import "github.com/ory/ladon"
audit_logger.go audit_logger_info.go audit_logger_noop.go condition.go condition_boolean.go condition_cidr.go condition_resource_contains.go condition_string_equal.go condition_string_match.go condition_string_pairs_equal.go condition_subject_equal.go const.go context.go errors.go ladon.go manager.go manager_migrator.go manager_test_helper.go matcher.go matcher_regexp.go policy.go warden.go
const AllowAccess = "allow"
AllowAccess should be used as effect for policies that allow access.
const DenyAccess = "deny"
DenyAccess should be used as effect for policies that deny access.
var ( // ErrRequestDenied is returned when an access request can not be satisfied by any policy. ErrRequestDenied = &errorWithContext{ error: errors.New("Request was denied by default"), code: http.StatusForbidden, status: http.StatusText(http.StatusForbidden), reason: "The request was denied because no matching policy was found.", } // ErrRequestForcefullyDenied is returned when an access request is explicitly denied by a policy. ErrRequestForcefullyDenied = &errorWithContext{ error: errors.New("Request was forcefully denied"), code: http.StatusForbidden, status: http.StatusText(http.StatusForbidden), reason: "The request was denied because a policy denied request.", } // ErrNotFound is returned when a resource can not be found. ErrNotFound = &errorWithContext{ error: errors.New("Resource could not be found"), code: http.StatusNotFound, status: http.StatusText(http.StatusNotFound), } )
var ConditionFactories = map[string]func() Condition{ new(StringEqualCondition).GetName(): func() Condition { return new(StringEqualCondition) }, new(CIDRCondition).GetName(): func() Condition { return new(CIDRCondition) }, new(EqualsSubjectCondition).GetName(): func() Condition { return new(EqualsSubjectCondition) }, new(StringPairsEqualCondition).GetName(): func() Condition { return new(StringPairsEqualCondition) }, new(StringMatchCondition).GetName(): func() Condition { return new(StringMatchCondition) }, new(ResourceContainsCondition).GetName(): func() Condition { return new(ResourceContainsCondition) }, new(BooleanCondition).GetName(): func() Condition { return new(BooleanCondition) }, }
ConditionFactories is where you can add custom conditions
var DefaultAuditLogger = &AuditLoggerNoOp{}
var DefaultMatcher = NewRegexpMatcher(512)
var TestManagerPolicies = []*DefaultPolicy{ { ID: uuid.New(), Description: "description", Subjects: []string{"user", "anonymous"}, Effect: AllowAccess, Resources: []string{"article", "user"}, Actions: []string{"create", "update"}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{}, Effect: AllowAccess, Resources: []string{"<article|user>"}, Actions: []string{"view"}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{}, Effect: AllowAccess, Resources: []string{}, Actions: []string{"view"}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{}, Effect: AllowAccess, Resources: []string{}, Actions: []string{}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{}, Effect: AllowAccess, Resources: []string{"foo"}, Actions: []string{}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{"foo"}, Effect: AllowAccess, Resources: []string{"foo"}, Actions: []string{}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{"foo"}, Effect: AllowAccess, Resources: []string{}, Actions: []string{}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Effect: AllowAccess, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "description", Subjects: []string{"<peter|max>"}, Effect: DenyAccess, Resources: []string{"article", "user"}, Actions: []string{"view"}, Conditions: Conditions{ "owner": &EqualsSubjectCondition{}, }, }, { ID: uuid.New(), Description: "description", Subjects: []string{"<user|max|anonymous>", "peter"}, Effect: DenyAccess, Resources: []string{".*"}, Actions: []string{"disable"}, Conditions: Conditions{ "ip": &CIDRCondition{ CIDR: "1234", }, "owner": &EqualsSubjectCondition{}, }, }, { ID: uuid.New(), Description: "description", Subjects: []string{"<.*>"}, Effect: AllowAccess, Resources: []string{"<article|user>"}, Actions: []string{"view"}, Conditions: Conditions{ "ip": &CIDRCondition{ CIDR: "1234", }, "owner": &EqualsSubjectCondition{}, }, }, { ID: uuid.New(), Description: "description", Subjects: []string{"<us[er]+>"}, Effect: AllowAccess, Resources: []string{"<article|user>"}, Actions: []string{"view"}, Conditions: Conditions{ "ip": &CIDRCondition{ CIDR: "1234", }, "owner": &EqualsSubjectCondition{}, }, }, { ID: uuid.New(), Description: "A failed policy", Subjects: []string{"supplier"}, Effect: AllowAccess, Resources: []string{"product:<.*>"}, Actions: []string{"update"}, Conditions: Conditions{}, }, { ID: uuid.New(), Description: "Another failed policy", Subjects: []string{"buyer"}, Effect: AllowAccess, Resources: []string{"products:attributeGroup:<.*>"}, Actions: []string{"create"}, Conditions: Conditions{}, }, }
type AuditLogger interface { LogRejectedAccessRequest(request *Request, pool Policies, deciders Policies) LogGrantedAccessRequest(request *Request, pool Policies, deciders Policies) }
AuditLogger tracks denied and granted authorizations.
AuditLoggerInfo outputs information about granting or rejecting policies.
func (a *AuditLoggerInfo) LogGrantedAccessRequest(r *Request, p Policies, d Policies)
func (a *AuditLoggerInfo) LogRejectedAccessRequest(r *Request, p Policies, d Policies)
type AuditLoggerNoOp struct{}
AuditLoggerNoOp is the default AuditLogger, that tracks nothing.
func (*AuditLoggerNoOp) LogGrantedAccessRequest(r *Request, p Policies, d Policies)
func (*AuditLoggerNoOp) LogRejectedAccessRequest(r *Request, p Policies, d Policies)
BooleanCondition is used to determine if a boolean context matches an expected boolean condition.
BooleanCondition implements the ladon.Condition interface. See https://github.com/ory/ladon/blob/master/condition.go
func (c *BooleanCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills determines if the BooleanCondition is fulfilled. The BooleanCondition is fulfilled if the provided boolean value matches the conditions boolean value.
func (c *BooleanCondition) GetName() string
GetName returns the name of the BooleanCondition
CIDRCondition makes sure that the warden requests' IP address is in the given CIDR.
func (c *CIDRCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the the request is fulfilled by the condition.
func (c *CIDRCondition) GetName() string
GetName returns the condition's name.
type Condition interface { // GetName returns the condition's name. GetName() string // Fulfills returns true if the request is fulfilled by the condition. Fulfills(interface{}, *Request) bool }
Condition either do or do not fulfill an access request.
Conditions is a collection of conditions.
func (cs Conditions) AddCondition(key string, c Condition)
AddCondition adds a condition to the collection.
func (cs Conditions) MarshalJSON() ([]byte, error)
MarshalJSON marshals a list of conditions to json.
func (cs Conditions) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals a list of conditions from json.
Context is used as request's context.
type DefaultPolicy struct { ID string `json:"id" gorethink:"id"` Description string `json:"description" gorethink:"description"` Subjects []string `json:"subjects" gorethink:"subjects"` Effect string `json:"effect" gorethink:"effect"` Resources []string `json:"resources" gorethink:"resources"` Actions []string `json:"actions" gorethink:"actions"` Conditions Conditions `json:"conditions" gorethink:"conditions"` Meta []byte `json:"meta" gorethink:"meta"` }
DefaultPolicy is the default implementation of the policy interface.
func (p *DefaultPolicy) AllowAccess() bool
AllowAccess returns true if the policy effect is allow, otherwise false.
func (p *DefaultPolicy) GetActions() []string
GetActions returns the policies actions.
func (p *DefaultPolicy) GetConditions() Conditions
GetConditions returns the policies conditions.
func (p *DefaultPolicy) GetDescription() string
GetDescription returns the policies description.
func (p *DefaultPolicy) GetEffect() string
GetEffect returns the policies effect which might be 'allow' or 'deny'.
func (p *DefaultPolicy) GetEndDelimiter() byte
GetEndDelimiter returns the delimiter which identifies the end of a regular expression.
func (p *DefaultPolicy) GetID() string
GetID returns the policies id.
func (p *DefaultPolicy) GetMeta() []byte
GetMeta returns the policies arbitrary metadata set by the user.
func (p *DefaultPolicy) GetResources() []string
GetResources returns the policies resources.
func (p *DefaultPolicy) GetStartDelimiter() byte
GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression.
func (p *DefaultPolicy) GetSubjects() []string
GetSubjects returns the policies subjects.
func (p *DefaultPolicy) UnmarshalJSON(data []byte) error
UnmarshalJSON overwrite own policy with values of the given in policy in JSON format
func (p *DefaultPolicy) UnmarshalMeta(v interface{}) error
UnmarshalMeta parses the policies []byte encoded metadata and stores the result in the value pointed to by v.
type EqualsSubjectCondition struct{}
EqualsSubjectCondition is a condition which is fulfilled if the request's subject is equal to the given value string
func (c *EqualsSubjectCondition) Fulfills(value interface{}, r *Request) bool
Fulfills returns true if the request's subject is equal to the given value string
func (c *EqualsSubjectCondition) GetName() string
GetName returns the condition's name.
type Ladon struct { Manager Manager Matcher matcher AuditLogger AuditLogger }
Ladon is an implementation of Warden.
