authz

package
v0.0.0-...-582136a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 18, 2026 License: Apache-2.0 Imports: 23 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	NamespaceServiceAccount = "service-account"
	NamespaceUser           = "user"
)

Variables

View Source 
var (
	ErrMissingAuthInfo   = errors.New("missing auth info")
	ErrNamespaceMismatch = errors.New("namespace mismatch")
)
View Source 
var (
	ErrInvalidQuery          = errors.New("invalid query")
	ErrInvalidIDToken        = errors.New("invalid id token: cannot extract namespaced ID")
	ErrInvalidToken          = errors.New("invalid token: cannot query server")
	ErrInvalidResponse       = errors.New("invalid response from server")
	ErrUnexpectedStatus      = errors.New("unexpected response status")
	ErrInvalidTokenNamespace = errors.New("invalid token: can only query server for users and service-accounts")
)
View Source 
var (
	ErrTooManyPermissions = errors.New("unexpected number of permissions returned by the server")
)

Functions

func FilterAuthorized 

func FilterAuthorized[T any](
	ctx context.Context,
	access types.AccessClient,
	items iter.Seq[T],
	extractFn func(T) BatchCheckItem,
	opts ...FilterOption,
) iter.Seq2[T, error]

FilterAuthorized returns an iterator that yields only authorized items. User is extracted from context. Items are batched internally for efficient authorization checks. Yields (item, nil) for authorized items, (zero, err) on error.

func IsUnauthorizedErr 

func IsUnauthorizedErr(err error) bool

Types

type AuthzClientOption 

type AuthzClientOption func(*ClientImpl)

func WithCacheClientOption 

func WithCacheClientOption(cache cache.Cache) AuthzClientOption

func WithTracerClientOption 

func WithTracerClientOption(tracer trace.Tracer) AuthzClientOption

type BatchCheckItem 

type BatchCheckItem struct {
	Name      string
	Folder    string
	Group     string
	Resource  string
	Verb      string
	Namespace string
	// FreshnessTimestamp is when the resource was last modified.
	// If provided, the server will skip cache for this item if the cached result
	// is older than this timestamp.
	FreshnessTimestamp time.Time
}

BatchCheckItem represents an item that needs batch authorization.

type Checker 

type Checker func(resources ...Resource) bool

Checker checks whether a user has access to any of the provided resources.

type ClientImpl 

type ClientImpl struct {
	// contains filtered or unexported fields
}

func NewClient 

func NewClient(cc grpc.ClientConnInterface, opts ...AuthzClientOption) *ClientImpl

func (*ClientImpl) BatchCheck 

func (c *ClientImpl) BatchCheck(ctx context.Context, authInfo types.AuthInfo, req types.BatchCheckRequest) (types.BatchCheckResponse, error)

BatchCheck performs multiple access checks in a single request.

func (*ClientImpl) Check 

func (c *ClientImpl) Check(ctx context.Context, authInfo types.AuthInfo, req types.CheckRequest, folder string) (types.CheckResponse, error)

func (*ClientImpl) Compile 

func (c *ClientImpl) Compile(ctx context.Context, authInfo types.AuthInfo, list types.ListRequest) (types.ItemChecker, types.Zookie, error)

type ClientOption 

type ClientOption func(*EnforcementClientImpl) error

ClientOption allows setting custom parameters during construction.

func WithCache 

func WithCache(cache cache.Cache) ClientOption

func WithHTTPClient 

func WithHTTPClient(doer HTTPRequestDoer) ClientOption

func WithSearchByPrefix 

func WithSearchByPrefix(prefix string) ClientOption

WithSearchByPrefix makes the client search for permissions always using the given prefix. This can improve performance when the client is used to check permissions for a single action prefix.

type Config 

type Config struct {
	APIURL  string
	Token   string
	JWKsURL string
}

type EnforcementClient 

type EnforcementClient interface {
	// Compile generates a function to check whether the user has access to any scope of a given list of scopes.
	// This is particularly useful when you want to verify access to a list of resources.
	Compile(ctx context.Context, idToken string, action string, kinds ...string) (Checker, error)

	// HasAccess checks whether the user can perform the given action on any of the given resources.
	// If the scope is empty, it checks whether the user can perform the action.
	HasAccess(ctx context.Context, idToken string, action string, resources ...Resource) (bool, error)

