policy

package
v2.2.4+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 1, 2021 License: AGPL-3.0 Imports: 20 Imported by: 0

Documentation

Overview

Package policy provides advanced policy features to fine tune end-user permissions.

Index

Constants

This section is empty.

Variables

View Source 
var (
	// DefaultPolicyGroups provides some sample policies to Admin Users.
	// Note that Name and Description fields are generally i18nized
	// that is why we rather declare here the corresponding message IDs.
	DefaultPolicyGroups = []*idm.PolicyGroup{
		{
			Uuid:          "public-access",
			Name:          "PolicyGroup.PublicAccess.Title",
			Description:   "PolicyGroup.PublicAccess.Description",
			ResourceGroup: idm.PolicyResourceGroup_rest,
			Policies: []*idm.Policy{
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "discovery-policy",
					Description: "PolicyGroup.PublicAccess.Rule1",
					Subjects:    []string{"profile:anon"},
					Resources:   []string{"rest:/config/discovery<.*>"},
					Actions:     []string{"GET"},
					Effect:      ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "reset-password-policy",
					Description: "PolicyGroup.PublicAccess.Rule2",
					Subjects:    []string{"profile:anon"},
					Resources:   []string{"rest:/auth/reset-password<.*>"},
					Actions:     []string{"PUT", "POST"},
					Effect:      ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "frontend-state",
					Description: "PolicyGroup.PublicAccess.Rule3",
					Subjects:    []string{"profile:anon"},
					Resources:   []string{"rest:/frontend/<.*>"},
					Actions:     []string{"GET"},
					Effect:      ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "frontend-auth",
					Description: "PolicyGroup.PublicAccess.Rule4",
					Subjects:    []string{"profile:anon"},
					Resources:   []string{"rest:/frontend/session"},
					Actions:     []string{"POST"},
					Effect:      ladon.AllowAccess,
				}),
			},
		},

		{
			Uuid:          "public-access-install",
			Name:          "PolicyGroup.PublicInstall.Title",
			Description:   "PolicyGroup.PublicInstall.Description",
			ResourceGroup: idm.PolicyResourceGroup_rest,
			Policies: []*idm.Policy{
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "install-policy",
					Description: "PolicyGroup.PublicInstall.Rule1",
					Subjects:    []string{"profile:anon"},
					Resources:   []string{"rest:/install"},
					Actions:     []string{"GET", "POST"},
					Effect:      ladon.AllowAccess,
				}),
			},
		},

		{
			Uuid:          "rest-apis-default-accesses",
			Name:          "PolicyGroup.LoggedUsers.Title",
			Description:   "PolicyGroup.LoggedUsers.Description",
			ResourceGroup: idm.PolicyResourceGroup_rest,
			Policies: []*idm.Policy{
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "admin-default-policy",
					Description: "PolicyGroup.LoggedUsers.Rule1",
					Subjects:    []string{"profile:admin"},
					Resources:   []string{"rest:<.+>"},
					Actions:     []string{"GET", "POST", "DELETE", "PUT", "PATCH"},
					Effect:      ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "user-default-policy",
					Description: "PolicyGroup.LoggedUsers.Rule2",
					Subjects:    []string{"profile:standard", "profile:shared"},
					Resources: []string{
						"rest:/user",
						"rest:/user/<.+>",
						"rest:/workspace",
						"rest:/role",
						"rest:/role/<.+>",
						"rest:/graph<.+>",
						"rest:/jobs/user",
						"rest:/jobs/user<.+>",
						"rest:/meta<.+>",
						"rest:/mailer/send",
						"rest:/search/nodes",
						"rest:/share<.+>",
						"rest:/activity<.+>",
						"rest:/changes",
						"rest:/changes<.+>",
						"rest:/tree/create",
						"rest:/tree/delete",
						"rest:/tree/restore",
						"rest:/tree/selection",
						"rest:/tree/stat/<.+>",
						"rest:/tree/stats",
						"rest:/templates",
						"rest:/auth/token/document",
					},
					Actions: []string{"GET", "POST", "DELETE", "PUT", "PATCH"},
					Effect:  ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "user-meta-read",
					Description: "PolicyGroup.LoggedUsers.Rule3",
					Subjects:    []string{"profile:standard", "profile:shared"},
					Resources: []string{
						"rest:/user-meta/bookmarks",
						"rest:/user-meta/namespace",
						"rest:/user-meta/search",
						"rest:/user-meta/tags/<.+>",
					},
					Actions: []string{"GET", "POST"},
					Effect:  ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "user-meta-put",
					Description: "PolicyGroup.LoggedUsers.Rule4",
					Subjects:    []string{"profile:standard", "profile:shared"},
					Resources: []string{
						"rest:/user-meta/update",
					},
					Actions: []string{"PUT"},
					Effect:  ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "frontend-read",
					Description: "PolicyGroup.LoggedUsers.Rule5",
					Subjects:    []string{"profile:standard", "profile:shared"},
					Resources: []string{
						"rest:/frontend/<.*>",
					},
					Actions: []string{"GET"},
					Effect:  ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "frontend-post",
					Description: "PolicyGroup.LoggedUsers.Rule6",
					Subjects:    []string{"profile:standard", "profile:shared"},
					Resources: []string{
						"rest:/frontend/binaries/USER/<.+>",
						"rest:/frontend/enroll",
						"rest:/frontend/session",
					},
					Actions: []string{"POST"},
					Effect:  ladon.AllowAccess,
				}),
			},
		},

