Documentation
¶
Overview ¶
Package query provides the client for querying SpiceDB.
Index ¶
Constants ¶
// ID prefixes used by permissions-api.
const (
	// ApplicationPrefix is the prefix carried by every application ID that
	// permissions-api owns.
	ApplicationPrefix string = "perm"

	// RolePrefix is the prefix for role IDs. It is built from
	// ApplicationPrefix, so it evaluates to "permrol".
	RolePrefix string = ApplicationPrefix + "rol"
)
// Default resource names for roles and role bindings.
const (
	// DefaultRoleResourceName is the name used for a role resource when no
	// other name is given.
	DefaultRoleResourceName = "role"

	// DefaultRoleBindingResourceName is the name used for a role binding
	// resource when no other name is given.
	DefaultRoleBindingResourceName = "role_binding"
)
Variables ¶
// Sentinel errors of the query package. Match them with errors.Is rather
// than by comparing message text.
var (
	// ErrActionNotAssigned is the authorization-denied sentinel: the subject
	// is not able to complete the given request. Its message is generic and
	// names neither the action nor the resource.
	ErrActionNotAssigned = errors.New("the subject does not have permissions to complete this request")

	// ErrInvalidAction reports that the action provided is not valid for the
	// provided resource.
	ErrInvalidAction = errors.New("invalid action for resource")

	// ErrInvalidReference reports that a SpiceDB object reference is invalid
	// for some reason.
	ErrInvalidReference = errors.New("invalid reference")

	// ErrInvalidNamespace reports that the ID prefix is not found in the
	// resource schema.
	ErrInvalidNamespace = errors.New("invalid namespace")

	// ErrInvalidType reports that a resource type is not found in the
	// resource schema.
	ErrInvalidType = errors.New("invalid type")

	// ErrInvalidRelationship reports that no matching relationship was found.
	ErrInvalidRelationship = errors.New("invalid relationship")

	// ErrRoleNotFound reports that no matching role was found on the resource.
	//
	// NOTE(review): if the not-found sentinels and ErrActionNotAssigned are
	// surfaced to API clients as different responses, a caller can infer
	// whether an object exists; decide that mapping at the API layer.
	ErrRoleNotFound = errors.New("role not found")

	// ErrResourceNotFound reports that no matching resource was found.
	ErrResourceNotFound = errors.New("resource not found")

	// ErrRoleBindingNotFound reports that no matching role binding was found.
	ErrRoleBindingNotFound = errors.New("role binding not found")

	// ErrRoleHasTooManyResources reports that a role has too many resources.
	ErrRoleHasTooManyResources = errors.New("role has too many resources")

	// ErrInvalidArgument reports that an invalid argument was passed to a
	// function. The four fmt.Errorf sentinels below wrap it.
	ErrInvalidArgument = errors.New("invalid argument")

	// ErrRoleV2ResourceNotDefined reports that a role v2 resource is not
	// defined in the policy.
	ErrRoleV2ResourceNotDefined = errors.New("role v2 resource not defined")

	// The next four sentinels wrap ErrInvalidArgument with %w, so
	// errors.Is(err, ErrInvalidArgument) is true for each of them. Code that
	// maps errors to responses must test the specific sentinel before the
	// generic one.

	// ErrDeleteRoleInUse reports that a role is in use and cannot be deleted.
	ErrDeleteRoleInUse = fmt.Errorf("%w: role is in use", ErrInvalidArgument)

	// ErrRoleAlreadyExists reports that a role already exists.
	ErrRoleAlreadyExists = fmt.Errorf("%w: role already exists", ErrInvalidArgument)

	// ErrInvalidRoleBindingSubjectType reports that a role binding subject
	// type is invalid.
	ErrInvalidRoleBindingSubjectType = fmt.Errorf("%w: invalid role binding subject type", ErrInvalidArgument)

