Documentation
Overview
Package authz handles all things authorization, policing who (subjects) can do what (actions) on what (resources).
Index
- Variables
- func AddSkipAuthz(ctx context.Context) context.Context
- func AddSubjectToContext(ctx context.Context, subj Subject) context.Context
- func NewAllowAllAuthorizer() *allowAllAuthorizer
- func SkipAuthz(ctx context.Context) bool
- type AccessRequest
- type Action
- type Authorizer
- func (a *Authorizer) Authorize(ctx context.Context, action Action, req *AccessRequest, ...) (Subject, error)
- func (a *Authorizer) CanAccess(ctx context.Context, action Action, req *AccessRequest) bool
- func (a *Authorizer) RegisterOrganizationResolver(kind resource.Kind, resolver OrganizationResolver)
- func (a *Authorizer) RegisterWorkspaceResolver(kind resource.Kind, resolver WorkspaceResolver)
- type CanAccessOption
- type Interface
- type OrganizationResolver
- type Role
- type Subject
- type Superuser
- type WorkspacePermission
- type WorkspacePolicy
- type WorkspacePolicyGetter
- type WorkspaceResolver
Constants
This section is empty.
Variables
var (
	// OrganizationMinPermissions are permissions granted to all team
	// members within an organization.
	OrganizationMinPermissions = Role{
		// contains filtered or unexported fields
	}
	// WorkspaceReadRole is scoped to a workspace and permits read-only actions
	// on the workspace.
	WorkspaceReadRole = Role{
		// contains filtered or unexported fields
	}
	// WorkspacePlanRole is scoped to a workspace and permits creating plans on
	// the workspace.
	WorkspacePlanRole = Role{
		// contains filtered or unexported fields
	}
	// WorkspaceWriteRole is scoped to a workspace and permits write actions on
	// the workspace.
	WorkspaceWriteRole = Role{
		// contains filtered or unexported fields
	}
	// WorkspaceAdminRole is scoped to a workspace and permits management of the
	// workspace.
	WorkspaceAdminRole = Role{
		// contains filtered or unexported fields
	}
	// WorkspaceManagerRole is scoped to an organization and permits management
	// of workspaces.
	WorkspaceManagerRole = Role{
		// contains filtered or unexported fields
	}
	// VCSManagerRole is scoped to an organization and permits management of VCS
	// providers.
	VCSManagerRole = Role{
		// contains filtered or unexported fields
	}
	// RegistryManagerRole is scoped to an organization and permits management
	// of the registry of modules and providers.
	RegistryManagerRole = Role{
		// contains filtered or unexported fields
	}
)
Functions
func AddSkipAuthz
AddSkipAuthz adds to the context an instruction to skip authorization. Authorizers should obey this instruction by consulting SkipAuthz.
func AddSubjectToContext
AddSubjectToContext adds a subject to a context.
func NewAllowAllAuthorizer
func NewAllowAllAuthorizer() *allowAllAuthorizer
Types
type AccessRequest
type AccessRequest struct {
	// Organization name to which access is being requested.
	Organization string
	// ID of resource to which access is being requested. If nil then the action
	// is being requested on the organization.
	ID *resource.ID
	// WorkspacePolicy specifies workspace-specific permissions for the resource
	// specified by ID. Only non-nil if ID refers to a workspace.
	WorkspacePolicy *WorkspacePolicy
}
AccessRequest is a request for access to either an organization or an individual resource.
func (*AccessRequest) LogValue
func (r *AccessRequest) LogValue() slog.Value
type Action
type Action int
Action identifies an action a subject carries out on a resource for authorization purposes.
const (
	WatchAction Action = iota
	CreateOrganizationAction
	UpdateOrganizationAction
	GetOrganizationAction
	ListOrganizationsAction
	GetEntitlementsAction
	DeleteOrganizationAction
	CreateVCSProviderAction
	GetVCSProviderAction
	ListVCSProvidersAction
	DeleteVCSProviderAction
	CreateAgentPoolAction
	UpdateAgentPoolAction
	ListAgentPoolsAction
	GetAgentPoolAction
	DeleteAgentPoolAction
	CreateAgentTokenAction
	ListAgentTokensAction
	GetAgentTokenAction
	DeleteAgentTokenAction
	ListRunnersAction
	WatchRunnersAction
	CreateOrganizationTokenAction
	DeleteOrganizationTokenAction
	CreateRunTokenAction
	CreateTeamTokenAction
	GetTeamTokenAction
	DeleteTeamTokenAction
	CreateModuleAction
	CreateModuleVersionAction
	UpdateModuleAction
	ListModulesAction
	GetModuleAction
	DeleteModuleAction
	DeleteModuleVersionAction
	CreateWorkspaceVariableAction
	UpdateWorkspaceVariableAction
	ListWorkspaceVariablesAction
	GetWorkspaceVariableAction
	DeleteWorkspaceVariableAction
	CreateVariableSetAction
	UpdateVariableSetAction
	ListVariableSetsAction
	GetVariableSetAction
	DeleteVariableSetAction
	CreateVariableSetVariableAction
	UpdateVariableSetVariableAction
	GetVariableSetVariableAction
	DeleteVariableSetVariableAction
	AddVariableToSetAction
	RemoveVariableFromSetAction
	ApplyVariableSetToWorkspacesAction
	DeleteVariableSetFromWorkspacesAction
	GetRunAction
	ListRunsAction
	ApplyRunAction
	CreateRunAction
	DiscardRunAction
	DeleteRunAction
	CancelRunAction
	ForceCancelRunAction
	EnqueuePlanAction
	PutChunkAction
	TailLogsAction
	GetPlanFileAction
	UploadPlanFileAction
	GetLockFileAction
	UploadLockFileAction
	ListWorkspacesAction
	GetWorkspaceAction
	CreateWorkspaceAction
	DeleteWorkspaceAction
	SetWorkspacePermissionAction
	UnsetWorkspacePermissionAction
	UpdateWorkspaceAction
	ListTagsAction
	DeleteTagsAction
	TagWorkspacesAction
	AddTagsAction
	RemoveTagsAction
	ListWorkspaceTags
	LockWorkspaceAction
	UnlockWorkspaceAction
	ForceUnlockWorkspaceAction
	CreateStateVersionAction
	ListStateVersionsAction
	GetStateVersionAction
	DeleteStateVersionAction
	RollbackStateVersionAction
	UploadStateAction
	DownloadStateAction
	GetStateVersionOutputAction
	CreateConfigurationVersionAction
	ListConfigurationVersionsAction
	GetConfigurationVersionAction
	DownloadConfigurationVersionAction
	DeleteConfigurationVersionAction
	CreateUserAction
	ListUsersAction
	GetUserAction
	DeleteUserAction
	CreateTeamAction
	UpdateTeamAction
	GetTeamAction
	ListTeamsAction
	DeleteTeamAction
	AddTeamMembershipAction
	RemoveTeamMembershipAction
	CreateNotificationConfigurationAction
	UpdateNotificationConfigurationAction
	ListNotificationConfigurationsAction
	GetNotificationConfigurationAction
	DeleteNotificationConfigurationAction
	CreateGithubAppAction
	UpdateGithubAppAction
	GetGithubAppAction
	ListGithubAppsAction
	DeleteGithubAppAction
	CreateGithubAppInstallAction
	DeleteGithubAppInstallAction
)
type Authorizer
type Authorizer struct {
	logr.Logger
	WorkspacePolicyGetter
	// contains filtered or unexported fields
}
Authorizer intermediates authorization between subjects (entities requesting access) and resources (the entities to which access is being requested).
func NewAuthorizer
func NewAuthorizer(logger logr.Logger) *Authorizer
func (*Authorizer) Authorize
func (a *Authorizer) Authorize(ctx context.Context, action Action, req *AccessRequest, opts ...CanAccessOption) (Subject, error)
Authorize determines whether the subject can carry out an action on a resource. The subject is expected to be contained within the context. If the access request is nil then it's assumed the request is for access to the entire site (the highest level).
func (*Authorizer) CanAccess
func (a *Authorizer) CanAccess(ctx context.Context, action Action, req *AccessRequest) bool
CanAccess is a helper to boil down an access request to a true/false decision, with any error encountered interpreted as false.
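As an added illustration, not the package's own code, the following self-contained Go model shows the flow the Authorize and CanAccess descriptions imply: a Subject carried in the context, a WorkspacePolicy binding roles to teams, and an Authorize that returns the subject only when the subject's own CanAccess agrees and otherwise fails closed (no subject in the context, or a nil request or policy, is a denial). TeamMember, the role contents, the context key and the two-action Action set are assumptions; the real package keeps role contents unexported and resolves organizations and workspaces through registered resolvers, which this model omits.

```go
package main

import "context"
import "errors"

// Action and Role follow the page's design: a Role is a set of permitted actions.
type Action int
const GetWorkspaceAction, CreateRunAction Action = 0, 1
type Role map[Action]bool

// WorkspacePermission binds a role to a team; a WorkspacePolicy collects them.
type WorkspacePermission struct {
	Team string
	Role Role
}
type WorkspacePolicy struct{ Permissions []WorkspacePermission }
type AccessRequest struct{ WorkspacePolicy *WorkspacePolicy }

// Subject is an entity that carries out actions; TeamMember is a hypothetical
// subject whose rights come only from the workspace policy in the request.
type Subject interface{ CanAccess(action Action, req *AccessRequest) bool }
type TeamMember struct{ Team string }

func (t TeamMember) CanAccess(action Action, req *AccessRequest) bool {
	if req == nil || req.WorkspacePolicy == nil {
		return false // nothing to consult: fail closed
	}
	for _, p := range req.WorkspacePolicy.Permissions {
		if p.Team == t.Team && p.Role[action] {
			return true
		}
	}
	return false
}

type ctxKey int // unexported key type: other packages cannot forge a subject
var ErrUnauthorized = errors.New("unauthorized")

func AddSubjectToContext(ctx context.Context, s Subject) context.Context {
	return context.WithValue(ctx, ctxKey(0), s)
}

// Authorize returns the subject when it may act and an error otherwise.
func Authorize(ctx context.Context, action Action, req *AccessRequest) (Subject, error) {
	subj, ok := ctx.Value(ctxKey(0)).(Subject)
	if !ok || !subj.CanAccess(action, req) {
		return nil, ErrUnauthorized
	}
	return subj, nil
}
```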
func (*Authorizer) RegisterOrganizationResolver
func (a *Authorizer) RegisterOrganizationResolver(kind resource.Kind, resolver OrganizationResolver)
RegisterOrganizationResolver registers with the authorizer the ability to resolve access requests for a specific resource kind to the name of the organization the resource belongs to.
This is necessary because authorization is determined not only on resource ID but on the name of the organization the resource belongs to.
func (*Authorizer) RegisterWorkspaceResolver
func (a *Authorizer) RegisterWorkspaceResolver(kind resource.Kind, resolver WorkspaceResolver)
RegisterWorkspaceResolver registers with the authorizer the ability to resolve access requests for a specific resource kind to the workspace ID the resource belongs to.
This is necessary because authorization is often determined based on workspace ID, and not the ID of a run, state version, etc.
type CanAccessOption
type CanAccessOption func(*canAccessConfig)
func WithoutErrorLogging
func WithoutErrorLogging() CanAccessOption
WithoutErrorLogging disables logging of an unauthorized error. This is useful when merely checking whether a user can do something, rather than enforcing it.
type Interface
type Interface interface {
	Authorize(ctx context.Context, action Action, req *AccessRequest, opts ...CanAccessOption) (Subject, error)
	CanAccess(ctx context.Context, action Action, req *AccessRequest) bool
}
Interface provides an interface for services to use to permit swapping out the authorizer for tests.
type OrganizationResolver
OrganizationResolver takes the ID of a resource and returns the name of the organization it belongs to.
type Role
type Role struct {
// contains filtered or unexported fields
}
Role is a set of permitted actions.
func WorkspaceRoleFromString
type Subject
type Subject interface {
	CanAccess(action Action, req *AccessRequest) bool
	String() string
}
Subject is an entity that carries out actions on resources.
type Superuser
type Superuser struct {
Username string
}
Superuser is a subject with unlimited privileges.
type WorkspacePermission
WorkspacePermission binds a role to a team.
type WorkspacePolicy
type WorkspacePolicy struct {
	Permissions []WorkspacePermission
	// Whether workspace permits its state to be consumed by all workspaces in
	// the organization.
	GlobalRemoteState bool
}
WorkspacePolicy binds workspace permissions to a workspace.