domain

package

Constants

// Appeal vocabulary: the actions an approver may take on an appeal, the
// states an appeal moves through, and the keys this package reserves for its
// own use inside Appeal.Details.
const (
	// AppealActionNameApprove and AppealActionNameReject are the two approver
	// actions; they carry the same string values as ApprovalActionType.
	AppealActionNameApprove = "approve"
	AppealActionNameReject  = "reject"

	// Appeal statuses. An appeal starts pending and is moved to one of the
	// terminal states by Appeal.Approve, Appeal.Reject or Appeal.Cancel.
	AppealStatusPending  = "pending"
	AppealStatusCanceled = "canceled"
	AppealStatusApproved = "approved"
	AppealStatusRejected = "rejected"

	// SystemActorName is the actor recorded when the service itself, rather
	// than a user, performs an action. It must never collide with a real
	// account identifier, otherwise audit records become ambiguous.
	SystemActorName = "system"

	// DefaultAppealAccountType is applied when an appeal does not specify an
	// account type (see the `default:"user"` tag on Appeal.AccountType).
	DefaultAppealAccountType = "user"
	// PermanentDurationLabel names the duration option that never expires;
	// AppealDurationOption documents `0h` as the matching value.
	PermanentDurationLabel = "Permanent"

	ExpirationDateReasonFromAppeal = "Expiration date is set based on the appeal options"

	// Reserved keys under which the service stores its own data in
	// Appeal.Details. The double-underscore prefix separates them from
	// caller-supplied details.
	// NOTE(review): whether caller-supplied details using these keys are
	// rejected or silently overwritten is not visible here — confirm before
	// treating the prefix as a trust boundary.
	ReservedDetailsKeyProviderParameters = "__provider_parameters"
	ReservedDetailsKeyPolicyQuestions    = "__policy_questions"
	ReservedDetailsKeyPolicyMetadata     = "__policy_metadata"
)
// Approval step statuses. A step is pending until it is resolved; blocked and
// skipped are intermediate outcomes used by the step-advancing logic (see
// Appeal.AdvanceApproval and Approval.Skip), while approved and rejected are
// the outcomes of Approval.Approve and Approval.Reject.
const (
	ApprovalStatusPending  = "pending"
	ApprovalStatusBlocked  = "blocked"
	ApprovalStatusSkipped  = "skipped"
	ApprovalStatusApproved = "approved"
	ApprovalStatusRejected = "rejected"
)
// Grant vocabulary: lifecycle status, where a grant originated, and the
// human-readable reasons attached to automatic expiration changes.
const (
	// GrantStatusActive / GrantStatusInactive is the grant's state as tracked
	// by this service; Grant.StatusInProvider holds the state observed in the
	// provider, which may differ.
	GrantStatusActive   GrantStatus = "active"
	GrantStatusInactive GrantStatus = "inactive"

	// GrantSourceAppeal marks a grant created through the approval workflow;
	// GrantSourceImport marks one discovered in the provider and imported
	// (see AccessEntry.ToGrant), i.e. access that never went through approval.
	GrantSourceAppeal GrantSource = "appeal"
	GrantSourceImport GrantSource = "import"

	// Reasons written to Grant.ExpirationDateReason by the dormancy check and
	// by Grant.Restore respectively.
	GrantExpirationReasonDormant  = "grant/access hasn't been used for a while"
	GrantExpirationReasonRestored = "grant restored with new duration"
)
// Notification types, used as NotificationMessage.Type to select the message
// template. Each one has a corresponding template field in
// NotificationMessages.
const (
	NotificationTypeExpirationReminder       = "ExpirationReminder"
	NotificationTypeAppealApproved           = "AppealApproved"
	NotificationTypeOnBehalfAppealApproved   = "OnBehalfAppealApproved"
	NotificationTypeAppealRejected           = "AppealRejected"
	NotificationTypeAccessRevoked            = "AccessRevoked"
	NotificationTypeApproverNotification     = "ApproverNotification"
	NotificationTypeGrantOwnerChanged        = "GrantOwnerChanged"
	NotificationTypeUnusedGrant              = "UnusedGrant"
	NotificationTypeNewComment               = "NewComment"
	NotificationTypePendingApprovalsReminder = "PendingApprovalsReminder"
)
// Known provider types, as stored in Provider.Type / Resource.ProviderType.
// NOTE(review): the `oneof` list on ProviderConfig.Type spells BigQuery as
// "google_bigquery" and omits "dataplex", "shield" and "gitlab"; one of the
// two lists is stale. Confirm which is authoritative before adding a provider.
const (
	ProviderTypeBigQuery  = "bigquery"
	ProviderTypeMetabase  = "metabase"
	ProviderTypeGrafana   = "grafana"
	ProviderTypeTableau   = "tableau"
	ProviderTypeGCloudIAM = "gcloud_iam"
	ProviderTypeNoOp      = "noop"
	ProviderTypeGCS       = "gcs"
	ProviderTypePolicyTag = "dataplex"
	ProviderTypeShield    = "shield"
	ProviderTypeGitlab    = "gitlab"
)
// ApproversKeyResource is the key used in approver expressions to refer to the
// resource an appeal targets. Resolving it is the step that can fail with
// ErrFailedToGetApprovers / ErrApproversNotFound.
const (
	ApproversKeyResource = "$resource"
)
// TraceIDKey is the context/log key under which a request's trace identifier
// is propagated, so that audit and log records can be correlated.
const (
	TraceIDKey = "trace_id"
)

Variables

// Errors raised while resolving the approvers of an approval step. Every
// approver value must be an email address (see Approver.Email); anything
// else is rejected with ErrInvalidApproverValue rather than silently
// accepted, which would let a malformed policy grant approval to nobody or
// to the wrong party. Compare with errors.Is.
var (
	ErrFailedToGetApprovers   = errors.New("failed to get approvers")
	ErrApproversNotFound      = errors.New("approvers not found")
	ErrUnexpectedApproverType = errors.New("unexpected approver type")
	ErrInvalidApproverValue   = errors.New("approver value is not a valid email")
)
// Grant errors. ErrDuplicateActiveGrant prevents two active grants for the
// same account/resource/permission set; ErrInvalidGrantRestoreParams is
// returned by Grant.Restore when its actor/reason inputs are unusable.
var (
	ErrDuplicateActiveGrant      = errors.New("grant already exists")
	ErrInvalidGrantRestoreParams = errors.New("invalid grant restore parameters")
)
// ErrInvalidConditionField is returned by Condition.IsMatch when
// Condition.Field cannot be parsed against the appeal.
var (
	ErrInvalidConditionField = errors.New("unable to parse condition's field")
)

Functions

This section is empty.

