rbac

package


Constants

This section is empty.

Variables

AuthZProvider is the authz registry for RBAC.

var ErrGlobalAssignedLocally = errors.New("a global-only permission cannot be assigned to a local scope")

ErrGlobalAssignedLocally is returned when an attempt is made to assign a role that carries a global-only permission using a non-global scope.

var UnimplementedError = status.Error(codes.Unimplemented, stubUnimplementedMessage)

UnimplementedError is the error returned for unimplemented functions.

Functions

func AddGroupAssignmentsTx

func AddGroupAssignmentsTx(ctx context.Context, idb bun.IDB, groups []*rbacv1.GroupRoleAssignment,
) error

AddGroupAssignmentsTx adds the given role assignments to groups while inside a transaction.

func AddRoleAssignments

func AddRoleAssignments(ctx context.Context, groups []*rbacv1.GroupRoleAssignment,
	users []*rbacv1.UserRoleAssignment,
) error

AddRoleAssignments adds the specified role assignments to users or groups.

func CheckForPermission

func CheckForPermission(
	ctx context.Context, subject string, curUser *model.User,
	workspaceID *model.AccessScopeID, permission rbacv1.PermissionType,
	options ...CheckForPermissionOptionsFunc,
) (permErr error, err error)

CheckForPermission checks if the user has the given permission on the given subject and logs the result unless logging is disabled.

func GetAllRolesQuery

func GetAllRolesQuery(results *[]Role, excludeGlobalOnly bool) *bun.SelectQuery

GetAllRolesQuery builds the bun query for summarizing roles.

func GetAssignedRoles

func GetAssignedRoles(ctx context.Context, curUser model.UserID) ([]int32, error)

GetAssignedRoles returns the roles that a user is currently assigned.

func GetGroupsFromUsersTx

func GetGroupsFromUsersTx(ctx context.Context, idb bun.IDB, users []*rbacv1.UserRoleAssignment) (
	[]*rbacv1.GroupRoleAssignment, error,
)

GetGroupsFromUsersTx retrieves the group ids belonging to users while inside a transaction.

func GetPermissionSummary

func GetPermissionSummary(
	ctx context.Context, userID model.UserID,
) (map[*Role][]*RoleAssignment, error)

GetPermissionSummary retrieves a list of all roles a user is assigned to, along with the scopes those roles are assigned on.

func GetRolesByIDs

func GetRolesByIDs(ctx context.Context, ids ...int32,
) ([]*rbacv1.RoleWithAssignments, error)

GetRolesByIDs returns a set of roles and their assignments from the DB.

func GetUsersAndGroupMembershipOnWorkspace

func GetUsersAndGroupMembershipOnWorkspace(
	ctx context.Context, workspaceID int,
) ([]model.User, []model.GroupMembership, error)

GetUsersAndGroupMembershipOnWorkspace gets all users assigned to the workspace and the groups they belong to that are assigned to the workspace.

func PermittedScopes

func PermittedScopes(
	ctx context.Context, curUser model.User, requestedScope model.AccessScopeID,
	permission rbacv1.PermissionType,
) (model.AccessScopeSet, error)

PermittedScopes returns a set of scopes that the user has the given permission on.

func RemoveGroupAssignmentsTx

func RemoveGroupAssignmentsTx(ctx context.Context, idb bun.IDB,
	groups []*rbacv1.GroupRoleAssignment,
) error

RemoveGroupAssignmentsTx removes role assignments from groups while inside a transaction.

func RemoveRoleAssignments

func RemoveRoleAssignments(ctx context.Context, groups []*rbacv1.GroupRoleAssignment,
	users []*rbacv1.UserRoleAssignment,
) error

RemoveRoleAssignments removes the specified role assignments from groups or users.

func UpdateUsersTimestampTx

func UpdateUsersTimestampTx(ctx context.Context, idb bun.IDB,
	users []*rbacv1.UserRoleAssignment,
) error

UpdateUsersTimestampTx updates the user modified_at field to the present time.

