package main
import (
	"context"
	"fmt"
	"log"
	"os"

	"github.com/trevex/zanzigo"
	"github.com/trevex/zanzigo/storage/postgres"
)
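// main is the example's entry point. All real work lives in run so that a
// failure is reported through an ordinary error return: the original
// log.Fatalln-in-main pattern calls os.Exit and therefore skips the
// deferred storage.Close, leaving the database connection unreleased.
func main() {
	if err := run(context.Background()); err != nil {
		log.Fatalln(err)
	}
}

// run executes the whole example against the Postgres instance named by
// the DATABASE_URL environment variable: it applies migrations, builds the
// authorization model, writes a few relation tuples and checks two
// permissions. The same ctx is passed to every storage and resolver call
// so a caller can bound or cancel the work. The first error encountered is
// returned, wrapped with the step that produced it.
func run(ctx context.Context) error {
	databaseURL := os.Getenv("DATABASE_URL")
	if databaseURL == "" {
		return fmt.Errorf("DATABASE_URL is not set")
	}
	// NOTE(review): DATABASE_URL normally embeds credentials. It is never
	// logged here on purpose; before surfacing driver errors to a shared log
	// sink, confirm they do not echo the connection string.

	// Migrations first, so the storage backend finds the schema it expects.
	if err := postgres.RunMigrations(databaseURL); err != nil {
		return fmt.Errorf("running migrations: %w", err)
	}

	storage, err := postgres.NewPostgresStorage(databaseURL, postgres.UseFunctions())
	if err != nil {
		return fmt.Errorf("creating postgres storage: %w", err)
	}
	// This defer now actually runs, because errors are returned rather than
	// terminated with log.Fatalln inside this function.
	defer storage.Close()

	// Authorization model:
	//   - users can be members of groups;
	//   - documents are nested in folders via the "parent" relation;
	//   - folder permissions cascade to documents, and owner > editor > viewer.
	// Note that folder:viewer inherits from folder:editor which inherits from
	// folder:owner, so an owner is implicitly an editor and a viewer.
	model, err := zanzigo.NewModel(zanzigo.ObjectMap{
		"user": zanzigo.RelationMap{},
		"group": zanzigo.RelationMap{
			"member": zanzigo.Rule{},
		},
		"folder": zanzigo.RelationMap{
			"owner": zanzigo.Rule{},
			"editor": zanzigo.Rule{
				InheritIf: "owner",
			},
			"viewer": zanzigo.Rule{
				InheritIf: "editor",
			},
		},
		"doc": zanzigo.RelationMap{
			"parent": zanzigo.Rule{},
			// A doc's owner is whoever owns its parent folder.
			"owner": zanzigo.Rule{
				InheritIf:    "owner",
				OfType:       "folder",
				WithRelation: "parent",
			},
			// Editor: direct doc owner, or editor of the parent folder.
			"editor": zanzigo.AnyOf(
				zanzigo.Rule{InheritIf: "owner"},
				zanzigo.Rule{
					InheritIf:    "editor",
					OfType:       "folder",
					WithRelation: "parent",
				},
			),
			// Viewer: direct doc editor, or viewer of the parent folder.
			"viewer": zanzigo.AnyOf(
				zanzigo.Rule{InheritIf: "editor"},
				zanzigo.Rule{
					InheritIf:    "viewer",
					OfType:       "folder",
					WithRelation: "parent",
				},
			),
		},
	})
	if err != nil {
		return fmt.Errorf("building model: %w", err)
	}

	// Relation tuples that set up the scenario. Each one is written
	// separately; the first failure aborts the run.
	tuples := []string{
		// user 'myuser' is a member of group 'mygroup'
		"group:mygroup#member@user:myuser",
		// document 'mydoc' lives in folder 'myfolder'
		"doc:mydoc#parent@folder:myfolder",
		// members of 'mygroup' may view 'myfolder'
		"folder:myfolder#viewer@group:mygroup#member",
	}
	for _, tuple := range tuples {
		if err := storage.Write(ctx, zanzigo.TupleString(tuple)); err != nil {
			return fmt.Errorf("writing tuple %q: %w", tuple, err)
		}
	}

	// NOTE(review): the third argument (16) is presumably a bound on how deep
	// the resolver walks the relation graph — confirm against the zanzigo
	// docs. Such a bound matters: an unbounded walk over user-controlled,
	// possibly cyclic tuples is a denial-of-service vector.
	resolver, err := zanzigo.NewResolver(model, storage, 16)
	if err != nil {
		return fmt.Errorf("creating resolver: %w", err)
	}

	// 'myuser' reaches doc:mydoc#viewer indirectly:
	// group member -> folder viewer -> doc viewer (via parent). Expected: true.
	viewer, err := resolver.Check(ctx, zanzigo.TupleString("doc:mydoc#viewer@user:myuser"))
	if err != nil {
		return fmt.Errorf("checking viewer permission: %w", err)
	}
	log.Printf("The user 'myuser' is viewer of doc 'mydoc': %v", viewer)

	// Nothing grants 'myuser' editor rights on the folder or the doc. Expected: false.
	editor, err := resolver.Check(ctx, zanzigo.TupleString("doc:mydoc#editor@user:myuser"))
	if err != nil {
		return fmt.Errorf("checking editor permission: %w", err)
	}
	log.Printf("The user 'myuser' is editor of doc 'mydoc': %v", editor)

	return nil
}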