Index ¶
- Constants
- Variables
- func Ancestors(p *policyv1.Policy) []namer.ModuleID
- func Dependencies(p *policyv1.Policy) ([]string, []string)
- func DerivedRoleConditionProtoPath(idx int) string
- func DerivedRoleRuleProtoPath(idx int) string
- func ExportVariablesVariableProtoPath() string
- func FindPolicy(src io.Reader, modID namer.ModuleID) (*policyv1.Policy, parser.SourceCtx, error)
- func GetHash(p *policyv1.Policy) uint64
- func GetScope(p *policyv1.Policy) string
- func GetSourceFile(p *policyv1.Policy) string
- func ListActions(p *policyv1.Policy) []string
- func ListExportedDerivedRoles(drp *policyv1.DerivedRoles) []*responsev1.InspectPoliciesResponse_DerivedRole
- func ListPolicySetActions(ps *runtimev1.RunnablePolicySet) []string
- func ListPolicySetDerivedRoles(ps *runtimev1.RunnablePolicySet) []*responsev1.InspectPoliciesResponse_DerivedRole
- func ListPolicySetVariables(ps *runtimev1.RunnablePolicySet) []*responsev1.InspectPoliciesResponse_Variable
- func ListVariables(p *policyv1.Policy) map[string]*responsev1.InspectPoliciesResponse_Variable
- func PrincipalPolicyActionRuleProtoPath(parentIdx, idx int) string
- func PrincipalPolicyRuleProtoPath(idx int) string
- func ReadBinaryPolicy(src io.Reader) (*policyv1.Policy, error)
- func ReadPolicy(src io.Reader) (*policyv1.Policy, error)
- func ReadPolicyFromFile(fsys fs.FS, path string) (*policyv1.Policy, error)
- func ReadPolicyWithSourceContext(fsys fs.FS, path string) (*policyv1.Policy, parser.SourceCtx, error)
- func ReadPolicyWithSourceContextFromReader(src io.Reader) (*policyv1.Policy, parser.SourceCtx, error)
- func RequiredAncestors(p *policyv1.Policy) map[namer.ModuleID]string
- func ResourcePolicyImportDerivedRolesProtoPath(idx int) string
- func ResourcePolicyPrincipalSchemaProtoPath() string
- func ResourcePolicyResourceSchemaProtoPath() string
- func ResourcePolicyRuleProtoPath(idx int) string
- func ResourcePolicyRuleReferencedDerivedRoleProtoPath(ruleIdx, roleIdx int) string
- func SchemaReferences(p *policyv1.Policy) []string
- func Validate(p *policyv1.Policy, sc parser.SourceCtx) error
- func VariablesImportProtoPath(p *policyv1.Policy, idx int) string
- func VariablesLocalProtoPath(p *policyv1.Policy) string
- func WithHash(p *policyv1.Policy) *policyv1.Policy
- func WithMetadata(p *policyv1.Policy, source string, annotations map[string]string, ...) *policyv1.Policy
- func WithSourceAttributes(p *policyv1.Policy, attrs ...SourceAttribute) *policyv1.Policy
- func WithStoreIdentifier(p *policyv1.Policy, storeIdentifier string) *policyv1.Policy
- func WriteBinaryPolicy(dest io.Writer, p *policyv1.Policy) error
- func WritePolicy(dest io.Writer, p *policyv1.Policy) error
- type CompilationUnit
- func (cu *CompilationUnit) AddDefinition(id namer.ModuleID, p *policyv1.Policy, sc parser.SourceCtx)
- func (cu *CompilationUnit) Ancestors() []namer.ModuleID
- func (cu *CompilationUnit) Key() string
- func (cu *CompilationUnit) MainPolicy() *policyv1.Policy
- func (cu *CompilationUnit) MainSourceFile() string
- type Kind
- type SourceAttribute
- type ValidationError
- type Wrapper
Constants ¶
const ( ResourceKindStr = "RESOURCE" PrincipalKindStr = "PRINCIPAL" DerivedRolesKindStr = "DERIVED_ROLES" ExportVariablesKindStr = "EXPORT_VARIABLES" )
Variables ¶
var IgnoreHashFields = map[string]struct{}{
"cerbos.policy.v1.Policy.description": {},
"cerbos.policy.v1.Policy.disabled": {},
"cerbos.policy.v1.Policy.json_schema": {},
"cerbos.policy.v1.Policy.metadata": {},
}
Functions ¶
func Ancestors ¶ added in v0.13.0
Ancestors returns the module IDs of the ancestors of this policy from most recent to oldest.
func Dependencies ¶
Dependencies returns the module names of dependencies of the policy.
func DerivedRoleConditionProtoPath ¶ added in v0.34.0
func DerivedRoleRuleProtoPath ¶ added in v0.34.0
func ExportVariablesVariableProtoPath ¶ added in v0.34.0
func ExportVariablesVariableProtoPath() string
func FindPolicy ¶ added in v0.34.0
FindPolicy finds the policy with the given module ID in the data read from the given reader.
func GetSourceFile ¶
GetSourceFile returns the source file name recorded in the policy metadata, if one is present.
func ListActions ¶ added in v0.35.0
ListActions returns the unique list of actions referenced in a policy.
func ListExportedDerivedRoles ¶ added in v0.37.0
func ListExportedDerivedRoles(drp *policyv1.DerivedRoles) []*responsev1.InspectPoliciesResponse_DerivedRole
ListExportedDerivedRoles returns exported derived roles defined in the given derived roles policy.
func ListPolicySetActions ¶ added in v0.35.0
func ListPolicySetActions(ps *runtimev1.RunnablePolicySet) []string
ListPolicySetActions returns the unique list of actions referenced in a policy set.
func ListPolicySetDerivedRoles ¶ added in v0.37.0
func ListPolicySetDerivedRoles(ps *runtimev1.RunnablePolicySet) []*responsev1.InspectPoliciesResponse_DerivedRole
ListPolicySetDerivedRoles returns the derived roles that are both imported and used in a policy set.
func ListPolicySetVariables ¶ added in v0.37.0
func ListPolicySetVariables(ps *runtimev1.RunnablePolicySet) []*responsev1.InspectPoliciesResponse_Variable
ListPolicySetVariables returns the local and exported variables defined in a policy set.
func ListVariables ¶ added in v0.37.0
func ListVariables(p *policyv1.Policy) map[string]*responsev1.InspectPoliciesResponse_Variable
ListVariables returns local and exported variables (not imported ones) defined in a policy.
func PrincipalPolicyActionRuleProtoPath ¶ added in v0.34.0
func PrincipalPolicyRuleProtoPath ¶ added in v0.34.0
func ReadBinaryPolicy ¶ added in v0.9.0
ReadBinaryPolicy reads a policy from binary (protobuf encoding).
func ReadPolicy ¶
ReadPolicy reads a policy from the given reader.
func ReadPolicyFromFile ¶ added in v0.9.0
func ReadPolicyWithSourceContext ¶ added in v0.34.0
func ReadPolicyWithSourceContext(fsys fs.FS, path string) (*policyv1.Policy, parser.SourceCtx, error)
ReadPolicyWithSourceContext reads a policy and returns it along with information about its source.
func ReadPolicyWithSourceContextFromReader ¶ added in v0.34.0
func RequiredAncestors ¶ added in v0.13.0
RequiredAncestors returns a mapping from module ID to fully-qualified name for the required ancestors of the policy.
func ResourcePolicyImportDerivedRolesProtoPath ¶ added in v0.34.0
func ResourcePolicyPrincipalSchemaProtoPath ¶ added in v0.34.0
func ResourcePolicyPrincipalSchemaProtoPath() string
func ResourcePolicyResourceSchemaProtoPath ¶ added in v0.34.0
func ResourcePolicyResourceSchemaProtoPath() string
func ResourcePolicyRuleProtoPath ¶ added in v0.34.0
func ResourcePolicyRuleReferencedDerivedRoleProtoPath ¶ added in v0.34.0
func SchemaReferences ¶ added in v0.11.0
SchemaReferences returns references to the schemas found in the policy.
