// Copyright (c) Mainflux
// SPDX-License-Identifier: Apache-2.0
package auth
import (
"context"
"encoding/json"
)
// Subject kinds. These are the values carried in PolicyReq.SubjectKind and
// tell the backend how the Subject field is to be interpreted.
const (
	TokenKind    = "token"
	GroupsKind   = "groups"
	ChannelsKind = "channels"
	ThingsKind   = "things"
	UsersKind    = "users"
)

// Entity types, used for PolicyReq.SubjectType and PolicyReq.ObjectType.
const (
	GroupType   = "group"
	ChannelType = "channel"
	ThingType   = "thing"
	UserType    = "user"
)

// Relations a subject can hold on an object (PolicyReq.Relation).
const (
	OwnerRelation       = "owner"
	AdminRelation       = "admin"
	EditorRelation      = "editor"
	ViewerRelation      = "viewer"
	ParentGroupRelation = "parent_group"
	RoleGroupRelation   = "role_group"
	GroupRelation       = "group"
)

// Permissions that can be checked for a subject on an object
// (PolicyReq.Permission).
const (
	AdministratorPermission = "administrator"
	DeletePermission        = "delete"
	EditPermission          = "edit"
	ViewPermission          = "view"
	SharePermission         = "share"
	PublishPermission       = "publish"
	SubscribePermission     = "subscribe"
)
// PolicyReq represents an argument struct for making a policy related
// function calls. It is the single argument type shared by the Authz and
// PolicyAgent methods in this file.
type PolicyReq struct {
	// Namespace is left out of the JSON encoding when empty.
	Namespace string `json:",omitempty"`
	// Subject identifies who the policy is about; SubjectType and
	// SubjectKind qualify it. NOTE(review): given TokenKind above, Subject
	// presumably carries a bearer token when SubjectKind is TokenKind —
	// confirm before treating this field as loggable.
	Subject     string `json:"subject"`
	SubjectType string `json:"subject_type"`
	SubjectKind string `json:"subject_kind"`
	// SubjectRelation is left out of the JSON encoding when empty.
	SubjectRelation string `json:",omitempty"`
	// Object identifies what the policy is about; ObjectType qualifies it.
	Object     string `json:"object"`
	ObjectType string `json:"object_type"`
	Relation   string `json:"relation"`
	// Permission is left out of the JSON encoding when empty.
	Permission string `json:",omitempty"`
}

// String renders the request as its JSON encoding, following the field tags
// above (Namespace, SubjectRelation and Permission are omitted when empty;
// every other field is always present). If json.Marshal reports an error
// the empty string is returned instead.
//
// NOTE(review): because Subject may hold a token (see the field comment),
// the rendered string can contain a credential; check the callers that
// write it to logs or error messages.
func (pr PolicyReq) String() string {
	if encoded, err := json.Marshal(pr); err == nil {
		return string(encoded)
	}
	return ""
}
// PolicyRes is a single policy tuple as returned by the PolicyAgent
// Retrieve* methods. It carries the same fields as PolicyReq except
// SubjectKind, and has no JSON tags.
type PolicyRes struct {
Namespace string
Subject string
SubjectType string
SubjectRelation string
Object string
ObjectType string
Relation string
Permission string
}
// PolicyPage is one page of results from the Authz List* methods.
// NextPageToken is presumably handed back as the nextPageToken argument of
// ListObjects/ListSubjects to fetch the following page; an empty token
// likely marks the last page (verify against the implementation).
type PolicyPage struct {
// Policies holds the matching entries; what each string identifies
// (object or subject id) depends on the method that produced the page.
Policies []string
NextPageToken string
}
// Authz represents an authorization service. It exposes
// functionalities through `auth` to perform authorization.
type Authz interface {
// Authorize checks authorization of the given `subject`: it verifies
// whether `subject` is allowed `relation` on `object`. Authorize returns
// a non-nil error if the subject has no relation on the object (which
// simply means the operation is denied). Callers must therefore treat
// any non-nil error as a denial and never proceed on error.
Authorize(ctx context.Context, pr PolicyReq) error

// AddPolicy creates a policy for the given subject, so that, after
// AddPolicy, `subject` has a `relation` on `object`. Returns a non-nil
// error in case of failures.
AddPolicy(ctx context.Context, pr PolicyReq) error

