Types ¶
type MockRoleAssignmentsStore ¶
// MockRoleAssignmentsStore is a test double for RoleAssignmentsStore. Each
// method has a matching function-valued field that a test can assign to
// control the behavior being exercised.
//
// NOTE(review): the method bodies are not shown in this listing; presumably
// each method calls the corresponding Fn field, in which case a field left
// nil would panic on use -- confirm against the implementation.
type MockRoleAssignmentsStore struct {
	// GrantFn is the hook intended for Grant (see note above).
	GrantFn func(context.Context, RoleAssignment) error
	// RevokeFn is the hook intended for Revoke (see note above).
	RevokeFn func(context.Context, RoleAssignment) error
	// RevokeManyFn is the hook intended for RevokeMany (see note above).
	RevokeManyFn func(context.Context, RoleAssignment) error
	// ExistsFn is the hook intended for Exists (see note above).
	ExistsFn func(context.Context, RoleAssignment) (bool, error)
}
func (*MockRoleAssignmentsStore) Exists ¶
// Exists satisfies the Exists method of the RoleAssignmentsStore interface.
//
// NOTE(review): the body is not shown in this listing; presumably it
// delegates to m.ExistsFn -- confirm, and confirm whether a nil ExistsFn is
// handled or simply panics.
func (m *MockRoleAssignmentsStore) Exists(
	ctx context.Context,
	roleAssignment RoleAssignment,
) (bool, error)
func (*MockRoleAssignmentsStore) Grant ¶
// Grant satisfies the Grant method of the RoleAssignmentsStore interface.
//
// NOTE(review): the body is not shown in this listing; presumably it
// delegates to m.GrantFn -- confirm, and confirm whether a nil GrantFn is
// handled or simply panics.
func (m *MockRoleAssignmentsStore) Grant(
	ctx context.Context,
	roleAssignment RoleAssignment,
) error
func (*MockRoleAssignmentsStore) Revoke ¶
// Revoke satisfies the Revoke method of the RoleAssignmentsStore interface.
//
// NOTE(review): the body is not shown in this listing; presumably it
// delegates to m.RevokeFn -- confirm, and confirm whether a nil RevokeFn is
// handled or simply panics.
func (m *MockRoleAssignmentsStore) Revoke(
	ctx context.Context,
	roleAssignment RoleAssignment,
) error
func (*MockRoleAssignmentsStore) RevokeMany ¶
// RevokeMany satisfies the RevokeMany method of the RoleAssignmentsStore
// interface.
//
// NOTE(review): the body is not shown in this listing; presumably it
// delegates to m.RevokeManyFn -- confirm, and confirm whether a nil
// RevokeManyFn is handled or simply panics.
func (m *MockRoleAssignmentsStore) RevokeMany(
	ctx context.Context,
	roleAssignment RoleAssignment,
) error
type PrincipalReference ¶
// PrincipalReference is a reference to any sort of security principal (human
// user, service account, etc.).
//
// Both fields carry omitempty, so a zero-value reference serializes as an
// empty object and a decoded reference may legitimately have either field
// missing. Code that feeds a decoded reference into an authorization decision
// should first check that Type and ID are both populated and that Type is one
// of the known PrincipalType constants.
type PrincipalReference struct {
	// Type qualifies what kind of principal is referenced by the ID field-- for
	// instance, a User or a ServiceAccount.
	Type PrincipalType `json:"type,omitempty" bson:"type,omitempty"`
	// ID references a principal. The Type qualifies what type of principal that
	// is-- for instance, a User or a ServiceAccount.
	ID string `json:"id,omitempty" bson:"id,omitempty"`
}
PrincipalReference is a reference to any sort of security principal (human user, service account, etc.).
type PrincipalType ¶
// PrincipalType is a type whose values can be used to disambiguate one type
// of principal from another. For instance, when assigning a Role to a
// principal via a RoleAssignment, a PrincipalType field is used to indicate
// whether the value of the PrincipalID field reflects a User ID or a
// ServiceAccount ID.
//
// It is an open string type: any string converts to it, so a value received
// from outside the process is not guaranteed to be one of the declared
// constants unless the caller checks.
type PrincipalType string
PrincipalType is a type whose values can be used to disambiguate one type of principal from another. For instance, when assigning a Role to a principal via a RoleAssignment, a PrincipalType field is used to indicate whether the value of the PrincipalID field reflects a User ID or a ServiceAccount ID.
// The known PrincipalType values. Because PrincipalType is a plain string
// type, these are the only values a consumer should accept; anything else
// should be rejected rather than treated as "some other principal".
const (
	// PrincipalTypeServiceAccount represents a principal that is a
	// ServiceAccount.
	PrincipalTypeServiceAccount PrincipalType = "SERVICE_ACCOUNT"
	// PrincipalTypeUser represents a principal that is a User.
	PrincipalTypeUser PrincipalType = "USER"
)
type RoleAssignment ¶
// RoleAssignment represents the assignment of a Role to a principal such as a
// User or ServiceAccount.