func VariablesImportProtoPath ¶ added in v0.34.0
func VariablesLocalProtoPath ¶ added in v0.34.0
func WithHash ¶ added in v0.13.0
WithHash calculates the hash for the policy and adds it to the policy metadata. The fields listed in IgnoreHashFields (description, disabled, json_schema and metadata) are presumably excluded from the hash, so a change to those fields alone is not expected to alter it; confirm against the implementation before relying on the hash to detect such changes.
func WithMetadata ¶
func WithMetadata(p *policyv1.Policy, source string, annotations map[string]string, storeIdentifier string, sourceAttr ...SourceAttribute) *policyv1.Policy
WithMetadata adds metadata to the policy.
func WithSourceAttributes ¶ added in v0.33.0
func WithSourceAttributes(p *policyv1.Policy, attrs ...SourceAttribute) *policyv1.Policy
WithSourceAttributes adds given source attributes to the policy.
func WithStoreIdentifier ¶ added in v0.13.0
WithStoreIdentifier adds the store identifier to the metadata.
func WriteBinaryPolicy ¶ added in v0.9.0
WriteBinaryPolicy writes a policy as binary (protobuf encoding).
Types ¶
type CompilationUnit ¶
type CompilationUnit struct { Definitions map[namer.ModuleID]*policyv1.Policy SourceContexts map[namer.ModuleID]parser.SourceCtx ModID namer.ModuleID }
CompilationUnit is the set of policies that need to be compiled together. For example, if a resource policy named R imports derived roles named D, the compilation unit contains both R and D, with the ModID field set to R's module ID because R is the main policy.
func (*CompilationUnit) AddDefinition ¶
func (*CompilationUnit) Ancestors ¶ added in v0.13.0
func (cu *CompilationUnit) Ancestors() []namer.ModuleID
func (*CompilationUnit) Key ¶
func (cu *CompilationUnit) Key() string
Key returns the human-readable identifier for the main module.
func (*CompilationUnit) MainPolicy ¶ added in v0.9.0
func (cu *CompilationUnit) MainPolicy() *policyv1.Policy
func (*CompilationUnit) MainSourceFile ¶
func (cu *CompilationUnit) MainSourceFile() string
type Kind ¶
Kind defines the type of policy (resource, principal, derived roles, export variables, etc.).
const ( DerivedRolesKind Kind = Kind(policyv1.Kind_KIND_DERIVED_ROLES) ExportVariablesKind Kind = Kind(policyv1.Kind_KIND_EXPORT_VARIABLES) PrincipalKind Kind = Kind(policyv1.Kind_KIND_PRINCIPAL) ResourceKind Kind = Kind(policyv1.Kind_KIND_RESOURCE) )
func KindFromFQN ¶ added in v0.29.0
KindFromFQN returns the kind of policy referred to by the given fully-qualified name.
type SourceAttribute ¶ added in v0.33.0
SourceAttribute holds structured information about the policy from its source.
func SourceDriver ¶ added in v0.33.0
func SourceDriver(driver string) SourceAttribute
SourceDriver creates a source attribute for the storage driver.
func SourceFile ¶ added in v0.33.0
func SourceFile(source string) SourceAttribute
SourceFile creates a source attribute describing the file name of the policy.
func SourceUpdateTS ¶ added in v0.33.0
func SourceUpdateTS(timestamp time.Time) SourceAttribute
SourceUpdateTS creates a source attribute describing the time a policy was updated in a mutable store.
func SourceUpdateTSNow ¶ added in v0.33.0
func SourceUpdateTSNow() SourceAttribute
SourceUpdateTSNow creates a source attribute setting the update time to now.
type ValidationError ¶ added in v0.34.0
func (ValidationError) Error ¶ added in v0.34.0
func (ve ValidationError) Error() string
type Wrapper ¶
type Wrapper struct { *policyv1.Policy FQN string Name string Version string Scope string ID namer.ModuleID Kind Kind }
Wrapper is a convenience layer over the policy definition.
func (Wrapper) Dependencies ¶
func (Wrapper) ToProto ¶ added in v0.38.0
func (w Wrapper) ToProto() *sourcev1.PolicyWrapper