Documentation
¶
Index ¶
- func ClusterByAuthority[attrCluster Clusterable](attrs []attrCluster) map[string][]attrCluster
- func ClusterByCanonicalName(attrs []Clusterable) map[string][]Clusterable
- func ClusterByCanonicalNameAD(ads []*policy.Attribute) map[string][]*policy.Attribute
- func ClusterByCanonicalNameAI(attributes []AttributeInstance) map[string][]AttributeInstance
- func GetAuthority(attrdef AttributeInstance) string
- func GetCanonicalName(ai AttributeInstance) string
- func GetCanonicalNameADV(instance *policy.Attribute) string
- type AttributeInstance
- type Clusterable
- type DataRuleResult
- type Decision
- type Pdp
- type ValueFailure
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ClusterByAuthority ¶
func ClusterByAuthority[attrCluster Clusterable](attrs []attrCluster) map[string][]attrCluster
ClusterByAuthority takes a slice of Clusterables, and returns them as a map, where the map is keyed by each unique Authorities (e.g. 'https://myauthority.org') found in the slice of Clusterables
func ClusterByCanonicalName ¶
func ClusterByCanonicalName(attrs []Clusterable) map[string][]Clusterable
ClusterByCanonicalName takes a slice of Clusterable (attributeInstance OR AttributeDefinition), and returns them as a map, where the map is keyed by each unique CanonicalName (e.g. Authority+Name, 'https://myauthority.org/attr/<name>') found in the slice of Clusterables
func ClusterByCanonicalNameAD ¶
ClusterByCanonicalNameAD takes a slice of Clusterable (attributeInstance OR AttributeDefinition), and returns them as a map, where the map is keyed by each unique CanonicalName (e.g. Authority+Name, 'https://myauthority.org/attr/<name>') found in the slice of Clusterables
func ClusterByCanonicalNameAI ¶
func ClusterByCanonicalNameAI(attributes []AttributeInstance) map[string][]AttributeInstance
func GetAuthority ¶
func GetAuthority(attrdef AttributeInstance) string
GetAuthority Returns the authority of this AttributeDefinition:
<scheme>://<hostname>
func GetCanonicalName ¶
func GetCanonicalName(ai AttributeInstance) string
GetCanonicalName Returns the canonical URI representation of this AttributeDefinition:
<scheme>://<hostname>/attr/<name>
func GetCanonicalNameADV ¶
Types ¶
type AttributeInstance ¶
type AttributeInstance struct {
Authority string `json:"authority"`
Name string `json:"name"`
Value string `json:"value"`
}
attributeInstance is created by selecting the Authority, Name and a specific Value from an AttributeDefinition.
An attributeInstance is a single, unique attribute, with a single value.
Applied to an entity, the attributeInstance becomes an entity attribute. Applied to data, the attributeInstance becomes a data attribute.
When making an access decisions, these two kinds of AttributeInstances are compared with each other.
Example attributeInstance: https://derp.com/attr/Blob/value/Green ->
Authority = https://derp.com Name = Blob CanonicalName = Authority + Name https://derp.com/attr/Blob Value = Green
func ParseInstanceFromParts ¶
func ParseInstanceFromParts(namespace, name, value string) (AttributeInstance, error)
ParseInstanceFromParts Accepts attribute namespace, name and value strings, and returns an attributeInstance
func ParseInstanceFromURI ¶
func ParseInstanceFromURI(attributeURI string) (AttributeInstance, error)
ParseInstanceFromURI Accepts a valid attribute instance URI (authority + name + value in the canonical format 'https://example.org/attr/MyAttrName/value/MyAttrValue') and returns an attributeInstance.
Strings that are not valid URLs will result in a parsing failure, and return an error.
func (AttributeInstance) GetAuthority ¶
func (attr AttributeInstance) GetAuthority() string
func (AttributeInstance) GetCanonicalName ¶
func (attr AttributeInstance) GetCanonicalName() string
GetCanonicalName For cases where just the canonical name of this attributeInstance is required (e.g. <authority>/attr/<name> - the authority and name, but not the value):
<authority>/attr/<name>
func (AttributeInstance) String ¶
func (attr AttributeInstance) String() string
Implement the standard "stringify" interface and return a string in the canonical attributeInstance format of
<authority>/attr/<name>/value/<value>
type Clusterable ¶
type Clusterable interface {
// GetCanonicalName Returns the canonical URI representation of this clusterable thing, in the format
// <scheme>://<hostname>/attr/<name>
GetCanonicalName() string
// GetAuthority Returns the authority of this clusterable thing, in the format
// <scheme>://<hostname>
GetAuthority() string
GroupBy() *AttributeInstance
Rule() policy.AttributeRuleTypeEnum
Order() []string
}
Clusterable is an interface that either AttributeInstances or AttributeDefinitions can implement, to support easily "clustering" or grouping a slice of either by their shared CanonicalName or Authority.
