authz

Published: Jan 10, 2025 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Authorization package

Index

Constants

// Actions that a policy can grant on a resource.
const (
	ActionRead   = "read"
	ActionList   = "list"
	ActionCreate = "create"
	ActionUpdate = "update"
	ActionDelete = "delete"
)

// Resources that policies refer to. UserMembership and Organization do not
// carry the Resource prefix the other names use; renaming them would break
// callers, so the names are left as they are.
const (
	ResourceWorkflowContract      = "workflow_contract"
	ResourceCASArtifact           = "cas_artifact"
	ResourceCASBackend            = "cas_backend"
	ResourceReferrer              = "referrer"
	ResourceAvailableIntegration  = "integration_available"
	ResourceRegisteredIntegration = "integration_registered"
	ResourceAttachedIntegration   = "integration_attached"
	ResourceOrgMetric             = "metrics_org"
	ResourceRobotAccount          = "robot_account"
	ResourceWorkflowRun           = "workflow_run"
	ResourceWorkflow              = "workflow"
	UserMembership                = "membership_user"
	Organization                  = "organization"
)

// Organization roles. There are three of them and they are hierarchical:
// Owner inherits every policy granted to Admin, which in turn inherits every
// policy granted to Viewer (the read-only role).
const (
	RoleOwner  Role = "role:org:owner"
	RoleAdmin  Role = "role:org:admin"
	RoleViewer Role = "role:org:viewer"
)

Variables

// Policies, grouped by resource, built from the Resource* and Action*
// constants. ServerOperationsMap and the Enforcer helpers refer to them by
// pointer, so callers should treat them as read-only.
var (
	// Referrer
	PolicyReferrerRead = &Policy{Resource: ResourceReferrer, Action: ActionRead}
	// Artifact
	PolicyArtifactDownload = &Policy{Resource: ResourceCASArtifact, Action: ActionRead}
	PolicyArtifactUpload   = &Policy{Resource: ResourceCASArtifact, Action: ActionCreate}
	// CAS backend
	PolicyCASBackendList = &Policy{Resource: ResourceCASBackend, Action: ActionList}
	// Available integrations
	PolicyAvailableIntegrationList = &Policy{Resource: ResourceAvailableIntegration, Action: ActionList}
	PolicyAvailableIntegrationRead = &Policy{Resource: ResourceAvailableIntegration, Action: ActionRead}
	// Registered integrations
	PolicyRegisteredIntegrationList = &Policy{Resource: ResourceRegisteredIntegration, Action: ActionList}
	PolicyRegisteredIntegrationRead = &Policy{Resource: ResourceRegisteredIntegration, Action: ActionRead}
	PolicyRegisteredIntegrationAdd  = &Policy{Resource: ResourceRegisteredIntegration, Action: ActionCreate}
	// Attached integrations
	PolicyAttachedIntegrationList   = &Policy{Resource: ResourceAttachedIntegration, Action: ActionList}
	PolicyAttachedIntegrationAttach = &Policy{Resource: ResourceAttachedIntegration, Action: ActionCreate}
	// Org metrics. NOTE(review): the action is "list" although the name says
	// Read; changing it would change which stored policies match, so it is
	// kept as is — confirm the intended action before touching it.
	PolicyOrgMetricsRead = &Policy{Resource: ResourceOrgMetric, Action: ActionList}
	// Robot account
	PolicyRobotAccountList   = &Policy{Resource: ResourceRobotAccount, Action: ActionList}
	PolicyRobotAccountCreate = &Policy{Resource: ResourceRobotAccount, Action: ActionCreate}
	// Workflow contract
	PolicyWorkflowContractList   = &Policy{Resource: ResourceWorkflowContract, Action: ActionList}
	PolicyWorkflowContractRead   = &Policy{Resource: ResourceWorkflowContract, Action: ActionRead}
	PolicyWorkflowContractUpdate = &Policy{Resource: ResourceWorkflowContract, Action: ActionUpdate}
	PolicyWorkflowContractCreate = &Policy{Resource: ResourceWorkflowContract, Action: ActionCreate}
	// Workflow run
	PolicyWorkflowRunList = &Policy{Resource: ResourceWorkflowRun, Action: ActionList}
	PolicyWorkflowRunRead = &Policy{Resource: ResourceWorkflowRun, Action: ActionRead}
	// Workflow
	PolicyWorkflowList   = &Policy{Resource: ResourceWorkflow, Action: ActionList}
	PolicyWorkflowRead   = &Policy{Resource: ResourceWorkflow, Action: ActionRead}
	PolicyWorkflowCreate = &Policy{Resource: ResourceWorkflow, Action: ActionCreate}

	// Organization (the previous grouping comment said "User Membership", but
	// the policy is on the Organization resource)
	PolicyOrganizationRead = &Policy{Resource: Organization, Action: ActionRead}
)
// ServerOperationsMap maps a server operation (the keys look like gRPC full
// method names) to the policies a subject must hold to call it; when several
// policies are listed, all of them must pass. An empty list means this table
// checks no policy for the operation — presumably it is then open to any
// authenticated subject, so any further authorization must happen in the
// handler itself; confirm in the middleware that consults this map.
//
// NOTE(review): the OrgMetricsService key is a pattern ("/.*") while every
// other key is a literal method name, so the lookup code must be doing
// pattern matching; make sure the pattern is anchored so that it cannot
// match methods of other services.
var ServerOperationsMap = map[string][]*Policy{
	// Referrers
	"/controlplane.v1.ReferrerService/DiscoverPrivate": []*Policy{PolicyReferrerRead},

	// CAS credentials: no policy is checked here
	"/controlplane.v1.CASCredentialsService/Get": []*Policy{},

