Documentation
Index
- Constants
- func PolicyCSV(data map[string]string) string
- func ValidatePolicy(policy string) error
- type CasbinEnforcer
- type ClaimsEnforcerFunc
- type Enforcer
- func (e *Enforcer) CreateEnforcerWithRuntimePolicy(project string, policy string) CasbinEnforcer
- func (e *Enforcer) EnableEnforce(s bool)
- func (e *Enforcer) EnableLog(s bool)
- func (e *Enforcer) Enforce(rvals ...any) bool
- func (e *Enforcer) EnforceErr(rvals ...any) error
- func (e *Enforcer) EnforceRuntimePolicy(project string, policy string, rvals ...any) bool
- func (e *Enforcer) EnforceWithCustomEnforcer(enf CasbinEnforcer, rvals ...any) bool
- func (e *Enforcer) LoadPolicy() error
- func (e *Enforcer) RunPolicyLoader(ctx context.Context, onUpdated func(cm *corev1.ConfigMap) error) error
- func (e *Enforcer) SetBuiltinPolicy(policy string) error
- func (e *Enforcer) SetClaimsEnforcerFunc(claimsEnforcer ClaimsEnforcerFunc)
- func (e *Enforcer) SetDefaultRole(roleName string)
- func (e *Enforcer) SetMatchMode(mode string)
- func (e *Enforcer) SetUserPolicy(policy string) error
Constants
const (
	ConfigMapPolicyCSVKey     = "policy.csv"
	ConfigMapPolicyDefaultKey = "policy.default"
	ConfigMapScopesKey        = "scopes"
	ConfigMapMatchModeKey     = "policy.matchMode"
	GlobMatchMode             = "glob"
	RegexMatchMode            = "regex"
)
Variables
This section is empty.
Functions
func PolicyCSV
func PolicyCSV(data map[string]string) string
PolicyCSV generates the final policy CSV to be used by Argo CD RBAC. It finds entries in the given data that match the policy key name convention:
policy[.overlay].csv
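As an added example (not the package's own code), the following Go program re-implements the policy[.overlay].csv merge that PolicyCSV describes, so that the main policy.csv comes first and overlays follow in deterministic sorted order, and adds a structural line check to run before handing the result to ValidatePolicy. MergePolicyCSV, CheckPolicyLines and policyKeyRe are hypothetical names, and the rule shape (p, subject, resource, action, object, effect / g, user, role) is Argo CD's documented policy format rather than something stated on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

const ConfigMapPolicyCSVKey = "policy.csv" // main policy key, from the package docs
// Key convention policy[.overlay].csv from the docs; any overlay name is assumed valid.
var policyKeyRe = regexp.MustCompile(`^policy(\..+)?\.csv$`)

// MergePolicyCSV (hypothetical name) mirrors PolicyCSV's contract: main policy first, then
// overlays in sorted key order, so the result is independent of Go map iteration order.
func MergePolicyCSV(data map[string]string) string {
	parts := []string{data[ConfigMapPolicyCSVKey]} // "" when the main key is absent
	var overlays []string
	for k := range data { // "scopes", "policy.default" etc. do not match and are skipped
		if k != ConfigMapPolicyCSVKey && policyKeyRe.MatchString(k) {
			overlays = append(overlays, k)
		}
	}
	sort.Strings(overlays)
	for _, k := range overlays {
		parts = append(parts, data[k])
	}
	return strings.TrimPrefix(strings.Join(parts, "\n"), "\n") // no leading newline without a main policy
}

// CheckPolicyLines is a structural pre-check, not casbin's ValidatePolicy: each non-empty,
// non-comment line must be "p" with six fields (p, sub, res, act, obj, allow|deny) or "g" with three.
func CheckPolicyLines(csv string) error {
	for i, line := range strings.Split(csv, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		f := strings.Split(strings.ReplaceAll(line, " ", ""), ",")
		pRule := f[0] == "p" && len(f) == 6 && (f[5] == "allow" || f[5] == "deny")
		if !pRule && !(f[0] == "g" && len(f) == 3) {
			return fmt.Errorf("line %d: malformed rule %q", i+1, line)
		}
	}
	return nil
}

func main() { // stand-alone demo: merge a constructed one-key map and run the structural check
	csv := MergePolicyCSV(map[string]string{ConfigMapPolicyCSVKey: "p, role:readonly, applications, get, */*, allow"})
	fmt.Println(csv, CheckPolicyLines(csv))
}
```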
func ValidatePolicy
func ValidatePolicy(policy string) error
ValidatePolicy verifies that a policy string is acceptable to casbin.
Types
type CasbinEnforcer
type CasbinEnforcer interface {
	EnableLog(bool)
	Enforce(rvals ...any) (bool, error)
	LoadPolicy() error
	EnableEnforce(bool)
	AddFunction(name string, function govaluate.ExpressionFunction)
	GetGroupingPolicy() ([][]string, error)
}
CasbinEnforcer represents the methods that must be implemented by a Casbin enforcer.
type ClaimsEnforcerFunc
ClaimsEnforcerFunc is a func template to enforce JWT claims. The subject is replaced
type Enforcer
type Enforcer struct {
// contains filtered or unexported fields
}
Enforcer is a wrapper around a Casbin enforcer that:
- is backed by a kubernetes config map
- has a predefined RBAC model
- supports a built-in policy
- supports a user-defined policy
- supports a custom JWT claims enforce function
func NewEnforcer
func NewEnforcer(clientset kubernetes.Interface, namespace, configmap string, claimsEnforcer ClaimsEnforcerFunc) *Enforcer
func (*Enforcer) CreateEnforcerWithRuntimePolicy
func (e *Enforcer) CreateEnforcerWithRuntimePolicy(project string, policy string) CasbinEnforcer
CreateEnforcerWithRuntimePolicy creates an enforcer with a policy defined at run-time which augments the built-in and user-defined policy. This allows any explicit denies in the built-in and user-defined policies to override the run-time policy. It runs normal enforcement if the run-time policy is empty.
func (*Enforcer) EnableEnforce
func (e *Enforcer) EnableEnforce(s bool)
EnableEnforce executes the casbin.Enforcer functionality and invalidates the cache if required.
func (*Enforcer) Enforce
func (e *Enforcer) Enforce(rvals ...any) bool
Enforce is a wrapper around casbin.Enforce that additionally enforces a default role and a custom claims function.
func (*Enforcer) EnforceErr
func (e *Enforcer) EnforceErr(rvals ...any) error
EnforceErr is a convenience helper that wraps a failed enforcement with a detailed error about the request.
func (*Enforcer) EnforceRuntimePolicy
func (e *Enforcer) EnforceRuntimePolicy(project string, policy string, rvals ...any) bool
EnforceRuntimePolicy enforces a policy defined at run-time which augments the built-in and user-defined policy. This allows any explicit denies in the built-in and user-defined policies to override the run-time policy. It runs normal enforcement if the run-time policy is empty.
func (*Enforcer) EnforceWithCustomEnforcer
func (e *Enforcer) EnforceWithCustomEnforcer(enf CasbinEnforcer, rvals ...any) bool
EnforceWithCustomEnforcer wraps Enforce with a custom enforcer.
func (*Enforcer) LoadPolicy
func (e *Enforcer) LoadPolicy() error
LoadPolicy executes the casbin.Enforcer functionality and invalidates the cache if required.
func (*Enforcer) RunPolicyLoader
func (e *Enforcer) RunPolicyLoader(ctx context.Context, onUpdated func(cm *corev1.ConfigMap) error) error
RunPolicyLoader runs the policy loader, which watches for policy updates in the configmap and reloads them.
func (*Enforcer) SetBuiltinPolicy
func (e *Enforcer) SetBuiltinPolicy(policy string) error
SetBuiltinPolicy sets a built-in policy, which augments any user-defined policies.
func (*Enforcer) SetClaimsEnforcerFunc
func (e *Enforcer) SetClaimsEnforcerFunc(claimsEnforcer ClaimsEnforcerFunc)
SetClaimsEnforcerFunc sets a claims enforce function to use during enforcement. The claims enforce function can extract claims from the JWT token and perform the proper enforcement based on the user, group or any other information available in the input parameter list.
func (*Enforcer) SetDefaultRole
func (e *Enforcer) SetDefaultRole(roleName string)
SetDefaultRole sets a default role to use during enforcement. It falls back to this role if normal enforcement fails.
func (*Enforcer) SetMatchMode
func (e *Enforcer) SetMatchMode(mode string)
SetMatchMode sets the match mode at runtime: glob match or regex match.
func (*Enforcer) SetUserPolicy
func (e *Enforcer) SetUserPolicy(policy string) error
SetUserPolicy sets a user policy, which augments the built-in policy.