Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. Licensed under the Universal Permissive License (UPL) Version 1.0 as shown at http://oss.oracle.com/licenses/upl.
Index ¶
- Variables
- func AddPolicyToResourceExpressionCache(resourceToPolicyMap *ResourceToPolicyMap, resourceExpression string, ...)
- func CallCustomerFunction(cf *pms.Function, request *ext.CustomerFunctionRequest) (interface{}, error)
- func CallCustomerFunctionViaDelegator(delegatorUrl string, cf *pms.Function, request *ext.CustomerFunctionRequest) (interface{}, error)
- func DeletePolicyFromResourceExpressionCache(resourceToPolicyMap *ResourceToPolicyMap, resourceExpression string, ...)
- func NewFromFile(fileLoc string, isWatch bool) (adsapi.PolicyEvaluator, error)
- func ReverseString(s string) string
- type BasePolicyCacheData
- type FuncResult
- type FuncResultCache
- type InternalEvaluator
- type PolicyCacheData
- func (p *PolicyCacheData) AddPolicyToCache(policy *pms.Policy, condition *govaluate.EvaluableExpression)
- func (p *PolicyCacheData) DeletePolicyFromCache(policyID string)
- func (p *PolicyCacheData) GetRelatedPolicyMap(subjectPrincipals []string, resource string, matchResource bool) map[string]*pms.Policy
- type PolicyEvalImpl
- func (p *PolicyEvalImpl) AddFunctionInRuntimeCache(cf *pms.Function)
- func (p *PolicyEvalImpl) AddPolicyInRuntimeCache(serviceName string, policy *pms.Policy)
- func (p *PolicyEvalImpl) AddRolePolicyInRuntimeCache(serviceName string, rolepolicy *pms.RolePolicy)
- func (p *PolicyEvalImpl) AddServiceInRuntimeCache(service *pms.Service)
- func (p *PolicyEvalImpl) AssertToken(ctx *adsapi.RequestContext) error
- func (p *PolicyEvalImpl) CleanExpiredFunctionResult()
- func (p *PolicyEvalImpl) DeleteFunctionInRuntimeCache(funcName string)
- func (p *PolicyEvalImpl) DeletePolicyInRuntimeCache(serviceName string, policyID string)
- func (p *PolicyEvalImpl) DeleteRolePolicyInRuntimeCache(serviceName string, rolePolicyID string)
- func (p *PolicyEvalImpl) Diagnose(ctx adsapi.RequestContext) (*adsapi.EvaluationResult, error)
- func (p *PolicyEvalImpl) Discover(ctx ads.RequestContext) (bool, ads.Reason, error)
- func (p *PolicyEvalImpl) GetAllGrantedPermissions(ctx adsapi.RequestContext) ([]pms.Permission, error)
- func (p *PolicyEvalImpl) GetAllGrantedRoles(ctx adsapi.RequestContext) ([]string, error)
- func (p *PolicyEvalImpl) InternalIsAllowed(ctx *adsapi.RequestContext, evaluationResult *adsapi.EvaluationResult) (bool, adsapi.Reason, error)
- func (p *PolicyEvalImpl) IsAllowed(ctx adsapi.RequestContext) (bool, adsapi.Reason, error)
- func (p *PolicyEvalImpl) Refresh() error
- func (p *PolicyEvalImpl) SetAsserterFunc(f func(ctx *adsapi.RequestContext) error)
- func (p *PolicyEvalImpl) StopWatch()
- type Request2Delegator
- type ResourceToPolicyMap
- type Role
- type RolePolicyCacheData
- func (p *RolePolicyCacheData) AddRolePolicyToCache(policy *pms.RolePolicy, condition *govaluate.EvaluableExpression)
- func (p *RolePolicyCacheData) DeleteRolePolicyFromCache(policyID string)
- func (p *RolePolicyCacheData) GetRelatedRolePolicyMap(subjectPrincipals []string, resource string) map[string]*pms.RolePolicy
- type RuntimePolicyStore
- type RuntimeService
- type TokenAsserter
Variables ¶
// Patterns used to classify a resource expression when it is added to the
// cache. Three shapes are currently recognized, each optionally anchored with
// ^ and $: "all" (".*"), prefix ("foo/.*") and suffix (".*foo"). Note that the
// literal part of a prefix/suffix expression may only contain word characters
// and '/' ([\w/]); an expression that matches none of these patterns is not
// indexed and has to be matched against the incoming resource one by one
// (see ResourceToPolicyMap.ResourceExpressionToPolicies).