Types

type AccessEntry

// AccessEntry is a single access binding observed in a provider: which
// account holds which permission. Entries are grouped per resource URN in
// MapResourceAccess and converted to imported grants with ToGrant.
type AccessEntry struct {
	AccountID   string
	AccountType string
	Permission  string
}

func (AccessEntry) ToGrant

func (ae AccessEntry) ToGrant(resource Resource) Grant

type Activity

// Activity is a usage record of a resource by an account, as reported by the
// provider. It is the evidence the dormancy check relies on: a grant whose
// account shows no activity for the configured period is treated as unused
// (see DormancyCheckCriteria and GrantExpirationReasonDormant).
type Activity struct {
	ID         string `json:"id" yaml:"id"`
	ProviderID string `json:"provider_id" yaml:"provider_id"`
	ResourceID string `json:"resource_id" yaml:"resource_id"`
	// ProviderActivityID is the provider's own identifier for the event,
	// useful for tracing back to the provider's audit source.
	ProviderActivityID string                 `json:"provider_activity_id" yaml:"provider_activity_id"`
	AccountType        string                 `json:"account_type" yaml:"account_type"`
	AccountID          string                 `json:"account_id" yaml:"account_id"`
	Timestamp          time.Time              `json:"timestamp" yaml:"timestamp"`
	Authorizations     []string               `json:"authorizations" yaml:"authorizations"`
	RelatedPermissions []string               `json:"related_permissions" yaml:"related_permissions"`
	Type               string                 `json:"type" yaml:"type"`
	Metadata           map[string]interface{} `json:"metadata" yaml:"metadata"`
	CreatedAt          time.Time              `json:"created_at" yaml:"created_at"`

	Provider *Provider `json:"provider,omitempty" yaml:"provider,omitempty"`
	Resource *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
}

type ActivityConfig added in v0.7.5

// ActivityConfig tells a provider where to fetch Activity records from.
// Source selects the activity backend; Options is backend-specific and is
// not validated here.
type ActivityConfig struct {
	Source  string
	Options map[string]interface{}
}

type AdditionalAppeal

// AdditionalAppeal describes an appeal that is created automatically when a
// Requirement's trigger matches. Because it is raised on the requester's
// behalf without a separate request, Policy should normally be set so the
// derived appeal goes through its own approval steps.
type AdditionalAppeal struct {
	Resource *ResourceIdentifier `json:"resource" yaml:"resource"  validate:"required"`
	Role     string              `json:"role" yaml:"role" validate:"required"`
	Options  *AppealOptions      `json:"options" yaml:"options"`
	Policy   *PolicyConfig       `json:"policy" yaml:"policy"`
}

type Appeal

// Appeal is a request for access to a resource under a specific policy
// version. Status follows the AppealStatus* constants. The policy that was in
// force when the appeal was created is pinned by PolicyID/PolicyVersion so a
// later policy change cannot retroactively alter the approval chain.
type Appeal struct {
	ID            string `json:"id" yaml:"id"`
	ResourceID    string `json:"resource_id" yaml:"resource_id"`
	PolicyID      string `json:"policy_id" yaml:"policy_id"`
	PolicyVersion uint   `json:"policy_version" yaml:"policy_version"`
	Status        string `json:"status" yaml:"status"`
	// AccountID is the account that will receive access; CreatedBy is who
	// filed the appeal. They differ for on-behalf appeals
	// (PolicyAppealConfig.AllowOnBehalf).
	AccountID   string `json:"account_id" yaml:"account_id"`
	AccountType string `json:"account_type" yaml:"account_type" default:"user"`
	CreatedBy   string `json:"created_by" yaml:"created_by"`
	// Creator holds the creator's profile as returned by the policy's IAM
	// provider; it is nil when the lookup failed and the policy allows that
	// (PolicyAppealConfig.AllowCreatorDetailsFailure).
	Creator     interface{}            `json:"creator" yaml:"creator"`
	Role        string                 `json:"role" yaml:"role"`
	Permissions []string               `json:"permissions" yaml:"permissions"`
	Options     *AppealOptions         `json:"options" yaml:"options"`
	// Details carries caller-supplied data plus service-written entries under
	// the ReservedDetailsKey* keys.
	Details     map[string]interface{} `json:"details" yaml:"details"`
	Labels      map[string]string      `json:"labels" yaml:"labels"`
	Description string                 `json:"description" yaml:"description"`

	// Policy is deliberately excluded from serialization (`json:"-"`), so the
	// policy body, including any IAM config, is not echoed back to API callers.
	Policy    *Policy     `json:"-" yaml:"-"`
	Resource  *Resource   `json:"resource,omitempty" yaml:"resource,omitempty"`
	Approvals []*Approval `json:"approvals,omitempty" yaml:"approvals,omitempty"`
	Grant     *Grant      `json:"grant,omitempty" yaml:"grant,omitempty"`

	// Revision increments when the appeal is edited; approvals created under
	// an older revision are marked stale (Approval.IsStale/AppealRevision).
	Revision uint `json:"revision,omitempty" yaml:"revision,omitempty"`

	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

Appeal is an access request for a resource, evaluated against the policy version pinned in PolicyID/PolicyVersion.

func (*Appeal) AdvanceApproval

func (a *Appeal) AdvanceApproval(policy *Policy) error

func (*Appeal) ApplyPolicy

func (a *Appeal) ApplyPolicy(p *Policy) error

func (*Appeal) Approve

func (a *Appeal) Approve() error

func (*Appeal) Cancel

func (a *Appeal) Cancel()

func (*Appeal) Compare added in v0.11.2

func (a *Appeal) Compare(old *Appeal, actor string) ([]*DiffItem, error)

func (*Appeal) GetApproval

func (a *Appeal) GetApproval(identifier string) *Approval

GetApproval returns an approval within the appeal. If identifier is an approval ID, the approval with that ID is returned; if it is an approval name, the non-stale approval with that name is returned (stale approvals from earlier revisions are ignored).

func (*Appeal) GetApprovalByIndex added in v0.11.2

func (a *Appeal) GetApprovalByIndex(index int) *Approval

func (*Appeal) GetDuration

func (a *Appeal) GetDuration() (time.Duration, error)

func (*Appeal) GetNextPendingApproval

func (a *Appeal) GetNextPendingApproval() *Approval

func (*Appeal) Init

func (a *Appeal) Init(policy *Policy)

func (*Appeal) IsDurationEmpty

func (a *Appeal) IsDurationEmpty() bool

func (*Appeal) Reject

func (a *Appeal) Reject()

func (*Appeal) SetDefaults

func (a *Appeal) SetDefaults()

func (Appeal) ToGrant

func (a Appeal) ToGrant() (*Grant, error)

func (*Appeal) ToMap added in v0.10.0

func (a *Appeal) ToMap() (map[string]interface{}, error)

type AppealConfig

// AppealConfig is the provider-level appeal configuration (ProviderConfig.Appeal).
// AllowPermanentAccess gates whether an appeal may request a never-expiring
// grant; AllowActiveAccessExtensionIn is a duration string within which an
// active grant may be extended (see Grant.IsEligibleForExtension).
type AppealConfig struct {
	AllowPermanentAccess         bool   `json:"allow_permanent_access" yaml:"allow_permanent_access"`
	AllowActiveAccessExtensionIn string `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in" validate:"required"`
}

AppealConfig is the policy configuration of the appeal

type AppealDurationOption

// AppealDurationOption is one of the durations a requester may choose from
// (PolicyAppealConfig.DurationOptions). Offering `0h` in a policy grants
// permanent access, so it should only appear where
// AllowPermanentAccess is intended.
type AppealDurationOption struct {
	// Name of the duration
	// Ex: 1 Day, 3 Days, Permanent
	Name string `json:"name" yaml:"name" validate:"required"`
	// Value of the actual duration
	// Ex: 24h, 72h, 0h
	// `0h` is reserved for permanent access
	Value string `json:"value" yaml:"value" validate:"required"`
}

type AppealMetadataSource added in v0.10.0

// AppealMetadataSource fetches extra metadata for an appeal from an external
// source of the given Type. Config may hold credentials: EncryptConfig /
// DecryptConfig exist so it is stored encrypted, and Policy.RemoveSensitiveValues
// is the hook for stripping it before a policy is returned to callers.
// Value is the evaluated result (see EvaluateValue).
type AppealMetadataSource struct {
	Name        string      `json:"name" yaml:"name"`
	Description string      `json:"description,omitempty" yaml:"description,omitempty"`
	Type        string      `json:"type" yaml:"type"`
	Config      interface{} `json:"config,omitempty" yaml:"config,omitempty"`
	Value       interface{} `json:"value" yaml:"value"`
}

func (*AppealMetadataSource) DecryptConfig added in v0.10.0

func (c *AppealMetadataSource) DecryptConfig(dec Decryptor) error

func (*AppealMetadataSource) EncryptConfig added in v0.10.0

func (c *AppealMetadataSource) EncryptConfig(enc Encryptor) error

func (*AppealMetadataSource) EvaluateValue added in v0.10.0

func (c *AppealMetadataSource) EvaluateValue(params map[string]interface{}) (interface{}, error)

type AppealOptions

// AppealOptions are the requester's choices for how long access should last.
// Duration is a duration string (one of the policy's duration options);
// ExpirationDate is the resolved absolute expiry. Appeal.GetDuration parses
// Duration and Appeal.IsDurationEmpty reports whether neither was set.
type AppealOptions struct {
	ExpirationDate *time.Time `json:"expiration_date,omitempty" yaml:"expiration_date,omitempty"`
	Duration       string     `json:"duration" yaml:"duration"`
}

AppealOptions holds the requested access duration or expiration date for an appeal.

type Approval

// Approval is one step of an appeal's approval chain, instantiated from a
// policy Step. Status follows the ApprovalStatus* constants. Actor records
// who resolved the step (SystemActorName for non-manual steps, presumably —
// confirm in the approval service) and is therefore part of the audit trail.
type Approval struct {
	ID     string `json:"id" yaml:"id"`
	Name   string `json:"name" yaml:"name"`
	// Index is the step's position in the policy and is never serialized.
	Index         int     `json:"-" yaml:"-"`
	AppealID      string  `json:"appeal_id" yaml:"appeal_id"`
	Status        string  `json:"status" yaml:"status"`
	Actor         *string `json:"actor" yaml:"actor"`
	Reason        string  `json:"reason,omitempty" yaml:"reason,omitempty"`
	PolicyID      string  `json:"policy_id" yaml:"policy_id"`
	PolicyVersion uint    `json:"policy_version" yaml:"policy_version"`

	// Approvers are the email addresses allowed to act on this step.
	Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty"`
	Appeal    *Appeal  `json:"appeal,omitempty" yaml:"appeal,omitempty"`

	// IsStale marks an approval that belongs to an earlier Appeal.Revision;
	// Appeal.GetApproval skips stale approvals when looking up by name.
	IsStale        bool `json:"is_stale,omitempty" yaml:"is_stale,omitempty"`
	AppealRevision uint `json:"appeal_revision" yaml:"appeal_revision"`

	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

func (*Approval) Approve

func (a *Approval) Approve()

func (*Approval) IsManualApproval

func (a *Approval) IsManualApproval() bool

func (*Approval) Reject

func (a *Approval) Reject()

func (*Approval) Skip

func (a *Approval) Skip()

type ApprovalAction

// ApprovalAction is the request payload for approving or rejecting one named
// step of an appeal. Action is constrained to approve/reject by the validate
// tag; Actor must be an email address (an empty Actor does not satisfy the
// `email` tag under go-playground/validator semantics — confirm the library
// in use). Validate runs these checks; authorizing that Actor is actually one
// of the step's Approvers is not done here.
type ApprovalAction struct {
	AppealID     string `validate:"required" json:"appeal_id"`
	ApprovalName string `validate:"required" json:"approval_name"`
	Actor        string `validate:"email" json:"actor"`
	Action       string `validate:"required,oneof=approve reject" json:"action"`
	Reason       string `json:"reason"`
}

func (ApprovalAction) Validate added in v0.8.0

func (a ApprovalAction) Validate() error

type ApprovalActionType

// ApprovalActionType is the typed form of the approve/reject action; its
// values equal AppealActionNameApprove / AppealActionNameReject.
type ApprovalActionType string
const (
	ApprovalActionApprove ApprovalActionType = "approve"
	ApprovalActionReject  ApprovalActionType = "reject"
)

type ApprovalStepStrategy

// ApprovalStepStrategy selects how a policy step is resolved: automatically
// from a condition/expression, or manually by a human approver
// (see Approval.IsManualApproval).
type ApprovalStepStrategy string
const (
	ApprovalStepStrategyAuto   ApprovalStepStrategy = "auto"
	ApprovalStepStrategyManual ApprovalStepStrategy = "manual"
)

type Approver

// Approver is a persisted (approval, email) pair: one person permitted to act
// on one approval step. Email is the identity compared against the acting
// user, so it must come from a trusted resolution path (policy approvers
// expressions), not from the requester.
type Approver struct {
	ID         string `json:"id" yaml:"id"`
	ApprovalID string `json:"approval_id" yaml:"approval_id"`
	AppealID   string `json:"appeal_id" yaml:"appeal_id"`
	Email      string `json:"email" yaml:"email"`

	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

type Comment added in v0.10.0

// Comment is free-form text attached to a parent object (ParentType/ParentID,
// e.g. an appeal). Body is user-controlled and is relayed in
// NotificationTypeNewComment messages; any escaping is the responsibility of
// the renderer that emits it.
type Comment struct {
	ID         string    `json:"id" yaml:"id"`
	ParentType string    `json:"parent_type" yaml:"parent_type"`
	ParentID   string    `json:"parent_id" yaml:"parent_id"`
	CreatedBy  string    `json:"created_by" yaml:"created_by"`
	Body       string    `json:"body" yaml:"body"`
	CreatedAt  time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt  time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

type Condition

// Condition is a single field-equals-value predicate evaluated against an
// appeal (IsMatch). Field names the appeal attribute to read; an unparseable
// Field yields ErrInvalidConditionField. Superseded by expression strings on
// RequirementTrigger.Expression.
type Condition struct {
	Field string          `json:"field" yaml:"field" validate:"required"`
	Match *MatchCondition `json:"match" yaml:"match" validate:"required"`
}

Condition is evaluated against an appeal to decide whether an approval step (or requirement) is satisfied; IsMatch reports the outcome.

func (*Condition) IsMatch

func (c *Condition) IsMatch(a *Appeal) (bool, error)

type Crypto

// Crypto is the combined encrypt/decrypt dependency used for at-rest
// protection of secrets such as AppealMetadataSource.Config. Implementations
// should provide authenticated encryption; this interface does not enforce it.
type Crypto interface {
	Encryptor
	Decryptor
}

