Documentation ¶
Overview ¶
Package rights implements rights fetching and checking.
Index ¶
- Variables
- func ListApplication(ctx context.Context, id ttnpb.ApplicationIdentifiers) (rights *ttnpb.Rights, err error)
- func ListClient(ctx context.Context, id ttnpb.ClientIdentifiers) (rights *ttnpb.Rights, err error)
- func ListGateway(ctx context.Context, id ttnpb.GatewayIdentifiers) (rights *ttnpb.Rights, err error)
- func ListOrganization(ctx context.Context, id ttnpb.OrganizationIdentifiers) (rights *ttnpb.Rights, err error)
- func ListUser(ctx context.Context, id ttnpb.UserIdentifiers) (rights *ttnpb.Rights, err error)
- func NewContext(ctx context.Context, rights Rights) context.Context
- func NewContextWithCache(ctx context.Context) context.Context
- func NewContextWithFetcher(ctx context.Context, fetcher Fetcher) context.Context
- func RequireAny(ctx context.Context, ids ...*ttnpb.EntityIdentifiers) error
- func RequireApplication(ctx context.Context, id ttnpb.ApplicationIdentifiers, required ...ttnpb.Right) (err error)
- func RequireClient(ctx context.Context, id ttnpb.ClientIdentifiers, required ...ttnpb.Right) (err error)
- func RequireGateway(ctx context.Context, id ttnpb.GatewayIdentifiers, required ...ttnpb.Right) (err error)
- func RequireOrganization(ctx context.Context, id ttnpb.OrganizationIdentifiers, required ...ttnpb.Right) (err error)
- func RequireUser(ctx context.Context, id ttnpb.UserIdentifiers, required ...ttnpb.Right) (err error)
- type Fetcher
- type FetcherFunc
- func (f FetcherFunc) ApplicationRights(ctx context.Context, ids ttnpb.ApplicationIdentifiers) (*ttnpb.Rights, error)
- func (f FetcherFunc) ClientRights(ctx context.Context, ids ttnpb.ClientIdentifiers) (*ttnpb.Rights, error)
- func (f FetcherFunc) GatewayRights(ctx context.Context, ids ttnpb.GatewayIdentifiers) (*ttnpb.Rights, error)
- func (f FetcherFunc) OrganizationRights(ctx context.Context, ids ttnpb.OrganizationIdentifiers) (*ttnpb.Rights, error)
- func (f FetcherFunc) UserRights(ctx context.Context, ids ttnpb.UserIdentifiers) (*ttnpb.Rights, error)
- type Rights
- func (r Rights) IncludesApplicationRights(appUID string, rights ...ttnpb.Right) bool
- func (r Rights) IncludesClientRights(cliUID string, rights ...ttnpb.Right) bool
- func (r Rights) IncludesGatewayRights(gtwUID string, rights ...ttnpb.Right) bool
- func (r Rights) IncludesOrganizationRights(orgUID string, rights ...ttnpb.Right) bool
- func (r Rights) IncludesUserRights(usrUID string, rights ...ttnpb.Right) bool
- func (r Rights) MissingApplicationRights(appUID string, rights ...ttnpb.Right) []ttnpb.Right
- func (r Rights) MissingClientRights(cliUID string, rights ...ttnpb.Right) []ttnpb.Right
- func (r Rights) MissingGatewayRights(gtwUID string, rights ...ttnpb.Right) []ttnpb.Right
- func (r Rights) MissingOrganizationRights(orgUID string, rights ...ttnpb.Right) []ttnpb.Right
- func (r Rights) MissingUserRights(usrUID string, rights ...ttnpb.Right) []ttnpb.Right
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var ( ErrNoApplicationRights = errors.DefinePermissionDenied( "no_application_rights", "no rights for application `{uid}`", ) ErrInsufficientApplicationRights = errors.DefinePermissionDenied( "insufficient_application_rights", "insufficient rights for application `{uid}`", ) ErrNoClientRights = errors.DefinePermissionDenied( "no_client_rights", "no rights for client `{uid}`", ) ErrInsufficientClientRights = errors.DefinePermissionDenied( "insufficient_client_rights", "insufficient rights for client `{uid}`", ) ErrNoGatewayRights = errors.DefinePermissionDenied( "no_gateway_rights", "no rights for gateway `{uid}`", ) ErrInsufficientGatewayRights = errors.DefinePermissionDenied( "insufficient_gateway_rights", "insufficient rights for gateway `{uid}`", ) ErrNoOrganizationRights = errors.DefinePermissionDenied( "no_organization_rights", "no rights for organization `{uid}`", ) ErrInsufficientOrganizationRights = errors.DefinePermissionDenied( "insufficient_organization_rights", "insufficient rights for organization `{uid}`", ) ErrNoUserRights = errors.DefinePermissionDenied( "no_user_rights", "no rights for user `{uid}`", ) ErrInsufficientUserRights = errors.DefinePermissionDenied( "insufficient_user_rights", "insufficient rights for user `{uid}`", ) )
Errors for no/insufficient rights.
