domain

package
v0.7.5-alpha.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 14, 2023 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

View Source
const (
	AppealActionNameApprove = "approve"
	AppealActionNameReject  = "reject"

	AppealStatusPending  = "pending"
	AppealStatusCanceled = "canceled"
	AppealStatusApproved = "approved"
	AppealStatusRejected = "rejected"

	SystemActorName = "system"

	DefaultAppealAccountType = "user"
	PermanentDurationLabel   = "Permanent"

	ExpirationDateReasonFromAppeal = "Expiration date is set based on the appeal options"
)
View Source
const (
	ApprovalStatusPending  = "pending"
	ApprovalStatusBlocked  = "blocked"
	ApprovalStatusSkipped  = "skipped"
	ApprovalStatusApproved = "approved"
	ApprovalStatusRejected = "rejected"
)
View Source
const (
	NotificationTypeExpirationReminder     = "ExpirationReminder"
	NotificationTypeAppealApproved         = "AppealApproved"
	NotificationTypeOnBehalfAppealApproved = "OnBehalfAppealApproved"
	NotificationTypeAppealRejected         = "AppealRejected"
	NotificationTypeAccessRevoked          = "AccessRevoked"
	NotificationTypeApproverNotification   = "ApproverNotification"
	NotificationTypeGrantOwnerChanged      = "GrantOwnerChanged"
)
View Source
const (
	// ProviderTypeBigQuery is the type name for BigQuery provider
	ProviderTypeBigQuery = "bigquery"
	// ProviderTypeMetabase is the type name for Metabase provider
	ProviderTypeMetabase = "metabase"
	// ProviderTypeGrafana is the type name for Grafana provider
	ProviderTypeGrafana = "grafana"
	// ProviderTypeTableau is the type name for Tableau provider
	ProviderTypeTableau = "tableau"
	// ProviderTypeGCloudIAM is the type name for Google Cloud IAM provider
	ProviderTypeGCloudIAM = "gcloud_iam"
	// ProviderTypeNoOp is the type name for No-Op provider
	ProviderTypeNoOp = "noop"
	//  ProviderTypeGCS is the type name for Google Cloud Storage provider
	ProviderTypeGCS = "gcs"
	// ProviderTypePolicyTag is the type name for Dataplex
	ProviderTypePolicyTag = "dataplex"
	//  ProviderTypeShield is the type name for Shield auth layer provider
	ProviderTypeShield = "shield"
)
View Source
const (
	ApproversKeyResource = "$resource"
)

Variables

View Source
var (
	ErrApproverInvalidType = errors.New("invalid approver type, expected an email string or array of email string")
)
View Source
var (
	ErrInvalidConditionField = errors.New("unable to parse condition's field")
)

Functions

This section is empty.

Types

type AccessEntry

type AccessEntry struct {
	AccountID   string
	AccountType string
	Permission  string
}

func (AccessEntry) ToGrant

func (ae AccessEntry) ToGrant(resource Resource) Grant

type Activity

type Activity struct {
	ID                 string                 `json:"id" yaml:"id"`
	ProviderID         string                 `json:"provider_id" yaml:"provider_id"`
	ResourceID         string                 `json:"resource_id" yaml:"resource_id"`
	ProviderActivityID string                 `json:"provider_activity_id" yaml:"provider_activity_id"`
	AccountType        string                 `json:"account_type" yaml:"account_type"`
	AccountID          string                 `json:"account_id" yaml:"account_id"`
	Timestamp          time.Time              `json:"timestamp" yaml:"timestamp"`
	Authorizations     []string               `json:"authorizations" yaml:"authorizations"`
	RelatedPermissions []string               `json:"related_permissions" yaml:"related_permissions"`
	Type               string                 `json:"type" yaml:"type"`
	Metadata           map[string]interface{} `json:"metadata" yaml:"metadata"`
	CreatedAt          time.Time              `json:"created_at" yaml:"created_at"`

	Provider *Provider `json:"provider,omitempty" yaml:"provider,omitempty"`
	Resource *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
}

type AdditionalAppeal

type AdditionalAppeal struct {
	Resource *ResourceIdentifier `json:"resource" yaml:"resource"  validate:"required"`
	Role     string              `json:"role" yaml:"role" validate:"required"`
	Options  *AppealOptions      `json:"options" yaml:"options"`
	Policy   *PolicyConfig       `json:"policy" yaml:"policy"`
}

type Appeal

type Appeal struct {
	ID            string                 `json:"id" yaml:"id"`
	ResourceID    string                 `json:"resource_id" yaml:"resource_id"`
	PolicyID      string                 `json:"policy_id" yaml:"policy_id"`
	PolicyVersion uint                   `json:"policy_version" yaml:"policy_version"`
	Status        string                 `json:"status" yaml:"status"`
	AccountID     string                 `json:"account_id" yaml:"account_id"`
	AccountType   string                 `json:"account_type" yaml:"account_type" default:"user"`
	CreatedBy     string                 `json:"created_by" yaml:"created_by"`
	Creator       interface{}            `json:"creator" yaml:"creator"`
	Role          string                 `json:"role" yaml:"role"`
	Permissions   []string               `json:"permissions" yaml:"permissions"`
	Options       *AppealOptions         `json:"options" yaml:"options"`
	Details       map[string]interface{} `json:"details" yaml:"details"`
	Labels        map[string]string      `json:"labels" yaml:"labels"`
	Description   string                 `json:"description" yaml:"description"`

	Policy    *Policy     `json:"-" yaml:"-"`
	Resource  *Resource   `json:"resource,omitempty" yaml:"resource,omitempty"`
	Approvals []*Approval `json:"approvals,omitempty" yaml:"approvals,omitempty"`
	Grant     *Grant      `json:"grant,omitempty" yaml:"grant,omitempty"`

	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

Appeal struct

func (*Appeal) AdvanceApproval

func (a *Appeal) AdvanceApproval(policy *Policy) error

func (*Appeal) ApplyPolicy

func (a *Appeal) ApplyPolicy(p *Policy) error

func (*Appeal) Approve

func (a *Appeal) Approve() error

func (*Appeal) Cancel

func (a *Appeal) Cancel()

func (*Appeal) GetApproval

func (a *Appeal) GetApproval(id string) *Approval

func (*Appeal) GetDuration

func (a *Appeal) GetDuration() (time.Duration, error)

func (*Appeal) GetNextPendingApproval

func (a *Appeal) GetNextPendingApproval() *Approval

func (*Appeal) Init

func (a *Appeal) Init(policy *Policy)

func (*Appeal) IsDurationEmpty

func (a *Appeal) IsDurationEmpty() bool

func (*Appeal) Reject

func (a *Appeal) Reject()

func (*Appeal) SetDefaults

func (a *Appeal) SetDefaults()

func (Appeal) ToGrant

func (a Appeal) ToGrant() (*Grant, error)

type AppealConfig

type AppealConfig struct {
	AllowPermanentAccess         bool   `json:"allow_permanent_access" yaml:"allow_permanent_access"`
	AllowActiveAccessExtensionIn string `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in" validate:"required"`
}

AppealConfig is the policy configuration of the appeal

type AppealDurationOption

type AppealDurationOption struct {
	// Name of the duration
	// Ex: 1 Day, 3 Days, Permanent
	Name string `json:"name" yaml:"name" validate:"required"`
	// Value of the actual duration
	// Ex: 24h, 72h, 0h
	// `0h` is reserved for permanent access
	Value string `json:"value" yaml:"value" validate:"required"`
}

type AppealOptions

type AppealOptions struct {
	ExpirationDate *time.Time `json:"expiration_date,omitempty" yaml:"expiration_date,omitempty"`
	Duration       string     `json:"duration" yaml:"duration"`
}

AppealOptions

type Approval

type Approval struct {
	ID            string  `json:"id" yaml:"id"`
	Name          string  `json:"name" yaml:"name"`
	Index         int     `json:"-" yaml:"-"`
	AppealID      string  `json:"appeal_id" yaml:"appeal_id"`
	Status        string  `json:"status" yaml:"status"`
	Actor         *string `json:"actor" yaml:"actor"`
	Reason        string  `json:"reason,omitempty" yaml:"reason,omitempty"`
	PolicyID      string  `json:"policy_id" yaml:"policy_id"`
	PolicyVersion uint    `json:"policy_version" yaml:"policy_version"`

	Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty"`
	Appeal    *Appeal  `json:"appeal,omitempty" yaml:"appeal,omitempty"`

	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

func (*Approval) Approve

func (a *Approval) Approve()

func (*Approval) IsManualApproval

func (a *Approval) IsManualApproval() bool

func (*Approval) Reject

func (a *Approval) Reject()

func (*Approval) Skip

func (a *Approval) Skip()

type ApprovalAction

type ApprovalAction struct {
	AppealID     string `validate:"required" json:"appeal_id"`
	ApprovalName string `validate:"required" json:"approval_name"`
	Actor        string `validate:"email" json:"actor"`
	Action       string `validate:"required,oneof=approve reject" json:"action"`
	Reason       string `json:"reason"`
}

type ApprovalActionType

type ApprovalActionType string
const (
	ApprovalActionApprove ApprovalActionType = "approve"
	ApprovalActionReject  ApprovalActionType = "reject"
)

type ApprovalStepStrategy

type ApprovalStepStrategy string
const (
	ApprovalStepStrategyAuto   ApprovalStepStrategy = "auto"
	ApprovalStepStrategyManual ApprovalStepStrategy = "manual"
)

type Approver

type Approver struct {
	ID         string `json:"id" yaml:"id"`
	ApprovalID string `json:"approval_id" yaml:"approval_id"`
	AppealID   string `json:"appeal_id" yaml:"appeal_id"`
	Email      string `json:"email" yaml:"email"`

	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

type Condition

type Condition struct {
	Field string          `json:"field" yaml:"field" validate:"required"`
	Match *MatchCondition `json:"match" yaml:"match" validate:"required"`
}

Condition gets evaluated to determine the approval step resolution whether it is success or failed

func (*Condition) IsMatch

func (c *Condition) IsMatch(a *Appeal) (bool, error)

type Crypto

type Crypto interface {
	Encryptor
	Decryptor
}

Crypto is for encrypting a plain text into an encrypted string and vice versa

type Decryptor

type Decryptor interface {
	Decrypt(string) (string, error)
}

Decryptor does decrypt an encrypted text into a plain text

type Encryptor

type Encryptor interface {
	Encrypt(string) (string, error)
}

Encryptor does encrypt a plain text into an encrypted text

type Grant

type Grant struct {
	ID                      string      `json:"id" yaml:"id"`
	Status                  GrantStatus `json:"status" yaml:"status"`
	StatusInProvider        GrantStatus `json:"status_in_provider" yaml:"status_in_provider"`
	AccountID               string      `json:"account_id" yaml:"account_id"`
	AccountType             string      `json:"account_type" yaml:"account_type"`
	ResourceID              string      `json:"resource_id" yaml:"resource_id"`
	Role                    string      `json:"role" yaml:"role"`
	Permissions             []string    `json:"permissions" yaml:"permissions"`
	IsPermanent             bool        `json:"is_permanent" yaml:"is_permanent"`
	ExpirationDate          *time.Time  `json:"expiration_date" yaml:"expiration_date"`
	RequestedExpirationDate *time.Time  `json:"requested_expiration_date,omitempty" yaml:"requested_expiration_date,omitempty"`
	ExpirationDateReason    string      `json:"expiration_date_reason,omitempty" yaml:"expiration_date_reason,omitempty"`
	AppealID                string      `json:"appeal_id" yaml:"appeal_id"`
	Source                  GrantSource `json:"source" yaml:"source"`
	RevokedBy               string      `json:"revoked_by,omitempty" yaml:"revoked_by,omitempty"`
	RevokedAt               *time.Time  `json:"revoked_at,omitempty" yaml:"revoked_at,omitempty"`
	RevokeReason            string      `json:"revoke_reason,omitempty" yaml:"revoke_reason,omitempty"`
	CreatedBy               string      `json:"created_by" yaml:"created_by"` // Deprecated: use Owner instead
	Owner                   string      `json:"owner" yaml:"owner"`
	CreatedAt               time.Time   `json:"created_at" yaml:"created_at"`
	UpdatedAt               time.Time   `json:"updated_at" yaml:"updated_at"`

	Resource *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
	Appeal   *Appeal   `json:"appeal,omitempty" yaml:"appeal,omitempty"`
}

func (*Grant) GetPermissions

func (g *Grant) GetPermissions() []string

func (Grant) IsEligibleForExtension

func (g Grant) IsEligibleForExtension(extensionDurationRule time.Duration) bool

func (Grant) PermissionsKey

func (g Grant) PermissionsKey() string

func (*Grant) Revoke

func (g *Grant) Revoke(actor, reason string) error

type GrantSource

type GrantSource string
const (
	GrantSourceAppeal GrantSource = "appeal"
	GrantSourceImport GrantSource = "import"
)

type GrantStatus

type GrantStatus string
const (
	GrantStatusActive   GrantStatus = "active"
	GrantStatusInactive GrantStatus = "inactive"
)

type IAMClient

type IAMClient interface {
	GetUser(id string) (interface{}, error)
}

IAMClient interface

type IAMConfig

type IAMConfig struct {
	Provider IAMProviderType   `json:"provider" yaml:"provider" validate:"required,oneof=http shield"`
	Config   interface{}       `json:"config" yaml:"config" validate:"required"`
	Schema   map[string]string `json:"schema" yaml:"schema"`
}

type IAMManager

type IAMManager interface {
	ParseConfig(*IAMConfig) (SensitiveConfig, error)
	GetClient(SensitiveConfig) (IAMClient, error)
}

type IAMProviderType

type IAMProviderType string
const (
	IAMProviderTypeShield IAMProviderType = "shield"
	IAMProviderTypeHTTP   IAMProviderType = "http"
)

type ImportActivitiesFilter

type ImportActivitiesFilter struct {
	ProviderID   string
	ResourceIDs  []string
	AccountIDs   []string
	TimestampGte *time.Time
	TimestampLte *time.Time
	// contains filtered or unexported fields
}

func (*ImportActivitiesFilter) GetResources

func (f *ImportActivitiesFilter) GetResources() []*Resource

func (*ImportActivitiesFilter) PopulateResources

func (f *ImportActivitiesFilter) PopulateResources(resources map[string]*Resource) error

type ListAppealsFilter

type ListAppealsFilter struct {
	CreatedBy                 string    `mapstructure:"created_by" validate:"omitempty,required"`
	AccountID                 string    `mapstructure:"account_id" validate:"omitempty,required"`
	AccountIDs                []string  `mapstructure:"account_ids" validate:"omitempty,required"`
	ResourceID                string    `mapstructure:"resource_id" validate:"omitempty,required"`
	Role                      string    `mapstructure:"role" validate:"omitempty,required"`
	Statuses                  []string  `mapstructure:"statuses" validate:"omitempty,min=1"`
	ExpirationDateLessThan    time.Time `mapstructure:"expiration_date_lt" validate:"omitempty,required"`
	ExpirationDateGreaterThan time.Time `mapstructure:"expiration_date_gt" validate:"omitempty,required"`
	ProviderTypes             []string  `mapstructure:"provider_types" validate:"omitempty,min=1"`
	ProviderURNs              []string  `mapstructure:"provider_urns" validate:"omitempty,min=1"`
	ResourceTypes             []string  `mapstructure:"resource_types" validate:"omitempty,min=1"`
	ResourceURNs              []string  `mapstructure:"resource_urns" validate:"omitempty,min=1"`
	OrderBy                   []string  `mapstructure:"order_by" validate:"omitempty,min=1"`
}

type ListApprovalsFilter

type ListApprovalsFilter struct {
	Q              string   `mapstructure:"q" validate:"omitempty"`
	AccountID      string   `mapstructure:"account_id" validate:"omitempty,required"`
	AccountTypes   []string `mapstructure:"account_types" validate:"omitempty,min=1"`
	ResourceTypes  []string `mapstructure:"resource_types" validate:"omitempty,min=1"`
	CreatedBy      string   `mapstructure:"created_by" validate:"omitempty,required"`
	Statuses       []string `mapstructure:"statuses" validate:"omitempty,min=1"`
	OrderBy        []string `mapstructure:"order_by" validate:"omitempty,min=1"`
	Size           int      `mapstructure:"size" validate:"omitempty"`
	Offset         int      `mapstructure:"offset" validate:"omitempty"`
	AppealStatuses []string `mapstructure:"appeal_statuses" validate:"omitempty,min=1"`
}

type ListGrantsFilter

type ListGrantsFilter struct {
	Statuses                  []string
	AccountIDs                []string
	AccountTypes              []string
	ResourceIDs               []string
	Roles                     []string
	Permissions               []string
	ProviderTypes             []string
	ProviderURNs              []string
	ResourceTypes             []string
	ResourceURNs              []string
	CreatedBy                 string
	Owner                     string
	OrderBy                   []string
	ExpirationDateLessThan    time.Time
	ExpirationDateGreaterThan time.Time
	IsPermanent               *bool
}

