- Constants
- Variables
- type AccessEntry
- type Activity
- type ActivityConfig
- type AdditionalAppeal
- type Appeal
- func (a *Appeal) AdvanceApproval(policy *Policy) error
- func (a *Appeal) ApplyPolicy(p *Policy) error
- func (a *Appeal) Approve() error
- func (a *Appeal) Cancel()
- func (a *Appeal) Compare(old *Appeal, actor string) ([]*DiffItem, error)
- func (a *Appeal) GetApproval(identifier string) *Approval
- func (a *Appeal) GetApprovalByIndex(index int) *Approval
- func (a *Appeal) GetDuration() (time.Duration, error)
- func (a *Appeal) GetNextPendingApproval() *Approval
- func (a *Appeal) Init(policy *Policy)
- func (a *Appeal) IsDurationEmpty() bool
- func (a *Appeal) Reject()
- func (a *Appeal) SetDefaults()
- func (a Appeal) ToGrant() (*Grant, error)
- func (a *Appeal) ToMap() (map[string]interface{}, error)
- type AppealConfig
- type AppealDurationOption
- type AppealMetadataSource
- type AppealOptions
- type Approval
- type ApprovalAction
- type ApprovalActionType
- type ApprovalStepStrategy
- type Approver
- type Comment
- type Condition
- type Crypto
- type Decryptor
- type DiffItem
- type DormancyCheckCriteria
- type Encryptor
- type Event
- type Grant
- func (g *Grant) Compare(old *Grant, actor string) ([]*DiffItem, error)
- func (g *Grant) GetPermissions() []string
- func (g Grant) IsEligibleForExtension(extensionDurationRule time.Duration) bool
- func (g Grant) PermissionsKey() string
- func (g *Grant) Restore(actor, reason string) error
- func (g *Grant) Revoke(actor, reason string) error
- type GrantSource
- type GrantStatus
- type GrantUpdate
- type IAMClient
- type IAMConfig
- type IAMManager
- type IAMProviderType
- type ListActivitiesFilter
- type ListAppealsFilter
- type ListApprovalsFilter
- type ListAuditLogFilter
- type ListCommentsFilter
- type ListEventsFilter
- type ListGrantsFilter
- type ListProviderActivitiesFilter
- type ListResourcesFilter
- type MapResourceAccess
- type MatchCondition
- type Notification
- type NotificationMessage
- type NotificationMessages
- type Policy
- type PolicyAppealConfig
- type PolicyConfig
- type Provider
- type ProviderConfig
- type ProviderParameter
- type ProviderType
- type Question
- type Requirement
- type RequirementTrigger
- type Resource
- type ResourceConfig
- type ResourceIdentifier
- type Resources
- type RevokeGrantsFilter
- type Role
- type SensitiveConfig
- type SensitiveInformation
- type Step
Constants ¶
const (
	// Actions a caller may take on a pending approval step; these are the
	// values accepted by ApprovalAction.Action (validate:"oneof=approve reject").
	AppealActionNameApprove = "approve"
	AppealActionNameReject  = "reject"

	// Lifecycle states of an Appeal (Appeal.Status).
	AppealStatusPending  = "pending"
	AppealStatusCanceled = "canceled"
	AppealStatusApproved = "approved"
	AppealStatusRejected = "rejected"

	// SystemActorName is the actor recorded for changes the service makes on
	// its own behalf rather than on behalf of a user. Note that it is not a
	// valid e-mail address, so it cannot pass ApprovalAction's
	// `validate:"email"` rule on Actor — automated actions must take another
	// path. Where exactly it is used is not visible on this page.
	SystemActorName = "system"

	// DefaultAppealAccountType is applied to Appeal.AccountType when the
	// request leaves it empty (see the `default:"user"` tag on Appeal).
	DefaultAppealAccountType = "user"

	// PermanentDurationLabel is the human-readable name for a permanent grant;
	// see AppealDurationOption, where the value "0h" is reserved for it.
	PermanentDurationLabel = "Permanent"

	// ExpirationDateReasonFromAppeal is the Grant.ExpirationDateReason used
	// when the expiry was derived from Appeal.Options.
	ExpirationDateReasonFromAppeal = "Expiration date is set based on the appeal options"

	// Reserved keys under Appeal.Details that the service populates itself.
	// NOTE(review): Appeal.Details is also deserialised from the request
	// body (`json:"details"`); confirm the API layer strips or rejects these
	// keys on input so a requester cannot forge provider parameters,
	// question answers or policy metadata.
	ReservedDetailsKeyProviderParameters = "__provider_parameters"
	ReservedDetailsKeyPolicyQuestions    = "__policy_questions"
	ReservedDetailsKeyPolicyMetadata     = "__policy_metadata"
)
const (
	// States of a single approval step (Approval.Status).
	//
	// pending  — waiting for an approver (manual) or for evaluation (auto)
	// blocked  — an earlier step has not resolved yet
	// skipped  — the step's Step.When expression evaluated falsy
	// approved / rejected — terminal outcomes of the step
	//
	// NOTE(review): the pending/blocked distinction is inferred from the
	// Step.When doc ("step become pending/blocked") and GetNextPendingApproval;
	// confirm against the implementation.
	ApprovalStatusPending  = "pending"
	ApprovalStatusBlocked  = "blocked"
	ApprovalStatusSkipped  = "skipped"
	ApprovalStatusApproved = "approved"
	ApprovalStatusRejected = "rejected"
)
const (
	// Grant.Status values. A grant is "inactive" after revocation or expiry;
	// Grant.StatusInProvider tracks the provider-side state separately.
	GrantStatusActive   GrantStatus = "active"
	GrantStatusInactive GrantStatus = "inactive"

	// Grant.Source: whether the grant came through the appeal/approval flow
	// or was imported from access that already existed in the provider.
	// Imported grants have no approval trail in this system.
	GrantSourceAppeal GrantSource = "appeal"
	GrantSourceImport GrantSource = "import"

	// Reasons written to Grant.ExpirationDateReason by the dormancy check
	// (see DormancyCheckCriteria) and by Grant.Restore respectively.
	GrantExpirationReasonDormant  = "grant/access hasn't been used for a while"
	GrantExpirationReasonRestored = "grant restored with new duration"
)
const (
	// Notification type identifiers. Each corresponds to a template in
	// NotificationMessages (OnBehalfAppealApproved maps to
	// NotificationMessages.OthersAppealApproved).
	NotificationTypeExpirationReminder       = "ExpirationReminder"
	NotificationTypeAppealApproved           = "AppealApproved"
	NotificationTypeOnBehalfAppealApproved   = "OnBehalfAppealApproved"
	NotificationTypeAppealRejected           = "AppealRejected"
	NotificationTypeAccessRevoked            = "AccessRevoked"
	NotificationTypeApproverNotification     = "ApproverNotification"
	NotificationTypeGrantOwnerChanged        = "GrantOwnerChanged"
	NotificationTypeUnusedGrant              = "UnusedGrant"
	NotificationTypeNewComment               = "NewComment"
	NotificationTypePendingApprovalsReminder = "PendingApprovalsReminder"
)
const (
	// Known provider types (Provider.Type / Resource.ProviderType).
	//
	// NOTE(review): this list and the validate tag on ProviderConfig.Type
	// (`oneof=alicloud_iam google_bigquery metabase grafana tableau gcloud_iam
	// noop gcs`) disagree: the tag spells BigQuery "google_bigquery" whereas
	// the constant here is "bigquery", and the tag omits dataplex, shield,
	// gitlab and gate. One of the two is stale; confirm which one the
	// provider-registration path actually enforces.
	ProviderTypeAliCloudIAM = "alicloud_iam"
	ProviderTypeBigQuery    = "bigquery"
	ProviderTypeMetabase    = "metabase"
	ProviderTypeGrafana     = "grafana"
	ProviderTypeTableau     = "tableau"
	ProviderTypeGCloudIAM   = "gcloud_iam"
	ProviderTypeNoOp        = "noop"
	ProviderTypeGCS         = "gcs"
	ProviderTypePolicyTag   = "dataplex"
	ProviderTypeShield      = "shield"
	ProviderTypeGitlab      = "gitlab"
	ProviderTypeGate        = "gate"
)
const (
	// ApproversKeyResource is a special value recognised in Step.Approvers.
	// Its exact semantics (presumably resolving approvers from the resource
	// rather than from an expression) are not visible on this page.
	ApproversKeyResource = "$resource"
)
const (
	// TraceIDKey is the key under which a request trace ID is carried
	// (presumably in a context or structured-log field) so that appeal,
	// approval and grant changes can be correlated in audit logs.
	TraceIDKey = "trace_id"
)
Variables ¶
var (
	// Errors from resolving Step.Approvers for a manual step.
	ErrFailedToGetApprovers = errors.New("failed to get approvers")
	// ErrApproversNotFound: the expression evaluated but yielded no approver.
	// A common cause is an expression reading $appeal.creator.* when the
	// creator lookup failed and PolicyAppealConfig.AllowCreatorDetailsFailure
	// left Appeal.Creator nil.
	ErrApproversNotFound = errors.New("approvers not found")
	// ErrUnexpectedApproverType: the expression returned something other than
	// a string or []string.
	ErrUnexpectedApproverType = errors.New("unexpected approver type")
	// ErrInvalidApproverValue: an approver value is not a syntactically valid
	// e-mail address. This is the only guard visible here on approver
	// identity; it does not verify that the address belongs to a real or
	// authorised principal.
	ErrInvalidApproverValue = errors.New("approver value is not a valid email")
)
var (
	// ErrDuplicateActiveGrant: an active grant for the same account, resource
	// and role already exists.
	ErrDuplicateActiveGrant = errors.New("grant already exists")
	// ErrInvalidGrantRestoreParams is returned by Grant.Restore on bad input.
	ErrInvalidGrantRestoreParams = errors.New("invalid grant restore parameters")
	// ErrInvalidGrantUpdateRequest is returned by GrantUpdate.Validate.
	ErrInvalidGrantUpdateRequest = errors.New("invalid grant update request")
)
var (
	// ErrInvalidConditionField: Condition.Field could not be parsed. Only
	// relevant to the deprecated RequirementTrigger.Conditions path.
	ErrInvalidConditionField = errors.New("unable to parse condition's field")
)
Functions ¶
This section is empty.
Types ¶
type AccessEntry ¶
func (AccessEntry) ToGrant ¶
func (ae AccessEntry) ToGrant(resource Resource) Grant
type Activity ¶
// Activity is a single usage event pulled from a provider's own audit/activity
// log and tied back to the resource and account in this system. Activities
// feed the dormancy check (DormancyCheckCriteria) that expires unused grants.
type Activity struct {
	ID                 string    `json:"id" yaml:"id"`
	ProviderID         string    `json:"provider_id" yaml:"provider_id"`
	ResourceID         string    `json:"resource_id" yaml:"resource_id"`
	// ProviderActivityID is the provider's own identifier for the event, kept
	// so imports can be de-duplicated / traced back to the source log.
	ProviderActivityID string    `json:"provider_activity_id" yaml:"provider_activity_id"`
	AccountType        string    `json:"account_type" yaml:"account_type"`
	AccountID          string    `json:"account_id" yaml:"account_id"`
	// Timestamp is when the activity happened in the provider; CreatedAt is
	// when it was recorded here.
	Timestamp          time.Time `json:"timestamp" yaml:"timestamp"`
	// Authorizations are the provider-side permissions exercised by the
	// event; RelatedPermissions are the ones this system recognises as
	// belonging to a granted role (exact mapping not visible here).
	Authorizations     []string  `json:"authorizations" yaml:"authorizations"`
	RelatedPermissions []string  `json:"related_permissions" yaml:"related_permissions"`
	Type               string    `json:"type" yaml:"type"`
	// Metadata is provider-specific and unvalidated; treat as opaque.
	Metadata           map[string]interface{} `json:"metadata" yaml:"metadata"`
	CreatedAt          time.Time `json:"created_at" yaml:"created_at"`
	Provider           *Provider `json:"provider,omitempty" yaml:"provider,omitempty"`
	Resource           *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
}
type ActivityConfig ¶ added in v0.7.5
type AdditionalAppeal ¶
// AdditionalAppeal describes an appeal that is created automatically when a
// Requirement's trigger matches (e.g. access to a dataset also requires a
// role on its project). Because these are not requested by the user, the
// Policy chosen here decides who approves the implied access.
type AdditionalAppeal struct {
	Resource *ResourceIdentifier `json:"resource" yaml:"resource" validate:"required"`
	Role     string              `json:"role" yaml:"role" validate:"required"`
	Options  *AppealOptions      `json:"options" yaml:"options"`
	// Policy overrides the policy that would otherwise apply to the resource.
	// NOTE(review): when nil the fallback is presumably the resource's own
	// ResourceConfig.Policy — confirm, since this determines the approval
	// chain for access the requester never explicitly asked for.
	Policy   *PolicyConfig       `json:"policy" yaml:"policy"`
}
type Appeal ¶
// Appeal is a request by an account for a Role on a Resource. It is evaluated
// against a Policy (one Approval per Step) and, once approved, turned into a
// Grant via ToGrant.
type Appeal struct {
	ID         string `json:"id" yaml:"id"`
	ResourceID string `json:"resource_id" yaml:"resource_id"`
	// PolicyID/PolicyVersion record the exact policy version the appeal was
	// evaluated under; Approval carries the same pair. Presumably this keeps
	// later policy edits from silently changing an in-flight flow — confirm.
	PolicyID      string `json:"policy_id" yaml:"policy_id"`
	PolicyVersion uint   `json:"policy_version" yaml:"policy_version"`
	// Status is one of the AppealStatus* constants.
	Status string `json:"status" yaml:"status"`
	// AccountID is the principal that will receive access; CreatedBy is who
	// filed the appeal. They differ for on-behalf appeals, which are only
	// permitted when PolicyAppealConfig.AllowOnBehalf is set.
	AccountID   string `json:"account_id" yaml:"account_id"`
	AccountType string `json:"account_type" yaml:"account_type" default:"user"`
	CreatedBy   string `json:"created_by" yaml:"created_by"`
	// Creator holds the requester's profile fetched from the identity
	// provider configured in Policy.IAM. It is nil when that lookup failed and
	// PolicyAppealConfig.AllowCreatorDetailsFailure allowed the appeal to
	// proceed. It is serialised under "creator", so whatever the IdP returns
	// (possibly PII) is visible to anyone who can read the appeal.
	Creator interface{} `json:"creator" yaml:"creator"`
	Role        string   `json:"role" yaml:"role"`
	Permissions []string `json:"permissions" yaml:"permissions"`
	Options     *AppealOptions `json:"options" yaml:"options"`
	// Details is free-form, client-supplied input. The ReservedDetailsKey*
	// entries ("__provider_parameters", "__policy_questions",
	// "__policy_metadata") are filled in by the service.
	// NOTE(review): confirm the request path strips those keys from input.
	Details     map[string]interface{} `json:"details" yaml:"details"`
	Labels      map[string]string      `json:"labels" yaml:"labels"`
	Description string                 `json:"description" yaml:"description"`
	// Policy is deliberately excluded from JSON/YAML output (`json:"-"`),
	// which also keeps Policy.IAM configuration out of API responses.
	Policy    *Policy     `json:"-" yaml:"-"`
	Resource  *Resource   `json:"resource,omitempty" yaml:"resource,omitempty"`
	Approvals []*Approval `json:"approvals,omitempty" yaml:"approvals,omitempty"`
	Grant     *Grant      `json:"grant,omitempty" yaml:"grant,omitempty"`
	// Revision is bumped when the appeal is edited; approvals record the
	// revision they belong to (Approval.AppealRevision) and older ones are
	// flagged IsStale so a stale approval cannot be acted on by name
	// (see GetApproval).
	Revision  uint      `json:"revision,omitempty" yaml:"revision,omitempty"`
	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
Appeal is an access request: an account asking for a role on a resource, processed through the steps of a Policy and converted into a Grant on approval.
func (*Appeal) AdvanceApproval ¶
func (*Appeal) ApplyPolicy ¶
func (*Appeal) GetApproval ¶
GetApproval returns an approval within the appeal. If the identifier is an approval ID, the approval with that ID is returned. If it is an approval name, the approval with that name that is not stale (!is_stale) is returned, so approvals left over from an earlier appeal revision are never matched by name.
func (*Appeal) GetApprovalByIndex ¶ added in v0.11.2
func (*Appeal) GetNextPendingApproval ¶
func (*Appeal) IsDurationEmpty ¶
func (*Appeal) SetDefaults ¶
func (a *Appeal) SetDefaults()
type AppealConfig ¶
// AppealConfig is the provider-level appeal configuration (ProviderConfig.Appeal).
// PolicyAppealConfig carries the same two knobs at policy level; which one wins
// when they disagree is not visible on this page.
type AppealConfig struct {
	// AllowPermanentAccess permits appeals with the reserved "0h" duration
	// (see AppealDurationOption). Default false: access must expire.
	AllowPermanentAccess bool `json:"allow_permanent_access" yaml:"allow_permanent_access"`
	// AllowActiveAccessExtensionIn is a duration string (e.g. "24h"): how
	// close to expiry an active grant must be before it may be extended
	// (see Grant.IsEligibleForExtension).
	AllowActiveAccessExtensionIn string `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in" validate:"required"`
}
AppealConfig is the appeal configuration attached to a provider (ProviderConfig.Appeal).
type AppealDurationOption ¶
// AppealDurationOption is one entry of PolicyAppealConfig.DurationOptions: a
// label shown to requesters and the Go duration string it stands for.
type AppealDurationOption struct {
	// Name of the duration as displayed to users.
	// Ex: 1 Day, 3 Days, Permanent
	Name string `json:"name" yaml:"name" validate:"required"`
	// Value is the actual duration in time.ParseDuration syntax.
	// Ex: 24h, 72h, 0h
	// `0h` is reserved for permanent access and is only honoured when
	// AllowPermanentAccess is enabled; listing it here alone does not grant
	// permanent access.
	Value string `json:"value" yaml:"value" validate:"required"`
}
type AppealMetadataSource ¶ added in v0.10.0
// AppealMetadataSource describes an external lookup (keyed by name in
// PolicyAppealConfig.MetadataSources) whose result is attached to an appeal
// under the "__policy_metadata" details key and can then be referenced from
// step expressions.
type AppealMetadataSource struct {
	Name        string `json:"name" yaml:"name"`
	Description string `json:"description,omitempty" yaml:"description,omitempty"`
	// Type selects the source implementation; valid values are not listed here.
	Type string `json:"type" yaml:"type"`
	// Config is the source's connection settings (for an HTTP source this
	// plausibly includes auth headers). It is encrypted/decrypted as a whole
	// via EncryptConfig/DecryptConfig and cleared by Policy.RemoveSensitiveValues,
	// so it must be treated as secret material.
	Config interface{} `json:"config,omitempty" yaml:"config,omitempty"`
	// Value is the expression / template evaluated by EvaluateValue against the
	// appeal parameters.
	Value interface{} `json:"value" yaml:"value"`
}
func (*AppealMetadataSource) DecryptConfig ¶ added in v0.10.0
func (c *AppealMetadataSource) DecryptConfig(dec Decryptor) error
func (*AppealMetadataSource) EncryptConfig ¶ added in v0.10.0
func (c *AppealMetadataSource) EncryptConfig(enc Encryptor) error
func (*AppealMetadataSource) EvaluateValue ¶ added in v0.10.0
func (c *AppealMetadataSource) EvaluateValue(params map[string]interface{}) (interface{}, error)
type AppealOptions ¶
// AppealOptions are the requester-chosen lifetime settings of an appeal.
type AppealOptions struct {
	// ExpirationDate is the computed absolute expiry. Duration is what the
	// requester picked (one of the policy's AppealDurationOption values);
	// "0h" requests permanent access and is subject to AllowPermanentAccess.
	ExpirationDate *time.Time `json:"expiration_date,omitempty" yaml:"expiration_date,omitempty"`
	Duration       string     `json:"duration" yaml:"duration"`
}
AppealOptions holds the requested access lifetime for an appeal (a duration string and the derived expiration date).
type Approval ¶
// Approval is the runtime state of one policy Step for one Appeal.
type Approval struct {
	ID string `json:"id" yaml:"id"`
	// Name matches Step.Name; it is how ApprovalAction addresses the step.
	Name string `json:"name" yaml:"name"`
	// Index is the step's position in Policy.Steps (see GetApprovalByIndex);
	// not serialised.
	Index    int    `json:"-" yaml:"-"`
	AppealID string `json:"appeal_id" yaml:"appeal_id"`
	// Status is one of the ApprovalStatus* constants.
	Status string `json:"status" yaml:"status"`
	// Actor is who approved/rejected. It is a pointer, presumably nil until
	// someone acts; Reason carries their justification or Step.RejectionReason.
	Actor  *string `json:"actor" yaml:"actor"`
	Reason string  `json:"reason,omitempty" yaml:"reason,omitempty"`
	// PolicyID/PolicyVersion pin the policy version this step came from.
	PolicyID      string `json:"policy_id" yaml:"policy_id"`
	PolicyVersion uint   `json:"policy_version" yaml:"policy_version"`
	// Approvers are the e-mail addresses resolved from Step.Approvers; the
	// authorisation check for a manual action presumably tests membership
	// here (IsExistingApprover).
	Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty"`
	Appeal    *Appeal  `json:"appeal,omitempty" yaml:"appeal,omitempty"`
	// IsStale marks approvals that belong to an earlier AppealRevision; they
	// are excluded from GetApproval-by-name and should not be actionable.
	IsStale        bool      `json:"is_stale,omitempty" yaml:"is_stale,omitempty"`
	AppealRevision uint      `json:"appeal_revision" yaml:"appeal_revision"`
	CreatedAt      time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt      time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
func (*Approval) IsExistingApprover ¶ added in v0.12.0
func (*Approval) IsManualApproval ¶
type ApprovalAction ¶
// ApprovalAction is the input for approving or rejecting a manual step.
type ApprovalAction struct {
	AppealID     string `validate:"required" json:"appeal_id"`
	// ApprovalName is the Step.Name being acted on (resolved via
	// Appeal.GetApproval, which ignores stale approvals).
	ApprovalName string `validate:"required" json:"approval_name"`
	// Actor is the e-mail of the person acting. It must come from the
	// authenticated session, not from the request body, otherwise anyone can
	// act as any approver — this struct only checks the value looks like an
	// e-mail. NOTE(review): `email` without `required`; with go-playground
	// style validators an empty string still fails the email rule, so this
	// is effectively mandatory — confirm the validator in use behaves so.
	Actor  string `validate:"email" json:"actor"`
	Action string `validate:"required,oneof=approve reject" json:"action"`
	Reason string `json:"reason"`
}
func (ApprovalAction) Validate ¶ added in v0.8.0
func (a ApprovalAction) Validate() error
type ApprovalActionType ¶
// ApprovalActionType is the typed form of ApprovalAction.Action.
type ApprovalActionType string

const (
	ApprovalActionApprove ApprovalActionType = "approve"
	ApprovalActionReject  ApprovalActionType = "reject"
)
type ApprovalStepStrategy ¶
// ApprovalStepStrategy selects how a Step resolves: "manual" requires a human
// listed in Step.Approvers to act; "auto" resolves from Step.ApproveIf alone.
type ApprovalStepStrategy string

const (
	ApprovalStepStrategyAuto   ApprovalStepStrategy = "auto"
	ApprovalStepStrategyManual ApprovalStepStrategy = "manual"
)
type Approver ¶
// Approver is one persisted (approval, e-mail) pair: the materialised form of
// Approval.Approvers, one row per address.
type Approver struct {
	ID         string    `json:"id" yaml:"id"`
	ApprovalID string    `json:"approval_id" yaml:"approval_id"`
	AppealID   string    `json:"appeal_id" yaml:"appeal_id"`
	Email      string    `json:"email" yaml:"email"`
	CreatedAt  time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt  time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
type Comment ¶ added in v0.10.0
// Comment is a free-text note attached to a parent object (ParentType/ParentID
// form a polymorphic reference; the allowed parent types are not listed here).
type Comment struct {
	ID         string `json:"id" yaml:"id"`
	ParentType string `json:"parent_type" yaml:"parent_type"`
	ParentID   string `json:"parent_id" yaml:"parent_id"`
	CreatedBy  string `json:"created_by" yaml:"created_by"`
	// Body is untrusted user input. It is fanned out to other users through
	// the NewComment notification, so the notifier must escape it for the
	// target channel (Slack/e-mail markup) rather than interpolate it raw.
	Body      string    `json:"body" yaml:"body"`
	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
type Condition ¶
// Condition is a single field/match pair of the legacy condition syntax.
// RequirementTrigger.Conditions is deprecated in favour of Expression; new
// policies should not use this type.
type Condition struct {
	// Field is a path into the object being tested; an unparseable path
	// yields ErrInvalidConditionField.
	Field string          `json:"field" yaml:"field" validate:"required"`
	Match *MatchCondition `json:"match" yaml:"match" validate:"required"`
}
Condition is evaluated to decide whether a requirement trigger matches; it is the deprecated predecessor of RequirementTrigger.Expression.
type DormancyCheckCriteria ¶ added in v0.7.5
// DormancyCheckCriteria parameterises the job that expires grants with no
// recorded Activity. Meaning of the fields is inferred from their names and
// from GrantExpirationReasonDormant — confirm against the job implementation:
//   Period         — how far back to look for activity
//   RetainDuration — grace period before a dormant grant is actually expired
//   DryRun         — report what would be expired without changing anything;
//                    run with DryRun first when onboarding a provider, since
//                    a mis-sized Period can revoke access in bulk.
type DormancyCheckCriteria struct {
	ProviderID     string
	Period         time.Duration
	RetainDuration time.Duration
	DryRun         bool
}
func (DormancyCheckCriteria) Validate ¶ added in v0.7.5
func (c DormancyCheckCriteria) Validate() error
type Event ¶ added in v0.11.0
type Grant ¶
// Grant is an effective access assignment: AccountID holds Role (expanded to
// Permissions) on ResourceID. It is the audit record for access, so the
// who/when/why fields below are write-once history rather than mutable state.
type Grant struct {
	ID string `json:"id" yaml:"id"`
	// Status is this system's view of the grant; StatusInProvider is the last
	// observed state in the provider. They are stored separately, presumably
	// because provider-side revocation can fail or lag — a grant that is
	// "inactive" here but still active in the provider is a real exposure
	// and worth alerting on.
	Status           GrantStatus `json:"status" yaml:"status"`
	StatusInProvider GrantStatus `json:"status_in_provider" yaml:"status_in_provider"`
	AccountID        string      `json:"account_id" yaml:"account_id"`
	AccountType      string      `json:"account_type" yaml:"account_type"`
	ResourceID       string      `json:"resource_id" yaml:"resource_id"`
	Role             string      `json:"role" yaml:"role"`
	Permissions      []string    `json:"permissions" yaml:"permissions"`
	// IsPermanent grants never expire; otherwise ExpirationDate applies.
	// RequestedExpirationDate keeps what the requester asked for when the
	// effective expiry was changed (e.g. by the dormancy check or a restore);
	// ExpirationDateReason says why (see the *Reason* constants).
	IsPermanent             bool       `json:"is_permanent" yaml:"is_permanent"`
	ExpirationDate          *time.Time `json:"expiration_date" yaml:"expiration_date"`
	RequestedExpirationDate *time.Time `json:"requested_expiration_date,omitempty" yaml:"requested_expiration_date,omitempty"`
	ExpirationDateReason    string     `json:"expiration_date_reason,omitempty" yaml:"expiration_date_reason,omitempty"`
	// AppealID links back to the approval trail; empty for Source == "import",
	// where the access pre-existed in the provider and was never approved here.
	AppealID string      `json:"appeal_id" yaml:"appeal_id"`
	Source   GrantSource `json:"source" yaml:"source"`
	// Revocation / restoration audit trail, written by Revoke and Restore.
	RevokedBy     string     `json:"revoked_by,omitempty" yaml:"revoked_by,omitempty"`
	RevokedAt     *time.Time `json:"revoked_at,omitempty" yaml:"revoked_at,omitempty"`
	RevokeReason  string     `json:"revoke_reason,omitempty" yaml:"revoke_reason,omitempty"`
	RestoredBy    string     `json:"restored_by,omitempty" yaml:"restored_by,omitempty"`
	RestoredAt    *time.Time `json:"restored_at,omitempty" yaml:"restored_at,omitempty"`
	RestoreReason string     `json:"restore_reason,omitempty" yaml:"restore_reason,omitempty"`
	// CreatedBy is kept for backward compatibility only.
	// Deprecated: use Owner instead
	CreatedBy string `json:"created_by" yaml:"created_by"`
	// Owner is the accountable person for the grant; changes are announced
	// via the GrantOwnerChanged notification.
