Authorizer Client
AuthorizerClient is the low-level interface that talks to the Aserto authorization API. It can be used on its own to make authorization requests or, more commonly, to create authorization middleware.
Create a Client
import (
	"log"

	"github.com/aserto-dev/go-aserto"
	"github.com/aserto-dev/go-aserto/az"
)
...
// Create a client that authenticates to the authorizer with an API key.
// Read the key from the environment or a secrets store rather than
// hard-coding it in source.
azClient, err := az.New(
	aserto.WithAPIKeyAuth("<Aserto authorizer API key>"),
	aserto.WithTenantID("<Aserto tenant ID>"),
)
if err != nil {
	log.Fatal("Failed to create authorizer client:", err)
}
defer azClient.Close()
Make Authorization Calls
Using an authorizer client we can call the Is() API to check whether a user is authorized to perform an operation.
import (
	"context"
	"fmt"
	"log"

	"google.golang.org/protobuf/types/known/structpb"

	"github.com/aserto-dev/go-authorizer/aserto/authorizer/v2"
	"github.com/aserto-dev/go-authorizer/aserto/authorizer/v2/api"
)
...
ctx := context.Background()

// Information about the resource being accessed can be sent
// to the authorizer as a JSON object.
resource, err := structpb.NewStruct(map[string]any{
	"id": "aprils@acmecorp.com",
})
if err != nil {
	log.Fatalf("failed to create resource: %v", err)
}

result, err := azClient.Is(ctx, &authorizer.IsRequest{
	IdentityContext: &api.IdentityContext{ // The user performing the operation, identified by subject ID.
		Type:     api.IdentityType_IDENTITY_TYPE_SUB,
		Identity: "username",
	},
	PolicyContext: &api.PolicyContext{
		Path:      "peoplefinder.PUT.api.users.__id", // Policy module to evaluate.
		Decisions: []string{"allowed"},              // Policy rules to evaluate.
	},
	ResourceContext: resource,
	PolicyInstance: &api.PolicyInstance{ // The policy instance to evaluate against.
		Name: "<policy name>",
	},
})
if err != nil {
	// A failed call must be treated as a denial; never fall through to the granted path.
	log.Fatal("Failed to call authorizer:", err)
}

// Check the authorizer's decision. Only the decisions that were requested
// in PolicyContext.Decisions are returned.
for _, decision := range result.Decisions {
	if decision.Decision == "allowed" {
		if decision.Is {
			fmt.Println("Access granted")
		} else {
			fmt.Println("Access denied")
		}
	}
}
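The loop above only prints a verdict when the response happens to contain an "allowed" decision; a transport error, a timeout, or a response that omits the requested decision must all be treated as a denial rather than silently skipped. The following is an added example, not code from the go-aserto project, that wraps the Is() call in a fail-closed Check() helper. So that it runs offline it uses minimal stand-in types for the generated authorizer.IsRequest, IsResponse and Decision and api.IdentityContext and PolicyContext types (an assumption of this example), an Authorizer interface with the shape of az.Client's Is(), and a constructed in-memory fakeAuthorizer whose toy rule (a user may update only their own record) is hypothetical and not the real peoplefinder policy.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Minimal stand-ins (an assumption of this example) for the generated protobuf
// types authorizer.IsRequest/IsResponse/Decision and api.IdentityContext/PolicyContext.
type IdentityContext struct{ Identity string }
type PolicyContext struct {
	Path      string
	Decisions []string
}
type IsRequest struct {
	IdentityContext *IdentityContext
	PolicyContext   *PolicyContext
	ResourceContext map[string]any
}
type Decision struct {
	Decision string
	Is       bool
}
type IsResponse struct{ Decisions []*Decision }

// Authorizer is the one method this example needs; az.Client's Is() has the same shape.
type Authorizer interface {
	Is(ctx context.Context, req *IsRequest) (*IsResponse, error)
}

// ErrNoDecision means the authorizer answered but omitted the requested decision.
var ErrNoDecision = errors.New("authorizer response has no such decision")

// DecisionIs returns the value of the named decision in resp. An absent
// decision is an error, which callers must treat as "deny".
func DecisionIs(resp *IsResponse, name string) (bool, error) {
	if resp == nil {
		return false, ErrNoDecision
	}
	for _, d := range resp.Decisions {
		if d != nil && d.Decision == name {
			return d.Is, nil
		}
	}
	return false, fmt.Errorf("%w: %q", ErrNoDecision, name)
}

// Check asks whether identity may perform the operation guarded by policyPath
// on resource. It fails closed: a transport error, a timeout or a missing
// "allowed" decision all yield allowed == false.
func Check(ctx context.Context, authz Authorizer, identity, policyPath string, resource map[string]any) (bool, error) {
	ctx, cancel := context.WithTimeout(ctx, 2*time.Second) // an unanswered check is a denial
	defer cancel()
	resp, err := authz.Is(ctx, &IsRequest{
		IdentityContext: &IdentityContext{Identity: identity},
		PolicyContext:   &PolicyContext{Path: policyPath, Decisions: []string{"allowed"}},
		ResourceContext: resource,
	})
	if err != nil {
		return false, fmt.Errorf("authorizer call failed: %w", err)
	}
	return DecisionIs(resp, "allowed")
}

// fakeAuthorizer is a constructed in-memory stand-in for the Aserto authorizer
// so the example runs offline. Its toy rule (hypothetical, not the real
// peoplefinder policy): a user may update only their own record.
type fakeAuthorizer struct{}

func (fakeAuthorizer) Is(ctx context.Context, req *IsRequest) (*IsResponse, error) {
	if err := ctx.Err(); err != nil { // honour cancellation/timeout like a real gRPC client
		return nil, err
	}
	id, _ := req.ResourceContext["id"].(string)
	allowed := req.PolicyContext.Path == "peoplefinder.PUT.api.users.__id" &&
		id != "" && id == req.IdentityContext.Identity
	resp := &IsResponse{}
	for _, name := range req.PolicyContext.Decisions {
		resp.Decisions = append(resp.Decisions, &Decision{Decision: name, Is: name == "allowed" && allowed})
	}
	return resp, nil
}

func main() {
	authz := fakeAuthorizer{}
	path := "peoplefinder.PUT.api.users.__id"
	record := map[string]any{"id": "aprils@acmecorp.com"}
	ok, err := Check(context.Background(), authz, "aprils@acmecorp.com", path, record)
	fmt.Println("own record:", ok, err) // true <nil>
	ok, err = Check(context.Background(), authz, "mallory@acmecorp.com", path, record)
	fmt.Println("someone else's record:", ok, err) // false <nil>
	expired, cancel := context.WithCancel(context.Background())
	cancel() // simulate an authorizer that did not answer in time
	ok, err = Check(expired, authz, "aprils@acmecorp.com", path, record)
	fmt.Println("authorizer unavailable:", ok, err) // false plus an error: denied, not granted
}
```

Because Check takes the Authorizer interface, the same helper runs against the real az.Client in production and against the fake in unit tests, so the fail-closed behaviour (error, timeout, missing decision) can be asserted without a network.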
The DecisionTree() and Query() APIs are called in the same way.