racl (rest access control lists)

Motivation

Authorization can be hard, and this project aims to be a simple solution to general authz problems. Mainly, it will provide a standalone binary which can be configured in a simple manner, deployed in a simple manner, and be simple to interface with. In other words, I want to make authorization of generic resources simpler than what is currently out there, and not have to hand-roll authorization per project.

Tools

  • Go
  • sqlc

High Level Design

Taking a note/cue from Hashicorp, the ACLs provided by racl will be implemented around the notion of "capabilities", which are:

  • c: create
  • r: read
  • u: update
  • d: delete
  • a: admin

Each of the capabilities listed above is a single character, and will be returned as such. The 'a'/admin capability encapsulates all c/r/u/d operations, and if it is in the acl it will allow any operation. For instance, if an acl looks like ['r', 'a'], then the entity attached to that acl will have c/r/u/d capabilities on the referenced resource.

Authentication

On the first startup/connection of the application to a database, an API key and secret will be created. They will be written to a file and be cryptographically strong. Therefore, there will be no need to hash the API key/secret, which will make the service more performant than storing the secret as a hashed string.

Operations

All operations shall be authenticated.

API Design

Create an ACL

By default, the entity which creates a resource will have c/r/u/d/a capabilities, unless otherwise specified.

Create an acl with default capabilities

Request:

POST /acl/

{
  "resource": "some resource id",
  "entity": "some entity id"
}

Response:

200 OK

{
  "data": {
    "id": "some uuid",
    "resource": "some resource id",
    "entity": "some entity id",
    "capabilities": ["c", "r", "u", "d", "a"]
  }
}

Create an acl and override default capabilities

Request:

POST /acl/

{
  "resource": "some resource id",
  "entity": "some entity id",
  "capabilities": ["r"]
}

Response:

200 OK

{
  "data": {
    "id": "some uuid",
    "resource": "some resource id",
    "entity": "some entity id",
    "capabilities": ["r"]
  }
}

Updating (or creating) an acl

If you PUT a new resource, then the default will be the admin roles (admin, create, read, update, delete); otherwise, the capabilities provided will be respected. The resourceId MUST be a UUID v4, otherwise a 4XX response will be returned.

Request for resource which exists:

PUT /acl/{entityId}

{
  "resource": "some resource id",
  "capabilities": ["c", "r", "u"]
}

Response for resource which exists:

200 OK

{
  "data": {
    "resource": "some resource id",
    "entity": "some entity id",
    "capabilities": ["c", "r", "u"]
  },
  "meta": {
    "capabilities": {
      "prev": ["r"]
    }
  }
}

Request for resource which does not exist:

PUT /acl/{entityId}

{
  "resource": "some resource id",
  "capabilities": ["c", "r", "u"]
}

Response for resource which does not exist:

201 Created

{
  "data": {
    "resource": "some resource id",
    "entity": "some entity id",
    "capabilities": ["c", "r", "u"]
  },
  "meta": {
    "capabilities": {
      "prev": []
    }
  }
}
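The PUT semantics above (UUID v4 check, admin defaults for a new resource, previous capabilities echoed under meta, 200 vs 201) as an added Go example; this is not the project's own code. It assumes an in-memory map in place of the database, that "default" applies only when a new resource is PUT without capabilities, and that an invalid resource id or capability yields 400.

```go
package main

import (
	"net/http"
	"regexp"
	"strings"
)

// uuidV4 matches the canonical text of a version-4 UUID (version nibble 4, variant 8/9/a/b).
var uuidV4 = regexp.MustCompile(`(?i)^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)

// defaultCaps is applied when a PUT creates a new ACL without capabilities.
var defaultCaps = []string{"c", "r", "u", "d", "a"}

// Store is an in-memory stand-in for the database; keys are {entity, resource}.
type Store struct{ acls map[[2]string][]string }

func NewStore() *Store { return &Store{acls: map[[2]string][]string{}} }

// PutResult mirrors the response body: HTTP status (200 updated, 201 created,
// 400 rejected), the stored capabilities, and the previous ones from meta.
type PutResult struct {
	Status     int
	Caps, Prev []string
}

// Put implements PUT /acl/{entityId}. The resource id must be a UUID v4 and
// each capability one of c/r/u/d/a; a new (entity, resource) pair defaults to
// the admin roles when no capabilities are given; prev is always returned.
func (s *Store) Put(entity, resource string, caps []string) PutResult {
	if !uuidV4.MatchString(resource) {
		return PutResult{Status: http.StatusBadRequest}
	}
	for _, c := range caps {
		if len(c) != 1 || !strings.Contains("cruda", c) {
			return PutResult{Status: http.StatusBadRequest}
		}
	}
	k := [2]string{entity, resource}
	prev, exists := s.acls[k]
	status := http.StatusOK
	if !exists {
		status, prev = http.StatusCreated, []string{} // prev serialises as [] not null
		if len(caps) == 0 {
			caps = defaultCaps
		}
	}
	s.acls[k] = append([]string(nil), caps...) // copy so the caller's slice is not aliased
	return PutResult{Status: status, Caps: s.acls[k], Prev: prev}
}
```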

Query an ACL

Return the capabilities of an entity for a given resource

GET /acl/{entityId}?r={resourceId}

200 OK

{
  "data": {
    "capabilities": ["c", "r", "u", "d"]
  }
}

Return if an operation is permitted for an entity on a resource

GET /acl/{entityId}?r={resourceId}&c=u

200 OK

{
  "data": {
    "allowed": true
  }
}
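The capability semantics from the High Level Design section and the permission query above, as an added Go example (not the project's own code): an ACL is validated to c/r/u/d/a only, 'a' grants every c/r/u/d operation, and ['r', 'a'] expands to the full set. Names such as ParseCapabilities and Allowed are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Capability is one of the single-character capabilities racl returns.
type Capability byte

const (
	Create Capability = 'c'
	Read   Capability = 'r'
	Update Capability = 'u'
	Delete Capability = 'd'
	Admin  Capability = 'a'
)

// ParseCapabilities validates an ACL such as ["r", "a"] and returns it as a
// set. Anything that is not exactly one of c/r/u/d/a is rejected, which is
// the check a server should run on a request body before storing it.
func ParseCapabilities(acl []string) (map[Capability]bool, error) {
	set := make(map[Capability]bool, len(acl))
	for _, s := range acl {
		if len(s) != 1 || !strings.ContainsRune("cruda", rune(s[0])) {
			return nil, fmt.Errorf("invalid capability %q", s)
		}
		set[Capability(s[0])] = true
	}
	return set, nil
}

// Allowed answers GET /acl/{entityId}?r=...&c=<op>: 'a' encapsulates every
// c/r/u/d operation, otherwise the operation must be listed explicitly.
func Allowed(set map[Capability]bool, op Capability) bool {
	return set[Admin] || set[op]
}

// Effective expands an ACL as the text describes: ["r", "a"] yields
// c/r/u/d/a, the full set of operations the entity may perform.
func Effective(set map[Capability]bool) []string {
	var out []string
	for _, c := range []Capability{Create, Read, Update, Delete, Admin} {
		if Allowed(set, c) {
			out = append(out, string(c))
		}
	}
	return out
}
```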

Remove an acl for an entity

This will only respect the "delete" and "admin" capabilities.

Request to delete an entity attached to a resource:

DELETE /acl/{entityId}

{
  "resource": "some resource id"
}

Response to delete an entity attached to a resource:

200 OK

{
  "data": {
    "entity": "some entity id",
    "resource": "some resource id"
  }
}

Remove a resource

This operation also removes all the entity ACLs that reference the resource.

Request to delete a resource

DELETE /resource/{resourceId}

Response to delete a resource

200 OK

{
  "data": {
    "resource": "some resource id"
  }
}
Owner
Brent Soles