	Owner      string      `json:"owner" yaml:"owner"`
	CreatedAt  time.Time   `json:"created_at" yaml:"created_at"`
	UpdatedAt  time.Time   `json:"updated_at" yaml:"updated_at"`
	Resource   *Resource   `json:"resource,omitempty" yaml:"resource,omitempty"`
	Appeal     *Appeal     `json:"appeal,omitempty" yaml:"appeal,omitempty"`
	Activities []*Activity `json:"activities,omitempty" yaml:"activities,omitempty"`
}
func (*Grant) GetPermissions ¶
func (Grant) IsEligibleForExtension ¶
func (Grant) PermissionsKey ¶
type GrantSource ¶
// GrantSource records how a grant entered the system: "appeal" (approved
// here) or "import" (discovered in the provider, no approval trail).
type GrantSource string
type GrantStatus ¶
// GrantStatus is "active" or "inactive"; used for both Grant.Status and
// Grant.StatusInProvider.
type GrantStatus string
type GrantUpdate ¶ added in v0.12.2
// GrantUpdate is a partial update to a Grant; nil pointer fields are left
// untouched. Validate(current) checks it against the grant being changed.
type GrantUpdate struct {
	ID    string  `json:"id" yaml:"id"`
	Owner *string `json:"owner,omitempty" yaml:"owner,omitempty"`
	// Changing IsPermanent/ExpirationDate through this path extends access
	// without a new appeal, so the caller must be authorised for the grant
	// (owner or admin) — that check is not part of this type.
	IsPermanent          *bool      `json:"is_permanent,omitempty" yaml:"is_permanent,omitempty"`
	ExpirationDate       *time.Time `json:"expiration_date,omitempty" yaml:"expiration_date,omitempty"`
	ExpirationDateReason *string    `json:"expiration_date_reason,omitempty" yaml:"expiration_date_reason,omitempty"`
	// Actor is the principal performing the update, for the audit trail.
	// NOTE(review): it is deserialised from the body; confirm the API layer
	// overwrites it with the authenticated identity.
	Actor string `json:"actor" yaml:"actor"`
}
func (*GrantUpdate) IsUpdatingExpirationDate ¶ added in v0.12.2
func (gu *GrantUpdate) IsUpdatingExpirationDate() bool
func (*GrantUpdate) Validate ¶ added in v0.12.2
func (gu *GrantUpdate) Validate(current Grant) error
type IAMConfig ¶
// IAMConfig tells a Policy how to look up requester details (Appeal.Creator)
// from an identity provider.
type IAMConfig struct {
	// Provider selects the client implementation: "http" or "shield".
	Provider IAMProviderType `json:"provider" yaml:"provider" validate:"required,oneof=http shield"`
	// Config is provider-specific connection configuration. IAMManager parses
	// it into a SensitiveConfig, i.e. it is expected to contain credentials
	// (auth headers / tokens) and is cleared by Policy.RemoveSensitiveValues
	// before a policy is exposed.
	Config interface{} `json:"config" yaml:"config" validate:"required"`
	// Schema maps fields of the IdP response onto the keys exposed as
	// $appeal.creator.* in step expressions.
	Schema map[string]string `json:"schema" yaml:"schema"`
}
type IAMManager ¶
// IAMManager builds identity-provider clients from an IAMConfig.
// ParseConfig returns the parsed config as a SensitiveConfig so the caller
// can validate it and keep it out of logs/responses; GetClient then turns it
// into a usable IAMClient.
type IAMManager interface {
	ParseConfig(*IAMConfig) (SensitiveConfig, error)
	GetClient(SensitiveConfig) (IAMClient, error)
}
type IAMProviderType ¶
// IAMProviderType identifies the identity-provider client used by a Policy
// (IAMConfig.Provider).
type IAMProviderType string

const (
	IAMProviderTypeShield IAMProviderType = "shield"
	IAMProviderTypeHTTP   IAMProviderType = "http"
)
type ListActivitiesFilter ¶ added in v0.7.5
// ListActivitiesFilter narrows an Activity listing. Resources may be given by
// ID or by ResourceIdentifier; PopulateResources resolves the latter and
// GetResources returns the combined set.
type ListActivitiesFilter struct {
	ProviderID          string
	ResourceIDs         []string
	ResourceIdentifiers []ResourceIdentifier
	AccountIDs          []string
	TimestampGte        *time.Time
	TimestampLte        *time.Time
	// contains filtered or unexported fields
}
func (*ListActivitiesFilter) GetResources ¶ added in v0.7.5
func (f *ListActivitiesFilter) GetResources() []*Resource
func (*ListActivitiesFilter) PopulateResources ¶ added in v0.7.5
func (f *ListActivitiesFilter) PopulateResources(resources map[string]*Resource) error
type ListAppealsFilter ¶
// ListAppealsFilter is decoded from query parameters (mapstructure tags) for
// appeal listings. Note that nothing here scopes results to the caller; the
// service layer must add that (e.g. force CreatedBy/AccountID for
// non-admins) or the endpoint lists everyone's appeals.
type ListAppealsFilter struct {
	// Q is a free-text search term.
	Q            string   `mapstructure:"q" validate:"omitempty"`
	AccountTypes []string `mapstructure:"account_types" validate:"omitempty,min=1"`
	CreatedBy    string   `mapstructure:"created_by" validate:"omitempty,required"`
	AccountID    string   `mapstructure:"account_id" validate:"omitempty,required"`
	AccountIDs   []string `mapstructure:"account_ids" validate:"omitempty,required"`
	ResourceID   string   `mapstructure:"resource_id" validate:"omitempty,required"`
	Role         string   `mapstructure:"role" validate:"omitempty,required"`
	Statuses     []string `mapstructure:"statuses" validate:"omitempty,min=1"`
	ExpirationDateLessThan    time.Time `mapstructure:"expiration_date_lt" validate:"omitempty,required"`
	ExpirationDateGreaterThan time.Time `mapstructure:"expiration_date_gt" validate:"omitempty,required"`
	ProviderTypes []string `mapstructure:"provider_types" validate:"omitempty,min=1"`
	ProviderURNs  []string `mapstructure:"provider_urns" validate:"omitempty,min=1"`
	ResourceTypes []string `mapstructure:"resource_types" validate:"omitempty,min=1"`
	ResourceURNs  []string `mapstructure:"resource_urns" validate:"omitempty,min=1"`
	// OrderBy is caller-controlled and is not validated here.
	// NOTE(review): if these values are spliced into an ORDER BY clause, the
	// repository must map them through an allow-list of column names.
	OrderBy []string `mapstructure:"order_by" validate:"omitempty,min=1"`
	Size    int      `mapstructure:"size" validate:"omitempty"`
	Offset  int      `mapstructure:"offset" validate:"omitempty"`
}
type ListApprovalsFilter ¶
// ListApprovalsFilter is decoded from query parameters for approval listings
// (typically "approvals waiting on me"). As with ListAppealsFilter, caller
// scoping is the service layer's job, not this struct's.
type ListApprovalsFilter struct {
	Q             string   `mapstructure:"q" validate:"omitempty"`
	AccountID     string   `mapstructure:"account_id" validate:"omitempty,required"`
	AccountTypes  []string `mapstructure:"account_types" validate:"omitempty,min=1"`
	ResourceTypes []string `mapstructure:"resource_types" validate:"omitempty,min=1"`
	// CreatedBy here is the approver whose queue is being listed (inferred
	// from the "pending approvals" use case — confirm).
	CreatedBy string   `mapstructure:"created_by" validate:"omitempty,required"`
	Statuses  []string `mapstructure:"statuses" validate:"omitempty,min=1"`
	// OrderBy is caller-controlled; see the note on ListAppealsFilter.OrderBy.
