access

package module
v0.9.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 8, 2025 License: MIT Imports: 21 Imported by: 3

README

access

Go library for role-based access control (RBAC) with domain-specific permission management. Built on Casbin.

Overview

Manages user permissions and roles across multiple domains or tenants. Supports PostgreSQL and Google Cloud Spanner as persistence backends.

Features

  • Role-based access control (RBAC)
  • Multi-domain/tenant support with global domain option
  • Resource-specific permissions
  • User, role, and permission management APIs
  • HTTP handlers for REST endpoints
  • Role migration and bootstrapping

Installation

go get github.com/cccteam/access

Core Concepts

  • Domain: Tenant or organizational unit for permission isolation
  • User: Individual with assigned roles
  • Role: Named collection of permissions
  • Permission: Action that can be performed (create, read, update, delete)
  • Resource: Object or entity that permissions apply to

Database Adapters

PostgreSQL
connConfig, _ := pgx.ParseConfig("postgresql://user:pass@localhost/db")
adapter := access.NewPostgresAdapter(connConfig, "database_name", "casbin_rule")
Google Cloud Spanner
adapter := access.NewSpannerAdapter("projects/myproject/instances/myinstance/databases/mydb", "casbin_rule")

Quick Start

package main

import (
    "context"
    "log"
    
    "github.com/cccteam/access"
    "github.com/cccteam/ccc/accesstypes"
    "github.com/jackc/pgx/v5"
)

func main() {
    // Configure PostgreSQL connection
    connConfig, _ := pgx.ParseConfig("postgresql://user:pass@localhost/db")
    
    // Create adapters and domains implementation
    adapter := access.NewPostgresAdapter(connConfig, "mydb", "casbin_rule")
    domains := &MyDomainsImpl{} // Implement the Domains interface
    
    client, err := access.New(domains, adapter)
    if err != nil {
        log.Fatal(err)
    }
    
    ctx := context.Background()
    mgr := client.UserManager()
    
    // Create role and grant permissions
    mgr.AddRole(ctx, "tenant1", "admin")
    mgr.AddRolePermissions(ctx, "tenant1", "admin", "create", "read", "update", "delete")
    
    // Assign role to user
    mgr.AddUserRoles(ctx, "tenant1", "john.doe", "admin")
    
    // Check permissions
    err = client.RequireAll(ctx, "john.doe", "tenant1", "read", "write")
}
Implementing Domains Interface

Implement the Domains interface for domain validation:

type MyDomainsImpl struct {}

func (d *MyDomainsImpl) DomainIDs(ctx context.Context) ([]string, error) {
    return []string{"tenant1", "tenant2", "tenant3"}, nil
}

func (d *MyDomainsImpl) DomainExists(ctx context.Context, domainID string) (bool, error) {
    // Check domain existence in your system
    return true, nil
}

API Usage

Permission Checking
// Check all permissions
err := client.RequireAll(ctx, user, domain, "read", "write", "delete")

// Check resource-specific permissions
ok, missing, err := client.RequireResources(ctx, user, domain, "read", "resource1", "resource2")
User Management
mgr := client.UserManager()

userAccess, err := mgr.User(ctx, "john.doe", "tenant1")
allUsers, err := mgr.Users(ctx, "tenant1")
roles, err := mgr.UserRoles(ctx, "john.doe", "tenant1")
permissions, err := mgr.UserPermissions(ctx, "john.doe", "tenant1")

mgr.AddUserRoles(ctx, "tenant1", "john.doe", "admin", "editor")
mgr.DeleteUserRoles(ctx, "tenant1", "john.doe", "editor")
Role Management
mgr.AddRole(ctx, "tenant1", "moderator")
deleted, err := mgr.DeleteRole(ctx, "tenant1", "moderator")

roles, err := mgr.Roles(ctx, "tenant1")
exists := mgr.RoleExists(ctx, "tenant1", "admin")

users, err := mgr.RoleUsers(ctx, "tenant1", "admin")
mgr.AddRoleUsers(ctx, "tenant1", "admin", "user1", "user2")
mgr.DeleteRoleUsers(ctx, "tenant1", "admin", "user1")
Permission Management
// Domain-specific permissions
mgr.AddRolePermissions(ctx, "tenant1", "admin", "create", "delete")
mgr.DeleteRolePermissions(ctx, "tenant1", "admin", "delete")
mgr.DeleteAllRolePermissions(ctx, "tenant1", "admin")

// Resource-specific permissions
mgr.AddRolePermissionResources(ctx, "tenant1", "editor", "read", "document1", "document2")
mgr.DeleteRolePermissionResources(ctx, "tenant1", "editor", "read", "document1")

permissions, err := mgr.RolePermissions(ctx, "tenant1", "admin")

HTTP Handlers

import "github.com/go-playground/validator/v10"

validate := validator.New()
logHandler := func(handler func(w http.ResponseWriter, r *http.Request) error) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        if err := handler(w, r); err != nil {
            // Handle error
        }
    }
}

handlers := client.Handlers(validate, logHandler)

http.HandleFunc("/roles", handlers.Roles())
http.HandleFunc("/roles/add", handlers.AddRole())
http.HandleFunc("/users", handlers.Users())
http.HandleFunc("/user", handlers.User())

Role Migration

MigrateRoles automates role and permission setup across all domains. Use for initial setup, deployment automation, and permission updates.

Usage
import (
    "context"
    
    "github.com/cccteam/access"
    "github.com/cccteam/ccc/accesstypes"
    "github.com/cccteam/ccc/resource"
)

func migrateRoles(client *access.Client, store *resource.Collection) error {
    ctx := context.Background()
    
    roleConfig := &access.RoleConfig{
        Roles: []*access.Role{
            {
                Name: "Editor",
                Permissions: map[accesstypes.Permission][]accesstypes.Resource{
                    "read":   {"documents", "images", "files"},
                    "create": {"documents", "images"},
                    "update": {"documents", "images"},
                },
            },
            {
                Name: "Viewer",
                Permissions: map[accesstypes.Permission][]accesstypes.Resource{
                    "read": {"documents", "images", "files"},
                },
            },
            {
                Name: "Moderator",
                Permissions: map[accesstypes.Permission][]accesstypes.Resource{
                    "read":   {"documents", "images", "files", "users"},
                    "update": {"documents", "users"},
                    "delete": {"documents"},
                },
            },
        },
    }
    
    return access.MigrateRoles(ctx, client.UserManager(), store, roleConfig)
}
Behavior
  • Automatically adds "Administrator" role with all permissions
  • Applies roles across all domains (global and domain-specific)
  • Creates missing roles and adds missing permissions
  • Removes permissions not in configuration
  • Removes roles not in configuration
  • Validates resources and permissions against resource store
  • Prevents update permissions on immutable resources

Note: Safe to run multiple times - applies changes only when state differs from configuration. Modifies input config by appending Administrator role.

JSON Configuration
{
  "roles": [
    {
      "Name": "Editor",
      "Permissions": {
        "read": ["documents", "images"],
        "create": ["documents", "images"],
        "update": ["documents", "images"]
      }
    },
    {
      "Name": "Viewer",
      "Permissions": {
        "read": ["documents", "images"]
      }
    }
  ]
}

data, _ := os.ReadFile("roles.json")
var config access.RoleConfig
json.Unmarshal(data, &config)
access.MigrateRoles(ctx, client.UserManager(), store, &config)

License

See LICENSE file.

Created and maintained by the CCC team.

Documentation

Overview

Package access implements tools to manage access to resources.

Package access is a generated GoMock package.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MigrateRoles added in v0.5.0 

func MigrateRoles(ctx context.Context, client UserManager, store *resource.Collection, roleConfig *RoleConfig) error

MigrateRoles applies role configuration across all domains. Adds missing roles and permissions, removes extras, and includes Administrator role with all permissions.

Types

type Adapter added in v0.1.3 

type Adapter interface {
	// NewAdapter returns a casbin persistence adapter.
	NewAdapter() (persist.Adapter, error)
}

Adapter creates casbin persistence adapters.