Crypto encrypts plain text into an encrypted string and decrypts it back.

type Decryptor

// Decryptor turns an encrypted string (as produced by Encryptor.Encrypt)
// back into plain text. An error should be returned, not an empty string,
// when the ciphertext is invalid or tampered with.
type Decryptor interface {
	Decrypt(string) (string, error)
}

Decryptor decrypts an encrypted string back into plain text.

type DiffItem added in v0.11.2

// DiffItem is one field-level change between two versions of an appeal, as
// produced by Appeal.Compare. Actor identifies who made the change, which
// makes the diff usable as an audit record of appeal edits.
type DiffItem struct {
	Op       string `json:"op"`
	Actor    string `json:"actor"`
	Path     string `json:"path"`
	OldValue any    `json:"old_value,omitempty"`
	NewValue any    `json:"new_value,omitempty"`
}

type DormancyCheckCriteria added in v0.7.5

// DormancyCheckCriteria parameterizes the unused-grant sweep for one provider:
// grants with no Activity within Period are candidates, RetainDuration is how
// long they are kept before expiring, and DryRun reports without revoking.
// Validate checks the criteria before a run.
type DormancyCheckCriteria struct {
	ProviderID     string
	Period         time.Duration
	RetainDuration time.Duration
	DryRun         bool
}

func (DormancyCheckCriteria) Validate added in v0.7.5

func (c DormancyCheckCriteria) Validate() error

type Encryptor

// Encryptor turns plain text into an encrypted string suitable for storage.
type Encryptor interface {
	Encrypt(string) (string, error)
}

Encryptor encrypts plain text into an encrypted string.

type Event added in v0.11.0

// Event is an audit-derived occurrence on a parent object (appeal, grant,
// ...): what happened (Type), who did it (Actor), when, and event-specific
// Data. FromAuditLog populates it from an audit.Log entry.
type Event struct {
	ParentType string         `json:"parent_type"`
	ParentID   string         `json:"parent_id"`
	Timestamp  time.Time      `json:"timestamp"`
	Type       string         `json:"type"`
	Actor      string         `json:"actor"`
	Data       map[string]any `json:"data"`
}

func (*Event) FromAuditLog added in v0.11.0

func (e *Event) FromAuditLog(l *audit.Log) error

type Grant

// Grant is access actually held by an account on a resource, either created
// from an approved appeal (Source == GrantSourceAppeal) or imported from the
// provider (GrantSourceImport). Revoke and Restore record the acting user and
// reason in the *By/*At/*Reason fields, so these are audit fields and should
// not be writable through ordinary update paths.
type Grant struct {
	ID string `json:"id" yaml:"id"`
	// Status is the state tracked here; StatusInProvider is what was last
	// observed in the provider. A mismatch indicates drift worth reconciling.
	Status           GrantStatus `json:"status" yaml:"status"`
	StatusInProvider GrantStatus `json:"status_in_provider" yaml:"status_in_provider"`
	AccountID        string      `json:"account_id" yaml:"account_id"`
	AccountType      string      `json:"account_type" yaml:"account_type"`
	ResourceID       string      `json:"resource_id" yaml:"resource_id"`
	Role             string      `json:"role" yaml:"role"`
	Permissions      []string    `json:"permissions" yaml:"permissions"`
	// IsPermanent grants never expire; ExpirationDate is nil for them.
	// RequestedExpirationDate preserves what the requester asked for when the
	// effective ExpirationDate was set for another reason
	// (ExpirationDateReason, e.g. GrantExpirationReasonDormant).
	IsPermanent             bool        `json:"is_permanent" yaml:"is_permanent"`
	ExpirationDate          *time.Time  `json:"expiration_date" yaml:"expiration_date"`
	RequestedExpirationDate *time.Time  `json:"requested_expiration_date,omitempty" yaml:"requested_expiration_date,omitempty"`
	ExpirationDateReason    string      `json:"expiration_date_reason,omitempty" yaml:"expiration_date_reason,omitempty"`
	AppealID                string      `json:"appeal_id" yaml:"appeal_id"`
	Source                  GrantSource `json:"source" yaml:"source"`
	RevokedBy               string      `json:"revoked_by,omitempty" yaml:"revoked_by,omitempty"`
	RevokedAt               *time.Time  `json:"revoked_at,omitempty" yaml:"revoked_at,omitempty"`
	RevokeReason            string      `json:"revoke_reason,omitempty" yaml:"revoke_reason,omitempty"`
	RestoredBy              string      `json:"restored_by,omitempty" yaml:"restored_by,omitempty"`
	RestoredAt              *time.Time  `json:"restored_at,omitempty" yaml:"restored_at,omitempty"`
	RestoreReason           string      `json:"restore_reason,omitempty" yaml:"restore_reason,omitempty"`
	CreatedBy               string      `json:"created_by" yaml:"created_by"` // Deprecated: use Owner instead
	// Owner is the account responsible for the grant; changing it triggers
	// NotificationTypeGrantOwnerChanged.
	Owner     string    `json:"owner" yaml:"owner"`
	CreatedAt time.Time `json:"created_at" yaml:"created_at"`
	UpdatedAt time.Time `json:"updated_at" yaml:"updated_at"`

	Resource   *Resource   `json:"resource,omitempty" yaml:"resource,omitempty"`
	Appeal     *Appeal     `json:"appeal,omitempty" yaml:"appeal,omitempty"`
	Activities []*Activity `json:"activities,omitempty" yaml:"activities,omitempty"`
}

func (*Grant) GetPermissions

func (g *Grant) GetPermissions() []string

func (Grant) IsEligibleForExtension

func (g Grant) IsEligibleForExtension(extensionDurationRule time.Duration) bool

func (Grant) PermissionsKey

func (g Grant) PermissionsKey() string

func (*Grant) Restore added in v0.11.0

func (g *Grant) Restore(actor, reason string) error

func (*Grant) Revoke

func (g *Grant) Revoke(actor, reason string) error

type GrantSource

// GrantSource records how a grant came to exist; see GrantSourceAppeal and
// GrantSourceImport.
type GrantSource string

type GrantStatus

// GrantStatus is the active/inactive state of a grant; see GrantStatusActive
// and GrantStatusInactive.
type GrantStatus string

type IAMClient

// IAMClient looks up a user profile in the identity provider configured on a
// policy. The result is untyped and is what ends up in Appeal.Creator, so
// expressions reading `$appeal.creator.*` depend on the provider's schema.
type IAMClient interface {
	GetUser(id string) (interface{}, error)
}

IAMClient fetches a user's profile from the identity provider configured on a policy.