	// ErrResourceDoesNotSupportRoleBindingV2 reports that a role binding
	// request attempted to use a resource that does not support role
	// binding v2.
	ErrResourceDoesNotSupportRoleBindingV2 = fmt.Errorf("%w: resource does not support role binding v2", ErrInvalidArgument)

	// ErrRoleBindingHasNoRelationships is an internal error: a role binding
	// has no relationships.
	ErrRoleBindingHasNoRelationships = errors.New("role binding has no relationships")
)
Functions ¶
This section is empty.
Types ¶
type Engine ¶
// Engine represents a client for making permissions queries.
//
// The methods are grouped by concern below. Methods that carry no doc
// comment upstream are summarised from their names and signatures only;
// confirm those summaries against the implementation.
//
// NOTE(review): nothing in these signatures shows an authorization check on
// the mutating methods, and the delete methods take no actor at all.
// Presumably the calling layer is expected to call SubjectHasPermission
// before invoking them and to record who requested a delete — confirm.
type Engine interface {
	// ---- Permission checks ----

	// SubjectHasPermission checks whether subject may perform action on
	// resource. The only result is an error, so a nil error is the allow
	// signal.
	//
	// NOTE(review): presumably a denial is reported as ErrActionNotAssigned
	// and an unknown action as ErrInvalidAction — confirm. Callers should
	// fail closed and treat every non-nil error, including context or
	// transport failures, as "not authorized".
	SubjectHasPermission(ctx context.Context, subject types.Resource, action string, resource types.Resource) error

	// AllActions returns a list of action names (presumably every action
	// known to the loaded policy — confirm).
	AllActions() []string

	// ---- Schema helpers ----

	// NewResourceFromID builds a types.Resource from a prefixed ID, or
	// returns an error (presumably when the prefix is unknown to the
	// resource schema — confirm).
	NewResourceFromID(id gidx.PrefixedID) (types.Resource, error)

	// GetResourceType looks up a resource type by name. The result is a
	// pointer with no accompanying error, so callers should check it for
	// nil before use (presumably nil means "not found" — confirm).
	GetResourceType(name string) *types.ResourceType

	// ---- Relationships ----

	// CreateRelationships creates the given relationships.
	CreateRelationships(ctx context.Context, rels []types.Relationship) error

	// ListRelationshipsFrom lists relationships for resource (presumably
	// those where resource is the origin — confirm).
	ListRelationshipsFrom(ctx context.Context, resource types.Resource) ([]types.Relationship, error)

	// ListRelationshipsTo lists relationships for resource (presumably
	// those where resource is the target — confirm).
	ListRelationshipsTo(ctx context.Context, resource types.Resource) ([]types.Relationship, error)

	// DeleteRelationships deletes the given relationships.
	DeleteRelationships(ctx context.Context, relationships ...types.Relationship) error

	// DeleteResourceRelationships deletes relationships of resource
	// (presumably all of them — confirm the scope before calling).
	DeleteResourceRelationships(ctx context.Context, resource types.Resource) error

	// ---- Roles (v1) ----

	// CreateRole creates a role named roleName on res with the given
	// actions. actor and manager are recorded inputs whose exact use is
	// not visible here.
	CreateRole(ctx context.Context, actor, res types.Resource, manager, roleName string, actions []string) (types.Role, error)

	// UpdateRole updates the role identified by roleResource with newName
	// and newActions.
	UpdateRole(ctx context.Context, actor, roleResource types.Resource, newName string, newActions []string) (types.Role, error)

	// GetRole returns the role identified by roleResource.
	GetRole(ctx context.Context, roleResource types.Resource) (types.Role, error)

	// GetRoleResource returns a resource for the given role (presumably the
	// resource the role is defined on — confirm).
	GetRoleResource(ctx context.Context, roleResource types.Resource) (types.Resource, error)

	// ListRoles lists the roles of resource.
	ListRoles(ctx context.Context, resource types.Resource) ([]types.Role, error)

	// ListManagerRoles lists the roles of resource for the given manager.
	ListManagerRoles(ctx context.Context, manager string, resource types.Resource) ([]types.Role, error)

