AuthZClient
The application, acting as a Policy Enforcement Point (PEP), enforces policies defined by the Policy Decision Point (PDP). The Permguard Go SDK facilitates communication with the Permguard PDP.
This communication occurs through the AuthZClient, a component that provides a straightforward interface for interacting with the Permguard AuthZServer.
The Basic Structure of an Authorization Request
A standard authorization request is composed of the following key elements:
// Create a new Permguard client
azClient := permguard.NewAZClient(
permguard.WithEndpoint("localhost", 9094),
)
// Create a new authorization request
req := azreq.NewAZAtomicRequestBuilder(273165098782, "fd1ac44e4afa4fc4beec622494d3175a",
"amy.smith@acmecorp.com", "PharmaAuthZFlow::Platform::Subscription", "PharmaAuthZFlow::Platform::Action::create")
// Check the authorization
decsion, _, _ := azClient.Check(req)
if decsion {
fmt.Println("✅ Authorization Permitted")
} else {
fmt.Println("❌ Authorization Denied")
}Perform an Atomic Authorization Request
An atomic authorization request can be performed using the AuthZClient by creating a new client instance and invoking the Check method.
// Create a new Permguard client
azClient := permguard.NewAZClient(
permguard.WithEndpoint("localhost", 9094),
)
// Create the Principal
principal := azreq.NewPrincipalBuilder("amy.smith@acmecorp.com").Build()
// Create the entities
entities := []map[string]any{
{
"uid": map[string]any{
"type": "PharmaAuthZFlow::Platform::BranchInfo",
"id": "subscription",
},
"attrs": map[string]any{
"active": true,
},
"parents": []any{},
},
}
// Create a new authorization request
req := azreq.NewAZAtomicRequestBuilder(273165098782, "fd1ac44e4afa4fc4beec622494d3175a",
"amy.smith@acmecorp.com", "PharmaAuthZFlow::Platform::Subscription", "PharmaAuthZFlow::Platform::Action::create").
// RequestID
WithRequestID("1234").
// Principal
WithPrincipal(principal).
// Entities
WithEntitiesItems(azreq.CedarEntityKind, entities).
// Subject
WithSubjectType(azreq.UserType).
WithSubjectSource("keycloack").
WithSubjectProperty("isSuperUser", true).
// Resource
WithResourceID("e3a786fd07e24bfa95ba4341d3695ae8").
WithResourceProperty("isEnabled", true).
// Action
WithActionProperty("isEnabled", true).
WithContextProperty("time", "2025-01-23T16:17:46+00:00").
WithContextProperty("isSubscriptionActive", true).
Build()
// Check the authorization
decsion, response, _ := azClient.Check(req)
if decsion {
fmt.Println("✅ Authorization Permitted")
} else {
fmt.Println("❌ Authorization Denied")
if response.Context.ReasonAdmin != nil {
fmt.Printf("-> Reason Admin: %s\n", response.Context.ReasonAdmin.Message)
}
if response.Context.ReasonUser != nil {
fmt.Printf("-> Reason User: %s\n", response.Context.ReasonUser.Message)
}
for _, eval := range response.Evaluations {
if eval.Context.ReasonUser != nil {
fmt.Printf("-> Reason Admin: %s\n", eval.Context.ReasonAdmin.Message)
fmt.Printf("-> Reason User: %s\n", eval.Context.ReasonUser.Message)
}
}
}Perform a Composed Authorization Request
To perform a composed authorization request using the AuthZClient, you need to create a new client and call the Check method.
This type of request is designed for scenarios requiring greater control over the authorization request creation, as well as cases where multiple evaluations must be executed within a single request.
// Create a new Permguard client
azClient := permguard.NewAZClient(
permguard.WithEndpoint("localhost", 9094),
)
// Create a new subject
subject := azreq.NewSubjectBuilder("amy.smith@acmecorp.com").
WithType(azreq.UserType).
WithSource("keycloack").
WithProperty("isSuperUser", true).
Build()
// Create a new resource
resource := azreq.NewResourceBuilder("PharmaAuthZFlow::Platform::Subscription").
WithID("e3a786fd07e24bfa95ba4341d3695ae8").
WithProperty("isEnabled", true).
Build()
// Create ations
actionView := azreq.NewActionBuilder("PharmaAuthZFlow::Platform::Action::create").
WithProperty("isEnabled", true).
Build()
actionCreate := azreq.NewActionBuilder("PharmaAuthZFlow::Platform::Action::create").
WithProperty("isEnabled", true).
Build()
// Create a new Context
context := azreq.NewContextBuilder().
WithProperty("time", "2025-01-23T16:17:46+00:00").
WithProperty("isSubscriptionActive", true).
Build()
// Create evaluations
evaluationView := azreq.NewEvaluationBuilder(subject, resource, actionView).
WithRequestID("1234").
WithContext(context).
Build()
evaluationCreate := azreq.NewEvaluationBuilder(subject, resource, actionCreate).
WithRequestID("7890").
WithContext(context).
Build()
// Create the Principal
principal := azreq.NewPrincipalBuilder("amy.smith@acmecorp.com").Build()
// Create the entities
entities := []map[string]any{
{
"uid": map[string]any{
"type": "PharmaAuthZFlow::Platform::BranchInfo",
"id": "subscription",
},
"attrs": map[string]any{
"active": true,
},
"parents": []any{},
},
}
// Create a new authorization request
req := azreq.NewAZRequestBuilder(273165098782, "fd1ac44e4afa4fc4beec622494d3175a").
WithPrincipal(principal).
WithEntitiesItems(azreq.CedarEntityKind, entities).
WithEvaluation(evaluationView).
WithEvaluation(evaluationCreate).
Build()
// Check the authorization
decsion, response, _ := azClient.Check(req)
if decsion {
fmt.Println("✅ Authorization Permitted")
} else {
fmt.Println("❌ Authorization Denied")
if response.Context.ReasonAdmin != nil {
fmt.Printf("-> Reason Admin: %s\n", response.Context.ReasonAdmin.Message)
}
if response.Context.ReasonUser != nil {
fmt.Printf("-> Reason User: %s\n", response.Context.ReasonUser.Message)
}
for _, eval := range response.Evaluations {
if eval.Context.ReasonUser != nil {
fmt.Printf("-> Reason Admin: %s\n", eval.Context.ReasonAdmin.Message)
fmt.Printf("-> Reason User: %s\n", eval.Context.ReasonUser.Message)
}
}
}