Types

type CheckForPermissionOptions

// CheckForPermissionOptions represents the options for CheckForPermission.
type CheckForPermissionOptions struct {
	// LogResult controls whether CheckForPermission logs the outcome of the
	// permission check; see EnablePermissionCheckLogging.
	LogResult bool
}

CheckForPermissionOptions represents the options for CheckForPermission.

type CheckForPermissionOptionsFunc

// CheckForPermissionOptionsFunc is a function type for defining options for
// CheckForPermission. It receives a pointer to the options struct so that it
// can set fields on it.
type CheckForPermissionOptionsFunc func(*CheckForPermissionOptions)

CheckForPermissionOptionsFunc is a function type for defining options for CheckForPermission.

func EnablePermissionCheckLogging

func EnablePermissionCheckLogging(flag bool) CheckForPermissionOptionsFunc

EnablePermissionCheckLogging enables or disables RBAC audit logging for CheckForPermission.

type Permission

// Permission represents a Permission as it's stored in the database
// (table "permissions").
type Permission struct {
	bun.BaseModel `bun:"table:permissions"`

	// ID is the primary key.
	ID     int    `bun:"id,pk"`
	// Name is the permission's name.
	Name   string `bun:"name"`
	// Global maps to the global_only column. A permission with Global set may
	// only be assigned at the global scope; assigning a role carrying it to a
	// local scope is rejected with ErrGlobalAssignedLocally.
	Global bool   `bun:"global_only"`
}

Permission represents a Permission as it's stored in the database.

func UserPermissionsForScope

func UserPermissionsForScope(ctx context.Context, uid model.UserID, workspaceID int,
) ([]Permission, error)

UserPermissionsForScope finds what permissions a user has on a given scope. Passing a workspaceID of zero signals to only check for globally-assigned roles.

func (*Permission) Proto

func (p *Permission) Proto() *rbacv1.Permission

Proto turns a permission into its rbac representation.

func (*Permission) ScopeTypeMask

func (p *Permission) ScopeTypeMask() *rbacv1.ScopeTypeMask

ScopeTypeMask returns a mask of allowed scope types for this permission.

type PermissionAssignment

// PermissionAssignment contains the database representation of a
// PermissionAssignment (table "permission_assignments") as well as the
// Permission itself and the Role it is assigned to.
type PermissionAssignment struct {
	bun.BaseModel `bun:"table:permission_assignments"`

	// PermissionID and RoleID together form the composite primary key.
	PermissionID int `bun:",pk"`
	RoleID       int `bun:",pk"`

	// Permission and Role are the referenced rows, loaded through the
	// belongs-to relations declared in the tags.
	Permission *Permission `bun:"rel:belongs-to,join:permission_id=id"`
	Role       *Role       `bun:"rel:belongs-to,join:role_id=id"`
}

PermissionAssignment contains the database representation of a PermissionAssignment as well as the Permission itself and the Role it is assigned to.

type Permissions

// Permissions is a list of permissions.
type Permissions []Permission

Permissions is a list of permissions.

func (Permissions) IDs

func (p Permissions) IDs() []int

IDs plucks the ids out of the permissions and returns them.

func (Permissions) Proto

func (p Permissions) Proto() []*rbacv1.Permission

Proto turns a Permissions object into a list of rbac representations.

func (Permissions) ScopeTypeMask

func (p Permissions) ScopeTypeMask() *rbacv1.ScopeTypeMask

ScopeTypeMask returns a rolled-up mask of allowed scope types.

type RBACAPIServerImpl

// RBACAPIServerImpl contains the RBAC implementation of RBACAPIServer.
type RBACAPIServerImpl struct{}

RBACAPIServerImpl contains the RBAC implementation of RBACAPIServer.

func (*RBACAPIServerImpl) AssignRoles

func (a *RBACAPIServerImpl) AssignRoles(ctx context.Context, req *apiv1.AssignRolesRequest,
) (resp *apiv1.AssignRolesResponse, err error)

AssignRoles grants the specified users or groups a particular role.

func (*RBACAPIServerImpl) AssignWorkspaceAdminToUserTx

func (a *RBACAPIServerImpl) AssignWorkspaceAdminToUserTx(
	ctx context.Context, idb bun.IDB, workspaceID int, userID model.UserID,
) (err error)

AssignWorkspaceAdminToUserTx assigns workspace admin to a given user.

func (*RBACAPIServerImpl) GetGroupsAndUsersAssignedToWorkspace

GetGroupsAndUsersAssignedToWorkspace gets groups and users assigned to a given workspace along with roles assigned.

func (*RBACAPIServerImpl) GetPermissionsSummary

GetPermissionsSummary gets a permission overview for the currently logged in user.

func (*RBACAPIServerImpl) GetRolesAssignedToGroup

GetRolesAssignedToGroup gets the roles belonging to a group.

func (*RBACAPIServerImpl) GetRolesAssignedToUser

GetRolesAssignedToUser retrieves all the roles assigned to the user or to the groups the user belongs in.

func (*RBACAPIServerImpl) GetRolesByID

func (a *RBACAPIServerImpl) GetRolesByID(ctx context.Context, req *apiv1.GetRolesByIDRequest,
) (resp *apiv1.GetRolesByIDResponse, err error)

GetRolesByID searches for roles that fulfill the criteria given by the user.

func (*RBACAPIServerImpl) ListRoles

func (a *RBACAPIServerImpl) ListRoles(ctx context.Context, req *apiv1.ListRolesRequest,
) (resp *apiv1.ListRolesResponse, err error)

ListRoles returns all roles.

func (*RBACAPIServerImpl) RemoveAssignments

RemoveAssignments removes the specified users or groups from a role.

func (*RBACAPIServerImpl) SearchRolesAssignableToScope

SearchRolesAssignableToScope looks for roles we can add to the scope.

type RBACAPIServerWrapper

// RBACAPIServerWrapper is a struct that implements RBACAPIServer; each of its
// methods wraps the like-named function of the RBACAPIServer interface.
type RBACAPIServerWrapper struct{}

RBACAPIServerWrapper is a struct that implements RBACAPIServer.

func (*RBACAPIServerWrapper) AssignRoles

AssignRoles wraps the function of the same name on the RBACAPIServer interface.

func (*RBACAPIServerWrapper) AssignWorkspaceAdminToUserTx

func (s *RBACAPIServerWrapper) AssignWorkspaceAdminToUserTx(
	ctx context.Context, idb bun.IDB, workspaceID int, userID model.UserID,
) error

AssignWorkspaceAdminToUserTx wraps the function of the same name on the RBACAPIServer interface.

func (*RBACAPIServerWrapper) GetGroupsAndUsersAssignedToWorkspace

GetGroupsAndUsersAssignedToWorkspace wraps the function of the same name on the RBACAPIServer interface.

func (*RBACAPIServerWrapper) GetPermissionsSummary

GetPermissionsSummary wraps the function of the same name on the RBACAPIServer interface.

func (*RBACAPIServerWrapper) GetRolesAssignedToGroup

GetRolesAssignedToGroup wraps the function of the same name on the RBACAPIServer interface.

func (*RBACAPIServerWrapper) GetRolesAssignedToUser

GetRolesAssignedToUser wraps the function of the same name on the RBACAPIServer interface.

func (*RBACAPIServerWrapper) GetRolesByID

func (s *RBACAPIServerWrapper) GetRolesByID(ctx context.Context, req *apiv1.GetRolesByIDRequest) (
	resp *apiv1.GetRolesByIDResponse, err error,
)

GetRolesByID wraps the function of the same name on the RBACAPIServer interface.

func (*RBACAPIServerWrapper) ListRoles

ListRoles wraps the function of the same name on the RBACAPIServer interface.

