iapProvider

package v0.7.1 (not the latest version of this module)
Published: Sep 25, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

README

Hexa

Google IAP Provider

The Google IAP Provider uses the IDQL to GCP Bind Mapper to enable syntactic, bi-directional conversion between Google Bind Policy and IDQL policy. This includes conversion of Google Condition Expression Language (CEL) conditions into IDQL's SCIM-style conditions.

| Feature | Description | Platform Support | Provider Support |
|---|---|---|---|
| RBAC | Support for basic translation of role-based access policy | Yes | Yes |
| ABAC | Support for attribute conditions | Yes | Yes |
| Type | Policy is described 'syntactically' in an exportable format or implied through 'role' based relationships | Syntactic | Syntactic Mapper |
| Attribute Mapping | Attribute names in policy can be mapped to platform | | Yes |
| Hexa CLI | Supported in the Hexa CLI application | | Yes |
| Discovery | Supports discovery of Policy Application Points | Queries IAP Backend and AppEngine services | Yes |
| Get Policies | Supports retrieval of all policies from a PAP | Yes | Yes |
| Set Policies | Supports the ability to apply a set of policies to a PAP | | Yes |
| Reconcile | Returns the differences between an existing set of policies (e.g. at the source) and another set (updates) | | Yes |

Policy Support Notes

Conversion is supported in both directions: from IDQL to Google Bind Policy format and from Google Bind Policy format back to IDQL. For information on the policies Google supports, see Managing Access to IAP-Secured Resources.

The provider transforms IDQL to Bind Policy, and Google Condition Expression Language conditions to IDQL conditions, using an AST translator and a configurable attribute name mapper.

The following is an example Bind policy:

{
  "resource_id": "hexa-411616",
  "bindings": [
    {
      "members": [
        "user:gerry@strata.io",
        "user:independentidentity@gmail.com"
      ],
      "role": "roles/iap.httpsResourceAccessor"
    }
  ]
}

The equivalent IDQL Policy is as follows:

{
  "meta": {
    "version": "0.6"
  },
  "subject": {
    "members": [
      "user:gerry@strata.io",
      "user:independentidentity@gmail.com"
    ]
  },
  "actions": [
    {
      "actionUri": "gcp:roles/iap.httpsResourceAccessor"
    }
  ],
  "object": {
    "resource_id": "hexa-411616"
  }
}

Mapping support works by:

  • converting actions and resources into URIs whose first element names the originating format (e.g. gcp: in the example above, or cedar:);
  • preserving quotation marks in their original form by escaping them (\");
  • parsing condition expressions with the Google CEL AST parser (Cedar condition expressions take the same form, so the same parser handles them);
  • mapping attribute names through the SDK, configured with the sdk.WithAttributeMap option.
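The structural rules above (role becomes a gcp: action URI, members become the subject, resource_id becomes the object) and the Reconcile feature from the table can be shown end to end. The following is an added example, not the provider's own mapper or reconcile code: it reproduces the README's Bind/IDQL pair, maps it in both directions with an explicit check that a policy being written back really is a gcp: role on the expected resource, and diffs two Bind policies the way a Set Policies step would want to see before applying. The `Plan.Public` field is an added check that flags grants to allUsers or allAuthenticatedUsers, which on roles/iap.httpsResourceAccessor open the IAP-protected backend to everyone (or to every Google account). Type and function names are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Bind policy and IDQL policy, limited to the fields the README example uses.
type Binding struct {
	Members []string `json:"members"`
	Role    string   `json:"role"`
}
type BindPolicy struct {
	ResourceID string    `json:"resource_id"`
	Bindings   []Binding `json:"bindings"`
}
type Action struct{ ActionURI string `json:"actionUri"` }
type IDQLPolicy struct {
	Meta    map[string]string `json:"meta"`
	Subject struct{ Members []string `json:"members"` } `json:"subject"`
	Actions []Action          `json:"actions"`
	Object  map[string]string `json:"object"`
}

const actionPrefix = "gcp:" // the page's example prefixes the role with its originating format

// BindToIDQL emits one IDQL policy per binding (illustrative, not Hexa's mapper).
func BindToIDQL(p BindPolicy) []IDQLPolicy {
	out := make([]IDQLPolicy, 0, len(p.Bindings))
	for _, b := range p.Bindings {
		var q IDQLPolicy
		q.Meta = map[string]string{"version": "0.6"}
		q.Subject.Members = append([]string(nil), b.Members...)
		q.Actions = []Action{{ActionURI: actionPrefix + b.Role}}
		q.Object = map[string]string{"resource_id": p.ResourceID}
		out = append(out, q)
	}
	return out
}

// IDQLToBind is the reverse direction. It rejects a policy whose object is another
// resource or whose action is not a gcp: role, rather than silently dropping it.
func IDQLToBind(resourceID string, pols []IDQLPolicy) (BindPolicy, error) {
	bp := BindPolicy{ResourceID: resourceID}
	for _, p := range pols {
		if got := p.Object["resource_id"]; got != resourceID {
			return BindPolicy{}, fmt.Errorf("policy object %q is not %q", got, resourceID)
		}
		for _, a := range p.Actions {
			if !strings.HasPrefix(a.ActionURI, actionPrefix+"roles/") {
				return BindPolicy{}, fmt.Errorf("action %q is not a gcp: role", a.ActionURI)
			}
			bp.Bindings = append(bp.Bindings, Binding{Role: strings.TrimPrefix(a.ActionURI, actionPrefix), Members: append([]string(nil), p.Subject.Members...)})
		}
	}
	return bp, nil
}

// Plan is what a Set Policies step would change: grants to add, grants to remove, and
// added grants to allUsers/allAuthenticatedUsers, which open an IAP backend to everyone.
type Plan struct{ Add, Remove, Public []string }

func grants(p BindPolicy) map[string]bool {
	m := map[string]bool{}
	for _, b := range p.Bindings {
		for _, mem := range b.Members {
			m[b.Role+" "+mem] = true // "role member" keys
		}
	}
	return m
}

func missing(from, in map[string]bool) (out []string) {
	for g := range from {
		if !in[g] {
			out = append(out, g)
		}
	}
	sort.Strings(out)
	return out
}

// Reconcile diffs two Bind policies into a sorted Plan (added check, not the provider's).
func Reconcile(existing, updates BindPolicy) Plan {
	have, want := grants(existing), grants(updates)
	p := Plan{Add: missing(want, have), Remove: missing(have, want)}
	for _, g := range p.Add {
		if strings.HasSuffix(g, " allUsers") || strings.HasSuffix(g, " allAuthenticatedUsers") {
			p.Public = append(p.Public, g)
		}
	}
	return p
}

func main() {
	src := BindPolicy{ResourceID: "hexa-411616", Bindings: []Binding{{Role: "roles/iap.httpsResourceAccessor",
		Members: []string{"user:gerry@strata.io", "user:independentidentity@gmail.com"}}}} // README example
	upd := src // constructed update: same role, now also granted to every Google account
	upd.Bindings = []Binding{{Role: src.Bindings[0].Role, Members: []string{"user:gerry@strata.io", "allAuthenticatedUsers"}}}
	fmt.Printf("%+v\n%+v\n", BindToIDQL(src), Reconcile(src, upd))
}
```

The write-back check matters because IDQL is the shared format across providers: a policy carrying a cedar: action that reaches this provider by mistake should fail loudly rather than be applied as an empty or wrong binding.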

Limitations:

  • Hexa does not currently interrogate platform-specific policy schemas, in part because very few platforms expose one (AVP is an exception and does so via the AVP API). Instead the mapper converts names syntactically (for example into JSON form) and leaves the names themselves unchanged.
  • Not all condition "functions" can be represented in IDQL's SCIM format. This will be extended in the future.

Documentation

Index

Constants

const ProviderTypeGoogleCloud string = "google_cloud"
const ProviderTypeGoogleCloudIAP string = "gcp_iap"

Variables

This section is empty.

Functions

This section is empty.

Types

type GoogleClient

type GoogleClient struct {
	HttpClient HTTPClient
	ProjectId  string
}

func (*GoogleClient) GetAppEngineApplications

func (c *GoogleClient) GetAppEngineApplications() ([]policyprovider.ApplicationInfo, error)

func (*GoogleClient) GetBackendApplications

func (c *GoogleClient) GetBackendApplications() ([]policyprovider.ApplicationInfo, error)

func (*GoogleClient) GetBackendPolicy

func (c *GoogleClient) GetBackendPolicy(name, objectId string) ([]iam.Binding, error)

func (*GoogleClient) SetBackendPolicy

func (c *GoogleClient) SetBackendPolicy(name, objectId string, binding *iam.Binding) error

type GoogleProvider

type GoogleProvider struct {
	HttpClientOverride HTTPClient
	GcpMapper          *gcpBind.GooglePolicyMapper
}

func (*GoogleProvider) DiscoverApplications

func (g *GoogleProvider) DiscoverApplications(info policyprovider.IntegrationInfo) (apps []policyprovider.ApplicationInfo, err error)

func (*GoogleProvider) GetPolicyInfo

func (g *GoogleProvider) GetPolicyInfo(integration policyprovider.IntegrationInfo, app policyprovider.ApplicationInfo) (infos []hexapolicy.PolicyInfo, err error)

func (*GoogleProvider) Name

func (g *GoogleProvider) Name() string

func (*GoogleProvider) NewHttpClient

func (g *GoogleProvider) NewHttpClient(key []byte) (HTTPClient, error)

func (*GoogleProvider) Project

func (g *GoogleProvider) Project(key []byte) string

func (*GoogleProvider) SetPolicyInfo

func (g *GoogleProvider) SetPolicyInfo(integration policyprovider.IntegrationInfo, app policyprovider.ApplicationInfo, policyInfos []hexapolicy.PolicyInfo) (int, error)

type HTTPClient

type HTTPClient interface {
	Get(url string) (resp *http.Response, err error)
	Post(url, contentType string, body io.Reader) (resp *http.Response, err error)
}
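The HTTPClient interface above is the seam GoogleProvider exposes through HttpClientOverride: *http.Client satisfies it, and so does a test double. The following is an added example, not code from the provider, of two implementations a practitioner would want: a guard that refuses to forward anything that is not HTTPS to an allow-listed host (so the credential held by the wrapped client cannot be sent to an attacker-influenced URL), and an offline fake that answers from canned bodies. The hostnames in the allow list, the `/v1/demo` URL and the FetchJSON helper are this example's assumptions; the real API paths the provider calls are not given on this page.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// HTTPClient is the interface from this page; *http.Client and a test double both satisfy it.
type HTTPClient interface {
	Get(rawURL string) (resp *http.Response, err error)
	Post(rawURL, contentType string, body io.Reader) (resp *http.Response, err error)
}

// ErrBlocked is returned for requests the guard refuses to forward.
var ErrBlocked = errors.New("guarded client: request blocked")

// GuardedClient forwards only HTTPS requests to hosts on its allow list, so the
// credential in the wrapped client cannot be sent elsewhere. Hypothetical wrapper.
type GuardedClient struct {
	Inner        HTTPClient
	AllowedHosts []string // hostnames only; compared case-insensitively
}

func (g *GuardedClient) check(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q", ErrBlocked, u.Scheme)
	}
	for _, h := range g.AllowedHosts {
		if strings.EqualFold(u.Hostname(), h) { // Hostname() ignores userinfo and port
			return nil
		}
	}
	return fmt.Errorf("%w: host %q", ErrBlocked, u.Hostname())
}

func (g *GuardedClient) Get(rawURL string) (*http.Response, error) {
	if err := g.check(rawURL); err != nil {
		return nil, err
	}
	return g.Inner.Get(rawURL)
}

func (g *GuardedClient) Post(rawURL, contentType string, body io.Reader) (*http.Response, error) {
	if err := g.check(rawURL); err != nil {
		return nil, err
	}
	return g.Inner.Post(rawURL, contentType, body)
}

// FakeClient records requested URLs and answers from a canned map (constructed test data).
type FakeClient struct {
	Bodies map[string]string // URL -> response body
	Calls  []string
}

func (f *FakeClient) respond(rawURL string) (*http.Response, error) {
	f.Calls = append(f.Calls, rawURL)
	body, ok := f.Bodies[rawURL]
	status := http.StatusOK
	if !ok {
		status = http.StatusNotFound
	}
	return &http.Response{StatusCode: status, Body: io.NopCloser(strings.NewReader(body))}, nil
}

func (f *FakeClient) Get(rawURL string) (*http.Response, error) { return f.respond(rawURL) }

func (f *FakeClient) Post(rawURL, _ string, _ io.Reader) (*http.Response, error) { return f.respond(rawURL) }

// FetchJSON does a GET through any HTTPClient and refuses to hand back a non-2xx
// body that a caller might otherwise parse as policy.
func FetchJSON(c HTTPClient, rawURL string) ([]byte, error) {
	resp, err := c.Get(rawURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return nil, fmt.Errorf("GET %s: status %d", rawURL, resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

func main() {
	fake := &FakeClient{Bodies: map[string]string{"https://iap.googleapis.com/v1/demo": `{"bindings":[]}`}}
	c := &GuardedClient{Inner: fake, AllowedHosts: []string{"iap.googleapis.com", "appengine.googleapis.com"}}
	body, err := FetchJSON(c, "https://iap.googleapis.com/v1/demo")
	fmt.Println(string(body), err)
	_, err = FetchJSON(c, "https://iap.googleapis.com@evil.example/v1/demo") // userinfo trick is still blocked
	fmt.Println(errors.Is(err, ErrBlocked))
}
```

Because GoogleProvider.NewHttpClient builds a client from a key, the override is also the natural place to assert, in a test, that every URL the provider requests stays on the expected API hosts.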