	OrderBy        []string `mapstructure:"order_by" validate:"omitempty,min=1"`
	Size           int      `mapstructure:"size" validate:"omitempty"`
	Offset         int      `mapstructure:"offset" validate:"omitempty"`
	AppealStatuses []string `mapstructure:"appeal_statuses" validate:"omitempty,min=1"`
	// Stale includes approvals superseded by a later appeal revision.
	Stale bool `mapstructure:"stale" validate:"omitempty"`
}
type ListAuditLogFilter ¶ added in v0.11.0
type ListCommentsFilter ¶ added in v0.10.0
type ListEventsFilter ¶ added in v0.11.0
type ListGrantsFilter ¶
// ListGrantsFilter narrows a Grant listing. Only Size/Offset/Q carry
// mapstructure tags, so the remaining fields are presumably populated by the
// handler rather than decoded straight from the query string — confirm.
type ListGrantsFilter struct {
	Statuses      []string
	AccountIDs    []string
	AccountTypes  []string
	ResourceIDs   []string
	Roles         []string
	Permissions   []string
	ProviderTypes []string
	ProviderURNs  []string
	ResourceTypes []string
	ResourceURNs  []string
	// CreatedBy matches the deprecated Grant.CreatedBy; prefer Owner.
	CreatedBy string
	Owner     string
	// OrderBy is caller-controlled; the repository should allow-list column
	// names before using it in a query.
	OrderBy                   []string
	ExpirationDateLessThan    time.Time
	ExpirationDateGreaterThan time.Time
	IsPermanent               *bool
	CreatedAtLte              time.Time
	Size                      int    `mapstructure:"size" validate:"omitempty"`
	Offset                    int    `mapstructure:"offset" validate:"omitempty"`
	Q                         string `mapstructure:"q" validate:"omitempty"`
}
type ListResourcesFilter ¶
// ListResourcesFilter is decoded from query parameters for resource listings.
type ListResourcesFilter struct {
	IDs          []string `mapstructure:"ids" validate:"omitempty,min=1"`
	// IsDeleted includes soft-deleted resources (Resource.IsDeleted).
	IsDeleted    bool     `mapstructure:"is_deleted" validate:"omitempty"`
	ProviderType string   `mapstructure:"provider_type" validate:"omitempty"`
	ProviderURN  string   `mapstructure:"provider_urn" validate:"omitempty"`
	Name         string   `mapstructure:"name" validate:"omitempty"`
	ResourceURN  string   `mapstructure:"urn" validate:"omitempty"`
	ResourceType string   `mapstructure:"type" validate:"omitempty"`
	ResourceURNs []string `mapstructure:"urns" validate:"omitempty"`
	ResourceTypes []string `mapstructure:"types" validate:"omitempty"`
	// Details filters on keys of Resource.Details. Keys are caller-supplied;
	// if they are turned into JSON-path expressions in the query they need
	// the same care as OrderBy.
	Details map[string]string `mapstructure:"details"`
	Size    uint32            `mapstructure:"size" validate:"omitempty"`
	Offset  uint32            `mapstructure:"offset" validate:"omitempty"`
	OrderBy []string          `mapstructure:"order_by" validate:"omitempty"`
	Q       string            `mapstructure:"q" validate:"omitempty"`
}
type MapResourceAccess ¶
// MapResourceAccess groups provider-side access entries by resource URN. It is
// the shape in which existing access is imported (each AccessEntry becomes a
// Grant with Source "import" via AccessEntry.ToGrant).
type MapResourceAccess map[string][]AccessEntry
MapResourceAccess is a list of access entries grouped by resource URN; it is the input shape for importing access that already exists in a provider.
type MatchCondition ¶
// MatchCondition is the comparison half of a legacy Condition. Only equality
// is supported; this path is deprecated in favour of RequirementTrigger.Expression.
type MatchCondition struct {
	Eq interface{} `json:"eq" yaml:"eq"`
}
MatchCondition specifies the value a Condition's field must equal; it belongs to the deprecated condition syntax.
type Notification ¶
// Notification is one outbound message for one recipient.
type Notification struct {
	// User is the recipient (an e-mail address in the rest of this package).
	User    string
	Message NotificationMessage
	Labels  map[string]string
}
type NotificationMessage ¶
type NotificationMessages ¶
// NotificationMessages holds the message templates, one per notification
// type (see the NotificationType* constants), loaded from configuration.
// Templates are rendered with appeal/grant/comment data that includes
// user-controlled text (Appeal.Description, Comment.Body, Labels); the
// renderer must escape for the delivery channel.
type NotificationMessages struct {
	ExpirationReminder       string `mapstructure:"expiration_reminder"`
	AppealApproved           string `mapstructure:"appeal_approved"`
	AppealRejected           string `mapstructure:"appeal_rejected"`
	AccessRevoked            string `mapstructure:"access_revoked"`
	ApproverNotification     string `mapstructure:"approver_notification"`
	OthersAppealApproved     string `mapstructure:"others_appeal_approved"`
	GrantOwnerChanged        string `mapstructure:"grant_owner_changed"`
	UnusedGrant              string `mapstructure:"unused_grant"`
	NewComment               string `mapstructure:"new_comment"`
	PendingApprovalsReminder string `mapstructure:"pending_approvals_reminder"`
}
type Policy ¶
// Policy is a versioned approval workflow. Whoever can write policies
// controls who approves access (Steps, Approvers, ApproveIf) and therefore
// effectively controls access itself — policy management is a privileged
// operation.
type Policy struct {
	ID string `json:"id" yaml:"id" validate:"required"`
	// Version is pinned on every Appeal/Approval created under the policy.
	Version     uint   `json:"version" yaml:"version" validate:"required"`
	Description string `json:"description" yaml:"description"`
	// Steps run in order; at least one is required.
	Steps []*Step `json:"steps" yaml:"steps" validate:"required,min=1,dive"`
	AppealConfig *PolicyAppealConfig `json:"appeal" yaml:"appeal" validate:"omitempty,dive"`
	// Requirements auto-create additional appeals when their trigger matches.
	Requirements []*Requirement    `json:"requirements,omitempty" yaml:"requirements,omitempty" validate:"omitempty,min=1,dive"`
	Labels       map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
	// IAM configures the identity-provider lookup for Appeal.Creator. Its
	// Config contains secrets (and so does AppealConfig.MetadataSources[*].Config):
	// call RemoveSensitiveValues before returning a Policy to API clients.
	IAM       *IAMConfig `json:"iam,omitempty" yaml:"iam,omitempty" validate:"omitempty,dive"`
	CreatedAt time.Time  `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time  `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
Policy is the versioned approval-workflow configuration: the ordered steps an appeal must pass, appeal options, additional-appeal requirements, and the identity-provider lookup used to enrich requests.
func (*Policy) GetStepByName ¶ added in v0.12.2
func (*Policy) HasAppealMetadataSources ¶ added in v0.10.0
func (*Policy) HasIAMConfig ¶
func (*Policy) RemoveSensitiveValues ¶ added in v0.10.0
func (p *Policy) RemoveSensitiveValues()
type PolicyAppealConfig ¶
// PolicyAppealConfig is the appeal-related part of a Policy: what requesters
// may ask for and what extra data is gathered for a request.
type PolicyAppealConfig struct {
	// DurationOptions are the lifetimes a requester can choose from.
	DurationOptions []AppealDurationOption `json:"duration_options" yaml:"duration_options" validate:"omitempty,min=1,dive"`
	// AllowOnBehalf lets one user file an appeal whose AccountID is someone
	// else. Default false.