var All_Pattern = regexp.MustCompile(`^\^?\.\*\$?$`)
var Prefix_Pattern = regexp.MustCompile(`^\^?[\w/]+\.\*\$?$`)
var Suffix_Pattern = regexp.MustCompile(`^\^?\.\*[\w/]+\$?$`)
Functions ¶
func AddPolicyToResourceExpressionCache(resourceToPolicyMap *ResourceToPolicyMap, resourceExpression string, policyID string)
func CallCustomerFunction(cf *pms.Function, request *ext.CustomerFunctionRequest) (interface{}, error)
func CallCustomerFunctionViaDelegator ¶
func DeletePolicyFromResourceExpressionCache(resourceToPolicyMap *ResourceToPolicyMap, resourceExpression string, policyID string)
Types ¶
type BasePolicyCacheData struct { /* In current cache, we don't distinguish andPrincipals and orPrincipals. If one principal occured in one policy, we will use this principal as key to index this policy. That mean after quiried all related policies, need further match operation to verify the policy */ //{principal:ResourceToPolicyMap} PrincipalToPolicies map[string]*ResourceToPolicyMap //No principal defined in policy, mean match any principal NilPrincipalToPolicies *ResourceToPolicyMap Conditions map[string]*govaluate.EvaluableExpression }
type FuncResultCache struct { sync.RWMutex Results map[string]FuncResult }
func (frc *FuncResultCache) AddToCache(key string, cf *pms.Function, result interface{})
func (frc *FuncResultCache) CleanExpiredResult()
func (frc *FuncResultCache) DeleteFromCache(funcName string)
func (frc *FuncResultCache) ReadFromCache(key string, cf *pms.Function) interface{}
type InternalEvaluator interface { adsapi.PolicyEvaluator TokenAsserter }
func New(configFile string) (InternalEvaluator, error)
New creates a policy evaluator based on the given configuration file
func NewFromConfig(conf *cfg.Config) (InternalEvaluator, error)
NewFromConfig creates a policy evaluator based on the given configuration
func NewWithStore(conf *cfg.Config, s pms.PolicyStoreManagerADS) (InternalEvaluator, error)
NewWithStore creates a policy evaluator with policy store
type PolicyCacheData struct { BasePolicyCacheData PolicyMap map[string]*pms.Policy }
func NewPolicyCacheData() (p *PolicyCacheData)
func (p *PolicyCacheData) AddPolicyToCache(policy *pms.Policy, condition *govaluate.EvaluableExpression)
func (p *PolicyCacheData) DeletePolicyFromCache(policyID string)
type PolicyEvalImpl struct { RuntimePolicyStore *RuntimePolicyStore //This is runtime policy store Store pms.PolicyStoreManagerADS AsserterFunc func(ctx *adsapi.RequestContext) error }
func (p *PolicyEvalImpl) AddFunctionInRuntimeCache(cf *pms.Function)
func (p *PolicyEvalImpl) AddPolicyInRuntimeCache(serviceName string, policy *pms.Policy)
func (p *PolicyEvalImpl) AddRolePolicyInRuntimeCache(serviceName string, rolepolicy *pms.RolePolicy)
func (p *PolicyEvalImpl) AddServiceInRuntimeCache(service *pms.Service)
func (p *PolicyEvalImpl) AssertToken(ctx *adsapi.RequestContext) error
func (p *PolicyEvalImpl) CleanExpiredFunctionResult()
func (p *PolicyEvalImpl) DeleteFunctionInRuntimeCache(funcName string)
func (p *PolicyEvalImpl) DeletePolicyInRuntimeCache(serviceName string, policyID string)
func (p *PolicyEvalImpl) DeleteRolePolicyInRuntimeCache(serviceName string, rolePolicyID string)
func (p *PolicyEvalImpl) Diagnose(ctx adsapi.RequestContext) (*adsapi.EvaluationResult, error)
Diagnose returns all the policies related to a subject.