Functions ¶
func ListApplication ¶
func ListApplication(ctx context.Context, id ttnpb.ApplicationIdentifiers) (rights *ttnpb.Rights, err error)
ListApplication lists the rights for the given application ID in the context.
func ListClient ¶
ListClient lists the rights for the given client ID in the context.
func ListGateway ¶
func ListGateway(ctx context.Context, id ttnpb.GatewayIdentifiers) (rights *ttnpb.Rights, err error)
ListGateway lists the rights for the given gateway ID in the context.
func ListOrganization ¶
func ListOrganization(ctx context.Context, id ttnpb.OrganizationIdentifiers) (rights *ttnpb.Rights, err error)
ListOrganization lists the rights for the given organization ID in the context.
func NewContext ¶
NewContext returns a derived context with the given rights.
func NewContextWithCache ¶
NewContextWithCache returns a derived context with a rights cache. This should only be used for request contexts.
func NewContextWithFetcher ¶
NewContextWithFetcher returns a new context with the given rights fetcher.
func RequireAny ¶
func RequireAny(ctx context.Context, ids ...*ttnpb.EntityIdentifiers) error
RequireAny checks that context contains any rights for each of the given entity identifiers.
func RequireApplication ¶
func RequireApplication(ctx context.Context, id ttnpb.ApplicationIdentifiers, required ...ttnpb.Right) (err error)
RequireApplication checks that context contains the required rights for the given application ID.
Example ¶
package main import ( "context" "go.thethings.network/lorawan-stack/v3/pkg/auth/rights" "go.thethings.network/lorawan-stack/v3/pkg/ttnpb" ) func main() { var ( // Assume these come from a hypothetical Set RPC call. ctx context.Context dev ttnpb.EndDevice ) if err := rights.RequireApplication(ctx, dev.ApplicationIdentifiers, ttnpb.RIGHT_APPLICATION_DEVICES_WRITE); err != nil { // return nil, err } }
Output:
func RequireClient ¶
func RequireClient(ctx context.Context, id ttnpb.ClientIdentifiers, required ...ttnpb.Right) (err error)
RequireClient checks that context contains the required rights for the given client ID.
func RequireGateway ¶
func RequireGateway(ctx context.Context, id ttnpb.GatewayIdentifiers, required ...ttnpb.Right) (err error)
RequireGateway checks that context contains the required rights for the given gateway ID.
func RequireOrganization ¶
func RequireOrganization(ctx context.Context, id ttnpb.OrganizationIdentifiers, required ...ttnpb.Right) (err error)
RequireOrganization checks that context contains the required rights for the given organization ID.
func RequireUser ¶
func RequireUser(ctx context.Context, id ttnpb.UserIdentifiers, required ...ttnpb.Right) (err error)
RequireUser checks that context contains the required rights for the given user ID.