type ListProviderActivitiesFilter

type ListProviderActivitiesFilter struct {
	ProviderIDs  []string
	ResourceIDs  []string
	AccountIDs   []string
	Types        []string
	TimestampGte *time.Time
	TimestampLte *time.Time
}

type ListResourcesFilter

type ListResourcesFilter struct {
	IDs           []string          `mapstructure:"ids" validate:"omitempty,min=1"`
	IsDeleted     bool              `mapstructure:"is_deleted" validate:"omitempty"`
	ProviderType  string            `mapstructure:"provider_type" validate:"omitempty"`
	ProviderURN   string            `mapstructure:"provider_urn" validate:"omitempty"`
	Name          string            `mapstructure:"name" validate:"omitempty"`
	ResourceURN   string            `mapstructure:"urn" validate:"omitempty"`
	ResourceType  string            `mapstructure:"type" validate:"omitempty"`
	ResourceURNs  []string          `mapstructure:"urns" validate:"omitempty"`
	ResourceTypes []string          `mapstructure:"types" validate:"omitempty"`
	Details       map[string]string `mapstructure:"details"`
}

type MapResourceAccess

type MapResourceAccess map[string][]AccessEntry

MapResourceAccess is list of UserAccess grouped by resource urn

type MatchCondition

type MatchCondition struct {
	Eq interface{} `json:"eq" yaml:"eq"`
}

MatchCondition is for determining the requirement of the condition

type Notification

type Notification struct {
	User    string
	Message NotificationMessage

	Labels map[string]string
}

type NotificationMessage

type NotificationMessage struct {
	Type      string
	Variables map[string]interface{}
}

type NotificationMessages

type NotificationMessages struct {
	ExpirationReminder   string `mapstructure:"expiration_reminder"`
	AppealApproved       string `mapstructure:"appeal_approved"`
	AppealRejected       string `mapstructure:"appeal_rejected"`
	AccessRevoked        string `mapstructure:"access_revoked"`
	ApproverNotification string `mapstructure:"approver_notification"`
	OthersAppealApproved string `mapstructure:"others_appeal_approved"`
	GrantOwnerChanged    string `mapstructure:"grant_owner_changed"`
}

type Policy

type Policy struct {
	ID           string              `json:"id" yaml:"id" validate:"required"`
	Version      uint                `json:"version" yaml:"version" validate:"required"`
	Description  string              `json:"description" yaml:"description"`
	Steps        []*Step             `json:"steps" yaml:"steps" validate:"required,min=1,dive"`
	AppealConfig *PolicyAppealConfig `json:"appeal_config" yaml:"appeal_config" validate:"omitempty,dive"`
	Requirements []*Requirement      `json:"requirements,omitempty" yaml:"requirements,omitempty" validate:"omitempty,min=1,dive"`
	Labels       map[string]string   `json:"labels,omitempty" yaml:"labels,omitempty"`
	IAM          *IAMConfig          `json:"iam,omitempty" yaml:"iam,omitempty" validate:"omitempty,dive"`
	CreatedAt    time.Time           `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt    time.Time           `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

Policy is the approval policy configuration

func (*Policy) HasIAMConfig

func (p *Policy) HasIAMConfig() bool

type PolicyAppealConfig

type PolicyAppealConfig struct {
	DurationOptions              []AppealDurationOption `json:"duration_options" yaml:"duration_options" validate:"omitempty,min=1,dive"`
	AllowOnBehalf                bool                   `json:"allow_on_behalf" yaml:"allow_on_behalf"`
	AllowPermanentAccess         bool                   `json:"allow_permanent_access" yaml:"allow_permanent_access"`
	AllowActiveAccessExtensionIn string                 `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in"`
	Questions                    []Question             `json:"questions" yaml:"questions"`
	// AllowCreatorDetailsFailure is a flag that lets the appeal creation to continue when the request to the identity
	// provider (Policy.IAM) fails. If this is set to true and request to the identity provider fails (4xx or 5xx), the
	// value of `creator` field in the appeal will be nil.
	// Note: any expression that tries to access `$appeal.creator.*` is still evaluated as usual, it might need to have
	// proper nil checking to avoid accessing nil value.
	AllowCreatorDetailsFailure bool `json:"allow_creator_details_failure" yaml:"allow_creator_details_failure"`
}

type PolicyConfig

type PolicyConfig struct {
	ID      string `json:"id" yaml:"id" validate:"required"`
	Version int    `json:"version" yaml:"version" validate:"required"`
}

