MCPcopy Index your code
hub / github.com/ory/ladon

github.com/ory/ladon @v1.3.0 sqlite

repository ↗ · DeepWiki ↗ · release v1.3.0 ↗
180 symbols 421 edges 40 files 118 documented · 66% 1 cross-repo links
README

ORY Ladon - Policy-based Access Control

Join the chat at https://www.ory.sh/chat Join newsletter

Build Status Coverage Status Go Report Card GoDoc

Ladon is the serpent dragon protecting your resources.

Ladon is a library written in Go for access control policies, similar to Role Based Access Control or Access Control Lists. In contrast to ACL and RBAC you get fine-grained access control with the ability to answer questions in complex environments such as multi-tenant or distributed applications and large organizations. Ladon is inspired by AWS IAM Policies.

Ladon officially ships with an exemplary in-memory storage implementations. Community-supported adapters are available for CockroachDB.

Ladon is now considered stable.


ORY builds solutions for better internet security and accessibility. We have a couple more projects you might enjoy:

  • Hydra, a security-first open source OAuth2 and OpenID Connect server for new and existing infrastructures that uses Ladon for access control.
  • ORY Editor, an extensible, modern WYSI editor for the web written in React.
  • Fosite, an extensible security first OAuth 2.0 and OpenID Connect SDK for Go.
  • Dockertest: Write better integration tests with dockertest!

Table of Contents

Ladon utilizes ory-am/dockertest for tests. Please refer to ory-am/dockertest for more information of how to setup testing environment.

Installation

This library works with Go 1.11+.

export GO111MODULE=on
go get github.com/ory/ladon

Ladon uses semantic versioning and versions beginning with zero (0.1.2) might introduce backwards compatibility breaks with each minor version.

Concepts

Ladon is an access control library that answers the question:

Who is able to do what on something given some context

  • Who: An arbitrary unique subject name, for example "ken" or "printer-service.mydomain.com".
  • Able: The effect which can be either "allow" or "deny".
  • What: An arbitrary action name, for example "delete", "create" or "scoped:action:something".
  • Something: An arbitrary unique resource name, for example "something", "resources.articles.1234" or some uniform resource name like "urn:isbn:3827370191".
  • Context: The current context containing information about the environment such as the IP Address, request date, the resource owner name, the department ken is working in or any other information you want to pass along. (optional)

To decide what the answer is, Ladon uses policy documents which can be represented as JSON

{
  "description": "One policy to rule them all.",
  "subjects": ["users:<peter|ken>", "users:maria", "groups:admins"],
  "actions" : ["delete", "<create|update>"],
  "effect": "allow",
  "resources": [
    "resources:articles:<.*>",
    "resources:printer"
  ],
  "conditions": {
    "remoteIP": {
        "type": "CIDRCondition",
        "options": {
            "cidr": "192.168.0.1/16"
        }
    }
  }
}

and can answer access requests that look like:

{
  "subject": "users:peter",
  "action" : "delete",
  "resource": "resources:articles:ladon-introduction",
  "context": {
    "remoteIP": "192.168.0.5"
  }
}

However, Ladon does not come with a HTTP or server implementation. It does not restrict JSON either. We believe that it is your job to decide if you want to use Protobuf, RESTful, HTTP, AMQP, or some other protocol. It's up to you to write the server!

The following example should give you an idea what a RESTful flow could look like. Initially we create a policy by POSTing it to an artificial HTTP endpoint:

> curl \
      -X POST \
      -H "Content-Type: application/json" \
      -d@- \
      "https://my-ladon-implementation.localhost/policies" <<EOF
        {
          "description": "One policy to rule them all.",
          "subjects": ["users:<peter|ken>", "users:maria", "groups:admins"],
          "actions" : ["delete", "<create|update>"],
          "effect": "allow",
          "resources": [
            "resources:articles:<.*>",
            "resources:printer"
          ],
          "conditions": {
            "remoteIP": {
                "type": "CIDRCondition",
                "options": {
                    "cidr": "192.168.0.1/16"
                }
            }
          }
        }
  EOF

Then we test if "peter" (ip: "192.168.0.5") is allowed to "delete" the "ladon-introduction" article:

> curl \
      -X POST \
      -H "Content-Type: application/json" \
      -d@- \
      "https://my-ladon-implementation.localhost/warden" <<EOF
        {
          "subject": "users:peter",
          "action" : "delete",
          "resource": "resources:articles:ladon-introduction",
          "context": {
            "remoteIP": "192.168.0.5"
          }
        }
  EOF

{
    "allowed": true
}

Usage

We already discussed two essential parts of Ladon: policies and access control requests. Let's take a closer look at those two.

