Documentation ¶
Index ¶
- Constants
- Variables
- func Authenticate(handler fiber.Handler, config ...Config) fiber.Handler
- func Authenticated(ctx context.Context, checker AuthzChecker, validate JWSValidator, ...) error
- func CheckTokenClaims(expectedClaims []string, t jwt.Token) error
- func DefaultAuthzExtractor(c *fiber.Ctx) (AuthzPrincipal, AuthzObject, AuthzAction, error)
- func GetClaimsFromToken(t jwt.Token) ([]string, error)
- func GetJWSFromRequest(req *http.Request) (string, error)
- func NewAuthenticator(c AuthzChecker, v JWSValidator) openapi3filter.AuthenticationFunc
- func NewCheckerHandler(config ...Config) fiber.Handler
- func NewFGA(c *client.OpenFgaClient) *fga
- func NewNoop() *noop
- func NewOpenAPIAuthenticator(opts ...OpenAPIAuthenticatorOpt) openapi3filter.AuthenticationFunc
- func NewOpenAPIErrorHandler() middleware.ErrorHandler
- type AuthzAction
- type AuthzActionResolver
- type AuthzChecker
- type AuthzContext
- type AuthzController
- type AuthzExtractor
- type AuthzFGAAction
- type AuthzFGARelation
- type AuthzFGAUser
- type AuthzObject
- type AuthzObjectResolver
- type AuthzParams
- type AuthzPrincipal
- type AuthzPrincipalResolver
- type Config
- type DefaultAuthzController
- type Fake
- type GothAuthzPrincipalResolver
- type JWSValidator
- type OpenAPIAuthenticatorOpt
- func WithAuthzActionResolver(resolver AuthzActionResolver) OpenAPIAuthenticatorOpt
- func WithAuthzChecker(checker AuthzChecker) OpenAPIAuthenticatorOpt
- func WithAuthzObjectResolver(resolver AuthzObjectResolver) OpenAPIAuthenticatorOpt
- func WithAuthzPrincipalResolver(resolver AuthzPrincipalResolver) OpenAPIAuthenticatorOpt
- type OpenAPIAuthenticatorOpts
- type Unimplemented
Constants ¶
const (
	AuthzNoPrincipial AuthzPrincipal = ""
	AuthzNoObject     AuthzObject    = ""
	AuthzNoAction     AuthzAction    = ""
)
const (
	PermissionsClaim = "perms"
)
Variables ¶
var (
	ErrNoAuthHeader      = errors.New("authorization header is missing")
	ErrInvalidAuthHeader = errors.New("authorization header is malformed")
	ErrClaimsInvalid     = errors.New("provided claims do not match expected scopes")
)
var ConfigDefault = Config{
	ErrorHandler:      defaultErrorHandler,
	ObjectResolver:    NewNoopObjectResolver(),
	PrincipalResolver: NewNoopPrincipalResolver(),
	ActionResolver:    NewNoopActionResolver(),
	Checker:           NewNoop(),
}
ConfigDefault is the default config.
var ErrForbidden = errors.New("forbidden")
ErrForbidden ...
var ErrNoAuthzContext = errors.New("no authz context")
ErrNoAuthzContext is the error returned when the context is not found.
Functions ¶
func Authenticate ¶ added in v1.0.1
func Authenticate(handler fiber.Handler, config ...Config) fiber.Handler
Authenticate is a middleware that sets the principal and user in the context.
func Authenticated ¶ added in v1.0.25
func Authenticated(ctx context.Context, checker AuthzChecker, validate JWSValidator, input *openapi3filter.AuthenticationInput) error
Authenticated ...
func CheckTokenClaims ¶ added in v1.0.1
CheckTokenClaims ...
func DefaultAuthzExtractor ¶ added in v1.0.19
func DefaultAuthzExtractor(c *fiber.Ctx) (AuthzPrincipal, AuthzObject, AuthzAction, error)
DefaultAuthzExtractor is the default authz extractor.
func GetClaimsFromToken ¶ added in v1.0.1
GetClaimsFromToken ...
func GetJWSFromRequest ¶ added in v1.0.1
GetJWSFromRequest ...
func NewAuthenticator ¶ added in v1.0.1
func NewAuthenticator(c AuthzChecker, v JWSValidator) openapi3filter.AuthenticationFunc
NewAuthenticator ...
func NewCheckerHandler ¶ added in v1.0.1
func NewCheckerHandler(config ...Config) fiber.Handler
NewCheckerHandler returns a new fiber.Handler that checks if the principal can perform the action on the object.
func NewFGA ¶ added in v1.0.1
func NewFGA(c *client.OpenFgaClient) *fga
NewFGA returns a new FGA authz checker.
func NewOpenAPIAuthenticator ¶ added in v1.0.14
func NewOpenAPIAuthenticator(opts ...OpenAPIAuthenticatorOpt) openapi3filter.AuthenticationFunc
NewOpenAPIAuthenticator creates a new OpenAPI authenticator.
func NewOpenAPIErrorHandler ¶ added in v1.0.14
func NewOpenAPIErrorHandler() middleware.ErrorHandler
NewOpenAPIErrorHandler creates a new OpenAPI error handler.
Types ¶
type AuthzAction ¶ added in v1.0.1
type AuthzAction string
AuthzAction is the action.
func (AuthzAction) String ¶ added in v1.0.1
func (a AuthzAction) String() string
String is the stringer implementation.
type AuthzActionResolver ¶ added in v1.0.8
type AuthzActionResolver interface {
	// Resolve ...
	Resolve(c *fiber.Ctx) (AuthzAction, error)
}
AuthzActionResolver is the interface that wraps the Resolve method.
func NewNoopActionResolver ¶ added in v1.0.8
func NewNoopActionResolver() AuthzActionResolver
NewNoopActionResolver ...
type AuthzChecker ¶
type AuthzChecker interface {
	// Allowed ...
	Allowed(context.Context, AuthzPrincipal, AuthzObject, AuthzAction) (bool, error)
}
AuthzChecker is the interface that wraps the Allowed method.
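A fail-closed implementation of the AuthzChecker interface above, added here as an illustration and not taken from the package. The type and constant declarations mirror the ones listed on this page so the block compiles without the package or fiber; StaticChecker, NewStaticChecker, Grant and ErrIncompleteTuple are hypothetical names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Local mirrors of the declarations listed on this page, so this runs without fiber.
type (
	AuthzPrincipal string
	AuthzObject    string
	AuthzAction    string
	AuthzChecker   interface {
		Allowed(context.Context, AuthzPrincipal, AuthzObject, AuthzAction) (bool, error)
	}
)

const (
	AuthzNoPrincipial AuthzPrincipal = ""
	AuthzNoObject     AuthzObject    = ""
	AuthzNoAction     AuthzAction    = ""
)

var ErrIncompleteTuple = errors.New("incomplete authz tuple") // hypothetical name

type grant struct{ p AuthzPrincipal; o AuthzObject; a AuthzAction }
type StaticChecker struct{ grants map[grant]bool } // hypothetical type

func NewStaticChecker() *StaticChecker { return &StaticChecker{grants: map[grant]bool{}} }
func (s *StaticChecker) Grant(p AuthzPrincipal, o AuthzObject, a AuthzAction) { s.grants[grant{p, o, a}] = true }

// Allowed fails closed: a cancelled context, any empty element, or a missing grant denies.
func (s *StaticChecker) Allowed(ctx context.Context, p AuthzPrincipal, o AuthzObject, a AuthzAction) (bool, error) {
	if err := ctx.Err(); err != nil {
		return false, err
	}
	if p == AuthzNoPrincipial || o == AuthzNoObject || a == AuthzNoAction {
		return false, ErrIncompleteTuple
	}
	return s.grants[grant{p, o, a}], nil
}

func main() {
	s := NewStaticChecker()
	s.Grant("user:alice", "doc:1", "read") // constructed sample tuple
	var c AuthzChecker = s                 // compile-time check that the interface is satisfied
	fmt.Println(c.Allowed(context.Background(), "user:alice", "doc:1", "read")) // true <nil>
}
```

Returning an error for an empty principal, object or action, rather than a plain false, lets the caller tell an unresolved request apart from an ordinary denial.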
type AuthzContext ¶ added in v1.0.19
type AuthzContext struct {
	Principal AuthzPrincipal
	Object    AuthzObject
	Action    AuthzAction
}
AuthzContext is the type of the context key.
func GetAuthzContext ¶ added in v1.0.19
func GetAuthzContext(ctx context.Context) (AuthzContext, error)
GetAuthzContext extracts the AuthzContext from the context.
func NewAuthzContext ¶ added in v1.0.19
func NewAuthzContext(principal AuthzPrincipal, object AuthzObject, action AuthzAction) AuthzContext
NewAuthzContext is the constructor for the AuthzContext.
type AuthzController ¶ added in v1.0.28
type AuthzController interface {
	// GetPrincipial returns the principal.
	GetPrincipial(ctx *fiber.Ctx) (AuthzPrincipal, error)
	// GetObject returns the object.
	GetObject(ctx *fiber.Ctx) (AuthzObject, error)
	// GetAction returns the action.
	GetAction(ctx *fiber.Ctx) (AuthzAction, error)
}
AuthzController is the controller that holds the 3-factors to authenticate.
type AuthzExtractor ¶ added in v1.0.19
type AuthzExtractor func(c *fiber.Ctx) (AuthzPrincipal, AuthzObject, AuthzAction, error)
AuthzExtractor is the function type that extracts the principal, object and action from the request context.
type AuthzFGAAction ¶ added in v1.0.25
type AuthzFGAAction = AuthzAction
AuthzFGAAction is the action.
type AuthzFGARelation ¶ added in v1.0.25
type AuthzFGARelation = AuthzObject
AuthzFGARelation is the object.
type AuthzFGAUser ¶ added in v1.0.25
type AuthzFGAUser = AuthzPrincipal
AuthzFGAUser is the subject.
type AuthzObject ¶ added in v1.0.1
type AuthzObject string
AuthzObject is the object.
func (AuthzObject) String ¶ added in v1.0.1
func (a AuthzObject) String() string
String is the stringer implementation.
type AuthzObjectResolver ¶ added in v1.0.8
type AuthzObjectResolver interface {
	// Resolve ...
	Resolve(c *fiber.Ctx) (AuthzObject, error)
}
AuthzObjectResolver is the interface that wraps the Resolve method.
func NewNoopObjectResolver ¶ added in v1.0.8
func NewNoopObjectResolver() AuthzObjectResolver
NewNoopObjectResolver ...
type AuthzParams ¶ added in v1.0.25
type AuthzParams struct {
	// Principal is the subject.
	Principal AuthzPrincipal `json:"principal" params:"principal" query:"principal" form:"principal"`
	// Object is the object.
	Object AuthzObject `json:"object" params:"object" query:"object" form:"object"`
	// Action is the action.
	Action AuthzAction `json:"action" params:"action" query:"action" form:"action"`
}
AuthzParams is the struct that holds the principal, object and action from the context. There needs to be a :principal, :object and :action in the context.
type AuthzPrincipal ¶
type AuthzPrincipal string
AuthzPrincipal is the subject.
func (AuthzPrincipal) String ¶ added in v1.0.1
func (a AuthzPrincipal) String() string
String is the stringer implementation.
type AuthzPrincipalResolver ¶ added in v1.0.8
type AuthzPrincipalResolver interface {
	// Resolve ...
	Resolve(c *fiber.Ctx) (AuthzPrincipal, error)
}
AuthzPrincipalResolver is the interface that wraps the Resolve method.
func NewGothAuthzPrincipalResolver ¶ added in v1.0.8
func NewGothAuthzPrincipalResolver() AuthzPrincipalResolver
NewGothAuthzPrincipalResolver returns a new GothAuthzPrincipalResolver.
func NewNoopPrincipalResolver ¶ added in v1.0.8
func NewNoopPrincipalResolver() AuthzPrincipalResolver
NewNoopPrincipalResolver ...
type Config ¶
type Config struct {
	// Next defines a function to skip this middleware when returned true.
	Next func(c *fiber.Ctx) bool
	// Checker is implementing the AuthzChecker interface.
	Checker AuthzChecker
	// ObjectResolver is the object resolver.
	ObjectResolver AuthzObjectResolver
	// ActionResolver is the action resolver.
	ActionResolver AuthzActionResolver
	// PrincipalResolver is the principal resolver.
	PrincipalResolver AuthzPrincipalResolver
	// ErrorHandler is executed when an error is returned from fiber.Handler.
	//
	// Optional. Default: DefaultErrorHandler
	ErrorHandler fiber.ErrorHandler
}
Config ...
type DefaultAuthzController ¶ added in v1.0.28
type DefaultAuthzController struct {
	PrincipalResolver AuthzPrincipalResolver
	ObjectResolver    AuthzObjectResolver
	ActionResolver    AuthzActionResolver
}
DefaultAuthzController is the default implementation of the AuthzController.
func NewDefaultAuthzController ¶ added in v1.0.28
func NewDefaultAuthzController(pr AuthzPrincipalResolver, or AuthzObjectResolver, ar AuthzActionResolver) *DefaultAuthzController
NewDefaultAuthzController returns a new DefaultAuthzController.
func (*DefaultAuthzController) GetAction ¶ added in v1.0.29
func (d *DefaultAuthzController) GetAction(ctx *fiber.Ctx) (AuthzAction, error)
GetAction returns the action.
func (*DefaultAuthzController) GetObject ¶ added in v1.0.29
func (d *DefaultAuthzController) GetObject(ctx *fiber.Ctx) (AuthzObject, error)
GetObject returns the object.
func (*DefaultAuthzController) GetPrincipial ¶ added in v1.0.29
func (d *DefaultAuthzController) GetPrincipial(ctx *fiber.Ctx) (AuthzPrincipal, error)
GetPrincipial returns the principal.
type Fake ¶ added in v1.0.19
type Fake struct {
	// contains filtered or unexported fields
}
Fake is a fake authz checker.
func (*Fake) Allowed ¶ added in v1.0.19
func (f *Fake) Allowed(_ context.Context, _ AuthzPrincipal, _ AuthzObject, _ AuthzAction) (bool, error)
Allowed returns true if the principal is allowed to perform the action on the object.
type GothAuthzPrincipalResolver ¶ added in v1.0.30
type GothAuthzPrincipalResolver struct{}
GothAuthzPrincipalResolver is the resolver that resolves the principal from the goth session.
func (*GothAuthzPrincipalResolver) Resolve ¶ added in v1.0.30
func (g *GothAuthzPrincipalResolver) Resolve(c *fiber.Ctx) (AuthzPrincipal, error)
Resolve returns the principal from the goth session.
type JWSValidator ¶ added in v1.0.1
JWSValidator ...
type OpenAPIAuthenticatorOpt ¶ added in v1.0.15
type OpenAPIAuthenticatorOpt func(*OpenAPIAuthenticatorOpts)
OpenAPIAuthenticatorOpt is a function that sets an option on the OpenAPI authenticator.
func WithAuthzActionResolver ¶ added in v1.0.19
func WithAuthzActionResolver(resolver AuthzActionResolver) OpenAPIAuthenticatorOpt
WithAuthzActionResolver sets the authz action resolver.
func WithAuthzChecker ¶ added in v1.0.19
func WithAuthzChecker(checker AuthzChecker) OpenAPIAuthenticatorOpt
WithAuthzChecker sets the authz checker.
func WithAuthzObjectResolver ¶ added in v1.0.19
func WithAuthzObjectResolver(resolver AuthzObjectResolver) OpenAPIAuthenticatorOpt
WithAuthzObjectResolver sets the authz object resolver.
func WithAuthzPrincipalResolver ¶ added in v1.0.19
func WithAuthzPrincipalResolver(resolver AuthzPrincipalResolver) OpenAPIAuthenticatorOpt
WithAuthzPrincipalResolver sets the authz principal resolver.
type OpenAPIAuthenticatorOpts ¶ added in v1.0.15
type OpenAPIAuthenticatorOpts struct {
	AuthzPrincipalResolver AuthzPrincipalResolver
	AuthzObjectResolver    AuthzObjectResolver
	AuthzActionResolver    AuthzActionResolver
	AuthzChecker           AuthzChecker
}
OpenAPIAuthenticatorOpts are the OpenAPI authenticator options.
func OpenAPIAuthenticatorDefaultOpts ¶ added in v1.0.15
func OpenAPIAuthenticatorDefaultOpts() OpenAPIAuthenticatorOpts
OpenAPIAuthenticatorDefaultOpts are the default OpenAPI authenticator options.
func (*OpenAPIAuthenticatorOpts) Conigure ¶ added in v1.0.15
func (o *OpenAPIAuthenticatorOpts) Conigure(opts ...OpenAPIAuthenticatorOpt)
Conigure the OpenAPI authenticator.
type Unimplemented ¶
type Unimplemented struct{}
Unimplemented is the default implementation.
func (*Unimplemented) Allowed ¶
func (u *Unimplemented) Allowed(_ context.Context, _ AuthzPrincipal, _ AuthzObject, _ AuthzAction) (bool, error)
Allowed is the default implementation.