PolicyConfig is the configuration that defines which policy is being used in the provider

type Provider

type Provider struct {
	ID        string          `json:"id" yaml:"id"`
	Type      string          `json:"type" yaml:"type"`
	URN       string          `json:"urn" yaml:"urn"`
	Config    *ProviderConfig `json:"config" yaml:"config"`
	CreatedAt time.Time       `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time       `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}

Provider domain structure

type ProviderConfig

type ProviderConfig struct {
	Type                string               `json:"type" yaml:"type" validate:"required,oneof=google_bigquery metabase grafana tableau gcloud_iam noop gcs"`
	URN                 string               `json:"urn" yaml:"urn" validate:"required"`
	AllowedAccountTypes []string             `json:"allowed_account_types" yaml:"allowed_account_types" validate:"omitempty,min=1"`
	Labels              map[string]string    `json:"labels,omitempty" yaml:"labels,omitempty"`
	Credentials         interface{}          `json:"credentials,omitempty" yaml:"credentials" validate:"required"`
	Appeal              *AppealConfig        `json:"appeal,omitempty" yaml:"appeal,omitempty" validate:"required"`
	Resources           []*ResourceConfig    `json:"resources" yaml:"resources" validate:"required"`
	Parameters          []*ProviderParameter `json:"parameters,omitempty" yaml:"parameters,omitempty"`
}

ProviderConfig is the configuration for a data provider

func (ProviderConfig) GetResourceTypes

func (pc ProviderConfig) GetResourceTypes() (resourceTypes []string)

type ProviderParameter

type ProviderParameter struct {
	Key         string `json:"key" yaml:"key" validate:"required"`
	Label       string `json:"label" yaml:"label" validate:"required"`
	Required    bool   `json:"required" yaml:"required" validate:"required"`
	Description string `json:"description" yaml:"description"`
}

type ProviderType

type ProviderType struct {
	Name          string   `json:"name" yaml:"name"`
	ResourceTypes []string `json:"resource_types" yaml:"resource_types"`
}

type Question

type Question struct {
	Key         string `json:"key" yaml:"key"`
	Question    string `json:"question" yaml:"question"`
	Required    bool   `json:"required" yaml:"required"`
	Description string `json:"description" yaml:"description"`
}

type Requirement

type Requirement struct {
	On      *RequirementTrigger `json:"on" yaml:"on" validate:"required"`
	Appeals []*AdditionalAppeal `json:"appeals" yaml:"appeals" validate:"required,min=1,dive"`
}

type RequirementTrigger

type RequirementTrigger struct {
	ProviderType string `` /* 137-byte string literal not displayed */
	ProviderURN  string `` /* 136-byte string literal not displayed */
	ResourceType string `` /* 137-byte string literal not displayed */
	ResourceURN  string `` /* 136-byte string literal not displayed */
	Role         string `` /* 128-byte string literal not displayed */
	// Deprecated: use Expression instead
	Conditions []*Condition `` /* 134-byte string literal not displayed */
	Expression string       `` /* 134-byte string literal not displayed */
}

func (*RequirementTrigger) IsMatch

func (r *RequirementTrigger) IsMatch(a *Appeal) (bool, error)

type Resource

type Resource struct {
	ID           string                 `json:"id" yaml:"id"`
	ProviderType string                 `json:"provider_type" yaml:"provider_type"`
	ProviderURN  string                 `json:"provider_urn" yaml:"provider_urn"`
	Type         string                 `json:"type" yaml:"type"`
	URN          string                 `json:"urn" yaml:"urn"`
	Name         string                 `json:"name" yaml:"name"`
	Details      map[string]interface{} `json:"details" yaml:"details"`
	Labels       map[string]string      `json:"labels,omitempty" yaml:"labels,omitempty"`
	CreatedAt    time.Time              `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt    time.Time              `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
	IsDeleted    bool                   `json:"is_deleted,omitempty" yaml:"is_deleted,omitempty"`
	ParentID     *string                `json:"parent_id,omitempty" yaml:"parent_id,omitempty"`
	Children     []*Resource            `json:"children,omitempty" yaml:"children,omitempty"`
}

