Documentation ¶
Index ¶
- Constants
- Variables
- func CanAssignRole(expandable ExpandableRoles, assignedRole string) bool
- func ChangeRoleSet(from []string, to []string) (added []string, removed []string)
- func ConfigWithACL() regosql.ConvertConfig
- func ConfigWithoutACL() regosql.ConvertConfig
- func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, action Action, ...) ([]O, error)
- func IsOrgRole(roleName string) (string, bool)
- func IsUnauthorizedError(err error) bool
- func RoleMember() string
- func RoleOrgAdmin(organizationID uuid.UUID) string
- func RoleOrgMember(organizationID uuid.UUID) string
- func RoleOwner() string
- func RoleTemplateAdmin() string
- func RoleUserAdmin() string
- func WithCacheCtx(ctx context.Context) context.Context
- type Action
- type AuthCall
- type AuthorizeFilter
- type Authorizer
- type ExpandableRoles
- type ExpandableScope
- type Object
- func (z Object) All() Object
- func (z Object) Equal(b Object) bool
- func (z Object) InOrg(orgID uuid.UUID) Object
- func (z Object) RBACObject() Object
- func (z Object) WithACLUserList(acl map[string][]Action) Object
- func (z Object) WithGroupACL(groups map[string][]Action) Object
- func (z Object) WithID(id uuid.UUID) Object
- func (z Object) WithIDString(id string) Object
- func (z Object) WithOwner(ownerID string) Object
- type Objecter
- type PartialAuthorizer
- type Permission
- type PreparedAuthorized
- type RegoAuthorizer
- type Role
- type RoleNames
- type Roles
- type Scope
- type ScopeName
- type Subject
- type UnauthorizedError
- func (*UnauthorizedError) As(target interface{}) bool
- func (UnauthorizedError) Error() string
- func (e *UnauthorizedError) Input() map[string]interface{}
- func (e *UnauthorizedError) Internal() error
- func (e *UnauthorizedError) Output() rego.ResultSet
- func (e *UnauthorizedError) SetInternal(err error)
- func (e UnauthorizedError) Unwrap() error
Constants ¶
const WildcardSymbol = "*"
Variables ¶
var ( // ResourceWorkspace CRUD. Org + User owner // create/delete = make or delete workspaces // read = access workspace // update = edit workspace variables ResourceWorkspace = Object{ Type: "workspace", } // ResourceWorkspaceExecution CRUD. Org + User owner // create = workspace remote execution // read = ? // update = ? // delete = ? ResourceWorkspaceExecution = Object{ Type: "workspace_execution", } // ResourceWorkspaceApplicationConnect CRUD. Org + User owner // create = connect to an application // read = ? // update = ? // delete = ? ResourceWorkspaceApplicationConnect = Object{ Type: "application_connect", } // ResourceAuditLog // read = access audit log ResourceAuditLog = Object{ Type: "audit_log", } // ResourceTemplate CRUD. Org owner only. // create/delete = Make or delete a new template // update = Update the template, make new template versions // read = read the template and all versions associated ResourceTemplate = Object{ Type: "template", } // ResourceGroup CRUD. Org admins only. // create/delete = Make or delete a new group. // update = Update the name or members of a group. // read = Read groups and their members. ResourceGroup = Object{ Type: "group", } ResourceFile = Object{ Type: "file", } ResourceProvisionerDaemon = Object{ Type: "provisioner_daemon", } // ResourceOrganization CRUD. Has an org owner on all but 'create'. // create/delete = make or delete organizations // read = view org information (Can add user owner for read) // update = ?? ResourceOrganization = Object{ Type: "organization", } // ResourceRoleAssignment might be expanded later to allow more granular permissions // to modifying roles. For now, this covers all possible roles, so having this permission // allows granting/deleting **ALL** roles. // Never has an owner or org. // create = Assign roles // update = ?? // read = View available roles to assign // delete = Remove role ResourceRoleAssignment = Object{ Type: "assign_role", } // ResourceOrgRoleAssignment is just like ResourceRoleAssignment but for organization roles. ResourceOrgRoleAssignment = Object{ Type: "assign_org_role", } // ResourceAPIKey is owned by a user. // create = Create a new api key for user // update = ?? // read = View api key // delete = Delete api key ResourceAPIKey = Object{ Type: "api_key", } // ResourceUser is the user in the 'users' table. // ResourceUser never has any owners or in an org, as it's site wide. // create/delete = make or delete a new user. // read = view all 'user' table data // update = update all 'user' table data ResourceUser = Object{ Type: "user", } // ResourceUserData is any data associated with a user. A user has control // over their data (profile, password, etc). So this resource has an owner. ResourceUserData = Object{ Type: "user_data", } // ResourceOrganizationMember is a user's membership in an organization. // Has ONLY an organization owner. // create/delete = Create/delete member from org. // update = Update organization member // read = View member ResourceOrganizationMember = Object{ Type: "organization_member", } // ResourceWildcard represents all resource types ResourceWildcard = Object{ Type: WildcardSymbol, } // ResourceLicense is the license in the 'licenses' table. // ResourceLicense is site wide. // create/delete = add or remove license from site. // read = view license claims // update = not applicable; licenses are immutable ResourceLicense = Object{ Type: "license", } // ResourceDeploymentValues ResourceDeploymentValues = Object{ Type: "deployment_config", } ResourceDeploymentStats = Object{ Type: "deployment_stats", } ResourceReplicas = Object{ Type: "replicas", } // ResourceDebugInfo controls access to the debug routes `/api/v2/debug/*`. ResourceDebugInfo = Object{ Type: "debug_info", } // ResourceSystem is a pseudo-resource only used for system-level actions. ResourceSystem = Object{ Type: "system", } )
Resources are just typed objects. Making resources this way allows directly passing them into an Authorize function and use the chaining api.
Functions ¶
func CanAssignRole ¶ added in v0.8.5
func CanAssignRole(expandable ExpandableRoles, assignedRole string) bool
CanAssignRole is a helper function that returns true if the user can assign the specified role. This also can be used for removing a role. This is a simple implementation for now.
func ChangeRoleSet ¶ added in v0.6.0
ChangeRoleSet is a helper function that finds the difference of 2 sets of roles. When setting a user's new roles, it is equivalent to adding and removing roles. This set determines the changes, so that the appropriate RBAC checks can be applied using "ActionCreate" and "ActionDelete" for "added" and "removed" roles respectively.
func ConfigWithACL ¶ added in v0.13.0
func ConfigWithACL() regosql.ConvertConfig
func ConfigWithoutACL ¶ added in v0.13.0
func ConfigWithoutACL() regosql.ConvertConfig
func Filter ¶ added in v0.6.0
func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, action Action, objects []O) ([]O, error)
Filter takes in a list of objects, and will filter the list removing all the elements the subject does not have permission for. All objects must be of the same type.
Ideally the 'CompileToSQL' is used instead for large sets. This cost scales linearly with the number of objects passed in.
func IsUnauthorizedError ¶ added in v0.17.2
IsUnauthorizedError is a convenience function to check if err is UnauthorizedError. It is equivalent to errors.As(err, &UnauthorizedError{}).
func RoleMember ¶
func RoleMember() string
func RoleOrgAdmin ¶
func RoleOrgMember ¶
func RoleTemplateAdmin ¶ added in v0.8.6
func RoleTemplateAdmin() string
func RoleUserAdmin ¶ added in v0.8.6
func RoleUserAdmin() string
Types ¶
type Action ¶
type Action string
Action represents the allowed actions to be done on an object.
func AllActions ¶ added in v0.17.2
func AllActions() []Action
AllActions is a helper function to return all the possible actions types.
type AuthorizeFilter ¶ added in v0.9.3
type AuthorizeFilter interface {
SQLString() string
}
func Compile ¶ added in v0.9.3
func Compile(cfg regosql.ConvertConfig, pa *PartialAuthorizer) (AuthorizeFilter, error)
type Authorizer ¶ added in v0.5.10
type Authorizer interface { Authorize(ctx context.Context, subject Subject, action Action, object Object) error Prepare(ctx context.Context, subject Subject, action Action, objectType string) (PreparedAuthorized, error) }
func Cacher ¶ added in v0.17.2
func Cacher(authz Authorizer) Authorizer
Cacher returns an Authorizer that can use a cache stored on a context to short circuit duplicate calls to the Authorizer. This is useful when multiple calls are made to the Authorizer for the same subject, action, and object. The cache is on each `ctx` and is not shared between requests. If no cache is found on the context, the Authorizer is called as normal.