func (*RBACAPIServerWrapper) RemoveAssignments

RemoveAssignments wraps the function of the same name on the RBACAPIServer interface.

func (*RBACAPIServerWrapper) SearchRolesAssignableToScope

SearchRolesAssignableToScope wraps the function of the same name on the RBACAPIServer interface.

type RBACAuthZ

// RBACAuthZ describes authz methods for RBAC. Each method reports an
// authorization failure through a non-nil error; a nil error means the
// caller is allowed to proceed. This package ships three implementations:
// RBACAuthZBasic, RBACAuthZPermissive and RBACAuthZRBAC.
type RBACAuthZ interface {

	// CanGetRoles checks if a user has access to certain roles.
	// Should usually be allowed.
	// POST /api/v1/roles/search/by-ids
	CanGetRoles(ctx context.Context, curUser model.User, roleIDs []int32) error

	// FilterRolesQuery filters a role search to show only what a user can access.
	// It returns the (possibly narrowed) query rather than an allow/deny verdict.
	// POST /api/v1/roles/search
	// ListRoles
	FilterRolesQuery(ctx context.Context, curUser model.User, query *bun.SelectQuery) (
		*bun.SelectQuery, error)

	// CanGetUserRoles checks if a user can get another user's assigned roles.
	// GET /api/v1/roles/search/by-user/{user_id}
	// GetRolesAssignedToUser()
	CanGetUserRoles(ctx context.Context, curUser model.User, userID int32) error

	// CanGetGroupRoles checks if a user can get the roles assigned to a group.
	// GET /api/v1/roles/search/by-group/{group_id}
	// GetRolesAssignedToGroup()
	CanGetGroupRoles(ctx context.Context, curUser model.User, groupID int32) error

	// CanSearchScope checks if a user can search a scope for roles.
	// A nil workspaceID denotes the global scope — presumably; confirm against callers.
	// POST /api/v1/roles/search/by-assignability
	// SearchRolesAssignableToScope()
	CanSearchScope(ctx context.Context, curUser model.User, workspaceID *int32) error

	// CanGetWorkspaceMembership checks if a user can get membership on a workspace.
	CanGetWorkspaceMembership(
		ctx context.Context, curUser model.User, workspaceID int32,
	) error

	// CanAssignRoles checks if a user has the assign roles permission for
	// every requested group and user role assignment.
	// POST /api/v1/roles/add-assignments
	// AssignRoles()
	// AssignWorkspaceAdminToUserTx()
	CanAssignRoles(ctx context.Context,
		curUser model.User,
		groupRoleAssignments []*rbacv1.GroupRoleAssignment,
		userRoleAssignments []*rbacv1.UserRoleAssignment) error

	// CanRemoveRoles checks if a user has the assign roles permission for
	// every group and user role assignment being removed.
	// POST /api/v1/roles/remove-assignments
	// RemoveAssignments
	CanRemoveRoles(ctx context.Context,
		curUser model.User,
		groupRoleAssignments []*rbacv1.GroupRoleAssignment,
		userRoleAssignments []*rbacv1.UserRoleAssignment) error
}

RBACAuthZ describes authz methods for RBAC.

type RBACAuthZBasic

// RBACAuthZBasic is basic OSS controls: every check passes unconditionally
// except CanAssignRoles, which requires admin privileges.
type RBACAuthZBasic struct{}

RBACAuthZBasic implements the basic OSS controls.

func (*RBACAuthZBasic) CanAssignRoles

func (a *RBACAuthZBasic) CanAssignRoles(
	ctx context.Context,
	curUser model.User,
	groupRoleAssignments []*rbacv1.GroupRoleAssignment,
	userRoleAssignments []*rbacv1.UserRoleAssignment,
) error

CanAssignRoles returns nil if a user has admin privileges.

func (*RBACAuthZBasic) CanGetGroupRoles

func (a *RBACAuthZBasic) CanGetGroupRoles(ctx context.Context, curUser model.User,
	groupID int32,
) error