type IAMConfig

// IAMConfig is a policy's identity-provider configuration. Provider is limited
// to the IAMProviderType values (http, shield). Config is provider-specific
// and may contain credentials: IAMManager.ParseConfig converts it into a
// SensitiveConfig, and Policy.RemoveSensitiveValues exists to scrub it
// before a policy is exposed. Schema maps provider fields to the names used
// in policy expressions.
type IAMConfig struct {
	Provider IAMProviderType   `json:"provider" yaml:"provider" validate:"required,oneof=http shield"`
	Config   interface{}       `json:"config" yaml:"config" validate:"required"`
	Schema   map[string]string `json:"schema" yaml:"schema"`
}

type IAMManager

// IAMManager turns an IAMConfig into a usable client: ParseConfig validates
// and types the raw config (marking it sensitive), GetClient builds the
// client from that parsed config.
type IAMManager interface {
	ParseConfig(*IAMConfig) (SensitiveConfig, error)
	GetClient(SensitiveConfig) (IAMClient, error)
}

type IAMProviderType

// IAMProviderType enumerates the supported identity providers. The values
// must stay in sync with the `oneof=http shield` tag on IAMConfig.Provider.
type IAMProviderType string
const (
	IAMProviderTypeShield IAMProviderType = "shield"
	IAMProviderTypeHTTP   IAMProviderType = "http"
)

type ListActivitiesFilter added in v0.7.5

// ListActivitiesFilter selects Activity records by provider, resource,
// account and time window. Resources may be given by ID or by
// ResourceIdentifier; PopulateResources resolves identifiers against a
// lookup map and GetResources returns the resolved set.
type ListActivitiesFilter struct {
	ProviderID          string
	ResourceIDs         []string
	ResourceIdentifiers []ResourceIdentifier
	AccountIDs          []string
	TimestampGte        *time.Time
	TimestampLte        *time.Time
	// contains filtered or unexported fields
}

func (*ListActivitiesFilter) GetResources added in v0.7.5

func (f *ListActivitiesFilter) GetResources() []*Resource

func (*ListActivitiesFilter) PopulateResources added in v0.7.5

func (f *ListActivitiesFilter) PopulateResources(resources map[string]*Resource) error

type ListAppealsFilter

// ListAppealsFilter is the query for listing appeals, decoded from request
// parameters via mapstructure. Q is a free-text search term.
// NOTE(review): `validate:"omitempty,required"` is effectively a no-op
// (omitempty skips the required check on empty values), so these fields are
// not actually constrained; confirm that was intended.
type ListAppealsFilter struct {
	Q                         string    `mapstructure:"q" validate:"omitempty"`
	AccountTypes              []string  `mapstructure:"account_types" validate:"omitempty,min=1"`
	CreatedBy                 string    `mapstructure:"created_by" validate:"omitempty,required"`
	AccountID                 string    `mapstructure:"account_id" validate:"omitempty,required"`
	AccountIDs                []string  `mapstructure:"account_ids" validate:"omitempty,required"`
	ResourceID                string    `mapstructure:"resource_id" validate:"omitempty,required"`
	Role                      string    `mapstructure:"role" validate:"omitempty,required"`
	Statuses                  []string  `mapstructure:"statuses" validate:"omitempty,min=1"`
	ExpirationDateLessThan    time.Time `mapstructure:"expiration_date_lt" validate:"omitempty,required"`
	ExpirationDateGreaterThan time.Time `mapstructure:"expiration_date_gt" validate:"omitempty,required"`
	ProviderTypes             []string  `mapstructure:"provider_types" validate:"omitempty,min=1"`
	ProviderURNs              []string  `mapstructure:"provider_urns" validate:"omitempty,min=1"`
	ResourceTypes             []string  `mapstructure:"resource_types" validate:"omitempty,min=1"`
	ResourceURNs              []string  `mapstructure:"resource_urns" validate:"omitempty,min=1"`
	// OrderBy is caller-supplied; the repository must map it to a known
	// column list rather than interpolate it into SQL.
	OrderBy []string `mapstructure:"order_by" validate:"omitempty,min=1"`
	Size    int      `mapstructure:"size" validate:"omitempty"`
	Offset  int      `mapstructure:"offset" validate:"omitempty"`
}

type ListApprovalsFilter

// ListApprovalsFilter is the query for listing approval steps, typically the
// ones pending for a given approver. Stale selects approvals from superseded
// appeal revisions. OrderBy is caller-supplied and must be whitelisted by the
// repository before use in a query.
type ListApprovalsFilter struct {
	Q              string   `mapstructure:"q" validate:"omitempty"`
	AccountID      string   `mapstructure:"account_id" validate:"omitempty,required"`
	AccountTypes   []string `mapstructure:"account_types" validate:"omitempty,min=1"`
	ResourceTypes  []string `mapstructure:"resource_types" validate:"omitempty,min=1"`
	CreatedBy      string   `mapstructure:"created_by" validate:"omitempty,required"`
	Statuses       []string `mapstructure:"statuses" validate:"omitempty,min=1"`
	OrderBy        []string `mapstructure:"order_by" validate:"omitempty,min=1"`
	Size           int      `mapstructure:"size" validate:"omitempty"`
	Offset         int      `mapstructure:"offset" validate:"omitempty"`
	AppealStatuses []string `mapstructure:"appeal_statuses" validate:"omitempty,min=1"`
	Stale          bool     `mapstructure:"stale" validate:"omitempty"`
}

type ListAuditLogFilter added in v0.11.0

// ListAuditLogFilter selects audit log entries by action name and/or appeal.
type ListAuditLogFilter struct {
	Actions  []string
	AppealID string
}

type ListCommentsFilter added in v0.10.0

// ListCommentsFilter selects the comments attached to one parent object.
type ListCommentsFilter struct {
	ParentType string
	ParentID   string
	OrderBy    []string
}

type ListEventsFilter added in v0.11.0

// ListEventsFilter selects Event records by type and/or parent object.
type ListEventsFilter struct {
	Types      []string
	ParentType string
	ParentID   string
}

type ListGrantsFilter

// ListGrantsFilter is the query for listing grants. Slice fields match any of
// their values; IsPermanent is a tri-state (nil = don't filter). Only Size,
// Offset and Q carry mapstructure tags, so the other fields are populated by
// code rather than decoded directly from request parameters.
type ListGrantsFilter struct {
	Statuses                  []string
	AccountIDs                []string
	AccountTypes              []string
	ResourceIDs               []string
	Roles                     []string
	Permissions               []string
	ProviderTypes             []string
	ProviderURNs              []string
	ResourceTypes             []string
	ResourceURNs              []string
	CreatedBy                 string
	Owner                     string
	OrderBy                   []string
	ExpirationDateLessThan    time.Time
	ExpirationDateGreaterThan time.Time
	IsPermanent               *bool
	CreatedAtLte              time.Time
	Size                      int    `mapstructure:"size" validate:"omitempty"`
	Offset                    int    `mapstructure:"offset" validate:"omitempty"`
	Q                         string `mapstructure:"q" validate:"omitempty"`
}

type ListProviderActivitiesFilter

// ListProviderActivitiesFilter selects provider activity records by provider,
// resource, account, type and time window (both bounds optional).
type ListProviderActivitiesFilter struct {
	ProviderIDs  []string
	ResourceIDs  []string
	AccountIDs   []string
	Types        []string
	TimestampGte *time.Time
	TimestampLte *time.Time
}

type ListResourcesFilter

// ListResourcesFilter is the query for listing resources, decoded from
// request parameters via mapstructure. Details filters on keys of
// Resource.Details; IsDeleted includes soft-deleted resources. OrderBy is
// caller-supplied and must be whitelisted before reaching a query.
type ListResourcesFilter struct {
	IDs           []string          `mapstructure:"ids" validate:"omitempty,min=1"`
	IsDeleted     bool              `mapstructure:"is_deleted" validate:"omitempty"`
	ProviderType  string            `mapstructure:"provider_type" validate:"omitempty"`
	ProviderURN   string            `mapstructure:"provider_urn" validate:"omitempty"`
	Name          string            `mapstructure:"name" validate:"omitempty"`
	ResourceURN   string            `mapstructure:"urn" validate:"omitempty"`
	ResourceType  string            `mapstructure:"type" validate:"omitempty"`
	ResourceURNs  []string          `mapstructure:"urns" validate:"omitempty"`
	ResourceTypes []string          `mapstructure:"types" validate:"omitempty"`
	Details       map[string]string `mapstructure:"details"`
	Size          uint32            `mapstructure:"size" validate:"omitempty"`
	Offset        uint32            `mapstructure:"offset" validate:"omitempty"`
	OrderBy       []string          `mapstructure:"order_by" validate:"omitempty"`
	Q             string            `mapstructure:"q" validate:"omitempty"`
}

type MapResourceAccess

// MapResourceAccess groups the AccessEntry bindings found in a provider by
// resource URN; it is the input for importing existing access as grants.
type MapResourceAccess map[string][]AccessEntry

MapResourceAccess maps a resource URN to the list of AccessEntry bindings found on that resource.

type MatchCondition

// MatchCondition is the expected value side of a Condition. Only equality is
// supported; Eq is untyped so it is compared against whatever the appeal
// field holds.
type MatchCondition struct {
	Eq interface{} `json:"eq" yaml:"eq"`
}

MatchCondition holds the value a Condition's field must equal for the condition to match.

type Notification

// Notification is one message addressed to one user. Labels are passed to the
// notifier as opaque metadata.
type Notification struct {
	User    string
	Message NotificationMessage

	Labels map[string]string
}

type NotificationMessage

// NotificationMessage selects a template by Type (one of the
// NotificationType* constants) and supplies the Variables to render into it.
// Variables may include user-authored text (e.g. appeal descriptions,
// comment bodies); escaping is the renderer's concern.
type NotificationMessage struct {
	Type      string
	Variables map[string]interface{}
}

type NotificationMessages

// NotificationMessages is the configured template for each notification
// type, loaded via mapstructure. Field order mirrors the NotificationType*
// constants (OthersAppealApproved corresponds to OnBehalfAppealApproved).
type NotificationMessages struct {
	ExpirationReminder       string `mapstructure:"expiration_reminder"`
	AppealApproved           string `mapstructure:"appeal_approved"`
	AppealRejected           string `mapstructure:"appeal_rejected"`
	AccessRevoked            string `mapstructure:"access_revoked"`
	ApproverNotification     string `mapstructure:"approver_notification"`
	OthersAppealApproved     string `mapstructure:"others_appeal_approved"`
	GrantOwnerChanged        string `mapstructure:"grant_owner_changed"`
	UnusedGrant              string `mapstructure:"unused_grant"`
	NewComment               string `mapstructure:"new_comment"`
	PendingApprovalsReminder string `mapstructure:"pending_approvals_reminder"`
}

type Policy

// Policy is a versioned approval policy: the ordered Steps an appeal must
// pass, appeal-level options, additional appeals triggered by Requirements,
// and the IAM configuration used to resolve the appeal creator. Version is
// `required`, so version 0 is rejected. Appeals pin PolicyID+Version, so
// editing a policy must create a new version rather than mutate one in place.
// Call RemoveSensitiveValues before returning a policy to callers: IAM config
// and metadata source configs may carry credentials.
type Policy struct {
	ID           string              `json:"id" yaml:"id" validate:"required"`
	Version      uint                `json:"version" yaml:"version" validate:"required"`
	Description  string              `json:"description" yaml:"description"`
	Steps        []*Step             `json:"steps" yaml:"steps" validate:"required,min=1,dive"`
	AppealConfig *PolicyAppealConfig `json:"appeal" yaml:"appeal" validate:"omitempty,dive"`
	Requirements []*Requirement      `json:"requirements,omitempty" yaml:"requirements,omitempty" validate:"omitempty,min=1,dive"`
	Labels       map[string]string   `json:"labels,omitempty" yaml:"labels,omitempty"`
	IAM          *IAMConfig          `json:"iam,omitempty" yaml:"iam,omitempty" validate:"omitempty,dive"`
	CreatedAt    time.Time           `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt    time.Time           `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

Policy is a versioned approval policy: the steps, appeal options, requirements and IAM configuration applied to appeals that reference it.

func (*Policy) HasAppealMetadataSources added in v0.10.0

func (p *Policy) HasAppealMetadataSources() bool

func (*Policy) HasIAMConfig

func (p *Policy) HasIAMConfig() bool

func (*Policy) RemoveSensitiveValues added in v0.10.0

func (p *Policy) RemoveSensitiveValues()

type PolicyAppealConfig

// PolicyAppealConfig is the appeal-level configuration of a policy: which
// durations a requester may pick, whether on-behalf and permanent access are
// allowed, which Questions the requester must answer, and where extra appeal
// metadata comes from.
type PolicyAppealConfig struct {
	DurationOptions              []AppealDurationOption `json:"duration_options" yaml:"duration_options" validate:"omitempty,min=1,dive"`
	AllowOnBehalf                bool                   `json:"allow_on_behalf" yaml:"allow_on_behalf"`
	AllowPermanentAccess         bool                   `json:"allow_permanent_access" yaml:"allow_permanent_access"`
	AllowActiveAccessExtensionIn string                 `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in"`
	Questions                    []Question             `json:"questions" yaml:"questions"`
	// AllowCreatorDetailsFailure is a flag that lets the appeal creation to continue when the request to the identity
	// provider (Policy.IAM) fails. If this is set to true and request to the identity provider fails (4xx or 5xx), the
	// value of `creator` field in the appeal will be nil.
	// Note: any expression that tries to access `$appeal.creator.*` is still evaluated as usual, it might need to have
	// proper nil checking to avoid accessing nil value.
	// Security note: this is a fail-open switch. A step or approver expression
	// that relies on creator attributes (e.g. team membership) will see a nil
	// creator when the IAM lookup fails, so such expressions must treat nil as
	// "not authorized", not as "no restriction".
	AllowCreatorDetailsFailure bool                             `json:"allow_creator_details_failure" yaml:"allow_creator_details_failure"`
	MetadataSources            map[string]*AppealMetadataSource `json:"metadata_sources,omitempty" yaml:"metadata_sources,omitempty"`
}

type PolicyConfig

// PolicyConfig references a policy by ID and version from a provider's
// ResourceConfig or an AdditionalAppeal.
// NOTE(review): Version is int here but uint on Policy.Version and
// Appeal.PolicyVersion; negative values pass the `required` check and would
// have to be rejected elsewhere.
type PolicyConfig struct {
	ID      string `json:"id" yaml:"id" validate:"required"`
	Version int    `json:"version" yaml:"version" validate:"required"`
}

PolicyConfig identifies, by ID and version, the policy a provider's resource type (or an additional appeal) uses.