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client is the main access control client for permission checking and user management.

func New 

func New(domains Domains, adapter Adapter) (*Client, error)

New creates a new Client with specified domains and adapter. Errors if user manager initialization fails.

func (*Client) Handlers 

func (c *Client) Handlers(logHandler LogHandler) Handlers

Handlers returns the Handlers for enforcing access control

func (*Client) RequireAll 

func (c *Client) RequireAll(ctx context.Context, username accesstypes.User, domain accesstypes.Domain, perms ...accesstypes.Permission) error

RequireAll checks if user has all permissions in domain. Errors if domain invalid or user lacks permissions.

func (*Client) RequireResources added in v0.3.0 

func (c *Client) RequireResources(
	ctx context.Context, username accesstypes.User, domain accesstypes.Domain, perm accesstypes.Permission, resources ...accesstypes.Resource,
) (bool, []accesstypes.Resource, error)

RequireResources checks if user has permission for resources in domain. Returns ok=true if all accessible, ok=false with missing resources otherwise. Errors if domain invalid.

func (*Client) UserManager 

func (c *Client) UserManager() UserManager

UserManager returns the UserManager for managing users, roles, and permissions.

type Controller added in v0.1.1 

type Controller interface {
	// RequireAll checks if user has all specified permissions in domain.
	RequireAll(ctx context.Context, user accesstypes.User, domain accesstypes.Domain, permissions ...accesstypes.Permission) error

	// RequireResources checks if user has permission for resources in domain.
	// Returns ok=true if all resources are accessible, ok=false with missing resources otherwise.
	RequireResources(
		ctx context.Context, username accesstypes.User, domain accesstypes.Domain, perm accesstypes.Permission, resources ...accesstypes.Resource,
	) (ok bool, missing []accesstypes.Resource, err error)

	// UserManager returns the UserManager for managing users, roles, and permissions.
	UserManager() UserManager

	// Handlers returns HTTP handlers for access management with validation and logging.
	Handlers(handler LogHandler) Handlers
}

Controller is the main interface for access control operations.

type Domains 

type Domains interface {
	// DomainIDs returns all domain IDs.
	DomainIDs(ctx context.Context) ([]string, error)

	// DomainExists returns true if domain ID exists.
	DomainExists(ctx context.Context, domain string) (bool, error)
}

Domains manages domain queries and validation.

type HandlerClient 

type HandlerClient struct {
	// contains filtered or unexported fields
}

HandlerClient implements Handlers for access management.

func (*HandlerClient) AddRole 

func (a *HandlerClient) AddRole() http.HandlerFunc

AddRole is the handler to add a new role to the system

Permissions Required: AddRole

func (*HandlerClient) AddRolePermissions 

func (a *HandlerClient) AddRolePermissions() http.HandlerFunc

AddRolePermissions is the handler to assign permissions to a given role

Permissions Required: AddRolePermissions

func (*HandlerClient) AddRoleUsers 

func (a *HandlerClient) AddRoleUsers() http.HandlerFunc

AddRoleUsers is the handler to assign a role to a list of users

Permissions Required: AddRoleUsers

func (*HandlerClient) DeleteRole 

func (a *HandlerClient) DeleteRole() http.HandlerFunc

DeleteRole is the handler to delete a role

Permissions Required: DeleteRole

func (*HandlerClient) DeleteRolePermissions 

func (a *HandlerClient) DeleteRolePermissions() http.HandlerFunc

DeleteRolePermissions is the handler to remove permissions from a role

Permissions Required: DeleteRolePermissions

func (*HandlerClient) DeleteRoleUsers 

func (a *HandlerClient) DeleteRoleUsers() http.HandlerFunc

DeleteRoleUsers is the handler to delete a list of users from a given role

Permissions Required: DeleteRoleUsers

func (*HandlerClient) RolePermissions 

func (a *HandlerClient) RolePermissions() http.HandlerFunc

RolePermissions is the handler to the list of permissions for a given role

Permissions Required: ListRolePermissions

func (*HandlerClient) RoleUsers 

func (a *HandlerClient) RoleUsers() http.HandlerFunc

RoleUsers is the handler to the list of users for a given role

Permissions Required: ListRoleUsers

func (*HandlerClient) Roles 

func (a *HandlerClient) Roles() http.HandlerFunc

Roles is the handler to get the list of roles in the system for a given domain

Permissions Required: ListRoles

func (*HandlerClient) User 

func (a *HandlerClient) User() http.HandlerFunc

User is the handler to get a user

Permissions Required: ViewUsers

func (*HandlerClient) Users 

func (a *HandlerClient) Users() http.HandlerFunc

Users is the handler to get the list of users in the system

Permissions Required: ViewUsers

type Handlers 

type Handlers interface {
	AddRole() http.HandlerFunc
	AddRolePermissions() http.HandlerFunc
	AddRoleUsers() http.HandlerFunc
	DeleteRole() http.HandlerFunc
	DeleteRolePermissions() http.HandlerFunc
	DeleteRoleUsers() http.HandlerFunc
	RolePermissions() http.HandlerFunc
	Roles() http.HandlerFunc
	RoleUsers() http.HandlerFunc
	User() http.HandlerFunc
	Users() http.HandlerFunc
}

Handlers provides HTTP handlers for managing user roles.

type LogHandler 

type LogHandler func(handler func(w http.ResponseWriter, r *http.Request) error) http.HandlerFunc

LogHandler wraps handlers with logging. Converts error-returning handler to http.HandlerFunc.

type MockController added in v0.1.1 

type MockController struct {
	// contains filtered or unexported fields
}

MockController is a mock of Controller interface.

func NewMockController added in v0.1.1 

func NewMockController(ctrl *gomock.Controller) *MockController

NewMockController creates a new mock instance.

func (*MockController) EXPECT added in v0.1.1 

func (m *MockController) EXPECT() *MockControllerMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockController) Handlers added in v0.1.1 

func (m *MockController) Handlers(handler LogHandler) Handlers

Handlers mocks base method.

func (*MockController) RequireAll added in v0.1.1 

func (m *MockController) RequireAll(ctx context.Context, user accesstypes.User, domain accesstypes.Domain, permissions ...accesstypes.Permission) error

RequireAll mocks base method.

func (*MockController) RequireResources added in v0.3.0 

func (m *MockController) RequireResources(ctx context.Context, username accesstypes.User, domain accesstypes.Domain, perm accesstypes.Permission, resources ...accesstypes.Resource) (bool, []accesstypes.Resource, error)

RequireResources mocks base method.

func (*MockController) UserManager added in v0.1.1 

func (m *MockController) UserManager() UserManager

UserManager mocks base method.

type MockControllerMockRecorder added in v0.1.1 

type MockControllerMockRecorder struct {
	// contains filtered or unexported fields
}

MockControllerMockRecorder is the mock recorder for MockController.

func (*MockControllerMockRecorder) Handlers added in v0.1.1 

func (mr *MockControllerMockRecorder) Handlers(handler any) *gomock.Call

Handlers indicates an expected call of Handlers.

func (*MockControllerMockRecorder) RequireAll added in v0.1.1 

func (mr *MockControllerMockRecorder) RequireAll(ctx, user, domain any, permissions ...any) *gomock.Call

RequireAll indicates an expected call of RequireAll.

func (*MockControllerMockRecorder) RequireResources added in v0.3.0 

func (mr *MockControllerMockRecorder) RequireResources(ctx, username, domain, perm any, resources ...any) *gomock.Call

RequireResources indicates an expected call of RequireResources.

func (*MockControllerMockRecorder) UserManager added in v0.1.1 

func (mr *MockControllerMockRecorder) UserManager() *gomock.Call

UserManager indicates an expected call of UserManager.

type MockDomains 

type MockDomains struct {
	// contains filtered or unexported fields
}

MockDomains is a mock of Domains interface.

func NewMockDomains 

func NewMockDomains(ctrl *gomock.Controller) *MockDomains

NewMockDomains creates a new mock instance.

func (*MockDomains) DomainExists 

func (m *MockDomains) DomainExists(ctx context.Context, domain string) (bool, error)

DomainExists mocks base method.

func (*MockDomains) DomainIDs 

func (m *MockDomains) DomainIDs(ctx context.Context) ([]string, error)

DomainIDs mocks base method.

func (*MockDomains) EXPECT 

func (m *MockDomains) EXPECT() *MockDomainsMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

type MockDomainsMockRecorder 

type MockDomainsMockRecorder struct {
	// contains filtered or unexported fields
}

MockDomainsMockRecorder is the mock recorder for MockDomains.

func (*MockDomainsMockRecorder) DomainExists 

func (mr *MockDomainsMockRecorder) DomainExists(ctx, domain any) *gomock.Call

DomainExists indicates an expected call of DomainExists.

func (*MockDomainsMockRecorder) DomainIDs 

func (mr *MockDomainsMockRecorder) DomainIDs(ctx any) *gomock.Call

DomainIDs indicates an expected call of DomainIDs.

type MockUserManager 

type MockUserManager struct {
	// contains filtered or unexported fields
}

MockUserManager is a mock of UserManager interface.

func NewMockUserManager 

func NewMockUserManager(ctrl *gomock.Controller) *MockUserManager

NewMockUserManager creates a new mock instance.

func (*MockUserManager) AddRole 

func (m *MockUserManager) AddRole(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) error

AddRole mocks base method.

func (*MockUserManager) AddRolePermissionResources added in v0.2.0 

func (m *MockUserManager) AddRolePermissionResources(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, permission accesstypes.Permission, resources ...accesstypes.Resource) error

AddRolePermissionResources mocks base method.

func (*MockUserManager) AddRolePermissions 

func (m *MockUserManager) AddRolePermissions(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, permissions ...accesstypes.Permission) error

AddRolePermissions mocks base method.

func (*MockUserManager) AddRoleUsers 

func (m *MockUserManager) AddRoleUsers(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, users ...accesstypes.User) error

AddRoleUsers mocks base method.

func (*MockUserManager) AddUserRoles 

func (m *MockUserManager) AddUserRoles(ctx context.Context, domain accesstypes.Domain, user accesstypes.User, roles ...accesstypes.Role) error

AddUserRoles mocks base method.

func (*MockUserManager) DeleteAllRolePermissions 

func (m *MockUserManager) DeleteAllRolePermissions(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) error

DeleteAllRolePermissions mocks base method.

func (*MockUserManager) DeleteRole 

func (m *MockUserManager) DeleteRole(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) (bool, error)

DeleteRole mocks base method.

func (*MockUserManager) DeleteRolePermissionResources added in v0.2.0 

func (m *MockUserManager) DeleteRolePermissionResources(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, permission accesstypes.Permission, resources ...accesstypes.Resource) error

DeleteRolePermissionResources mocks base method.

func (*MockUserManager) DeleteRolePermissions 

func (m *MockUserManager) DeleteRolePermissions(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, permissions ...accesstypes.Permission) error

DeleteRolePermissions mocks base method.

func (*MockUserManager) DeleteRoleUsers 

func (m *MockUserManager) DeleteRoleUsers(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, users ...accesstypes.User) error

DeleteRoleUsers mocks base method.

func (*MockUserManager) DeleteUserRoles added in v0.2.0 

func (m *MockUserManager) DeleteUserRoles(ctx context.Context, domain accesstypes.Domain, user accesstypes.User, roles ...accesstypes.Role) error

DeleteUserRoles mocks base method.

func (*MockUserManager) DomainExists 

func (m *MockUserManager) DomainExists(ctx context.Context, domain accesstypes.Domain) (bool, error)

DomainExists mocks base method.

func (*MockUserManager) Domains 

func (m *MockUserManager) Domains(ctx context.Context) ([]accesstypes.Domain, error)

Domains mocks base method.

func (*MockUserManager) EXPECT 

func (m *MockUserManager) EXPECT() *MockUserManagerMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockUserManager) RoleExists 

func (m *MockUserManager) RoleExists(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) bool

RoleExists mocks base method.

func (*MockUserManager) RolePermissions 

func (m *MockUserManager) RolePermissions(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) (accesstypes.RolePermissionCollection, error)

RolePermissions mocks base method.

func (*MockUserManager) RoleUsers 

func (m *MockUserManager) RoleUsers(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) ([]accesstypes.User, error)

RoleUsers mocks base method.

func (*MockUserManager) Roles 

func (m *MockUserManager) Roles(ctx context.Context, domain accesstypes.Domain) ([]accesstypes.Role, error)

Roles mocks base method.

func (*MockUserManager) User 

func (m *MockUserManager) User(ctx context.Context, user accesstypes.User, domain ...accesstypes.Domain) (*UserAccess, error)

User mocks base method.

func (*MockUserManager) UserPermissions 

func (m *MockUserManager) UserPermissions(ctx context.Context, user accesstypes.User, domain ...accesstypes.Domain) (accesstypes.UserPermissionCollection, error)

UserPermissions mocks base method.

func (*MockUserManager) UserRoles 

func (m *MockUserManager) UserRoles(ctx context.Context, user accesstypes.User, domain ...accesstypes.Domain) (accesstypes.RoleCollection, error)

UserRoles mocks base method.

func (*MockUserManager) Users 

func (m *MockUserManager) Users(ctx context.Context, domain ...accesstypes.Domain) ([]*UserAccess, error)

Users mocks base method.

type MockUserManagerMockRecorder 

type MockUserManagerMockRecorder struct {
	// contains filtered or unexported fields
}

MockUserManagerMockRecorder is the mock recorder for MockUserManager.

func (*MockUserManagerMockRecorder) AddRole 

func (mr *MockUserManagerMockRecorder) AddRole(ctx, domain, role any) *gomock.Call

AddRole indicates an expected call of AddRole.

func (*MockUserManagerMockRecorder) AddRolePermissionResources added in v0.2.0 

func (mr *MockUserManagerMockRecorder) AddRolePermissionResources(ctx, domain, role, permission any, resources ...any) *gomock.Call

AddRolePermissionResources indicates an expected call of AddRolePermissionResources.

func (*MockUserManagerMockRecorder) AddRolePermissions 

func (mr *MockUserManagerMockRecorder) AddRolePermissions(ctx, domain, role any, permissions ...any) *gomock.Call

AddRolePermissions indicates an expected call of AddRolePermissions.

func (*MockUserManagerMockRecorder) AddRoleUsers 

func (mr *MockUserManagerMockRecorder) AddRoleUsers(ctx, domain, role any, users ...any) *gomock.Call

AddRoleUsers indicates an expected call of AddRoleUsers.

func (*MockUserManagerMockRecorder) AddUserRoles 

func (mr *MockUserManagerMockRecorder) AddUserRoles(ctx, domain, user any, roles ...any) *gomock.Call

AddUserRoles indicates an expected call of AddUserRoles.

func (*MockUserManagerMockRecorder) DeleteAllRolePermissions 

func (mr *MockUserManagerMockRecorder) DeleteAllRolePermissions(ctx, domain, role any) *gomock.Call

DeleteAllRolePermissions indicates an expected call of DeleteAllRolePermissions.

func (*MockUserManagerMockRecorder) DeleteRole 

func (mr *MockUserManagerMockRecorder) DeleteRole(ctx, domain, role any) *gomock.Call

DeleteRole indicates an expected call of DeleteRole.

func (*MockUserManagerMockRecorder) DeleteRolePermissionResources added in v0.2.0 

func (mr *MockUserManagerMockRecorder) DeleteRolePermissionResources(ctx, domain, role, permission any, resources ...any) *gomock.Call

DeleteRolePermissionResources indicates an expected call of DeleteRolePermissionResources.

func (*MockUserManagerMockRecorder) DeleteRolePermissions 

func (mr *MockUserManagerMockRecorder) DeleteRolePermissions(ctx, domain, role any, permissions ...any) *gomock.Call

DeleteRolePermissions indicates an expected call of DeleteRolePermissions.

func (*MockUserManagerMockRecorder) DeleteRoleUsers 

func (mr *MockUserManagerMockRecorder) DeleteRoleUsers(ctx, domain, role any, users ...any) *gomock.Call

DeleteRoleUsers indicates an expected call of DeleteRoleUsers.

