Affected by GO-2022-0270 and 1 other vulnerabilities

GO-2022-0270: Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server

GO-2022-0798: Privilege escalation in rbac in github.com/google/exposure-notifications-verification-server

rbac

package

v0.19.2 Latest Latest Go to latest Published: Jan 9, 2021 License: Apache-2.0 Imports: 3 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/google/exposure-notifications-verification-server

Links

Open Source Insights

Documentation ¶

Overview ¶

Package rbac implements authorization.

Index ¶

Variables
func Can(given Permission, target Permission) bool
func PermissionNames(p Permission) []string
type Permission

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// PermissionsMap is the list of permissions mapped to their name and
	// description.
	PermissionMap = map[Permission][2]string{
		AuditRead:      {"AuditRead", "read event and audit logs"},
		APIKeyRead:     {"APIKeyRead", "view information about API keys, including statistics"},
		APIKeyWrite:    {"APIKeyWrite", "create, update, and delete API keys"},
		CodeIssue:      {"CodeIssue", "issue codes"},
		CodeBulkIssue:  {"CodeBulkIssue", "issue codes in bulk, if bulk issue is enabled on the realm"},
		CodeRead:       {"CodeRead", "lookup code status"},
		CodeExpire:     {"CodeExpire", "expire codes"},
		SettingsRead:   {"SettingsRead", "read realm settings"},
		SettingsWrite:  {"SettingsWrite", "update realm settings"},
		StatsRead:      {"StatsRead", "view realm statistics"},
		MobileAppRead:  {"MobileAppRead", "view mobile app information"},
		MobileAppWrite: {"MobileAppWrite", "create, update, and delete mobile apps"},
		UserRead:       {"UserRead", "view user information"},
		UserWrite:      {"UserWrite", "create, update, and delete users"},
	}

	// NamePermissionMap is the map of permission names to their value.
	NamePermissionMap map[string]Permission
)

Functions ¶

func Can ¶

func Can(given Permission, target Permission) bool

Can returns true if the given resource has permission to perform the provided permissions.

func PermissionNames ¶

func PermissionNames(p Permission) []string

PermissionNames returns the list of permissions included in the given permission.

Types ¶

type Permission ¶

type Permission int64

Permission is a granular permission. It is an integer instead of a uint because most database systems lack unsigned integer types.

const (

	// Audit
	AuditRead Permission

	// API keys
	APIKeyRead
	APIKeyWrite

	// Codes
	CodeIssue
	CodeBulkIssue
	CodeRead
	CodeExpire

	// Realm settings
	SettingsRead
	SettingsWrite

	// Realm statistics
	StatsRead

	// Mobile apps
	MobileAppRead
	MobileAppWrite

	// Users
	UserRead
	UserWrite
)

const (
	// LegacyRealmUser is a quick reference to the old "user" permissions.
	LegacyRealmUser Permission = CodeIssue | CodeBulkIssue | CodeRead | CodeExpire

	// LegacyRealmAdmin is a quick reference to the old "realm admin" permissions.
	LegacyRealmAdmin Permission = AuditRead |
		APIKeyRead | APIKeyWrite |
		CodeIssue | CodeBulkIssue | CodeRead | CodeExpire |
		SettingsRead | SettingsWrite |
		StatsRead |
		MobileAppRead | MobileAppWrite |
		UserRead | UserWrite
)

func AddImplied ¶ added in v0.19.1

func AddImplied(target Permission) Permission

AddImplied adds any missing implied permissions.

func CompileAndAuthorize ¶

func CompileAndAuthorize(actorPermission Permission, toUpdate []Permission) (Permission, error)

CompileAndAuthorize compiles a new permission bit from the given toUpdate permissions. It verifies that the calling permission has a superset of all provided permissions (to prevent privilege escalation).

func ImpliedBy ¶

func ImpliedBy(permission Permission) []Permission

ImpliedBy returns any permissions that cause this permission to be added automatically. The return may be nil.

func (Permission) Description ¶

func (p Permission) Description() (string, error)

Description returns the description

func (Permission) Implied ¶

func (p Permission) Implied() []Permission

Implied returns the additional implied permissions, if any.

func (Permission) String ¶

func (p Permission) String() string

String implements stringer.

func (Permission) Value ¶

func (p Permission) Value() (driver.Value, error)

Value returns the permissions value as an integer for sql drivers.

Source Files ¶

View all Source files

rbac.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL