Mainflux.mainflux/auth/policies.go

// Copyright (c) Mainflux
// SPDX-License-Identifier: Apache-2.0

package auth

import (
	"context"
)

// PolicyReq represents an argument struct for making a policy related
// function calls.
type PolicyReq struct {
	Subject  string
	Object   string
	Relation string
}

// Authz represents a authorization service. It exposes
// functionalities through `auth` to perform authorization.
type Authz interface {
	// Authorize checks authorization of the given `subject`. Basically,
	// Authorize verifies that Is `subject` allowed to `relation` on
	// `object`. Authorize returns a non-nil error if the subject has
	// no relation on the object (which simply means the operation is
	// denied).
	Authorize(ctx context.Context, pr PolicyReq) error

	// AddPolicy creates a policy for the given subject, so that, after
	// AddPolicy, `subject` has a `relation` on `object`. Returns a non-nil
	// error in case of failures.
	AddPolicy(ctx context.Context, pr PolicyReq) error

	// AddPolicies adds new policies for given subjects. This method is
	// only allowed to use as an admin.
	AddPolicies(ctx context.Context, token, object string, subjectIDs, relations []string) error

	// DeletePolicy removes a policy.
	DeletePolicy(ctx context.Context, pr PolicyReq) error
}

// PolicyAgent facilitates the communication to authorization
// services and implements Authz functionalities for certain
// authorization services (e.g. ORY Keto).
type PolicyAgent interface {
	// CheckPolicy checks if the subject has a relation on the object.
	// It returns a non-nil error if the subject has no relation on
	// the object (which simply means the operation is denied).
	CheckPolicy(ctx context.Context, pr PolicyReq) error

	// AddPolicy creates a policy for the given subject, so that, after
	// AddPolicy, `subject` has a `relation` on `object`. Returns a non-nil
	// error in case of failures.
	AddPolicy(ctx context.Context, pr PolicyReq) error

	// DeletePolicy removes a policy.
	DeletePolicy(ctx context.Context, pr PolicyReq) error
}
MF-1443 - Add policies (#1482) * MF-1443 - add policies Signed-off-by: Burak Sekili <buraksekili@gmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * fix users create Signed-off-by: Burak Sekili <buraksekili@gmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * MF-1454 - Add Policies for sharing a Thing (#1463) * MF-1454 - Add policies for sharing a Thing Signed-off-by: Burak Sekili <buraksekili@gmail.com> * Add a test case for sharing thing and update mock of AddPolicy Signed-off-by: Burak Sekili <buraksekili@gmail.com> * Update ShareThing parameter naming Signed-off-by: Burak Sekili <buraksekili@gmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * MF-1454 - Policy Removal (#1466) * Add DeletePolicy gRPC endpoint in auth package Signed-off-by: Burak Sekili <buraksekili@gmail.com> * Update default admin creation Signed-off-by: Burak Sekili <buraksekili@gmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * NOISSUE - Add policy addition endpoint (#1479) * NOISSUE - Add policy addition endpoint Signed-off-by: Burak Sekili <buraksekili@gmail.com> * Update name of the method Signed-off-by: Burak Sekili <buraksekili@gmail.com> remove build tag Signed-off-by: Burak Sekili <buraksekili@gmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * NOISSUE - Add tests for AddPolicies (#1480) * NOISSUE - Add tests for adding policy and update authz check Signed-off-by: Burak Sekili <buraksekili@gmail.com> * Add more tests and update request body validation Signed-off-by: Burak Sekili <buraksekili@gmail.com> * Update test case structure and utilize mock prefix for test ids Signed-off-by: Burak Sekili <buraksekili@gmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * MF-1454 - Add initial policies for Group access control (#1467) Signed-off-by: Burak Sekili <buraksekili@gmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * Resolve PR comments Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> Co-authored-by: Author: Burak Sekili <buraksekili@gmail.com> 2021-10-27 00:38:28 +02:00			`// Copyright (c) Mainflux`
			`// SPDX-License-Identifier: Apache-2.0`

			`package auth`

			`import (`
			`"context"`
			`)`

			`// PolicyReq represents an argument struct for making a policy related`
			`// function calls.`
			`type PolicyReq struct {`
			`Subject string`
			`Object string`
			`Relation string`
			`}`

			`// Authz represents a authorization service. It exposes`
			// functionalities through `auth` to perform authorization.
			`type Authz interface {`
			// Authorize checks authorization of the given `subject`. Basically,
			// Authorize verifies that Is `subject` allowed to `relation` on
			// `object`. Authorize returns a non-nil error if the subject has
			`// no relation on the object (which simply means the operation is`
			`// denied).`
			`Authorize(ctx context.Context, pr PolicyReq) error`

			`// AddPolicy creates a policy for the given subject, so that, after`
			// AddPolicy, `subject` has a `relation` on `object`. Returns a non-nil
			`// error in case of failures.`
			`AddPolicy(ctx context.Context, pr PolicyReq) error`

			`// AddPolicies adds new policies for given subjects. This method is`
			`// only allowed to use as an admin.`
			`AddPolicies(ctx context.Context, token, object string, subjectIDs, relations []string) error`

			`// DeletePolicy removes a policy.`
			`DeletePolicy(ctx context.Context, pr PolicyReq) error`
			`}`

			`// PolicyAgent facilitates the communication to authorization`
			`// services and implements Authz functionalities for certain`
			`// authorization services (e.g. ORY Keto).`
			`type PolicyAgent interface {`
			`// CheckPolicy checks if the subject has a relation on the object.`
			`// It returns a non-nil error if the subject has no relation on`
			`// the object (which simply means the operation is denied).`
			`CheckPolicy(ctx context.Context, pr PolicyReq) error`

			`// AddPolicy creates a policy for the given subject, so that, after`
			// AddPolicy, `subject` has a `relation` on `object`. Returns a non-nil
			`// error in case of failures.`
			`AddPolicy(ctx context.Context, pr PolicyReq) error`

			`// DeletePolicy removes a policy.`
			`DeletePolicy(ctx context.Context, pr PolicyReq) error`
			`}`