authz

package module: github.com/zeiss/fiber-authz v1.0.27
Published: Jun 13, 2024 License: MIT Imports: 11 Imported by: 4

README

👮‍♀️ AuthZ


Installation

$ go get github.com/zeiss/fiber-authz

Usage

  • OpenFGA
  • Team-based access control
  • Role-based access control
  • Noop (for testing)

Any authorization model can be supported by implementing the AuthzChecker interface, whose single Allowed method decides whether a principal may perform an action on an object.
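A worked example of such a model, added here and not part of fiber-authz: a role-based checker with the same Allowed signature. The Authz* types and ErrForbidden are re-declared locally so the file compiles without the package (assumption: same shapes as the package's); RBAC, Grant, Bind and Authorize are this example's own names, and the roles and bindings in main are constructed. The point to copy is the deny-by-default handling: the AuthzNo* zero values and any unknown principal, object or action are refused, and a cancelled context is an error rather than a verdict.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Stand-ins for the fiber-authz types, re-declared so the example compiles on
// its own (assumption: same shapes as in the package).
type (
	AuthzPrincipal string
	AuthzObject    string
	AuthzAction    string
)

const (
	AuthzNoPrincipal AuthzPrincipal = ""
	AuthzNoObject    AuthzObject    = ""
	AuthzNoAction    AuthzAction    = ""
)

var ErrForbidden = errors.New("forbidden")

// AuthzChecker is the one-method interface every authorization model plugs into.
type AuthzChecker interface {
	Allowed(context.Context, AuthzPrincipal, AuthzObject, AuthzAction) (bool, error)
}

// RBAC is a hypothetical role-based checker: roles grant actions on objects,
// principals are bound to roles, and anything not granted is denied.
type RBAC struct {
	grants   map[string]map[AuthzObject]map[AuthzAction]bool // role -> object -> action
	bindings map[AuthzPrincipal][]string                       // principal -> roles
}

func NewRBAC() *RBAC {
	return &RBAC{grants: map[string]map[AuthzObject]map[AuthzAction]bool{}, bindings: map[AuthzPrincipal][]string{}}
}

// Grant lets role perform actions on obj (set-up only; not safe to call concurrently with Allowed).
func (r *RBAC) Grant(role string, obj AuthzObject, actions ...AuthzAction) {
	if r.grants[role] == nil {
		r.grants[role] = map[AuthzObject]map[AuthzAction]bool{}
	}
	if r.grants[role][obj] == nil {
		r.grants[role][obj] = map[AuthzAction]bool{}
	}
	for _, a := range actions {
		r.grants[role][obj][a] = true
	}
}

// Bind assigns roles to a principal.
func (r *RBAC) Bind(p AuthzPrincipal, roles ...string) {
	r.bindings[p] = append(r.bindings[p], roles...)
}

// Allowed implements AuthzChecker and fails closed: an unresolved principal, object
// or action (the AuthzNo* zero values) is never allowed; a cancelled context is an error.
func (r *RBAC) Allowed(ctx context.Context, p AuthzPrincipal, o AuthzObject, a AuthzAction) (bool, error) {
	if p == AuthzNoPrincipal || o == AuthzNoObject || a == AuthzNoAction {
		return false, nil
	}
	if err := ctx.Err(); err != nil {
		return false, err
	}
	for _, role := range r.bindings[p] {
		if r.grants[role][o][a] { // reads through nil maps yield false
			return true, nil
		}
	}
	return false, nil
}

// Authorize is the call-site shape a middleware uses: a checker error is propagated, a "no" becomes ErrForbidden.
func Authorize(ctx context.Context, c AuthzChecker, p AuthzPrincipal, o AuthzObject, a AuthzAction) error {
	ok, err := c.Allowed(ctx, p, o, a)
	if err != nil {
		return err
	}
	if !ok {
		return ErrForbidden
	}
	return nil
}

func main() {
	rbac := NewRBAC()
	rbac.Grant("editor", "doc:1", "read", "write")
	rbac.Grant("viewer", "doc:1", "read")
	rbac.Bind("alice", "editor")
	rbac.Bind("bob", "viewer")
	ctx := context.Background()
	fmt.Println(Authorize(ctx, rbac, "alice", "doc:1", "write"), Authorize(ctx, rbac, "bob", "doc:1", "write")) // <nil> forbidden
}
```

The checker is deliberately unable to say "yes" to an empty principal: with a permissive default elsewhere in the chain, that is the case that otherwise turns a missing login into an allowed request.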

Examples

See examples to understand the provided interfaces.

License

MIT

Documentation

Index

Constants

const (
	AuthzNoPrincipial AuthzPrincipal = ""
	AuthzNoObject     AuthzObject    = ""
	AuthzNoAction     AuthzAction    = ""
)
const (
	PermissionsClaim = "perms"
)

Variables

var (
	ErrNoAuthHeader      = errors.New("authorization header is missing")
	ErrInvalidAuthHeader = errors.New("authorization header is malformed")
	ErrClaimsInvalid     = errors.New("provided claims do not match expected scopes")
)
var ConfigDefault = Config{
	ErrorHandler:      defaultErrorHandler,
	ObjectResolver:    NewNoopObjectResolver(),
	PrincipalResolver: NewNoopPrincipalResolver(),
	ActionResolver:    NewNoopActionResolver(),
	Checker:           NewNoop(),
}

ConfigDefault is the default config.

var ErrForbidden = errors.New("forbidden")

ErrForbidden is the error returned when an authorization check denies the request.

var ErrNoAuthzContext = errors.New("no authz context")

ErrNoAuthzContext is the error returned when the context is not found.

Functions

func Authenticate added in v1.0.1

func Authenticate(handler fiber.Handler, config ...Config) fiber.Handler

Authenticate is a middleware that sets the principal and user in the context.

func Authenticated added in v1.0.25

func Authenticated(ctx context.Context, checker AuthzChecker, validate JWSValidator, input *openapi3filter.AuthenticationInput) error

Authenticated validates the JWS of the request described by input using validate and consults checker for the authorization decision; it returns an error when either step fails. It is the authentication function used by the OpenAPI authenticator.

func CheckTokenClaims added in v1.0.1

func CheckTokenClaims(expectedClaims []string, t jwt.Token) error

CheckTokenClaims verifies that the token t carries every claim listed in expectedClaims and returns ErrClaimsInvalid otherwise. It only compares claims; the token must already have been validated by a JWSValidator.

func DefaultAuthzExtractor added in v1.0.19

func DefaultAuthzExtractor(c *fiber.Ctx) (AuthzPrincipal, AuthzObject, AuthzAction, error)

DefaultAuthzExtractor is the default authz extractor.

func GetClaimsFromToken added in v1.0.1

func GetClaimsFromToken(t jwt.Token) ([]string, error)

GetClaimsFromToken returns the permission claims stored in the token t under PermissionsClaim ("perms").

func GetJWSFromRequest added in v1.0.1

func GetJWSFromRequest(req *http.Request) (string, error)

GetJWSFromRequest extracts the compact JWS from the request's Authorization header. It returns ErrNoAuthHeader when the header is absent and ErrInvalidAuthHeader when it is malformed.
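As an added example, not the package's own code, of the bearer-token path that GetJWSFromRequest, GetClaimsFromToken and CheckTokenClaims cover: extract the JWS from the Authorization header, hand it to a validator that plays the JWSValidator role, and only then compare the perms claim against the scopes a route requires. Claims, RequireScopes and fakeValidate are this example's own names, the claim shape (a JSON array of strings) is an assumption, and the token string and claim values are constructed. Nothing reads claims before the validator has accepted the signature.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

const PermissionsClaim = "perms"

var (
	ErrNoAuthHeader      = errors.New("authorization header is missing")
	ErrInvalidAuthHeader = errors.New("authorization header is malformed")
	ErrClaimsInvalid     = errors.New("provided claims do not match expected scopes")
)

// GetJWSFromRequest pulls the compact JWS out of "Authorization: Bearer <jws>". Anything
// but one Bearer token of three dot-separated segments is rejected before a validator sees it.
func GetJWSFromRequest(req *http.Request) (string, error) {
	h := req.Header.Get("Authorization")
	if h == "" {
		return "", ErrNoAuthHeader
	}
	scheme, jws, found := strings.Cut(h, " ")
	jws = strings.TrimSpace(jws)
	if !found || !strings.EqualFold(scheme, "Bearer") || jws == "" ||
		strings.ContainsAny(jws, " \t") || strings.Count(jws, ".") != 2 {
		return "", ErrInvalidAuthHeader
	}
	return jws, nil
}

// Claims stands in for the claim set of a token whose signature has already been verified
// (assumption: "perms" is a JSON array of strings, which a JSON decoder hands back as []any).
type Claims map[string]any

// GetClaimsFromToken returns the permissions listed under PermissionsClaim.
// An absent claim means no permissions; a claim of the wrong shape is an error.
func GetClaimsFromToken(c Claims) ([]string, error) {
	list, ok := c[PermissionsClaim].([]any)
	if _, present := c[PermissionsClaim]; present && !ok {
		return nil, ErrClaimsInvalid
	}
	perms := make([]string, 0, len(list))
	for _, v := range list {
		s, ok := v.(string)
		if !ok {
			return nil, ErrClaimsInvalid
		}
		perms = append(perms, s)
	}
	return perms, nil
}

// CheckTokenClaims requires every expected permission to be present; extra permissions are ignored.
func CheckTokenClaims(expected []string, c Claims) error {
	have, err := GetClaimsFromToken(c)
	if err != nil {
		return err
	}
	set := make(map[string]bool, len(have))
	for _, p := range have {
		set[p] = true
	}
	for _, want := range expected {
		if !set[want] {
			return ErrClaimsInvalid
		}
	}
	return nil
}

// RequireScopes is the full order of operations: extract, verify the signature
// (validate plays the JWSValidator role), and only then compare claims.
func RequireScopes(req *http.Request, validate func(string) (Claims, error), expected []string) error {
	jws, err := GetJWSFromRequest(req)
	if err != nil {
		return err
	}
	claims, err := validate(jws)
	if err != nil {
		return err
	}
	return CheckTokenClaims(expected, claims)
}

// fakeValidate is a constructed validator: it accepts exactly one token string in place of real signature verification.
func fakeValidate(jws string) (Claims, error) {
	if jws != "hdr.payload.sig" {
		return nil, errors.New("signature verification failed")
	}
	return Claims{PermissionsClaim: []any{"docs:read", "docs:write"}}, nil
}

func main() {
	req, _ := http.NewRequest(http.MethodGet, "/docs", nil)
	req.Header.Set("Authorization", "Bearer hdr.payload.sig")
	fmt.Println(RequireScopes(req, fakeValidate, []string{"docs:read"}), RequireScopes(req, fakeValidate, []string{"admin"})) // <nil> provided claims do not match expected scopes
}
```

Two details worth keeping when adapting this: the scheme comparison is case-insensitive (the HTTP auth-scheme is), and a perms claim that is not an array of strings is treated as invalid rather than as empty, so a malformed token cannot pass a route that requires no scopes by accident.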

func NewAuthenticator added in v1.0.1

NewAuthenticator ...

func NewCheckerHandler added in v1.0.1

func NewCheckerHandler(config ...Config) fiber.Handler

NewCheckerHandler returns a new fiber.Handler that checks if the principal can perform the action on the object.

func NewFGA added in v1.0.1

func NewFGA(c *client.OpenFgaClient) *fga

NewFGA returns a new FGA authz checker

func NewNoop added in v1.0.1

func NewNoop() *noop

NewNoop returns a new Noop authz checker

func NewOpenAPIAuthenticator added in v1.0.14

func NewOpenAPIAuthenticator(opts ...OpenAPIAuthenticatorOpt) openapi3filter.AuthenticationFunc

NewOpenAPIAuthenticator creates a new OpenAPI authenticator.

func NewOpenAPIErrorHandler added in v1.0.14

func NewOpenAPIErrorHandler() middleware.ErrorHandler

NewOpenAPIErrorHandler creates a new OpenAPI error handler.

Types

type AuthzAction added in v1.0.1

type AuthzAction string

AuthzAction is the action.

func (AuthzAction) String added in v1.0.1

func (a AuthzAction) String() string

String is the stringer implementation.

type AuthzActionResolver added in v1.0.8

type AuthzActionResolver interface {
	// Resolve derives the action from the request.
	Resolve(c *fiber.Ctx) (AuthzAction, error)
}

AuthzActionResolver is the interface that wraps the Resolve method.

func NewNoopActionResolver added in v1.0.8

func NewNoopActionResolver() AuthzActionResolver

NewNoopActionResolver returns the no-op action resolver used by ConfigDefault.

type AuthzChecker

type AuthzChecker interface {
	// Allowed reports whether the principal may perform the action on the object.
	Allowed(context.Context, AuthzPrincipal, AuthzObject, AuthzAction) (bool, error)
}

AuthzChecker is the interface that wraps the Allowed method.

type AuthzContext added in v1.0.19

type AuthzContext struct {
	Principal AuthzPrincipal
	Object    AuthzObject
	Action    AuthzAction
}

AuthzContext carries the resolved principal, object and action through the request context.

func GetAuthzContext added in v1.0.19

func GetAuthzContext(ctx context.Context) (AuthzContext, error)

GetAuthzContext extracts the AuthzContext from the context.

func NewAuthzContext added in v1.0.19

func NewAuthzContext(principal AuthzPrincipal, object AuthzObject, action AuthzAction) AuthzContext

NewAuthzContext is the constructor for the AuthzContext.

type AuthzExtractor added in v1.0.19

type AuthzExtractor func(c *fiber.Ctx) (AuthzPrincipal, AuthzObject, AuthzAction, error)

AuthzExtractor is a function that extracts the principal, object and action from the fiber context.

type AuthzFGAAction added in v1.0.25

type AuthzFGAAction = AuthzAction

AuthzFGAAction is an alias for AuthzAction under the OpenFGA naming.

type AuthzFGARelation added in v1.0.25

type AuthzFGARelation = AuthzObject

AuthzFGARelation is an alias for AuthzObject under the OpenFGA naming.

type AuthzFGAUser added in v1.0.25

type AuthzFGAUser = AuthzPrincipal

AuthzFGAUser is an alias for AuthzPrincipal: the OpenFGA user, i.e. the subject.

type AuthzObject added in v1.0.1

type AuthzObject string

AuthzObject is the object.

func (AuthzObject) String added in v1.0.1

func (a AuthzObject) String() string

String is the stringer implementation.

type AuthzObjectResolver added in v1.0.8

type AuthzObjectResolver interface {
	// Resolve derives the object from the request.
	Resolve(c *fiber.Ctx) (AuthzObject, error)
}

AuthzObjectResolver is the interface that wraps the Resolve method.

func NewNoopObjectResolver added in v1.0.8

func NewNoopObjectResolver() AuthzObjectResolver

NewNoopObjectResolver returns the no-op object resolver used by ConfigDefault.

type AuthzParams added in v1.0.25

type AuthzParams struct {
	// Principal is the subject.
	Principal AuthzPrincipal `json:"principal" params:"principal" query:"principal" form:"principal"`
	// Object is the object.
	Object AuthzObject `json:"object" params:"object" query:"object" form:"object"`
	// Action is the action.
	Action AuthzAction `json:"action" params:"action" query:"action" form:"action"`
}

AuthzParams holds the principal, object and action parsed from the request. The route must provide :principal, :object and :action parameters; the struct tags also accept them from the JSON body, query string or form.

type AuthzPrincipal

type AuthzPrincipal string

AuthzPrincipal is the subject.

func (AuthzPrincipal) String added in v1.0.1

func (a AuthzPrincipal) String() string

String is the stringer implementation.

type AuthzPrincipalResolver added in v1.0.8

type AuthzPrincipalResolver interface {
	// Resolve derives the principal from the request.
	Resolve(c *fiber.Ctx) (AuthzPrincipal, error)
}

AuthzPrincipalResolver is the interface that wraps the Resolve method.

func NewGothAuthzPrincipalResolver added in v1.0.8

func NewGothAuthzPrincipalResolver() AuthzPrincipalResolver

NewGothAuthzPrincipalResolver returns a principal resolver backed by the request's Goth authentication session.

func NewNoopPrincipalResolver added in v1.0.8

func NewNoopPrincipalResolver() AuthzPrincipalResolver

NewNoopPrincipalResolver returns the no-op principal resolver used by ConfigDefault.

type Config

type Config struct {
	// Next defines a function to skip this middleware when returned true.
	Next func(c *fiber.Ctx) bool

	// Checker is implementing the AuthzChecker interface.
	Checker AuthzChecker

	// ObjectResolver is the object resolver.
	ObjectResolver AuthzObjectResolver

	// ActionResolver is the action resolver.
	ActionResolver AuthzActionResolver

	// PrincipalResolver is the principal resolver.
	PrincipalResolver AuthzPrincipalResolver

	// ErrorHandler is executed when an error is returned from fiber.Handler.
	//
	// Optional. Default: DefaultErrorHandler
	ErrorHandler fiber.ErrorHandler
}

Config is the configuration of the authz middleware; ConfigDefault lists the defaults.
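To show how the fields of Config fit together at request time, here is an added example, not the package's code, that rebuilds NewCheckerHandler on net/http with *http.Request in place of *fiber.Ctx. The Authz* types, Config, Fake and the three resolvers are local stand-ins (assumption: same shapes as the package's), the error-to-status mapping is done inline rather than through a separate ErrorHandler, and the X-Principal header is a constructed substitute for whatever Authenticate or the Goth resolver would supply. The property to carry over is the ordering: a resolver error, an empty principal, a checker error and a denied check all stop the request before the wrapped handler runs.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Stand-ins for the fiber-authz types (assumption: same shapes as the package;
// *http.Request takes the place of *fiber.Ctx so no fiber dependency is needed).
type (
	AuthzPrincipal string
	AuthzObject    string
	AuthzAction    string
	AuthzChecker   interface{ Allowed(context.Context, AuthzPrincipal, AuthzObject, AuthzAction) (bool, error) }
	Fake           struct{ allowed bool } // fixed verdict, like authz.NewFake(allowed)
	// Config mirrors authz.Config; the error-to-status mapping is inline below instead of via ErrorHandler.
	Config struct {
		Checker           AuthzChecker
		PrincipalResolver func(*http.Request) (AuthzPrincipal, error)
		ObjectResolver    func(*http.Request) (AuthzObject, error)
		ActionResolver    func(*http.Request) (AuthzAction, error)
	}
)

const AuthzNoPrincipal AuthzPrincipal = ""

var (
	ErrForbidden   = errors.New("forbidden")
	errNoPrincipal = errors.New("no principal resolved") // this example's own
)

func (f Fake) Allowed(context.Context, AuthzPrincipal, AuthzObject, AuthzAction) (bool, error) {
	return f.allowed, nil
}

// NewCheckerHandler resolves principal, object and action, asks the checker and only then
// calls next. A resolver error, an empty principal, a checker error and a "no" verdict are all
// denials, so a permissive checker cannot wave an unauthenticated caller through.
func NewCheckerHandler(cfg Config, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, perr := cfg.PrincipalResolver(r)
		o, oerr := cfg.ObjectResolver(r)
		a, aerr := cfg.ActionResolver(r)
		err := errors.Join(perr, oerr, aerr)
		if err == nil && p == AuthzNoPrincipal {
			err = errNoPrincipal
		}
		if err == nil {
			var ok bool
			if ok, err = cfg.Checker.Allowed(r.Context(), p, o, a); err == nil && !ok {
				err = ErrForbidden
			}
		}
		if err != nil {
			code := http.StatusInternalServerError // unknown failures deny as well
			if errors.Is(err, errNoPrincipal) {
				code = http.StatusUnauthorized
			} else if errors.Is(err, ErrForbidden) {
				code = http.StatusForbidden
			}
			http.Error(w, http.StatusText(code), code) // err's text never reaches the client
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Constructed resolvers. X-Principal stands in for a session that an authentication
// layer in front of this handler sets; never trust it straight from the network.
func headerPrincipal(r *http.Request) (AuthzPrincipal, error) {
	return AuthzPrincipal(r.Header.Get("X-Principal")), nil
}
func pathObject(r *http.Request) (AuthzObject, error) { return AuthzObject(r.URL.Path), nil }
func methodAction(r *http.Request) (AuthzAction, error) {
	if r.Method == http.MethodGet || r.Method == http.MethodHead {
		return "read", nil
	}
	return "write", nil
}

// Serve runs one request through the middleware in front of a 204 handler and returns the status.
func Serve(cfg Config, method, path, principal string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("X-Principal", principal)
	rec := httptest.NewRecorder()
	NewCheckerHandler(cfg, next).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cfg := Config{Checker: Fake{allowed: true}, PrincipalResolver: headerPrincipal,
		ObjectResolver: pathObject, ActionResolver: methodAction}
	fmt.Println(Serve(cfg, http.MethodGet, "/docs/1", "alice"), Serve(cfg, http.MethodPost, "/docs/1", "")) // 204 401
}
```

Note what the allow-all Fake cannot do here: with no principal the checker is never consulted and the request is answered 401, which is the behaviour to check for in your own wiring before trusting a permissive checker in tests.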

type Fake added in v1.0.19

type Fake struct {
	// contains filtered or unexported fields
}

Fake is a fake authz checker.

func NewFake added in v1.0.19

func NewFake(allowed bool) *Fake

NewFake returns a new Fake authz checker.

func (*Fake) Allowed added in v1.0.19

func (f *Fake) Allowed(_ context.Context, _ AuthzPrincipal, _ AuthzObject, _ AuthzAction) (bool, error)

Allowed returns true if the principal is allowed to perform the action on the object.

type JWSValidator added in v1.0.1

type JWSValidator interface {
	ValidateJWS(jws string) (jwt.Token, error)
}

JWSValidator verifies a compact-serialized JWS and returns the parsed token. Signature verification belongs here; CheckTokenClaims only compares claims and must run after it.

type OpenAPIAuthenticatorOpt added in v1.0.15

type OpenAPIAuthenticatorOpt func(*OpenAPIAuthenticatorOpts)

OpenAPIAuthenticatorOpt is a function that sets an option on the OpenAPI authenticator.

func WithAuthzActionResolver added in v1.0.19

func WithAuthzActionResolver(resolver AuthzActionResolver) OpenAPIAuthenticatorOpt

WithAuthzActionResolver sets the action resolver.

func WithAuthzChecker added in v1.0.19

func WithAuthzChecker(checker AuthzChecker) OpenAPIAuthenticatorOpt

WithAuthzChecker sets the authz checker.

func WithAuthzObjectResolver added in v1.0.19

func WithAuthzObjectResolver(resolver AuthzObjectResolver) OpenAPIAuthenticatorOpt

WithAuthzObjectResolver sets the object resolver.

func WithAuthzPrincipalResolver added in v1.0.19

func WithAuthzPrincipalResolver(resolver AuthzPrincipalResolver) OpenAPIAuthenticatorOpt

WithAuthzPrincipalResolver sets the principal resolver.

type OpenAPIAuthenticatorOpts added in v1.0.15

type OpenAPIAuthenticatorOpts struct {
	AuthzPrincipalResolver AuthzPrincipalResolver
	AuthzObjectResolver    AuthzObjectResolver
	AuthzActionResolver    AuthzActionResolver
	AuthzChecker           AuthzChecker
}

OpenAPIAuthenticatorOpts are the OpenAPI authenticator options.

func OpenAPIAuthenticatorDefaultOpts added in v1.0.15

func OpenAPIAuthenticatorDefaultOpts() OpenAPIAuthenticatorOpts

OpenAPIAuthenticatorDefaultOpts are the default OpenAPI authenticator options.

func (*OpenAPIAuthenticatorOpts) Conigure added in v1.0.15

Conigure configures the OpenAPI authenticator from the options. The method name is spelled this way in the package.

type Unimplemented

type Unimplemented struct{}

Unimplemented is the default implementation.

func (*Unimplemented) Allowed

Allowed is the default implementation.

Directories

Path Synopsis
fga
internal
