Documentation ¶
Overview ¶
Package perms provides the boundary permissions engine using grants which are tied to IAM Roles within a Scope.
A really useful page to be aware of when looking at ACLs is https://hashicorp.atlassian.net/wiki/spaces/ICU/pages/866976600/API+Actions+and+Permissions. Speaking of which: TODO: put that chart in public docs.
Anyways, from that page you can see that there are really only a few patterns of ACLs that are ever allowed:
* type=<resource.type>;actions=<action>
* id=<resource.id>;actions=<action>
* id=<pin>;type=<resource.type>;actions=<action>
and of course a matching scope.
This makes it actually quite simple to perform the ACL checking. Much of ACL construction is thus synthesizing something reasonable from a set of Grants.
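To make the three grant shapes and the scope requirement concrete, here is an added, self-contained Go example that is not the perms package's own code. It parses grant strings of the forms listed above into a simplified Grant type and evaluates an Allowed check against a Resource, mirroring the field names (ScopeId, Id, Type, Pin) the package exposes; the id prefixes in the sample data (p_1234, ttcp_abcd, hcst_wxyz) are constructed and the matching rules are an illustrative reading of the doc, not a copy of the package's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Grant is a simplified, illustrative representation of one parsed grant,
// tied to the scope it was granted in (not the package's own Grant type).
type Grant struct {
	ScopeId string
	Id      string          // resource id, pin id, or "*"; empty if absent
	Type    string          // resource type or "*"; empty if absent
	Actions map[string]bool // granted actions, "*" meaning all
}

// Resource mirrors the fields the ACL check needs.
type Resource struct {
	ScopeId string
	Id      string
	Type    string
	Pin     string // id of the collection the resource lives in, if any
}

// ParseGrant parses "key=value;key=value" into a Grant. Only the keys id,
// type and actions are accepted; at least one of id/type plus actions is
// required, and a grant must always belong to a scope.
func ParseGrant(scopeId, s string) (Grant, error) {
	g := Grant{ScopeId: scopeId, Actions: map[string]bool{}}
	if scopeId == "" {
		return g, errors.New("grant must be tied to a scope")
	}
	for _, seg := range strings.Split(s, ";") {
		k, v, ok := strings.Cut(seg, "=")
		if !ok || v == "" {
			return g, fmt.Errorf("malformed segment %q", seg)
		}
		switch k {
		case "id":
			g.Id = v
		case "type":
			g.Type = v
		case "actions":
			for _, a := range strings.Split(v, ",") {
				g.Actions[a] = true
			}
		default:
			return g, fmt.Errorf("unknown key %q", k)
		}
	}
	if len(g.Actions) == 0 || (g.Id == "" && g.Type == "") {
		return g, errors.New("grant needs actions and an id and/or type")
	}
	return g, nil
}

// Allowed reports whether any grant permits action on r. A grant is only
// considered when its scope matches the resource's scope; after that the
// three shapes from the package doc are checked in order.
func Allowed(grants []Grant, r Resource, action string) bool {
	for _, g := range grants {
		if g.ScopeId != r.ScopeId {
			continue // wrong scope: the grant never applies
		}
		if !g.Actions[action] && !g.Actions["*"] {
			continue
		}
		switch {
		case g.Id != "" && g.Type != "":
			// id=<pin>;type=<type>: resource of that type under the pinned collection
			if (g.Type == "*" || g.Type == r.Type) && (g.Id == "*" || g.Id == r.Pin) {
				return true
			}
		case g.Id != "":
			// id=<resource.id>: this exact resource (or wildcard id)
			if g.Id == "*" || g.Id == r.Id {
				return true
			}
		case g.Type != "":
			// type=<type>: every resource of that type in the scope
			if g.Type == "*" || g.Type == r.Type {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample grants, all issued in scope p_1234.
	var grants []Grant
	for _, s := range []string{
		"type=target;actions=list,read",
		"id=ttcp_abcd;actions=authorize-session",
		"id=hcst_wxyz;type=host-set;actions=read",
	} {
		g, err := ParseGrant("p_1234", s)
		if err != nil {
			panic(err)
		}
		grants = append(grants, g)
	}
	target := Resource{ScopeId: "p_1234", Id: "ttcp_abcd", Type: "target"}
	fmt.Println("read target:", Allowed(grants, target, "read"))     // true via type grant
	fmt.Println("delete target:", Allowed(grants, target, "delete")) // false
	hostSet := Resource{ScopeId: "p_1234", Id: "hsst_0001", Type: "host-set", Pin: "hcst_wxyz"}
	fmt.Println("read pinned host set:", Allowed(grants, hostSet, "read")) // true via pin grant
}
```

The scope comparison comes first deliberately: a grant that names the right id or type but was issued in a different scope is never consulted, which is the "matching scope" requirement stated above.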
Index ¶
Constants ¶
const AnonymousUserId = "u_anon"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ACL ¶
type ACL struct {
// contains filtered or unexported fields
}
ACL provides an entry point into the permissions engine for determining if an action is allowed on a resource based on a principal's (user or group) grants.
func (ACL) Allowed ¶
func (a ACL) Allowed(r Resource, aType action.Type, userId string, opt ...Option) (results ACLResults)
Allowed determines if the grants for an ACL allow an action for a resource.
func (ACL) ListPermissions ¶ added in v0.10.4
func (a ACL) ListPermissions(requestedScopes map[string]*scopes.ScopeInfo, requestedType resource.Type, idActions action.ActionSet) []Permission
ListPermissions builds a set of Permissions based on the grants in the ACL. Permissions are determined for the given resource for each of the provided scopes. There must be a grant for a given resource for one of the provided "id actions" or for action.All in order for a Permission to be created for the scope. The set of "id actions" is resource dependent, but will generally include all actions that can be taken on an individual resource.
type ACLResults ¶
type ACLResults struct {
	AuthenticationFinished bool
	Authorized             bool
	OutputFields           OutputFieldsMap
	// contains filtered or unexported fields
}
ACLResults provides a type for the permissions engine's results so that we can pass more detailed information along in the future if we want. It was useful in Vault, and may be useful here.
type Grant ¶
type Grant struct {
	// The set of output fields granted
	OutputFields OutputFieldsMap
	// contains filtered or unexported fields
}
Grant is a Go representation of a parsed grant
func Parse ¶
Parse parses a grant string. Note that this does not do checking of the validity of IDs and such; that's left for other parts of the system. We may not check at all (e.g. let it be an authz-time failure) or could check after submission to catch errors.
The scope must be the org and project where this grant originated, not the request.
func (Grant) CanonicalString ¶
CanonicalString returns the canonical representation of the grant
func (Grant) MarshalJSON ¶
MarshalJSON provides a custom marshaller for grants
type GrantTuple ¶ added in v0.3.0
GrantTuple is simply a struct that can be referenced from other code to return a set of scopes and grants to parse.
type Option ¶
type Option func(*options)
Option - how Options are passed as arguments
func WithAccountId ¶
WithAccountId provides an account ID to be used for any templating in grant strings
func WithSkipAnonymousUserRestrictions ¶ added in v0.9.0
WithSkipAnonymousUserRestrictions allows skipping the restrictions on anonymous users, useful when e.g. validating parsed grants where we may not have a user ID yet.
func WithSkipFinalValidation ¶
WithSkipFinalValidation allows skipping the validity step where we ensure we can run a resource described by the grant successfully through the ACL check
func WithUserId ¶
WithUserId provides a user ID to be used for any templating in grant strings
type OutputFieldsMap ¶ added in v0.2.1
OutputFieldsMap is used to store information about allowed output fields in grants
func (OutputFieldsMap) AddFields ¶ added in v0.2.1
func (o OutputFieldsMap) AddFields(input []string) (ret OutputFieldsMap)
AddFields adds the given fields and returns the map.
func (OutputFieldsMap) Fields ¶ added in v0.2.1
func (o OutputFieldsMap) Fields() (ret []string)
Fields returns an alphabetical string slice of the fields in the map
func (OutputFieldsMap) Has ¶ added in v0.2.1
func (o OutputFieldsMap) Has(in string) bool
Has returns true if the value exists; that is, it is directly in the map, or the map contains *
func (OutputFieldsMap) HasAll ¶ added in v0.2.1
func (o OutputFieldsMap) HasAll() bool
func (OutputFieldsMap) SelfOrDefaults ¶ added in v0.2.1
func (o OutputFieldsMap) SelfOrDefaults(userId string) OutputFieldsMap
SelfOrDefaults returns either the fields map itself or the defaults for the given user
type Permission ¶ added in v0.10.4
type Permission struct {
	ScopeId     string // The scope id for which the permission applies.
	Resource    resource.Type
	Action      action.Type
	ResourceIds []string // Any specific resource ids that have been referred to in the grant's `id` field, if applicable.
	OnlySelf    bool     // The grant only allows actions against the user's own resources.
	All         bool     // We got a wildcard in the grant string's `id` field.
}
Permission provides information about the specific resources that a user has been granted access to for a given scope, resource, and action.
type Resource ¶
type Resource struct {
	// ScopeId is the scope that contains the Resource.
	ScopeId string `json:"scope_id,omitempty"`

	// Id is the public id of the resource.
	Id string `json:"id,omitempty"`

	// Type of resource.
	Type resource.Type `json:"type,omitempty"`

	// Pin if defined would constrain the resource within the collection of the
	// pin id.
	Pin string `json:"pin,omitempty"`
}
Resource defines something within boundary that requires authorization capabilities. Resources must have a ScopeId.
type Scope ¶
type Scope struct {
	// Id is the public id of the iam.Scope
	Id string
	// Type is the scope's type (org or project)
	Type scope.Type
}
Scope provides an in-memory representation of iam.Scope without the underlying storage references or capabilities.
type UserPermissions ¶ added in v0.10.4
type UserPermissions struct {
	UserId      string
	Permissions []Permission
}
UserPermissions is a set of Permissions for a User.