AuthorizationEngine is the SPI for a ReBAC authorization backend. All decision methods (Check, BatchCheck, ListObjects) must be treated as fail-closed at the call site: callers must treat a non-nil error as a deny and never as an allow. Identifiers follow OpenFGA conventions ("type:id" for objects and users, bare relation names, and "type:id#relation" for usersets).
| 111 | // |
| 112 | // Implementations are expected to be safe for concurrent use. |
| 113 | type AuthorizationEngine interface { |
// Check reports whether user is related to object via relation. Optional
// contextual tuples are evaluated for this call only and are not persisted.
// Contextual tuples are treated as if they were stored tuples for the
// duration of the evaluation, so they must come from trusted server-side
// context (e.g. attributes the service itself derived for the request) and
// never be forwarded verbatim from the principal being authorized — a
// caller-controlled tuple is a self-issued grant.
// Returns (false, err) on engine error; callers must fail closed. Do not
// cache a (false, err) result as a decision: it is an outage, not a deny.
Check(ctx context.Context, user, relation, object string, ctxTuples ...ContextualTuple) (bool, error)
| 118 | |
// BatchCheck evaluates multiple CheckRequests. The returned slice is
// positionally aligned with the input: result[i] answers requests[i]. An
// error indicates a whole-batch failure; callers must fail closed for every
// request in the batch.
// Callers should also verify len(results) == len(requests) when err == nil
// and treat any mismatch as a deny for the whole batch; a missing entry is
// never an implicit allow. NOTE(review): CheckResult is declared elsewhere —
// if it carries a per-request error or "unknown" state, that too must map to
// deny; confirm against the type definition.
BatchCheck(ctx context.Context, requests []CheckRequest) ([]CheckResult, error)
| 124 | |
// ListObjects returns the IDs of objects of type objType to which user is
// related via relation. This is the RAG/pre-filter primitive and is an
// expensive enumeration surface — callers must paginate, cap, and
// rate-limit. Returned IDs are fully qualified ("document:1").
// NOTE(review): the signature carries no page token or limit (contrast
// ReadTuples), so "paginate/cap" can only be enforced by an implementation-
// side bound or by truncating the returned slice after the engine has
// already enumerated — confirm which the backend does.
// The result is a point-in-time snapshot; a pre-filtered set that is cached
// or reused should not stand in for a per-object Check on sensitive reads.
// On a non-nil error callers must fail closed (return no objects), never
// fall back to an unfiltered retrieval.
ListObjects(ctx context.Context, user, relation, objType string) ([]string, error)
| 130 | |
// ListUsers returns the fully qualified user IDs (e.g. "user:alice") of type
// userType that have relation on object. It is the inverse of ListObjects:
// "who can access this object?". This is a powerful enumeration surface that
// reveals the access graph — callers must admin-gate, cap and audit. Returned
// users are fully qualified ("user:alice").
// NOTE(review): as with ListObjects there is no limit parameter, so any cap
// applied by the caller happens after the backend has done the full
// enumeration; the cost and the disclosure both occur engine-side. The
// returned IDs are personal data in most deployments — do not log them at
// default levels.
ListUsers(ctx context.Context, object, relation, userType string) ([]string, error)
| 137 | |
// Expand returns the OpenFGA relationship/userset tree for (relation, object)
// rendered as a JSON string. This is the explainability/"why" primitive: it
// shows how a relation resolves (direct assignments, usersets, computed
// relations). It reveals the access graph and must be admin-gated.
// Because the tree includes the direct assignments, the JSON contains user
// identifiers; it must not be echoed into end-user-facing error messages or
// UI. The JSON schema is backend-defined and not guaranteed stable by this
// interface — consumers should parse defensively rather than by position.
Expand(ctx context.Context, relation, object string) (string, error)
| 143 | |
// WriteTuples persists the given relationship tuples. It is additive;
// duplicate writes may error depending on the backend.
// Every tuple written is an access grant that subsequent decisions will
// honor, so callers must authorize the writer against the target object (not
// merely authenticate them) and audit-log the write, to the same standard
// WriteModel asks for. NOTE(review): whether a failing batch is applied
// atomically or partially is not specified here and is backend-dependent —
// confirm before relying on all-or-nothing semantics.
WriteTuples(ctx context.Context, tuples []TupleKey) error
| 147 | |
// DeleteTuples removes the given relationship tuples. Deleting a
// non-existent tuple may error depending on the backend.
// This is the revocation path: it must be gated and audited like WriteTuples.
// NOTE(review): callers implementing idempotent revocation need to tell
// "already absent" apart from a real failure, and this interface defines no
// sentinel for that — confirm what the backend returns. Revocation is only
// effective once the backend (and any caller-side decision cache) reflects
// the delete; do not report success to the revoker before the call returns
// nil.
DeleteTuples(ctx context.Context, tuples []TupleKey) error
| 151 | |
// ReadTuples returns a page of persisted tuples matching the filter, plus a
// continuation token. It is an enumeration surface — always paginate.
// It exposes the raw access graph and should be gated like ListUsers/Expand.
// Treat the continuation token as opaque; if it is ever handed to a client,
// bind it to the same principal and filter on the next call, otherwise a
// replayed token could page through tuples outside the originally
// authorized scope.
ReadTuples(ctx context.Context, filter ReadTuplesFilter) (*ReadTuplesResult, error)
| 155 | |
// WriteModel installs a new authorization model from its DSL form and
// returns the backend-assigned model ID. Writing a model is powerful (a
// single edit can re-grant broadly) and must be admin-gated, audited, and
// staged by callers.
// A model change reinterprets every existing tuple: removing or renaming a
// relation can silently widen or strand access. Callers should validate the
// DSL and exercise representative Check cases against the new model before
// switching traffic to it. NOTE(review): whether the written model becomes
// the active one (as reported by ReadModel) immediately is backend-dependent
// — confirm.
WriteModel(ctx context.Context, dsl string) (string, error)
| 161 | |
// ReadModel returns the currently active authorization model: its
// backend-assigned id and its DSL rendering.
// The DSL is the policy itself and reveals the type/relation structure
// attackers would use to target grants; restrict it to operators rather than
// exposing it on general-purpose endpoints. Record the returned id in audit
// events for decisions and writes so incidents can be tied to the model that
// was active at the time.
ReadModel(ctx context.Context) (id string, dsl string, err error)
| 165 | |
| 166 | // TypeRelations returns, for every object type in the active model, the |
| 167 | // relation names defined on it (type -> sorted relation names). Types with |
| 168 | // no relations are omitted. It powers "list everything this subject can |
| 169 | // access" enumeration. Returns ErrNoModel (wrapped) when no model has been |
| 170 | // written yet. |