authorization

package
v3.0.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 5, 2024 License: Apache-2.0 Imports: 5 Imported by: 17

Documentation

Index

Constants

View Source
const (
	HeaderName = "authorization"
)

Variables

View Source
var (
	ErrEmptyAuthorizationHeader = errors.New("authorization header is empty")
	ErrMissingRole              = errors.New("missing required role")
)

Functions

func Context

func Context[T Ctx](ctx context.Context) (t T)

Context returns a typed implementation the authorization context Ctx. It can be used to get information about the (authorized) user / caller.

func IsAuthorized

func IsAuthorized(ctx context.Context) bool

IsAuthorized returns if the caller is authorized

func IsGrantedRole

func IsGrantedRole(ctx context.Context, role string) bool

IsGrantedRole returns if the authorized user is granted the requested role. In case of an unauthorized caller, the returned value is false.

func IsGrantedRoleInOrganization

func IsGrantedRoleInOrganization(ctx context.Context, role, organisationID string) bool

IsGrantedRoleInOrganization returns if the authorized user is granted the requested role in the specified organisation. In case of an unauthorized caller, the returned value is false.

func UserID

func UserID(ctx context.Context) string

UserID returns if the ID of the authorized user. In case of an unauthorized caller, the id is empty.

func WithAuthContext

func WithAuthContext[T Ctx](ctx context.Context, c T) context.Context

WithAuthContext allows to set the authorization context (Ctx), which can later be retrieved by calling the Context function.

Types

type Authorizer

type Authorizer[T Ctx] struct {
	// contains filtered or unexported fields
}

Authorizer provides the functionality to check for authorization such as token verification including role checks.

func New

func New[T Ctx](ctx context.Context, zitadel *zitadel.Zitadel, initVerifier VerifierInitializer[T], options ...Option[T]) (*Authorizer[T], error)

func (*Authorizer[T]) CheckAuthorization

func (a *Authorizer[T]) CheckAuthorization(ctx context.Context, token string, options ...CheckOption) (authCtx T, err error)

CheckAuthorization will verify the token using the configured Verifier and provided Check

type Check

type Check[T Ctx] struct {
	Checks []func(authCtx T) error
}

Check will be executed during the authorization check and provide a mechanism to require additional permission such as a role. There will be options, e.g. caching and more in the near future.

type CheckOption

type CheckOption func(*Check[Ctx])

CheckOption allows customization of the Check like additional permission requirements (e.g. roles)

func WithRole

func WithRole(role string) CheckOption

WithRole requires the authorized user to be granted the provided role. If the role is not granted to the user, an ErrMissingRole is returned.

type Ctx

type Ctx interface {
	IsAuthorized() bool
	UserID() string
	IsGrantedRole(role string) bool
	IsGrantedRoleInOrganization(role, organizationID string) bool
	SetToken(token string)
	GetToken() string
}

Ctx represents the authorization context with information about the authorized user.

type Option

type Option[T Ctx] func(authorizer *Authorizer[T])

Option allows customization of the Authorizer such as caching, logging and more.

func WithLogger

func WithLogger[T Ctx](logger *slog.Logger) Option[T]

WithLogger allows a logger other than slog.Default().

EXPERIMENTAL: Will change to log/slog import after we drop support for Go 1.20

type PermissionDeniedErr

type PermissionDeniedErr struct {
	// contains filtered or unexported fields
}

PermissionDeniedErr is used to provide the information to the caller, that the provided authorization was valid but not sufficient (missing role).

func NewErrorPermissionDenied

func NewErrorPermissionDenied(err error) *PermissionDeniedErr

func (*PermissionDeniedErr) Error

func (e *PermissionDeniedErr) Error() string

func (*PermissionDeniedErr) Is

func (e *PermissionDeniedErr) Is(target error) bool

func (*PermissionDeniedErr) Unwrap

func (e *PermissionDeniedErr) Unwrap() error

type UnauthorizedErr

type UnauthorizedErr struct {
	// contains filtered or unexported fields
}

UnauthorizedErr is used to provide the information to the caller, that the provided authorization is invalid (missing, wrong format, expired, ...).

func NewErrorUnauthorized

func NewErrorUnauthorized(err error) *UnauthorizedErr

func (*UnauthorizedErr) Error

func (e *UnauthorizedErr) Error() string

func (*UnauthorizedErr) Is

func (e *UnauthorizedErr) Is(target error) bool

func (*UnauthorizedErr) Unwrap

func (e *UnauthorizedErr) Unwrap() error

type Verifier

type Verifier[T Ctx] interface {
	CheckAuthorization(ctx context.Context, authorizationToken string) (T, error)
}

Verifier defines the possible verification checks such as validation of the authorizationToken.

type VerifierInitializer

type VerifierInitializer[T Ctx] func(ctx context.Context, zitadel *zitadel.Zitadel) (Verifier[T], error)

VerifierInitializer abstracts the initialization of a Verifier by providing the ZITADEL domain, port and if tls is set

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL