acl

package
v1.16.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 29, 2024 License: MPL-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	WildcardName = "*"

	// AnonymousTokenID is the AccessorID of the anonymous token.
	// When logging or displaying to users, use acl.AliasIfAnonymousToken
	// to convert this to AnonymousTokenAlias.
	AnonymousTokenID     = "00000000-0000-0000-0000-000000000002"
	AnonymousTokenAlias  = "anonymous token"
	AnonymousTokenSecret = "anonymous"

	ReservedBuiltinPrefix = "builtin/"
)
View Source 
const (
	WildcardPartitionName = ""
	DefaultPartitionName  = ""
)
View Source 
const (
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyList  = "list"
	PolicyWrite = "write"
)
View Source 
const (
	ServiceIdentityNameMaxLength = 256
	NodeIdentityNameMaxLength    = 256
	PolicyNameMaxLength          = 128
)
View Source 
const DefaultNamespaceName = "default"

Reviewer Note: This is a little bit strange; one might want it to be "" like partition name However in consul/structs/intention.go we define IntentionDefaultNamespace as 'default' and so we use the same here

Variables

View Source 
var (
	// ErrNotFound indicates there is no matching ACL.
	ErrNotFound = errors.New(errNotFound)

	// ErrRootDenied is returned when attempting to resolve a root ACL.
	ErrRootDenied = errors.New(errRootDenied)

	// ErrDisabled is returned when ACL changes are not permitted since
	// they are disabled.
	ErrDisabled = errors.New(errDisabled)

	// ErrPermissionDenied is returned when an ACL based rejection
	// happens.
	ErrPermissionDenied = PermissionDeniedError{}

	// ErrInvalidParent is returned when a remotely resolve ACL
	// token claims to have a non-root parent
	ErrInvalidParent = errors.New(errInvalidParent)
)

Functions

func ACLResourceNotExistError 

func ACLResourceNotExistError(resourceType string, entMeta EnterpriseMeta) error

func AliasIfAnonymousToken 

func AliasIfAnonymousToken(accessorID string) string

AliasIfAnonymousToken returns the string "anonymous token" if accessorID is acl.AnonymousTokenID. Used for better UX when logging the accessorID.

func EqualNamespaces 

func EqualNamespaces(_, _ string) bool

func EqualPartitions 

func EqualPartitions(_, _ string) bool

func IsDefaultPartition 

func IsDefaultPartition(partition string) bool

func IsErrDisabled 

func IsErrDisabled(err error) bool

IsErrDisabled checks if the given error message is comparable to ErrDisabled.

func IsErrNotFound 

func IsErrNotFound(err error) bool

IsErrNotFound checks if the given error message is comparable to ErrNotFound.

func IsErrPermissionDenied 

func IsErrPermissionDenied(err error) bool

IsErrPermissionDenied checks if the given error message is comparable to ErrPermissionDenied.

func IsErrRootDenied 

func IsErrRootDenied(err error) bool

IsErrRootDenied checks if the given error message is comparable to ErrRootDenied.

func IsValidAuthMethodName 

func IsValidAuthMethodName(name string) bool

IsValidRoleName returns true if the provided name can be used as an ACLAuthMethod Name.

func IsValidNodeIdentityName 

func IsValidNodeIdentityName(name string) bool

IsValidNodeIdentityName returns true if the provided name can be used as an ACLNodeIdentity NodeName. This is more restrictive than standard catalog registration, which basically takes the view that "everything is valid".

func IsValidRoleName 

func IsValidRoleName(name string) bool

IsValidRoleName returns true if the provided name can be used as an ACLRole Name.

func IsValidServiceIdentityName 

func IsValidServiceIdentityName(name string) bool

IsValidServiceIdentityName returns true if the provided name can be used as an ACLServiceIdentity ServiceName. This is more restrictive than standard catalog registration, which basically takes the view that "everything is valid".

func NamespaceOrDefault 

func NamespaceOrDefault(_ string) string

func NormalizeNamespace 

func NormalizeNamespace(_ string) string

func PartitionOrDefault 

func PartitionOrDefault(_ string) string

func RequirePermissionDeniedError 

func RequirePermissionDeniedError(t testing.TB, err error, authz Authorizer, _ *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string)

func RequirePermissionDeniedMessage 

func RequirePermissionDeniedMessage(t testing.TB, msg string, authz interface{}, _ *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string)

func ValidatePolicyName 

func ValidatePolicyName(name string) error

ValidatePolicyName returns nil if the provided name can be used as an ACLPolicy Name otherwise a useful error is returned.

Types

type AccessLevel 

type AccessLevel int
const (
	AccessUnknown AccessLevel = iota
	AccessDeny
	AccessRead
	AccessList
	AccessWrite
)

func AccessLevelFromString 

func AccessLevelFromString(level string) (AccessLevel, error)

func (AccessLevel) String 

func (l AccessLevel) String() string

type AgentRule 

type AgentRule struct {
	Node   string `hcl:",key"`
	Policy string
}

AgentRule represents a rule for working with agent endpoints on nodes with specific name prefixes.

type AllowAuthorizer 

type AllowAuthorizer struct {
	Authorizer
	AccessorID string
}

AllowAuthorizer is a wrapper to expose the *Allowed methods. This and the ToAllowAuthorizer function exist to tide us over until the ResolveResult struct is moved into acl.

func (AllowAuthorizer) ACLReadAllowed 

func (a AllowAuthorizer) ACLReadAllowed(ctx *AuthorizerContext) error

ACLReadAllowed checks for permission to list all the ACLs

func (AllowAuthorizer) ACLWriteAllowed 

func (a AllowAuthorizer) ACLWriteAllowed(ctx *AuthorizerContext) error

ACLWriteAllowed checks for permission to manipulate ACLs

func (AllowAuthorizer) AgentReadAllowed 

func (a AllowAuthorizer) AgentReadAllowed(name string, ctx *AuthorizerContext) error