func (p *PolicyEvalImpl) Discover(ctx ads.RequestContext) (bool, ads.Reason, error)
func (p *PolicyEvalImpl) GetAllGrantedPermissions(ctx adsapi.RequestContext) ([]pms.Permission, error)
Limitations: this function only calculates the permissions granted by policies that name a resource; it does not calculate permissions granted by policies that use a resource expression.
func (p *PolicyEvalImpl) GetAllGrantedRoles(ctx adsapi.RequestContext) ([]string, error)
func (p *PolicyEvalImpl) InternalIsAllowed(ctx *adsapi.RequestContext, evaluationResult *adsapi.EvaluationResult) (bool, adsapi.Reason, error)
func (p *PolicyEvalImpl) IsAllowed(ctx adsapi.RequestContext) (bool, adsapi.Reason, error)
func (p *PolicyEvalImpl) Refresh() error
func (p *PolicyEvalImpl) SetAsserterFunc(f func(ctx *adsapi.RequestContext) error)
func (p *PolicyEvalImpl) StopWatch()
StopWatch stops watching the policy store. After watching has stopped, policy changes are no longer picked up automatically.
type Request2Delegator struct { Function *pms.Function `json:"function"` Request *ext.CustomerFunctionRequest `json:"request"` }
type ResourceToPolicyMap struct { //{resource:{policyID: bool}} ResourceToPolicies map[string]map[string]bool PrefixResourceExpressionTree *radix.Tree SuffixResourceExpressionTree *radix.Tree //{resourceExpression:{policyID: bool}} //This map contains the resource expressions not match prefix, suffix and all patterns. //That mean the incoming resource in isAllowed need match these resource expressions one by one. ResourceExpressionToPolicies map[string]map[string]bool //resources/resExpressions could be empty, which means any resource //Also use this map to store the ".*" resourceexpression policy. which also //means any resource. NilResourceToPolicies map[string]bool }
type Role ¶
type RolePolicyCacheData struct { BasePolicyCacheData PolicyMap map[string]*pms.RolePolicy }
func NewRolePolicyCacheData() (p *RolePolicyCacheData)
func (p *RolePolicyCacheData) AddRolePolicyToCache(policy *pms.RolePolicy, condition *govaluate.EvaluableExpression)
func (p *RolePolicyCacheData) DeleteRolePolicyFromCache(policyID string)
func (p *RolePolicyCacheData) GetRelatedRolePolicyMap(subjectPrincipals []string, resource string) map[string]*pms.RolePolicy
type RuntimePolicyStore struct { sync.RWMutex Functions map[string]govaluate.ExpressionFunction RuntimeServices map[string]*RuntimeService FunctionResultCache *FuncResultCache FuncSvcEndpoint string //endpoint in sphinx side to call external customer function }
func NewRuntimePolicyStore() *RuntimePolicyStore
type RuntimeService struct { sync.RWMutex Name string Type string PoliciesCache *PolicyCacheData RolePoliciesCache *RolePolicyCacheData Functions map[string]govaluate.ExpressionFunction }
func NewRuntimeService() *RuntimeService
func (*RuntimeService) GetRelatedPolicyMap ¶
func (svc *RuntimeService) GetRelatedRolePolicyMap(subjectPrincipals []string, resource string) map[string]*pms.RolePolicy
type TokenAsserter interface { // set asserter func for policy evaluator SetAsserterFunc(f func(ctx *adsapi.RequestContext) error) // AssertToken assert token and generate subject to represent the identity AssertToken(ctx *adsapi.RequestContext) error }