	// CAS redirects
	"/controlplane.v1.CASRedirectService/DownloadRedirect": []*Policy{PolicyArtifactDownload},

	"/controlplane.v1.CASRedirectService/GetDownloadURL": []*Policy{PolicyArtifactDownload},

	// CAS backends
	"/controlplane.v1.CASBackendService/List": []*Policy{PolicyCASBackendList},

	// Integrations: listing the available ones needs both list and read
	"/controlplane.v1.IntegrationsService/ListAvailable": []*Policy{PolicyAvailableIntegrationList, PolicyAvailableIntegrationRead},

	"/controlplane.v1.IntegrationsService/ListRegistrations":    []*Policy{PolicyRegisteredIntegrationList},
	"/controlplane.v1.IntegrationsService/DescribeRegistration": []*Policy{PolicyRegisteredIntegrationRead},
	"/controlplane.v1.IntegrationsService/Register":             []*Policy{PolicyRegisteredIntegrationAdd},

	"/controlplane.v1.IntegrationsService/ListAttachments": []*Policy{PolicyAttachedIntegrationList},
	"/controlplane.v1.IntegrationsService/Attach":          []*Policy{PolicyAttachedIntegrationAttach},

	// Org metrics: a pattern covering every method of the service
	"/controlplane.v1.OrgMetricsService/.*": []*Policy{PolicyOrgMetricsRead},

	// Robot accounts
	"/controlplane.v1.RobotAccountService/List":   []*Policy{PolicyRobotAccountList},
	"/controlplane.v1.RobotAccountService/Create": []*Policy{PolicyRobotAccountCreate},

	// Workflows
	"/controlplane.v1.WorkflowService/List":   []*Policy{PolicyWorkflowList},
	"/controlplane.v1.WorkflowService/View":   []*Policy{PolicyWorkflowRead},
	"/controlplane.v1.WorkflowService/Create": []*Policy{PolicyWorkflowCreate},

	// Workflow runs
	"/controlplane.v1.WorkflowRunService/List": []*Policy{PolicyWorkflowRunList},
	"/controlplane.v1.WorkflowRunService/View": []*Policy{PolicyWorkflowRunRead},

	// Workflow contracts
	"/controlplane.v1.WorkflowContractService/List":     []*Policy{PolicyWorkflowContractList},
	"/controlplane.v1.WorkflowContractService/Describe": []*Policy{PolicyWorkflowContractRead},
	"/controlplane.v1.WorkflowContractService/Update":   []*Policy{PolicyWorkflowContractUpdate},
	"/controlplane.v1.WorkflowContractService/Create":   []*Policy{PolicyWorkflowContractCreate},

	// Context
	"/controlplane.v1.ContextService/Current": []*Policy{PolicyOrganizationRead},

	// User- and account-scoped operations: no org policy is checked here
	"/controlplane.v1.OrganizationService/Create": []*Policy{},

	"/controlplane.v1.UserService/ListMemberships": []*Policy{},

	"/controlplane.v1.UserService/SetCurrentMembership": []*Policy{},

	"/controlplane.v1.UserService/DeleteMembership": []*Policy{},
	"/controlplane.v1.AuthService/DeleteAccount":    []*Policy{},
}

ServerOperationsMap maps each server operation to the (resource, action) policies required to perform it. If an operation lists more than one policy, all of them must be satisfied.

Functions

This section is empty.

Types

type Enforcer

// Enforcer wraps a casbin enforcer and adds helpers that work in terms of a
// SubjectAPIToken and a Policy (AddPolicies, ClearPolicies and Enforce).
//
// NOTE(review): because *casbin.Enforcer is embedded, its whole method set —
// including the policy mutation methods — is promoted onto the exported
// Enforcer, so callers are not confined to the helpers defined in this package.
type Enforcer struct {
	*casbin.Enforcer
}

func NewDatabaseEnforcer

func NewDatabaseEnforcer(c *conf.Data_Database) (*Enforcer, error)

NewDatabaseEnforcer creates a new casbin authorization enforcer that uses a database as its policy storage backend.

func NewFiletypeEnforcer

func NewFiletypeEnforcer(path string) (*Enforcer, error)

NewFiletypeEnforcer creates a new casbin authorization enforcer that uses a CSV file as its policy storage backend.

func (*Enforcer) AddPolicies

func (e *Enforcer) AddPolicies(sub *SubjectAPIToken, policies ...*Policy) error

func (*Enforcer) ClearPolicies

func (e *Enforcer) ClearPolicies(sub *SubjectAPIToken) error

ClearPolicies removes all the policies for the given subject.

func (*Enforcer) Enforce

func (e *Enforcer) Enforce(sub string, p *Policy) (bool, error)

type Policy

// Policy is a (resource, action) tuple: the unit that Enforcer.Enforce checks
// and Enforcer.AddPolicies grants to a subject.
type Policy struct {
	Resource string // typically one of the Resource* constants (see the Policy* vars)
	Action   string // typically one of the Action* constants
}

Policy is a (resource, action) tuple.

type Role

// Role is an organization-level role name (RoleOwner, RoleAdmin, RoleViewer).
// Its Values method lets the role set be used as a database enum.
type Role string

func (Role) Values

func (Role) Values() (roles []string)

Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues so the roles can be added to the database schema.

type SubjectAPIToken

// SubjectAPIToken identifies an API token as an authorization subject for
// AddPolicies and ClearPolicies. NOTE(review): presumably its String form is
// what Enforce receives as sub — confirm against the callers.
type SubjectAPIToken struct {
	ID string // token identifier; String() is presumably derived from it
}

func (*SubjectAPIToken) String

func (t *SubjectAPIToken) String() string