CanGetGroupRoles always returns nil.

func (*RBACAuthZBasic) CanGetRoles

func (a *RBACAuthZBasic) CanGetRoles(ctx context.Context, curUser model.User,
	roleIDs []int32,
) error

CanGetRoles always returns nil.

func (*RBACAuthZBasic) CanGetUserRoles

func (a *RBACAuthZBasic) CanGetUserRoles(ctx context.Context, curUser model.User,
	userID int32,
) error

CanGetUserRoles always returns nil.

func (*RBACAuthZBasic) CanGetWorkspaceMembership

func (a *RBACAuthZBasic) CanGetWorkspaceMembership(
	ctx context.Context, curUser model.User, workspaceID int32,
) error

CanGetWorkspaceMembership always returns a nil error.

func (*RBACAuthZBasic) CanRemoveRoles

func (a *RBACAuthZBasic) CanRemoveRoles(
	ctx context.Context,
	curUser model.User,
	groupRoleAssignments []*rbacv1.GroupRoleAssignment,
	userRoleAssignments []*rbacv1.UserRoleAssignment,
) error

CanRemoveRoles always returns nil.

func (*RBACAuthZBasic) CanSearchScope

func (a *RBACAuthZBasic) CanSearchScope(ctx context.Context, curUser model.User,
	workspaceID *int32,
) error

CanSearchScope always returns nil.

func (*RBACAuthZBasic) FilterRolesQuery

func (a *RBACAuthZBasic) FilterRolesQuery(ctx context.Context, curUser model.User,
	query *bun.SelectQuery) (
	*bun.SelectQuery, error,
)

FilterRolesQuery always returns the original query and a nil error.

type RBACAuthZPermissive

// RBACAuthZPermissive is the permissive implementation: each method calls the
// RBAC authz check but enforces only the basic authz result.
type RBACAuthZPermissive struct{}

RBACAuthZPermissive is the permissive implementation.

func (*RBACAuthZPermissive) CanAssignRoles

func (p *RBACAuthZPermissive) CanAssignRoles(
	ctx context.Context, curUser model.User, groupRoleAssignments []*rbacv1.GroupRoleAssignment,
	userRoleAssignments []*rbacv1.UserRoleAssignment,
) error

CanAssignRoles calls RBAC authz but enforces basic authz.

func (*RBACAuthZPermissive) CanGetGroupRoles

func (p *RBACAuthZPermissive) CanGetGroupRoles(
	ctx context.Context, curUser model.User, groupID int32,
) error

CanGetGroupRoles calls RBAC authz but enforces basic authz.

func (*RBACAuthZPermissive) CanGetRoles

func (p *RBACAuthZPermissive) CanGetRoles(
	ctx context.Context, curUser model.User, roleIDs []int32,
) error

CanGetRoles calls RBAC authz but enforces basic authz.

func (*RBACAuthZPermissive) CanGetUserRoles

func (p *RBACAuthZPermissive) CanGetUserRoles(
	ctx context.Context, curUser model.User, userID int32,
) error

CanGetUserRoles calls RBAC authz but enforces basic authz.

func (*RBACAuthZPermissive) CanGetWorkspaceMembership

func (p *RBACAuthZPermissive) CanGetWorkspaceMembership(
	ctx context.Context, curUser model.User, workspaceID int32,
) error

CanGetWorkspaceMembership calls RBAC authz but enforces basic authz.

func (*RBACAuthZPermissive) CanRemoveRoles

func (p *RBACAuthZPermissive) CanRemoveRoles(
	ctx context.Context, curUser model.User, groupRoleAssignments []*rbacv1.GroupRoleAssignment,
	userRoleAssignments []*rbacv1.UserRoleAssignment,
) error

CanRemoveRoles calls RBAC authz but enforces basic authz.

func (*RBACAuthZPermissive) CanSearchScope

func (p *RBACAuthZPermissive) CanSearchScope(
	ctx context.Context, curUser model.User, workspaceID *int32,
) error

