Documentation ¶
Index ¶
- Constants
- Variables
- func Match(p Policy, haystack []string, needle string) (bool, error)
- type CIDRCondition
- type Condition
- type Conditions
- type Context
- type DefaultPolicy
- func (p *DefaultPolicy) AllowAccess() bool
- func (p *DefaultPolicy) GetActions() []string
- func (p *DefaultPolicy) GetConditions() Conditions
- func (p *DefaultPolicy) GetDescription() string
- func (p *DefaultPolicy) GetEffect() string
- func (p *DefaultPolicy) GetEndDelimiter() byte
- func (p *DefaultPolicy) GetID() string
- func (p *DefaultPolicy) GetResources() []string
- func (p *DefaultPolicy) GetStartDelimiter() byte
- func (p *DefaultPolicy) GetSubjects() []string
- func (p *DefaultPolicy) UnmarshalJSON(data []byte) error
- type EqualsSubjectCondition
- type Ladon
- type Manager
- type MemoryManager
- type Policies
- type Policy
- type RedisManager
- type Request
- type RethinkManager
- func (m *RethinkManager) ColdStart() error
- func (m *RethinkManager) Create(policy Policy) error
- func (m *RethinkManager) Delete(id string) error
- func (m *RethinkManager) FindPoliciesForSubject(subject string) (Policies, error)
- func (m *RethinkManager) Get(id string) (Policy, error)
- func (m *RethinkManager) Watch(ctx context.Context)
- type SQLManager
- type StringEqualCondition
- type Warden
Constants ¶
const AllowAccess = "allow"
AllowAccess should be used as effect for policies that allow access.
const DenyAccess = "deny"
DenyAccess should be used as effect for policies that deny access.
Variables ¶
var ConditionFactories = map[string]func() Condition{ new(StringEqualCondition).GetName(): func() Condition { return new(StringEqualCondition) }, new(CIDRCondition).GetName(): func() Condition { return new(CIDRCondition) }, new(EqualsSubjectCondition).GetName(): func() Condition { return new(EqualsSubjectCondition) }, }
ConditionFactories is where you can add custom conditions
var ( // ErrForbidden is returned when access is forbidden. ErrForbidden = errors.New("Forbidden") )
Functions ¶
Types ¶
type CIDRCondition ¶
type CIDRCondition struct {
CIDR string `json:"cidr"`
}
CIDRCondition makes sure that the warden requests' IP address is in the given CIDR.
func (*CIDRCondition) Fulfills ¶
func (c *CIDRCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the the request is fulfilled by the condition.
func (*CIDRCondition) GetName ¶
func (c *CIDRCondition) GetName() string
GetName returns the condition's name.
type Condition ¶
type Condition interface { // GetName returns the condition's name. GetName() string // Fulfills returns true if the request is fulfilled by the condition. Fulfills(interface{}, *Request) bool }
Condition either do or do not fulfill an access request.
type Conditions ¶
Conditions is a collection of conditions.
func (Conditions) AddCondition ¶
func (cs Conditions) AddCondition(key string, c Condition)
AddCondition adds a condition to the collection.
func (Conditions) MarshalJSON ¶
func (cs Conditions) MarshalJSON() ([]byte, error)
MarshalJSON marshals a list of conditions to json.
func (Conditions) UnmarshalJSON ¶
func (cs Conditions) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals a list of conditions from json.
type DefaultPolicy ¶
type DefaultPolicy struct { ID string `json:"id" gorethink:"id"` Description string `json:"description" gorethink:"description"` Subjects []string `json:"subjects" gorethink:"subjects"` Effect string `json:"effect" gorethink:"effect"` Resources []string `json:"resources" gorethink:"resources"` Actions []string `json:"actions" gorethink:"actions"` Conditions Conditions `json:"conditions" gorethink:"conditions"` }
DefaultPolicy is the default implementation of the policy interface.
func (*DefaultPolicy) AllowAccess ¶
func (p *DefaultPolicy) AllowAccess() bool
AllowAccess returns true if the policy effect is allow, otherwise false.
func (*DefaultPolicy) GetActions ¶
func (p *DefaultPolicy) GetActions() []string
GetActions returns the policies actions.
func (*DefaultPolicy) GetConditions ¶
func (p *DefaultPolicy) GetConditions() Conditions
GetConditions returns the policies conditions.
func (*DefaultPolicy) GetDescription ¶
func (p *DefaultPolicy) GetDescription() string
GetDescription returns the policies description.
