Authorize is the intended function to be used outside this package. It returns `nil` if the subject is authorized to perform the action on the object. If an error is returned, the authorization is denied.
(ctx context.Context, subject Subject, action policy.Action, object Object)
| 413 | // the object. |
| 414 | // If an error is returned, the authorization is denied. |
| 415 | func (a RegoAuthorizer) Authorize(ctx context.Context, subject Subject, action policy.Action, object Object) error { |
| 416 | if a.strict { |
| 417 | if err := object.ValidAction(action); err != nil { |
| 418 | return xerrors.Errorf("strict authz check: %w", err) |
| 419 | } |
| 420 | } |
| 421 | |
| 422 | start := time.Now() |
| 423 | ctx, span := tracing.StartSpan(ctx, |
| 424 | trace.WithTimestamp(start), // Reuse the time.Now for metric and trace |
| 425 | rbacTraceAttributes(subject, action, object.Type, |
| 426 | // For authorizing a single object, this data is useful to know how |
| 427 | // complex our objects are getting. |
| 428 | attribute.Int("object_num_groups", len(object.ACLGroupList)), |
| 429 | attribute.Int("object_num_users", len(object.ACLUserList)), |
| 430 | ), |
| 431 | ) |
| 432 | defer span.End() |
| 433 | |
| 434 | err := a.authorize(ctx, subject, action, object) |
| 435 | authorized := err == nil |
| 436 | span.SetAttributes(attribute.Bool("authorized", authorized)) |
| 437 | |
| 438 | dur := time.Since(start) |
| 439 | if !authorized { |
| 440 | a.authorizeHist.WithLabelValues("false").Observe(dur.Seconds()) |
| 441 | return err |
| 442 | } |
| 443 | |
| 444 | a.authorizeHist.WithLabelValues("true").Observe(dur.Seconds()) |
| 445 | return nil |
| 446 | } |
| 447 | |
| 448 | // authorize is the internal function that does the actual authorization. |
| 449 | // It is a different function so the exported one can add tracing + metrics. |
nothing calls this directly
no test coverage detected