CanSearchScope calls RBAC authz but enforces basic authz.

func (*RBACAuthZPermissive) FilterRolesQuery

func (p *RBACAuthZPermissive) FilterRolesQuery(
	ctx context.Context, curUser model.User, query *bun.SelectQuery,
) (*bun.SelectQuery, error)

FilterRolesQuery calls RBAC authz but enforces basic authz.

type RBACAuthZRBAC

// RBACAuthZRBAC is RBAC controls: each method checks whether curUser is
// allowed to perform the requested operation.
type RBACAuthZRBAC struct{}

RBACAuthZRBAC implements the RBAC controls.

func (*RBACAuthZRBAC) CanAssignRoles

func (a *RBACAuthZRBAC) CanAssignRoles(
	ctx context.Context,
	curUser model.User,
	groupRoleAssignments []*rbacv1.GroupRoleAssignment,
	userRoleAssignments []*rbacv1.UserRoleAssignment,
) (err error)

CanAssignRoles checks if a user can assign roles.

func (*RBACAuthZRBAC) CanGetGroupRoles

func (a *RBACAuthZRBAC) CanGetGroupRoles(ctx context.Context, curUser model.User,
	groupID int32,
) (err error)

CanGetGroupRoles checks if the user can access a specific group's roles.

func (*RBACAuthZRBAC) CanGetRoles

func (a *RBACAuthZRBAC) CanGetRoles(ctx context.Context, curUser model.User,
	roleIDs []int32,
) (err error)

CanGetRoles checks if a user can get all the roles specified.

func (*RBACAuthZRBAC) CanGetUserRoles

func (a *RBACAuthZRBAC) CanGetUserRoles(ctx context.Context, curUser model.User,
	userID int32,
) (err error)

CanGetUserRoles checks if the user can access a specific user's roles.

func (*RBACAuthZRBAC) CanGetWorkspaceMembership

func (a *RBACAuthZRBAC) CanGetWorkspaceMembership(
	ctx context.Context, curUser model.User, workspaceID int32,
) (err error)

CanGetWorkspaceMembership checks if a user can get membership on a workspace.

func (*RBACAuthZRBAC) CanRemoveRoles

func (a *RBACAuthZRBAC) CanRemoveRoles(
	ctx context.Context,
	curUser model.User,
	groupRoleAssignments []*rbacv1.GroupRoleAssignment,
	userRoleAssignments []*rbacv1.UserRoleAssignment,
) error

CanRemoveRoles checks if a user can remove roles.

func (*RBACAuthZRBAC) CanSearchScope

func (a *RBACAuthZRBAC) CanSearchScope(ctx context.Context, curUser model.User,
	workspaceID *int32,
) (err error)

CanSearchScope checks if a user can search for roles on a specific scope.

func (*RBACAuthZRBAC) FilterRolesQuery

func (a *RBACAuthZRBAC) FilterRolesQuery(ctx context.Context, curUser model.User,
	query *bun.SelectQuery) (
	selectQury *bun.SelectQuery, err error,
)

FilterRolesQuery filters for roles that the user has access to.

type Role

// Role contains the database representation of a Role (table "roles"), along
// with the Permissions and RoleAssignments the Role references.
type Role struct {
	bun.BaseModel `bun:"table:roles,alias:roles"`

	// ID is the autoincrement primary key.
	ID              int               `bun:"id,pk,autoincrement" json:"id"`
	// Name is stored in the role_name column.
	Name            string            `bun:"role_name,notnull" json:"name"`
	// Created is stored in the created_at column.
	Created         time.Time         `bun:"created_at,notnull" json:"created"`
	// Permissions is loaded through the permission_assignments m2m table.
	Permissions     []Permission      `bun:"m2m:permission_assignments,join:Role=Permission"`
	// RoleAssignments are the assignments whose role_id references this role.
	RoleAssignments []*RoleAssignment `bun:"rel:has-many,join:id=role_id"`
}

