Documentation ¶
Index ¶
- func NewRemotePDPClient(endpoint, scope string, cred azcore.TokenCredential, ...) (*remotePDPClient, error)
- type AccessDecision
- type ActionInfo
- type Attributes
- type AuthorizationDecision
- type AuthorizationDecisionResponse
- type AuthorizationRequest
- type CheckAccessErrorResponse
- type EnvironmentInfo
- type RemotePDPClient
- type ResourceInfo
- type RoleAssignment
- type RoleDefinition
- type SubjectAttributes
- type SubjectInfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewRemotePDPClient ¶
func NewRemotePDPClient(endpoint, scope string, cred azcore.TokenCredential, clientOptions *azcore.ClientOptions) (*remotePDPClient, error)
NewRemotePDPClient returns an implementation of RemotePDPClient.
- endpoint - the FQDN of the region-specific PDP endpoint
- scope - the OAuth scope required by the PDP server
- cred - the credential the client uses to call the PDP server
- clientOptions - optional settings for the client's pipeline
Types ¶
type AccessDecision ¶
type AccessDecision string
AccessDecision can be: Allowed, NotAllowed, Denied.
const (
	Allowed    AccessDecision = "Allowed"
	NotAllowed AccessDecision = "NotAllowed"
	Denied     AccessDecision = "Denied"

	// GroupExpansion is the value to be used with ClaimName in SubjectAttributes.
	// This value gives CheckAccess a hint that it needs to retrieve all the groups the principal belongs to
	// and then give the response based on all group entitlements.
	//
	// https://eng.ms/docs/microsoft-security/identity/auth/access-control-managed-identityacmi/azure-authz-data-plane/authz-dataplane-partner-wiki/remotepdp/checkaccess/samples/requestresponse
	GroupExpansion = `{"groups":"src1"}`
)
Possible AccessDecision values returned by the PDP.
type ActionInfo ¶
type ActionInfo struct {
	Id           string `json:"Id"`
	IsDataAction bool   `json:"IsDataAction,omitempty"`
	Attributes   `json:"Attributes"`
}
ActionInfo names an action for which the query checks whether the subject is allowed to perform it. Example: "Microsoft.Network/virtualNetworks/read"
type Attributes ¶
type Attributes map[string]interface{}
type AuthorizationDecision ¶
type AuthorizationDecision struct {
	ActionId       string `json:"actionId,omitempty"`
	AccessDecision `json:"accessDecision,omitempty"`
	IsDataAction   bool `json:"isDataAction,omitempty"`
	RoleAssignment `json:"roleAssignment,omitempty"`
	DenyAssignment RoleDefinition `json:"denyAssignment,omitempty"`
	TimeToLiveInMs int            `json:"timeToLiveInMs,omitempty"`
}
AuthorizationDecision tells whether the subject can perform the action on the target resource.
type AuthorizationDecisionResponse ¶
type AuthorizationDecisionResponse struct {
	Value    []AuthorizationDecision `json:"value"`
	NextLink string                  `json:"nextLink"`
}
AuthorizationDecisionResponse contains a paginated list of all decision results. If the list holds more than 50 entries, follow NextLink to retrieve the next page.
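An added example (not part of the remotepdp package) of consuming these decisions safely: it follows NextLink across pages, caps the chain, and fails closed so that only an explicit Allowed decision grants access. The type definitions are minimal mirrors of the ones on this page, and fetch is a hypothetical hook standing in for the HTTP call that CheckAccess performs.

```go
package main

import (
	"errors"
	"fmt"
)
// Minimal mirrors of the remotepdp types used here (same field shapes, not the package itself).
type AccessDecision string
const Allowed, NotAllowed, Denied AccessDecision = "Allowed", "NotAllowed", "Denied"
type AuthorizationDecision struct {
	ActionId       string
	AccessDecision AccessDecision
}
type AuthorizationDecisionResponse struct {
	Value    []AuthorizationDecision
	NextLink string
}
// CheckAllAllowed pages through the decisions (empty NextLink = first page) and fails closed: every
// requested action needs an explicit Allowed decision; NotAllowed, Denied or a missing decision mean no
// access. fetch is a hypothetical hook for the HTTP call CheckAccess makes; the cap stops endless paging.
func CheckAllAllowed(fetch func(string) (*AuthorizationDecisionResponse, error), actions []string) (bool, error) {
	got := map[string]AccessDecision{}
	for link, n := "", 0; ; n++ {
		if n >= 100 {
			return false, errors.New("NextLink chain exceeded the page cap")
		}
		resp, err := fetch(link)
		if err != nil {
			return false, err
		}
		for _, d := range resp.Value {
			got[d.ActionId] = d.AccessDecision
		}
		if link = resp.NextLink; link == "" {
			break
		}
	}
	for _, a := range actions {
		if got[a] != Allowed {
			return false, nil
		}
	}
	return true, nil
}
func main() { // constructed one-page response standing in for RemotePDPClient.CheckAccess
	ok, err := CheckAllAllowed(func(string) (*AuthorizationDecisionResponse, error) {
		return &AuthorizationDecisionResponse{Value: []AuthorizationDecision{{"Microsoft.Network/virtualNetworks/read", Allowed}}}, nil
	}, []string{"Microsoft.Network/virtualNetworks/read"})
	fmt.Println(ok, err) // true <nil>
}
```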
type AuthorizationRequest ¶
type AuthorizationRequest struct {
	Subject            SubjectInfo     `json:"Subject"`
	Actions            []ActionInfo    `json:"Actions"`
	Resource           ResourceInfo    `json:"Resource"`
	Environment        EnvironmentInfo `json:"Environment,omitempty"`
	CheckClassicAdmins bool            `json:"CheckClassicAdmins,omitempty"`
}
AuthorizationRequest represents the payload of the request sent to a PDP server.
type CheckAccessErrorResponse ¶
type CheckAccessErrorResponse struct {
	StatusCode int    `json:"statusCode,omitempty"`
	Message    string `json:"message,omitempty"`
}
CheckAccessErrorResponse represents the body content returned when the server responds with a non-successful status.
type EnvironmentInfo ¶
type EnvironmentInfo struct {
Attributes `json:"Attributes"`
}
type RemotePDPClient ¶
type RemotePDPClient interface {
	CheckAccess(context.Context, AuthorizationRequest) (*AuthorizationDecisionResponse, error)
	CreateAuthorizationRequest(string, []string, string) (*AuthorizationRequest, error)
}
RemotePDPClient represents the Microsoft Remote PDP API spec.
type ResourceInfo ¶
type ResourceInfo struct {
	Id         string `json:"Id"`
	Attributes `json:"Attributes"`
}
ResourceInfo is the resource path of the target object against which the query checks whether the subject may perform the requested actions.
type RoleAssignment ¶
type RoleAssignment struct {
	Id                                 string `json:"id,omitempty"`
	RoleDefinitionId                   string `json:"roleDefinitionId,omitempty"`
	PrincipalId                        string `json:"principalId,omitempty"`
	PrincipalType                      string `json:"principaltype,omitempty"`
	Scope                              string `json:"scope,omitempty"`
	Condition                          string `json:"condition,omitempty"`
	ConditionVersion                   string `json:"conditionVersion,omitempty"`
	CanDelegate                        bool   `json:"canDelegate,omitempty"`
	DelegatedManagedIdentityResourceId string `json:"deletegatedManagedIdentityResourceId,omitempty"`
	Description                        string `json:"description,omitempty"`
}
type RoleDefinition ¶
type RoleDefinition struct {
Id string `json:"id,omitempty"`
}
type SubjectAttributes ¶
type SubjectAttributes struct {
	ObjectId         string   `json:"ObjectId"`
	Groups           []string `json:"Groups,omitempty"`
	ApplicationId    string   `json:"ApplicationId,omitempty"`
	ApplicationACR   string   `json:"ApplicationACR,omitempty"`
	RoleTemplate     []string `json:"RoleTemplate,omitempty"`
	TenantId         string   `json:"tid,omitempty"`
	Scope            string   `json:"Scope,omitempty"`
	ResourceId       string   `json:"ResourceId,omitempty"`
	Puid             string   `json:"puid,omitempty"`
	AltSecId         string   `json:"altsecid,omitempty"`
	IdentityProvider string   `json:"idp,omitempty"`
	Issuer           string   `json:"iss,omitempty"`
	ClaimName        string   `json:"_claim_names,omitempty"`
}
SubjectAttributes contains the attributes that describe the subject of the query (that is, the principal whose access is being checked). The ObjectId field is the UUID of the subject and is required.
type SubjectInfo ¶
type SubjectInfo struct {
Attributes SubjectAttributes `json:"Attributes"`
}