import "github.com/ory/ladon"
audit_logger.go audit_logger_info.go audit_logger_noop.go condition.go condition_boolean.go condition_cidr.go condition_resource_contains.go condition_string_equal.go condition_string_match.go condition_string_pairs_equal.go condition_subject_equal.go const.go context.go errors.go ladon.go manager.go manager_migrator.go manager_test_helper.go matcher.go matcher_regexp.go metric.go metric_noop.go policy.go warden.go
const AllowAccess = "allow"AllowAccess should be used as effect for policies that allow access.
const DenyAccess = "deny"DenyAccess should be used as effect for policies that deny access.
var (
// ErrRequestDenied is returned when an access request can not be satisfied by any policy.
ErrRequestDenied = &errorWithContext{
error: errors.New("Request was denied by default"),
code: http.StatusForbidden,
status: http.StatusText(http.StatusForbidden),
reason: "The request was denied because no matching policy was found.",
}
// ErrRequestForcefullyDenied is returned when an access request is explicitly denied by a policy.
ErrRequestForcefullyDenied = &errorWithContext{
error: errors.New("Request was forcefully denied"),
code: http.StatusForbidden,
status: http.StatusText(http.StatusForbidden),
reason: "The request was denied because a policy denied request.",
}
// ErrNotFound is returned when a resource can not be found.
ErrNotFound = &errorWithContext{
error: errors.New("Resource could not be found"),
code: http.StatusNotFound,
status: http.StatusText(http.StatusNotFound),
}
)var ConditionFactories = map[string]func() Condition{ new(StringEqualCondition).GetName(): func() Condition { return new(StringEqualCondition) }, new(CIDRCondition).GetName(): func() Condition { return new(CIDRCondition) }, new(EqualsSubjectCondition).GetName(): func() Condition { return new(EqualsSubjectCondition) }, new(StringPairsEqualCondition).GetName(): func() Condition { return new(StringPairsEqualCondition) }, new(StringMatchCondition).GetName(): func() Condition { return new(StringMatchCondition) }, new(ResourceContainsCondition).GetName(): func() Condition { return new(ResourceContainsCondition) }, new(BooleanCondition).GetName(): func() Condition { return new(BooleanCondition) }, }
ConditionFactories is where you can add custom conditions
var DefaultAuditLogger = &AuditLoggerNoOp{}
var DefaultMatcher = NewRegexpMatcher(512)
var DefaultMetric = &MetricNoOp{}
var TestManagerPolicies = []*DefaultPolicy{ { ID: uuid.New(), Description: "description", Subjects: []string{"user", "anonymous"}, Effect: AllowAccess, Resources: []string{"article", "user"}, Actions: []string{"create", "update"}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{}, Effect: AllowAccess, Resources: []string{"<article|user>"}, Actions: []string{"view"}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{}, Effect: AllowAccess, Resources: []string{}, Actions: []string{"view"}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{}, Effect: AllowAccess, Resources: []string{}, Actions: []string{}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{}, Effect: AllowAccess, Resources: []string{"foo"}, Actions: []string{}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{"foo"}, Effect: AllowAccess, Resources: []string{"foo"}, Actions: []string{}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{"foo"}, Effect: AllowAccess, Resources: []string{}, Actions: []string{}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Effect: AllowAccess, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{"<peter|max>"}, Effect: DenyAccess, Resources: []string{"article", "user"}, Actions: []string{"view"}, Conditions: Conditions{ "owner": &EqualsSubjectCondition{}, }, }, { ID: uuid.New(), Description: "description", Subjects: []string{"<user|max|anonymous>", "peter"}, Effect: DenyAccess, Resources: []string{".*"}, Actions: []string{"disable"}, Conditions: Conditions{ "ip": &CIDRCondition{ CIDR: "1234", }, "owner": &EqualsSubjectCondition{}, }, }, { ID: uuid.New(), Description: "description", Subjects: []string{"<.*>"}, Effect: AllowAccess, Resources: []string{"<article|user>"}, Actions: []string{"view"}, Conditions: Conditions{ "ip": &CIDRCondition{ CIDR: "1234", }, "owner": &EqualsSubjectCondition{}, }, }, { ID: uuid.New(), Description: "description", Subjects: []string{"<us[er]+>"}, Effect: AllowAccess, Resources: []string{"<article|user>"}, Actions: []string{"view"}, Conditions: Conditions{ "ip": &CIDRCondition{ CIDR: "1234", }, "owner": &EqualsSubjectCondition{}, }, }, { ID: uuid.New(), Description: "A failed policy", Subjects: []string{"supplier"}, Effect: AllowAccess, Resources: []string{"product:<.*>"}, Actions: []string{"update"}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "Another failed policy", Subjects: []string{"buyer"}, Effect: AllowAccess, Resources: []string{"products:attributeGroup:<.*>"}, Actions: []string{"create"}, Conditions: Conditions{}, }, }
type AuditLogger interface {
LogRejectedAccessRequest(request *Request, pool Policies, deciders Policies)
LogGrantedAccessRequest(request *Request, pool Policies, deciders Policies)
}AuditLogger tracks denied and granted authorizations.
