policy-mapper

module v0.8.3
Published: Dec 18, 2024 License: Apache-2.0

README

Hexa Policy Mapper Project

The Hexa Policy-Mapper Project provides administrative tools and development libraries for provisioning and mapping various policy systems into a common policy format known as IDQL. With Policy Mapper and IDQL, you can manage all your access policies consistently across software providers and cloud systems. The project includes a number of prebuilt integrations (we call them providers) as well as guidance on how to build your own providers.

This project provides:

  • a Go SDK that open source and commercial implementations can use to map and provision policy through this community library.
  • a Hexa CLI command line tool for provisioning policies to web-accessible policy systems.
  • a Go interface (policyprovider.Provider) for developing new policy provisioning providers.

[!Tip] Policy-Orchestrator is available as a sample web server implementation that uses Policy-Mapper.

[!Note] This project is currently under initial development and documentation may be out of date.

Supported Provider Integrations

Policy Mapper supports the following capabilities:

Syntactical Mapping : Policy formats that have a parsable syntax or language and can be represented as a tuple (subject, action, resource, conditions, scope) are considered "syntactical". Policy-Mapper can map these formats to and from IDQL JSON. Examples include IDQL, Cedar and GCP Bind policy. Syntactical mapping support is provided for:

* Google Bind Policy and Google Conditional Expression Language (CEL)
* AWS Verified Permissions and Cedar policy language including support for CEL

RBAC API Mapping : Some systems do not directly have a policy language but support role or group based access control settings through an API.

Policy Provisioning : Policy Mapper bundles a set of Providers that call a target system's APIs to retrieve and map its access policy, and to set policy on that system.

Policy Validation : IDQL Policies may be validated against a Policy Information Model which specifies entities (subjects, resources), their schema, and how actions may be applied by subject entities against resource entities.

Policy Entity Syntax : New policy syntax is available that may be used in conjunction with Policy Validation. This is also useful when mapping to and from Cedar Policy Language.
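The syntactical mapping and policy validation steps described above, as an added Go example written for this README rather than code taken from the policy-mapper SDK: a minimal IDQL-style tuple is checked against a toy Policy Information Model (which entity types exist, and which (subject type, resource type) pairs each action may be applied to) and, once valid, rendered as Cedar permit statements. The `Policy` and `InfoModel` types, the `Type:id` entity syntax, the helper names and the sample model and policies are assumptions made for this example; they do not reflect the SDK's own `PolicyInfo` or `pim` structures.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a minimal IDQL-style tuple (subjects, actions, resource, condition).
// It is an illustration written for this README, not the SDK's PolicyInfo type;
// the "Type:id" entity syntax is assumed for the example.
type Policy struct {
	Subjects  []string // e.g. "User:alice"
	Actions   []string // e.g. "Action:view"
	Resource  string   // e.g. "Photo:vacation.jpg"
	Condition string   // optional boolean expression in Cedar syntax, "" if none
}

// InfoModel is a toy Policy Information Model: the entity types that exist and,
// per action name, which (subjectType, resourceType) pairs the action applies to.
type InfoModel struct {
	EntityTypes map[string]bool
	Actions     map[string][][2]string
}

// splitEntity splits "Type:id" into its parts; ok is false if either half is empty.
func splitEntity(s string) (typ, id string, ok bool) {
	i := strings.Index(s, ":")
	if i <= 0 || i == len(s)-1 {
		return "", "", false
	}
	return s[:i], s[i+1:], true
}

// Validate returns every problem found when checking p against model m.
// An empty result means the policy is valid for this application.
func Validate(p Policy, m InfoModel) []string {
	var errs []string
	resType, _, ok := splitEntity(p.Resource)
	if !ok || !m.EntityTypes[resType] {
		errs = append(errs, "unknown resource type in "+p.Resource)
	}
	for _, s := range p.Subjects {
		subType, _, ok := splitEntity(s)
		if !ok || !m.EntityTypes[subType] {
			errs = append(errs, "unknown subject type in "+s)
			continue
		}
		for _, a := range p.Actions {
			_, name, ok := splitEntity(a)
			pairs, known := m.Actions[name]
			if !ok || !known {
				errs = append(errs, "unknown action "+a)
				continue
			}
			applicable := false
			for _, pr := range pairs {
				if pr[0] == subType && pr[1] == resType {
					applicable = true
				}
			}
			if !applicable {
				errs = append(errs, fmt.Sprintf("action %s may not be applied by %s to %s", name, subType, resType))
			}
		}
	}
	return errs
}

// cedarEntity renders "Type:id" as the Cedar entity literal Type::"id".
func cedarEntity(s string) string {
	typ, id, _ := splitEntity(s)
	return fmt.Sprintf("%s::%q", typ, id)
}

// ToCedar renders the tuple as Cedar permit statements, one per subject: a Cedar
// scope constrains a single principal, while the action scope accepts a set.
func ToCedar(p Policy) []string {
	acts := make([]string, len(p.Actions))
	for i, a := range p.Actions {
		acts[i] = cedarEntity(a)
	}
	actionScope := "action" // unconstrained when the tuple names no action
	switch len(acts) {
	case 0:
	case 1:
		actionScope = "action == " + acts[0]
	default:
		actionScope = "action in [" + strings.Join(acts, ", ") + "]"
	}
	var out []string
	for _, s := range p.Subjects {
		stmt := fmt.Sprintf("permit(principal == %s, %s, resource == %s)",
			cedarEntity(s), actionScope, cedarEntity(p.Resource))
		if p.Condition != "" {
			stmt += " when { " + p.Condition + " }"
		}
		out = append(out, stmt+";")
	}
	return out
}

// sampleModel is a constructed information model for the demonstration.
func sampleModel() InfoModel {
	return InfoModel{
		EntityTypes: map[string]bool{"User": true, "Photo": true},
		Actions: map[string][][2]string{
			"view": {{"User", "Photo"}},
			"edit": {{"User", "Photo"}},
		},
	}
}

func main() {
	model := sampleModel()
	good := Policy{
		Subjects:  []string{"User:alice"},
		Actions:   []string{"Action:view", "Action:edit"},
		Resource:  "Photo:vacation.jpg",
		Condition: "context.mfa == true",
	}
	bad := Policy{Subjects: []string{"Robot:r2"}, Actions: []string{"Action:delete"}, Resource: "Photo:vacation.jpg"}
	fmt.Println("good:", Validate(good, model))
	fmt.Println("bad:", Validate(bad, model))
	for _, s := range ToCedar(good) {
		fmt.Println(s)
	}
}
```

Validation runs before mapping on purpose: a tuple that names an entity type the application does not have, or an action its subject type cannot perform on that resource type, is rejected before anything is rendered for the target system. The condition string is passed through untouched, which is only safe when the source and target share the expression language; a CEL condition bound for Cedar would need translating first.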

Provisioning support is provided for the providers listed in the table under Provider Documentation below.

Getting Started

Installation

Install Go 1.21, then clone and build the project as follows:

git clone https://github.com/hexa-org/policy-mapper.git

cd policy-mapper

sh ./build.sh

Hexa CLI Tool

To test the Hexa SDK and/or develop using scripts, use the Hexa CLI tool.

To run the Hexa CLI, simply type hexa at the command line once installed.

[!Note] Hexa CLI currently does not support filenames with spaces. Valid example: add gcp --file=my_key.json

Hexa Developer Documentation

To start using the Hexa Mapper SDK in your Go project, run the following get command:

go get github.com/hexa-org/policy-mapper

For more details on how to map or provision policy in either console (shell) form or GoLang, see: Developer documentation.

Provider Documentation

Each provider in the providers directory structure has its own README.md that describes the provider and its capabilities and limitations.

| Provider | Folder | Description | Type | Support |
| --- | --- | --- | --- | --- |
| AWS AVP | providers/aws/avpProvider | Mapping to/from Cedar Policy language with Get/Set/Reconcile using AVP API | Syntactic Map | SDK, Console |
| AWS API Gateway | providers/aws/awsapigwProvider | Support for the Amazon API Gateway (experimental) | RBAC | SDK, Console |
| AWS Cognito | providers/aws/cognitoProvider | Virtual policy support using Cognito Userpools and Groups | RBAC | SDK, Console |
| Azure Provider | providers/azure/azureProvider | Support for Azure Application Role Policy | RBAC | SDK, Console |
| Google Cloud IAP Provider | providers/googlecloud/iapProvider | Mapping to/from Google Bind policy and IAP support for Google App Engine and GKE | Syntactic Map | SDK, Console |
| Open Policy Agent | providers/openpolicyagent | Integrates with Hexa Policy-OPA and interprets IDQL directly with conditions clause support | IDQL Interpreter | SDK, Console |
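The Get/Set/Reconcile cycle that the AVP row describes, as an added Go example written for this README and not the SDK's own `policyprovider.Provider` interface (whose method set differs): a hypothetical `Provider` interface over an in-memory store standing in for a remote policy API, and a `Reconcile` that diffs the desired policy set against what the target currently holds, returns that plan for review, and writes only when not in dry-run mode. The `Policy` tuple, the interface, the method names and the sample policies are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Policy is a flat (subject, action, resource) tuple. The struct and the Provider
// interface below are illustrations for this README, not the SDK's own types.
type Policy struct {
	Subject, Action, Resource string
}

// key is the canonical identity used to decide whether two policies are the same.
func (p Policy) key() string { return p.Subject + "|" + p.Action + "|" + p.Resource }

// Provider is the minimal shape a provisioning provider needs: read the policies
// currently installed on the target and replace them with a new set.
type Provider interface {
	GetPolicies() ([]Policy, error)
	SetPolicies([]Policy) error
}

// MemProvider is an in-memory stand-in for a remote policy store (AVP, IAM, ...).
type MemProvider struct{ stored []Policy }

func (m *MemProvider) GetPolicies() ([]Policy, error) {
	out := make([]Policy, len(m.stored))
	copy(out, m.stored)
	return out, nil
}

func (m *MemProvider) SetPolicies(ps []Policy) error {
	m.stored = append([]Policy(nil), ps...)
	return nil
}

// Plan is the difference between the desired policy set and what the target holds.
type Plan struct{ Add, Remove, Keep []Policy }

func sortPolicies(ps []Policy) {
	sort.Slice(ps, func(i, j int) bool { return ps[i].key() < ps[j].key() })
}

// Reconcile computes the plan for making the target match desired. With dryRun
// set it only reports; otherwise it writes the deduplicated desired set. Removals
// are explicit in the plan so an operator can see what access is being withdrawn.
func Reconcile(p Provider, desired []Policy, dryRun bool) (Plan, error) {
	current, err := p.GetPolicies()
	if err != nil {
		return Plan{}, err
	}
	want := map[string]Policy{}
	for _, d := range desired {
		want[d.key()] = d
	}
	have := map[string]Policy{}
	for _, c := range current {
		have[c.key()] = c
	}
	var plan Plan
	for k, d := range want {
		if _, ok := have[k]; ok {
			plan.Keep = append(plan.Keep, d)
		} else {
			plan.Add = append(plan.Add, d)
		}
	}
	for k, c := range have {
		if _, ok := want[k]; !ok {
			plan.Remove = append(plan.Remove, c)
		}
	}
	sortPolicies(plan.Add)
	sortPolicies(plan.Remove)
	sortPolicies(plan.Keep)
	if dryRun {
		return plan, nil
	}
	next := append(append([]Policy{}, plan.Keep...), plan.Add...)
	sortPolicies(next)
	return plan, p.SetPolicies(next)
}

func main() {
	// Constructed state: what the target holds now versus what we want it to hold.
	prov := &MemProvider{stored: []Policy{
		{"User:alice", "view", "Photo:a"},
		{"User:bob", "edit", "Photo:a"},
	}}
	desired := []Policy{
		{"User:alice", "view", "Photo:a"},
		{"User:carol", "view", "Photo:b"},
	}
	plan, err := Reconcile(prov, desired, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("add=%v remove=%v keep=%v\n", plan.Add, plan.Remove, plan.Keep)
	if _, err := Reconcile(prov, desired, false); err != nil {
		panic(err)
	}
	after, _ := prov.GetPolicies()
	fmt.Println("target now holds:", after)
}
```

Running the reconcile twice is a useful check for any real provider: the second dry run should report nothing to add or remove, and a non-empty Remove list on a run you expected to be a no-op is the signal that policy was changed out of band on the target.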

Directories

Path: Synopsis

api
idp
policyprovider: Package PolicyProvider defines the common structures and interfaces (the API) to be implemented by each platform that Hexa integrates with.
cmd
hexa: This code is based on contributions from https://github.com/i2-open/i2goSignals, with permission.
mapTool (module)
examples
cel
hexaIdql (module)
mapper
models
formats/awsCedar: Package awsCedar provides parsing and mapping to and from an earlier version of the AWS Cedar Policy Language.
formats/cedar/json: Package json. Note: this code is from github.com/cedar-policy/cedar-go and is used under the APL 2.0 license terms.
policyInfoModel: Package pim (application Policy Information Model) is used by Hexa tools to validate that a policy is valid for a particular application.
rar
rar/testsupport/tools: Package tools provides utilities for tests.
pkg
hexapolicy/types: Package parser is used to parse values that represent entities contained within IDQL `PolicyInfo` for `SubjectInfo`, `ActionInfo`, and `Object`.
keysupport: Package keysupport is used to generate self-signed keys for testing purposes.
providers