func (*MockUserManagerMockRecorder) DeleteUserRoles added in v0.2.0 

func (mr *MockUserManagerMockRecorder) DeleteUserRoles(ctx, domain, user any, roles ...any) *gomock.Call

DeleteUserRoles indicates an expected call of DeleteUserRoles.

func (*MockUserManagerMockRecorder) DomainExists 

func (mr *MockUserManagerMockRecorder) DomainExists(ctx, domain any) *gomock.Call

DomainExists indicates an expected call of DomainExists.

func (*MockUserManagerMockRecorder) Domains 

func (mr *MockUserManagerMockRecorder) Domains(ctx any) *gomock.Call

Domains indicates an expected call of Domains.

func (*MockUserManagerMockRecorder) RoleExists 

func (mr *MockUserManagerMockRecorder) RoleExists(ctx, domain, role any) *gomock.Call

RoleExists indicates an expected call of RoleExists.

func (*MockUserManagerMockRecorder) RolePermissions 

func (mr *MockUserManagerMockRecorder) RolePermissions(ctx, domain, role any) *gomock.Call

RolePermissions indicates an expected call of RolePermissions.

func (*MockUserManagerMockRecorder) RoleUsers 

func (mr *MockUserManagerMockRecorder) RoleUsers(ctx, domain, role any) *gomock.Call

RoleUsers indicates an expected call of RoleUsers.

func (*MockUserManagerMockRecorder) Roles 

func (mr *MockUserManagerMockRecorder) Roles(ctx, domain any) *gomock.Call

Roles indicates an expected call of Roles.

func (*MockUserManagerMockRecorder) User 

func (mr *MockUserManagerMockRecorder) User(ctx, user any, domain ...any) *gomock.Call

User indicates an expected call of User.

func (*MockUserManagerMockRecorder) UserPermissions 

func (mr *MockUserManagerMockRecorder) UserPermissions(ctx, user any, domain ...any) *gomock.Call

UserPermissions indicates an expected call of UserPermissions.

func (*MockUserManagerMockRecorder) UserRoles 

func (mr *MockUserManagerMockRecorder) UserRoles(ctx, user any, domain ...any) *gomock.Call

UserRoles indicates an expected call of UserRoles.

func (*MockUserManagerMockRecorder) Users 

func (mr *MockUserManagerMockRecorder) Users(ctx any, domain ...any) *gomock.Call

Users indicates an expected call of Users.

type PermissionsListFunc 

type PermissionsListFunc func() []accesstypes.Permission

PermissionsListFunc returns available permissions.

type PostgresAdapter added in v0.1.3 

type PostgresAdapter struct {
	// contains filtered or unexported fields
}

PostgresAdapter provides PostgreSQL persistence for casbin policies.

func NewPostgresAdapter added in v0.1.3 

func NewPostgresAdapter(connConfig *pgx.ConnConfig, databaseName, tableName string) *PostgresAdapter

NewPostgresAdapter creates PostgreSQL adapter for storing casbin policies.

func (*PostgresAdapter) NewAdapter added in v0.1.3 

func (p *PostgresAdapter) NewAdapter() (persist.Adapter, error)

NewAdapter creates PostgreSQL casbin adapter.

type Role 

type Role struct {
	Name        accesstypes.Role
	Permissions map[accesstypes.Permission][]accesstypes.Resource
}

Role defines role name and permissions mapped to resources.

type RoleConfig added in v0.5.0 

type RoleConfig struct {
	Roles []*Role `json:"roles"`
}

RoleConfig contains roles for migration.

type SpannerAdapter added in v0.1.3 

type SpannerAdapter struct {
	// contains filtered or unexported fields
}

SpannerAdapter provides Spanner persistence for casbin policies.

func NewSpannerAdapter added in v0.1.3 

func NewSpannerAdapter(databaseName, tableName string) *SpannerAdapter

NewSpannerAdapter creates Spanner adapter for storing casbin policies.

func (*SpannerAdapter) NewAdapter added in v0.1.3 

func (s *SpannerAdapter) NewAdapter() (persist.Adapter, error)

NewAdapter creates Spanner casbin adapter. Skips database creation.

