Add basic Authorization.

Added basic interface for authorizer implementations. Added default "authorize everything" and "authorize nothing implementations. Added authorization check immediately after authentication check. Added an integration test of authorization at the HTTP level of abstraction.
2025-09-15 06:01:50 +00:00 · 2014-10-16 14:18:16 -07:00
parent 893291d81d
commit 55c2d6bbbb
9 changed files with 433 additions and 4 deletions
--- a/pkg/auth/authorizer/interfaces.go
+++ b/pkg/auth/authorizer/interfaces.go
@@ -0,0 +1,30 @@
+/*
+Copyright 2014 Google Inc. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authorizer
+
+// Attributes is an interface used by an Authorizer to get information about a request
+// that is used to make an authorization decision.
+type Attributes interface {
+	// TODO: add attribute getter functions, e.g. GetUserName(), per #1430.
+}
+
+// Authorizer makes an authorization decision based on information gained by making
+// zero or more calls to methods of the Attributes interface.  It returns nil when an action is
+// authorized, otherwise it returns an error.
+type Authorizer interface {
+	Authorize(a Attributes) (err error)
+}