type Provider

// Provider is a registered access provider (BigQuery, Metabase, ...). Config
// embeds the provider credentials; see the note on ProviderConfig.Credentials
// before serializing a Provider to an API response.
type Provider struct {
	ID        string          `json:"id" yaml:"id"`
	Type      string          `json:"type" yaml:"type"`
	URN       string          `json:"urn" yaml:"urn"`
	Config    *ProviderConfig `json:"config" yaml:"config"`
	CreatedAt time.Time       `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time       `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

type ProviderConfig

// ProviderConfig is the declarative configuration of one provider: its type
// and URN, the credentials used to talk to it, which account types may be
// granted access, the resource types and roles it exposes, and optional
// parameters/activity settings.
//
// NOTE(review): the `oneof` list on Type uses "google_bigquery" while the
// ProviderTypeBigQuery constant is "bigquery", and it omits "dataplex",
// "shield" and "gitlab" even though constants exist for them. One of the two
// lists is out of date; confirm which before relying on this validation.
type ProviderConfig struct {
	Type                string            `json:"type" yaml:"type" validate:"required,oneof=google_bigquery metabase grafana tableau gcloud_iam noop gcs"`
	URN                 string            `json:"urn" yaml:"urn" validate:"required"`
	// AllowedAccountTypes restricts which Appeal.AccountType values may be
	// granted on this provider; empty means no restriction is applied here.
	AllowedAccountTypes []string          `json:"allowed_account_types" yaml:"allowed_account_types" validate:"omitempty,min=1"`
	Labels              map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
	// Credentials is a secret. It has json tags and no `json:"-"`, so a
	// Provider marshalled as-is leaks it; the caller must redact it before
	// returning provider objects to clients (no RemoveSensitiveValues
	// counterpart is visible on this type).
	Credentials interface{}          `json:"credentials,omitempty" yaml:"credentials" validate:"required"`
	Appeal      *AppealConfig        `json:"appeal,omitempty" yaml:"appeal,omitempty" validate:"required"`
	Resources   []*ResourceConfig    `json:"resources" yaml:"resources" validate:"required"`
	Parameters  []*ProviderParameter `json:"parameters,omitempty" yaml:"parameters,omitempty"`
	Activity    *ActivityConfig      `json:"activity,omitempty" yaml:"activity,omitempty"`
}

func (ProviderConfig) GetFilterForResourceType added in v0.7.8

func (pc ProviderConfig) GetFilterForResourceType(resourceType string) string

func (ProviderConfig) GetResourceTypes

func (pc ProviderConfig) GetResourceTypes() (resourceTypes []string)

type ProviderParameter

// ProviderParameter declares an extra input a requester supplies when
// appealing on this provider; values land in Appeal.Details under
// ReservedDetailsKeyProviderParameters.
// NOTE(review): `validate:"required"` on a bool fails for the zero value, so
// under go-playground/validator a parameter declared with `required: false`
// would be rejected. Confirm the validator in use; `omitempty` or dropping
// the tag is the usual fix.
type ProviderParameter struct {
	Key         string `json:"key" yaml:"key" validate:"required"`
	Label       string `json:"label" yaml:"label" validate:"required"`
	Required    bool   `json:"required" yaml:"required" validate:"required"`
	Description string `json:"description" yaml:"description"`
}

type ProviderType

// ProviderType describes a supported provider kind and the resource types it
// can expose; used for discovery, not for configuring a Provider.
type ProviderType struct {
	Name          string   `json:"name" yaml:"name"`
	ResourceTypes []string `json:"resource_types" yaml:"resource_types"`
}

type Question

// Question is a prompt the requester must answer when appealing under a
// policy; answers are stored in Appeal.Details under
// ReservedDetailsKeyPolicyQuestions. Required has no validate tag, so both
// true and false are accepted.
type Question struct {
	Key         string `json:"key" yaml:"key"`
	Question    string `json:"question" yaml:"question"`
	Required    bool   `json:"required" yaml:"required"`
	Description string `json:"description" yaml:"description"`
}

type Requirement

// Requirement pairs a trigger with the additional appeals to raise when an
// appeal matches it (e.g. access to one resource implies access to another).
// Since the derived appeals are created without a separate user request,
// each AdditionalAppeal should carry its own Policy.
type Requirement struct {
	On      *RequirementTrigger `json:"on" yaml:"on" validate:"required"`
	Appeals []*AdditionalAppeal `json:"appeals" yaml:"appeals" validate:"required,min=1,dive"`
}

type RequirementTrigger

// RequirementTrigger decides whether a Requirement applies to an appeal
// (IsMatch). The scalar fields match the appeal's provider/resource/role;
// Expression is an expression string evaluated against the appeal and is
// authored by policy writers, so policy authorship is a trust boundary for
// whatever the expression engine can reach.
type RequirementTrigger struct {
	ProviderType string `` /* 137-byte string literal not displayed */
	ProviderURN  string `` /* 136-byte string literal not displayed */
	ResourceType string `` /* 137-byte string literal not displayed */
	ResourceURN  string `` /* 136-byte string literal not displayed */
	Role         string `` /* 128-byte string literal not displayed */
	// Deprecated: use Expression instead
	Conditions []*Condition `` /* 134-byte string literal not displayed */
	Expression string       `` /* 134-byte string literal not displayed */
}

func (*RequirementTrigger) IsMatch

func (r *RequirementTrigger) IsMatch(a *Appeal) (bool, error)

type Resource

// Resource is an access-controllable object synced from a provider, with an
// optional parent/children hierarchy (GetFlattened walks it). IsDeleted is a
// soft-delete marker: the row is kept so existing grants still resolve.
// GlobalURN is the globally unique identifier across providers; URN is only
// unique within (ProviderType, ProviderURN).
type Resource struct {
	ID           string                 `json:"id" yaml:"id"`
	ProviderType string                 `json:"provider_type" yaml:"provider_type"`
	ProviderURN  string                 `json:"provider_urn" yaml:"provider_urn"`
	Type         string                 `json:"type" yaml:"type"`
	URN          string                 `json:"urn" yaml:"urn"`
	Name         string                 `json:"name" yaml:"name"`
	Details      map[string]interface{} `json:"details" yaml:"details"`
	Labels       map[string]string      `json:"labels,omitempty" yaml:"labels,omitempty"`
	CreatedAt    time.Time              `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt    time.Time              `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
	IsDeleted    bool                   `json:"is_deleted,omitempty" yaml:"is_deleted,omitempty"`
	ParentID     *string                `json:"parent_id,omitempty" yaml:"parent_id,omitempty"`
	Children     []*Resource            `json:"children,omitempty" yaml:"children,omitempty"`
	GlobalURN    string                 `json:"global_urn" yaml:"global_urn"`
}

Resource is an access-controllable object synced from a provider; GetFlattened returns it together with all of its descendants.