AgentReadAllowed checks for permission to read from agent endpoints for a given node.

func (AllowAuthorizer) AgentWriteAllowed 

func (a AllowAuthorizer) AgentWriteAllowed(name string, ctx *AuthorizerContext) error

AgentWriteAllowed checks for permission to make changes via agent endpoints for a given node.

func (AllowAuthorizer) EventReadAllowed 

func (a AllowAuthorizer) EventReadAllowed(name string, ctx *AuthorizerContext) error

EventReadAllowed determines if a specific event can be queried.

func (AllowAuthorizer) EventWriteAllowed 

func (a AllowAuthorizer) EventWriteAllowed(name string, ctx *AuthorizerContext) error

EventWriteAllowed determines if a specific event may be fired.

func (AllowAuthorizer) IntentionDefaultAllowAllowed 

func (a AllowAuthorizer) IntentionDefaultAllowAllowed(ctx *AuthorizerContext) error

IntentionDefaultAllowAllowed determines the default authorized behavior when no intentions match a Connect request.

func (AllowAuthorizer) IntentionReadAllowed 

func (a AllowAuthorizer) IntentionReadAllowed(name string, ctx *AuthorizerContext) error

IntentionReadAllowed determines if a specific intention can be read.

func (AllowAuthorizer) IntentionWriteAllowed 

func (a AllowAuthorizer) IntentionWriteAllowed(name string, ctx *AuthorizerContext) error

IntentionWriteAllowed determines if a specific intention can be created, modified, or deleted.

func (AllowAuthorizer) KeyListAllowed 

func (a AllowAuthorizer) KeyListAllowed(name string, ctx *AuthorizerContext) error

KeyListAllowed checks for permission to list keys under a prefix

func (AllowAuthorizer) KeyReadAllowed 

func (a AllowAuthorizer) KeyReadAllowed(name string, ctx *AuthorizerContext) error

KeyReadAllowed checks for permission to read a given key

func (AllowAuthorizer) KeyWriteAllowed 

func (a AllowAuthorizer) KeyWriteAllowed(name string, ctx *AuthorizerContext) error

KeyWriteAllowed checks for permission to write a given key

func (AllowAuthorizer) KeyWritePrefixAllowed 

func (a AllowAuthorizer) KeyWritePrefixAllowed(name string, ctx *AuthorizerContext) error

KeyWritePrefixAllowed checks for permission to write to an entire key prefix. This means there must be no sub-policies that deny a write.

func (AllowAuthorizer) KeyringReadAllowed 

func (a AllowAuthorizer) KeyringReadAllowed(ctx *AuthorizerContext) error

KeyringReadAllowed determines if the encryption keyring used in the gossip layer can be read.

func (AllowAuthorizer) KeyringWriteAllowed 

func (a AllowAuthorizer) KeyringWriteAllowed(ctx *AuthorizerContext) error

KeyringWriteAllowed determines if the keyring can be manipulated

func (AllowAuthorizer) MeshReadAllowed 

func (a AllowAuthorizer) MeshReadAllowed(ctx *AuthorizerContext) error

MeshReadAllowed determines if the read-only Consul mesh functions can be used.

func (AllowAuthorizer) MeshWriteAllowed 

func (a AllowAuthorizer) MeshWriteAllowed(ctx *AuthorizerContext) error

MeshWriteAllowed determines if the state-changing Consul mesh functions can be used.

func (AllowAuthorizer) NodeReadAllAllowed 

func (a AllowAuthorizer) NodeReadAllAllowed(ctx *AuthorizerContext) error

NodeReadAllAllowed checks for permission to read (discover) all nodes.

func (AllowAuthorizer) NodeReadAllowed 

func (a AllowAuthorizer) NodeReadAllowed(name string, ctx *AuthorizerContext) error

NodeReadAllowed checks for permission to read (discover) a given node.

func (AllowAuthorizer) NodeWriteAllowed 

func (a AllowAuthorizer) NodeWriteAllowed(name string, ctx *AuthorizerContext) error

NodeWriteAllowed checks for permission to create or update (register) a given node.

func (AllowAuthorizer) OperatorReadAllowed 

func (a AllowAuthorizer) OperatorReadAllowed(ctx *AuthorizerContext) error

OperatorReadAllowed determines if the read-only Consul operator functions can be used.

func (AllowAuthorizer) OperatorWriteAllowed 

func (a AllowAuthorizer) OperatorWriteAllowed(ctx *AuthorizerContext) error

OperatorWriteAllowed determines if the state-changing Consul operator functions can be used.

func (AllowAuthorizer) PeeringReadAllowed 

func (a AllowAuthorizer) PeeringReadAllowed(ctx *AuthorizerContext) error

PeeringReadAllowed determines if the read-only Consul peering functions can be used.

func (AllowAuthorizer) PeeringWriteAllowed 

func (a AllowAuthorizer) PeeringWriteAllowed(ctx *AuthorizerContext) error

PeeringWriteAllowed determines if the state-changing Consul peering functions can be used.

func (AllowAuthorizer) PreparedQueryReadAllowed 

func (a AllowAuthorizer) PreparedQueryReadAllowed(name string, ctx *AuthorizerContext) error

PreparedQueryReadAllowed determines if a specific prepared query can be read to show its contents (this is not used for execution).

func (AllowAuthorizer) PreparedQueryWriteAllowed 

func (a AllowAuthorizer) PreparedQueryWriteAllowed(name string, ctx *AuthorizerContext) error

