAuthzActionResolver added in v1.0.19

func WithAuthzActionResolver(resolver AuthzActionResolver) OpenAPIAuthenticatorOpt

WithAuthzActionResolver sets the action resolver.

func WithAuthzChecker added in v1.0.19

func WithAuthzChecker(checker AuthzChecker) OpenAPIAuthenticatorOpt

WithAuthzChecker sets the authz checker.

func WithAuthzObjectResolver added in v1.0.19

func WithAuthzObjectResolver(resolver AuthzObjectResolver) OpenAPIAuthenticatorOpt

WithAuthzObjectResolver sets the object resolver.

func WithAuthzPrincipalResolver added in v1.0.19

func WithAuthzPrincipalResolver(resolver AuthzPrincipalResolver) OpenAPIAuthenticatorOpt

WithAuthzPrincipalResolver sets the principal resolver.

type OpenAPIAuthenticatorOpts added in v1.0.15

type OpenAPIAuthenticatorOpts struct {
	AuthzPrincipalResolver AuthzPrincipalResolver
	AuthzObjectResolver    AuthzObjectResolver
	AuthzActionResolver    AuthzActionResolver
	AuthzChecker           AuthzChecker
}

OpenAPIAuthenticatorOpts are the OpenAPI authenticator options.

func OpenAPIAuthenticatorDefaultOpts added in v1.0.15

func OpenAPIAuthenticatorDefaultOpts() OpenAPIAuthenticatorOpts

OpenAPIAuthenticatorDefaultOpts are the default OpenAPI authenticator options.

func (*OpenAPIAuthenticatorOpts) Conigure added in v1.0.15

Conigure the OpenAPI authenticator.

type Unimplemented

type Unimplemented struct{}

Unimplemented is the default implementation.

func (*Unimplemented) Allowed

Allowed is the default implementation.

Directories

Path Synopsis
fga
internal
oas
