Documentation
Overview ¶
Package internal implements the workflow-plugin-authz plugin. It exposes two authorization backends — a Casbin enforcer (RBAC, with inline, file or GORM-backed policy storage) and a Permit.io client (management API and PDP API over HTTP) — both as long-lived modules and as pipeline steps that consult them. Module instances are looked up by name from package-level registries, so a step can only reach an enforcer or client that was registered under the same name earlier in the pipeline.
Index ¶
- func GetPermitClient(name string) (*permitClient, bool)
- func NewAuthzPlugin() sdk.PluginProvider
- func RegisterModule(m *CasbinModule)
- func RegisterPermitClient(name string, c *permitClient)
- func UnregisterPermitClient(name string)
- type AuthzCapability
- type AuthzProvider
- type CasbinModule
- func (m *CasbinModule) AddGroupingPolicy(rule []string) (bool, error)
- func (m *CasbinModule) AddPolicy(rule []string) (bool, error)
- func (m *CasbinModule) Capabilities() []AuthzCapability
- func (m *CasbinModule) Enforce(sub, obj, act string, extra ...string) (bool, error)
- func (m *CasbinModule) Init() error
- func (m *CasbinModule) Name() string
- func (m *CasbinModule) RemoveGroupingPolicy(rule []string) (bool, error)
- func (m *CasbinModule) RemovePolicy(rule []string) (bool, error)
- func (m *CasbinModule) Start(_ context.Context) error
- func (m *CasbinModule) Stop(_ context.Context) error
- func (m *CasbinModule) SupportsCapability(cap AuthzCapability) bool
- type GORMFilter
- type PermitModule
- func (m *PermitModule) Capabilities() []AuthzCapability
- func (m *PermitModule) Init() error
- func (m *PermitModule) Name() string
- func (m *PermitModule) Start(_ context.Context) error
- func (m *PermitModule) Stop(_ context.Context) error
- func (m *PermitModule) SupportsCapability(cap AuthzCapability) bool
- type StepExecutor
- func NewAddPolicyStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzABACAddPolicyStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzABACCheckStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzACLCheckStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzACLGrantStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzACLListStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzACLRevokeStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzCapabilitiesStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzReBACAddRelationStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzReBACCheckStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzReBACListRelationsStep(name string, config map[string]any) (StepExecutor, error)
- func NewAuthzReBACRemoveRelationStep(name string, config map[string]any) (StepExecutor, error)
- func NewCasbinCheckStep(name string, config map[string]any) (StepExecutor, error)
- func NewPermitCheckBulkStep(name string, config map[string]any) (StepExecutor, error)
- func NewPermitCheckStep(name string, config map[string]any) (StepExecutor, error)
- func NewPermitRoleAssignStep(name string, config map[string]any) (StepExecutor, error)
- func NewPermitRoleUnassignStep(name string, config map[string]any) (StepExecutor, error)
- func NewPermitUserSyncStep(name string, config map[string]any) (StepExecutor, error)
- func NewRemovePolicyStep(name string, config map[string]any) (StepExecutor, error)
- func NewRoleAssignStep(name string, config map[string]any) (StepExecutor, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetPermitClient ¶
func GetPermitClient(name string) (*permitClient, bool)
GetPermitClient retrieves a permitClient by module name. The boolean reports whether a client is registered under that name; callers must check it rather than assume a non-nil client, and a step that cannot find its client should fail closed rather than skip the authorization check.
func NewAuthzPlugin ¶
func NewAuthzPlugin() sdk.PluginProvider
NewAuthzPlugin returns a new authzPlugin instance.
func RegisterModule ¶
func RegisterModule(m *CasbinModule)
RegisterModule adds a CasbinModule to the global registry. It is called by CreateModule so that CreateStep can find the enforcer by name. The registry is package-level mutable state shared by every pipeline in the process; whether registering a second module under an existing name replaces the first is not documented here — confirm in the implementation before relying on name uniqueness for tenant isolation.
func RegisterPermitClient ¶
func RegisterPermitClient(name string, c *permitClient)
RegisterPermitClient adds a permitClient to the global permit registry under the given module name. The client carries whatever Permit.io credentials were supplied in the module config, so anything in the process that knows the name can issue management-API and PDP calls with those credentials; keep registry names under operator control, not derived from trigger data.
func UnregisterPermitClient ¶
func UnregisterPermitClient(name string)
UnregisterPermitClient removes the permitClient registered under name from the global permit registry. After removal, GetPermitClient reports false for that name and dependent steps can no longer perform checks.
