-
Notifications
You must be signed in to change notification settings - Fork 2
/
rbac.go
67 lines (54 loc) · 3.22 KB
/
rbac.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
// Copyright 2014 Daniel Akiva
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package nogo
// Represents a specific capability defined by the system or mode of resource access that can be granted to Principals by way of Role assignment or resource ACLs.
type Permission int
// Represents a user of the system. A principal simply has an ID and 0 or more roles. The principal's authorization is defined by the set of roles associated to the principal.
type Principal interface {
// Returns the ID of the principal. This is generally an ID assigned by the system to uniquely identify the user. Must not return an empty value.
GetId() string
// Returns the security identifier of the principal. This value is used in mapping access controls.
GetSid() string
// Returns a slice of distinct role names granting the principal authorized access to specific system capabilities. May return an empty value.
GetRoleNames() []string
}
// A role is a named set of permissions authorizing a principal access to specific capabilities defined by the system or modes of access to data managed by the system.
type Role interface {
// Returns the unique name of the Role. Must not return an empty value.
GetName() string
// Returns true if this Role is considered an administrator. Administrators are generally a unique case, in that they have access to everything in the system. For the majority of roles, the value returned should be false. This flag is useful when evaluating access to resources. Administrators often have full access to all resources.
IsAdmin() bool
// Returns true if the Role contains the following permission. If IsAdmin returns true, implementations may choose to simply bypass calling this function, allowing admins full access. Returns an error if an error occurs while resolving the permission.
HasPermission(permission Permission) (bool, error)
}
// Creates a new regular role (non admin) with a specific set of permissions
func NewRole(name string, mask Permission) Role {
return &defaultRole{RoleName: name, PermissionMask: mask, Admin: false}
}
// Creates a new admin role. The application may or may not automatically allow an admin every permission, so define a permission mask accordingly.
func NewAdminRole(name string, mask Permission) Role {
return &defaultRole{RoleName: name, PermissionMask: mask, Admin: true}
}
type defaultRole struct {
RoleName string `db:"role_name"`
PermissionMask Permission `db:"permission_mask"`
Admin bool `db:"is_admin"`
}
func (this *defaultRole) GetName() string {
return this.RoleName
}
func (this *defaultRole) IsAdmin() bool {
return this.Admin
}
func (this *defaultRole) HasPermission(permission Permission) (bool, error) {
val := (this.PermissionMask&permission != 0)
return val, nil
}