AuditLoggerInfo outputs information about granting or rejecting policies.
func (a *AuditLoggerInfo) LogGrantedAccessRequest(r *Request, p Policies, d Policies)
func (a *AuditLoggerInfo) LogRejectedAccessRequest(r *Request, p Policies, d Policies)
type AuditLoggerNoOp struct{}AuditLoggerNoOp is the default AuditLogger, that tracks nothing.
func (*AuditLoggerNoOp) LogGrantedAccessRequest(r *Request, p Policies, d Policies)
func (*AuditLoggerNoOp) LogRejectedAccessRequest(r *Request, p Policies, d Policies)
BooleanCondition is used to determine if a boolean context matches an expected boolean condition.
BooleanCondition implements the ladon.Condition interface. See https://github.com/ory/ladon/blob/master/condition.go
func (c *BooleanCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills determines if the BooleanCondition is fulfilled. The BooleanCondition is fulfilled if the provided boolean value matches the conditions boolean value.
func (c *BooleanCondition) GetName() string
GetName returns the name of the BooleanCondition
CIDRCondition makes sure that the warden requests' IP address is in the given CIDR.
func (c *CIDRCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the the request is fulfilled by the condition.
func (c *CIDRCondition) GetName() string
GetName returns the condition's name.
type Condition interface {
// GetName returns the condition's name.
GetName() string
// Fulfills returns true if the request is fulfilled by the condition.
Fulfills(interface{}, *Request) bool
}Condition either do or do not fulfill an access request.
Conditions is a collection of conditions.
func (cs Conditions) AddCondition(key string, c Condition)
AddCondition adds a condition to the collection.
func (cs Conditions) MarshalJSON() ([]byte, error)
MarshalJSON marshals a list of conditions to json.
func (cs Conditions) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals a list of conditions from json.
Context is used as request's context.
type DefaultPolicy struct {
ID string `json:"id" gorethink:"id"`
Description string `json:"description" gorethink:"description"`
Subjects []string `json:"subjects" gorethink:"subjects"`
Effect string `json:"effect" gorethink:"effect"`
Resources []string `json:"resources" gorethink:"resources"`
Actions []string `json:"actions" gorethink:"actions"`
Conditions Conditions `json:"conditions" gorethink:"conditions"`
Meta []byte `json:"meta" gorethink:"meta"`
}DefaultPolicy is the default implementation of the policy interface.
func (p *DefaultPolicy) AllowAccess() bool
AllowAccess returns true if the policy effect is allow, otherwise false.
func (p *DefaultPolicy) GetActions() []string
GetActions returns the policies actions.
func (p *DefaultPolicy) GetConditions() Conditions
GetConditions returns the policies conditions.
func (p *DefaultPolicy) GetDescription() string
GetDescription returns the policies description.
func (p *DefaultPolicy) GetEffect() string
GetEffect returns the policies effect which might be 'allow' or 'deny'.
func (p *DefaultPolicy) GetEndDelimiter() byte
GetEndDelimiter returns the delimiter which identifies the end of a regular expression.
func (p *DefaultPolicy) GetID() string
GetID returns the policies id.
func (p *DefaultPolicy) GetMeta() []byte
GetMeta returns the policies arbitrary metadata set by the user.
func (p *DefaultPolicy) GetResources() []string
GetResources returns the policies resources.
func (p *DefaultPolicy) GetStartDelimiter() byte
GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression.
func (p *DefaultPolicy) GetSubjects() []string
GetSubjects returns the policies subjects.
func (p *DefaultPolicy) UnmarshalJSON(data []byte) error
UnmarshalJSON overwrite own policy with values of the given in policy in JSON format
func (p *DefaultPolicy) UnmarshalMeta(v interface{}) error
UnmarshalMeta parses the policies []byte encoded metadata and stores the result in the value pointed to by v.
type EqualsSubjectCondition struct{}EqualsSubjectCondition is a condition which is fulfilled if the request's subject is equal to the given value string
func (c *EqualsSubjectCondition) Fulfills(value interface{}, r *Request) bool
Fulfills returns true if the request's subject is equal to the given value string
func (c *EqualsSubjectCondition) GetName() string
GetName returns the condition's name.
type Ladon struct {
Manager Manager
Matcher matcher
AuditLogger AuditLogger
Metric Metric
}Ladon is an implementation of Warden.
DoPoliciesAllow returns nil if subject s has permission p on resource r with context c for a given policy list or an error otherwise. The IsAllowed interface should be preferred since it uses the manager directly. This is a lower level interface for when you don't want to use the ladon manager.
IsAllowed returns nil if subject s has permission p on resource r with context c or an error otherwise.
type Manager interface {
// Create persists the policy.
Create(policy Policy) error
// Update updates an existing policy.
Update(policy Policy) error
// Get retrieves a policy.
Get(id string) (Policy, error)
// Delete removes a policy.