Role contains the database representation of a Role, along with the Permissions and RoleAssignments the Role references.

func GetAllRoles

func GetAllRoles(ctx context.Context, excludeGlobalOnly bool, offset, limit int,
) ([]Role, int32, error)

GetAllRoles pulls back a summary of all roles from the database and paginates them.

func GetRolesAssignedToGroupsTx

func GetRolesAssignedToGroupsTx(ctx context.Context, idb bun.IDB, ids ...int32) ([]Role, error)

GetRolesAssignedToGroupsTx returns the set of roles assigned to a set of groups.

func GetRolesWithAssignmentsOnWorkspace

func GetRolesWithAssignmentsOnWorkspace(ctx context.Context, workspaceID int) ([]Role, error)

GetRolesWithAssignmentsOnWorkspace gets all roles assigned to the workspace and what assignments they have on the workspace.

func PaginateAndCountRoles

func PaginateAndCountRoles(ctx context.Context, results *[]Role, query *bun.SelectQuery, offset,
	limit int,
) ([]Role, int32, error)

PaginateAndCountRoles executes the bun query with pagination and with a count of results.

func (*Role) Proto

func (r *Role) Proto() *rbacv1.Role

Proto converts a Role into a rbacv1.Role.

func (*Role) ProtoRoleWithAssignments

func (r *Role) ProtoRoleWithAssignments() *rbacv1.RoleWithAssignments

ProtoRoleWithAssignments converts a Role into a RoleWithAssignments.

type RoleAssignment

// RoleAssignment contains the database representation of RoleAssignment
// (table "role_assignments") along with the Role, Group, and Scope that the
// RoleAssignment references.
type RoleAssignment struct {
	bun.BaseModel `bun:"table:role_assignments,alias:role_assignments"`

	// GroupID, RoleID and ScopeID together form the composite primary key:
	// a group holds a role within a scope. Assignments are keyed by group
	// only; user assignments presumably go through the user's group (see
	// GetGroupsFromUsersTx) — confirm.
	GroupID int `bun:"group_id,pk" json:"group_id"`
	RoleID  int `bun:"role_id,pk" json:"role_id"`
	ScopeID int `bun:"scope_id,pk" json:"scope_id"`

	// Role, Group and Scope are the referenced rows, loaded through the
	// relations declared in the tags.
	Role  *Role                `bun:"rel:belongs-to,join:role_id=id"`
	Group *model.Group         `bun:"rel:has-one,join:group_id=id"`
	Scope *RoleAssignmentScope `bun:"rel:has-one,join:scope_id=id"`
}

RoleAssignment contains the database representation of RoleAssignment along with the Role, Group, and Scope that the RoleAssignment references.

type RoleAssignmentScope

// RoleAssignmentScope represents a RoleAssignmentScope as it's stored in the
// database (table "role_assignment_scopes").
type RoleAssignmentScope struct {
	bun.BaseModel `bun:"table:role_assignment_scopes"`

	// ID is the autoincrement primary key.
	ID          int           `bun:"id,pk,autoincrement" json:"id"`
	// WorkspaceID is nullable; presumably a NULL value denotes the global
	// scope rather than a specific workspace — confirm against the code that
	// creates scopes.
	WorkspaceID sql.NullInt32 `bun:"scope_workspace_id"  json:"workspace_id"`
}

RoleAssignmentScope represents a RoleAssignmentScope as it's stored in the database.

type RoleAssignments

// RoleAssignments is a list of RoleAssignment.
type RoleAssignments []*RoleAssignment

RoleAssignments is a list of RoleAssignment.

func (RoleAssignments) Proto

Proto converts RoleAssignments into UserRoleAssignments and GroupRoleAssignments.

type Roles

// Roles is a list of Role.
type Roles []Role

Roles is a list of Role.

func (Roles) Proto

func (rs Roles) Proto() []*rbacv1.RoleWithAssignments

Proto converts Roles to a list of RoleWithAssignments.
