Overview
Package cedar provides an implementation of the Cedar language authorizer.
Constants

const (
	Permit = Effect(true)
	Forbid = Effect(false)
)

Each Policy has a Permit or Forbid effect that is determined during parsing.

const (
	Allow = Decision(true)
	Deny  = Decision(false)
)

Each authorization results in one of these Decisions.
const DecimalPrecision = 10000
DecimalPrecision is the precision of a Decimal.
Variables
This section is empty.
Functions
This section is empty.
Types
type Annotations
An Annotations is a map of key, value pairs found in the policy. Annotations have no impact on policy evaluation.
type Boolean
type Boolean bool
A Boolean is a value that is either true or false.
func (Boolean) Cedar
Cedar produces a valid Cedar language representation of the Boolean, e.g. `true`.
func (Boolean) ExplicitMarshalJSON
ExplicitMarshalJSON marshals the Boolean into JSON.
type Decimal
type Decimal int64
A Decimal is a value with both a whole number part and a decimal part of no more than four digits. In Go it is stored as an int64; the precision is defined by the constant DecimalPrecision.
func ParseDecimal
ParseDecimal takes a string representation of a decimal number and converts it into a Decimal type.
func (Decimal) Cedar
Cedar produces a valid Cedar language representation of the Decimal, e.g. `decimal("12.34")`.
func (Decimal) ExplicitMarshalJSON
ExplicitMarshalJSON marshals the Decimal into JSON using the explicit form.
func (Decimal) MarshalJSON
MarshalJSON marshals the Decimal into JSON using the implicit form.
func (*Decimal) UnmarshalJSON
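The following is an added, self-contained illustration of the Decimal representation described above (an int64 scaled by DecimalPrecision); it is example code, not the cedar-go package's own implementation. It shows a parser that rejects more than four fractional digits or an out-of-range value instead of rounding or wrapping, and a Cedar method producing the `decimal("12.34")` form. The accepted syntax (optional leading '-', digits, optional '.' followed by one to four digits) and the helper name digits are this example's assumptions, not a statement of what the package accepts.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DecimalPrecision mirrors the documented constant: the stored int64 is the value times 10000.
const DecimalPrecision = 10000
// Decimal mirrors the documented type (example code, not the package's own).
type Decimal int64
// digits reports whether s is one or more ASCII digits.
func digits(s string) bool {
	return s != "" && strings.TrimLeft(s, "0123456789") == ""
}
// ParseDecimal accepts an optional leading '-', a whole part and an optional
// fraction of one to four digits (assumed syntax). Anything else, and anything
// that overflows int64 once scaled, is rejected: no rounding, no wrap-around.
func ParseDecimal(s string) (Decimal, error) {
	sign, body := "", s
	if strings.HasPrefix(s, "-") {
		sign, body = "-", s[1:]
	}
	whole, frac, hasDot := strings.Cut(body, ".")
	if !digits(whole) || (hasDot && !digits(frac)) || len(frac) > 4 {
		return 0, fmt.Errorf("invalid decimal %q", s)
	}
	// Pad the fraction to four digits and let strconv do the int64 range check.
	scaled := sign + whole + frac + strings.Repeat("0", 4-len(frac))
	v, err := strconv.ParseInt(scaled, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("decimal %q does not fit in int64", s)
	}
	return Decimal(v), nil
}
// Cedar renders the documented form, e.g. decimal("12.34"); trailing zeros
// are trimmed from the fraction but at least one digit is kept.
func (d Decimal) Cedar() string {
	sign, m := "", uint64(d)
	if d < 0 {
		sign, m = "-", uint64(-d) // correct even for MinInt64 (bit pattern 2^63)
	}
	frac := strings.TrimRight(fmt.Sprintf("%04d", m%DecimalPrecision), "0")
	if frac == "" {
		frac = "0"
	}
	return fmt.Sprintf(`decimal("%s%d.%s")`, sign, m/DecimalPrecision, frac)
}
```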
type Decision
type Decision bool
A Decision is the result of the authorization.
func (Decision) MarshalJSON
func (*Decision) UnmarshalJSON
type Diagnostic

type Diagnostic struct {
	Reasons []Reason `json:"reasons,omitempty"`
	Errors  []Error  `json:"errors,omitempty"`
}

A Diagnostic details the errors and reasons for an authorization decision.
type Effect
type Effect bool
An Effect specifies the intent of the policy, to either permit or forbid any request that matches the scope and conditions specified in the policy.
func (Effect) MarshalJSON
func (*Effect) UnmarshalJSON
type Entities
An Entities is a collection of all the Entities that are needed to evaluate authorization requests. The key is an EntityUID which uniquely identifies the Entity (it must be the same as the UID within the Entity itself).
func (Entities) MarshalJSON
func (*Entities) UnmarshalJSON
type Entity

type Entity struct {
	UID        EntityUID   `json:"uid"`
	Parents    []EntityUID `json:"parents,omitempty"`
	Attributes Record      `json:"attrs"`
}

An Entity defines the parents and attributes for an EntityUID.
type EntityUID
An EntityUID is the identifier for a principal, action, or resource.
func NewEntityUID
func (EntityUID) Cedar
Cedar produces a valid Cedar language representation of the EntityUID, e.g. `Type::"id"`.
func (EntityUID) ExplicitMarshalJSON
ExplicitMarshalJSON marshals the EntityUID into JSON using the explicit form.
func (EntityUID) MarshalJSON
MarshalJSON marshals the EntityUID into JSON using the implicit form.
func (EntityUID) String
String produces a string representation of the EntityUID, e.g. `Type::"id"`.
func (*EntityUID) UnmarshalJSON
type Error

type Error struct {
	Policy   int      `json:"policy"`
	Position Position `json:"position"`
	Message  string   `json:"message"`
}

An Error details the Policy index within a PolicySet, the Position within the text document, and the resulting error message.
type IPAddr
An IPAddr is a value that represents an IP address. It can be either IPv4 or IPv6. The value can represent an individual address or a range of addresses.
func ParseIPAddr
ParseIPAddr takes a string representation of an IP address and converts it into an IPAddr type.
func (IPAddr) Cedar
Cedar produces a valid Cedar language representation of the IPAddr, e.g. `ip("127.0.0.1")`.
func (IPAddr) ExplicitMarshalJSON
ExplicitMarshalJSON marshals the IPAddr into JSON using the explicit form.
func (IPAddr) MarshalJSON
MarshalJSON marshals the IPAddr into JSON using the implicit form.
func (*IPAddr) UnmarshalJSON
type Long
type Long int64
A Long is a whole number without decimals that can range from -9223372036854775808 to 9223372036854775807.
func (Long) ExplicitMarshalJSON
ExplicitMarshalJSON marshals the Long into JSON.
type Policy

type Policy struct {
	Position    Position    // location within the policy text document
	Annotations Annotations // annotations found for this policy
	Effect      Effect      // the effect of this policy
	// contains filtered or unexported fields
}

A Policy is the parsed form of a single Cedar language policy statement. It includes the following elements: a Position, Annotations, and an Effect.
type PolicySet
type PolicySet []Policy
A PolicySet is a slice of policies.
func NewPolicySet
NewPolicySet will create a PolicySet from the given text document with the given file name used in Position data. If there is an error parsing the document, it will be returned.
func (PolicySet) IsAuthorized
func (p PolicySet) IsAuthorized(entities Entities, req Request) (Decision, Diagnostic)
IsAuthorized evaluates the given Request against the PolicySet and the Entities and returns the resulting Decision together with a Diagnostic explaining it.
type Position

type Position struct {
	Filename string // filename, if any
	Offset   int    // byte offset, starting at 0
	Line     int    // line number, starting at 1
	Column   int    // column number, starting at 1 (character count per line)
}

A Position describes an arbitrary source position including the file, line, and column location.
type Reason
A Reason details the Policy index within a PolicySet, and the Position within the text document.
type Record
A Record is a collection of attributes. Each attribute consists of a name and an associated value. Names are simple strings. Values can be of any type.
func (Record) Cedar
Cedar produces a valid Cedar language representation of the Record, e.g. `{"a":1,"b":2,"c":3}`.
func (Record) ExplicitMarshalJSON
ExplicitMarshalJSON marshals the Record into JSON; the marshaller uses the explicit JSON form for all the values in the Record.
func (Record) MarshalJSON
MarshalJSON marshals the Record into JSON; the marshaller uses the explicit JSON form for all the values in the Record.
func (Record) String
String produces a string representation of the Record, e.g. `{"a":1,"b":2,"c":3}`.
func (*Record) UnmarshalJSON
type Request

type Request struct {
	Principal EntityUID `json:"principal"`
	Action    EntityUID `json:"action"`
	Resource  EntityUID `json:"resource"`
	Context   Record    `json:"context"`
}

A Request is the Principal, Action, Resource, and Context portion of an authorization request.
type Set
type Set []Value
A Set is a collection of elements that can be of the same or different types.
func (Set) ExplicitMarshalJSON
ExplicitMarshalJSON marshals the Set into JSON; the marshaller uses the explicit JSON form for all the values in the Set.
func (Set) MarshalJSON
MarshalJSON marshals the Set into JSON; the marshaller uses the explicit JSON form for all the values in the Set.
func (*Set) UnmarshalJSON
type String
type String string
A String is a sequence of characters consisting of letters, numbers, or symbols.
func (String) Cedar
Cedar produces a valid Cedar language representation of the String, e.g. `"hello"`.
func (String) ExplicitMarshalJSON
ExplicitMarshalJSON marshals the String into JSON.
type Value

type Value interface {
	// String produces a string representation of the Value.
	String() string
	// Cedar produces a valid Cedar language representation of the Value.
	Cedar() string
	// ExplicitMarshalJSON marshals the Value into JSON using the explicit (if
	// applicable) JSON form, which is necessary for marshalling values within
	// Sets or Records where the type is not defined.
	ExplicitMarshalJSON() ([]byte, error)
	// contains filtered or unexported methods
}