		{
			Uuid:          "oidc-actions-policies",
			Name:          "PolicyGroup.OIDC.Title",
			Description:   "PolicyGroup.OIDC.Description",
			ResourceGroup: idm.PolicyResourceGroup_oidc,
			Policies: []*idm.Policy{
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "all-users-login",
					Description: "PolicyGroup.OIDC.Rule1",
					Subjects:    []string{"user:<.+>", "profile:<.+>", "role:<.+>"},
					Resources:   []string{"oidc"},
					Actions:     []string{"login"},
					Effect:      ladon.AllowAccess,
				}),
			},
		},

		{
			Uuid:          "sample-acl-policy",
			Name:          "PolicyGroup.ACLSample1.Title",
			Description:   "PolicyGroup.ACLSample1.Description",
			ResourceGroup: idm.PolicyResourceGroup_acl,
			Policies: []*idm.Policy{
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "acl-complex-rule1",
					Description: "PolicyGroup.ACLSample1.Rule1",
					Subjects:    []string{"policy:sample-acl-policy"},
					Resources:   []string{"acl"},
					Actions:     []string{"read", "write"},
					Effect:      ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "acl-complex-rule2",
					Description: "PolicyGroup.ACLSample1.Rule2",
					Subjects:    []string{"policy:sample-acl-policy"},
					Resources:   []string{"acl"},
					Actions:     []string{"write"},
					Effect:      ladon.DenyAccess,
					Conditions: ladon.Conditions{
						servicecontext.HttpMetaRemoteAddress: &conditions.StringNotMatchCondition{
							Matches: "localhost|127.0.0.1|::1",
						},
						permissions.PolicyNodeMetaName: &ladon.StringMatchCondition{
							Matches: "target",
						},
					},
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "acl-complex-rule3",
					Description: "PolicyGroup.ACLSample1.Rule3",
					Subjects:    []string{"policy:sample-acl-policy"},
					Resources:   []string{"acl"},
					Actions:     []string{"read"},
					Effect:      ladon.DenyAccess,
					Conditions: ladon.Conditions{
						servicecontext.HttpMetaRemoteAddress: &conditions.StringNotMatchCondition{
							Matches: "localhost|127.0.0.1|::1",
						},
						permissions.PolicyNodeMetaName: &ladon.StringMatchCondition{
							Matches: "(.+)\\.png",
						},
					},
				}),
			},
		},

		{
			Uuid:          "limited-period-access-acl-policy2",
			Name:          "PolicyGroup.ACLSamplePeriod.Title",
			Description:   "PolicyGroup.ACLSamplePeriod.Description",
			ResourceGroup: idm.PolicyResourceGroup_acl,
			Policies: []*idm.Policy{
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "acl-temporary-access2",
					Description: "PolicyGroup.ACLSamplePeriod.Rule1",
					Subjects:    []string{"policy:limited-period-access-acl-policy2"},
					Resources:   []string{"acl"},
					Actions:     []string{"write", "read"},
					Effect:      ladon.AllowAccess,
					Conditions: ladon.Conditions{
						servicecontext.ClientTime: &conditions.WithinPeriodCondition{
							Matches: "2018-02-01T00:00+0100/2018-04-01T00:00+0100",
						},
					},
				}),
			},
		},

		{
			Uuid:          "no-access-after-acl-policy",
			Name:          "PolicyGroup.ACLSampleDateDisable.Title",
			Description:   "PolicyGroup.ACLSampleDateDisable.Description",
			ResourceGroup: idm.PolicyResourceGroup_acl,
			Policies: []*idm.Policy{
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "acl-date-rule1",
					Description: "PolicyGroup.ACLSampleDateDisable.Rule1",
					Subjects:    []string{"policy:no-access-after-acl-policy"},
					Resources:   []string{"acl"},
					Actions:     []string{"read", "write"},
					Effect:      ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "acl-date-rule2",
					Description: "PolicyGroup.ACLSampleDateDisable.Rule2",
					Subjects:    []string{"policy:no-access-after-acl-policy"},
					Resources:   []string{"acl"},
					Actions:     []string{"read", "write"},
					Effect:      ladon.DenyAccess,
					Conditions: ladon.Conditions{
						servicecontext.ServerTime: &conditions.DateAfterCondition{
							Matches: "2018-02-28T23:59+0100",
						},
					},
				}),
			},
		},

