abac/sql_policy_engine.go

package abac

type SQLPolicyEngine struct {
    store *SQLiteStore
}

func NewSQLPolicyEngine(store *SQLiteStore) *SQLPolicyEngine {
    return &SQLPolicyEngine{store: store}
}

func (e *SQLPolicyEngine) EvaluatePolicy(userID, resourceID, action string) (PolicyDecision, error) {
    userAttributes, err := e.store.GetUserAttributes(userID)
    if err != nil {
        return Deny, err
    }

    resourceAttributes, err := e.store.GetResourceAttributes(resourceID)
    if err != nil {
        return Deny, err
    }

    rows, err := e.store.db.Query(`
        SELECT effect, condition_attribute_key, condition_attribute_value, condition_attribute_type
        FROM policies
        WHERE action = ?;
    `, action)
    if err != nil {
        return Deny, err
    }
    defer rows.Close()

    var allowPolicyFound bool = false
    for rows.Next() {
        var effect string
        var conditionAttributeKey string
        var conditionAttributeValue string
        var conditionAttributeType string

        err = rows.Scan(&effect, &conditionAttributeKey, &conditionAttributeValue)
        if err != nil {
            return Deny, err
        }

        var hasAttribute bool = false
        if conditionAttributeType == "user" {
            hasAttribute = checkAttributes(userAttributes, conditionAttributeKey, conditionAttributeValue)
        } else if conditionAttributeType == "resource" {
            hasAttribute = checkAttributes(resourceAttributes, conditionAttributeKey, conditionAttributeValue)
        }

        if effect == "Deny" && hasAttribute {
            return Deny, nil
        } else if effect == "Allow" && hasAttribute {
            allowPolicyFound = true
        }
    }

    if allowPolicyFound {
        return Allow, nil
    }

    return Deny, nil
}

func checkAttributes(attributes []Attribute, key, value string) bool {
    for _, attribute := range attributes {
        if attribute.Key == key && attribute.Value == value {
            return true
        }
    }

    return false
}
feat: Initial implementation of an attribute based authentication system 2024-12-26 06:43:25 +00:00			`package abac`

			`type SQLPolicyEngine struct {`
			`store *SQLiteStore`
			`}`

			`func NewSQLPolicyEngine(store SQLiteStore) SQLPolicyEngine {`
			`return &SQLPolicyEngine{store: store}`
			`}`

			`func (e *SQLPolicyEngine) EvaluatePolicy(userID, resourceID, action string) (PolicyDecision, error) {`
			`userAttributes, err := e.store.GetUserAttributes(userID)`
			`if err != nil {`
			`return Deny, err`
			`}`

			`resourceAttributes, err := e.store.GetResourceAttributes(resourceID)`
			`if err != nil {`
			`return Deny, err`
			`}`

			rows, err := e.store.db.Query(`
			`SELECT effect, condition_attribute_key, condition_attribute_value, condition_attribute_type`
			`FROM policies`
			`WHERE action = ?;`
			`, action)
			`if err != nil {`
			`return Deny, err`
			`}`
			`defer rows.Close()`

			`var allowPolicyFound bool = false`
			`for rows.Next() {`
			`var effect string`
			`var conditionAttributeKey string`
			`var conditionAttributeValue string`
			`var conditionAttributeType string`

			`err = rows.Scan(&effect, &conditionAttributeKey, &conditionAttributeValue)`
			`if err != nil {`
			`return Deny, err`
			`}`

			`var hasAttribute bool = false`
			`if conditionAttributeType == "user" {`
			`hasAttribute = checkAttributes(userAttributes, conditionAttributeKey, conditionAttributeValue)`
			`} else if conditionAttributeType == "resource" {`
			`hasAttribute = checkAttributes(resourceAttributes, conditionAttributeKey, conditionAttributeValue)`
			`}`

			`if effect == "Deny" && hasAttribute {`
			`return Deny, nil`
			`} else if effect == "Allow" && hasAttribute {`
			`allowPolicyFound = true`
			`}`
			`}`

			`if allowPolicyFound {`
			`return Allow, nil`
			`}`

			`return Deny, nil`
			`}`

			`func checkAttributes(attributes []Attribute, key, value string) bool {`
			`for _, attribute := range attributes {`
			`if attribute.Key == key && attribute.Value == value {`
			`return true`
			`}`
			`}`

			`return false`
			`}`