Documentation
Index
- Variables
- func DefaultUserExtractor(ctx context.Context) (any, error)
- func StreamServerInterceptor(authorizer Authorizer, opts ...Opt) grpc.StreamServerInterceptor
- func UnaryServerInterceptor(authorizer Authorizer, opts ...Opt) grpc.UnaryServerInterceptor
- type AuthorizeMethodFunc
- type Authorizer
- type ExpressionVar
- type Opt
- type RuleExecutionParams
- type UserExtractor
Constants
This section is empty.
Variables
var DefaultUserExtractorKey ctxKey = "user"
DefaultUserExtractorKey is the default key used to extract a user from the context.
Functions
func DefaultUserExtractor added in v0.5.0
func DefaultUserExtractor(ctx context.Context) (any, error)
DefaultUserExtractor is the default user extractor function. It extracts a user from the context using DefaultUserExtractorKey.
func StreamServerInterceptor
func StreamServerInterceptor(authorizer Authorizer, opts ...Opt) grpc.StreamServerInterceptor
StreamServerInterceptor uses the given authorizer to authorize streaming grpc requests. JavascriptAuthorizer/CELAuthorizer are implementations of Authorizer that use JavaScript/CEL expressions to authorize requests. For streaming requests the request object in the expression evaluation is nil, because the request is not available in the context when the interceptor runs.
func UnaryServerInterceptor
func UnaryServerInterceptor(authorizer Authorizer, opts ...Opt) grpc.UnaryServerInterceptor
UnaryServerInterceptor uses the given authorizer to authorize unary grpc requests. JavascriptAuthorizer/CELAuthorizer are implementations of Authorizer that use JavaScript/CEL expressions to authorize requests.
Types
type AuthorizeMethodFunc added in v0.7.0
type AuthorizeMethodFunc func(ctx context.Context, method string, params *RuleExecutionParams) (allow bool, err error)
AuthorizeMethodFunc is a function that authorizes a grpc request.
func (AuthorizeMethodFunc) AuthorizeMethod added in v0.7.0
func (f AuthorizeMethodFunc) AuthorizeMethod(ctx context.Context, method string, params *RuleExecutionParams) (allow bool, err error)
AuthorizeMethod implements the Authorizer interface by calling f.
type Authorizer
type Authorizer interface {
	// AuthorizeMethod is called by the grpc interceptor to authorize a request
	AuthorizeMethod(ctx context.Context, method string, params *RuleExecutionParams) (allow bool, err error)
}
Authorizer is an interface for authorizing grpc requests.
func Chain added in v0.7.0
func Chain(authz ...Authorizer) Authorizer
Chain chains multiple authorizers together: if any authorizer returns true, the request is authorized.
type ExpressionVar
type ExpressionVar string
ExpressionVar is a global variable injected into a JavaScript/CEL authorization expression.
const (
	// ExpressionVarRequest is the request object
	ExpressionVarRequest ExpressionVar = "request"
	// ExpressionVarMetadata is the metadata object
	ExpressionVarMetadata ExpressionVar = "metadata"
	// ExpressionVarUser is the user object
	ExpressionVarUser ExpressionVar = "user"
	// ExpressionVarIsStream is true if the grpc handler is a streaming handler
	ExpressionVarIsStream ExpressionVar = "is_stream"
	// ExpressionVarMethod is the grpc method
	ExpressionVarMethod ExpressionVar = "method"
)
type Opt
type Opt func(o *options)
Opt is an option for configuring the interceptor.
func WithSelectors added in v0.9.0
WithSelectors sets the list of selectors that will be used to determine whether the interceptor should be applied to a request.
func WithUserExtractor
func WithUserExtractor(extractor UserExtractor) Opt
WithUserExtractor sets the user extractor function that the interceptor uses to extract a user from the context so that its attributes can be used in rule expression evaluation. The extracted user is injected into the expression VM as the "user" variable.
func WithWhiteListMethods added in v0.5.0
WithWhiteListMethods sets the list of methods that will be allowed without authorization.
type RuleExecutionParams
type RuleExecutionParams struct {
	// User is the user extracted from the context by the configured UserExtractor (see WithUserExtractor)
	User any
	// Request is the request object passed to the grpc handler (nil for streaming handlers)
	Request any
	// Metadata is the metadata passed to the grpc handler
	Metadata metadata.MD
	// IsStream is true if the grpc handler is a streaming handler
	IsStream bool
}
RuleExecutionParams is the set of parameters passed to Authorizer.AuthorizeMethod.
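As an added example (not code from this package), a local stand-in that mirrors the documented types: two AuthorizeMethodFunc-style policies combined with Chain's first-allow-wins semantics and evaluated the way UnaryServerInterceptor/StreamServerInterceptor would, with the user read from the context under the "user" key and Request set to nil for streams. Params, User, Chain, AdminOnly, ReadOnly and Authorize are defined here rather than imported from the package; Metadata is omitted, and Chain is assumed to fail closed on an error, which the page does not specify.

```go
package main

import (
	"context"
	"strings"
)

type ctxKey string

const userKey ctxKey = "user" // same key DefaultUserExtractor reads
// Params is a local stand-in for RuleExecutionParams (Metadata omitted).
type Params struct {
	User     any
	Request  any
	IsStream bool
}
type User struct{ Role string }
// AuthorizeMethodFunc mirrors the package's function-typed Authorizer.
type AuthorizeMethodFunc func(ctx context.Context, method string, p *Params) (bool, error)
// Chain reproduces the documented OR semantics (first allow wins); an error fails closed (my assumption).
func Chain(authz ...AuthorizeMethodFunc) AuthorizeMethodFunc {
	return func(ctx context.Context, method string, p *Params) (bool, error) {
		for _, a := range authz {
			if allow, err := a(ctx, method, p); err != nil || allow {
				return allow && err == nil, err
			}
		}
		return false, nil
	}
}
// AdminOnly allows every method for the admin role; any other User value is denied.
func AdminOnly(_ context.Context, _ string, p *Params) (bool, error) {
	u, ok := p.User.(User)
	return ok && u.Role == "admin", nil
}
// ReadOnly allows Get*/List* methods for any User; it never reads p.Request, which is nil for streams.
func ReadOnly(_ context.Context, method string, p *Params) (bool, error) {
	_, ok := p.User.(User)
	name := method[strings.LastIndex(method, "/")+1:]
	return ok && (strings.HasPrefix(name, "Get") || strings.HasPrefix(name, "List")), nil
}
// Authorize does what the interceptor does: take the user from ctx (nil when absent, so every rule denies), blank the request for streaming calls, then evaluate the chain.
func Authorize(ctx context.Context, method string, req any, isStream bool) (bool, error) {
	if isStream {
		req = nil
	}
	p := &Params{User: ctx.Value(userKey), Request: req, IsStream: isStream}
	return Chain(AdminOnly, ReadOnly)(ctx, method, p)
}
```

A rule that dereferences the request must therefore guard on IsStream, or it will fail for every streaming call.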