Policies

Policies are the basis for access control decisions. Think of them as a set of rules. In this library, policies are abstracted as the ladon.Policy interface, and Ladon comes with a standard implementation of this interface which is ladon.DefaultPolicy. Creating such a policy could look like:

import "github.com/ory/ladon"

var pol = &ladon.DefaultPolicy{
    // A required unique identifier. Used primarily for database retrieval.
    ID: "68819e5a-738b-41ec-b03c-b58a1b19d043",

    // A optional human readable description.
    Description: "something humanly readable",

    // A subject can be an user or a service. It is the "who" in "who is allowed to do what on something".
    // As you can see here, you can use regular expressions inside < >.
    Subjects: []string{"max", "peter", "<zac|ken>"},

    // Which resources this policy affects.
    // Again, you can put regular expressions in inside < >.
    Resources: []string{
            "myrn:some.domain.com:resource:123", "myrn:some.domain.com:resource:345",
            "myrn:something:foo:<.+>", "myrn:some.domain.com:resource:<(?!protected).*>",
            "myrn:some.domain.com:resource:<[[:digit:]]+>",
        },

    // Which actions this policy affects. Supports RegExp
    // Again, you can put regular expressions in inside < >.
    Actions: []string{"<create|delete>", "get"},

    // Should access be allowed or denied?
    // Note: If multiple policies match an access request, ladon.DenyAccess will always override ladon.AllowAccess
    // and thus deny access.
    Effect: ladon.AllowAccess,

    // Under which conditions this policy is "active".
    Conditions: ladon.Conditions{
        // In this example, the policy is only "active" when the requested subject is the owner of the resource as well.
        "resourceOwner": &ladon.EqualsSubjectCondition{},

        // Additionally, the policy will only match if the requests remote ip address matches address range 127.0.0.1/32
        "remoteIPAddress": &ladon.CIDRCondition{
            CIDR: "127.0.0.1/32",
        },
    },
}

Conditions

Conditions are functions returning true or false given a context. Because conditions implement logic, they must be programmed. Adding conditions to a policy consist of two parts, a key name and an implementation of ladon.Condition:

// StringEqualCondition is an exemplary condition.
type StringEqualCondition struct {
    Equals string `json:"equals"`
}

// Fulfills returns true if the given value is a string and is the
// same as in StringEqualCondition.Equals
func (c *StringEqualCondition) Fulfills(value interface{}, _ *ladon.Request) bool {
    s, ok := value.(string)

    return ok && s == c.Equals
}

// GetName returns the condition's name.
func (c *StringEqualCondition) GetName() string {
    return "StringEqualCondition"
}

var pol = &ladon.DefaultPolicy{
    // ...
    Conditions: ladon.Conditions{
        "some-arbitrary-key": &StringEqualCondition{
            Equals: "the-value-should-be-this"
        }
    },
}

The default implementation of Policy supports JSON un-/marshalling. In JSON, this policy would look like:

{
  "conditions": {
    "some-arbitrary-key": {
        "type": "StringEqualCondition",
        "options": {
            "equals": "the-value-should-be-this"
        }
    }
  }
}

As you can see, type is the value that StringEqualCondition.GetName() is returning and options is used to set the value of StringEqualCondition.Equals.

