Documentation
Overview
Package rbac is a generic library based on code generation to create a role-based access control system.
It is designed to be simple to use, and includes middleware to gate requests based on context values.
Index
- func Can(ctx context.Context, perm Permission, subjects ...any) bool
- func SetDefaultRoles(roles []Role)
- func User(ctx context.Context) values.User
- type Permission
- func (p Permission) AnyValidSubject(ctx context.Context, subjects ...any) bool
- func (p Permission) Equals(cmp Permission) bool
- func (p Permission) ValidSubject(ctx context.Context, check any) bool
- func (p Permission) ValidSubjects(ctx context.Context, subjects ...any) bool
- func (p Permission) WithSubjects(subjects []string) Permission
- type Role
Constants
This section is empty.
Variables
This section is empty.
Functions
func Can
func Can(ctx context.Context, perm Permission, subjects ...any) bool
Can uses the current context values to determine if an action can be taken.
Usage: if rbac.Can(ctx, permissions.SpecificationCreate) {}
func SetDefaultRoles
func SetDefaultRoles(roles []Role)
SetDefaultRoles should ideally be called from an init function. While it is safe for concurrent reads and writes, changing the role set between requests is not advisable.
Types
type Permission
type Permission struct {
	ID          string
	Name        string
	Description string
	// Subjects are things this permission can be applied against, such as a database ID, or a special marker.
	Subjects []string
}
Permission holds information on something a role is allowed to do, as well as any subjects within it.
func (Permission) AnyValidSubject
func (p Permission) AnyValidSubject(ctx context.Context, subjects ...any) bool
AnyValidSubject is the logical-OR counterpart of ValidSubjects: it returns true if any of the given subjects is valid.
func (Permission) Equals
func (p Permission) Equals(cmp Permission) bool
Equals checks that two permissions are the same. They can have differing subjects, but if the IDs match, they are treated as the same permission for checks that a user has a role.
func (Permission) ValidSubject
func (p Permission) ValidSubject(ctx context.Context, check any) bool
ValidSubject loops through all subjects on a Permission, returning true if any match. Special behavior is assigned to the constants subject.Wildcard and subject.Self:
- subject.Wildcard will allow any subject as if it matched.
- subject.Self will use any available auth in the context to validate against a subject (user) ID.
func (Permission) ValidSubjects
func (p Permission) ValidSubjects(ctx context.Context, subjects ...any) bool
ValidSubjects checks that all given subjects are valid (logical AND). If you need a logical OR, see AnyValidSubject.
func (Permission) WithSubjects
func (p Permission) WithSubjects(subjects []string) Permission
WithSubjects adds subjects to the current permission. Usage is e.g. permission.Create.WithSubjects([]string{"foo"})
type Role
type Role struct {
	ID          string
	Name        string
	Description string
	Permissions []Permission
	// CustomMappings holds any extra data at generation time used to map this role to another system.
	CustomMappings map[string]string
}
Role is a base unit that can be assigned to a group or a user, and contains a set of permissions.
- A user MAY have many roles
- A user MAY have many groups
- A group MAY have many roles
A user's roles are usually determined as a flattened set of all group roles, plus all direct user roles. The method of obtaining a user's roles is left up to the implementer or middleware.
Roles are considered equal if the ID value matches, but a role with an empty ID will never match another role.
func Roles
Roles returns a list of roles in the current context. The roles must have been set up globally.
func (Role) Can
Can checks if a role has a specific permission. If subjects are passed, they are verified via logical AND.
func (Role) Has
func (r Role) Has(perm Permission) bool
Has checks if a role has a specific permission, regardless of subjects.
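The following is an added example, not code from the rbac package or its subject package: a self-contained model of the rules documented above (Wildcard and Self subjects, ValidSubjects as AND, AnyValidSubject as OR, Equals by ID, an empty role ID never matching, and Role.Can ANDing subjects). The marker values, the WithUserID helper, the context key, and the subject type (string rather than any) are assumptions; Role.Can is given a context parameter because the Self rule cannot be evaluated without one.

```go
package main

import (
	"context"
	"fmt"
)

// Constructed model of the subject and role rules described above: illustrative
// code, not the rbac package or its subject package; every name here is assumed.
const (
	Wildcard = "*"    // stand-in for subject.Wildcard
	Self     = "self" // stand-in for subject.Self
)

type userKey struct{}

// WithUserID stores an authenticated user ID, standing in for the real middleware.
func WithUserID(ctx context.Context, id string) context.Context {
	return context.WithValue(ctx, userKey{}, id)
}

type Permission struct {
	ID       string
	Subjects []string
}

// Equals compares by ID only; subjects are ignored.
func (p Permission) Equals(cmp Permission) bool { return p.ID == cmp.ID }

// WithSubjects copies the slice so widening one role's copy cannot widen another's.
func (p Permission) WithSubjects(subjects []string) Permission {
	p.Subjects = append(append([]string(nil), p.Subjects...), subjects...)
	return p
}

// ValidSubject: Wildcard matches anything; Self matches only when the context
// carries an authenticated user whose ID equals check (so an unauthenticated
// context never satisfies Self); markers are never compared literally.
func (p Permission) ValidSubject(ctx context.Context, check string) bool {
	id, ok := ctx.Value(userKey{}).(string)
	for _, s := range p.Subjects {
		selfOK := s == Self && ok && id != "" && id == check
		if s == Wildcard || selfOK || (s != Self && s == check) {
			return true
		}
	}
	return false
}

// ValidSubjects is the logical AND over subjects; with none it is vacuously true.
func (p Permission) ValidSubjects(ctx context.Context, subjects ...string) bool {
	for _, s := range subjects {
		if !p.ValidSubject(ctx, s) {
			return false
		}
	}
	return true
}

// AnyValidSubject is the logical OR over subjects.
func (p Permission) AnyValidSubject(ctx context.Context, subjects ...string) bool {
	for _, s := range subjects {
		if p.ValidSubject(ctx, s) {
			return true
		}
	}
	return false
}

type Role struct {
	ID          string
	Permissions []Permission
}

// Equals: IDs must match, and a role with an empty ID never matches anything.
func (r Role) Equals(cmp Role) bool { return r.ID != "" && r.ID == cmp.ID }

// Can ANDs every subject against the role's own copy of the permission; subjects on the perm argument grant nothing.
func (r Role) Can(ctx context.Context, perm Permission, subjects ...string) bool {
	for _, p := range r.Permissions {
		if p.Equals(perm) && p.ValidSubjects(ctx, subjects...) {
			return true
		}
	}
	return false
}

// Has ignores subjects: it is Can with no subjects, relying on the vacuous-truth rule of ValidSubjects.
func (r Role) Has(perm Permission) bool { return r.Can(context.Background(), perm) }

func main() {
	ctx := WithUserID(context.Background(), "user-42")
	editor := Role{ID: "editor", Permissions: []Permission{
		{ID: "spec.create", Subjects: []string{Wildcard}},
		{ID: "spec.update", Subjects: []string{Self}},
	}}
	fmt.Println(editor.Can(ctx, Permission{ID: "spec.update"}, "user-42")) // true
	fmt.Println(editor.Can(context.Background(), Permission{ID: "spec.update"}, "user-42")) // false
}
```

Two points the model makes explicit: ValidSubjects on an empty list is vacuously true, so a caller that forgets to pass subjects gets a subject-less check (Has rather than Can), and subjects carried on the permission argument are never consulted, only those stored on the role's own copy.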
Directories
Path | Synopsis |
---|---|
cmd | |
middleware | |
http | Package http sets up various middleware methods for HTTP requests, and includes options to set defaults. |
subject | Package subject declares methods and constants for checking a permission's subjects. |