Documentation
¶
Index ¶
- Constants
- Variables
- type AccessEntry
- type Activity
- type ActivityConfig
- type AdditionalAppeal
- type Appeal
- func (a *Appeal) AdvanceApproval(policy *Policy) error
- func (a *Appeal) ApplyPolicy(p *Policy) error
- func (a *Appeal) Approve() error
- func (a *Appeal) Cancel()
- func (a *Appeal) Compare(old *Appeal, actor string) ([]*DiffItem, error)
- func (a *Appeal) GetApproval(identifier string) *Approval
- func (a *Appeal) GetApprovalByIndex(index int) *Approval
- func (a *Appeal) GetDuration() (time.Duration, error)
- func (a *Appeal) GetNextPendingApproval() *Approval
- func (a *Appeal) Init(policy *Policy)
- func (a *Appeal) IsDurationEmpty() bool
- func (a *Appeal) Reject()
- func (a *Appeal) SetDefaults()
- func (a Appeal) ToGrant() (*Grant, error)
- func (a *Appeal) ToMap() (map[string]interface{}, error)
- type AppealConfig
- type AppealDurationOption
- type AppealMetadataSource
- type AppealOptions
- type Approval
- type ApprovalAction
- type ApprovalActionType
- type ApprovalStepStrategy
- type Approver
- type Comment
- type Condition
- type Crypto
- type Decryptor
- type DiffItem
- type DormancyCheckCriteria
- type Encryptor
- type Event
- type Grant
- type GrantSource
- type GrantStatus
- type IAMClient
- type IAMConfig
- type IAMManager
- type IAMProviderType
- type ListActivitiesFilter
- type ListAppealsFilter
- type ListApprovalsFilter
- type ListAuditLogFilter
- type ListCommentsFilter
- type ListEventsFilter
- type ListGrantsFilter
- type ListProviderActivitiesFilter
- type ListResourcesFilter
- type MapResourceAccess
- type MatchCondition
- type Notification
- type NotificationMessage
- type NotificationMessages
- type Policy
- type PolicyAppealConfig
- type PolicyConfig
- type Provider
- type ProviderConfig
- type ProviderParameter
- type ProviderType
- type Question
- type Requirement
- type RequirementTrigger
- type Resource
- type ResourceConfig
- type ResourceIdentifier
- type Resources
- type RevokeGrantsFilter
- type Role
- type SensitiveConfig
- type SensitiveInformation
- type Step
Constants ¶
View Source
const ( AppealActionNameApprove = "approve" AppealActionNameReject = "reject" AppealStatusPending = "pending" AppealStatusCanceled = "canceled" AppealStatusApproved = "approved" AppealStatusRejected = "rejected" SystemActorName = "system" DefaultAppealAccountType = "user" PermanentDurationLabel = "Permanent" ExpirationDateReasonFromAppeal = "Expiration date is set based on the appeal options" ReservedDetailsKeyProviderParameters = "__provider_parameters" ReservedDetailsKeyPolicyQuestions = "__policy_questions" ReservedDetailsKeyPolicyMetadata = "__policy_metadata" )
View Source
const ( ApprovalStatusPending = "pending" ApprovalStatusBlocked = "blocked" ApprovalStatusSkipped = "skipped" ApprovalStatusApproved = "approved" ApprovalStatusRejected = "rejected" )
View Source
const ( GrantStatusActive GrantStatus = "active" GrantStatusInactive GrantStatus = "inactive" GrantSourceAppeal GrantSource = "appeal" GrantSourceImport GrantSource = "import" GrantExpirationReasonDormant = "grant/access hasn't been used for a while" GrantExpirationReasonRestored = "grant restored with new duration" )
View Source
const ( NotificationTypeExpirationReminder = "ExpirationReminder" NotificationTypeAppealApproved = "AppealApproved" NotificationTypeOnBehalfAppealApproved = "OnBehalfAppealApproved" NotificationTypeAppealRejected = "AppealRejected" NotificationTypeAccessRevoked = "AccessRevoked" NotificationTypeApproverNotification = "ApproverNotification" NotificationTypeGrantOwnerChanged = "GrantOwnerChanged" NotificationTypeUnusedGrant = "UnusedGrant" NotificationTypeNewComment = "NewComment" NotificationTypePendingApprovalsReminder = "PendingApprovalsReminder" )
View Source
const ( ProviderTypeBigQuery = "bigquery" ProviderTypeMetabase = "metabase" ProviderTypeGrafana = "grafana" ProviderTypeTableau = "tableau" ProviderTypeGCloudIAM = "gcloud_iam" ProviderTypeNoOp = "noop" ProviderTypeGCS = "gcs" ProviderTypePolicyTag = "dataplex" ProviderTypeShield = "shield" ProviderTypeGitlab = "gitlab" ProviderTypeGate = "gate" )
View Source
const (
ApproversKeyResource = "$resource"
)
View Source
const (
TraceIDKey = "trace_id"
)
Variables ¶
View Source
var ( ErrFailedToGetApprovers = errors.New("failed to get approvers") ErrApproversNotFound = errors.New("approvers not found") ErrUnexpectedApproverType = errors.New("unexpected approver type") ErrInvalidApproverValue = errors.New("approver value is not a valid email") )
View Source
var ( ErrDuplicateActiveGrant = errors.New("grant already exists") ErrInvalidGrantRestoreParams = errors.New("invalid grant restore parameters") )
View Source
var (
ErrInvalidConditionField = errors.New("unable to parse condition's field")
)
Functions ¶
This section is empty.
Types ¶
type AccessEntry ¶
func (AccessEntry) ToGrant ¶
func (ae AccessEntry) ToGrant(resource Resource) Grant
type Activity ¶
type Activity struct {
ID string `json:"id" yaml:"id"`
ProviderID string `json:"provider_id" yaml:"provider_id"`
ResourceID string `json:"resource_id" yaml:"resource_id"`
ProviderActivityID string `json:"provider_activity_id" yaml:"provider_activity_id"`
AccountType string `json:"account_type" yaml:"account_type"`
AccountID string `json:"account_id" yaml:"account_id"`
Timestamp time.Time `json:"timestamp" yaml:"timestamp"`
Authorizations []string `json:"authorizations" yaml:"authorizations"`
RelatedPermissions []string `json:"related_permissions" yaml:"related_permissions"`
Type string `json:"type" yaml:"type"`
Metadata map[string]interface{} `json:"metadata" yaml:"metadata"`
CreatedAt time.Time `json:"created_at" yaml:"created_at"`
Provider *Provider `json:"provider,omitempty" yaml:"provider,omitempty"`
Resource *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
}
type ActivityConfig ¶ added in v0.7.5
type AdditionalAppeal ¶
type AdditionalAppeal struct {
Resource *ResourceIdentifier `json:"resource" yaml:"resource" validate:"required"`
Role string `json:"role" yaml:"role" validate:"required"`
Options *AppealOptions `json:"options" yaml:"options"`
Policy *PolicyConfig `json:"policy" yaml:"policy"`
}
type Appeal ¶
type Appeal struct {
ID string `json:"id" yaml:"id"`
ResourceID string `json:"resource_id" yaml:"resource_id"`
PolicyID string `json:"policy_id" yaml:"policy_id"`
PolicyVersion uint `json:"policy_version" yaml:"policy_version"`
Status string `json:"status" yaml:"status"`
AccountID string `json:"account_id" yaml:"account_id"`
AccountType string `json:"account_type" yaml:"account_type" default:"user"`
CreatedBy string `json:"created_by" yaml:"created_by"`
Creator interface{} `json:"creator" yaml:"creator"`
Role string `json:"role" yaml:"role"`
Permissions []string `json:"permissions" yaml:"permissions"`
Options *AppealOptions `json:"options" yaml:"options"`
Details map[string]interface{} `json:"details" yaml:"details"`
Labels map[string]string `json:"labels" yaml:"labels"`
Description string `json:"description" yaml:"description"`
Policy *Policy `json:"-" yaml:"-"`
Resource *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
Approvals []*Approval `json:"approvals,omitempty" yaml:"approvals,omitempty"`
Grant *Grant `json:"grant,omitempty" yaml:"grant,omitempty"`
Revision uint `json:"revision,omitempty" yaml:"revision,omitempty"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
Appeal struct
func (*Appeal) AdvanceApproval ¶
func (*Appeal) ApplyPolicy ¶
func (*Appeal) GetApproval ¶
GetApproval returns an approval within the appeal. If the ID is provided, it will return the approval with the given ID. If the name is provided, it will return the approval with the given name AND !is_stale.
func (*Appeal) GetApprovalByIndex ¶ added in v0.11.2
func (*Appeal) GetNextPendingApproval ¶
func (*Appeal) IsDurationEmpty ¶
func (*Appeal) SetDefaults ¶
func (a *Appeal) SetDefaults()
type AppealConfig ¶
type AppealConfig struct {
AllowPermanentAccess bool `json:"allow_permanent_access" yaml:"allow_permanent_access"`
AllowActiveAccessExtensionIn string `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in" validate:"required"`
}
AppealConfig is the policy configuration of the appeal
type AppealDurationOption ¶
type AppealDurationOption struct {
// Name of the duration
// Ex: 1 Day, 3 Days, Permanent
Name string `json:"name" yaml:"name" validate:"required"`
// Value of the actual duration
// Ex: 24h, 72h, 0h
// `0h` is reserved for permanent access
Value string `json:"value" yaml:"value" validate:"required"`
}
type AppealMetadataSource ¶ added in v0.10.0
type AppealMetadataSource struct {
Name string `json:"name" yaml:"name"`
Description string `json:"description,omitempty" yaml:"description,omitempty"`
Type string `json:"type" yaml:"type"`
Config interface{} `json:"config,omitempty" yaml:"config,omitempty"`
Value interface{} `json:"value" yaml:"value"`
}
func (*AppealMetadataSource) DecryptConfig ¶ added in v0.10.0
func (c *AppealMetadataSource) DecryptConfig(dec Decryptor) error
func (*AppealMetadataSource) EncryptConfig ¶ added in v0.10.0
func (c *AppealMetadataSource) EncryptConfig(enc Encryptor) error
func (*AppealMetadataSource) EvaluateValue ¶ added in v0.10.0
func (c *AppealMetadataSource) EvaluateValue(params map[string]interface{}) (interface{}, error)
type AppealOptions ¶
type AppealOptions struct {
ExpirationDate *time.Time `json:"expiration_date,omitempty" yaml:"expiration_date,omitempty"`
Duration string `json:"duration" yaml:"duration"`
}
AppealOptions
type Approval ¶
type Approval struct {
ID string `json:"id" yaml:"id"`
Name string `json:"name" yaml:"name"`
Index int `json:"-" yaml:"-"`
AppealID string `json:"appeal_id" yaml:"appeal_id"`
Status string `json:"status" yaml:"status"`
Actor *string `json:"actor" yaml:"actor"`
Reason string `json:"reason,omitempty" yaml:"reason,omitempty"`
PolicyID string `json:"policy_id" yaml:"policy_id"`
PolicyVersion uint `json:"policy_version" yaml:"policy_version"`
Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty"`
Appeal *Appeal `json:"appeal,omitempty" yaml:"appeal,omitempty"`
IsStale bool `json:"is_stale,omitempty" yaml:"is_stale,omitempty"`
AppealRevision uint `json:"appeal_revision" yaml:"appeal_revision"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
func (*Approval) IsExistingApprover ¶ added in v0.12.0
func (*Approval) IsManualApproval ¶
type ApprovalAction ¶
type ApprovalAction struct {
AppealID string `validate:"required" json:"appeal_id"`
ApprovalName string `validate:"required" json:"approval_name"`
Actor string `validate:"email" json:"actor"`
Action string `validate:"required,oneof=approve reject" json:"action"`
Reason string `json:"reason"`
}
func (ApprovalAction) Validate ¶ added in v0.8.0
func (a ApprovalAction) Validate() error
type ApprovalActionType ¶
type ApprovalActionType string
const ( ApprovalActionApprove ApprovalActionType = "approve" ApprovalActionReject ApprovalActionType = "reject" )
type ApprovalStepStrategy ¶
type ApprovalStepStrategy string
const ( ApprovalStepStrategyAuto ApprovalStepStrategy = "auto" ApprovalStepStrategyManual ApprovalStepStrategy = "manual" )
type Approver ¶
type Approver struct {
ID string `json:"id" yaml:"id"`
ApprovalID string `json:"approval_id" yaml:"approval_id"`
AppealID string `json:"appeal_id" yaml:"appeal_id"`
Email string `json:"email" yaml:"email"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
type Comment ¶ added in v0.10.0
type Comment struct {
ID string `json:"id" yaml:"id"`
ParentType string `json:"parent_type" yaml:"parent_type"`
ParentID string `json:"parent_id" yaml:"parent_id"`
CreatedBy string `json:"created_by" yaml:"created_by"`
Body string `json:"body" yaml:"body"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
type Condition ¶
type Condition struct {
Field string `json:"field" yaml:"field" validate:"required"`
Match *MatchCondition `json:"match" yaml:"match" validate:"required"`
}
Condition gets evaluated to determine the approval step resolution whether it is success or failed
type DormancyCheckCriteria ¶ added in v0.7.5
type DormancyCheckCriteria struct {
ProviderID string
Period time.Duration
RetainDuration time.Duration
DryRun bool
}
func (DormancyCheckCriteria) Validate ¶ added in v0.7.5
func (c DormancyCheckCriteria) Validate() error
type Event ¶ added in v0.11.0
type Grant ¶
type Grant struct {
ID string `json:"id" yaml:"id"`
Status GrantStatus `json:"status" yaml:"status"`
StatusInProvider GrantStatus `json:"status_in_provider" yaml:"status_in_provider"`
AccountID string `json:"account_id" yaml:"account_id"`
AccountType string `json:"account_type" yaml:"account_type"`
ResourceID string `json:"resource_id" yaml:"resource_id"`
Role string `json:"role" yaml:"role"`
Permissions []string `json:"permissions" yaml:"permissions"`
IsPermanent bool `json:"is_permanent" yaml:"is_permanent"`
ExpirationDate *time.Time `json:"expiration_date" yaml:"expiration_date"`
RequestedExpirationDate *time.Time `json:"requested_expiration_date,omitempty" yaml:"requested_expiration_date,omitempty"`
ExpirationDateReason string `json:"expiration_date_reason,omitempty" yaml:"expiration_date_reason,omitempty"`
AppealID string `json:"appeal_id" yaml:"appeal_id"`
Source GrantSource `json:"source" yaml:"source"`
RevokedBy string `json:"revoked_by,omitempty" yaml:"revoked_by,omitempty"`
RevokedAt *time.Time `json:"revoked_at,omitempty" yaml:"revoked_at,omitempty"`
RevokeReason string `json:"revoke_reason,omitempty" yaml:"revoke_reason,omitempty"`
RestoredBy string `json:"restored_by,omitempty" yaml:"restored_by,omitempty"`
RestoredAt *time.Time `json:"restored_at,omitempty" yaml:"restored_at,omitempty"`
RestoreReason string `json:"restore_reason,omitempty" yaml:"restore_reason,omitempty"`
CreatedBy string `json:"created_by" yaml:"created_by"` // Deprecated: use Owner instead
Owner string `json:"owner" yaml:"owner"`
CreatedAt time.Time `json:"created_at" yaml:"created_at"`
UpdatedAt time.Time `json:"updated_at" yaml:"updated_at"`
Resource *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
Appeal *Appeal `json:"appeal,omitempty" yaml:"appeal,omitempty"`
Activities []*Activity `json:"activities,omitempty" yaml:"activities,omitempty"`
}
func (*Grant) GetPermissions ¶
func (Grant) IsEligibleForExtension ¶
func (Grant) PermissionsKey ¶
type GrantSource ¶
type GrantSource string
type GrantStatus ¶
type GrantStatus string
type IAMConfig ¶
type IAMConfig struct {
Provider IAMProviderType `json:"provider" yaml:"provider" validate:"required,oneof=http shield"`
Config interface{} `json:"config" yaml:"config" validate:"required"`
Schema map[string]string `json:"schema" yaml:"schema"`
}
type IAMManager ¶
type IAMManager interface {
ParseConfig(*IAMConfig) (SensitiveConfig, error)
GetClient(SensitiveConfig) (IAMClient, error)
}
type IAMProviderType ¶
type IAMProviderType string
const ( IAMProviderTypeShield IAMProviderType = "shield" IAMProviderTypeHTTP IAMProviderType = "http" )
type ListActivitiesFilter ¶ added in v0.7.5
type ListActivitiesFilter struct {
ProviderID string
ResourceIDs []string
ResourceIdentifiers []ResourceIdentifier
AccountIDs []string
TimestampGte *time.Time
TimestampLte *time.Time
// contains filtered or unexported fields
}
func (*ListActivitiesFilter) GetResources ¶ added in v0.7.5
func (f *ListActivitiesFilter) GetResources() []*Resource
func (*ListActivitiesFilter) PopulateResources ¶ added in v0.7.5
func (f *ListActivitiesFilter) PopulateResources(resources map[string]*Resource) error
type ListAppealsFilter ¶
type ListAppealsFilter struct {
Q string `mapstructure:"q" validate:"omitempty"`
AccountTypes []string `mapstructure:"account_types" validate:"omitempty,min=1"`
CreatedBy string `mapstructure:"created_by" validate:"omitempty,required"`
AccountID string `mapstructure:"account_id" validate:"omitempty,required"`
AccountIDs []string `mapstructure:"account_ids" validate:"omitempty,required"`
ResourceID string `mapstructure:"resource_id" validate:"omitempty,required"`
Role string `mapstructure:"role" validate:"omitempty,required"`
Statuses []string `mapstructure:"statuses" validate:"omitempty,min=1"`
ExpirationDateLessThan time.Time `mapstructure:"expiration_date_lt" validate:"omitempty,required"`
ExpirationDateGreaterThan time.Time `mapstructure:"expiration_date_gt" validate:"omitempty,required"`
ProviderTypes []string `mapstructure:"provider_types" validate:"omitempty,min=1"`
ProviderURNs []string `mapstructure:"provider_urns" validate:"omitempty,min=1"`
ResourceTypes []string `mapstructure:"resource_types" validate:"omitempty,min=1"`
ResourceURNs []string `mapstructure:"resource_urns" validate:"omitempty,min=1"`
OrderBy []string `mapstructure:"order_by" validate:"omitempty,min=1"`
Size int `mapstructure:"size" validate:"omitempty"`
Offset int `mapstructure:"offset" validate:"omitempty"`
}
type ListApprovalsFilter ¶
type ListApprovalsFilter struct {
Q string `mapstructure:"q" validate:"omitempty"`
AccountID string `mapstructure:"account_id" validate:"omitempty,required"`
AccountTypes []string `mapstructure:"account_types" validate:"omitempty,min=1"`
ResourceTypes []string `mapstructure:"resource_types" validate:"omitempty,min=1"`
CreatedBy string `mapstructure:"created_by" validate:"omitempty,required"`
Statuses []string `mapstructure:"statuses" validate:"omitempty,min=1"`
OrderBy []string `mapstructure:"order_by" validate:"omitempty,min=1"`
Size int `mapstructure:"size" validate:"omitempty"`
Offset int `mapstructure:"offset" validate:"omitempty"`
AppealStatuses []string `mapstructure:"appeal_statuses" validate:"omitempty,min=1"`
Stale bool `mapstructure:"stale" validate:"omitempty"`
}
type ListAuditLogFilter ¶ added in v0.11.0
type ListCommentsFilter ¶ added in v0.10.0
type ListEventsFilter ¶ added in v0.11.0
type ListGrantsFilter ¶
type ListGrantsFilter struct {
Statuses []string
AccountIDs []string
AccountTypes []string
ResourceIDs []string
Roles []string
Permissions []string
ProviderTypes []string
ProviderURNs []string
ResourceTypes []string
ResourceURNs []string
CreatedBy string
Owner string
OrderBy []string
ExpirationDateLessThan time.Time
ExpirationDateGreaterThan time.Time
IsPermanent *bool
CreatedAtLte time.Time
Size int `mapstructure:"size" validate:"omitempty"`
Offset int `mapstructure:"offset" validate:"omitempty"`
Q string `mapstructure:"q" validate:"omitempty"`
}
type ListResourcesFilter ¶
type ListResourcesFilter struct {
IDs []string `mapstructure:"ids" validate:"omitempty,min=1"`
IsDeleted bool `mapstructure:"is_deleted" validate:"omitempty"`
ProviderType string `mapstructure:"provider_type" validate:"omitempty"`
ProviderURN string `mapstructure:"provider_urn" validate:"omitempty"`
Name string `mapstructure:"name" validate:"omitempty"`
ResourceURN string `mapstructure:"urn" validate:"omitempty"`
ResourceType string `mapstructure:"type" validate:"omitempty"`
ResourceURNs []string `mapstructure:"urns" validate:"omitempty"`
ResourceTypes []string `mapstructure:"types" validate:"omitempty"`
Details map[string]string `mapstructure:"details"`
Size uint32 `mapstructure:"size" validate:"omitempty"`
Offset uint32 `mapstructure:"offset" validate:"omitempty"`
OrderBy []string `mapstructure:"order_by" validate:"omitempty"`
Q string `mapstructure:"q" validate:"omitempty"`
}
type MapResourceAccess ¶
type MapResourceAccess map[string][]AccessEntry
MapResourceAccess is list of UserAccess grouped by resource urn
type MatchCondition ¶
type MatchCondition struct {
Eq interface{} `json:"eq" yaml:"eq"`
}
MatchCondition is for determining the requirement of the condition
type Notification ¶
type Notification struct {
User string
Message NotificationMessage
Labels map[string]string
}
type NotificationMessage ¶
type NotificationMessages ¶
type NotificationMessages struct {
ExpirationReminder string `mapstructure:"expiration_reminder"`
AppealApproved string `mapstructure:"appeal_approved"`
AppealRejected string `mapstructure:"appeal_rejected"`
AccessRevoked string `mapstructure:"access_revoked"`
ApproverNotification string `mapstructure:"approver_notification"`
OthersAppealApproved string `mapstructure:"others_appeal_approved"`
GrantOwnerChanged string `mapstructure:"grant_owner_changed"`
UnusedGrant string `mapstructure:"unused_grant"`
NewComment string `mapstructure:"new_comment"`
PendingApprovalsReminder string `mapstructure:"pending_approvals_reminder"`
}
type Policy ¶
type Policy struct {
ID string `json:"id" yaml:"id" validate:"required"`
Version uint `json:"version" yaml:"version" validate:"required"`
Description string `json:"description" yaml:"description"`
Steps []*Step `json:"steps" yaml:"steps" validate:"required,min=1,dive"`
AppealConfig *PolicyAppealConfig `json:"appeal" yaml:"appeal" validate:"omitempty,dive"`
Requirements []*Requirement `json:"requirements,omitempty" yaml:"requirements,omitempty" validate:"omitempty,min=1,dive"`
Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
IAM *IAMConfig `json:"iam,omitempty" yaml:"iam,omitempty" validate:"omitempty,dive"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
Policy is the approval policy configuration
func (*Policy) HasAppealMetadataSources ¶ added in v0.10.0
func (*Policy) HasIAMConfig ¶
func (*Policy) RemoveSensitiveValues ¶ added in v0.10.0
func (p *Policy) RemoveSensitiveValues()
type PolicyAppealConfig ¶
type PolicyAppealConfig struct {
DurationOptions []AppealDurationOption `json:"duration_options" yaml:"duration_options" validate:"omitempty,min=1,dive"`
AllowOnBehalf bool `json:"allow_on_behalf" yaml:"allow_on_behalf"`
AllowPermanentAccess bool `json:"allow_permanent_access" yaml:"allow_permanent_access"`
AllowActiveAccessExtensionIn string `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in"`
Questions []Question `json:"questions" yaml:"questions"`
// AllowCreatorDetailsFailure is a flag that lets the appeal creation to continue when the request to the identity
// provider (Policy.IAM) fails. If this is set to true and request to the identity provider fails (4xx or 5xx), the
// value of `creator` field in the appeal will be nil.
// Note: any expression that tries to access `$appeal.creator.*` is still evaluated as usual, it might need to have
// proper nil checking to avoid accessing nil value.
AllowCreatorDetailsFailure bool `json:"allow_creator_details_failure" yaml:"allow_creator_details_failure"`
MetadataSources map[string]*AppealMetadataSource `json:"metadata_sources,omitempty" yaml:"metadata_sources,omitempty"`
}
type PolicyConfig ¶
type PolicyConfig struct {
ID string `json:"id" yaml:"id" validate:"required"`
Version int `json:"version" yaml:"version" validate:"required"`
}
PolicyConfig is the configuration that defines which policy is being used in the provider
type Provider ¶
type Provider struct {
ID string `json:"id" yaml:"id"`
Type string `json:"type" yaml:"type"`
URN string `json:"urn" yaml:"urn"`
Config *ProviderConfig `json:"config" yaml:"config"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
type ProviderConfig ¶
type ProviderConfig struct {
Type string `json:"type" yaml:"type" validate:"required,oneof=google_bigquery metabase grafana tableau gcloud_iam noop gcs"`
URN string `json:"urn" yaml:"urn" validate:"required"`
AllowedAccountTypes []string `json:"allowed_account_types" yaml:"allowed_account_types" validate:"omitempty,min=1"`
Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
Credentials interface{} `json:"credentials,omitempty" yaml:"credentials" validate:"required"`
Appeal *AppealConfig `json:"appeal,omitempty" yaml:"appeal,omitempty" validate:"required"`
Resources []*ResourceConfig `json:"resources" yaml:"resources" validate:"required"`
Parameters []*ProviderParameter `json:"parameters,omitempty" yaml:"parameters,omitempty"`
Activity *ActivityConfig `json:"activity,omitempty" yaml:"activity,omitempty"`
}
func (ProviderConfig) GetFilterForResourceType ¶ added in v0.7.8
func (pc ProviderConfig) GetFilterForResourceType(resourceType string) string
func (ProviderConfig) GetResourceTypes ¶
func (pc ProviderConfig) GetResourceTypes() (resourceTypes []string)
type ProviderParameter ¶
type ProviderType ¶
type Requirement ¶
type Requirement struct {
On *RequirementTrigger `json:"on" yaml:"on" validate:"required"`
Appeals []*AdditionalAppeal `json:"appeals" yaml:"appeals" validate:"required,min=1,dive"`
}
type RequirementTrigger ¶
type RequirementTrigger struct {
ProviderType string `` /* 137-byte string literal not displayed */
ProviderURN string `` /* 136-byte string literal not displayed */
ResourceType string `` /* 137-byte string literal not displayed */
ResourceURN string `` /* 136-byte string literal not displayed */
Role string `` /* 128-byte string literal not displayed */
// Deprecated: use Expression instead
Conditions []*Condition `` /* 134-byte string literal not displayed */
Expression string `` /* 134-byte string literal not displayed */
}
type Resource ¶
type Resource struct {
ID string `json:"id" yaml:"id"`
ProviderType string `json:"provider_type" yaml:"provider_type"`
ProviderURN string `json:"provider_urn" yaml:"provider_urn"`
Type string `json:"type" yaml:"type"`
URN string `json:"urn" yaml:"urn"`
Name string `json:"name" yaml:"name"`
Details map[string]interface{} `json:"details" yaml:"details"`
Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
IsDeleted bool `json:"is_deleted,omitempty" yaml:"is_deleted,omitempty"`
ParentID *string `json:"parent_id,omitempty" yaml:"parent_id,omitempty"`
Children []*Resource `json:"children,omitempty" yaml:"children,omitempty"`
GlobalURN string `json:"global_urn" yaml:"global_urn"`
}
Resource struct
func (*Resource) GetFlattened ¶