func (*Resource) GetFlattened

func (r *Resource) GetFlattened() []*Resource

type ResourceConfig

// ResourceConfig is the configuration for a resource type within a provider.
type ResourceConfig struct {
	// Type is the provider resource type this configuration applies to (required).
	Type   string        `json:"type" yaml:"type" validate:"required"`
	// Filter is an optional string. NOTE(review): presumably an expression that
	// narrows which resources of Type are included — the evaluator is not shown here.
	Filter string        `json:"filter" yaml:"filter"`
	// Policy optionally binds a policy to resources of this type.
	Policy *PolicyConfig `json:"policy" yaml:"policy"`
	// Roles are the role definitions for this resource type (see Role).
	// NOTE(review): assuming go-playground/validator, `required` on a slice
	// rejects nil but accepts an empty slice; add `min=1` if at least one role
	// must be configured — confirm the intended rule.
	Roles  []*Role       `json:"roles" yaml:"roles" validate:"required"`
}

ResourceConfig is the configuration for a resource type within a provider

type ResourceIdentifier

// ResourceIdentifier locates a resource either by its ID or by the full
// (ProviderType, ProviderURN, Type, URN) tuple. The validate tags encode that
// choice: each tuple field becomes required as soon as any other tuple field
// is set, and ID is required only when none of the four is set. Nothing here
// forbids supplying both forms at once.
type ResourceIdentifier struct {
	ProviderType string `json:"provider_type" yaml:"provider_type" validate:"required_with=ProviderURN Type URN"`
	ProviderURN  string `json:"provider_urn" yaml:"provider_urn" validate:"required_with=ProviderType Type URN"`
	Type         string `json:"type" yaml:"type" validate:"required_with=ProviderType ProviderURN URN"`
	URN          string `json:"urn" yaml:"urn" validate:"required_with=ProviderType ProviderURN Type"`
	// ID is the alternative to the four-field tuple above.
	ID           string `json:"id" yaml:"id" validate:"required_without_all=ProviderType ProviderURN Type URN"`
}

type Resources

// Resources is a list of resource pointers. ToMap (declared below) indexes it
// into a map[string]*Resource; the key is presumably Resource.ID — verify there.
type Resources []*Resource

func (Resources) ToMap

func (r Resources) ToMap() map[string]*Resource

type RevokeGrantsFilter

// RevokeGrantsFilter narrows which grants a bulk revocation targets. Every
// field is optional; the provider/resource lists must be non-empty when set.
type RevokeGrantsFilter struct {
	// AccountIDs selects grants by account.
	// NOTE(review): assuming go-playground/validator, `omitempty` skips the
	// remaining rules when the slice is empty, so the `required` that follows
	// never fires and an empty filter is accepted as-is. If a revocation must
	// always be scoped to accounts, the tag should be `required` alone (or
	// `min=1` like the sibling fields) — confirm the intended semantics with
	// the service that applies this filter.
	AccountIDs    []string `validate:"omitempty,required"`
	// ProviderTypes, ProviderURNs, ResourceTypes and ResourceURNs each further
	// restrict the match when present.
	ProviderTypes []string `validate:"omitempty,min=1"`
	ProviderURNs  []string `validate:"omitempty,min=1"`
	ResourceTypes []string `validate:"omitempty,min=1"`
	ResourceURNs  []string `validate:"omitempty,min=1"`
}

type Role

// Role is the configuration that defines a role and maps its permissions in
// the provider.
type Role struct {
	// ID is the role identifier (required).
	ID          string        `json:"id" yaml:"id" validate:"required"`
	// Name is the role's display name (required).
	Name        string        `json:"name" yaml:"name" validate:"required"`
	// Description is optional. Note the JSON tag carries omitempty while the
	// YAML tag does not.
	Description string        `json:"description,omitempty" yaml:"description"`
	// Permissions are provider-specific and untyped here (required); each
	// element's shape is defined by the provider. GetOrderedPermissions
	// (declared below) returns them as []string — how non-string elements are
	// converted is not shown in this view.
	Permissions []interface{} `json:"permissions" yaml:"permissions" validate:"required"`
}

Role is the configuration that defines a role and maps its permissions in the provider

func (Role) GetOrderedPermissions

func (r Role) GetOrderedPermissions() []string

GetOrderedPermissions returns the permissions as a string slice

type SensitiveConfig

// SensitiveConfig is a configuration value that carries sensitive information
// and can additionally validate itself.
type SensitiveConfig interface {
	SensitiveInformation
	// Validate reports whether the configuration is well-formed.
	Validate() error
}

type SensitiveInformation

// SensitiveInformation is implemented by values that hold secrets and can
// convert them between plaintext and an encrypted form. Both methods return
// only an error, so the transformation has to act on the receiver itself; the
// cipher and key handling belong to the implementer and are not visible here.
type SensitiveInformation interface {
	// Encrypt replaces the sensitive fields with their encrypted form.
	Encrypt() error
	// Decrypt restores the plaintext form.
	Decrypt() error
}

type Step

// Step is an individual process within an approval flow. ResolveApprovers and
// ToApproval (declared below) turn a Step into the approver list and the
// Approval record for a given Appeal.
type Step struct {
	// Name is the step identifier (required).
	Name string `json:"name" yaml:"name" validate:"required"`

	// Description gives more detail about the step.
	Description string `json:"description" yaml:"description"`

	// AllowFailed lets the approval flow continue to the next step even if the
	// current step is rejected. If the last step has AllowFailed set to true and
	// it is rejected, the appeal status resolves as approved (success).
	AllowFailed bool `json:"allow_failed" yaml:"allow_failed"`

	// When is an expression that determines whether the step is evaluated at
	// all. If it evaluates to a falsy value the step is skipped automatically;
	// otherwise the step becomes pending/blocked as normal.
	//
	// Accessible parameters:
	// $appeal = Appeal object
	When string `json:"when,omitempty" yaml:"when,omitempty"`

	// Strategy defines whether the step requires manual approval ("manual") or
	// is resolved automatically ("auto"); no other value passes validation.
	Strategy ApprovalStepStrategy `json:"strategy" yaml:"strategy" validate:"required,oneof=auto manual"`

	// RejectionReason fills `Approval.Reason` when the step is rejected based on
	// the `ApproveIf` expression.
	RejectionReason string `json:"rejection_reason" yaml:"rejection_reason"`

	// Approvers holds expressions whose evaluation yields a string or []string
	// of approver email addresses. Use this field when human (manual) approval
	// is required: the validate tag makes it mandatory when Strategy is
	// "manual".
	// NOTE(review): `min=1` sits after `omitempty`, so it only applies to a
	// non-empty slice; confirm that an explicitly empty list is rejected
	// elsewhere, since this field decides who may approve. The expression
	// evaluator is not shown here.
	//
	// Accessible parameters:
	// $appeal = Appeal object
	Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty" validate:"required_if=Strategy manual,omitempty,min=1"`

	// ApproveIf is an expression that determines the resolution of the step.
	// Use this field when the step should be approved automatically: it is
	// mandatory when Strategy is "auto".
	//
	// Accessible parameters:
	// $appeal = Appeal object
	ApproveIf string `json:"approve_if,omitempty" yaml:"approve_if,omitempty" validate:"required_if=Strategy auto"`
}

Step is an individual process within an approval flow

func (Step) ResolveApprovers

func (s Step) ResolveApprovers(a *Appeal) ([]string, error)

func (Step) ToApproval

func (s Step) ToApproval(a *Appeal, p *Policy, index int) (*Approval, error)