Cacher is safe for multiple actors.
func NewCachingAuthorizer ¶ added in v0.17.4
func NewCachingAuthorizer(registry prometheus.Registerer) Authorizer
NewCachingAuthorizer returns a new RegoAuthorizer that supports context based caching. To utilize the caching, the context passed to Authorize() must be created with 'WithCacheCtx(ctx)'.
type ExpandableRoles ¶ added in v0.15.3
type ExpandableRoles interface { Expand() ([]Role, error) // Names is for logging and tracing purposes, we want to know the human // names of the expanded roles. Names() []string }
ExpandableRoles is any type that can be expanded into a []Role. This is implemented as an interface so we can have RoleNames for user defined roles, and implement custom ExpandableRoles for system type users (eg autostart/autostop system role). We want a clear divide between the two types of roles so users have no codepath to interact or assign system roles.
Note: We may also want to do the same thing with scopes to allow custom scope support unavailable to the user. Eg: Scope to a single resource.
type ExpandableScope ¶ added in v0.15.3
type Object ¶
type Object struct { // ID is the resource's uuid ID string `json:"id"` Owner string `json:"owner"` // OrgID specifies which org the object is a part of. OrgID string `json:"org_owner"` // Type is "workspace", "project", "app", etc Type string `json:"type"` ACLUserList map[string][]Action ` json:"acl_user_list"` ACLGroupList map[string][]Action ` json:"acl_group_list"` }
Object is used to create objects for authz checks when you have none in hand to run the check on. An example is if you want to list all workspaces, you can create a Object that represents the set of workspaces you are trying to get access too. Do not export this type, as it can be created from a resource type constant.
func (Object) RBACObject ¶ added in v0.6.0
func (Object) WithACLUserList ¶ added in v0.9.9
WithACLUserList adds an ACL list to a given object
func (Object) WithGroupACL ¶ added in v0.9.9
func (Object) WithIDString ¶ added in v0.15.1
type Objecter ¶ added in v0.6.0
type Objecter interface {
RBACObject() Object
}
Objecter returns the RBAC object for itself.
type PartialAuthorizer ¶ added in v0.8.6
type PartialAuthorizer struct {
// contains filtered or unexported fields
}
func (*PartialAuthorizer) Authorize ¶ added in v0.8.6
func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
func (*PartialAuthorizer) CompileToSQL ¶ added in v0.13.0
func (pa *PartialAuthorizer) CompileToSQL(ctx context.Context, cfg regosql.ConvertConfig) (string, error)
type Permission ¶
type Permission struct { // Negate makes this a negative permission Negate bool `json:"negate"` ResourceType string `json:"resource_type"` Action Action `json:"action"` }
Permission is the format passed into the rego.
func Permissions ¶ added in v0.17.4
func Permissions(perms map[string][]Action) []Permission
Permissions is just a helper function to make building roles that list out resources and actions a bit easier.
type PreparedAuthorized ¶ added in v0.8.6
type RegoAuthorizer ¶
type RegoAuthorizer struct {
// contains filtered or unexported fields
}
RegoAuthorizer will use a prepared rego query for performing authorize()
func NewAuthorizer ¶
func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer
func (RegoAuthorizer) Authorize ¶
func (a RegoAuthorizer) Authorize(ctx context.Context, subject Subject, action Action, object Object) error
Authorize is the intended function to be used outside this package. It returns `nil` if the subject is authorized to perform the action on the object. If an error is returned, the authorization is denied.
func (RegoAuthorizer) Prepare ¶ added in v0.8.6
func (a RegoAuthorizer) Prepare(ctx context.Context, subject Subject, action Action, objectType string) (PreparedAuthorized, error)
Prepare will partially execute the rego policy leaving the object fields unknown (except for the type). This will vastly speed up performance if batch authorization on the same type of objects is needed.