PreparedQueryWriteAllowed determines if a specific prepared query can be created, modified, or deleted.

func (AllowAuthorizer) ServiceReadAllAllowed 

func (a AllowAuthorizer) ServiceReadAllAllowed(ctx *AuthorizerContext) error

ServiceReadAllAllowed checks for permission to read all services

func (AllowAuthorizer) ServiceReadAllowed 

func (a AllowAuthorizer) ServiceReadAllowed(name string, ctx *AuthorizerContext) error

ServiceReadAllowed checks for permission to read a given service

func (AllowAuthorizer) ServiceWriteAllowed 

func (a AllowAuthorizer) ServiceWriteAllowed(name string, ctx *AuthorizerContext) error

ServiceWriteAllowed checks for permission to create or update a given service

func (AllowAuthorizer) ServiceWriteAnyAllowed 

func (a AllowAuthorizer) ServiceWriteAnyAllowed(ctx *AuthorizerContext) error

ServiceWriteAnyAllowed checks for write permission on any service

func (AllowAuthorizer) SessionReadAllowed 

func (a AllowAuthorizer) SessionReadAllowed(name string, ctx *AuthorizerContext) error

SessionReadAllowed checks for permission to read sessions for a given node.

func (AllowAuthorizer) SessionWriteAllowed 

func (a AllowAuthorizer) SessionWriteAllowed(name string, ctx *AuthorizerContext) error

SessionWriteAllowed checks for permission to create sessions for a given node.

func (AllowAuthorizer) SnapshotAllowed 

func (a AllowAuthorizer) SnapshotAllowed(ctx *AuthorizerContext) error

SnapshotAllowed checks for permission to take and restore snapshots.

type Authorizer 

type Authorizer interface {
	// ACLRead checks for permission to list all the ACLs
	ACLRead(*AuthorizerContext) EnforcementDecision

	// ACLWrite checks for permission to manipulate ACLs
	ACLWrite(*AuthorizerContext) EnforcementDecision

	// AgentRead checks for permission to read from agent endpoints for a
	// given node.
	AgentRead(string, *AuthorizerContext) EnforcementDecision

	// AgentWrite checks for permission to make changes via agent endpoints
	// for a given node.
	AgentWrite(string, *AuthorizerContext) EnforcementDecision

	// EventRead determines if a specific event can be queried.
	EventRead(string, *AuthorizerContext) EnforcementDecision

	// EventWrite determines if a specific event may be fired.
	EventWrite(string, *AuthorizerContext) EnforcementDecision

	// IntentionDefaultAllow determines the default authorized behavior
	// when no intentions match a Connect request.
	IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision

	// IntentionRead determines if a specific intention can be read.
	IntentionRead(string, *AuthorizerContext) EnforcementDecision

	// IntentionWrite determines if a specific intention can be
	// created, modified, or deleted.
	IntentionWrite(string, *AuthorizerContext) EnforcementDecision

	// KeyList checks for permission to list keys under a prefix
	KeyList(string, *AuthorizerContext) EnforcementDecision

	// KeyRead checks for permission to read a given key
	KeyRead(string, *AuthorizerContext) EnforcementDecision

	// KeyWrite checks for permission to write a given key
	KeyWrite(string, *AuthorizerContext) EnforcementDecision

	// KeyWritePrefix checks for permission to write to an
	// entire key prefix. This means there must be no sub-policies
	// that deny a write.
	KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision

	// KeyringRead determines if the encryption keyring used in
	// the gossip layer can be read.
	KeyringRead(*AuthorizerContext) EnforcementDecision

	// KeyringWrite determines if the keyring can be manipulated
	KeyringWrite(*AuthorizerContext) EnforcementDecision

	// MeshRead determines if the read-only Consul mesh functions
	// can be used.
	MeshRead(*AuthorizerContext) EnforcementDecision

	// MeshWrite determines if the state-changing Consul mesh
	// functions can be used.
	MeshWrite(*AuthorizerContext) EnforcementDecision

	// PeeringRead determines if the read-only Consul peering functions
	// can be used.
	PeeringRead(*AuthorizerContext) EnforcementDecision

	// PeeringWrite determines if the stage-changing Consul peering
	// functions can be used.
	PeeringWrite(*AuthorizerContext) EnforcementDecision

	// NodeRead checks for permission to read (discover) a given node.
	NodeRead(string, *AuthorizerContext) EnforcementDecision

	// NodeReadAll checks for permission to read (discover) all nodes.
	NodeReadAll(*AuthorizerContext) EnforcementDecision

	// NodeWrite checks for permission to create or update (register) a
	// given node.
	NodeWrite(string, *AuthorizerContext) EnforcementDecision

	// OperatorRead determines if the read-only Consul operator functions
	// can be used.
	OperatorRead(*AuthorizerContext) EnforcementDecision

	// OperatorWrite determines if the state-changing Consul operator
	// functions can be used.
	OperatorWrite(*AuthorizerContext) EnforcementDecision

	// PreparedQueryRead determines if a specific prepared query can be read
	// to show its contents (this is not used for execution).
	PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision

	// PreparedQueryWrite determines if a specific prepared query can be
	// created, modified, or deleted.
	PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision

	// ServiceRead checks for permission to read a given service
	ServiceRead(string, *AuthorizerContext) EnforcementDecision

	// ServiceReadAll checks for permission to read all services
	ServiceReadAll(*AuthorizerContext) EnforcementDecision

	// ServiceWrite checks for permission to create or update a given
	// service
	ServiceWrite(string, *AuthorizerContext) EnforcementDecision

	// ServiceWriteAny checks for write permission on any service
	ServiceWriteAny(*AuthorizerContext) EnforcementDecision

	// SessionRead checks for permission to read sessions for a given node.
	SessionRead(string, *AuthorizerContext) EnforcementDecision

	// SessionWrite checks for permission to create sessions for a given
	// node.
	SessionWrite(string, *AuthorizerContext) EnforcementDecision

	// Snapshot checks for permission to take and restore snapshots.
	Snapshot(*AuthorizerContext) EnforcementDecision

	// ToAllowAuthorizer is needed until we can use ResolveResult in all the places this interface is used.
	ToAllowAuthorizer() AllowAuthorizer
	// contains filtered or unexported methods
}

Authorizer is the interface for policy enforcement.

func AllowAll 

func AllowAll() Authorizer

AllowAll returns an Authorizer that allows all operations

func DenyAll 

func DenyAll() Authorizer

DenyAll returns an Authorizer that denies all operations

func ManageAll 

func ManageAll() Authorizer

ManageAll returns an Authorizer that can manage all resources

func NewAuthorizerFromRules 

func NewAuthorizerFromRules(rules string, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error)

NewAuthorizerFromRules is a convenience function to invoke NewPolicyFromSource followed by NewPolicyAuthorizer with the parse policy.

func NewPolicyAuthorizer 

func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error)

NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them

func NewPolicyAuthorizerWithDefaults 

func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error)

NewPolicyAuthorizerWithDefaults will actually created a ChainedAuthorizer with the policies compiled into one Authorizer and the backup policy of the defaultAuthz

func RootAuthorizer 

func RootAuthorizer(id string) Authorizer

RootAuthorizer returns a possible Authorizer if the ID matches a root policy.

TODO: rename this function. While the returned authorizer is used as a root authorizer in some cases, in others it is not. A more appropriate name might be NewAuthorizerFromPolicyName.

type AuthorizerContext 

type AuthorizerContext struct {
	// Peer is the name of the peer that the resource was imported from.
	Peer string
}

AuthorizerContext contains extra information that can be used in the determination of an ACL enforcement decision.

func (*AuthorizerContext) PeerOrEmpty 

func (c *AuthorizerContext) PeerOrEmpty() string

type ChainedAuthorizer 

type ChainedAuthorizer struct {
	// contains filtered or unexported fields
}

ChainedAuthorizer can combine multiple Authorizers into one. Each Authorizer in the chain is asked (in order) for an enforcement decision. The first non-Default decision that is rendered by an Authorizer in the chain will be used as the overall decision of the ChainedAuthorizer

func NewChainedAuthorizer 

func NewChainedAuthorizer(chain []Authorizer) *ChainedAuthorizer

NewChainedAuthorizer creates a ChainedAuthorizer with the provided chain of Authorizers. The slice provided should be in the order of most precedent Authorizer at the beginning and least precedent Authorizer at the end.

func (*ChainedAuthorizer) ACLRead 

func (c *ChainedAuthorizer) ACLRead(entCtx *AuthorizerContext) EnforcementDecision

ACLRead checks for permission to list all the ACLs

func (*ChainedAuthorizer) ACLWrite 

func (c *ChainedAuthorizer) ACLWrite(entCtx *AuthorizerContext) EnforcementDecision

ACLWrite checks for permission to manipulate ACLs

func (*ChainedAuthorizer) AgentRead 

func (c *ChainedAuthorizer) AgentRead(node string, entCtx *AuthorizerContext) EnforcementDecision

AgentRead checks for permission to read from agent endpoints for a given node.

func (*ChainedAuthorizer) AgentWrite 

func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *AuthorizerContext) EnforcementDecision

AgentWrite checks for permission to make changes via agent endpoints for a given node.

func (*ChainedAuthorizer) AuthorizerChain 

func (c *ChainedAuthorizer) AuthorizerChain() []Authorizer

func (*ChainedAuthorizer) EventRead 

func (c *ChainedAuthorizer) EventRead(name string, entCtx *AuthorizerContext) EnforcementDecision

EventRead determines if a specific event can be queried.

func (*ChainedAuthorizer) EventWrite 

func (c *ChainedAuthorizer) EventWrite(name string, entCtx *AuthorizerContext) EnforcementDecision

EventWrite determines if a specific event may be fired.

func (*ChainedAuthorizer) IntentionDefaultAllow 

func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *AuthorizerContext) EnforcementDecision

IntentionDefaultAllow determines the default authorized behavior when no intentions match a Connect request.

func (*ChainedAuthorizer) IntentionRead 

func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *AuthorizerContext) EnforcementDecision

IntentionRead determines if a specific intention can be read.

func (*ChainedAuthorizer) IntentionWrite 

func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *AuthorizerContext) EnforcementDecision

IntentionWrite determines if a specific intention can be created, modified, or deleted.

func (*ChainedAuthorizer) KeyList 

func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision

KeyList checks for permission to list keys under a prefix

func (*ChainedAuthorizer) KeyRead 

func (c *ChainedAuthorizer) KeyRead(key string, entCtx *AuthorizerContext) EnforcementDecision

KeyRead checks for permission to read a given key

func (*ChainedAuthorizer) KeyWrite 

func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision

KeyWrite checks for permission to write a given key

func (*ChainedAuthorizer) KeyWritePrefix 

func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision

KeyWritePrefix checks for permission to write to an entire key prefix. This means there must be no sub-policies that deny a write.

func (*ChainedAuthorizer) KeyringRead 

func (c *ChainedAuthorizer) KeyringRead(entCtx *AuthorizerContext) EnforcementDecision

KeyringRead determines if the encryption keyring used in the gossip layer can be read.

func (*ChainedAuthorizer) KeyringWrite 

func (c *ChainedAuthorizer) KeyringWrite(entCtx *AuthorizerContext) EnforcementDecision

KeyringWrite determines if the keyring can be manipulated

func (*ChainedAuthorizer) MeshRead 

func (c *ChainedAuthorizer) MeshRead(entCtx *AuthorizerContext) EnforcementDecision

MeshRead determines if the read-only Consul mesh functions can be used.

func (*ChainedAuthorizer) MeshWrite 

func (c *ChainedAuthorizer) MeshWrite(entCtx *AuthorizerContext) EnforcementDecision

MeshWrite determines if the state-changing Consul mesh functions can be used.

func (*ChainedAuthorizer) NodeRead 

func (c *ChainedAuthorizer) NodeRead(node string, entCtx *AuthorizerContext) EnforcementDecision

NodeRead checks for permission to read (discover) a given node.

func (*ChainedAuthorizer) NodeReadAll 

func (c *ChainedAuthorizer) NodeReadAll(entCtx *AuthorizerContext) EnforcementDecision

func (*ChainedAuthorizer) NodeWrite 

func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *AuthorizerContext) EnforcementDecision

NodeWrite checks for permission to create or update (register) a given node.

func (*ChainedAuthorizer) OperatorRead 

func (c *ChainedAuthorizer) OperatorRead(entCtx *AuthorizerContext) EnforcementDecision

OperatorRead determines if the read-only Consul operator functions can be used.

func (*ChainedAuthorizer) OperatorWrite 

func (c *ChainedAuthorizer) OperatorWrite(entCtx *AuthorizerContext) EnforcementDecision

OperatorWrite determines if the state-changing Consul operator functions can be used.

func (*ChainedAuthorizer) PeeringRead 

func (c *ChainedAuthorizer) PeeringRead(entCtx *AuthorizerContext) EnforcementDecision

PeeringRead determines if the read-only Consul peering functions can be used.

func (*ChainedAuthorizer) PeeringWrite 

func (c *ChainedAuthorizer) PeeringWrite(entCtx *AuthorizerContext) EnforcementDecision

PeeringWrite determines if the state-changing Consul peering functions can be used.

func (*ChainedAuthorizer) PreparedQueryRead 

func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *AuthorizerContext) EnforcementDecision

PreparedQueryRead determines if a specific prepared query can be read to show its contents (this is not used for execution).

func (*ChainedAuthorizer) PreparedQueryWrite 

func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *AuthorizerContext) EnforcementDecision

PreparedQueryWrite determines if a specific prepared query can be created, modified, or deleted.

func (*ChainedAuthorizer) ServiceRead 

func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *AuthorizerContext) EnforcementDecision

ServiceRead checks for permission to read a given service

func (*ChainedAuthorizer) ServiceReadAll 

func (c *ChainedAuthorizer) ServiceReadAll(entCtx *AuthorizerContext) EnforcementDecision

func (*ChainedAuthorizer) ServiceWrite 

func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext) EnforcementDecision

ServiceWrite checks for permission to create or update a given service

func (*ChainedAuthorizer) ServiceWriteAny 

func (c *ChainedAuthorizer) ServiceWriteAny(entCtx *AuthorizerContext) EnforcementDecision

ServiceWriteAny checks for write permission on any service

func (*ChainedAuthorizer) SessionRead 

func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision

SessionRead checks for permission to read sessions for a given node.

func (*ChainedAuthorizer) SessionWrite 

func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *AuthorizerContext) EnforcementDecision

SessionWrite checks for permission to create sessions for a given node.

func (*ChainedAuthorizer) Snapshot 

func (c *ChainedAuthorizer) Snapshot(entCtx *AuthorizerContext) EnforcementDecision

Snapshot checks for permission to take and restore snapshots.

func (*ChainedAuthorizer) ToAllowAuthorizer 

func (c *ChainedAuthorizer) ToAllowAuthorizer() AllowAuthorizer

type Config 

type Config struct {
	// WildcardName is the string that represents a request to authorize a wildcard permission
	WildcardName string

	// embedded enterprise configuration
	EnterpriseConfig
}

Config encapsulates all of the generic configuration parameters used for policy parsing and enforcement

func (*Config) Close 

func (c *Config) Close()

Close will relinquish any resources this Config might be holding on to or managing.

func (*Config) GetWildcardName 

func (c *Config) GetWildcardName() string

GetWildcardName will retrieve the configured wildcard name or provide a default in the case that the config is Nil or the wildcard name is unset.

type EnforcementDecision 

type EnforcementDecision int
const (
	// Deny returned from an Authorizer enforcement method indicates
	// that a corresponding rule was found and that access should be denied
	Deny EnforcementDecision = iota
	// Allow returned from an Authorizer enforcement method indicates
	// that a corresponding rule was found and that access should be allowed
	Allow
	// Default returned from an Authorizer enforcement method indicates
	// that a corresponding rule was not found and that whether access
	// should be granted or denied should be deferred to the default
	// access level
	Default
)

func Enforce 

func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error)

func (EnforcementDecision) String 

func (d EnforcementDecision) String() string

type EnterpriseConfig 

type EnterpriseConfig struct {
}

func (*EnterpriseConfig) Close 

func (_ *EnterpriseConfig) Close()

type EnterpriseMeta 

type EnterpriseMeta struct{}

EnterpriseMeta stub

func DefaultEnterpriseMeta 

func DefaultEnterpriseMeta() *EnterpriseMeta

func NewEnterpriseMetaWithPartition 

func NewEnterpriseMetaWithPartition(_, _ string) EnterpriseMeta

func WildcardEnterpriseMeta 

func WildcardEnterpriseMeta() *EnterpriseMeta

func (*EnterpriseMeta) AddToHash 

func (m *EnterpriseMeta) AddToHash(_ hash.Hash, _ bool)

func (*EnterpriseMeta) EstimateSize 

func (m *EnterpriseMeta) EstimateSize() int

func (*EnterpriseMeta) FillAuthzContext 

func (_ *EnterpriseMeta) FillAuthzContext(_ *AuthorizerContext)

