
package ladon

import "github.com/ory/ladon"


Package Files

audit_logger.go audit_logger_info.go audit_logger_noop.go condition.go condition_boolean.go condition_cidr.go condition_resource_contains.go condition_string_equal.go condition_string_match.go condition_string_pairs_equal.go condition_subject_equal.go const.go context.go errors.go ladon.go manager.go manager_migrator.go manager_test_helper.go matcher.go matcher_regexp.go policy.go warden.go

Constants

// AllowAccess is the policy effect that grants the request when the policy matches.
const AllowAccess = "allow"

AllowAccess should be used as effect for policies that allow access.

// DenyAccess is the policy effect that rejects the request when the policy matches;
// an explicit deny is reported as ErrRequestForcefullyDenied rather than ErrRequestDenied.
const DenyAccess = "deny"

DenyAccess should be used as effect for policies that deny access.

Variables

var (
    // ErrRequestDenied is returned when an access request can not be satisfied by any policy.
    // This is the default-deny outcome: no policy matched the request at all.
    ErrRequestDenied = &errorWithContext{
        error:  errors.New("Request was denied by default"),
        code:   http.StatusForbidden,
        status: http.StatusText(http.StatusForbidden),
        reason: "The request was denied because no matching policy was found.",
    }

    // ErrRequestForcefullyDenied is returned when an access request is explicitly denied by a policy.
    // Both denial errors carry HTTP 403; only the reason text tells "no policy matched" apart
    // from "a deny policy matched". NOTE(review): a caller that surfaces reason to untrusted
    // clients thereby reveals whether an explicit deny policy exists for the request — decide at
    // the API boundary whether that is acceptable.
    ErrRequestForcefullyDenied = &errorWithContext{
        error:  errors.New("Request was forcefully denied"),
        code:   http.StatusForbidden,
        status: http.StatusText(http.StatusForbidden),
        reason: "The request was denied because a policy denied request.",
    }

    // ErrNotFound is returned when a resource can not be found.
    // Unlike the two denial errors it leaves reason unset.
    ErrNotFound = &errorWithContext{
        error:  errors.New("Resource could not be found"),
        code:   http.StatusNotFound,
        status: http.StatusText(http.StatusNotFound),
    }
)
// ConditionFactories maps a condition name (the value of Condition.GetName) to a constructor
// returning an empty instance of that condition. It is the registry for custom conditions and
// is presumably what Conditions.UnmarshalJSON consults to rebuild conditions from JSON — confirm
// in condition.go.
//
// Keys are computed at package init by calling GetName on a zero value of each type, so two
// conditions reporting the same name make this literal panic at init (duplicate map key).
// This is a plain package-level map with no locking: register custom conditions during
// startup, before policies are deserialized concurrently.
//
// NOTE(review): BooleanCondition is declared in this package but is not registered here, so a
// serialized policy using it presumably cannot be reconstructed through this registry — confirm.
var ConditionFactories = map[string]func() Condition{
    new(StringEqualCondition).GetName(): func() Condition {
        return new(StringEqualCondition)
    },
    new(CIDRCondition).GetName(): func() Condition {
        return new(CIDRCondition)
    },
    new(EqualsSubjectCondition).GetName(): func() Condition {
        return new(EqualsSubjectCondition)
    },
    new(StringPairsEqualCondition).GetName(): func() Condition {
        return new(StringPairsEqualCondition)
    },
    new(StringMatchCondition).GetName(): func() Condition {
        return new(StringMatchCondition)
    },
    new(ResourceContainsCondition).GetName(): func() Condition {
        return new(ResourceContainsCondition)
    },
}

ConditionFactories is where you can add custom conditions

// DefaultAuditLogger is the package's stock AuditLogger: a no-op that records nothing.
// Whether Ladon substitutes it for a nil AuditLogger field is not visible here — confirm.
var DefaultAuditLogger = &AuditLoggerNoOp{}