Types ¶
type Fetcher ¶
type Fetcher interface { ApplicationRights(context.Context, ttnpb.ApplicationIdentifiers) (*ttnpb.Rights, error) ClientRights(context.Context, ttnpb.ClientIdentifiers) (*ttnpb.Rights, error) GatewayRights(context.Context, ttnpb.GatewayIdentifiers) (*ttnpb.Rights, error) OrganizationRights(context.Context, ttnpb.OrganizationIdentifiers) (*ttnpb.Rights, error) UserRights(context.Context, ttnpb.UserIdentifiers) (*ttnpb.Rights, error) }
Fetcher interface for rights fetching.
func NewAccessFetcher ¶
func NewAccessFetcher(getConn func(ctx context.Context) *grpc.ClientConn, allowInsecure bool) Fetcher
NewAccessFetcher returns a new rights fetcher that fetches from the Access role returned by getConn. The allowInsecure argument indicates whether it's allowed to send credentials over connections without TLS.
func NewInMemoryCache ¶
NewInMemoryCache returns a new in-memory cache on top of the given fetcher. Successful responses are valid for the duration of successTTL, unsuccessful responses are valid for the duration of errorTTL.
type FetcherFunc ¶
FetcherFunc is a function that implements the Fetcher interface.
A FetcherFunc that returns all Application rights for any Application, would look like this:
fetcher := rights.FetcherFunc(func(ctx context.Context, ids ttnpb.Identifiers) (*ttnpb.Rights, error) { rights := ttnpb.AllApplicationRights // Instead this usually comes from an identity server or a database. return &rights, nil })
func (FetcherFunc) ApplicationRights ¶
func (f FetcherFunc) ApplicationRights(ctx context.Context, ids ttnpb.ApplicationIdentifiers) (*ttnpb.Rights, error)
ApplicationRights implements the Fetcher interface.
func (FetcherFunc) ClientRights ¶
func (f FetcherFunc) ClientRights(ctx context.Context, ids ttnpb.ClientIdentifiers) (*ttnpb.Rights, error)
ClientRights implements the Fetcher interface.
func (FetcherFunc) GatewayRights ¶
func (f FetcherFunc) GatewayRights(ctx context.Context, ids ttnpb.GatewayIdentifiers) (*ttnpb.Rights, error)
GatewayRights implements the Fetcher interface.
func (FetcherFunc) OrganizationRights ¶
func (f FetcherFunc) OrganizationRights(ctx context.Context, ids ttnpb.OrganizationIdentifiers) (*ttnpb.Rights, error)
OrganizationRights implements the Fetcher interface.
func (FetcherFunc) UserRights ¶
func (f FetcherFunc) UserRights(ctx context.Context, ids ttnpb.UserIdentifiers) (*ttnpb.Rights, error)
UserRights implements the Fetcher interface.
type Rights ¶
type Rights struct { ApplicationRights map[string]*ttnpb.Rights ClientRights map[string]*ttnpb.Rights GatewayRights map[string]*ttnpb.Rights OrganizationRights map[string]*ttnpb.Rights UserRights map[string]*ttnpb.Rights }
Rights for the request.
func (Rights) IncludesApplicationRights ¶
IncludesApplicationRights returns whether the given rights are included for the given application.
func (Rights) IncludesClientRights ¶
IncludesClientRights returns whether the given rights are included for the given client.
func (Rights) IncludesGatewayRights ¶
IncludesGatewayRights returns whether the given rights are included for the given gateway.
func (Rights) IncludesOrganizationRights ¶
IncludesOrganizationRights returns whether the given rights are included for the given organization.
func (Rights) IncludesUserRights ¶
IncludesUserRights returns whether the given rights are included for the given user.
func (Rights) MissingApplicationRights ¶
MissingApplicationRights returns the rights that are missing for the given application.
func (Rights) MissingClientRights ¶
MissingClientRights returns the rights that are missing for the given client.
func (Rights) MissingGatewayRights ¶
MissingGatewayRights returns the rights that are missing for the given gateway.
func (Rights) MissingOrganizationRights ¶
MissingOrganizationRights returns the rights that are missing for the given organization.