FillAuthzContext stub

func (*EnterpriseMeta) InDefaultNamespace 

func (m *EnterpriseMeta) InDefaultNamespace() bool

func (*EnterpriseMeta) InDefaultPartition 

func (m *EnterpriseMeta) InDefaultPartition() bool

func (*EnterpriseMeta) IsSame 

func (m *EnterpriseMeta) IsSame(_ *EnterpriseMeta) bool

func (*EnterpriseMeta) LessThan 

func (m *EnterpriseMeta) LessThan(_ *EnterpriseMeta) bool

func (*EnterpriseMeta) Matches 

func (m *EnterpriseMeta) Matches(_ *EnterpriseMeta) bool

func (*EnterpriseMeta) Merge 

func (m *EnterpriseMeta) Merge(_ *EnterpriseMeta)

func (*EnterpriseMeta) MergeNoWildcard 

func (m *EnterpriseMeta) MergeNoWildcard(_ *EnterpriseMeta)

func (*EnterpriseMeta) NamespaceOrDefault 

func (m *EnterpriseMeta) NamespaceOrDefault() string

func (*EnterpriseMeta) NamespaceOrEmpty 

func (m *EnterpriseMeta) NamespaceOrEmpty() string

func (*EnterpriseMeta) Normalize 

func (_ *EnterpriseMeta) Normalize()

func (*EnterpriseMeta) NormalizeNamespace 

func (_ *EnterpriseMeta) NormalizeNamespace()

func (*EnterpriseMeta) NormalizePartition 

func (_ *EnterpriseMeta) NormalizePartition()

func (*EnterpriseMeta) OverridePartition 

func (m *EnterpriseMeta) OverridePartition(_ string)

func (*EnterpriseMeta) PartitionOrDefault 

func (m *EnterpriseMeta) PartitionOrDefault() string

func (*EnterpriseMeta) PartitionOrEmpty 

func (m *EnterpriseMeta) PartitionOrEmpty() string

func (*EnterpriseMeta) ToEnterprisePolicyMeta 

func (m *EnterpriseMeta) ToEnterprisePolicyMeta() *EnterprisePolicyMeta

func (*EnterpriseMeta) UnsetPartition 

func (m *EnterpriseMeta) UnsetPartition()

func (*EnterpriseMeta) WithWildcardNamespace 

func (m *EnterpriseMeta) WithWildcardNamespace() *EnterpriseMeta

type EnterprisePolicyMeta 

type EnterprisePolicyMeta struct{}

EnterprisePolicyMeta stub

type EnterprisePolicyRules 

type EnterprisePolicyRules struct{}

EnterprisePolicyRules stub

func (*EnterprisePolicyRules) Validate 

func (r *EnterprisePolicyRules) Validate(*Config) error

type EnterpriseRule 

type EnterpriseRule struct{}

EnterpriseRule stub

func (*EnterpriseRule) Validate 

func (r *EnterpriseRule) Validate(string, *Config) error

type EventRule 

type EventRule struct {
	Event  string `hcl:",key"`
	Policy string
}

EventRule represents a user event rule.

type ExportFetcher 

type ExportFetcher interface {
	// ExportsForPartition returns the config entry defining exports for a partition
	ExportsForPartition(partition string) ExportedServices
}

type ExportedServices 

type ExportedServices struct {
	// Data is a map of [namespace] -> [service] -> [list of partitions the service is exported to]
	// This includes both the names of typical service instances and their corresponding sidecar proxy
	// instance names. Meaning that if "web" is exported, "web-sidecar-proxy" instances will also be
	// shown as exported.
	Data map[string]map[string][]string
}

type KeyRule 

type KeyRule struct {
	Prefix string `hcl:",key"`
	Policy string

	EnterpriseRule `hcl:",squash"`
}

KeyRule represents a rule for a key

type MockAuthorizer 

type MockAuthorizer struct {
	mock.Mock
}

func (*MockAuthorizer) ACLRead 

func (m *MockAuthorizer) ACLRead(ctx *AuthorizerContext) EnforcementDecision

ACLRead checks for permission to list all the ACLs

func (*MockAuthorizer) ACLWrite 

func (m *MockAuthorizer) ACLWrite(ctx *AuthorizerContext) EnforcementDecision

ACLWrite checks for permission to manipulate ACLs

func (*MockAuthorizer) AgentRead 

func (m *MockAuthorizer) AgentRead(segment string, ctx *AuthorizerContext) EnforcementDecision

AgentRead checks for permission to read from agent endpoints for a given node.

func (*MockAuthorizer) AgentWrite 

func (m *MockAuthorizer) AgentWrite(segment string, ctx *AuthorizerContext) EnforcementDecision

AgentWrite checks for permission to make changes via agent endpoints for a given node.

func (*MockAuthorizer) EventRead 

func (m *MockAuthorizer) EventRead(segment string, ctx *AuthorizerContext) EnforcementDecision

EventRead determines if a specific event can be queried.

func (*MockAuthorizer) EventWrite 

func (m *MockAuthorizer) EventWrite(segment string, ctx *AuthorizerContext) EnforcementDecision

EventWrite determines if a specific event may be fired.

func (*MockAuthorizer) IntentionDefaultAllow 

func (m *MockAuthorizer) IntentionDefaultAllow(ctx *AuthorizerContext) EnforcementDecision

IntentionDefaultAllow determines the default authorized behavior when no intentions match a Connect request.

