access

Documentation

Overview

Package access provides a simple way to manage access to resources, with a policy-based approach. It usses a simple policy language to define access rules, and URNs to express user, group and resources.

Index

• Constants
• Variables
• func Is(u *urn.URN, i ResourceIdentifier) bool
• func WithNoop(ctx context.Context, t *testing.T, access pb.AccessServer, ...)
• type Access
• type Accessor
• type Action
  • func (a Action) String() string
• type Actions
• type Client
  • func NewClient(conn *grpc.ClientConn, opts ...Opt) (*Client, error)
  • func (c *Client) Check(ctx context.Context, principal, resource, action string) (bool, error)
• type Condition
• type Conditions
• type Effect
• type Matcher
• type Opt
• type Partition
• type Partitions
  • func (p Partitions) Add(partition Partition)
• type Policer
• type Policy
  • func DefaultPolicy() *Policy
  • func (p *Policy) UnmarshalJSON(data []byte) error
  • func (p *Policy) UnmarshalYAML(data []byte) error
• type Region
• type Regions
  • func (r Regions) Add(region Region)
• type Resource
  • func (r Resource) String() string
  • func (r Resource) URN() (*urn.URN, error)
• type ResourceIdentifier
• type Resources
• type Rule
• type Rules
• type Service
• type Services
  • func (s Services) Add(service Service)
• type UnimplementedAccessor
  • func (u *UnimplementedAccessor) Allow(principal *urn.URN, ressource *urn.URN, action Action) (bool, error)

Constants

const DefaultVersion = "2023-03-28"

DefaultVersion

Variables

var DefaultPartitions = Partitions{
	"cloud": true,
}

DefaultPartitions is the default list of partitions.

var DefaultRegions = Regions{
	"eu-central-1": true,
}

DefaultRegions is the default list of regions.

var DefaultServices = Services{
	// contains filtered or unexported fields
}

DefaultServices is the default list of services.

var GroupResourceIdentifier = func(u *urn.URN) bool {
	return u.Service == defaultAccessService && strings.HasPrefix(u.Resource.String(), "groups")
}

GroupResourceIdentifier is the identifier for a group.

var IdentityBasedMatcher = func(l *urn.URN, r *urn.URN) bool {
	return (l.Namespace == r.Namespace || (l.Namespace == urn.Wildcard && r.Namespace == urn.Wildcard) || (l.Namespace == urn.Empty && r.Namespace == urn.Empty) || r.Namespace == urn.Wildcard || r.Namespace == urn.Empty) &&
		(l.Partition == r.Partition || (l.Partition == urn.Wildcard && r.Partition == urn.Wildcard) || (l.Partition == urn.Empty && r.Partition == urn.Empty) || r.Partition == urn.Wildcard || r.Partition == urn.Empty) &&
		(l.Service == r.Service || (l.Service == urn.Wildcard && r.Service == urn.Wildcard) || (l.Service == urn.Empty && r.Service == urn.Empty) || r.Service == urn.Wildcard || r.Service == urn.Empty) &&
		(l.Region == r.Region || (l.Region == urn.Wildcard && r.Region == urn.Wildcard) || (l.Region == urn.Empty && r.Region == urn.Empty) || r.Region == urn.Wildcard || r.Region == urn.Empty) &&
		(l.Identifier == r.Identifier || (l.Identifier == urn.Wildcard && r.Identifier == urn.Wildcard) || (l.Identifier == urn.Empty && r.Identifier == urn.Empty) || r.Identifier == urn.Wildcard || r.Identifier == urn.Empty) &&
		(l.Resource == r.Resource || (l.Resource == urn.Wildcard && r.Resource == urn.Wildcard) || (l.Resource == urn.Empty && r.Resource == urn.Empty) || r.Resource == urn.Wildcard || r.Resource == urn.Empty)
}

IdentityBasedMatcher is a matcher that matches the URN based on the identity.

var RoleResourceIdentifier = func(u *urn.URN) bool {
	return u.Service == defaultAccessService && strings.HasPrefix(u.Resource.String(), "roles")
}

RoleResourceIdentifier is the identifier for a role.

var UserResourceIdentifier = func(u *urn.URN) bool {
	return u.Service == defaultAccessService && strings.HasPrefix(u.Resource.String(), "users")
}

UserResourceIdentifier is the identifier for a user.

Functions

func Is

func Is(u *urn.URN, i ResourceIdentifier) bool

Is returns true if the resource matches the identifier.

func WithNoop

func WithNoop(ctx context.Context, t *testing.T, access pb.AccessServer, f func(context.Context, *testing.T, func(context.Context, string) (net.Conn, error)))

WithNoop ...

Types

type Access

type Access interface{}

Client is the interface for the access client.

type Accessor

type Accessor interface {
	// Allow returns true if the user is allowed to perform the action on the resource.
	Allow(ctx context.Context, principal *urn.URN, ressource *urn.URN, action Action) (bool, error)
}

Accessor is the interface to allow or deny access.

type Action

type Action string

Action is the action that the rule applies to.

func (Action) String

func (a Action) String() string

String ...

type Actions

type Actions []Action

Actions is a list of actions.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is the access client.

func NewClient

func NewClient(conn *grpc.ClientConn, opts ...Opt) (*Client, error)

NewClient creates a new access client.

func (*Client) Check

func (c *Client) Check(ctx context.Context, principal, resource, action string) (bool, error)

Check is checking the access of a principal to a resource by an action.

type Condition

type Condition struct {
	// Key is the key of the condition.
	Key string `json:"key" yaml:"key"`
	// Value is the value of the condition.
	Value string `json:"value" yaml:"value"`
	// Operator is the operator of the condition.
	Operator string `json:"operator" yaml:"operator"`
}

Condition is a set of key-value pairs that define how a user can access a resource.

type Conditions

type Conditions []Condition

Conditions is a list of conditions.

type Effect

type Effect string

Effect is the effect of the rule, it can be allow or deny.

const Allow Effect = "allow"

Allow effect.

const Deny Effect = "deny"

Deny effect.

type Matcher

type Matcher func(l *urn.URN, r *urn.URN) bool

Matcher is a function that returns true if the URN matches.

type Opt

type Opt func(*Client)

Opt is the option for the access client.

type Partition

type Partition urn.Match

Partition is the partition name of the access service.

type Partitions

type Partitions map[Partition]bool

Partitions is the list of partitions.

func (Partitions) Add

func (p Partitions) Add(partition Partition)

Add adds a partition to the list.

type Policer

type Policer interface {
	// Policies returns the policy for the given user.
	Policies(ctx context.Context, principal *urn.URN) ([]*Policy, error)
}

Policer returns the policy for the given user.

type Policy

type Policy struct {
	// Version is the version of the policy.
	Version string `json:"version" yaml:"version"`
	// ID is the unique identifier of the policy.
	ID string `json:"id" yaml:"id"`
	// Name is the name of the policy.
	Name string `json:"name" yaml:"name"`
	// Description is the description of the policy.
	Description string `json:"description" yaml:"description"`
	// Rules is the list of rules that define how a user can access a resource.
	Rules Rules `json:"rules" yaml:"rules"`
}

Policy is a set of rules that define how a user can access a resource.

func DefaultPolicy

func DefaultPolicy() *Policy

DefaultPolicy returns the default policy.

func (*Policy) UnmarshalJSON

func (p *Policy) UnmarshalJSON(data []byte) error

UnmarshalJSON overwrite own policy with values of the given in policy in JSON format

func (*Policy) UnmarshalYAML

func (p *Policy) UnmarshalYAML(data []byte) error

UnmarshalYAML overwrite own policy with values of the given policy in YAML format.

type Region

type Region urn.Match

Region is the region name of the access service.

type Regions

type Regions map[Region]bool

Regions is the list of regions.

func (Regions) Add

func (r Regions) Add(region Region)

Add adds a region to the list.

type Resource

type Resource string

Resource is the resource that the rule applies to.

func (Resource) String

func (r Resource) String() string

String returns the string representation of the resource.

func (Resource) URN

func (r Resource) URN() (*urn.URN, error)

URN returns the URN representation of the resource.

type ResourceIdentifier

type ResourceIdentifier func(*urn.URN) bool

ResourceIdentifier is the unique identifier of a resource.

type Resources

type Resources []Resource

Resources is a list of resources.

type Rule

type Rule struct {
	// ID is the unique identifier of the rule.
	ID string `json:"id" yaml:"id"`
	// Resources is the list of resources that the rule applies to.
	Resources Resources `json:"resources" yaml:"resources"`
	// Actions is the list of actions that the rule applies to.
	Actions Actions `json:"actions" yaml:"actions"`
	// Effect is the effect of the rule, it can be allow or deny.
	Effect Effect `json:"effect" yaml:"effect"`
	// Conditions is the list of conditions that the rule applies to.
	Conditions Conditions `json:"conditions" yaml:"conditions"`
}

Rule is a set of conditions that define how a user can access a resource.

type Rules

type Rules []Rule

Rules is a list of rules.

type Service

type Service urn.Match

Servide is the service name of the access service.

type Services

type Services map[Service]bool

Services is the list of services.

func (Services) Add

func (s Services) Add(service Service)

Add adds a service to the list.

type UnimplementedAccessor

type UnimplementedAccessor struct{}

UnimplementedAccessor is the default implementation of the Accessor interface.

func (*UnimplementedAccessor) Allow

func (u *UnimplementedAccessor) Allow(principal *urn.URN, ressource *urn.URN, action Action) (bool, error)

Allow returns true if the user is allowed to perform the action on the resource.