Documentation
Index ¶
- func Asset(name string) ([]byte, error)
- func AssetDir(name string) ([]string, error)
- func AssetInfo(name string) (os.FileInfo, error)
- func AssetNames() []string
- func MustAsset(name string) []byte
- func RestoreAsset(dir, name string) error
- func RestoreAssets(dir, name string) error
- type ErrEvaluation
- type ErrUnexpectedResultExpression
- type ErrUnexpectedResultSet
- type OptFunc
- type State
- func (s *State) DumpData(ctx context.Context) error
- func (s *State) FilterAuthorizedPairs(ctx context.Context, subjects engine.Subjects, pairs []engine.Pair) ([]engine.Pair, error)
- func (s *State) IsAuthorized(ctx context.Context, subjects engine.Subjects, action engine.Action, ...) (bool, error)
- func (s *State) ListProjectMappings(ctx context.Context) (map[string][]engine.Rule, error)
- func (s *State) RulesForProject(ctx context.Context, projectID string) ([]engine.Rule, error)
- func (s *State) SetPolicies(ctx context.Context, policies map[string]interface{}) error
- func (s *State) V2FilterAuthorizedPairs(ctx context.Context, subjects engine.Subjects, pairs []engine.Pair) ([]engine.Pair, error)
- func (s *State) V2FilterAuthorizedProjects(ctx context.Context, subjects engine.Subjects, pairs []engine.Pair) ([]string, error)
- func (s *State) V2IsAuthorized(ctx context.Context, subjects engine.Subjects, action engine.Action, ...) (bool, error)
- func (s *State) V2ProjectsAuthorized(ctx context.Context, subjects engine.Subjects, action engine.Action, ...) ([]string, error)
- func (s *State) V2SetPolicies(ctx context.Context, policyMap map[string]interface{}, ...) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Asset ¶
func Asset(name string) ([]byte, error)
Asset loads and returns the asset for the given name. It returns an error if the asset could not be found or could not be loaded.
func AssetDir ¶
func AssetDir(name string) ([]string, error)
AssetDir returns the file names directly below a certain directory embedded in the file by go-bindata. For example, if you run go-bindata on data/... and data contains the following hierarchy:

data/
    foo.txt
    img/
        a.png
        b.png

then:
- AssetDir("data") returns []string{"foo.txt", "img"}
- AssetDir("data/img") returns []string{"a.png", "b.png"}
- AssetDir("foo.txt") and AssetDir("notexist") return an error
- AssetDir("") returns []string{"data"}
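As an added illustration (not code from this package, and not go-bindata's generated output, although the tree type mirrors the lookup structure go-bindata emits), the following Go program reproduces the AssetDir contract on the hierarchy above and then uses it to enumerate one subtree of the embedded set. The tree contents are constructed for the example; assetDir, asset, lookup and walk are this example's names, not functions of the package.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// bintree mirrors the lookup tree go-bindata generates: a node is either a
// directory (Children set, Func nil) or a file (Func set). The contents below
// are constructed for this example and are not the package's real asset set.
type bintree struct {
	Func     func() ([]byte, error)
	Children map[string]*bintree
}

func leaf(content string) *bintree {
	return &bintree{Func: func() ([]byte, error) { return []byte(content), nil }}
}

var assetTree = &bintree{Children: map[string]*bintree{
	"data": {Children: map[string]*bintree{
		"foo.txt": leaf("hello"),
		"img": {Children: map[string]*bintree{
			"a.png": leaf("\x89PNG a"),
			"b.png": leaf("\x89PNG b"),
		}},
	}},
}}

// lookup walks the tree along a slash-separated name; "" addresses the root,
// exactly as AssetDir("") does in the generated code.
func lookup(name string) (*bintree, error) {
	node := assetTree
	if name == "" {
		return node, nil
	}
	for _, part := range strings.Split(strings.Trim(name, "/"), "/") {
		child, ok := node.Children[part]
		if !ok {
			return nil, fmt.Errorf("Asset %s not found", name)
		}
		node = child
	}
	return node, nil
}

// asset returns a file's bytes; a directory name is an error, as with Asset.
func asset(name string) ([]byte, error) {
	node, err := lookup(name)
	if err != nil {
		return nil, err
	}
	if node.Func == nil {
		return nil, fmt.Errorf("Asset %s is a directory", name)
	}
	return node.Func()
}

// assetDir reproduces the documented AssetDir contract: the immediate entries
// below a directory, and an error for a file name or an unknown name.
func assetDir(name string) ([]string, error) {
	node, err := lookup(name)
	if err != nil {
		return nil, err
	}
	if node.Func != nil { // a file, not a directory
		return nil, fmt.Errorf("Asset %s not found", name)
	}
	names := make([]string, 0, len(node.Children))
	for child := range node.Children {
		names = append(names, child)
	}
	sort.Strings(names) // map iteration order is random; make the listing deterministic
	return names, nil
}

// walk lists every file below dir recursively using only assetDir and asset,
// which is how a caller enumerates one subtree (e.g. everything under "data/img")
// without prefix-filtering the flat AssetNames() list.
func walk(dir string) ([]string, error) {
	entries, err := assetDir(dir)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, e := range entries {
		full := e
		if dir != "" {
			full = dir + "/" + e
		}
		if _, err := asset(full); err == nil { // a file: record it
			out = append(out, full)
			continue
		}
		more, err := walk(full) // otherwise a directory: descend
		if err != nil {
			return nil, err
		}
		out = append(out, more...)
	}
	return out, nil
}

func main() {
	files, err := walk("data")
	fmt.Println(files, err)
}
```

The walk relies on the documented behaviour that Asset fails for a directory and AssetDir fails for a file, so no separate "is directory" query is needed.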
func AssetInfo ¶
func AssetInfo(name string) (os.FileInfo, error)
AssetInfo loads and returns the asset info for the given name. It returns an error if the asset could not be found or could not be loaded.
func AssetNames ¶
func AssetNames() []string
AssetNames returns the names of the assets.
func MustAsset ¶
func MustAsset(name string) []byte
MustAsset is like Asset but panics when Asset would return an error. It simplifies safe initialization of global variables: a name known at build time, such as an embedded policy file, either loads or stops the program at init, rather than leaving a global silently empty.
func RestoreAsset ¶
func RestoreAsset(dir, name string) error
RestoreAsset restores a single asset under the given directory.
func RestoreAssets ¶
func RestoreAssets(dir, name string) error
RestoreAssets restores an asset, or a directory of assets, under the given directory recursively.
Types ¶
type ErrEvaluation ¶
type ErrEvaluation struct {
// contains filtered or unexported fields
}
ErrEvaluation is returned when a query evaluation returns an error.
func (*ErrEvaluation) Error ¶
func (e *ErrEvaluation) Error() string
type ErrUnexpectedResultExpression ¶
type ErrUnexpectedResultExpression struct {
// contains filtered or unexported fields
}
ErrUnexpectedResultExpression is returned when one of the result set's expressions can't be made sense of.
func (*ErrUnexpectedResultExpression) Error ¶
func (e *ErrUnexpectedResultExpression) Error() string
type ErrUnexpectedResultSet ¶
type ErrUnexpectedResultSet struct {
// contains filtered or unexported fields
}
ErrUnexpectedResultSet is returned when the result set of an OPA query can't be made sense of.
func (*ErrUnexpectedResultSet) Error ¶
func (e *ErrUnexpectedResultSet) Error() string
type OptFunc ¶
type OptFunc func(*State)
OptFunc is the type of functional options to be passed to New()
type State ¶
type State struct {
// contains filtered or unexported fields
}
State wraps the state of OPA we need to track
func New ¶
New initializes a fresh OPA state, using the default, hardcoded OPA policy from policy/authz*.rego unless overridden via an opa.OptFunc.
func (*State) DumpData ¶
func (s *State) DumpData(ctx context.Context) error
DumpData is a bit fast-and-loose when it comes to error checking; it's a debugging aid and is not meant to be used in production.
func (*State) FilterAuthorizedPairs ¶
func (s *State) FilterAuthorizedPairs( ctx context.Context, subjects engine.Subjects, pairs []engine.Pair) ([]engine.Pair, error)
FilterAuthorizedPairs passes the pairs into OPA, lets it take care of the filtering, and returns the resulting (sub)list.
func (*State) IsAuthorized ¶
func (s *State) IsAuthorized( ctx context.Context, subjects engine.Subjects, action engine.Action, resource engine.Resource) (bool, error)
IsAuthorized evaluates whether a given [subject, resource, action] tuple is authorized given the service's state, i.e. the policies last loaded via SetPolicies.
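The following Go example is added here and is not code from this package: it shows one way to decode OPA result sets for an IsAuthorized-style boolean query and a FilterAuthorizedPairs-style list query so that the ErrUnexpectedResultSet and ErrUnexpectedResultExpression cases described above fail closed. The ExpressionValue, Result and ResultSet types only model the shape of OPA's rego.ResultSet (so the example runs without the OPA module), Pair stands in for engine.Pair, and the rule that an empty (undefined) result is a plain deny while any other unexpected shape is an error are this example's assumptions, not statements about the package's implementation.

```go
package main

import "fmt"

// ExpressionValue, Result and ResultSet model the shape of OPA's rego.ResultSet
// (one Result per binding, one ExpressionValue per query expression). They are
// declared here so the example is self-contained; they are not the package's types.
type ExpressionValue struct {
	Value interface{}
	Text  string
}

type Result struct {
	Expressions []*ExpressionValue
}

type ResultSet []Result

// Both error types keep the offending value so a log line can show what OPA
// actually returned. Field names are this example's choice.
type ErrUnexpectedResultSet struct{ rs ResultSet }

func (e *ErrUnexpectedResultSet) Error() string {
	return fmt.Sprintf("unexpected result set: %d results", len(e.rs))
}

type ErrUnexpectedResultExpression struct{ exprs []*ExpressionValue }

func (e *ErrUnexpectedResultExpression) Error() string {
	vals := make([]interface{}, len(e.exprs))
	for i, x := range e.exprs {
		vals[i] = x.Value
	}
	return fmt.Sprintf("unexpected result expressions: %v", vals)
}

// Pair is an (action, resource) tuple standing in for engine.Pair.
type Pair struct {
	Resource string
	Action   string
}

// authorizedFromResultSet decodes a boolean query. Undefined (empty set) is a
// plain deny; anything other than exactly one boolean expression is an error,
// which the caller must also treat as deny. A malformed answer never becomes true.
func authorizedFromResultSet(rs ResultSet) (bool, error) {
	switch len(rs) {
	case 0:
		return false, nil
	case 1:
		exprs := rs[0].Expressions
		if len(exprs) != 1 {
			return false, &ErrUnexpectedResultExpression{exprs}
		}
		allowed, ok := exprs[0].Value.(bool)
		if !ok {
			return false, &ErrUnexpectedResultExpression{exprs}
		}
		return allowed, nil
	default:
		return false, &ErrUnexpectedResultSet{rs}
	}
}

// pairsFromResultSet decodes a filtering query whose single expression is an
// array of {"action": ..., "resource": ...} objects. A missing or non-string
// field is an error rather than a silently empty pair.
func pairsFromResultSet(rs ResultSet) ([]Pair, error) {
	if len(rs) == 0 {
		return nil, nil // nothing authorized
	}
	if len(rs) != 1 {
		return nil, &ErrUnexpectedResultSet{rs}
	}
	exprs := rs[0].Expressions
	if len(exprs) != 1 {
		return nil, &ErrUnexpectedResultExpression{exprs}
	}
	raw, ok := exprs[0].Value.([]interface{})
	if !ok {
		return nil, &ErrUnexpectedResultExpression{exprs}
	}
	pairs := make([]Pair, 0, len(raw))
	for _, item := range raw {
		m, ok := item.(map[string]interface{})
		if !ok {
			return nil, &ErrUnexpectedResultExpression{exprs}
		}
		res, rok := m["resource"].(string)
		act, aok := m["action"].(string)
		if !rok || !aok {
			return nil, &ErrUnexpectedResultExpression{exprs}
		}
		pairs = append(pairs, Pair{Resource: res, Action: act})
	}
	return pairs, nil
}

func main() {
	// Constructed result sets standing in for what a rego query's Eval returns.
	ok, err := authorizedFromResultSet(ResultSet{{Expressions: []*ExpressionValue{{Value: true}}}})
	fmt.Println(ok, err) // true <nil>
	ok, err = authorizedFromResultSet(ResultSet{{Expressions: []*ExpressionValue{{Value: "yes"}}}})
	fmt.Println(ok, err)
}
```

Callers of either decoder should treat an error exactly like a false result for the authorization decision itself, and log the error (the type names the shape that was unexpected) so a policy or query regression is visible rather than silently denying.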
func (*State) ListProjectMappings ¶
func (s *State) ListProjectMappings(ctx context.Context) (map[string][]engine.Rule, error)
ListProjectMappings returns a map of all the rules for each projectID.
func (*State) RulesForProject ¶
func (s *State) RulesForProject(ctx context.Context, projectID string) ([]engine.Rule, error)
RulesForProject returns the rules stored in OPA's data store for the given projectID.
Note(sr): Right now, it doesn't seem like this was doing much more than retrieving data from OPA's store. However, that's fine -- we'll need those mapping rules in OPA's store for other things (most likely), so retrieving them from there is a decent approximation of our approach.
func (*State) SetPolicies ¶
func (s *State) SetPolicies(ctx context.Context, policies map[string]interface{}) error
SetPolicies replaces OPA's data with a new set of policies, and resets the partial evaluation cache. The cache reset is what makes the change effective: partial-evaluation results computed against the previous policies would otherwise keep answering queries.
func (*State) V2FilterAuthorizedPairs ¶
func (s *State) V2FilterAuthorizedPairs( ctx context.Context, subjects engine.Subjects, pairs []engine.Pair) ([]engine.Pair, error)
V2FilterAuthorizedPairs passes the pairs into OPA, lets it take care of the filtering, and returns the resulting (sub)list.
func (*State) V2FilterAuthorizedProjects ¶
func (s *State) V2FilterAuthorizedProjects( ctx context.Context, subjects engine.Subjects, pairs []engine.Pair) ([]string, error)
V2FilterAuthorizedProjects passes the pairs of all action/resources into OPA, lets it take care of the filtering, and returns the projects associated with the resulting (sub)list.
func (*State) V2IsAuthorized ¶
func (s *State) V2IsAuthorized( ctx context.Context, subjects engine.Subjects, action engine.Action, resource engine.Resource) (bool, error)
V2IsAuthorized evaluates whether a given [subject, resource, action] tuple is authorized given the service's state, i.e. the policies and roles last loaded via V2SetPolicies.
func (*State) V2ProjectsAuthorized ¶
func (s *State) V2ProjectsAuthorized( ctx context.Context, subjects engine.Subjects, action engine.Action, resource engine.Resource, projects engine.Projects) ([]string, error)
V2ProjectsAuthorized evaluates whether a given [subject, resource, action, projects] tuple is authorized and returns the list of associated allowed projects from the set of requested projects passed in.
func (*State) V2SetPolicies ¶
func (s *State) V2SetPolicies( ctx context.Context, policyMap map[string]interface{}, roleMap map[string]interface{}, ruleMap map[string][]interface{}) error
V2SetPolicies replaces OPA's data with a new set of policies and roles, and resets the partial evaluation cache for v2.
Spike TODO: Can we have a separate method for just setting the rule mappings? OR does the entire OPA store have to be re-evaluated at once? IF that's true, should we have the same OPA instance in general for rules?