// AddPolicies adds new policies for given subjects. This method is
// only allowed to use as an admin: `token` is the caller's token and
// the implementation is expected to reject it unless it belongs to an
// admin. subjectIDs and relations are parallel lists; each subject is
// presumably paired with each relation on `object` (confirm against the
// implementation).
AddPolicies(ctx context.Context, token, object string, subjectIDs, relations []string) error

// DeletePolicy removes a policy.
DeletePolicy(ctx context.Context, pr PolicyReq) error

// DeletePolicies deletes policies for given subjects. This method is
// only allowed to use as an admin; `token`, `object`, subjectIDs and
// relations have the same meaning as in AddPolicies.
DeletePolicies(ctx context.Context, token, object string, subjectIDs, relations []string) error

// ListObjects lists policies based on the given PolicyReq structure.
// nextPageToken is the PolicyPage.NextPageToken of the previous page
// (empty for the first page) and limit caps the page size.
ListObjects(ctx context.Context, pr PolicyReq, nextPageToken string, limit int32) (PolicyPage, error)

// ListAllObjects lists all policies based on the given PolicyReq structure,
// without paging.
ListAllObjects(ctx context.Context, pr PolicyReq) (PolicyPage, error)

// CountObjects counts policies based on the given PolicyReq structure.
CountObjects(ctx context.Context, pr PolicyReq) (int, error)

// ListSubjects lists subjects based on the given PolicyReq structure.
// nextPageToken and limit are used as in ListObjects.
ListSubjects(ctx context.Context, pr PolicyReq, nextPageToken string, limit int32) (PolicyPage, error)

// ListAllSubjects lists all subjects based on the given PolicyReq structure,
// without paging.
ListAllSubjects(ctx context.Context, pr PolicyReq) (PolicyPage, error)

// CountSubjects counts subjects based on the given PolicyReq structure.
CountSubjects(ctx context.Context, pr PolicyReq) (int, error)
}
// PolicyAgent facilitates the communication to authorization
// services and implements Authz functionalities for certain
// authorization services (e.g. ORY Keto). It is the backend-facing
// counterpart of Authz: the Retrieve* methods return raw PolicyRes tuples
// where Authz returns PolicyPage.
type PolicyAgent interface {
// CheckPolicy checks if the subject has a relation on the object.
// It returns a non-nil error if the subject has no relation on
// the object (which simply means the operation is denied). As with
// Authz.Authorize, a non-nil error must be treated as a denial.
CheckPolicy(ctx context.Context, pr PolicyReq) error

// AddPolicy creates a policy for the given subject, so that, after
// AddPolicy, `subject` has a `relation` on `object`. Returns a non-nil
// error in case of failures.
AddPolicy(ctx context.Context, pr PolicyReq) error

// AddPolicies creates policies in bulk, one per entry of prs.
AddPolicies(ctx context.Context, prs []PolicyReq) error

// DeletePolicy removes a policy.
DeletePolicy(ctx context.Context, pr PolicyReq) error

// DeletePolicies removes policies in bulk, one per entry of pr (the
// parameter is a slice despite its singular name).
DeletePolicies(ctx context.Context, pr []PolicyReq) error

// RetrieveObjects returns one page of policy tuples matching pr. The
// returned string is presumably the token for the next page, mirroring
// PolicyPage.NextPageToken in Authz.ListObjects (confirm against the
// implementation); limit caps the page size.
RetrieveObjects(ctx context.Context, pr PolicyReq, nextPageToken string, limit int32) ([]PolicyRes, string, error)

// RetrieveAllObjects returns every policy tuple matching pr, without paging.
RetrieveAllObjects(ctx context.Context, pr PolicyReq) ([]PolicyRes, error)

// RetrieveAllObjectsCount returns the number of policy tuples matching pr.
RetrieveAllObjectsCount(ctx context.Context, pr PolicyReq) (int, error)

// RetrieveSubjects returns one page of subjects matching pr; nextPageToken,
// limit and the returned string are used as in RetrieveObjects.
RetrieveSubjects(ctx context.Context, pr PolicyReq, nextPageToken string, limit int32) ([]PolicyRes, string, error)

// RetrieveAllSubjects returns every subject matching pr, without paging.
RetrieveAllSubjects(ctx context.Context, pr PolicyReq) ([]PolicyRes, error)

// RetrieveAllSubjectsCount returns the number of subjects matching pr.
RetrieveAllSubjectsCount(ctx context.Context, pr PolicyReq) (int, error)
}