	// DeleteRole deletes the role identified by roleResource.
	DeleteRole(ctx context.Context, roleResource types.Resource) error

	// AssignSubjectRole assigns role to subject.
	AssignSubjectRole(ctx context.Context, subject types.Resource, role types.Role) error

	// UnassignSubjectRole removes role from subject.
	UnassignSubjectRole(ctx context.Context, subject types.Resource, role types.Role) error

	// ListAssignments lists the resources assigned to role.
	ListAssignments(ctx context.Context, role types.Role) ([]types.Resource, error)

	// ---- Roles (v2) ----

	// CreateRoleV2 creates a v2 role scoped to the given owner resource with
	// the given actions.
	CreateRoleV2(ctx context.Context, actor, owner types.Resource, manager, roleName string, actions []string) (types.Role, error)

	// ListRolesV2 returns all V2 roles owned by the given resource.
	ListRolesV2(ctx context.Context, owner types.Resource) ([]types.Role, error)

	// ListManagerRolesV2 returns all V2 roles owned by the given resource
	// with the given manager.
	ListManagerRolesV2(ctx context.Context, manager string, owner types.Resource) ([]types.Role, error)

	// GetRoleV2 returns a V2 role.
	GetRoleV2(ctx context.Context, role types.Resource) (types.Role, error)

	// UpdateRoleV2 updates a V2 role with the given name and actions.
	UpdateRoleV2(ctx context.Context, actor, roleResource types.Resource, newName string, newActions []string) (types.Role, error)

	// DeleteRoleV2 deletes a V2 role.
	DeleteRoleV2(ctx context.Context, roleResource types.Resource) error

	// ---- Role bindings ----

	// CreateRoleBinding creates all the relationships needed for a role
	// binding. A role binding establishes a three-way relationship between
	// a role, a resource, and the subjects.
	CreateRoleBinding(ctx context.Context, actor, resource, role types.Resource, manager string, subjects []types.RoleBindingSubject) (types.RoleBinding, error)

	// ListRoleBindings lists all role bindings for a resource. A non-nil
	// optionalRole filters the result to bindings of that role.
	ListRoleBindings(ctx context.Context, resource types.Resource, optionalRole *types.Resource) ([]types.RoleBinding, error)

	// ListManagerRoleBindings lists all role bindings for a resource with
	// the given manager. A non-nil optionalRole filters the result to
	// bindings of that role.
	ListManagerRoleBindings(ctx context.Context, manager string, resource types.Resource, optionalRole *types.Resource) ([]types.RoleBinding, error)

	// GetRoleBinding fetches a role binding by its ID.
	GetRoleBinding(ctx context.Context, rolebinding types.Resource) (types.RoleBinding, error)

	// UpdateRoleBinding updates the subjects of a role binding.
	UpdateRoleBinding(ctx context.Context, actor, rolebinding types.Resource, subjects []types.RoleBindingSubject) (types.RoleBinding, error)

	// DeleteRoleBinding removes subjects from a role binding.
	//
	// NOTE(review): the name suggests the binding itself is deleted, while
	// the upstream comment only mentions its subjects — confirm which.
	DeleteRoleBinding(ctx context.Context, rolebinding types.Resource) error

	// GetRoleBindingResource fetches the resource to which a role binding
	// belongs.
	GetRoleBindingResource(ctx context.Context, rb types.Resource) (types.Resource, error)
}
Engine represents a client for making permissions queries.
type Option ¶ added in v0.1.4
// Option is a functional option for the engine: a function that is handed
// the package's unexported *engine value.
type Option func(*engine)
Option is a functional option for the engine
func WithLogger ¶ added in v0.1.4
func WithLogger(logger *zap.SugaredLogger) Option
WithLogger sets the logger for the engine
func WithPolicy ¶ added in v0.1.4
WithPolicy sets the policy for the engine
Source Files
¶