import "github.com/mikespook/gorbac"
Package gorbac provides a lightweight role-based access control implementation in Golang.
For the purposes of this package:
* an identity has one or more roles.
* a role requests access to a permission.
* a permission is given to a role.
Thus, RBAC has the following model:
* many to many relationship between identities and roles.
* many to many relationship between roles and permissions.
* roles can have parent roles.
helper.go permission.go rbac.go role.go
var (
    // ErrRoleNotExist occurred if a role can't be found
    ErrRoleNotExist = errors.New("Role does not exist")
    // ErrRoleExist occurred if a role shouldn't be found
    ErrRoleExist = errors.New("Role has already existed")
)
func AllGranted(rbac *RBAC, roles []string, permission Permission, assert AssertionFunc) (rslt bool)
AllGranted checks if all roles have the permission.
func AnyGranted(rbac *RBAC, roles []string, permission Permission, assert AssertionFunc) (rslt bool)
AnyGranted checks if any role has the permission.
InherCircle returns an error when it detects any circular inheritance.
func Walk(rbac *RBAC, h WalkHandler) (err error)
Walk passes each Role to WalkHandler.
type AssertionFunc func(*RBAC, string, Permission) bool
AssertionFunc supplies more fine-grained permission controls.
LayerPermission first checks the ID of the permission. If the ID matches, the permission is considered granted. Otherwise, it checks each layer of the permission. A role that has been granted an upper layer is also granted the permissions of its sub-layers.
func (p *LayerPermission) ID() string
ID returns the identity of permission
func (p *LayerPermission) Match(a Permission) bool
Match another permission
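The layered matching rule described above, together with the parent-role model from the package overview, as a stand-alone model added here; it is not gorbac's own code and does not import the package. The `:` separator, the `model` type, the sample roles, and the rule that a role inherits its parents' grants are assumptions of this example.

```go
package main

import "strings"

// layerMatch models the documented rule: an identical ID grants, else held must be an upper layer.
func layerMatch(held, requested string) bool {
	if held == requested {
		return true
	}
	h, r := strings.Split(held, ":"), strings.Split(requested, ":") // ":" is an assumed separator
	if len(h) > len(r) {
		return false // a sub-layer grant never implies its upper layer
	}
	for i := range h {
		if h[i] != r[i] {
			return false // whole layers are compared, not string prefixes
		}
	}
	return true
}

// model is a hypothetical stand-in for an RBAC store: role -> grants and role -> parents.
type model struct{ grants, parents map[string][]string }

// isGranted denies by default; it assumes parents' grants are inherited; seen stops circular walks.
func (m model) isGranted(role, perm string, seen map[string]bool) bool {
	if seen[role] {
		return false
	}
	seen[role] = true
	for _, g := range m.grants[role] {
		if layerMatch(g, perm) {
			return true
		}
	}
	for _, p := range m.parents[role] {
		if m.isGranted(p, perm, seen) {
			return true
		}
	}
	return false
}

// demo is constructed sample data; oncall and auditor deliberately form a circular parent link.
var demo = model{
	grants:  map[string][]string{"admin": {"logs"}, "auditor": {"logs:read"}},
	parents: map[string][]string{"oncall": {"auditor"}, "auditor": {"oncall"}},
}

func main() { println(demo.isGranted("admin", "logs:delete", map[string]bool{})) }
```

When reviewing a policy built on layered permissions, check every upper-layer grant for the sub-layers it implicitly covers: here `logs` on `admin` also covers `logs:delete`.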
type Permission interface {
    ID() string
    Match(Permission) bool
}
Permission exports `ID` and `Match`.
func NewLayerPermission(id string) Permission
NewLayerPermission returns an instance of layered permission with `id`
func NewStdPermission(id string) Permission
NewStdPermission returns a Permission instance with `id`
type Permissions map[string]Permission
Permissions is a map
type RBAC struct {
// contains filtered or unexported fields
}
RBAC object, in most cases it should be used as a singleton.
New returns an RBAC structure. The default role structure will be used.
Add a role `r`.
Get the role by `id` and a slice of its parents' ids.
GetParents returns the `parents` of the role `id`. If the role does not exist, an error is returned. If the role has no parents, a nil slice is returned.
func (rbac *RBAC) IsGranted(id string, p Permission, assert AssertionFunc) (rslt bool)
IsGranted tests if the role `id` has Permission `p` with the condition `assert`.
Remove the role by `id`.
RemoveParent unbinds the `parent` from the role `id`. If the role or the parent does not exist, an error is returned.
SetParent binds the `parent` to the role `id`. If the role or the parent does not exist, an error is returned.
SetParents binds `parents` to the role `id`. If the role or any of the parents does not exist, an error is returned.
type Role interface {
    ID() string
    Permit(Permission) bool
}
Role is an interface. You should implement this interface for your own role structures.
Roles is a map
StdPermission only checks whether the IDs match exactly.
func (p *StdPermission) ID() string
ID returns the identity of permission
func (p *StdPermission) Match(a Permission) bool
Match another permission
type StdRole struct {
    sync.RWMutex
    // IDStr is the identity of role
    IDStr string `json:"id"`
    // contains filtered or unexported fields
}
StdRole is the default role implementation. You can combine this struct into your own Role implementation.
NewStdRole is the default role factory function. Its signature matches the declaration of RoleFactoryFunc.
func (role *StdRole) Assign(p Permission) error
Assign a permission to the role.
ID returns the role's identity name.
func (role *StdRole) Permissions() []Permission
Permissions returns all permissions as a slice.
func (role *StdRole) Permit(p Permission) (rslt bool)
Permit returns true if the role has the specified permission.
func (role *StdRole) Revoke(p Permission) error
Revoke the specified permission.
WalkHandler is a user-defined function that handles a role.
Path | Synopsis |
---|---|
examples/persistence | |
examples/user-defined | User-defined gorbac example |
Package gorbac imports 4 packages and is imported by 8 packages. Updated 2019-01-10.