DoPoliciesAllow returns nil if subject s has permission p on resource r with context c for a given policy list or an error otherwise. The IsAllowed interface should be preferred since it uses the manager directly. This is a lower level interface for when you don't want to use the ladon manager.
IsAllowed returns nil if subject s has permission p on resource r with context c or an error otherwise.
type Manager interface { // Create persists the policy. Create(policy Policy) error // Update updates an existing policy. Update(policy Policy) error // Get retrieves a policy. Get(id string) (Policy, error) // Delete removes a policy. Delete(id string) error // GetAll retrieves all policies. GetAll(limit, offset int64) (Policies, error) // FindRequestCandidates returns candidates that could match the request object. It either returns // a set that exactly matches the request, or a superset of it. If an error occurs, it returns nil and // the error. FindRequestCandidates(r *Request) (Policies, error) // FindPoliciesForSubject returns policies that could match the subject. It either returns // a set of policies that applies to the subject, or a superset of it. // If an error occurs, it returns nil and the error. FindPoliciesForSubject(subject string) (Policies, error) // FindPoliciesForResource returns policies that could match the resource. It either returns // a set of policies that apply to the resource, or a superset of it. // If an error occurs, it returns nil and the error. FindPoliciesForResource(resource string) (Policies, error) }
Manager is responsible for managing and persisting policies.
type ManagerMigrator interface { Create(policy Policy) (err error) Migrate() (err error) GetManager() Manager }
Policies is an array of policies.
type Policy interface { // GetID returns the policies id. GetID() string // GetDescription returns the policies description. GetDescription() string // GetSubjects returns the policies subjects. GetSubjects() []string // AllowAccess returns true if the policy effect is allow, otherwise false. AllowAccess() bool // GetEffect returns the policies effect which might be 'allow' or 'deny'. GetEffect() string // GetResources returns the policies resources. GetResources() []string // GetActions returns the policies actions. GetActions() []string // GetConditions returns the policies conditions. GetConditions() Conditions // GetMeta returns the policies arbitrary metadata set by the user. GetMeta() []byte // GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression. GetStartDelimiter() byte // GetEndDelimiter returns the delimiter which identifies the end of a regular expression. GetEndDelimiter() byte }
Policy represent a policy model.
func NewRegexpMatcher(size int) *RegexpMatcher
Matches a needle with an array of regular expressions and returns true if a match was found.
type Request struct { // Resource is the resource that access is requested to. Resource string `json:"resource"` // Action is the action that is requested on the resource. Action string `json:"action"` // Subejct is the subject that is requesting access. Subject string `json:"subject"` // Context is the request's environmental context. Context Context `json:"context"` }
Request is the warden's request object.
type ResourceContainsCondition struct{}
ResourceContainsCondition is fulfilled if the context matches a substring within the resource name
func (c *ResourceContainsCondition) Fulfills(value interface{}, r *Request) bool
Fulfills returns true if the request's resouce contains the given value string
func (c *ResourceContainsCondition) GetName() string
GetName returns the condition's name.
StringEqualCondition is a condition which is fulfilled if the given string value is the same as specified in StringEqualCondition
func (c *StringEqualCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the given value is a string and is the same as in StringEqualCondition.Equals
func (c *StringEqualCondition) GetName() string
GetName returns the condition's name.
StringMatchCondition is a condition which is fulfilled if the given string value matches the regex pattern specified in StringMatchCondition
func (c *StringMatchCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the given value is a string and matches the regex pattern in StringMatchCondition.Matches
func (c *StringMatchCondition) GetName() string
GetName returns the condition's name.
type StringPairsEqualCondition struct{}
StringPairsEqualCondition is a condition which is fulfilled if the given array of pairs contains two-element string arrays where both elements in the string array are equal
func (c *StringPairsEqualCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the given value is an array of string arrays and each string array has exactly two values which are equal
func (c *StringPairsEqualCondition) GetName() string
GetName returns the condition's name.
type Warden interface { // IsAllowed returns nil if subject s can perform action a on resource r with context c or an error otherwise. // if err := guard.IsAllowed(&Request{Resource: "article/1234", Action: "update", Subject: "peter"}); err != nil { // return errors.New("Not allowed") // } IsAllowed(r *Request) error }
Warden is responsible for deciding if subject s can perform action a on resource r with context c.
Path | Synopsis |
---|---|
compiler | |
manager/memory |
Package ladon imports 16 packages (graph) and is imported by 90 packages. Updated 2019-11-18. Refresh now. Tools for package owners.