Documentation ¶
Index ¶
- func GetDefinitionFqnFromDefinition(def *policy.Attribute) (string, error)
- func GetDefinitionFqnFromValue(v *policy.Value) (string, error)
- func GetDefinitionFqnFromValueFqn(valueFqn string) (string, error)
- func GetFqnToDefinitionMap(ctx context.Context, attributeDefinitions []*policy.Attribute, ...) (map[string]*policy.Attribute, error)
- func GroupValueFqnsByDefinition(valueFqns []string) (map[string][]string, error)
- func GroupValuesByDefinition(values []*policy.Value) (map[string][]*policy.Value, error)
- type DataRuleResult
- type Decision
- type Pdp
- type ValueFailure
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetDefinitionFqnFromValueFqn ¶
Splits off the Value from the FQN to get the parent Definition FQN:
Input: https://<namespace>/attr/<attr name>/value/<value> Output: https://<namespace>/attr/<attr name>
func GetFqnToDefinitionMap ¶
func GetFqnToDefinitionMap(ctx context.Context, attributeDefinitions []*policy.Attribute, log *logger.Logger) (map[string]*policy.Attribute, error)
GroupDefinitionsByFqn takes a slice of Attribute Definitions and returns them as a map: FQN -> Attribute Definition
Types ¶
type DataRuleResult ¶
type DataRuleResult struct { // Indicates whether, for this specific data AttributeDefinition, an entity satisfied // the rule conditions (allof/anyof/hierarchy) Passed bool `json:"passed" example:"false"` // Contains the AttributeDefinition of the data attribute rule this result represents RuleDefinition *policy.Attribute `json:"rule_definition"` // May contain 0 or more ValueFailure types, depending on the RuleDefinition and which (if any) // data Attribute Values/values the entity failed against // // For an AllOf rule, there should be no value failures if Passed=TRUE // For an AnyOf rule, there should be fewer entity value failures than // there are data attribute values in total if Passed=TRUE // For a Hierarchy rule, there should be either no value failures if Passed=TRUE, // or exactly one value failure if Passed=FALSE ValueFailures []ValueFailure `json:"value_failures"` }
DataRuleResult represents the rule-level (or AttributeDefinition-level) decision for a specific entity - the result of comparing entity Attribute Values to a single data AttributeDefinition/rule (with potentially many values)
There may be multiple "instances" (that is, Attribute Values) of a single AttributeDefinition on both data and entities, each with a different value.
type Decision ¶
type Decision struct { // The important bit - does this entity Have Access or not, for this set of data attribute values // This will be TRUE if, for *every* DataRuleResult in Results, EntityRuleResult.Passed == TRUE // Otherwise, it will be false Access bool `json:"access" example:"false"` // Results will contain at most 1 DataRuleResult for each data Attribute Value. // e.g. if we compare an entity's Attribute Values against 5 data Attribute Values, // then there will be 5 rule results, each indicating whether this entity "passed" validation // for that data Attribute Value or not. // // If an entity was skipped for a particular rule evaluation because of a GroupBy clause // on the AttributeDefinition for a given data Attribute Value, however, then there may be // FEWER DataRuleResults then there are DataRules // // e.g. there are 5 data Attribute Values, and two entities each with a set of Attribute Values, // the definition for one of those data Attribute Values has a GroupBy clause that excludes the second entity //-> the first entity will have 5 DataRuleResults with Passed = true //-> the second entity will have 4 DataRuleResults Passed = true //-> both will have Access == true. Results []DataRuleResult `json:"entity_rule_result"` }
A Decision represents the overall access decision for a specific entity, - that is, the aggregate result of comparing entity Attribute Values to every data Attribute Value.
type Pdp ¶
type Pdp struct {
// contains filtered or unexported fields
}
func (*Pdp) DetermineAccess ¶
func (pdp *Pdp) DetermineAccess( ctx context.Context, dataAttributes []*policy.Value, entityAttributeSets map[string][]string, attributeDefinitions []*policy.Attribute, ) (map[string]*Decision, error)
DetermineAccess will take data Attribute Values, entities mapped entityId to Attribute Value FQNs, and data AttributeDefinitions, compare every data Attribute against every entity's set of Attribute Values, generating a rolled-up decision result for each entity, as well as a detailed breakdown of every data comparison.
type ValueFailure ¶
type ValueFailure struct { // The data attribute w/value that "caused" the denial DataAttribute *policy.Value `json:"data_attribute"` // Optional denial message Message string `json:"message" example:"Criteria NOT satisfied for entity: {entity_id} - lacked attribute value: {attribute}"` }
ValueFailure indicates, for a given entity and data Attribute Value, which data values (aka specific data Attribute Value) the entity "failed" on.
There may be multiple "instances" (that is, Attribute Values) of a single AttributeDefinition on both data and entities, each with a different value.
A ValueFailure does not necessarily mean the requirements for an AttributeDefinition were not or will not be met, it is purely informational - there will be one value failure, per entity, per rule, per value the entity lacks - it is up to the rule itself (anyof/allof/hierarchy) to translate this into an overall failure or not.