Types ¶
type AuthzCapability ¶
type AuthzCapability string
AuthzCapability represents an authorization model supported by a provider.
const (
	CapabilityRBAC  AuthzCapability = "rbac"  // Role-Based Access Control
	CapabilityABAC  AuthzCapability = "abac"  // Attribute-Based Access Control
	CapabilityReBAC AuthzCapability = "rebac" // Relationship-Based Access Control
	CapabilityACL   AuthzCapability = "acl"   // Access Control Lists
)
type AuthzProvider ¶
type AuthzProvider interface {
Capabilities() []AuthzCapability
SupportsCapability(AuthzCapability) bool
}
AuthzProvider is implemented by authorization providers to declare their supported authorization models.
type CasbinModule ¶
type CasbinModule struct {
// contains filtered or unexported fields
}
CasbinModule implements sdk.ModuleInstance and holds a Casbin enforcer loaded from one of three sources: inline config (model text plus policy rows and role assignments), a file adapter, or a GORM adapter backed by postgres/mysql/sqlite3. The policy source is part of the module's security boundary — whoever can edit the inline config, the policy file, or the database rows can grant themselves any permission the enforcer decides — so protect it at least as tightly as the workflow definitions that consume it.
func NewCasbinModuleFromConfig ¶
func NewCasbinModuleFromConfig(name string, config map[string]any) (*CasbinModule, error)
NewCasbinModuleFromConfig creates a CasbinModule from raw config. Exported for use by the public authz/ package.
func (*CasbinModule) AddGroupingPolicy ¶
func (m *CasbinModule) AddGroupingPolicy(rule []string) (bool, error)
AddGroupingPolicy adds a role mapping (a "g" rule) and saves the adapter. When the enforcer uses a FilteredAdapter, SavePolicy is skipped because the incremental adapter call already persisted the row; a full SavePolicy against a filtered (tenant-scoped) load would write back only the loaded subset and could drop rules belonging to other tenants.
func (*CasbinModule) AddPolicy ¶
func (m *CasbinModule) AddPolicy(rule []string) (bool, error)
AddPolicy adds a policy rule and saves it to the adapter. When the enforcer uses a FilteredAdapter, SavePolicy is skipped because the incremental adapter.AddPolicy already persisted the row; a full SavePolicy against a filtered (tenant-scoped) load would write back only the loaded subset and could drop rules belonging to other tenants.
func (*CasbinModule) Capabilities ¶
func (m *CasbinModule) Capabilities() []AuthzCapability
Capabilities returns the authorization models supported by Casbin.
func (*CasbinModule) Enforce ¶
func (m *CasbinModule) Enforce(sub, obj, act string, extra ...string) (bool, error)
Enforce checks whether sub can perform act on obj with optional extra request dimensions. Extra fields are inserted between sub and (obj, act), so the Casbin request tuple becomes (sub, extra[0], extra[1], …, obj, act). This allows multi-tenant models such as r = sub, tenant, obj, act. The number of extra values must match the request definition of the loaded model; a mismatch is an enforcement error, not a silent allow or deny, and callers should treat any returned error as a denial. When a tenant dimension is used, derive its value from the authenticated context rather than from caller-controlled trigger data — tenant isolation is only as strong as the source of that field. It is safe for concurrent use.
func (*CasbinModule) Init ¶
func (m *CasbinModule) Init() error
Init builds the Casbin enforcer from the configured adapter.
func (*CasbinModule) RemoveGroupingPolicy ¶
func (m *CasbinModule) RemoveGroupingPolicy(rule []string) (bool, error)
RemoveGroupingPolicy removes a role mapping and saves the adapter. When the enforcer uses a FilteredAdapter, SavePolicy is skipped because the incremental adapter call already persisted the removal; a full save against a filtered load would write back only the loaded subset.
