package gorbac

import "github.com/mikespook/gorbac"

Package gorbac provides a lightweight role-based access control implementation in Golang.

For the purposes of this package:

* an identity has one or more roles.
* a role requests access to a permission.
* a permission is given to a role.

Thus, RBAC has the following model:

* many to many relationship between identities and roles.
* many to many relationship between roles and permissions.
* roles can have parent roles.

Index ¶

• Variables
• func AllGranted(rbac *RBAC, roles []string, permission Permission, assert AssertionFunc) (rslt bool)
• func AnyGranted(rbac *RBAC, roles []string, permission Permission, assert AssertionFunc) (rslt bool)
• func InherCircle(rbac *RBAC) (err error)
• func Walk(rbac *RBAC, h WalkHandler) (err error)
• type AssertionFunc
• type LayerPermission
• func (p *LayerPermission) ID() string
• func (p *LayerPermission) Match(a Permission) bool
• type Permission
• func NewLayerPermission(id string) Permission
• func NewStdPermission(id string) Permission
• type Permissions
• type RBAC
• func New() *RBAC
• func (rbac *RBAC) Add(r Role) (err error)
• func (rbac *RBAC) Get(id string) (r Role, parents []string, err error)
• func (rbac *RBAC) GetParents(id string) ([]string, error)
• func (rbac *RBAC) IsGranted(id string, p Permission, assert AssertionFunc) (rslt bool)
• func (rbac *RBAC) Remove(id string) (err error)
• func (rbac *RBAC) RemoveParent(id string, parent string) error
• func (rbac *RBAC) SetParent(id string, parent string) error
• func (rbac *RBAC) SetParents(id string, parents []string) error
• type Role
• type Roles
• type StdPermission
• func (p *StdPermission) ID() string
• func (p *StdPermission) Match(a Permission) bool
• type StdRole
• func NewStdRole(id string) *StdRole
• func (role *StdRole) Assign(p Permission) error
• func (role *StdRole) ID() string
• func (role *StdRole) Permissions() []Permission
• func (role *StdRole) Permit(p Permission) (rslt bool)
• func (role *StdRole) Revoke(p Permission) error
• type WalkHandler

Package Files ¶

helper.go permission.go rbac.go role.go

Variables ¶

var (
    // ErrRoleNotExist occurred if a role cann't be found
    ErrRoleNotExist = errors.New("Role does not exist")
    // ErrRoleExist occurred if a role shouldn't be found
    ErrRoleExist = errors.New("Role has already existed")
)

var (
    ErrFoundCircle = fmt.Errorf("Found circle")
)

func AllGranted ¶ Uses

func AllGranted(rbac *RBAC, roles []string, permission Permission,
    assert AssertionFunc) (rslt bool)

AllGranted checks if all roles have the permission.

func AnyGranted ¶ Uses

func AnyGranted(rbac *RBAC, roles []string, permission Permission,
    assert AssertionFunc) (rslt bool)

AnyGranted checks if any role has the permission.

func InherCircle ¶ Uses

func InherCircle(rbac *RBAC) (err error)

InherCircle returns an error when detecting any circle inheritance.

func Walk ¶ Uses

func Walk(rbac *RBAC, h WalkHandler) (err error)

Walk passes each Role to WalkHandler

type AssertionFunc ¶ Uses

type AssertionFunc func(*RBAC, string, Permission) bool

AssertionFunc supplies more fine-grained permission controls.

type LayerPermission ¶ Uses

type LayerPermission struct {
    IDStr string `json:"id"`
    Sep   string `json:"sep"`
}

LayerPermission firstly checks the Id of permission. If the Id is matched, it can be consIdered having the permission. Otherwise, it checks every layers of permission. A role which has an upper layer granted, will be granted sub-layers permissions.

