Documentation ¶
Overview ¶
Package std provides authorization middleware for HTTP servers built on top of the standard net/http.
The middleware intercepts incoming requests and calls the Aserto authorizer service to determine if access should be allowed or denied.
Example ¶
```go
package main

import (
	"context"
	"log"
	"net/http"
	"time"

	"github.com/aserto-dev/go-aserto/authorizer/grpc"
	"github.com/aserto-dev/go-aserto/client"
	mw "github.com/aserto-dev/go-aserto/middleware/http/std"
)

func Hello(w http.ResponseWriter, _ *http.Request) {
	if _, err := w.Write([]byte(`"hello"`)); err != nil {
		log.Println("Failed to write HTTP response:", err)
	}
}

func main() {
	ctx := context.Background()

	// Create authorizer client.
	authorizer, err := grpc.New(
		ctx,
		client.WithAPIKeyAuth("<Aserto authorizer API Key>"),
		client.WithTenantID("<Aserto tenant ID>"),
	)
	if err != nil {
		log.Fatal("Failed to create authorizer client:", err)
	}

	// Create HTTP middleware.
	middleware := mw.New(
		authorizer,
		&mw.Policy{
			Name:          "<Aserto policy Name>",
			Decision:      "<authorization decision (e.g. 'allowed')>",
			InstanceLabel: "<Aserto policy instance label>",
		},
	)

	// Define HTTP route.
	http.Handle(
		"/",
		middleware.Handler(http.HandlerFunc(Hello)), // Attach middleware to route.
	)

	// Start server.
	server := &http.Server{
		Addr:              ":8080",
		ReadHeaderTimeout: 2 * time.Second,
	}
	log.Fatal(server.ListenAndServe())
}
```
Index ¶
- type AuthorizerClient
- type Check
- type CheckOption
- func WithIdentityMapper(mapper httpmw.IdentityMapper) CheckOption
- func WithObjectID(id string) CheckOption
- func WithObjectIDFromVar(name string) CheckOption
- func WithObjectIDMapper(mapper StringMapper) CheckOption
- func WithObjectMapper(mapper ObjectMapper) CheckOption
- func WithObjectType(objType string) CheckOption
- func WithPolicyPath(path string) CheckOption
- func WithRelation(name string) CheckOption
- func WithRelationMapper(mapper StringMapper) CheckOption
- type CheckOptions
- type Middleware
- func (m *Middleware) Check(options ...CheckOption) *Check
- func (m *Middleware) Handler(next http.Handler) http.Handler
- func (m *Middleware) HandlerFunc(next http.HandlerFunc) http.Handler
- func (m *Middleware) WithNoResourceContext() *Middleware
- func (m *Middleware) WithPolicyFromURL(prefix string) *Middleware
- func (m *Middleware) WithPolicyPathMapper(mapper StringMapper) *Middleware
- func (m *Middleware) WithResourceMapper(mapper ResourceMapper) *Middleware
- type ObjectMapper
- type Policy
- type ResourceMapper
- type StringMapper
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthorizerClient ¶
type AuthorizerClient = authz.AuthorizerClient
type Check ¶ added in v0.30.0
type Check struct {
// contains filtered or unexported fields
}
func (*Check) Handler ¶ added in v0.30.0
Handler returns a middleware handler that checks incoming requests.
func (*Check) HandlerFunc ¶ added in v0.30.0
func (c *Check) HandlerFunc(next http.HandlerFunc) http.HandlerFunc
HandlerFunc returns a middleware handler that wraps the given http.HandlerFunc and checks incoming requests.
type CheckOption ¶ added in v0.30.0
type CheckOption func(*CheckOptions)
CheckOption is used to configure the check middleware.
func WithIdentityMapper ¶ added in v0.30.0
func WithIdentityMapper(mapper httpmw.IdentityMapper) CheckOption
WithIdentityMapper takes an identity mapper function that is used to determine the subject id for the check call.
func WithObjectID ¶ added in v0.30.0
func WithObjectID(id string) CheckOption
WithObjectID sets the id of the object to check.
func WithObjectIDFromVar ¶ added in v0.30.0
func WithObjectIDFromVar(name string) CheckOption
WithObjectIDFromVar takes the name of a variable in the request path that is used as the object id to check.
func WithObjectIDMapper ¶ added in v0.30.0
func WithObjectIDMapper(mapper StringMapper) CheckOption
WithObjectIDMapper takes a function that is used to determine the object id to check from the incoming request.
func WithObjectMapper ¶ added in v0.30.0
func WithObjectMapper(mapper ObjectMapper) CheckOption
WithObjectMapper takes a function that is used to determine the object type and id to check from the incoming request.
func WithObjectType ¶ added in v0.30.0
func WithObjectType(objType string) CheckOption
WithObjectType sets the object type to check.
func WithPolicyPath ¶ added in v0.30.0
func WithPolicyPath(path string) CheckOption
WithPolicyPath sets the path of the policy module to use for the check call.
func WithRelation ¶ added in v0.30.0
func WithRelation(name string) CheckOption
WithRelation sets the relation/permission to check.
func WithRelationMapper ¶ added in v0.30.0
func WithRelationMapper(mapper StringMapper) CheckOption
WithRelationMapper takes a function that is used to determine the relation/permission to check from the incoming request.
type CheckOptions ¶ added in v0.30.0
type CheckOptions struct {
// contains filtered or unexported fields
}
CheckOptions is used to configure the check middleware.
type Middleware ¶
type Middleware struct {
// Identity determines the caller identity used in authorization calls.
Identity *httpmw.IdentityBuilder
// contains filtered or unexported fields
}
Middleware implements an http.Handler that can be added to routes in net/http servers.
To authorize incoming requests, the middleware needs information about:
1. The user making the request.
2. The Aserto authorization policy to evaluate.
3. Optionally, additional input data for the authorization policy.
The values for these parameters can be set globally or extracted dynamically from incoming messages.
func New ¶
func New(client AuthorizerClient, policy *Policy) *Middleware
New creates middleware for the specified policy.
The new middleware is created with a default identity mapper and a default policy path mapper. Those can be overridden using `Middleware.Identity` to specify how the caller's identity is determined, or using the middleware's ".With...()" functions to set policy path and resource mappers.
func (*Middleware) Check ¶ added in v0.30.0
func (m *Middleware) Check(options ...CheckOption) *Check
Check returns a new Check middleware object that can be used to make ReBAC authorization decisions for individual routes. A check call returns true if a given relation exists between an object and a subject.
func (*Middleware) Handler ¶
func (m *Middleware) Handler(next http.Handler) http.Handler
Handler returns a middleware handler that authorizes incoming requests.
func (*Middleware) HandlerFunc ¶ added in v0.30.0
func (m *Middleware) HandlerFunc(next http.HandlerFunc) http.Handler
HandlerFunc returns a middleware handler that wraps the given http.HandlerFunc and authorizes incoming requests.
func (*Middleware) WithNoResourceContext ¶
func (m *Middleware) WithNoResourceContext() *Middleware
WithNoResourceContext causes the middleware to include no resource context in the authorization request, instead of the default behavior of sending all URL path parameters.
func (*Middleware) WithPolicyFromURL ¶
func (m *Middleware) WithPolicyFromURL(prefix string) *Middleware
WithPolicyFromURL instructs the middleware to construct the policy path from the path segment of the incoming request's URL.
Path separators ('/') are replaced with dots ('.'). If the request uses gorilla/mux to define path parameters, those are added to the path with two leading underscores. An optional prefix can be specified to be included in all paths.
Example ¶
Using 'WithPolicyFromURL("myapp")', the route
POST /products/{id}
becomes the policy path
"myapp.POST.products.__id"
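Because the policy path is derived from the request URL, every route the server exposes must correspond to a policy module at the path this rule produces, so it helps to be able to compute the path for each route and test it. As an added illustration (not the library's own code), the function below writes out the documented mapping, and `policyPathMapper` wraps it in the shape a custom StringMapper is assumed to have, `func(*http.Request) string`; the handling of a gorilla/mux `{name:regexp}` placeholder is an assumption as well.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// policyPathFromRoute reproduces the documented WithPolicyFromURL mapping on a
// route template: "/" becomes ".", a gorilla/mux placeholder "{name}" becomes
// "__name", and the HTTP method and the optional prefix lead the path.
// Illustration written for this page; not the library's implementation.
func policyPathFromRoute(prefix, method, routeTemplate string) string {
	parts := []string{}
	if prefix != "" {
		parts = append(parts, prefix)
	}
	parts = append(parts, method)
	for _, seg := range strings.Split(strings.Trim(routeTemplate, "/"), "/") {
		if seg == "" {
			continue
		}
		if strings.HasPrefix(seg, "{") && strings.HasSuffix(seg, "}") {
			// Path parameter: strip braces and an assumed ":regexp" part, add "__".
			name := strings.TrimSuffix(strings.TrimPrefix(seg, "{"), "}")
			if i := strings.Index(name, ":"); i >= 0 {
				name = name[:i]
			}
			seg = "__" + name
		}
		parts = append(parts, seg)
	}
	return strings.Join(parts, ".")
}

// policyPathMapper has the assumed StringMapper shape func(*http.Request) string.
// It sees the concrete URL path, so it is exact for routes without placeholders.
func policyPathMapper(prefix string) func(*http.Request) string {
	return func(r *http.Request) string {
		return policyPathFromRoute(prefix, r.Method, r.URL.Path)
	}
}

func main() {
	fmt.Println(policyPathFromRoute("myapp", http.MethodPost, "/products/{id}"))
	r, _ := http.NewRequest(http.MethodGet, "http://localhost/products", nil)
	fmt.Println(policyPathMapper("myapp")(r))
}
```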
func (*Middleware) WithPolicyPathMapper ¶
func (m *Middleware) WithPolicyPathMapper(mapper StringMapper) *Middleware
WithPolicyPathMapper sets a custom policy path mapper, a function that takes an incoming request and returns the path, within the policy, of the package to query.
func (*Middleware) WithResourceMapper ¶
func (m *Middleware) WithResourceMapper(mapper ResourceMapper) *Middleware
WithResourceMapper sets a custom resource mapper, a function that takes an incoming request and returns the resource object to include with the authorization request as a `structpb.Struct`.
type ObjectMapper ¶ added in v0.30.0
ObjectMapper takes an incoming request and returns the object type and id to check.
type Policy ¶
type Policy = middleware.Policy
type ResourceMapper ¶ added in v0.20.1
ResourceMapper functions are used to extract structured data from incoming requests.
type StringMapper ¶
StringMapper functions are used to extract string values from incoming requests. They are used to define policy mappers.