func (*MockAuthorizer) IntentionRead 

func (m *MockAuthorizer) IntentionRead(segment string, ctx *AuthorizerContext) EnforcementDecision

IntentionRead determines if a specific intention can be read.

func (*MockAuthorizer) IntentionWrite 

func (m *MockAuthorizer) IntentionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision

IntentionWrite determines if a specific intention can be created, modified, or deleted.

func (*MockAuthorizer) KeyList 

func (m *MockAuthorizer) KeyList(segment string, ctx *AuthorizerContext) EnforcementDecision

KeyList checks for permission to list keys under a prefix

func (*MockAuthorizer) KeyRead 

func (m *MockAuthorizer) KeyRead(segment string, ctx *AuthorizerContext) EnforcementDecision

KeyRead checks for permission to read a given key

func (*MockAuthorizer) KeyWrite 

func (m *MockAuthorizer) KeyWrite(segment string, ctx *AuthorizerContext) EnforcementDecision

KeyWrite checks for permission to write a given key

func (*MockAuthorizer) KeyWritePrefix 

func (m *MockAuthorizer) KeyWritePrefix(segment string, ctx *AuthorizerContext) EnforcementDecision

KeyWritePrefix checks for permission to write to an entire key prefix. This means there must be no sub-policies that deny a write.

func (*MockAuthorizer) KeyringRead 

func (m *MockAuthorizer) KeyringRead(ctx *AuthorizerContext) EnforcementDecision

KeyringRead determines if the encryption keyring used in the gossip layer can be read.

func (*MockAuthorizer) KeyringWrite 

func (m *MockAuthorizer) KeyringWrite(ctx *AuthorizerContext) EnforcementDecision

KeyringWrite determines if the keyring can be manipulated

func (*MockAuthorizer) MeshRead 

func (m *MockAuthorizer) MeshRead(ctx *AuthorizerContext) EnforcementDecision

func (*MockAuthorizer) MeshWrite 

func (m *MockAuthorizer) MeshWrite(ctx *AuthorizerContext) EnforcementDecision

func (*MockAuthorizer) NamespaceRead 

func (m *MockAuthorizer) NamespaceRead(s string, ctx *AuthorizerContext) EnforcementDecision

func (*MockAuthorizer) NamespaceWrite 

func (m *MockAuthorizer) NamespaceWrite(s string, ctx *AuthorizerContext) EnforcementDecision

func (*MockAuthorizer) NodeRead 

func (m *MockAuthorizer) NodeRead(segment string, ctx *AuthorizerContext) EnforcementDecision

NodeRead checks for permission to read (discover) a given node.

func (*MockAuthorizer) NodeReadAll 

func (m *MockAuthorizer) NodeReadAll(ctx *AuthorizerContext) EnforcementDecision

func (*MockAuthorizer) NodeWrite 

func (m *MockAuthorizer) NodeWrite(segment string, ctx *AuthorizerContext) EnforcementDecision

NodeWrite checks for permission to create or update (register) a given node.

func (*MockAuthorizer) OperatorRead 

func (m *MockAuthorizer) OperatorRead(ctx *AuthorizerContext) EnforcementDecision

OperatorRead determines if the read-only Consul operator functions can be used. ret := m.Called(segment, ctx)

func (*MockAuthorizer) OperatorWrite 

func (m *MockAuthorizer) OperatorWrite(ctx *AuthorizerContext) EnforcementDecision

OperatorWrite determines if the state-changing Consul operator functions can be used.

func (*MockAuthorizer) PeeringRead 

func (m *MockAuthorizer) PeeringRead(ctx *AuthorizerContext) EnforcementDecision

PeeringRead determines if the read-only Consul peering functions can be used.

func (*MockAuthorizer) PeeringWrite 

func (m *MockAuthorizer) PeeringWrite(ctx *AuthorizerContext) EnforcementDecision

PeeringWrite determines if the state-changing Consul peering functions can be used.

func (*MockAuthorizer) PreparedQueryRead 

func (m *MockAuthorizer) PreparedQueryRead(segment string, ctx *AuthorizerContext) EnforcementDecision

PreparedQueryRead determines if a specific prepared query can be read to show its contents (this is not used for execution).

func (*MockAuthorizer) PreparedQueryWrite 

func (m *MockAuthorizer) PreparedQueryWrite(segment string, ctx *AuthorizerContext) EnforcementDecision

PreparedQueryWrite determines if a specific prepared query can be created, modified, or deleted.

func (*MockAuthorizer) ServiceRead 

func (m *MockAuthorizer) ServiceRead(segment string, ctx *AuthorizerContext) EnforcementDecision

ServiceRead checks for permission to read a given service

func (*MockAuthorizer) ServiceReadAll 

func (m *MockAuthorizer) ServiceReadAll(ctx *AuthorizerContext) EnforcementDecision

func (*MockAuthorizer) ServiceWrite 

func (m *MockAuthorizer) ServiceWrite(segment string, ctx *AuthorizerContext) EnforcementDecision

ServiceWrite checks for permission to create or update a given service

func (*MockAuthorizer) ServiceWriteAny 

func (m *MockAuthorizer) ServiceWriteAny(ctx *AuthorizerContext) EnforcementDecision

ServiceWriteAny checks for service:write on any service

func (*MockAuthorizer) SessionRead 

func (m *MockAuthorizer) SessionRead(segment string, ctx *AuthorizerContext) EnforcementDecision

SessionRead checks for permission to read sessions for a given node.

func (*MockAuthorizer) SessionWrite 

func (m *MockAuthorizer) SessionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision

SessionWrite checks for permission to create sessions for a given node.

func (*MockAuthorizer) Snapshot 

func (m *MockAuthorizer) Snapshot(ctx *AuthorizerContext) EnforcementDecision

Snapshot checks for permission to take and restore snapshots.

func (*MockAuthorizer) ToAllowAuthorizer 

func (p *MockAuthorizer) ToAllowAuthorizer() AllowAuthorizer

type NodeRule 

type NodeRule struct {
	Name   string `hcl:",key"`
	Policy string

	EnterpriseRule `hcl:",squash"`
}

NodeRule represents a rule for a node

type PermissionDeniedError 

type PermissionDeniedError struct {
	Cause string

	// Accessor contains information on the accessor used e.g. "token <GUID>"
	Accessor string
	// Resource (e.g. Service)
	Resource Resource
	// Access level (e.g. Read)
	AccessLevel AccessLevel
	// e.g. "sidecar-proxy-1"
	ResourceID ResourceDescriptor
}

Arguably this should be some sort of union type. The usage of Cause and the rest of the fields is entirely disjoint.

func PermissionDenied 

func PermissionDenied(msg string, args ...interface{}) PermissionDeniedError

func PermissionDeniedByACL 

func PermissionDeniedByACL(authz Authorizer, context *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string) PermissionDeniedError

TODO Extract information from Authorizer

func PermissionDeniedByACLUnnamed 

func PermissionDeniedByACLUnnamed(authz Authorizer, context *AuthorizerContext, resource Resource, accessLevel AccessLevel) PermissionDeniedError

func (PermissionDeniedError) Error 

func (e PermissionDeniedError) Error() string

Initially we may not have attribution information; that will become more complete as we work this change through There are generally three classes of errors 1) Named entities without a context 2) Unnamed entities with a context 3) Completely context free checks (global permissions) 4) Errors that only have a cause (for example bad token)

type Policy 

type Policy struct {
	PolicyRules           `hcl:",squash"`
	EnterprisePolicyRules `hcl:",squash"`
}

Policy is used to represent the policy specified by an ACL configuration.

func MergePolicies 

func MergePolicies(policies []*Policy) *Policy

func NewPolicyFromSource 

func NewPolicyFromSource(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error)

NewPolicyFromSource is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

type PolicyMerger 

type PolicyMerger struct {
	// contains filtered or unexported fields
}

func (*PolicyMerger) Merge 

func (m *PolicyMerger) Merge(policy *Policy)

func (*PolicyMerger) Policy 

func (m *PolicyMerger) Policy() *Policy

Policy outputs the merged policy

type PolicyRules 

type PolicyRules struct {
	ACL                   string               `hcl:"acl,expand"`
	Agents                []*AgentRule         `hcl:"agent,expand"`
	AgentPrefixes         []*AgentRule         `hcl:"agent_prefix,expand"`
	Keys                  []*KeyRule           `hcl:"key,expand"`
	KeyPrefixes           []*KeyRule           `hcl:"key_prefix,expand"`
	Nodes                 []*NodeRule          `hcl:"node,expand"`
	NodePrefixes          []*NodeRule          `hcl:"node_prefix,expand"`
	Services              []*ServiceRule       `hcl:"service,expand"`
	ServicePrefixes       []*ServiceRule       `hcl:"service_prefix,expand"`
	Sessions              []*SessionRule       `hcl:"session,expand"`
	SessionPrefixes       []*SessionRule       `hcl:"session_prefix,expand"`
	Events                []*EventRule         `hcl:"event,expand"`
	EventPrefixes         []*EventRule         `hcl:"event_prefix,expand"`
	PreparedQueries       []*PreparedQueryRule `hcl:"query,expand"`
	PreparedQueryPrefixes []*PreparedQueryRule `hcl:"query_prefix,expand"`
	Keyring               string               `hcl:"keyring"`
	Operator              string               `hcl:"operator"`
	Mesh                  string               `hcl:"mesh"`
	Peering               string               `hcl:"peering"`
}

func (*PolicyRules) Validate 

func (pr *PolicyRules) Validate(conf *Config) error

type PreparedQueryRule 

type PreparedQueryRule struct {
	Prefix string `hcl:",key"`
	Policy string
}

PreparedQueryRule represents a prepared query rule.

type Resource 

type Resource string
const (
	ResourceACL       Resource = "acl"
	ResourceAgent     Resource = "agent"
	ResourceEvent     Resource = "event"
	ResourceIntention Resource = "intention"
	ResourceKey       Resource = "key"
	ResourceKeyring   Resource = "keyring"
	ResourceNode      Resource = "node"
	ResourceOperator  Resource = "operator"
	ResourceMesh      Resource = "mesh"
	ResourceQuery     Resource = "query"
	ResourceService   Resource = "service"
	ResourceSession   Resource = "session"
	ResourcePeering   Resource = "peering"
)

type ResourceDescriptor 

type ResourceDescriptor struct {
	Name string
}

In some sense we really want this to contain an EnterpriseMeta, but this turns out to be a convenient place to hang helper functions off of.

func NewResourceDescriptor 

func NewResourceDescriptor(name string, _ *AuthorizerContext) ResourceDescriptor

func (*ResourceDescriptor) ToString 

func (od *ResourceDescriptor) ToString() string

type ServiceRule 

type ServiceRule struct {
	Name   string `hcl:",key"`
	Policy string

	// Intentions is the policy for intentions where this service is the
	// destination. This may be empty, in which case the Policy determines
	// the intentions policy.
	Intentions string

	EnterpriseRule `hcl:",squash"`
}

ServiceRule represents a policy for a service

type SessionRule 

type SessionRule struct {
	Node   string `hcl:",key"`
	Policy string
}

SessionRule represents a rule for making sessions tied to specific node name prefixes.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.