	AllowOnBehalf bool `json:"allow_on_behalf" yaml:"allow_on_behalf"`
	// AllowPermanentAccess permits the reserved "0h" duration. Default false.
	AllowPermanentAccess bool `json:"allow_permanent_access" yaml:"allow_permanent_access"`
	// AllowActiveAccessExtensionIn: how close to expiry a grant must be before
	// it can be extended (duration string). Not validated here, unlike the
	// provider-level AppealConfig.
	AllowActiveAccessExtensionIn string `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in"`
	// Questions are asked of the requester; answers land in Appeal.Details
	// under "__policy_questions".
	Questions []Question `json:"questions" yaml:"questions"`
	// AllowCreatorDetailsFailure is a flag that lets the appeal creation continue when the request to the identity
	// provider (Policy.IAM) fails. If this is set to true and the request to the identity provider fails (4xx or 5xx), the
	// value of the `creator` field in the appeal will be nil.
	// Note: any expression that tries to access `$appeal.creator.*` is still evaluated as usual, so it needs
	// proper nil checking to avoid dereferencing a nil value.
	// Security note: with this enabled, an approver expression such as
	// "$appeal.creator.manager_email" yields no approver when the IdP is
	// down (ErrApproversNotFound) and an ApproveIf that relies on creator
	// attributes will not see them. Policies that gate access on identity
	// data should leave this false so an IdP outage fails closed.
	AllowCreatorDetailsFailure bool `json:"allow_creator_details_failure" yaml:"allow_creator_details_failure"`
	// MetadataSources are external lookups whose results become
	// "__policy_metadata" in Appeal.Details; their Config is secret material.
	MetadataSources map[string]*AppealMetadataSource `json:"metadata_sources,omitempty" yaml:"metadata_sources,omitempty"`
}
type PolicyConfig ¶
// PolicyConfig references a Policy by ID and exact Version. Pinning the
// version means a resource keeps its approval chain until the reference is
// updated explicitly, even if a newer policy version exists.
type PolicyConfig struct {
	ID      string `json:"id" yaml:"id" validate:"required"`
	Version int    `json:"version" yaml:"version" validate:"required"`
}
PolicyConfig is a reference (ID plus pinned version) to the Policy that applies to a resource type in a provider, or that an additional appeal should use.
type Provider ¶
// Provider is a registered target system (BigQuery, Metabase, GCloud IAM, ...)
// identified by Type and URN.
type Provider struct {
	ID   string `json:"id" yaml:"id"`
	Type string `json:"type" yaml:"type"`
	URN  string `json:"urn" yaml:"urn"`
	// Config embeds ProviderConfig, including Credentials, and is serialised
	// under "config". NOTE(review): confirm credentials are redacted before a
	// Provider is returned from list/get endpoints and that they are
	// encrypted at rest.
	Config    *ProviderConfig `json:"config" yaml:"config"`
	CreatedAt time.Time       `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time       `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
type ProviderConfig ¶
// ProviderConfig is the operator-supplied configuration for one provider:
// how to reach it, which resource types it exposes, which roles can be
// requested on them and which policy approves each.
type ProviderConfig struct {
	// Type is validated against a fixed list.
	// NOTE(review): this list does not match the ProviderType* constants —
	// it uses "google_bigquery" where the constant is "bigquery", and it
	// omits dataplex, shield, gitlab and gate. Either the tag or the
	// constants are stale; confirm which the registration path enforces.
	Type string `json:"type" yaml:"type" validate:"required,oneof=alicloud_iam google_bigquery metabase grafana tableau gcloud_iam noop gcs"`
	URN  string `json:"urn" yaml:"urn" validate:"required"`
	// AllowedAccountTypes restricts which Appeal.AccountType values may
	// request access here (e.g. only "user", not service accounts). Nil means
	// unrestricted — presumably; confirm.
	AllowedAccountTypes []string          `json:"allowed_account_types" yaml:"allowed_account_types" validate:"omitempty,min=1"`
	Labels              map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
	// Credentials are the secret used to act on the provider (e.g. a
	// service-account key or API token) and are what lets this service grant
	// and revoke access. They must be encrypted at rest and never echoed
	// back through the API; the `omitempty` on the JSON tag is not a
	// redaction mechanism.
	Credentials interface{} `json:"credentials,omitempty" yaml:"credentials" validate:"required"`
	Appeal      *AppealConfig      `json:"appeal,omitempty" yaml:"appeal,omitempty" validate:"required"`
	Resources   []*ResourceConfig  `json:"resources" yaml:"resources" validate:"required"`
	// Parameters are extra inputs a requester fills in; they are stored under
	// Appeal.Details["__provider_parameters"].
	Parameters []*ProviderParameter `json:"parameters,omitempty" yaml:"parameters,omitempty"`
	Activity   *ActivityConfig      `json:"activity,omitempty" yaml:"activity,omitempty"`
}
func (ProviderConfig) GetFilterForResourceType ¶ added in v0.7.8
func (pc ProviderConfig) GetFilterForResourceType(resourceType string) string
func (ProviderConfig) GetResourceTypes ¶
func (pc ProviderConfig) GetResourceTypes() (resourceTypes []string)
type ProviderParameter ¶
type ProviderType ¶
type Requirement ¶
// Requirement couples a trigger with the additional appeals to create when it
// matches. Each AdditionalAppeal goes through its own policy, so a
// requirement cannot bypass approval — but it can expand the blast radius of
// a single request; review requirements with the same care as steps.
type Requirement struct {
	On      *RequirementTrigger `json:"on" yaml:"on" validate:"required"`
	Appeals []*AdditionalAppeal `json:"appeals" yaml:"appeals" validate:"required,min=1,dive"`
}
type RequirementTrigger ¶
// RequirementTrigger decides whether a Requirement applies to an appeal.
// The struct tags are elided in this rendering ("not displayed"); the
// matching semantics of the provider/resource/role fields (exact vs. pattern)
// are therefore not visible here.
type RequirementTrigger struct {
	ProviderType string `` /* 137-byte string literal not displayed */
	ProviderURN  string `` /* 136-byte string literal not displayed */
	ResourceType string `` /* 137-byte string literal not displayed */
	ResourceURN  string `` /* 136-byte string literal not displayed */
	Role         string `` /* 128-byte string literal not displayed */
	// Conditions is the legacy field/eq syntax.
	// Deprecated: use Expression instead
	Conditions []*Condition `` /* 134-byte string literal not displayed */
	// Expression is evaluated against the appeal (same expression language as
	// Step.When/ApproveIf, presumably). Only policy administrators write it.
	Expression string `` /* 134-byte string literal not displayed */
}
type Resource ¶
// Resource is something access can be requested on, as discovered from a
// provider. The (ProviderType, ProviderURN, Type, URN) tuple identifies it
// within that provider; GlobalURN identifies it across providers.
type Resource struct {
	ID           string `json:"id" yaml:"id"`
	ProviderType string `json:"provider_type" yaml:"provider_type"`
	ProviderURN  string `json:"provider_urn" yaml:"provider_urn"`
	Type         string `json:"type" yaml:"type"`
	URN          string `json:"urn" yaml:"urn"`
	Name         string `json:"name" yaml:"name"`
	// Details are provider-specific attributes; expressions may read them, so
	// they influence approval decisions.
	Details map[string]interface{} `json:"details" yaml:"details"`
	Labels  map[string]string      `json:"labels,omitempty" yaml:"labels,omitempty"`
	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
	// IsDeleted is a soft-delete marker set when the provider no longer
	// reports the resource; listings hide such rows unless asked
	// (ListResourcesFilter.IsDeleted).