	// Experimental: LookupResources returns the resources that the user has access to for the given action.
	LookupResources(ctx context.Context, idToken string, action string) ([]Resource, error)
}

type EnforcementClientImpl 

type EnforcementClientImpl struct {
	// contains filtered or unexported fields
}

func NewEnforcementClient 

func NewEnforcementClient(cfg Config, opt ...ClientOption) (*EnforcementClientImpl, error)

func (*EnforcementClientImpl) Compile 

func (s *EnforcementClientImpl) Compile(ctx context.Context, idToken string,
	action string, kinds ...string) (Checker, error)

func (*EnforcementClientImpl) HasAccess 

func (s *EnforcementClientImpl) HasAccess(ctx context.Context, idToken string,
	action string, resources ...Resource) (bool, error)

func (*EnforcementClientImpl) LookupResources 

func (s *EnforcementClientImpl) LookupResources(ctx context.Context, idToken string, action string) ([]Resource, error)

Experimental: LookupResources returns the resources that the user has access to for the given action. Resource expansion is still not supported in this method.

type FilterOption 

type FilterOption func(*FilterOptions)

FilterOption is a function that configures FilterOptions.

func WithTracer 

func WithTracer(tracer trace.Tracer) FilterOption

WithTracer sets the tracer for FilterAuthorized.

type FilterOptions 

type FilterOptions struct {
	Tracer trace.Tracer
}

FilterOptions configures the behavior of FilterAuthorized.

type HTTPRequestDoer 

type HTTPRequestDoer interface {
	Do(req *http.Request) (*http.Response, error)
}

HTTPRequestDoer performs HTTP requests. The standard http.Client implements this interface.

type Resource 

type Resource struct {
	// Kind is the type of resource. Ex: "teams", "dashboards", "datasources"
	Kind string
	// The attribute is required for compatibility with the way scopes are defined in Grafana. Ex: "id", "uid"
	Attr string
	// ID is the unique identifier of the resource. Ex: "2", "YYxUSd7ik", "test-datasource"
	ID string
}

Resource represents a resource in Grafana.

func (*Resource) Scope 

func (r *Resource) Scope() string

type ServiceEvaluationResult 

type ServiceEvaluationResult struct {
	// ServiceCall indicates if the call was made by a service (access policy) identity
	// False indicates an on-behalf-of call (delegated permissions), user permissions should be checked.
	ServiceCall bool
	// Allowed indicates if the permission check passed. This does not imply that the user is allowed,
	// only that the service has the required permissions (itself or acting on behalf of a user)
	// If false, the caller should reject the request immediately.
	// If true, the caller can proceed to check user permissions as needed.
	Allowed bool
	// Permissions lists the permissions present in the token used for the check
	Permissions []string
}

ServiceEvaluationResult contains the result of a service permission check along with debug information

func CheckServicePermissions 

func CheckServicePermissions(authInfo types.AuthInfo, group, resource, verb string) ServiceEvaluationResult

TL;DR: CheckServicePermissions should only be used when user permissions are checked later in the flow. If the service is allowed, the caller can proceed to check user permissions as needed. If the service is not allowed, the caller should reject the request immediately. Prefer using the authz.Client directly, it handles both service and user permissions in one call.

AuthInfo always holds service info, and optionally user info (service vs. on-behalf-of calls). While service permissions are directly checkable from AuthInfo, user permissions require an AuthZ service call which is not done here.

CheckServicePermissions verifies if the service has the required permissions for an action: - For direct service calls (access policy), it checks the service's own permissions. - For calls made on behalf of a user (on-behalf-of), it checks the service's delegated permissions.

type TimestampZookie 

type TimestampZookie struct {
	// contains filtered or unexported fields
}

Zookie implementation based on a timestamp

func NewTimestampZookie 

func NewTimestampZookie(ts int64) *TimestampZookie

NewTimestampZookie creates a new TimestampZookie with the given timestamp in milliseconds.

func (*TimestampZookie) IsFresherThan 

func (t *TimestampZookie) IsFresherThan(d time.Time) bool

Source Files

View all Source files

Directories

Path Synopsis
proto
v1
Package authzv1 is a reverse proxy.
 Package authzv1 is a reverse proxy.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.