func (*LayerPermission) ID ¶ Uses

func (p *LayerPermission) ID() string

ID returns the identity of permission

func (*LayerPermission) Match ¶ Uses

func (p *LayerPermission) Match(a Permission) bool

Match another permission

type Permission ¶ Uses

type Permission interface {
    ID() string
    Match(Permission) bool
}

Permission exports `Id` and `Match`

func NewLayerPermission ¶ Uses

func NewLayerPermission(id string) Permission

NewLayerPermission returns an instance of layered permission with `id`

func NewStdPermission ¶ Uses

func NewStdPermission(id string) Permission

NewStdPermission returns a Permission instance with `id`

type Permissions ¶ Uses

type Permissions map[string]Permission

Permissions is a map

type RBAC ¶ Uses

type RBAC struct {
    // contains filtered or unexported fields
}

RBAC object, in most cases it should be used as a singleton.

func New ¶ Uses

func New() *RBAC

New returns a RBAC structure. The default role structure will be used.

func (*RBAC) Add ¶ Uses

func (rbac *RBAC) Add(r Role) (err error)

Add a role `r`.

func (*RBAC) Get ¶ Uses

func (rbac *RBAC) Get(id string) (r Role, parents []string, err error)

Get the role by `id` and a slice of its parents id.

func (*RBAC) GetParents ¶ Uses

func (rbac *RBAC) GetParents(id string) ([]string, error)

GetParents return `parents` of the role `id`. If the role is not existing, an error will be returned. Or the role doesn't have any parents, a nil slice will be returned.

func (*RBAC) IsGranted ¶ Uses

func (rbac *RBAC) IsGranted(id string, p Permission, assert AssertionFunc) (rslt bool)

IsGranted tests if the role `id` has Permission `p` with the condition `assert`.

func (*RBAC) Remove ¶ Uses

func (rbac *RBAC) Remove(id string) (err error)

Remove the role by `id`.

func (*RBAC) RemoveParent ¶ Uses

func (rbac *RBAC) RemoveParent(id string, parent string) error

RemoveParent unbind the `parent` with the role `id`. If the role or the parent is not existing, an error will be returned.

func (*RBAC) SetParent ¶ Uses

func (rbac *RBAC) SetParent(id string, parent string) error

SetParent bind the `parent` to the role `id`. If the role or the parent is not existing, an error will be returned.

func (*RBAC) SetParents ¶ Uses

func (rbac *RBAC) SetParents(id string, parents []string) error

SetParents bind `parents` to the role `id`. If the role or any of parents is not existing, an error will be returned.

type Role ¶ Uses

type Role interface {
    ID() string
    Permit(Permission) bool
}

Role is an interface. You should implement this interface for your own role structures.

type Roles ¶ Uses

type Roles map[string]Role

Roles is a map

type StdPermission ¶ Uses

type StdPermission struct {
    IDStr string
}

StdPermission only checks if the Ids are fully matching.

func (*StdPermission) ID ¶ Uses

func (p *StdPermission) ID() string

ID returns the identity of permission

func (*StdPermission) Match ¶ Uses

func (p *StdPermission) Match(a Permission) bool

Match another permission

type StdRole ¶ Uses

type StdRole struct {
    sync.RWMutex
    // IDStr is the identity of role
    IDStr string `json:"id"`
    // contains filtered or unexported fields
}

StdRole is the default role implement. You can combine this struct into your own Role implement.

func NewStdRole ¶ Uses

func NewStdRole(id string) *StdRole

NewStdRole is the default role factory function. It matches the declaration to RoleFactoryFunc.

func (*StdRole) Assign ¶ Uses

func (role *StdRole) Assign(p Permission) error

Assign a permission to the role.

func (*StdRole) ID ¶ Uses

func (role *StdRole) ID() string

ID returns the role's identity name.

func (*StdRole) Permissions ¶ Uses

func (role *StdRole) Permissions() []Permission

Permissions returns all permissions into a slice.

func (*StdRole) Permit ¶ Uses

func (role *StdRole) Permit(p Permission) (rslt bool)

Permit returns true if the role has specific permission.

func (*StdRole) Revoke ¶ Uses

func (role *StdRole) Revoke(p Permission) error

Revoke the specific permission.

type WalkHandler ¶ Uses

type WalkHandler func(Role, []string) error

WalkHandler is a function defined by user to handle role

Directories ¶