This condition is fulfilled by (we will cover the warden in the next section)

var err = warden.IsAllowed(&ladon.Request{
    // ...
    Context: ladon.Context{
        "some-arbitrary-key": "the-value-should-be-this",
    },
}

but not by

var err = warden.IsAllowed(&ladon.Request{
    // ...
    Context: ladon.Context{
        "some-arbitrary-key": "some other value",
    },
}

and neither by:

var err = warden.IsAllowed(&ladon.Request{
    // ...
    Context: ladon.Context{
        "same value but other key": "the-value-should-be-this",
    },
}

Ladon ships with a couple of default conditions:

CIDR Condition

The CIDR condition matches CIDR IP Ranges. Using this condition would look like this in JSON:

{
    "conditions": {
        "remoteIPAddress": {
            "type": "CIDRCondition",
            "options": {
                "cidr": "192.168.0.1/16"
            }
        }
    }
}

and in Go:

var pol = &ladon.DefaultPolicy{
    Conditions: ladon.Conditions{
        "remoteIPAddress": &ladon.CIDRCondition{
            CIDR: "192.168.0.1/16",
        },
    },
}

In this case, we expect that the context of an access request contains a field "remoteIpAddress" matching the CIDR "192.168.0.1/16", for example "192.168.0.5".

String Equal Condition

Checks if the value passed in the access request's context is identical with the string that was given initially

var pol = &ladon.DefaultPolicy{
    Conditions: ladon.Conditions{
        "some-arbitrary-key": &ladon.StringEqualCondition{
            Equals: "the-value-should-be-this"
        }
    },
}

and would match in the following case:

var err = warden.IsAllowed(&ladon.Request{
    // ...
    Context: ladon.Context{
         "some-arbitrary-key": "the-value-should-be-this",
    },
}
Boolean Condition

Checks if the boolean value passed in the access request's context is identical with the expected boolean value in the policy

var pol = &ladon.DefaultPolicy{
    Conditions: ladon.Conditions{
        "some-arbitrary-key": &ladon.BooleanCondition{
            BooleanValue: true,
        }
    },
}

and would match in the following case:

var err = warden.IsAllowed(&ladon.Request{
    // ...
    Context: ladon.Context{
        "some-arbitrary-key": true,
    },
})

This condition type is particularly useful if you need to assert a policy dynamically on resources for multiple subjects. For example, consider if you wanted to enforce policy that only allows individuals that own a resource to view that resource. You'd have to be able to create a Ladon policy that permits access to every resource for every subject that enters your system.

With the Boolean Condition type, you can use conditional logic at runtime to create a match for a policy's condition.

String Match Condition

Checks if the value passed in the access request's conte

Extension points exported contracts — how you extend this code

Condition (Interface)
Condition either do or do not fulfill an access request. [7 implementers]
condition.go
Manager (Interface)
Manager is responsible for managing and persisting policies. [3 implementers]
manager.go
AuditLogger (Interface)
AuditLogger tracks denied and granted authorizations. [2 implementers]
audit_logger.go
Warden (Interface)
Warden is responsible for deciding if subject s can perform action a on resource r with context c. [1 implementers]
warden.go
Metric (Interface)
Metric is used to expose metrics about authz [1 implementers]
metric.go
Policy (Interface)
Policy represent a policy model. [1 implementers]
policy.go
ManagerMigrator (Interface)
(no doc)
manager_migrator.go

Core symbols most depended-on inside this repo

GetID
called by 24
policy.go
FindRequestCandidates
called by 10
manager.go
Get
called by 9
manager.go
Create
called by 8
manager.go
GetName
called by 8
condition.go
metric
called by 7
ladon.go
IsAllowed
called by 7
ladon.go
GetAll
called by 5
manager.go

Shape

Method 111
Function 38
Struct 20
Interface 8
TypeAlias 3

Languages

Go100%

Modules by API surface

policy.go27 symbols
manager_mock_test.go20 symbols
manager/memory/manager_memory.go11 symbols
manager.go9 symbols
condition.go8 symbols
ladon.go7 symbols
errors.go7 symbols
policy_test.go6 symbols
manager_helper_test.go6 symbols
metric_noop.go5 symbols
metric.go5 symbols
matcher_regexp.go5 symbols

Used by 1 indexed graphs manifest dependencies, hub-wide

Dependencies from manifests, versioned

github.com/dlclark/regexp2v1.2.0 · 1×
github.com/golang/mockv1.6.0 · 1×
github.com/ory/paginationv0.0.1 · 1×
github.com/pborman/uuidv1.2.0 · 1×
github.com/pmezard/go-difflibv1.0.0 · 1×

For agents

$ claude mcp add ladon \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact