Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. Licensed under the Universal Permissive License (UPL) Version 1.0 as shown at http://oss.oracle.com/licenses/upl.



// All_Pattern recognises a resource expression that stands for every resource:
// a bare ".*" with optional "^" and/or "$" anchors (".*", "^.*", ".*$", "^.*$").
// An expression of this form is treated as "any resource" (see
// ResourceToPolicyMap.NilResourceToPolicies) instead of being evaluated as a regexp.
var All_Pattern = regexp.MustCompile(`^\^?\.\*\$?$`)
// Prefix_Pattern recognises "<literal>.*": one or more word characters or "/"
// followed by a literal ".*", with optional "^"/"$" anchors, e.g. "/svc/orders.*"
// or "^api/v1/.*$". Go's \w is ASCII-only ([0-9A-Za-z_]), so a literal containing
// any other character ("-", ".", ":", a space, ...) does NOT match this pattern and
// falls through to the per-expression regexp path (ResourceExpressionToPolicies).
// Expressions matching here are presumably indexed in PrefixResourceExpressionTree.
// NOTE(review): because the anchors are optional, an unanchored "foo.*" is classified
// as a prefix match even though as a bare regexp it would also match "barfoo";
// confirm the fallback regexp matcher anchors its expressions too, otherwise the
// fast path and the slow path can disagree on which resources a policy covers.
var Prefix_Pattern = regexp.MustCompile(`^\^?[\w/]+\.\*\$?$`)

Patterns used to classify resource expressions. Three forms are currently recognised and given a fast path: prefix ("literal.*"), suffix (".*literal") and match-all (".*"). Every other expression is matched as a regular expression against each incoming resource.

// Suffix_Pattern recognises ".*<literal>": a literal ".*" followed by one or more
// word characters or "/", with optional "^"/"$" anchors, e.g. ".*/read" or "^.*/admin$".
// As with Prefix_Pattern, \w is ASCII-only ([0-9A-Za-z_]); a literal containing any
// other character does not match and is handled by the per-expression regexp path.
// Expressions matching here are presumably indexed in SuffixResourceExpressionTree
// (matched on the reversed resource string, hence ReverseString in this package).
// NOTE(review): the optional anchors make an unanchored ".*read" a suffix match here,
// whereas as a bare regexp it would also match "readonly"; confirm the fallback
// matcher anchors its expressions so both paths agree.
var Suffix_Pattern = regexp.MustCompile(`^\^?\.\*[\w/]+\$?$`)


func AddPolicyToResourceExpressionCache

func AddPolicyToResourceExpressionCache(resourceToPolicyMap *ResourceToPolicyMap, resourceExpression string, policyID string)

func CallCustomerFunction

func CallCustomerFunction(cf *pms.Function, request *ext.CustomerFunctionRequest) (interface{}, error)

func CallCustomerFunctionViaDelegator

func CallCustomerFunctionViaDelegator(delegatorUrl string, cf *pms.Function, request *ext.CustomerFunctionRequest) (interface{}, error)

func DeletePolicyFromResourceExpressionCache

func DeletePolicyFromResourceExpressionCache(resourceToPolicyMap *ResourceToPolicyMap, resourceExpression string, policyID string)

func NewFromFile

func NewFromFile(fileLoc string, isWatch bool) (adsapi.PolicyEvaluator, error)

NewFromFile loads policies from a policy file, and returns an evaluator instance

func ReverseString

func ReverseString(s string) string


type BasePolicyCacheData

type BasePolicyCacheData struct {
		In the current cache we do not distinguish andPrincipals from orPrincipals.
		If a principal occurs anywhere in a policy, that principal is used as a key to index the policy.
		Consequently, after querying all related policies, a further matching step is still required to verify that the policy really applies to the full set of subject principals.
	PrincipalToPolicies map[string]*ResourceToPolicyMap
	// Policies that define no principal at all; such a policy matches any principal, so these are consulted for every request.
	NilPrincipalToPolicies *ResourceToPolicyMap
	Conditions             map[string]*govaluate.EvaluableExpression

type FuncResult

type FuncResult struct {
	Result interface{}
	TTL    int64

type FuncResultCache

type FuncResultCache struct {
	Results map[string]FuncResult

func (*FuncResultCache) AddToCache

func (frc *FuncResultCache) AddToCache(key string, cf *pms.Function, result interface{})

func (*FuncResultCache) CleanExpiredResult

func (frc *FuncResultCache) CleanExpiredResult()

func (*FuncResultCache) DeleteFromCache

func (frc *FuncResultCache) DeleteFromCache(funcName string)

func (*FuncResultCache) ReadFromCache

func (frc *FuncResultCache) ReadFromCache(key string, cf *pms.Function) interface{}

type InternalEvaluator

type InternalEvaluator interface {

func New

func New(configFile string) (InternalEvaluator, error)

New creates a policy evaluator based on the given configuration file

func NewFromConfig

func NewFromConfig(conf *cfg.Config) (InternalEvaluator, error)

NewFromConfig creates a policy evaluator based on the given, already parsed, configuration.

func NewWithStore

func NewWithStore(conf *cfg.Config, s pms.PolicyStoreManagerADS) (InternalEvaluator, error)

NewWithStore creates a policy evaluator with policy store

type PolicyCacheData

type PolicyCacheData struct {
	PolicyMap map[string]*pms.Policy

func NewPolicyCacheData

func NewPolicyCacheData() (p *PolicyCacheData)

func (*PolicyCacheData) AddPolicyToCache

func (p *PolicyCacheData) AddPolicyToCache(policy *pms.Policy, condition *govaluate.EvaluableExpression)

func (*PolicyCacheData) DeletePolicyFromCache

func (p *PolicyCacheData) DeletePolicyFromCache(policyID string)

func (*PolicyCacheData) GetRelatedPolicyMap

func (p *PolicyCacheData) GetRelatedPolicyMap(subjectPrincipals []string, resource string, matchResource bool) map[string]*pms.Policy

type PolicyEvalImpl

type PolicyEvalImpl struct {
	RuntimePolicyStore *RuntimePolicyStore //This is runtime policy store
	Store              pms.PolicyStoreManagerADS
	AsserterFunc       func(ctx *adsapi.RequestContext) error

func (*PolicyEvalImpl) AddFunctionInRuntimeCache

func (p *PolicyEvalImpl) AddFunctionInRuntimeCache(cf *pms.Function)

func (*PolicyEvalImpl) AddPolicyInRuntimeCache

func (p *PolicyEvalImpl) AddPolicyInRuntimeCache(serviceName string, policy *pms.Policy)

func (*PolicyEvalImpl) AddRolePolicyInRuntimeCache

func (p *PolicyEvalImpl) AddRolePolicyInRuntimeCache(serviceName string, rolepolicy *pms.RolePolicy)

func (*PolicyEvalImpl) AddServiceInRuntimeCache

func (p *PolicyEvalImpl) AddServiceInRuntimeCache(service *pms.Service)

func (*PolicyEvalImpl) AssertToken

func (p *PolicyEvalImpl) AssertToken(ctx *adsapi.RequestContext) error

func (*PolicyEvalImpl) CleanExpiredFunctionResult

func (p *PolicyEvalImpl) CleanExpiredFunctionResult()

func (*PolicyEvalImpl) DeleteFunctionInRuntimeCache

func (p *PolicyEvalImpl) DeleteFunctionInRuntimeCache(funcName string)

func (*PolicyEvalImpl) DeletePolicyInRuntimeCache

func (p *PolicyEvalImpl) DeletePolicyInRuntimeCache(serviceName string, policyID string)

func (*PolicyEvalImpl) DeleteRolePolicyInRuntimeCache

func (p *PolicyEvalImpl) DeleteRolePolicyInRuntimeCache(serviceName string, rolePolicyID string)

func (*PolicyEvalImpl) Diagnose

Diagnose returns all the policies related to a subject.

func (*PolicyEvalImpl) Discover

func (p *PolicyEvalImpl) Discover(ctx ads.RequestContext) (bool, ads.Reason, error)

func (*PolicyEvalImpl) GetAllGrantedPermissions

func (p *PolicyEvalImpl) GetAllGrantedPermissions(ctx adsapi.RequestContext) ([]pms.Permission, error)

Limitation: this function only calculates permissions granted on concrete resources; permissions granted through resource expressions are not included. The result is therefore a lower bound on what the subject can do and must not be treated as the subject's complete effective access (e.g. for audit or entitlement review).

func (*PolicyEvalImpl) GetAllGrantedRoles

func (p *PolicyEvalImpl) GetAllGrantedRoles(ctx adsapi.RequestContext) ([]string, error)

func (*PolicyEvalImpl) InternalIsAllowed

func (p *PolicyEvalImpl) InternalIsAllowed(ctx *adsapi.RequestContext, evaluationResult *adsapi.EvaluationResult) (bool, adsapi.Reason, error)

func (*PolicyEvalImpl) IsAllowed

func (p *PolicyEvalImpl) IsAllowed(ctx adsapi.RequestContext) (bool, adsapi.Reason, error)

func (*PolicyEvalImpl) Refresh

func (p *PolicyEvalImpl) Refresh() error

func (*PolicyEvalImpl) SetAsserterFunc

func (p *PolicyEvalImpl) SetAsserterFunc(f func(ctx *adsapi.RequestContext) error)

func (*PolicyEvalImpl) StopWatch

func (p *PolicyEvalImpl) StopWatch()

StopWatch stops watching the policy store. Once watching has stopped, policy changes are no longer applied automatically: the evaluator keeps deciding from its last loaded snapshot, so newly added denials or revoked grants take effect only after an explicit Refresh.

type Request2Delegator

type Request2Delegator struct {
	Function *pms.Function                `json:"function"`
	Request  *ext.CustomerFunctionRequest `json:"request"`

type ResourceToPolicyMap

type ResourceToPolicyMap struct {
	//{resource:{policyID: bool}}
	ResourceToPolicies           map[string]map[string]bool
	PrefixResourceExpressionTree *radix.Tree
	SuffixResourceExpressionTree *radix.Tree
	//{resourceExpression:{policyID: bool}}
	//This map holds the resource expressions that match none of the prefix, suffix or all patterns.
	//The incoming resource in IsAllowed therefore has to be matched against each of these expressions one by one.
	ResourceExpressionToPolicies map[string]map[string]bool
	//A policy whose resources/resExpressions are empty applies to ANY resource; such policies are stored here.
	//The same map also stores policies whose resource expression is ".*" (the All_Pattern form), which
	//likewise means any resource. Note this is a permissive default: omitting the resource widens the policy.
	NilResourceToPolicies map[string]bool

type Role

type Role struct {
	Name               string
	ParentPrincipals   map[string]bool
	ParentRoles        map[string]bool
	ChildRoles         map[string]bool
	DeniedRoles        map[string]bool
	DeniedByRoles      map[string]bool
	DeniedByPrincipals map[string]bool //TODO this could be removed?

type RolePolicyCacheData

type RolePolicyCacheData struct {
	PolicyMap map[string]*pms.RolePolicy

func NewRolePolicyCacheData

func NewRolePolicyCacheData() (p *RolePolicyCacheData)

func (*RolePolicyCacheData) AddRolePolicyToCache

func (p *RolePolicyCacheData) AddRolePolicyToCache(policy *pms.RolePolicy, condition *govaluate.EvaluableExpression)

func (*RolePolicyCacheData) DeleteRolePolicyFromCache

func (p *RolePolicyCacheData) DeleteRolePolicyFromCache(policyID string)

func (*RolePolicyCacheData) GetRelatedRolePolicyMap

func (p *RolePolicyCacheData) GetRelatedRolePolicyMap(subjectPrincipals []string, resource string) map[string]*pms.RolePolicy

type RuntimePolicyStore

type RuntimePolicyStore struct {
	Functions           map[string]govaluate.ExpressionFunction
	RuntimeServices     map[string]*RuntimeService
	FunctionResultCache *FuncResultCache
	FuncSvcEndpoint     string //endpoint in sphinx side to call external customer function

func NewRuntimePolicyStore

func NewRuntimePolicyStore() *RuntimePolicyStore

type RuntimeService

type RuntimeService struct {
	Name              string
	Type              string
	PoliciesCache     *PolicyCacheData
	RolePoliciesCache *RolePolicyCacheData
	Functions         map[string]govaluate.ExpressionFunction

func NewRuntimeService

func NewRuntimeService() *RuntimeService

func (*RuntimeService) GetRelatedPolicyMap

func (svc *RuntimeService) GetRelatedPolicyMap(subjectPrincipals []string, resource string,
	matchResource bool) map[string]*pms.Policy

func (*RuntimeService) GetRelatedRolePolicyMap

func (svc *RuntimeService) GetRelatedRolePolicyMap(subjectPrincipals []string, resource string) map[string]*pms.RolePolicy

type TokenAsserter

type TokenAsserter interface {
	// SetAsserterFunc installs the function the policy evaluator uses to assert (validate) the incoming token.
	SetAsserterFunc(f func(ctx *adsapi.RequestContext) error)
	// AssertToken asserts the token carried in ctx and generates the subject that represents the caller's identity; policy evaluation relies on that subject.
	AssertToken(ctx *adsapi.RequestContext) error