Resource struct

func (*Resource) GetFlattened

func (r *Resource) GetFlattened() []*Resource

type ResourceConfig

type ResourceConfig struct {
	Type   string        `json:"type" yaml:"type" validate:"required"`
	Filter string        `json:"filter" yaml:"filter"`
	Policy *PolicyConfig `json:"policy" yaml:"policy"`
	Roles  []*Role       `json:"roles" yaml:"roles" validate:"required"`
}

ResourceConfig is the configuration for a resource type within a provider

type ResourceIdentifier

type ResourceIdentifier struct {
	ProviderType string `json:"provider_type" yaml:"provider_type" validate:"required_with=ProviderURN Type URN"`
	ProviderURN  string `json:"provider_urn" yaml:"provider_urn" validate:"required_with=ProviderType Type URN"`
	Type         string `json:"type" yaml:"type" validate:"required_with=ProviderType ProviderURN URN"`
	URN          string `json:"urn" yaml:"urn" validate:"required_with=ProviderType ProviderURN Type"`
	ID           string `json:"id" yaml:"id" validate:"required_without_all=ProviderType ProviderURN Type URN"`
}

type Resources

type Resources []*Resource

func (Resources) ToMap

func (r Resources) ToMap() map[string]*Resource

type RevokeGrantsFilter

type RevokeGrantsFilter struct {
	AccountIDs    []string `validate:"omitempty,required"`
	ProviderTypes []string `validate:"omitempty,min=1"`
	ProviderURNs  []string `validate:"omitempty,min=1"`
	ResourceTypes []string `validate:"omitempty,min=1"`
	ResourceURNs  []string `validate:"omitempty,min=1"`
}

type Role

type Role struct {
	ID          string        `json:"id" yaml:"id" validate:"required"`
	Name        string        `json:"name" yaml:"name" validate:"required"`
	Description string        `json:"description,omitempty" yaml:"description"`
	Permissions []interface{} `json:"permissions" yaml:"permissions" validate:"required"`
}

Role is the configuration to define a role and mapping the permissions in the provider

func (Role) GetOrderedPermissions

func (r Role) GetOrderedPermissions() []string

GetOrderedPermissions returns the permissions as a string slice

type SensitiveConfig

type SensitiveConfig interface {
	SensitiveInformation
	Validate() error
}

type SensitiveInformation

type SensitiveInformation interface {
	Encrypt() error
	Decrypt() error
}

type Step

type Step struct {
	// Name used as the step identifier
	Name string `json:"name" yaml:"name" validate:"required"`

	// Description tells more details about the step
	Description string `json:"description" yaml:"description"`

	// AllowFailed lets the approval flow continue to the next step even the current step is rejected.
	// If the last step has AllowFailed equal to true, and it's getting rejected,
	// the appeal status will resolve as approved or success.
	AllowFailed bool `json:"allow_failed" yaml:"allow_failed"`

	// When is an Expression that determines whether the step should be evaluated or it can be skipped at the beginning.
	// If it evaluates to be falsy, the step will automatically skipped. Otherwise, step become pending/blocked (normal).
	//
	// Accessible parameters:
	// $appeal = Appeal object
	When string `json:"when,omitempty" yaml:"when,omitempty"`

	// Strategy defines if the step requires manual approval or not
	Strategy ApprovalStepStrategy `json:"strategy" yaml:"strategy" validate:"required,oneof=auto manual"`

	// RejectionReason message fills `Approval.Reason` if the approval step gets rejected based on `ApproveIf` expression.
	RejectionReason string `json:"rejection_reason" yaml:"rejection_reason"`

	// Approvers is an Expression that if the evaluation returns string or []string that contains email address of the approvers.
	// If human approval (manual) is required, use this field.
	//
	// Accessible parameters:
	// $appeal = Appeal object
	Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty" validate:"required_if=Strategy manual,omitempty,min=1"`

	// ApproveIf is an Expression to determines the resolution of the step. If automatic approval is needed for the step,
	// use this field.
	//
	// Accessible parameters:
	// $appeal = Appeal object
	ApproveIf string `json:"approve_if,omitempty" yaml:"approve_if,omitempty" validate:"required_if=Strategy auto"`
}

Step is an individual process within an approval flow

func (Step) ResolveApprovers

func (s Step) ResolveApprovers(a *Appeal) ([]string, error)

func (Step) ToApproval

func (s Step) ToApproval(a *Appeal, p *Policy, index int) (*Approval, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL