access

package
v0.4.34 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 11, 2024 License: BSD-3-Clause-Clear Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetDefinitionFqnFromDefinition

func GetDefinitionFqnFromDefinition(def *policy.Attribute) (string, error)

func GetDefinitionFqnFromValue

func GetDefinitionFqnFromValue(v *policy.Value) (string, error)

func GetDefinitionFqnFromValueFqn

func GetDefinitionFqnFromValueFqn(valueFqn string) (string, error)

Splits off the Value from the FQN to get the parent Definition FQN:

Input: https://<namespace>/attr/<attr name>/value/<value>
Output: https://<namespace>/attr/<attr name>

func GetFqnToDefinitionMap

func GetFqnToDefinitionMap(ctx context.Context, attributeDefinitions []*policy.Attribute, log *logger.Logger) (map[string]*policy.Attribute, error)

GroupDefinitionsByFqn takes a slice of Attribute Definitions and returns them as a map: FQN -> Attribute Definition

func GroupValueFqnsByDefinition

func GroupValueFqnsByDefinition(valueFqns []string) (map[string][]string, error)

func GroupValuesByDefinition

func GroupValuesByDefinition(values []*policy.Value) (map[string][]*policy.Value, error)

Groups Attribute Values by their parent Attribute Definition FQN

Types

type DataRuleResult

type DataRuleResult struct {
	// Indicates whether, for this specific data AttributeDefinition, an entity satisfied
	// the rule conditions (allof/anyof/hierarchy)
	Passed bool `json:"passed" example:"false"`
	// Contains the AttributeDefinition of the data attribute rule this result represents
	RuleDefinition *policy.Attribute `json:"rule_definition"`
	// May contain 0 or more ValueFailure types, depending on the RuleDefinition and which (if any)
	// data Attribute Values/values the entity failed against
	//
	// For an AllOf rule, there should be no value failures if Passed=TRUE
	// For an AnyOf rule, there should be fewer entity value failures than
	// there are data attribute values in total if Passed=TRUE
	// For a Hierarchy rule, there should be either no value failures if Passed=TRUE,
	// or exactly one value failure if Passed=FALSE
	ValueFailures []ValueFailure `json:"value_failures"`
}

DataRuleResult represents the rule-level (or AttributeDefinition-level) decision for a specific entity - the result of comparing entity Attribute Values to a single data AttributeDefinition/rule (with potentially many values)

There may be multiple "instances" (that is, Attribute Values) of a single AttributeDefinition on both data and entities, each with a different value.

type Decision

type Decision struct {
	// The important bit - does this entity Have Access or not, for this set of data attribute values
	// This will be TRUE if, for *every* DataRuleResult in Results, EntityRuleResult.Passed == TRUE
	// Otherwise, it will be false
	Access bool `json:"access" example:"false"`
	// Results will contain at most 1 DataRuleResult for each data Attribute Value.
	// e.g. if we compare an entity's Attribute Values against 5 data Attribute Values,
	// then there will be 5 rule results, each indicating whether this entity "passed" validation
	// for that data Attribute Value or not.
	//
	// If an entity was skipped for a particular rule evaluation because of a GroupBy clause
	// on the AttributeDefinition for a given data Attribute Value, however, then there may be
	// FEWER DataRuleResults then there are DataRules
	//
	// e.g. there are 5 data Attribute Values, and two entities each with a set of Attribute Values,
	// the definition for one of those data Attribute Values has a GroupBy clause that excludes the second entity
	//-> the first entity will have 5 DataRuleResults with Passed = true
	//-> the second entity will have 4 DataRuleResults Passed = true
	//-> both will have Access == true.
	Results []DataRuleResult `json:"entity_rule_result"`
}

A Decision represents the overall access decision for a specific entity, - that is, the aggregate result of comparing entity Attribute Values to every data Attribute Value.

type Pdp

type Pdp struct {
	// contains filtered or unexported fields
}

func NewPdp

func NewPdp(l *logger.Logger) *Pdp

func (*Pdp) DetermineAccess

func (pdp *Pdp) DetermineAccess(
	ctx context.Context,
	dataAttributes []*policy.Value,
	entityAttributeSets map[string][]string,
	attributeDefinitions []*policy.Attribute,
) (map[string]*Decision, error)

DetermineAccess will take data Attribute Values, entities mapped entityId to Attribute Value FQNs, and data AttributeDefinitions, compare every data Attribute against every entity's set of Attribute Values, generating a rolled-up decision result for each entity, as well as a detailed breakdown of every data comparison.

type ValueFailure

type ValueFailure struct {
	// The data attribute w/value that "caused" the denial
	DataAttribute *policy.Value `json:"data_attribute"`
	// Optional denial message
	Message string `json:"message" example:"Criteria NOT satisfied for entity: {entity_id} - lacked attribute value: {attribute}"`
}

ValueFailure indicates, for a given entity and data Attribute Value, which data values (aka specific data Attribute Value) the entity "failed" on.

There may be multiple "instances" (that is, Attribute Values) of a single AttributeDefinition on both data and entities, each with a different value.

A ValueFailure does not necessarily mean the requirements for an AttributeDefinition were not or will not be met, it is purely informational - there will be one value failure, per entity, per rule, per value the entity lacks - it is up to the rule itself (anyof/allof/hierarchy) to translate this into an overall failure or not.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL