Documentation ¶
Index ¶
- Constants
- Variables
- func CanAssignRole(roles []string, assignedRole string) bool
- func ChangeRoleSet(from []string, to []string) (added []string, removed []string)
- func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, ...) ([]O, error)
- func IsOrgRole(roleName string) (string, bool)
- func RoleMember() string
- func RoleOrgAdmin(organizationID uuid.UUID) string
- func RoleOrgMember(organizationID uuid.UUID) string
- func RoleOwner() string
- func RoleTemplateAdmin() string
- func RoleUserAdmin() string
- type Action
- type Authorizer
- type Object
- type Objecter
- type PartialAuthorizer
- type Permission
- type PreparedAuthorized
- type RegoAuthorizer
- func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, action Action, ...) error
- func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, action Action, ...) error
- func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, action Action, ...) (*PartialAuthorizer, error)
- func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, action Action, ...) (PreparedAuthorized, error)
- type Role
- type UnauthorizedError
Constants ¶
const (
	ActionCreate = "create"
	ActionRead   = "read"
	ActionUpdate = "update"
	ActionDelete = "delete"
)
const WildcardSymbol = "*"
Variables ¶
var (
	// ResourceWorkspace CRUD. Org + User owner
	// create/delete = make or delete workspaces
	// read = access workspace
	// update = edit workspace variables
	ResourceWorkspace = Object{
		Type: "workspace",
	}

	// ResourceWorkspaceExecution CRUD. Org + User owner
	// create = workspace remote execution
	// read = ?
	// update = ?
	// delete = ?
	ResourceWorkspaceExecution = Object{
		Type: "workspace_execution",
	}

	// ResourceAuditLog
	// read = access audit log
	ResourceAuditLog = Object{
		Type: "audit_log",
	}

	// ResourceTemplate CRUD. Org owner only.
	// create/delete = Make or delete a new template
	// update = Update the template, make new template versions
	// read = read the template and all versions associated
	ResourceTemplate = Object{
		Type: "template",
	}

	ResourceFile = Object{
		Type: "file",
	}

	ResourceProvisionerDaemon = Object{
		Type: "provisioner_daemon",
	}

	// ResourceOrganization CRUD. Has an org owner on all but 'create'.
	// create/delete = make or delete organizations
	// read = view org information (Can add user owner for read)
	// update = ??
	ResourceOrganization = Object{
		Type: "organization",
	}

	// ResourceRoleAssignment might be expanded later to allow more granular permissions
	// to modifying roles. For now, this covers all possible roles, so having this permission
	// allows granting/deleting **ALL** roles.
	// Never has an owner or org.
	// create = Assign roles
	// update = ??
	// read = View available roles to assign
	// delete = Remove role
	ResourceRoleAssignment = Object{
		Type: "assign_role",
	}

	// ResourceOrgRoleAssignment is just like ResourceRoleAssignment but for organization roles.
	ResourceOrgRoleAssignment = Object{
		Type: "assign_org_role",
	}

	// ResourceAPIKey is owned by a user.
	// create = Create a new api key for user
	// update = ??
	// read = View api key
	// delete = Delete api key
	ResourceAPIKey = Object{
		Type: "api_key",
	}

	// ResourceUser is the user in the 'users' table.
	// ResourceUser never has any owners or in an org, as it's site wide.
	// create/delete = make or delete a new user.
	// read = view all 'user' table data
	// update = update all 'user' table data
	ResourceUser = Object{
		Type: "user",
	}

	// ResourceUserData is any data associated with a user. A user has control
	// over their data (profile, password, etc). So this resource has an owner.
	ResourceUserData = Object{
		Type: "user_data",
	}

	// ResourceOrganizationMember is a user's membership in an organization.
	// Has ONLY an organization owner.
	// create/delete = Create/delete member from org.
	// update = Update organization member
	// read = View member
	ResourceOrganizationMember = Object{
		Type: "organization_member",
	}

	// ResourceWildcard represents all resource types
	ResourceWildcard = Object{
		Type: WildcardSymbol,
	}

	// ResourceLicense is the license in the 'licenses' table.
	// ResourceLicense is site wide.
	// create/delete = add or remove license from site.
	// read = view license claims
	// update = not applicable; licenses are immutable
	ResourceLicense = Object{
		Type: "license",
	}
)
Resources are just typed objects. Defining resources this way allows passing them directly into an Authorize function and using the chaining API.
Functions ¶
func CanAssignRole ¶ added in v0.8.5
CanAssignRole is a helper function that returns true if the user can assign the specified role. This also can be used for removing a role. This is a simple implementation for now.
func ChangeRoleSet ¶ added in v0.6.0
ChangeRoleSet is a helper function that finds the difference of 2 sets of roles. When setting a user's new roles, it is equivalent to adding and removing roles. This set determines the changes, so that the appropriate RBAC checks can be applied using "ActionCreate" and "ActionDelete" for "added" and "removed" roles respectively.
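As an added illustration (not the package's own code) of the procedure this doc comment describes: the difference between the old and new role sets is computed, then each added role is checked with ActionCreate and each removed role with ActionDelete before anything is changed. The `check` callback, `diff` and `AuthorizeRoleChange` are assumed names standing in for the package's Authorizer and CanAssignRole calls.

```go
package main

import "fmt"

// Action constants mirror the page; the check callback is an assumed
// stand-in for the Authorizer and CanAssignRole calls.
type Action string

const (
	ActionCreate Action = "create"
	ActionDelete Action = "delete"
)

// diff returns the elements of a absent from b, deduplicated, in a's order.
func diff(a, b []string) []string {
	seen := map[string]bool{}
	for _, r := range b {
		seen[r] = true
	}
	var out []string
	for _, r := range a {
		if !seen[r] {
			seen[r] = true // collapse duplicates in a
			out = append(out, r)
		}
	}
	return out
}

// changeRoleSet re-implements the documented set difference.
func changeRoleSet(from, to []string) (added, removed []string) {
	return diff(to, from), diff(from, to)
}

// AuthorizeRoleChange runs the documented checks, ActionCreate for each
// added role and ActionDelete for each removed one, before any change.
func AuthorizeRoleChange(from, to []string, check func(Action, string) error) error {
	added, removed := changeRoleSet(from, to)
	for _, r := range added {
		if err := check(ActionCreate, r); err != nil {
			return fmt.Errorf("add role %q: %w", r, err)
		}
	}
	for _, r := range removed {
		if err := check(ActionDelete, r); err != nil {
			return fmt.Errorf("remove role %q: %w", r, err)
		}
	}
	return nil
}
```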
func Filter ¶ added in v0.6.0
func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, action Action, objects []O) ([]O, error)
Filter takes in a list of objects, and will filter the list removing all the elements the subject does not have permission for. All objects must be of the same type.
func RoleMember ¶
func RoleMember() string
func RoleOrgAdmin ¶
func RoleOrgMember ¶
func RoleTemplateAdmin ¶ added in v0.8.6
func RoleTemplateAdmin() string
func RoleUserAdmin ¶ added in v0.8.6
func RoleUserAdmin() string
Types ¶
type Authorizer ¶ added in v0.5.10
type Object ¶
type Object struct {
	Owner string `json:"owner"`
	// OrgID specifies which org the object is a part of.
	OrgID string `json:"org_owner"`
	// Type is "workspace", "project", "app", etc
	Type string `json:"type"`
}
Object is used to create objects for authz checks when you have none in hand to run the check on. For example, if you want to list all workspaces, you can create an Object that represents the set of workspaces you are trying to get access to. Do not export this type, as it can be created from a resource type constant.
func (Object) RBACObject ¶ added in v0.6.0
type Objecter ¶ added in v0.6.0
type Objecter interface {
RBACObject() Object
}
Objecter returns the RBAC object for itself.
type PartialAuthorizer ¶ added in v0.8.6
type PartialAuthorizer struct {
// contains filtered or unexported fields
}
type Permission ¶
type Permission struct {
	// Negate makes this a negative permission
	Negate       bool   `json:"negate"`
	ResourceType string `json:"resource_type"`
	Action       Action `json:"action"`
}
Permission is the format passed into the rego.
type PreparedAuthorized ¶ added in v0.8.6
type RegoAuthorizer ¶
type RegoAuthorizer struct {
// contains filtered or unexported fields
}
RegoAuthorizer will use a prepared rego query for performing authorize()
func NewAuthorizer ¶
func NewAuthorizer() (*RegoAuthorizer, error)
func (RegoAuthorizer) Authorize ¶
func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, action Action, object Object) error
Authorize allows passing in custom Roles. This is really helpful for unit testing, as we can create custom roles to exercise edge cases.
func (RegoAuthorizer) ByRoleName ¶ added in v0.5.10
func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, action Action, object Object) error
ByRoleName will expand all roleNames into roles before calling Authorize(). This is the function intended to be used outside this package. The role is fetched from the builtin map located in memory.
func (RegoAuthorizer) Prepare ¶ added in v0.8.6
func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, action Action, objectType string) (*PartialAuthorizer, error)
Prepare will partially execute the rego policy leaving the object fields unknown (except for the type). This will vastly speed up performance if batch authorization on the same type of objects is needed.
func (RegoAuthorizer) PrepareByRoleName ¶ added in v0.8.6
func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, action Action, objectType string) (PreparedAuthorized, error)
type Role ¶
type Role struct {
	Name string `json:"name"`
	// DisplayName is used for UI purposes. If the role has no display name,
	// that means the UI should never display it.
	DisplayName string       `json:"display_name"`
	Site        []Permission `json:"site"`
	// Org is a map of orgid to permissions. We represent orgid as a string.
	// We scope the organizations in the role so we can easily combine all the
	// roles.
	Org  map[string][]Permission `json:"org"`
	User []Permission            `json:"user"`
}
Role is a set of permissions at multiple levels:
- Site level permissions apply EVERYWHERE
- Org level permissions apply to EVERYTHING in a given ORG
- User level permissions are the lowest
This is the type passed into the rego as a json payload. Users of this package should instead **only** use the role names, and this package will expand the role names into their json payloads.
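An added, simplified evaluator (not this package's rego policy) showing how the three permission levels scope to an object: site permissions always apply, org permissions only when the object's OrgID matches, user permissions only when the subject owns the object, and a Negate permission denies. It assumes that a matching negated permission overrides any grant and that "*" is a wildcard in both ResourceType and Action; the Role shape here omits Name and DisplayName, and `applicable` is an assumed helper name.

```go
package main

// Types follow the page's Permission, Object and Role shapes (json tags,
// Name and DisplayName omitted). The evaluation rules are an assumed,
// simplified reading of the rego policy this package prepares, not its own.
type Action string
const WildcardSymbol = "*"

type Permission struct {
	Negate       bool // a matching negated permission denies
	ResourceType string
	Action       Action
}

type Object struct{ Owner, OrgID, Type string }

type Role struct {
	Site []Permission            // apply everywhere
	Org  map[string][]Permission // org id -> permissions inside that org
	User []Permission            // apply to objects the subject owns
}

// applicable selects the permission lists of r that the documented scoping
// makes relevant to obj for this subject.
func applicable(r Role, subjectID string, obj Object) []Permission {
	perms := append([]Permission{}, r.Site...)
	if obj.OrgID != "" {
		perms = append(perms, r.Org[obj.OrgID]...)
	}
	if obj.Owner != "" && obj.Owner == subjectID {
		perms = append(perms, r.User...)
	}
	return perms
}

// Authorize grants when some applicable permission matches and no matching
// negated permission exists (assumption: negation always wins).
func Authorize(subjectID string, roles []Role, action Action, obj Object) bool {
	var allow, deny bool
	for _, r := range roles {
		for _, p := range applicable(r, subjectID, obj) {
			// "*" in either field is a wildcard.
			if (p.ResourceType == WildcardSymbol || p.ResourceType == obj.Type) &&
				(p.Action == WildcardSymbol || p.Action == action) {
				allow, deny = allow || !p.Negate, deny || p.Negate
			}
		}
	}
	return allow && !deny
}
```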
func OrganizationRoles ¶ added in v0.5.4
OrganizationRoles lists all roles that can be applied to an organization user in the given organization. This is the list of available roles, and specific to an organization.
This should be a list in a database, but until then we build the list from the builtins.
func RoleByName ¶ added in v0.5.2
RoleByName returns the permissions associated with a given role name. This allows just the role names to be stored and expanded when required.
func RolesByNames ¶ added in v0.8.6
type UnauthorizedError ¶
type UnauthorizedError struct {
// contains filtered or unexported fields
}
UnauthorizedError is the error type for authorization errors
func ForbiddenWithInternal ¶
func ForbiddenWithInternal(internal error, input map[string]interface{}, output rego.ResultSet) *UnauthorizedError
ForbiddenWithInternal creates a new error that will return a simple "forbidden" to the client, logging internally the more detailed message provided.
func (UnauthorizedError) Error ¶
func (UnauthorizedError) Error() string
Error implements the error interface.
func (*UnauthorizedError) Input ¶
func (e *UnauthorizedError) Input() map[string]interface{}
func (*UnauthorizedError) Internal ¶
func (e *UnauthorizedError) Internal() error
Internal allows the internal error message to be logged.
func (*UnauthorizedError) Output ¶
func (e *UnauthorizedError) Output() rego.ResultSet
Output contains the results of the Rego query for debugging.