	IsDeleted bool `json:"is_deleted,omitempty" yaml:"is_deleted,omitempty"`
	// ParentID/Children form a hierarchy (e.g. project > dataset > table);
	// GetFlattened walks it.
	ParentID  *string     `json:"parent_id,omitempty" yaml:"parent_id,omitempty"`
	Children  []*Resource `json:"children,omitempty" yaml:"children,omitempty"`
	GlobalURN string      `json:"global_urn" yaml:"global_urn"`
}
Resource is an access target discovered from a provider, identified by provider type/URN and its own type/URN, optionally nested under a parent resource.
func (*Resource) GetFlattened ¶
type ResourceConfig ¶
// ResourceConfig configures one resource type within a provider: which
// resources to include, the roles that can be requested on them, and the
// policy that approves those requests.
type ResourceConfig struct {
	Type string `json:"type" yaml:"type" validate:"required"`
	// Filter is an expression that limits which discovered resources of this
	// type are managed (see ProviderConfig.GetFilterForResourceType).
	Filter string `json:"filter" yaml:"filter"`
	// Policy is the approval policy for this resource type. It is not
	// `validate:"required"`; what happens to appeals on a type with no policy
	// is not visible here — confirm it is rejected rather than auto-approved.
	Policy *PolicyConfig `json:"policy" yaml:"policy"`
	Roles  []*Role       `json:"roles" yaml:"roles" validate:"required"`
}
ResourceConfig is the per-resource-type configuration inside a provider: an optional filter, the requestable roles, and the policy that governs approval.
type ResourceIdentifier ¶
// ResourceIdentifier names a resource either by its internal ID or by the
// full (ProviderType, ProviderURN, Type, URN) tuple. The validate tags
// enforce exactly that: the four tuple fields are required together, and ID
// is required only when none of them is set.
type ResourceIdentifier struct {
	ProviderType string `json:"provider_type" yaml:"provider_type" validate:"required_with=ProviderURN Type URN"`
	ProviderURN  string `json:"provider_urn" yaml:"provider_urn" validate:"required_with=ProviderType Type URN"`
	Type         string `json:"type" yaml:"type" validate:"required_with=ProviderType ProviderURN URN"`
	URN          string `json:"urn" yaml:"urn" validate:"required_with=ProviderType ProviderURN Type"`
	ID           string `json:"id" yaml:"id" validate:"required_without_all=ProviderType ProviderURN Type URN"`
}
type RevokeGrantsFilter ¶
type Role ¶
// Role is a requestable bundle of provider permissions. Appeal.Role refers to
// Role.ID; Grant.Permissions is the expanded Permissions list.
type Role struct {
	ID          string `json:"id" yaml:"id" validate:"required"`
	Name        string `json:"name" yaml:"name" validate:"required"`
	Description string `json:"description,omitempty" yaml:"description"`
	// Permissions are provider-specific and untyped (strings for most
	// providers; richer objects for some). GetOrderedPermissions renders them
	// as a sorted string slice, which is what PermissionsKey-style comparison
	// relies on. What a role actually grants lives entirely in the provider
	// config — review it as you would an IAM policy.
	Permissions []interface{} `json:"permissions" yaml:"permissions" validate:"required"`
	Type        string        `json:"type,omitempty" yaml:"type"` // not required to support backward compatible to other provider
}
Role is the configuration that defines a requestable role and maps it to the concrete permissions in the provider.
func (Role) GetOrderedPermissions ¶
GetOrderedPermissions returns the role's permissions as a string slice in a deterministic order.
type SensitiveConfig ¶
// SensitiveConfig is a parsed configuration that contains secrets (IAM
// connection settings, provider credentials). It embeds SensitiveInformation
// so the holder can encrypt/redact it, and Validate so bad configuration is
// rejected before any secret is stored.
type SensitiveConfig interface {
	SensitiveInformation
	Validate() error
}
type SensitiveInformation ¶
type Step ¶
// Step is one stage of a Policy's approval flow. Each appeal gets one
// Approval per Step. Expressions in When, Approvers and ApproveIf are written
// by policy administrators and evaluated against the appeal; they are the
// actual access-control logic, so changes to a Step deserve the same review
// as changes to an IAM policy.
type Step struct {
	// Name is the step identifier; ApprovalAction.ApprovalName and
	// Policy.GetStepByName refer to it.
	Name string `json:"name" yaml:"name" validate:"required"`
	// Description tells more about the step to approvers.
	Description string `json:"description" yaml:"description"`
	// AllowFailed lets the approval flow continue to the next step even when
	// the current step is rejected.
	// If the LAST step has AllowFailed set and is rejected, the appeal still
	// resolves as approved — i.e. a rejection on such a step grants access.
	// Only set this on steps that are genuinely advisory.
	AllowFailed bool `json:"allow_failed" yaml:"allow_failed"`
	// When is an Expression that determines whether the step is evaluated at
	// all. If it evaluates falsy the step is skipped automatically; otherwise
	// the step becomes pending/blocked as usual. A step that is skipped
	// neither approves nor rejects, so a policy whose every step is skipped
	// should be checked for the resulting outcome.
	//
	// Accessible parameters:
	// $appeal = Appeal object
	When string `json:"when,omitempty" yaml:"when,omitempty"`
	// Strategy defines whether the step requires manual approval ("manual",
	// needs Approvers) or resolves automatically ("auto", needs ApproveIf).
	Strategy ApprovalStepStrategy `json:"strategy" yaml:"strategy" validate:"required,oneof=auto manual"`
	// RejectionReason fills `Approval.Reason` when the step is rejected by
	// the `ApproveIf` expression.
	RejectionReason string `json:"rejection_reason" yaml:"rejection_reason"`
	// Approvers is a list of Expressions; each must evaluate to a string or
	// []string of approver e-mail addresses. Required for manual steps.
	// Values that are not syntactically valid e-mails are rejected
	// (ErrInvalidApproverValue); nothing here checks that the address is a
	// real or authorised approver. If an expression reads
	// $appeal.creator.* and PolicyAppealConfig.AllowCreatorDetailsFailure is
	// on, creator may be nil and the step can end up with no approvers
	// (ErrApproversNotFound). The constant ApproversKeyResource ("$resource")
	// is also recognised here; its semantics are not visible on this page.
	//
	// Accessible parameters:
	// $appeal = Appeal object
	Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty" validate:"required_if=Strategy manual,omitempty,min=1"`
	// ApproveIf is an Expression that decides the resolution of an automatic
	// step: truthy approves, falsy rejects (with RejectionReason). Required
	// for auto steps. An auto step that grants access on attributes of the
	// appeal (e.g. creator team) is only as trustworthy as the identity
	// provider that supplied those attributes.
	//
	// Accessible parameters:
	// $appeal = Appeal object
	ApproveIf string `json:"approve_if,omitempty" yaml:"approve_if,omitempty" validate:"required_if=Strategy auto"`
	// DontAllowSelfApproval determines whether an approver may approve their
	// own request. The zero value is false, so BY DEFAULT a requester who is
	// also listed in Approvers can approve themselves; set this to true on
	// any step meant to enforce separation of duties.
	DontAllowSelfApproval bool `json:"dont_allow_self_approval,omitempty" yaml:"dont_allow_self_approval,omitempty"`
}
Step is an individual stage within an approval flow; its expressions (when, approvers, approve_if) are the policy's access-control logic.