// DefaultMatcher is the package's stock matcher. The 512 is the size passed to
// NewRegexpMatcher — presumably the capacity of the embedded LRU cache of compiled
// patterns; confirm in matcher_regexp.go.
var DefaultMatcher = NewRegexpMatcher(512)
// TestManagerPolicies is the policy fixture set, presumably shared by the TestHelper*
// functions to exercise any Manager implementation. Angle brackets delimit regular
// expressions (see GetStartDelimiter/GetEndDelimiter on DefaultPolicy), e.g. "<article|user>".
// Several entries are deliberately degenerate — empty or absent Subjects/Resources/Actions, and
// a CIDRCondition whose CIDR "1234" is not a valid network — presumably to exercise
// non-matching and error paths. IDs are fresh UUIDs on every package init, so they are not
// stable across runs.
var TestManagerPolicies = []*DefaultPolicy{
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{"user", "anonymous"},
        Effect:      AllowAccess,
        Resources:   []string{"article", "user"},
        Actions:     []string{"create", "update"},
        Conditions:  Conditions{},
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{},
        Effect:      AllowAccess,
        Resources:   []string{"<article|user>"},
        Actions:     []string{"view"},
        Conditions:  Conditions{},
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{},
        Effect:      AllowAccess,
        Resources:   []string{},
        Actions:     []string{"view"},
        Conditions:  Conditions{},
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{},
        Effect:      AllowAccess,
        Resources:   []string{},
        Actions:     []string{},
        Conditions:  Conditions{},
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{},
        Effect:      AllowAccess,
        Resources:   []string{"foo"},
        Actions:     []string{},
        Conditions:  Conditions{},
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{"foo"},
        Effect:      AllowAccess,
        Resources:   []string{"foo"},
        Actions:     []string{},
        Conditions:  Conditions{},
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{"foo"},
        Effect:      AllowAccess,
        Resources:   []string{},
        Actions:     []string{},
        Conditions:  Conditions{},
    },
    // Subjects, Resources and Actions are left nil here (not empty slices).
    {
        ID:          uuid.New(),
        Description: "description",
        Effect:      AllowAccess,
        Conditions:  Conditions{},
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{"<peter|max>"},
        Effect:      DenyAccess,
        Resources:   []string{"article", "user"},
        Actions:     []string{"view"},
        Conditions: Conditions{
            "owner": &EqualsSubjectCondition{},
        },
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{"<user|max|anonymous>", "peter"},
        Effect:      DenyAccess,
        Resources:   []string{".*"},
        Actions:     []string{"disable"},
        Conditions: Conditions{
            // "1234" is not a valid CIDR; kept as-is to exercise the failure path.
            "ip": &CIDRCondition{
                CIDR: "1234",
            },
            "owner": &EqualsSubjectCondition{},
        },
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{"<.*>"},
        Effect:      AllowAccess,
        Resources:   []string{"<article|user>"},
        Actions:     []string{"view"},
        Conditions: Conditions{
            "ip": &CIDRCondition{
                CIDR: "1234",
            },
            "owner": &EqualsSubjectCondition{},
        },
    },
    {
        ID:          uuid.New(),
        Description: "description",
        Subjects:    []string{"<us[er]+>"},
        Effect:      AllowAccess,
        Resources:   []string{"<article|user>"},
        Actions:     []string{"view"},
        Conditions: Conditions{
            "ip": &CIDRCondition{
                CIDR: "1234",
            },
            "owner": &EqualsSubjectCondition{},
        },
    },

    {
        ID:          uuid.New(),
        Description: "A failed policy",
        Subjects:    []string{"supplier"},
        Effect:      AllowAccess,
        Resources:   []string{"product:<.*>"},
        Actions:     []string{"update"},
        Conditions:  Conditions{},
    },
    {
        ID:          uuid.New(),
        Description: "Another failed policy",
        Subjects:    []string{"buyer"},
        Effect:      AllowAccess,
        Resources:   []string{"products:attributeGroup:<.*>"},
        Actions:     []string{"create"},
        Conditions:  Conditions{},
    },
}


func AssertPolicyEqual(t *testing.T, expected, got Policy)


func NewErrResourceNotFound(err error) error


func TestHelperCreateGetDelete(s Manager) func(t *testing.T)


func TestHelperFindPoliciesForResource(k string, s Manager) func(t *testing.T)


func TestHelperFindPoliciesForSubject(k string, s Manager) func(t *testing.T)


func TestHelperGetErrors(s Manager) func(t *testing.T)