type ResourceConfig ¶
type ResourceConfig struct {
Type string `json:"type" yaml:"type" validate:"required"`
Filter string `json:"filter" yaml:"filter"`
Policy *PolicyConfig `json:"policy" yaml:"policy"`
Roles []*Role `json:"roles" yaml:"roles" validate:"required"`
}
ResourceConfig is the configuration for a resource type within a provider
type ResourceIdentifier ¶
type ResourceIdentifier struct {
ProviderType string `json:"provider_type" yaml:"provider_type" validate:"required_with=ProviderURN Type URN"`
ProviderURN string `json:"provider_urn" yaml:"provider_urn" validate:"required_with=ProviderType Type URN"`
Type string `json:"type" yaml:"type" validate:"required_with=ProviderType ProviderURN URN"`
URN string `json:"urn" yaml:"urn" validate:"required_with=ProviderType ProviderURN Type"`
ID string `json:"id" yaml:"id" validate:"required_without_all=ProviderType ProviderURN Type URN"`
}
type RevokeGrantsFilter ¶
type Role ¶
type Role struct {
ID string `json:"id" yaml:"id" validate:"required"`
Name string `json:"name" yaml:"name" validate:"required"`
Description string `json:"description,omitempty" yaml:"description"`
Permissions []interface{} `json:"permissions" yaml:"permissions" validate:"required"`
}
Role is the configuration to define a role and mapping the permissions in the provider
func (Role) GetOrderedPermissions ¶
GetOrderedPermissions returns the permissions as a string slice
type SensitiveConfig ¶
type SensitiveConfig interface {
SensitiveInformation
Validate() error
}
type SensitiveInformation ¶
type Step ¶
type Step struct {
// Name used as the step identifier
Name string `json:"name" yaml:"name" validate:"required"`
// Description tells more details about the step
Description string `json:"description" yaml:"description"`
// AllowFailed lets the approval flow continue to the next step even the current step is rejected.
// If the last step has AllowFailed equal to true, and it's getting rejected,
// the appeal status will resolve as approved or success.
AllowFailed bool `json:"allow_failed" yaml:"allow_failed"`
// When is an Expression that determines whether the step should be evaluated or it can be skipped at the beginning.
// If it evaluates to be falsy, the step will automatically skipped. Otherwise, step become pending/blocked (normal).
//
// Accessible parameters:
// $appeal = Appeal object
When string `json:"when,omitempty" yaml:"when,omitempty"`
// Strategy defines if the step requires manual approval or not
Strategy ApprovalStepStrategy `json:"strategy" yaml:"strategy" validate:"required,oneof=auto manual"`
// RejectionReason message fills `Approval.Reason` if the approval step gets rejected based on `ApproveIf` expression.
RejectionReason string `json:"rejection_reason" yaml:"rejection_reason"`
// Approvers is an Expression that if the evaluation returns string or []string that contains email address of the approvers.
// If human approval (manual) is required, use this field.
//
// Accessible parameters:
// $appeal = Appeal object
Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty" validate:"required_if=Strategy manual,omitempty,min=1"`
// ApproveIf is an Expression to determines the resolution of the step. If automatic approval is needed for the step,
// use this field.
//
// Accessible parameters:
// $appeal = Appeal object
ApproveIf string `json:"approve_if,omitempty" yaml:"approve_if,omitempty" validate:"required_if=Strategy auto"`
}
Step is an individual process within an approval flow
Source Files
Click to show internal directories.
Click to hide internal directories.