Delete(id string) error
// GetAll retrieves all policies.
GetAll(limit, offset int64) (Policies, error)
// FindRequestCandidates returns candidates that could match the request object. It either returns
// a set that exactly matches the request, or a superset of it. If an error occurs, it returns nil and
// the error.
FindRequestCandidates(r *Request) (Policies, error)
// FindPoliciesForSubject returns policies that could match the subject. It either returns
// a set of policies that applies to the subject, or a superset of it.
// If an error occurs, it returns nil and the error.
FindPoliciesForSubject(subject string) (Policies, error)
// FindPoliciesForResource returns policies that could match the resource. It either returns
// a set of policies that apply to the resource, or a superset of it.
// If an error occurs, it returns nil and the error.
FindPoliciesForResource(resource string) (Policies, error)
}Manager is responsible for managing and persisting policies.
type ManagerMigrator interface {
Create(policy Policy) (err error)
Migrate() (err error)
GetManager() Manager
}type Metric interface {
// RequestDeniedBy is called when we get explicit deny by policy
RequestDeniedBy(Request, Policy)
// RequestAllowedBy is called when a matching policy has been found.
RequestAllowedBy(Request, Policies)
// RequestNoMatch is called when no policy has matched our request
RequestNoMatch(Request)
// RequestProcessingError is called when unexpected error occured
RequestProcessingError(Request, Policy, error)
}Metric is used to expose metrics about authz
type MetricNoOp struct{}MetricNoOp is the default metrics implementation , that tracks nothing.
func (*MetricNoOp) RequestAllowedBy(r Request, p Policies)
func (*MetricNoOp) RequestDeniedBy(r Request, p Policy)
func (*MetricNoOp) RequestNoMatch(r Request)
func (*MetricNoOp) RequestProcessingError(r Request, p Policy, err error)
Policies is an array of policies.
type Policy interface {
// GetID returns the policies id.
GetID() string
// GetDescription returns the policies description.
GetDescription() string
// GetSubjects returns the policies subjects.
GetSubjects() []string
// AllowAccess returns true if the policy effect is allow, otherwise false.
AllowAccess() bool
// GetEffect returns the policies effect which might be 'allow' or 'deny'.
GetEffect() string
// GetResources returns the policies resources.
GetResources() []string
// GetActions returns the policies actions.
GetActions() []string
// GetConditions returns the policies conditions.
GetConditions() Conditions
// GetMeta returns the policies arbitrary metadata set by the user.
GetMeta() []byte
// GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression.
GetStartDelimiter() byte
// GetEndDelimiter returns the delimiter which identifies the end of a regular expression.
GetEndDelimiter() byte
}Policy represent a policy model.
func NewRegexpMatcher(size int) *RegexpMatcher
Matches a needle with an array of regular expressions and returns true if a match was found.
type Request struct {
// Resource is the resource that access is requested to.
Resource string `json:"resource"`
// Action is the action that is requested on the resource.
Action string `json:"action"`
// Subejct is the subject that is requesting access.
Subject string `json:"subject"`
// Context is the request's environmental context.
Context Context `json:"context"`
}Request is the warden's request object.
type ResourceContainsCondition struct{}ResourceContainsCondition is fulfilled if the context matches a substring within the resource name
func (c *ResourceContainsCondition) Fulfills(value interface{}, r *Request) bool
Fulfills returns true if the request's resouce contains the given value string
func (c *ResourceContainsCondition) GetName() string
GetName returns the condition's name.
StringEqualCondition is a condition which is fulfilled if the given string value is the same as specified in StringEqualCondition
func (c *StringEqualCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the given value is a string and is the same as in StringEqualCondition.Equals
func (c *StringEqualCondition) GetName() string
GetName returns the condition's name.
StringMatchCondition is a condition which is fulfilled if the given string value matches the regex pattern specified in StringMatchCondition
func (c *StringMatchCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the given value is a string and matches the regex pattern in StringMatchCondition.Matches
func (c *StringMatchCondition) GetName() string
GetName returns the condition's name.
type StringPairsEqualCondition struct{}StringPairsEqualCondition is a condition which is fulfilled if the given array of pairs contains two-element string arrays where both elements in the string array are equal
func (c *StringPairsEqualCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the given value is an array of string arrays and each string array has exactly two values which are equal
func (c *StringPairsEqualCondition) GetName() string
GetName returns the condition's name.
type Warden interface {
// IsAllowed returns nil if subject s can perform action a on resource r with context c or an error otherwise.
// if err := guard.IsAllowed(&Request{Resource: "article/1234", Action: "update", Subject: "peter"}); err != nil {
// return errors.New("Not allowed")
// }
IsAllowed(r *Request) error
}Warden is responsible for deciding if subject s can perform action a on resource r with context c.
| Path | Synopsis |
|---|---|
| compiler | |
| manager/memory |
Package ladon imports 17 packages (graph) and is imported by 103 packages. Updated 2020-01-08. Refresh now. Tools for package owners.