Documentation
Index
- Variables
- func IsEmptyUserAccess(a UserAccess) bool
- func ValidateCloudAccess(access Access) error
- func ValidateControllerAccess(access Access) error
- func ValidateModelAccess(access Access) error
- func ValidateOfferAccess(access Access) error
- type Access
- func (a Access) EqualOrGreaterCloudAccessThan(access Access) bool
- func (a Access) EqualOrGreaterControllerAccessThan(access Access) bool
- func (a Access) EqualOrGreaterModelAccessThan(access Access) bool
- func (a Access) EqualOrGreaterOfferAccessThan(access Access) bool
- func (a Access) GreaterControllerAccessThan(access Access) bool
- func (a Access) GreaterModelAccessThan(access Access) bool
- func (a Access) GreaterOfferAccessThan(access Access) bool
- func (a Access) String() string
- func (a Access) Validate() error
- type AccessChange
- type AccessSpec
- type ID
- type ObjectType
- type UserAccess
- type UserAccessSpec
Constants
This section is empty.
Variables
var AllAccessLevels = []Access{
	NoAccess,
	ReadAccess,
	WriteAccess,
	ConsumeAccess,
	AdminAccess,
	LoginAccess,
	AddModelAccess,
	SuperuserAccess,
}
AllAccessLevels is a list of all access levels.
var EveryoneUserName, _ = user.NewName("everyone@external")
EveryoneUserName represents a special user that has the base permission level of all external users.
Functions
func IsEmptyUserAccess
func IsEmptyUserAccess(a UserAccess) bool
IsEmptyUserAccess returns true if the passed UserAccess instance is empty.
func ValidateCloudAccess
ValidateCloudAccess returns an error if the passed access is not a valid cloud access level.
func ValidateControllerAccess
ValidateControllerAccess returns an error if the passed access is not a valid controller access level.
func ValidateModelAccess
ValidateModelAccess returns an error if the passed access is not a valid model access level.
func ValidateOfferAccess
ValidateOfferAccess returns an error if the passed access is not a valid offer access level.
Types
type Access
type Access string
Access represents a level of access.
const (
	// NoAccess allows a user no permissions at all.
	NoAccess Access = ""

	// ReadAccess allows a user to read information about a permission subject,
	// without being able to make any changes.
	ReadAccess Access = "read"

	// WriteAccess allows a user to make changes to a permission subject.
	WriteAccess Access = "write"

	// ConsumeAccess allows a user to consume a permission subject.
	ConsumeAccess Access = "consume"

	// AdminAccess allows a user full control over the subject.
	AdminAccess Access = "admin"

	// LoginAccess allows a user to log in to the subject.
	LoginAccess Access = "login"

	// AddModelAccess allows user to add new models in subjects supporting it.
	AddModelAccess Access = "add-model"

	// SuperuserAccess allows user unrestricted permissions in the subject.
	SuperuserAccess Access = "superuser"
)
func (Access) EqualOrGreaterCloudAccessThan
EqualOrGreaterCloudAccessThan returns true if the current access is equal or greater than the passed in access level.
func (Access) EqualOrGreaterControllerAccessThan
EqualOrGreaterControllerAccessThan returns true if the current access is equal or greater than the passed in access level.
func (Access) EqualOrGreaterModelAccessThan
EqualOrGreaterModelAccessThan returns true if the current access is equal or greater than the passed in access level.
func (Access) EqualOrGreaterOfferAccessThan
EqualOrGreaterOfferAccessThan returns true if the current access is equal or greater than the passed in access level.
func (Access) GreaterControllerAccessThan
GreaterControllerAccessThan returns true if the current access is greater than the passed in access level.
func (Access) GreaterModelAccessThan
GreaterModelAccessThan returns true if the current access is greater than the passed in access level.
func (Access) GreaterOfferAccessThan
GreaterOfferAccessThan returns true if the current access is greater than the passed in access level.
type AccessChange
type AccessChange string
AccessChange represents a change in access level.
const (
	// Grant represents a change in access level to grant.
	Grant AccessChange = "grant"

	// Revoke represents a change in access level to revoke.
	Revoke AccessChange = "revoke"
)
type AccessSpec
AccessSpec defines the attributes that can be set when adding a new access.
func (AccessSpec) EqualOrGreaterThan
func (a AccessSpec) EqualOrGreaterThan(access Access) bool
EqualOrGreaterThan returns true if the current access is equal or greater than the passed in access level.
func (AccessSpec) RevokeAccess
func (a AccessSpec) RevokeAccess() Access
RevokeAccess returns the new access level based on revoking the current value setting. E.g. revoking SuperuserAccess sets LoginAccess for controllers.
func (AccessSpec) Validate
func (u AccessSpec) Validate() error
Validate validates that the access and target specified in the spec are values allowed together and that the User is not an empty string. If any of these are untrue, a NotValid error is returned.
type ID
type ID struct {
	ObjectType ObjectType
	Key        string
}
ID identifies the object of a permission, its key and type. Keys are names or UUIDs depending on the type.
func ParseTagForID
ParseTagForID returns an ID of a permission object and must conform to the known object types.
func (ID) Validate
Validate returns an error if the key is empty and/or the ObjectType is not in the list.
func (ID) ValidateAccess
ValidateAccess validates the access value is valid for this ID.
type ObjectType
type ObjectType string
ObjectType is the type of the permission object.
const (
	Cloud      ObjectType = "cloud"
	Controller ObjectType = "controller"
	Model      ObjectType = "model"
	Offer      ObjectType = "offer"
)
These values must match the values in the permission_object_type table.
func (ObjectType) String
func (o ObjectType) String() string
String returns the object type as a string.
func (ObjectType) Validate
func (o ObjectType) Validate() error
Validate returns an error if the object type is not in the list of valid object types above.
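Because Access is a plain string type, a level that is meaningful for one object type (such as "superuser" for a controller) is still a well-formed Access value when applied to another, which is what the per-object Validate*Access functions and ID.ValidateAccess guard against. The following is an added example, not code from this package, showing that kind of scoped validation and a comparison that fails closed. The helper names and the per-object level tables are assumptions made for the example; the page does not list which levels each object type accepts.

```go
package main

import "fmt"

type Access string
type ObjectType string

// levels lists, per object type, the access levels accepted for it and
// their rank. ASSUMPTION: these tables are constructed for this example;
// the page does not say which levels each Validate*Access accepts.
var levels = map[ObjectType]map[Access]int{
	"cloud":      {"add-model": 1, "admin": 2},
	"controller": {"login": 1, "superuser": 2},
	"model":      {"read": 1, "write": 2, "admin": 3},
	"offer":      {"read": 1, "consume": 2, "admin": 3},
}

// validateAccess (hypothetical helper) rejects a level that is not defined
// for the object type, even if it is a well-formed Access string elsewhere.
func validateAccess(t ObjectType, a Access) error {
	known, ok := levels[t]
	if !ok {
		return fmt.Errorf("object type %q not valid", t)
	}
	if _, ok := known[a]; !ok {
		return fmt.Errorf("%q %s access not valid", a, t)
	}
	return nil
}

// equalOrGreater (hypothetical helper) fails closed: if either level is not
// valid for the object type, the check is denied rather than compared.
func equalOrGreater(t ObjectType, held, required Access) bool {
	if validateAccess(t, held) != nil || validateAccess(t, required) != nil {
		return false
	}
	return levels[t][held] >= levels[t][required]
}

func main() {
	fmt.Println(validateAccess("model", "superuser"))         // error: wrong scope
	fmt.Println(equalOrGreater("model", "admin", "write"))    // true
	fmt.Println(equalOrGreater("model", "superuser", "read")) // false
	fmt.Println(equalOrGreater("offer", "", "read"))          // false
}
```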
type UserAccess
type UserAccess struct {
	// UserID is the stored ID of the user.
	UserID string

	// PermissionID is the stored ID of the permission.
	PermissionID string

	// Object is the ID of the object of this access grant.
	Object ID

	// Access represents the level of access subject has over object.
	Access Access

	// CreatedBy is the tag of the user that granted the access.
	CreatedBy user.Name

	// DateCreated is the date the user was created in UTC.
	DateCreated time.Time

	// DisplayName is the name we are showing for this user.
	DisplayName string

	// UserName is the actual username for this access.
	UserName user.Name
}
UserAccess represents a user's access to a target. Whereas the user could represent a remote user or a user across multiple models, the user access always represents a single user for a single target. There should be no more than one UserAccess per target/user pair. Many of these fields are storage artifacts, but generating them from other fields implies out-of-band knowledge of other packages.
type UserAccessSpec
type UserAccessSpec struct {
	AccessSpec
	User user.Name
}
UserAccessSpec defines the attributes that can be set when adding a new user access.
func (UserAccessSpec) Validate
func (u UserAccessSpec) Validate() error
Validate validates that the access and target specified in the spec are values allowed together and that the User is not an empty string. If any of these are untrue, a NotValid error is returned.