type Role ¶
type Role struct { Name string `json:"name"` // DisplayName is used for UI purposes. If the role has no display name, // that means the UI should never display it. DisplayName string `json:"display_name"` Site []Permission `json:"site"` // Org is a map of orgid to permissions. We represent orgid as a string. // We scope the organizations in the role so we can easily combine all the // roles. Org map[string][]Permission `json:"org"` User []Permission `json:"user"` }
Role is a set of permissions at multiple levels: - Site level permissions apply EVERYWHERE - Org level permissions apply to EVERYTHING in a given ORG - User level permissions are the lowest This is the type passed into the rego as a json payload. Users of this package should instead **only** use the role names, and this package will expand the role names into their json payloads.
func OrganizationRoles ¶ added in v0.5.4
OrganizationRoles lists all roles that can be applied to an organization user in the given organization. This is the list of available roles, and specific to an organization.
This should be a list in a database, but until then we build the list from the builtins.
func RoleByName ¶ added in v0.5.2
RoleByName returns the permissions associated with a given role name. This allows just the role names to be stored and expanded when required.
This function is exported so that the Display name can be returned to the api. We should maybe make an exported function that returns just the human-readable content of the Role struct (name + display name).
type RoleNames ¶ added in v0.15.3
type RoleNames []string
RoleNames is a list of user assignable role names. The role names must be in the builtInRoles map. Any non-user assignable roles will generate an error on Expand.
type Scope ¶ added in v0.9.0
Scope acts the exact same as a Role with the addition that is can also apply an AllowIDList. Any resource being checked against a Scope will reject any resource that is not in the AllowIDList. To not use an AllowIDList to reject authorization, use a wildcard for the AllowIDList. Eg: 'AllowIDList: []string{WildcardSymbol}'
func ExpandScope ¶ added in v0.15.1
func WorkspaceAgentScope ¶ added in v0.17.2
WorkspaceAgentScope returns a scope that is the same as ScopeAll but can only affect resources in the allow list. Only a scope is returned as the roles should come from the workspace owner.
type Subject ¶ added in v0.15.3
type Subject struct { ID string Roles ExpandableRoles Groups []string Scope ExpandableScope }
Subject is a struct that contains all the elements of a subject in an rbac authorize.
func (Subject) SafeRoleNames ¶ added in v0.15.3
SafeRoleNames prevent nil pointer dereference.
func (Subject) SafeScopeName ¶ added in v0.15.3
SafeScopeName prevent nil pointer dereference.
type UnauthorizedError ¶
type UnauthorizedError struct {
// contains filtered or unexported fields
}
UnauthorizedError is the error type for authorization errors
func ForbiddenWithInternal ¶
func ForbiddenWithInternal(internal error, subject Subject, action Action, object Object, output rego.ResultSet) *UnauthorizedError
ForbiddenWithInternal creates a new error that will return a simple "forbidden" to the client, logging internally the more detailed message provided.
func (*UnauthorizedError) As ¶ added in v0.17.2
func (*UnauthorizedError) As(target interface{}) bool
As implements the errors.As interface.
func (UnauthorizedError) Error ¶
func (UnauthorizedError) Error() string
Error implements the error interface.
func (*UnauthorizedError) Input ¶
func (e *UnauthorizedError) Input() map[string]interface{}
func (*UnauthorizedError) Internal ¶
func (e *UnauthorizedError) Internal() error
Internal allows the internal error message to be logged.
func (*UnauthorizedError) Output ¶
func (e *UnauthorizedError) Output() rego.ResultSet
Output contains the results of the Rego query for debugging.
func (*UnauthorizedError) SetInternal ¶ added in v0.17.2
func (e *UnauthorizedError) SetInternal(err error)
func (UnauthorizedError) Unwrap ¶ added in v0.17.2
func (e UnauthorizedError) Unwrap() error
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package regosql converts rego queries into SQL WHERE clauses.
|
Package regosql converts rego queries into SQL WHERE clauses. |
sqltypes
Package sqltypes contains the types used to convert rego queries into SQL.
|
Package sqltypes contains the types used to convert rego queries into SQL. |