rbac

README

rbac-client-go

A Go client for the cloud.redhat.com RBAC API

Features

This client is an evolving work and generally implements functionality as needed.

• Get permitted access for a principal
• List principals
• List permissions
• View and manage groups
• View and manage policies
• View and manage roles

Usage

A client is created given a base URL and application name. A new http.Client is generated, but can be overriden if needed for a custom Transport, etc.

c := rbac.NewClient("https://foo.bar/api/rbac/v1", "app")

Most operations are a method of the client.

acl, err := c.GetAccess(identity, "")

An AccessList contains a method for testing permissions.

if acl.IsAllowed("chipotle", "burrito_bowl", "order") {
    fmt.Printf("yay!")
}

License

Apache 2.0

See LICENCE to see the full text.

Documentation

Index

• type Access
  • func (a Access) Application() string
  • func (a Access) Resource() string
  • func (a Access) Verb() string
• type AccessList
  • func (l AccessList) IsAllowed(app, res, verb string) bool
• type Client
  • func NewClient(baseURL, application string) Client
  • func (c *Client) GetAccess(ctx context.Context, identity string, username string) (AccessList, error)
• type PaginatedBody
• type PaginationLinks
• type PaginationMeta
• type ResourceDefinition
• type ResourceDefinitionFilter

Types

type Access

type Access struct {
	ResourceDefinitions []ResourceDefinition `json:"resourceDefinitions,omitempty"`
	Permission          string               `json:"permission"`
}

Access represents a permission and an optional resource definition

func (Access) Application

func (a Access) Application() string

Application returns the name of the application in the permission

func (Access) Resource

func (a Access) Resource() string

Resource returns the name of the resource in the permission

func (Access) Verb

func (a Access) Verb() string

Verb returns the verb in the permission

type AccessList

type AccessList []Access

AccessList is a slice of Accesses and is generally used to represent a principal's full set of permissions for an application

func (AccessList) IsAllowed

func (l AccessList) IsAllowed(app, res, verb string) bool

IsAllowed returns whether an action against a resource is allowed by an AccessList taking wildcards into consideration TODO: Take resource definitions into account

type Client

type Client struct {
	HTTPClient  *http.Client
	BaseURL     string
	Application string
}

Client is used for making requests to the RBAC service

func NewClient

func NewClient(baseURL, application string) Client

NewClient returns a Client given an application

func (*Client) GetAccess

func (c *Client) GetAccess(ctx context.Context, identity string, username string) (AccessList, error)

GetAccess returns an AccessList for a principal. When username is empty, the authenticated principal is used.

type PaginatedBody

type PaginatedBody struct {
	Meta  PaginationMeta  `json:"meta"`
	Links PaginationLinks `json:"links"`
	Data  interface{}     `json:"data"`
}

PaginatedBody represents the response body format from the RBAC service

type PaginationLinks

type PaginationLinks struct {
	First    string `json:"first"`
	Next     string `json:"next"`
	Previous string `json:"previous"`
	Last     string `json:"last"`
}

PaginationLinks provides links to additional pages of response data

type PaginationMeta

type PaginationMeta struct {
	Count  int `json:"count"`
	Limit  int `json:"limit"`
	Offset int `json:"offset"`
}

PaginationMeta contains metadata for pagination

type ResourceDefinition

type ResourceDefinition struct {
	Filter ResourceDefinitionFilter `json:"attributeFilter"`
}

ResourceDefinition limits an Access to specific resources

type ResourceDefinitionFilter

type ResourceDefinitionFilter struct {
	Key       string `json:"key"`
	Operation string `json:"operation"`
	Value     string `json:"value"`
}

ResourceDefinitionFilter represents the key/values used for filtering