type UserAccess 

type UserAccess struct {
	Name        string
	Roles       accesstypes.RoleCollection
	Permissions accesstypes.UserPermissionCollection
}

UserAccess contains user's name, roles by domain, and effective permissions by domain and resource.

type UserManager 

type UserManager interface {
	// AddRoleUsers assigns role to users in domain. Errors if role doesn't exist.
	AddRoleUsers(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, users ...accesstypes.User) error

	// AddUserRoles assigns roles to user in domain. Errors if any role doesn't exist.
	AddUserRoles(ctx context.Context, domain accesstypes.Domain, user accesstypes.User, roles ...accesstypes.Role) error

	// DeleteRoleUsers removes users from role in domain. Errors if role doesn't exist.
	DeleteRoleUsers(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, users ...accesstypes.User) error

	// DeleteUserRoles removes role assignments from user in domain.
	DeleteUserRoles(ctx context.Context, domain accesstypes.Domain, user accesstypes.User, roles ...accesstypes.Role) error

	// User returns user's roles and permissions. If domains unspecified, returns all domains.
	User(ctx context.Context, user accesstypes.User, domain ...accesstypes.Domain) (*UserAccess, error)

	// Users returns all users with roles and permissions. If domains unspecified, returns all domains.
	Users(ctx context.Context, domain ...accesstypes.Domain) ([]*UserAccess, error)

	// UserRoles returns user's roles. If domains unspecified, returns all domains.
	UserRoles(ctx context.Context, user accesstypes.User, domain ...accesstypes.Domain) (accesstypes.RoleCollection, error)

	// UserPermissions returns user's effective permissions. If domains unspecified, returns all domains.
	UserPermissions(ctx context.Context, user accesstypes.User, domain ...accesstypes.Domain) (accesstypes.UserPermissionCollection, error)

	// AddRole creates role in domain. Errors if domain doesn't exist or role already exists.
	//
	// Note: Adds internal "noop" user to role for casbin enumeration.
	AddRole(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) error

	// RoleExists returns true if role exists in domain.
	RoleExists(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) bool

	// Roles returns all roles in domain. Errors if domain doesn't exist.
	Roles(ctx context.Context, domain accesstypes.Domain) ([]accesstypes.Role, error)

	// DeleteRole removes role from domain. Returns false with error if role has users assigned.
	DeleteRole(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) (bool, error)

	// AddRolePermissions grants global permissions to role in domain. Errors if role doesn't exist.
	AddRolePermissions(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, permissions ...accesstypes.Permission) error

	// AddRolePermissionResources grants resource-specific permissions to role in domain. Errors if role doesn't exist.
	AddRolePermissionResources(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, permission accesstypes.Permission, resources ...accesstypes.Resource) error

	// DeleteRolePermissions removes global permissions from role in domain. Errors if role doesn't exist.
	DeleteRolePermissions(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, permissions ...accesstypes.Permission) error

	// DeleteRolePermissionResources removes resource-specific permissions from role in domain. Errors if role doesn't exist.
	DeleteRolePermissionResources(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role, permission accesstypes.Permission, resources ...accesstypes.Resource) error

	// DeleteAllRolePermissions removes all permissions from role in domain.
	DeleteAllRolePermissions(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) error

	// RoleUsers returns users assigned to role in domain. Excludes internal "noop" user.
	RoleUsers(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) ([]accesstypes.User, error)

	// RolePermissions returns permissions for role in domain as map of permissions to resources. Errors if role doesn't exist.
	RolePermissions(ctx context.Context, domain accesstypes.Domain, role accesstypes.Role) (accesstypes.RolePermissionCollection, error)

	// Domains returns all domains including global domain.
	Domains(ctx context.Context) ([]accesstypes.Domain, error)

	// DomainExists returns true if domain exists. Always true for global domain.
	DomainExists(ctx context.Context, domain accesstypes.Domain) (bool, error)
}

UserManager manages RBAC users, roles, permissions, and domains.

Source Files

View all Source files

Directories

Path Synopsis
Package mock contains the generated mocks for the project.
 Package mock contains the generated mocks for the project.
mock_access
Package mock_access is a generated GoMock package.
 Package mock_access is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.