type DataRuleResult ¶
type DataRuleResult struct {
// Indicates whether, for this specific data AttributeDefinition, an entity satisfied
//the rule conditions (allof/anyof/hierarchy)
Passed bool `json:"passed" example:"false"`
// Contains the AttributeDefinition of the data attribute rule this result represents
RuleDefinition *policy.Attribute `json:"rule_definition"`
// May contain 0 or more ValueFailure types, depending on the RuleDefinition and which (if any)
//data AttributeInstances/values the entity failed against
//
//For an AllOf rule, there should be no value failures if Passed=TRUE
//For an AnyOf rule, there should be fewer entity value failures than
//there are data attribute values in total if Passed=TRUE
//For a Hierarchy rule, there should be either no value failures if Passed=TRUE,
//or exactly one value failure if Passed=FALSE
ValueFailures []ValueFailure `json:"value_failures"`
}
DataRuleResult represents the rule-level (or AttributeDefinition-level) decision for a specific entity - the result of comparing entity AttributeInstances to a single data AttributeDefinition/rule (with potentially many values)
There may be multiple "instances" (that is, AttributeInstances) of a single AttributeDefinition on both data and entities, each with a different value.
type Decision ¶
type Decision struct {
// The important bit - does this entity Have Access or not, for this set of data attribute values
//This will be TRUE if, for *every* DataRuleResult in Results, EntityRuleResult.Passed == TRUE
//Otherwise, it will be false
Access bool `json:"access" example:"false"`
// Results will contain at most 1 DataRuleResult for each data attributeInstance.
//e.g. if we compare an entity's AttributeInstances against 5 data AttributeInstances,
//then there will be 5 rule results, each indicating whether this entity "passed" validation
//for that data attributeInstance or not.
//
//If an entity was skipped for a particular rule evaluation because of a GroupBy clause
//on the AttributeDefinition for a given data attributeInstance, however, then there may be
// FEWER DataRuleResults then there are DataRules
//
//e.g. there are 5 data AttributeInstances, and two entities each with a set of AttributeInstances,
//the definition for one of those data AttributeInstances has a GroupBy clause that excludes the second entity
//-> the first entity will have 5 DataRuleResults with Passed = true
//-> the second entity will have 4 DataRuleResults Passed = true
//-> both will have Access == true.
Results []DataRuleResult `json:"entity_rule_result"`
}
A Decision represents the overall access decision for a specific entity, - that is, the aggregate result of comparing entity AttributeInstances to every data attributeInstance.
type Pdp ¶
type Pdp struct {
}
func (*Pdp) DetermineAccess ¶
func (pdp *Pdp) DetermineAccess( ctx context.Context, dataAttributes []AttributeInstance, entityAttributeSets map[string][]AttributeInstance, attributeDefinitions []*policy.Attribute, ) (map[string]*Decision, error)
DetermineAccess will take data AttributeInstances, data AttributeDefinitions, and entity attributeInstance sets, and compare every data attributeInstance against every entity's attributeInstance set, generating a rolled-up decision result for each entity, as well as a detailed breakdown of every data attributeInstance comparison.
type ValueFailure ¶
type ValueFailure struct {
// The data attribute w/value that "caused" the denial
DataAttribute *AttributeInstance `json:"data_attribute"`
// Optional denial message
Message string `json:"message" example:"Criteria NOT satisfied for entity: {entity_id} - lacked attribute value: {attribute}"`
}
ValueFailure indicates, for a given entity and data attributeInstance, which data values (aka specific data attributeInstance) the entity "failed" on.
There may be multiple "instances" (that is, AttributeInstances) of a single AttributeDefinition on both data and entities, each with a different value.
A ValueFailure does not necessarily mean the requirements for an AttributeDefinition were not or will not be met, it is purely informational - there will be one value failure, per entity, per rule, per value the entity lacks - it is up to the rule itself (anyof/allof/hierarchy) to translate this into an overall failure or not.
Source Files