func (*CasbinModule) RemovePolicy ¶
func (m *CasbinModule) RemovePolicy(rule []string) (bool, error)
RemovePolicy removes a policy rule and saves the adapter. When the enforcer uses a FilteredAdapter, SavePolicy is skipped because the incremental adapter call already persisted the removal; a full save against a filtered load would write back only the loaded subset.
func (*CasbinModule) Start ¶
func (m *CasbinModule) Start(_ context.Context) error
Start begins the polling watcher goroutine if watcher.type is "polling". With a polling watcher, policy changes made outside this process (including revocations) take effect only after the next poll, so decisions made in between may still honor a removed grant; size the poll interval with that window in mind. Without a watcher configured, the enforcer only sees changes made through this module's own Add/Remove methods.
func (*CasbinModule) Stop ¶
func (m *CasbinModule) Stop(_ context.Context) error
Stop shuts down the polling watcher if running.
func (*CasbinModule) SupportsCapability ¶
func (m *CasbinModule) SupportsCapability(cap AuthzCapability) bool
SupportsCapability reports whether the Casbin module supports the given authorization model.
type GORMFilter ¶
type GORMFilter struct {
// Field is the column name to filter on (one of "v0" through "v5").
Field string
// Value is the value the column must equal.
Value string
}
GORMFilter specifies an equality WHERE clause for tenant-scoped policy loading. It is the concrete filter type accepted by gormAdapter.LoadFilteredPolicy. Field is restricted to the policy columns "v0" through "v5", which keeps the column name out of attacker reach; Value is matched by equality and is presumably bound as a query parameter rather than interpolated — confirm in gorm_adapter.go if Value can ever originate from untrusted input.
type PermitModule ¶
type PermitModule struct {
// contains filtered or unexported fields
}
PermitModule implements sdk.ModuleInstance for the permit.provider module type. It creates and registers a permitClient backed by direct HTTP calls to the Permit.io management API and PDP API. The client authenticates with the API key from the module config, so that config must be treated as a secret; the PDP endpoint should be reached over TLS with a request timeout, since an unreachable or slow PDP otherwise stalls the pipeline step that depends on it.
func NewPermitModuleFromConfig ¶
func NewPermitModuleFromConfig(name string, config map[string]any) (*PermitModule, error)
NewPermitModuleFromConfig creates a PermitModule from raw config. Exported for use by the public authz/ package.
func (*PermitModule) Capabilities ¶
func (m *PermitModule) Capabilities() []AuthzCapability
Capabilities returns the authorization models supported by Permit.io.
func (*PermitModule) Init ¶
func (m *PermitModule) Init() error
Init creates the HTTP client and registers it in the global permit registry under the module name, making it discoverable to the permit_* steps via GetPermitClient.
func (*PermitModule) Start ¶
func (m *PermitModule) Start(_ context.Context) error
Start is a no-op for the permit module.
func (*PermitModule) Stop ¶
func (m *PermitModule) Stop(_ context.Context) error
Stop removes the client from the registry.
func (*PermitModule) SupportsCapability ¶
func (m *PermitModule) SupportsCapability(cap AuthzCapability) bool
SupportsCapability reports whether the Permit module supports the given authorization model.
type StepExecutor ¶
type StepExecutor interface {
Execute(
ctx context.Context,
triggerData map[string]any,
stepOutputs map[string]map[string]any,
current map[string]any,
metadata map[string]any,
config map[string]any,
) (*sdk.StepResult, error)
}
StepExecutor is the interface satisfied by all internal step types. It matches sdk.StepInstance.Execute but is defined here to avoid leaking the SDK type into the public authz/ package API. Of the maps passed to Execute, triggerData originates outside the pipeline and should be treated as untrusted; steps that build a subject, object, tenant or role from it are making an authorization decision on caller-supplied input and must validate it against the fields the configured model expects.
func NewAddPolicyStep ¶
func NewAddPolicyStep(name string, config map[string]any) (StepExecutor, error)
NewAddPolicyStep creates a step.authz_add_policy step instance.
func NewAuthzABACAddPolicyStep ¶
func NewAuthzABACAddPolicyStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzABACAddPolicyStep creates a step.authz_abac_add_policy step instance.
func NewAuthzABACCheckStep ¶
func NewAuthzABACCheckStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzABACCheckStep creates a step.authz_abac_check step instance.
func NewAuthzACLCheckStep ¶
func NewAuthzACLCheckStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzACLCheckStep creates a step.authz_acl_check step instance.
func NewAuthzACLGrantStep ¶
func NewAuthzACLGrantStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzACLGrantStep creates a step.authz_acl_grant step instance.
func NewAuthzACLListStep ¶
func NewAuthzACLListStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzACLListStep creates a step.authz_acl_list step instance.
func NewAuthzACLRevokeStep ¶
func NewAuthzACLRevokeStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzACLRevokeStep creates a step.authz_acl_revoke step instance.
func NewAuthzCapabilitiesStep ¶
func NewAuthzCapabilitiesStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzCapabilitiesStep creates a step.authz_capabilities step instance.
func NewAuthzReBACAddRelationStep ¶
func NewAuthzReBACAddRelationStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzReBACAddRelationStep creates a step.authz_rebac_add_relation step instance.
func NewAuthzReBACCheckStep ¶
func NewAuthzReBACCheckStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzReBACCheckStep creates a step.authz_rebac_check step instance.
func NewAuthzReBACListRelationsStep ¶
func NewAuthzReBACListRelationsStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzReBACListRelationsStep creates a step.authz_rebac_list_relations step instance.
func NewAuthzReBACRemoveRelationStep ¶
func NewAuthzReBACRemoveRelationStep(name string, config map[string]any) (StepExecutor, error)
NewAuthzReBACRemoveRelationStep creates a step.authz_rebac_remove_relation step instance.
func NewCasbinCheckStep ¶
func NewCasbinCheckStep(name string, config map[string]any) (StepExecutor, error)
NewCasbinCheckStep creates a step.authz_check_casbin step instance.
func NewPermitCheckBulkStep ¶
func NewPermitCheckBulkStep(name string, config map[string]any) (StepExecutor, error)
NewPermitCheckBulkStep creates a step.permit_check_bulk step instance.
func NewPermitCheckStep ¶
func NewPermitCheckStep(name string, config map[string]any) (StepExecutor, error)
NewPermitCheckStep creates a step.permit_check step instance.
func NewPermitRoleAssignStep ¶
func NewPermitRoleAssignStep(name string, config map[string]any) (StepExecutor, error)
NewPermitRoleAssignStep creates a step.permit_role_assign step instance.
func NewPermitRoleUnassignStep ¶
func NewPermitRoleUnassignStep(name string, config map[string]any) (StepExecutor, error)
NewPermitRoleUnassignStep creates a step.permit_role_unassign step instance.
func NewPermitUserSyncStep ¶
func NewPermitUserSyncStep(name string, config map[string]any) (StepExecutor, error)
NewPermitUserSyncStep creates a step.permit_user_sync step instance.
func NewRemovePolicyStep ¶
func NewRemovePolicyStep(name string, config map[string]any) (StepExecutor, error)
NewRemovePolicyStep creates a step.authz_remove_policy step instance.
func NewRoleAssignStep ¶
func NewRoleAssignStep(name string, config map[string]any) (StepExecutor, error)
NewRoleAssignStep creates a step.authz_role_assign step instance.
Source Files
- capabilities.go
- exports.go
- gorm_adapter.go
- module_casbin.go
- module_permit.go
- permit_client.go
- permit_registry.go
- plugin.go
- sqlite_dialector.go
- step_abac.go
- step_acl.go
- step_authz_add_policy.go
- step_authz_check.go
- step_authz_remove_policy.go
- step_authz_role_assign.go
- step_permit_check.go
- step_permit_conditions.go
- step_permit_environments.go
- step_permit_instances.go
- step_permit_keys.go
- step_permit_org.go
- step_permit_projects.go
- step_permit_registry.go
- step_permit_relations.go
- step_permit_resource_actions.go
- step_permit_resource_roles.go
- step_permit_resources.go
- step_permit_role_assignments.go
- step_permit_roles.go
- step_permit_tenants.go
- step_permit_tuples.go
- step_permit_users.go
- step_rebac.go