		{
			Uuid:          "office-hours-access-acl-policy",
			Name:          "PolicyGroup.ACLSampleBusinessHours.Title",
			Description:   "PolicyGroup.ACLSampleBusinessHours.Description",
			ResourceGroup: idm.PolicyResourceGroup_acl,
			Policies: []*idm.Policy{
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "acl-office-hours-rule",
					Description: "PolicyGroup.ACLSampleBusinessHours.Rule1",
					Subjects:    []string{"policy:office-hours-access-acl-policy"},
					Resources:   []string{"acl"},
					Actions:     []string{"read", "write"},
					Effect:      ladon.AllowAccess,
					Conditions: ladon.Conditions{
						servicecontext.ClientTime: &conditions.OfficeHoursCondition{
							Matches: "Monday-Friday/09:00/18:30",
						},
					},
				}),
			},
		},

		{
			Uuid:          "no-external-access-acl-policy",
			Name:          "PolicyGroup.ACLSampleExternalIP.Title",
			Description:   "PolicyGroup.ACLSampleExternalIP.Description",
			ResourceGroup: idm.PolicyResourceGroup_acl,
			Policies: []*idm.Policy{
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "acl-complex-rule4",
					Description: "PolicyGroup.ACLSampleExternalIP.Rule1",
					Subjects:    []string{"policy:no-external-access-acl-policy"},
					Resources:   []string{"acl"},
					Actions:     []string{"read", "write"},
					Effect:      ladon.AllowAccess,
				}),
				converter.LadonToProtoPolicy(&ladon.DefaultPolicy{
					ID:          "acl-complex-rule5",
					Description: "PolicyGroup.ACLSampleExternalIP.Rule2",
					Subjects:    []string{"policy:no-external-access-acl-policy"},
					Resources:   []string{"acl"},
					Actions:     []string{"read", "write"},
					Effect:      ladon.DenyAccess,
					Conditions: ladon.Conditions{
						servicecontext.HttpMetaRemoteAddress: &conditions.StringNotMatchCondition{
							Matches: "localhost|127.0.0.1|::1",
						},
					},
				}),
			},
		},
	}
)

Functions

func InitDefaults 

func InitDefaults(ctx context.Context) error

InitDefaults is called once at first launch to create default policy groups.

func NewDAO 

func NewDAO(o dao.DAO) dao.DAO

func Upgrade101 

func Upgrade101(ctx context.Context) error

Upgrade101 adapts policy dbs. It is called once at service launch when Cells version become >= 1.0.1.

func Upgrade103 

func Upgrade103(ctx context.Context) error

Upgrade103 adapts policy dbs. It is called once at service launch when Cells version become >= 1.0.3 .

func Upgrade120 

func Upgrade120(ctx context.Context) error

Upgrade120 performs upgrade on policies starting at v1.2.0

func Upgrade122 

func Upgrade122(ctx context.Context) error

Upgrade122 adapts policy dbs. It is called once at service launch when Cells version become >= 1.2.2.

func Upgrade142 

func Upgrade142(ctx context.Context) error

Upgrade120 performs upgrade on policies starting at v1.2.0

func Upgrade202 

func Upgrade202(ctx context.Context) error

func Upgrade210 

func Upgrade210(ctx context.Context) error

func Upgrade220 

func Upgrade220(ctx context.Context) error

Types

type DAO 

type DAO interface {
	sql.DAO
	ladon.Warden
	ladon.Manager

	StorePolicyGroup(ctx context.Context, group *idm.PolicyGroup) (*idm.PolicyGroup, error)
	ListPolicyGroups(ctx context.Context) ([]*idm.PolicyGroup, error)
	DeletePolicyGroup(ctx context.Context, group *idm.PolicyGroup) error
}

Source Files

View all Source files

Directories

Path Synopsis
Package conditions provides implementation of basic condition rules to enable building elaborated policies.
 Package conditions provides implementation of basic condition rules to enable building elaborated policies.
Package grpc is the policy engine service
 Package grpc is the policy engine service
Package lang provides policy-related i18n strings
 Package lang provides policy-related i18n strings
Package rest is a gateway to the underlying grpc service
 Package rest is a gateway to the underlying grpc service

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.