//
// Neither field carries omitempty, so a zero-value RoleAssignment serializes
// with empty role and principal objects rather than being dropped. Note that
// RoleAssignmentsStore.RevokeMany treats unspecified properties as wildcards,
// so a partially populated RoleAssignment means different things to Grant
// and to RevokeMany.
type RoleAssignment struct {
	// Role assigns a Role to the specified principal.
	Role libAuthz.Role `json:"role" bson:"role"`
	// Principal specifies the principal to whom the Role is assigned.
	Principal PrincipalReference `json:"principal" bson:"principal"`
}
RoleAssignment represents the assignment of a Role to a principal such as a User or ServiceAccount.
type RoleAssignmentsService ¶
// RoleAssignmentsService is the specialized interface for managing
// RoleAssignments. It's decoupled from underlying technology choices (e.g.
// data store, message bus, etc.) to keep business logic reusable and
// consistent while the underlying tech stack remains free to change.
//
// Unlike RoleAssignmentsStore, this interface exposes no RevokeMany or Exists;
// callers that need a bulk revoke or an existence check go through the store.
type RoleAssignmentsService interface {
	// Grant grants the Role specified by the RoleAssignment to the principal also
	// specified by the RoleAssignment. If the specified principal does not exist,
	// implementations must return a *meta.ErrNotFound error.
	Grant(ctx context.Context, roleAssignment RoleAssignment) error
	// Revoke revokes the Role specified by the RoleAssignment for the principal
	// also specified by the RoleAssignment. If the specified principal does not
	// exist, implementations must return a *meta.ErrNotFound error.
	Revoke(ctx context.Context, roleAssignment RoleAssignment) error
}
RoleAssignmentsService is the specialized interface for managing RoleAssignments. It's decoupled from underlying technology choices (e.g. data store, message bus, etc.) to keep business logic reusable and consistent while the underlying tech stack remains free to change.
func NewRoleAssignmentsService ¶
// NewRoleAssignmentsService returns a specialized interface for managing
// RoleAssignments.
//
// NOTE(review): the body is not shown in this listing. From the parameter
// list, authorizeFn presumably gates Grant and Revoke, and usersStore /
// serviceAccountsStore presumably supply the principal lookup behind the
// documented *meta.ErrNotFound contract -- confirm against the
// implementation.
func NewRoleAssignmentsService(
	authorizeFn libAuthz.AuthorizeFn,
	usersStore authn.UsersStore,
	serviceAccountsStore authn.ServiceAccountsStore,
	roleAssignmentsStore RoleAssignmentsStore,
) RoleAssignmentsService
NewRoleAssignmentsService returns a specialized interface for managing RoleAssignments.
type RoleAssignmentsStore ¶
// RoleAssignmentsStore is an interface for components that implement
// RoleAssignment persistence concerns.
//
// Two contract points deserve care in callers: RevokeMany matches on the
// properties that ARE set and ignores the rest, so a zero-value RoleAssignment
// matches every stored assignment; and Exists reports overlap (a global-scope
// assignment satisfies a query for a narrower scope), with errors reserved for
// genuine failures, so a caller using Exists for an authorization decision
// should treat a non-nil error as "not authorized" rather than as "absent".
type RoleAssignmentsStore interface {
	// Grant the role specified by the RoleAssignment to the principal specified
	// by the RoleAssignment.
	Grant(context.Context, RoleAssignment) error
	// Revoke the role specified by the RoleAssignment for the principal specified
	// by the RoleAssignment.
	Revoke(context.Context, RoleAssignment) error
	// RevokeMany revokes all RoleAssignments that share ALL properties of the
	// specified RoleAssignment. Properties left unspecified are ignored, i.e.
	// not factored into the match.
	//
	// Callers should make sure at least one property is set before calling
	// this; by the contract above, an entirely unspecified RoleAssignment
	// matches (and revokes) everything in the store.
	//
	// Example -- revoking all project-level RoleAssignments for a given Project:
	//
	//	err := p.roleAssignmentsStore.RevokeMany(
	//		ctx,
	//		authz.RoleAssignment{
	//			Role: libAuthz.Role{
	//				Type:  RoleTypeProject,
	//				Scope: projectID,
	//			},
	//		},
	//	)
	RevokeMany(ctx context.Context, roleAssignment RoleAssignment) error
	// Exists returns a bool indicating whether the specified RoleAssignment
	// exists within the store. Implementations MUST also return true if a
	// RoleAssignment exists in the store that logically "overlaps" the specified
	// RoleAssignment. For instance, when seeking to determine whether a
	// RoleAssignment exists that endows some principal P with Role X having scope
	// Y, and such a RoleAssignment does not exist, but one does that endows that
	// principal P with Role X having GLOBAL SCOPE (*), then true MUST be
	// returned. Implementations MUST also return an error if and only if anything
	// goes wrong. i.e. Errors are never used to communicate that the specified
	// RoleAssignment does not exist in the store. They are only used to convey an
	// actual failure.
	Exists(context.Context, RoleAssignment) (bool, error)
}
RoleAssignmentsStore is an interface for components that implement RoleAssignment persistence concerns.