opa

package
v0.0.0-...-d1e9850 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 18, 2024 License: Apache-2.0 Imports: 19 Imported by: 1

README

OPA decision engine

policy.go

This file is generated from policy/*.rego.

The generation is done using go-bindata, from go generate. Run this from components/authz-service:

$ go generate ./...
$ # no output on success

It requires that go-bindata is installed.

TODO (sr): ensure this works properly in habitat and studio env. Other projects also use go-bindata, IIRC.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Asset

func Asset(name string) ([]byte, error)

Asset loads and returns the asset for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetDir

func AssetDir(name string) ([]string, error)

AssetDir returns the file names below a certain directory embedded in the file by go-bindata. For example if you run go-bindata on data/... and data contains the following hierarchy:

data/
  foo.txt
  img/
    a.png
    b.png

then AssetDir("data") would return []string{"foo.txt", "img"} AssetDir("data/img") would return []string{"a.png", "b.png"} AssetDir("foo.txt") and AssetDir("notexist") would return an error AssetDir("") will return []string{"data"}.

func AssetInfo

func AssetInfo(name string) (os.FileInfo, error)

AssetInfo loads and returns the asset info for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetNames

func AssetNames() []string

AssetNames returns the names of the assets.

func MustAsset

func MustAsset(name string) []byte

MustAsset is like Asset but panics when Asset would return an error. It simplifies safe initialization of global variables.

func RestoreAsset

func RestoreAsset(dir, name string) error

RestoreAsset restores an asset under the given directory

func RestoreAssets

func RestoreAssets(dir, name string) error

RestoreAssets restores an asset under the given directory recursively

Types

type EvaluationError

type EvaluationError struct {
	// contains filtered or unexported fields
}

EvaluationError is returned when a query evaluation returns an error.

func (*EvaluationError) Error

func (e *EvaluationError) Error() string

type OptFunc

type OptFunc func(*State)

OptFunc is the type of functional options to be passed to New()

func WithModules

func WithModules(mods map[string]*ast.Module) OptFunc

WithModules allows for injecting an OPA policy via opa.New() for engine initialization.

type State

type State struct {
	// contains filtered or unexported fields
}

State wraps the state of OPA we need to track

func New

func New(ctx context.Context, l logger.Logger, opts ...OptFunc) (*State, error)

New initializes a fresh OPA state, using the default, hardcoded OPA policy from policy/authz*.rego unless overridden via an opa.OptFunc.

func (*State) DumpData

func (s *State) DumpData(ctx context.Context) error

DumpData is a bit fast-and-loose when it comes to error checking; it's not meant to be used in production. Anywhere you have an OPA engine struct (i.e. `State`), you can use either one of these on it and it'll log the store contents.

func (*State) FilterAuthorizedPairs

func (s *State) FilterAuthorizedPairs(
	ctx context.Context,
	subjects engine.Subjects,
	pairs []engine.Pair,
) ([]engine.Pair, error)

FilterAuthorizedPairs passes the pairs into OPA, lets it take care of the filtering, and returns the result (sub)list

func (*State) FilterAuthorizedProjects

func (s *State) FilterAuthorizedProjects(
	ctx context.Context, subjects engine.Subjects) ([]string, error)

FilterAuthorizedProjects passes the pairs of all action/resources into OPA, lets it take care of the filtering, and returns the projects associated with the resulting (sub)list.

func (*State) ProjectsAuthorized

func (s *State) ProjectsAuthorized(
	ctx context.Context,
	subjects engine.Subjects,
	action engine.Action,
	resource engine.Resource,
	projects engine.Projects) ([]string, error)

ProjectsAuthorized evaluates whether a given [subject, resource, action, projects] tuple is authorized and returns the list of associated allowed projects from the set of requested projects passed in.

func (*State) SetPolicies

func (s *State) SetPolicies(
	ctx context.Context, policyMap map[string]interface{},
	roleMap map[string]interface{}) error

SetPolicies replaces OPA's data with a new set of policies and roles and resets the partial evaluation cache

type UnexpectedResultExpressionError

type UnexpectedResultExpressionError struct {
	// contains filtered or unexported fields
}

UnexpectedResultExpressionError is returned when one of the result sets expressions can't be made sense of

func (*UnexpectedResultExpressionError) Error

type UnexpectedResultSetError

type UnexpectedResultSetError struct {
	// contains filtered or unexported fields
}

UnexpectedResultSetError is returned when the result set of an OPA query can't be made sense of

func (*UnexpectedResultSetError) Error

func (e *UnexpectedResultSetError) Error() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL