Documentation
¶
Index ¶
- func GetDefinitionFqnFromDefinition(def *policy.Attribute) (string, error)
- func GetDefinitionFqnFromValue(v *policy.Value) (string, error)
- func GetDefinitionFqnFromValueFqn(valueFqn string) (string, error)
- func GetFqnToDefinitionMap(attributeDefinitions []*policy.Attribute) (map[string]*policy.Attribute, error)
- func GroupValueFqnsByDefinition(valueFqns []string) (map[string][]string, error)
- func GroupValuesByDefinition(values []*policy.Value) (map[string][]*policy.Value, error)
- type DataRuleResult
- type Decision
- type Pdp
- type ValueFailure
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetDefinitionFqnFromValueFqn ¶
Splits off the Value from the FQN to get the parent Definition FQN:
Input: https://<namespace>/attr/<attr name>/value/<value> Output: https://<namespace>/attr/<attr name>
func GetFqnToDefinitionMap ¶
func GetFqnToDefinitionMap(attributeDefinitions []*policy.Attribute) (map[string]*policy.Attribute, error)
GroupDefinitionsByFqn takes a slice of Attribute Definitions and returns them as a map: FQN -> Attribute Definition
Types ¶
type DataRuleResult ¶
type DataRuleResult struct {
// Indicates whether, for this specific data AttributeDefinition, an entity satisfied
// the rule conditions (allof/anyof/hierarchy)
Passed bool `json:"passed" example:"false"`
// Contains the AttributeDefinition of the data attribute rule this result represents
RuleDefinition *policy.Attribute `json:"rule_definition"`
// May contain 0 or more ValueFailure types, depending on the RuleDefinition and which (if any)
// data Attribute Values/values the entity failed against
//
// For an AllOf rule, there should be no value failures if Passed=TRUE
// For an AnyOf rule, there should be fewer entity value failures than
// there are data attribute values in total if Passed=TRUE
// For a Hierarchy rule, there should be either no value failures if Passed=TRUE,
// or exactly one value failure if Passed=FALSE
ValueFailures []ValueFailure `json:"value_failures"`
}
DataRuleResult represents the rule-level (or AttributeDefinition-level) decision for a specific entity - the result of comparing entity Attribute Values to a single data AttributeDefinition/rule (with potentially many values)
There may be multiple "instances" (that is, Attribute Values) of a single AttributeDefinition on both data and entities, each with a different value.
type Decision ¶
type Decision struct {
// The important bit - does this entity Have Access or not, for this set of data attribute values
// This will be TRUE if, for *every* DataRuleResult in Results, EntityRuleResult.Passed == TRUE
// Otherwise, it will be false
Access bool `json:"access" example:"false"`
// Results will contain at most 1 DataRuleResult for each data Attribute Value.
// e.g. if we compare an entity's Attribute Values against 5 data Attribute Values,
// then there will be 5 rule results, each indicating whether this entity "passed" validation
// for that data Attribute Value or not.
//
// If an entity was skipped for a particular rule evaluation because of a GroupBy clause
// on the AttributeDefinition for a given data Attribute Value, however, then there may be
// FEWER DataRuleResults then there are DataRules
//
// e.g. there are 5 data Attribute Values, and two entities each with a set of Attribute Values,
// the definition for one of those data Attribute Values has a GroupBy clause that excludes the second entity
//-> the first entity will have 5 DataRuleResults with Passed = true
//-> the second entity will have 4 DataRuleResults Passed = true
//-> both will have Access == true.
Results []DataRuleResult `json:"entity_rule_result"`
}
A Decision represents the overall access decision for a specific entity, - that is, the aggregate result of comparing entity Attribute Values to every data Attribute Value.
type Pdp ¶
type Pdp struct{}
func (*Pdp) DetermineAccess ¶
func (pdp *Pdp) DetermineAccess( ctx context.Context, dataAttributes []*policy.Value, entityAttributeSets map[string][]string, attributeDefinitions []*policy.Attribute, ) (map[string]*Decision, error)
DetermineAccess will take data Attribute Values, entities mapped entityId to Attribute Value FQNs, and data AttributeDefinitions, compare every data Attribute against every entity's set of Attribute Values, generating a rolled-up decision result for each entity, as well as a detailed breakdown of every data comparison.
type ValueFailure ¶
type ValueFailure struct {
// The data attribute w/value that "caused" the denial
DataAttribute *policy.Value `json:"data_attribute"`
// Optional denial message
Message string `json:"message" example:"Criteria NOT satisfied for entity: {entity_id} - lacked attribute value: {attribute}"`
}
ValueFailure indicates, for a given entity and data Attribute Value, which data values (aka specific data Attribute Value) the entity "failed" on.
There may be multiple "instances" (that is, Attribute Values) of a single AttributeDefinition on both data and entities, each with a different value.
A ValueFailure does not necessarily mean the requirements for an AttributeDefinition were not or will not be met, it is purely informational - there will be one value failure, per entity, per rule, per value the entity lacks - it is up to the rule itself (anyof/allof/hierarchy) to translate this into an overall failure or not.
Source Files