rbac

package
v0.0.0-...-1fccfa7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 1, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	CommonRole roleKind = iota
	AnonymousRole
	AuthenticatedRole
	ContextRole
	BypassRole
)
View Source 
const (
	RuleResourceType = "corteza::generic:rbac-rule"
)

Variables

This section is empty.

Functions

func ContextToSession 

func ContextToSession(ctx context.Context) *session

func Global 

func Global() *service

Global returns global RBAC service

func NewService 

func NewService(logger *zap.Logger, s rbacRulesStore) (svc *service)

NewService initializes service{} struct

service{} struct preloads, checks, grants and flushes privileges to and from store It acts as a caching layer

func NewSession 

func NewSession(ctx context.Context, i auth.Identifiable) *session

func ParamsToSession 

func ParamsToSession(ctx context.Context, user uint64, roles ...uint64) *session

func ParseResourceID 

func ParseResourceID(r string) (string, []uint64)

func ResourceComponent 

func ResourceComponent(r string) string

func ResourceType 

func ResourceType(r string) string

ResourceType extracts 1st part of the resource

ns::cmp:res/c returns ns::cmp:res ns::cmp:res/ returns ns::cmp:res ns::cmp:res returns ns::cmp:res

func SetGlobal 

func SetGlobal(svc *service)

SetGlobal re-sets global service

Types

type Access 

type Access int
const (
	// Allow - Operation over a resource is allowed
	Allow Access = 1

	// Deny - Operation over a resource is denied
	Deny Access = 0

	// Inherit - Operation over a resource is not defined, inherit
	Inherit Access = -1
)

func Allowed 

func Allowed() Access

func Denied 

func Denied() Access

func (Access) MarshalJSON 

func (a Access) MarshalJSON() ([]byte, error)

func (Access) String 

func (a Access) String() string

func (*Access) UnmarshalJSON 

func (a *Access) UnmarshalJSON(data []byte) error

type CheckAccessFunc 

type CheckAccessFunc func() Access

CheckAccessFunc function.

type EffectiveSet 

type EffectiveSet []effective

func (*EffectiveSet) Push 

func (ee *EffectiveSet) Push(res, op string, allow bool)

type Resource 

type Resource interface {
	RbacResource() string
}

func NewResource 

func NewResource(s string) Resource

NewResource constructs untyped resource from the given string

This is a utility method that should not be used for standard permission checking and granting it's intended to be used for testing end permission evaluation where we do not have access to the resource struct

type Role 

type Role struct {
	// contains filtered or unexported fields
}

role information, adapted for the needs of RBAC package

func MakeContextRole 

func MakeContextRole(id uint64, handle string, fn ctxRoleCheckFn, tt ...string) *Role

type RoleSettings 

type RoleSettings struct {
	Bypass        []uint64
	Authenticated []uint64
	Anonymous     []uint64
}

type Rule 

type Rule struct {
	RoleID    uint64 `json:"roleID,string"`
	Resource  string `json:"resource"`
	Operation string `json:"operation"`
	Access    Access `json:"access,string"`
	// contains filtered or unexported fields
}

func AllowRule 

func AllowRule(id uint64, r, o string) *Rule

AllowRule helper func to create allow rule

func DenyRule 

func DenyRule(id uint64, r, o string) *Rule

DenyRule helper func to create deny rule

func InheritRule 

func InheritRule(id uint64, r, o string) *Rule

InheritRule helper func to create inherit rule

func (Rule) GetID 

func (r Rule) GetID() uint64

func (*Rule) GetValue 

func (u *Rule) GetValue(name string, pos uint) (v any, err error)

func (*Rule) SetValue 

func (u *Rule) SetValue(name string, pos uint, v any) (err error)

func (Rule) String 

func (r Rule) String() string

type RuleFilter 

type RuleFilter struct {
	Limit uint
}

RuleFilter is a dummy struct to satisfy store codegen

type RuleSet 

type RuleSet []*Rule

func (RuleSet) FilterAccess 

func (set RuleSet) FilterAccess(a Access) (out RuleSet)

func (RuleSet) FilterOperation 

func (set RuleSet) FilterOperation(op string) (out RuleSet)

func (RuleSet) FilterResource 

func (set RuleSet) FilterResource(rr ...Resource) (out RuleSet)

FilterResource returns rules that match given list of resources Wildcards are not used!

Note that empty resource list will return ALL rules!

func (RuleSet) Len 

func (set RuleSet) Len() int

func (RuleSet) Less 

func (set RuleSet) Less(i, j int) bool

func (RuleSet) Swap 

func (set RuleSet) Swap(i, j int)

type ServiceAllowAll 

type ServiceAllowAll struct{}

ServiceAllowAll constructs not-for-production RBAC service

func (ServiceAllowAll) Can 

func (ServiceAllowAll) Can(Session, string, Resource) bool

func (ServiceAllowAll) Check 

func (ServiceAllowAll) Check([]uint64, string, Resource) (v Access)

func (ServiceAllowAll) CloneRulesByRoleID 

func (ServiceAllowAll) CloneRulesByRoleID(context.Context, uint64, ...uint64) error

func (ServiceAllowAll) FindRulesByRoleID 

func (ServiceAllowAll) FindRulesByRoleID(uint64) (rr RuleSet)

func (ServiceAllowAll) Grant 

func (ServiceAllowAll) Grant(context.Context, ...*Rule) error

func (ServiceAllowAll) Trace 

func (ServiceAllowAll) Trace(Session, string, Resource) *Trace

type Session 

type Session interface {
	// Identity of the subject
	Identity() uint64

	// Roles returns all subject's roles for the session
	Roles() []uint64

	// Context used for expr evaluation
	Context() context.Context
}

Security/RBAC session

type Trace 

type Trace struct {
	Resource   string        `json:"resource"`
	Operation  string        `json:"operation"`
	Access     Access        `json:"access"`
	Roles      slice.UInt64s `json:"roles"`
	Rules      []*Rule       `json:"rules,omitempty"`
	Resolution resolution    `json:"resolution,omitempty"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.