// AuditLogger tracks denied and granted authorizations. Both hooks receive the request, the
// policies that were considered (pool) and the policies that settled the outcome (deciders);
// the exact split is decided by the caller — presumably Ladon.DoPoliciesAllow — so confirm
// there before relying on it.
type AuditLogger interface {
    // LogRejectedAccessRequest is called when the request is denied.
    LogRejectedAccessRequest(request *Request, pool Policies, deciders Policies)
    // LogGrantedAccessRequest is called when the request is granted.
    LogGrantedAccessRequest(request *Request, pool Policies, deciders Policies)
}

AuditLogger tracks denied and granted authorizations.


// AuditLoggerInfo outputs information about granting or rejecting policies.
type AuditLoggerInfo struct {
    // Logger receives the audit output. NOTE(review): the behavior for a nil Logger is not
    // visible here — confirm whether it falls back to the standard logger or panics.
    Logger *log.Logger
}

AuditLoggerInfo outputs information about granting or rejecting policies.


func (a *AuditLoggerInfo) LogGrantedAccessRequest(r *Request, p Policies, d Policies)


func (a *AuditLoggerInfo) LogRejectedAccessRequest(r *Request, p Policies, d Policies)


// AuditLoggerNoOp is the default AuditLogger; it tracks nothing, so no decision is recorded
// unless a real logger is configured.
type AuditLoggerNoOp struct{}

AuditLoggerNoOp is the default AuditLogger, that tracks nothing.


func (*AuditLoggerNoOp) LogGrantedAccessRequest(r *Request, p Policies, d Policies)


func (*AuditLoggerNoOp) LogRejectedAccessRequest(r *Request, p Policies, d Policies)


// BooleanCondition is fulfilled when the boolean value handed to Fulfills equals BooleanValue.
// NOTE(review): it is not listed in ConditionFactories, so it presumably cannot be rebuilt
// from a serialized policy — confirm.
type BooleanCondition struct {
    // BooleanValue is the expected value; serialized under the key "value".
    BooleanValue bool `json:"value"`
}

BooleanCondition is used to determine if a boolean context matches an expected boolean condition.

BooleanCondition implements the ladon.Condition interface. See https://github.com/ory/ladon/blob/master/condition.go


func (c *BooleanCondition) Fulfills(value interface{}, _ *Request) bool

Fulfills determines if the BooleanCondition is fulfilled. The BooleanCondition is fulfilled if the provided boolean value matches the condition's boolean value.


func (c *BooleanCondition) GetName() string

GetName returns the name of the BooleanCondition


// CIDRCondition is fulfilled when the address handed to Fulfills lies within CIDR.
// Fulfills ignores its *Request argument, so the address under test is whatever the caller
// supplies as the condition value (the fixtures key it "ip" in the policy's Conditions); the
// check is therefore only as trustworthy as the caller's source of the client address.
type CIDRCondition struct {
    // CIDR is the permitted network in CIDR notation, e.g. "10.0.0.0/8" (constructed example).
    CIDR string `json:"cidr"`
}

CIDRCondition makes sure that the warden requests' IP address is in the given CIDR.


func (c *CIDRCondition) Fulfills(value interface{}, _ *Request) bool

Fulfills returns true if the request is fulfilled by the condition.


func (c *CIDRCondition) GetName() string

GetName returns the condition's name.


// Condition either does or does not fulfill an access request. Implementations are registered
// by name in ConditionFactories so they can be rebuilt from serialized policies.
type Condition interface {
    // GetName returns the condition's name.
    GetName() string

    // Fulfills returns true if the request is fulfilled by the condition. The first argument is
    // the value the condition is evaluated against (presumably the Request.Context entry keyed
    // like the condition in Conditions — confirm in ladon.go); the request is passed for
    // conditions that need more than that value.
    Fulfills(interface{}, *Request) bool
}

A Condition either does or does not fulfill an access request.


// Conditions is a collection of conditions keyed by name (the fixtures use keys such as "ip"
// and "owner"). It marshals to and from JSON; rebuilding the concrete condition types on
// decode presumably goes through ConditionFactories.
type Conditions map[string]Condition

Conditions is a collection of conditions.


func (cs Conditions) AddCondition(key string, c Condition)

AddCondition adds a condition to the collection.


func (cs Conditions) MarshalJSON() ([]byte, error)

MarshalJSON marshals a list of conditions to json.


func (cs Conditions) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals a list of conditions from json.


// Context is the request's environmental context: caller-supplied key/value pairs that
// conditions are evaluated against. Because the caller fills it in, anything placed here
// (client address, ownership markers) is only as reliable as the code that populated it.
type Context map[string]interface{}

Context is used as request's context.


// DefaultPolicy is the default implementation of the Policy interface. A Subjects/Resources/
// Actions entry wrapped in the start and end delimiters (angle brackets in the fixtures) is
// treated as a regular expression; other entries are presumably compared literally — confirm
// in matcher_regexp.go.
type DefaultPolicy struct {
    ID          string     `json:"id" gorethink:"id"`
    Description string     `json:"description" gorethink:"description"`
    Subjects    []string   `json:"subjects" gorethink:"subjects"`
    // Effect is AllowAccess or DenyAccess.
    Effect      string     `json:"effect" gorethink:"effect"`
    Resources   []string   `json:"resources" gorethink:"resources"`
    Actions     []string   `json:"actions" gorethink:"actions"`
    Conditions  Conditions `json:"conditions" gorethink:"conditions"`
    // Meta is opaque, user-defined metadata; UnmarshalMeta decodes it on demand.
    Meta        []byte     `json:"meta" gorethink:"meta"`
}

DefaultPolicy is the default implementation of the policy interface.


func (p *DefaultPolicy) AllowAccess() bool

AllowAccess returns true if the policy effect is allow, otherwise false.


func (p *DefaultPolicy) GetActions() []string

GetActions returns the policies actions.


func (p *DefaultPolicy) GetConditions() Conditions

GetConditions returns the policies conditions.


func (p *DefaultPolicy) GetDescription() string

GetDescription returns the policies description.


func (p *DefaultPolicy) GetEffect() string

GetEffect returns the policies effect which might be 'allow' or 'deny'.


func (p *DefaultPolicy) GetEndDelimiter() byte

GetEndDelimiter returns the delimiter which identifies the end of a regular expression.


func (p *DefaultPolicy) GetID() string

GetID returns the policies id.


func (p *DefaultPolicy) GetMeta() []byte

GetMeta returns the policies arbitrary metadata set by the user.


func (p *DefaultPolicy) GetResources() []string

GetResources returns the policies resources.


func (p *DefaultPolicy) GetStartDelimiter() byte

GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression.


func (p *DefaultPolicy) GetSubjects() []string

GetSubjects returns the policies subjects.


func (p *DefaultPolicy) UnmarshalJSON(data []byte) error

UnmarshalJSON overwrites the policy with the values of the given JSON-encoded policy.


func (p *DefaultPolicy) UnmarshalMeta(v interface{}) error

UnmarshalMeta parses the policies []byte encoded metadata and stores the result in the value pointed to by v.


// EqualsSubjectCondition is fulfilled when the value handed to Fulfills equals the request's
// Subject. It carries no configuration, which is why it is registered in ConditionFactories
// as a plain zero value.
type EqualsSubjectCondition struct{}

EqualsSubjectCondition is a condition which is fulfilled if the request's subject is equal to the given value string


func (c *EqualsSubjectCondition) Fulfills(value interface{}, r *Request) bool

Fulfills returns true if the request's subject is equal to the given value string


func (c *EqualsSubjectCondition) GetName() string

GetName returns the condition's name.


// Ladon is an implementation of Warden. Manager supplies candidate policies, Matcher compares
// request values against policy patterns, and AuditLogger observes each decision.
// NOTE(review): whether a nil Matcher or AuditLogger falls back to DefaultMatcher /
// DefaultAuditLogger is not visible here — confirm in ladon.go before leaving them unset.
type Ladon struct {
    Manager     Manager
    // Matcher has the unexported interface type matcher; *RegexpMatcher presumably satisfies it.
    Matcher     matcher
    AuditLogger AuditLogger
}

Ladon is an implementation of Warden.


func (l *Ladon) DoPoliciesAllow(r *Request, policies []Policy) (err error)

DoPoliciesAllow returns nil if subject s has permission p on resource r with context c for a given policy list or an error otherwise. The IsAllowed interface should be preferred since it uses the manager directly. This is a lower level interface for when you don't want to use the ladon manager.


func (l *Ladon) IsAllowed(r *Request) (err error)

IsAllowed returns nil if subject s has permission p on resource r with context c or an error otherwise.


// Manager is responsible for managing and persisting policies. The Find* methods are allowed to
// over-approximate (return a superset); the authoritative decision is made afterwards by the
// matcher and conditions, so a Manager must never silently drop a policy that could apply.
type Manager interface {

    // Create persists the policy.
    Create(policy Policy) error

    // Update updates an existing policy.
    Update(policy Policy) error

    // Get retrieves a policy.
    Get(id string) (Policy, error)

    // Delete removes a policy.
    Delete(id string) error

    // GetAll retrieves all policies, paginated by limit and offset.
    GetAll(limit, offset int64) (Policies, error)

    // FindRequestCandidates returns candidates that could match the request object. It either returns
    // a set that exactly matches the request, or a superset of it. If an error occurs, it returns nil and
    // the error.
    FindRequestCandidates(r *Request) (Policies, error)

    // FindPoliciesForSubject returns policies that could match the subject. It either returns
    // a set of policies that applies to the subject, or a superset of it.
    // If an error occurs, it returns nil and the error.
    FindPoliciesForSubject(subject string) (Policies, error)

    // FindPoliciesForResource returns policies that could match the resource. It either returns
    // a set of policies that apply to the resource, or a superset of it.
    // If an error occurs, it returns nil and the error.
    FindPoliciesForResource(resource string) (Policies, error)
}

Manager is responsible for managing and persisting policies.


// ManagerMigrator pairs a Manager with a storage migration step. No upstream documentation is
// given; the names suggest Create persists a policy, Migrate runs the migration and GetManager
// returns the underlying Manager — confirm in manager_migrator.go.
type ManagerMigrator interface {
    Create(policy Policy) (err error)
    Migrate() (err error)
    GetManager() Manager
}


// Policies is a slice of Policy values, used both for Manager results and for the pool and
// decider sets handed to an AuditLogger.
type Policies []Policy

Policies is an array of policies.


// Policy represents a policy model: who (subjects) may or may not (effect) do what (actions)
// on which resources, optionally narrowed by conditions. DefaultPolicy is the stock
// implementation.
type Policy interface {
    // GetID returns the policy's id.
    GetID() string

    // GetDescription returns the policy's description.
    GetDescription() string

    // GetSubjects returns the policy's subjects.
    GetSubjects() []string

    // AllowAccess returns true if the policy effect is allow, otherwise false.
    AllowAccess() bool

    // GetEffect returns the policy's effect which might be 'allow' or 'deny'.
    GetEffect() string

    // GetResources returns the policy's resources.
    GetResources() []string

    // GetActions returns the policy's actions.
    GetActions() []string

    // GetConditions returns the policy's conditions.
    GetConditions() Conditions

    // GetMeta returns the policy's arbitrary metadata set by the user.
    GetMeta() []byte

    // GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression.
    GetStartDelimiter() byte

    // GetEndDelimiter returns the delimiter which identifies the end of a regular expression.
    GetEndDelimiter() byte
}

Policy represent a policy model.


// RegexpMatcher matches request values against policy patterns, compiling delimited patterns
// with the regexp package. Go's regexp is guaranteed linear-time (RE2), so a policy author
// cannot cause catastrophic backtracking; the number of retained compiled patterns is presumably
// bounded by the embedded LRU cache's size (set via NewRegexpMatcher).
type RegexpMatcher struct {
    *lru.Cache

    // C is an additional pattern map with no synchronization of its own. NOTE(review): how C
    // relates to the embedded Cache, and whether Matches writes to it, is not visible here —
    // verify the matcher is safe for concurrent use before sharing one across goroutines.
    C   map[string]*regexp.Regexp
}


func NewRegexpMatcher(size int) *RegexpMatcher


func (m *RegexpMatcher) Matches(p Policy, haystack []string, needle string) (bool, error)

Matches a needle with an array of regular expressions and returns true if a match was found.


// Request is the warden's request object: the (subject, action, resource) triple under
// decision plus a free-form context for conditions.
type Request struct {
    // Resource is the resource that access is requested to.
    Resource string `json:"resource"`

    // Action is the action that is requested on the resource.
    Action string `json:"action"`

    // Subject is the subject that is requesting access.
    Subject string `json:"subject"`

    // Context is the request's environmental context. It is filled in by the caller, and
    // conditions (e.g. CIDRCondition) trust its values as given — populate it from an
    // authenticated source, not from unverified client input.
    Context Context `json:"context"`
}

Request is the warden's request object.


// ResourceContainsCondition is fulfilled when the value handed to Fulfills is a substring of
// the request's Resource. It carries no configuration.
type ResourceContainsCondition struct{}

ResourceContainsCondition is fulfilled if the context matches a substring within the resource name


func (c *ResourceContainsCondition) Fulfills(value interface{}, r *Request) bool

Fulfills returns true if the request's resource contains the given value string.


func (c *ResourceContainsCondition) GetName() string

GetName returns the condition's name.


// StringEqualCondition is fulfilled when the value handed to Fulfills is a string equal to
// Equals. Fulfills ignores its *Request argument.
type StringEqualCondition struct {
    // Equals is the expected string; serialized under the key "equals".
    Equals string `json:"equals"`
}

StringEqualCondition is a condition which is fulfilled if the given string value is the same as specified in StringEqualCondition


func (c *StringEqualCondition) Fulfills(value interface{}, _ *Request) bool

Fulfills returns true if the given value is a string and is the same as in StringEqualCondition.Equals


func (c *StringEqualCondition) GetName() string

GetName returns the condition's name.


// StringMatchCondition is fulfilled when the value handed to Fulfills is a string matching
// the regular expression Matches. The pattern comes from the policy, i.e. from whoever may
// write policies; Go's regexp is linear-time, so a hostile pattern cannot hang evaluation,
// but an invalid pattern's effect (error vs. unfulfilled) is not visible here — confirm in
// condition_string_match.go.
type StringMatchCondition struct {
    // Matches is the regular expression; serialized under the key "matches".
    Matches string `json:"matches"`
}

StringMatchCondition is a condition which is fulfilled if the given string value matches the regex pattern specified in StringMatchCondition


func (c *StringMatchCondition) Fulfills(value interface{}, _ *Request) bool

Fulfills returns true if the given value is a string and matches the regex pattern in StringMatchCondition.Matches


func (c *StringMatchCondition) GetName() string

GetName returns the condition's name.


// StringPairsEqualCondition is fulfilled when the value handed to Fulfills is an array of
// two-element string arrays whose two elements are equal in every pair. It carries no
// configuration and ignores its *Request argument.
type StringPairsEqualCondition struct{}

StringPairsEqualCondition is a condition which is fulfilled if the given array of pairs contains two-element string arrays where both elements in the string array are equal


func (c *StringPairsEqualCondition) Fulfills(value interface{}, _ *Request) bool

Fulfills returns true if the given value is an array of string arrays and each string array has exactly two values which are equal


func (c *StringPairsEqualCondition) GetName() string

GetName returns the condition's name.


// Warden is responsible for deciding if subject s can perform action a on resource r with
// context c. A nil error means "allowed"; every non-nil error — including ErrRequestDenied for
// the no-matching-policy case — must be treated as a denial by callers.
type Warden interface {
    // IsAllowed returns nil if subject s can perform action a on resource r with context c or an error otherwise.
    //  if err := guard.IsAllowed(&Request{Resource: "article/1234", Action: "update", Subject: "peter"}); err != nil {
    //    return errors.New("Not allowed")
    //  }
    IsAllowed(r *Request) error
}

Warden is responsible for deciding if subject s can perform action a on resource r with context c.

Directories

Path    Synopsis
compiler
manager/memory

Package ladon imports 16 packages and is imported by 41 packages. Updated 2018-10-26.