func (*DefaultPolicy) GetEffect ¶
func (p *DefaultPolicy) GetEffect() string
GetEffect returns the policies effect which might be 'allow' or 'deny'.
func (*DefaultPolicy) GetEndDelimiter ¶
func (p *DefaultPolicy) GetEndDelimiter() byte
GetEndDelimiter returns the delimiter which identifies the end of a regular expression.
func (*DefaultPolicy) GetResources ¶
func (p *DefaultPolicy) GetResources() []string
GetResources returns the policies resources.
func (*DefaultPolicy) GetStartDelimiter ¶
func (p *DefaultPolicy) GetStartDelimiter() byte
GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression.
func (*DefaultPolicy) GetSubjects ¶
func (p *DefaultPolicy) GetSubjects() []string
GetSubjects returns the policies subjects.
func (*DefaultPolicy) UnmarshalJSON ¶
func (p *DefaultPolicy) UnmarshalJSON(data []byte) error
UnmarshalJSON overwrite own policy with values of the given in policy in JSON format
type EqualsSubjectCondition ¶
type EqualsSubjectCondition struct{}
EqualsSubjectCondition is a condition which is fulfilled if the request's subject is equal to the given value string
func (*EqualsSubjectCondition) Fulfills ¶
func (c *EqualsSubjectCondition) Fulfills(value interface{}, r *Request) bool
Fulfills returns true if the request's subject is equal to the given value string
func (*EqualsSubjectCondition) GetName ¶
func (c *EqualsSubjectCondition) GetName() string
GetName returns the condition's name.
type Manager ¶
type Manager interface { // Create persists the policy. Create(policy Policy) error // Get retrieves a policy. Get(id string) (Policy, error) // Delete removes a policy. Delete(id string) error // Finds all policies associated with the subject. FindPoliciesForSubject(subject string) (Policies, error) }
Manager is responsible for managing and persisting policies.
type MemoryManager ¶
MemoryManager is an in-memory (non-persistent) implementation of Manager.
func NewMemoryManager ¶
func NewMemoryManager() *MemoryManager
NewMemoryManager constructs and initalizes new MemoryManager with no policies
func (*MemoryManager) Create ¶
func (m *MemoryManager) Create(policy Policy) error
Create a new pollicy to MemoryManager
func (*MemoryManager) Delete ¶
func (m *MemoryManager) Delete(id string) error
Delete removes a policy.
func (*MemoryManager) FindPoliciesForSubject ¶
func (m *MemoryManager) FindPoliciesForSubject(subject string) (Policies, error)
FindPoliciesForSubject finds all policies associated with the subject.
type Policy ¶
type Policy interface { // GetID returns the policies id. GetID() string // GetDescription returns the policies description. GetDescription() string // GetSubjects returns the policies subjects. GetSubjects() []string // AllowAccess returns true if the policy effect is allow, otherwise false. AllowAccess() bool // GetEffect returns the policies effect which might be 'allow' or 'deny'. GetEffect() string // GetResources returns the policies resources. GetResources() []string // GetActions returns the policies actions. GetActions() []string // GetConditions returns the policies conditions. GetConditions() Conditions // GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression. GetStartDelimiter() byte // GetEndDelimiter returns the delimiter which identifies the end of a regular expression. GetEndDelimiter() byte }
Policy represent a policy model.
type RedisManager ¶ added in v0.3.4
type RedisManager struct {
// contains filtered or unexported fields
}
RedisManager is a redis implementation of Manager to store policies persistently.
func NewRedisManager ¶ added in v0.3.4
func NewRedisManager(db *redis.Client, keyPrefix string) *RedisManager
NewRedisManager initializes a new RedisManager with no policies
func (*RedisManager) Create ¶ added in v0.3.4
func (m *RedisManager) Create(policy Policy) error
Create a new policy to RedisManager
func (*RedisManager) Delete ¶ added in v0.3.4
func (m *RedisManager) Delete(id string) error
Delete removes a policy.
func (*RedisManager) FindPoliciesForSubject ¶ added in v0.3.4
func (m *RedisManager) FindPoliciesForSubject(subject string) (Policies, error)
FindPoliciesForSubject finds all policies associated with the subject.
type Request ¶
type Request struct { // Resource is the resource that access is requested to. Resource string `json:"resource"` // Action is the action that is requested on the resource. Action string `json:"action"` // Subejct is the subject that is requesting access. Subject string `json:"subject"` // Context is the request's environmental context. Context Context `json:"context"` }
Request is the warden's request object.
type RethinkManager ¶
type RethinkManager struct { Session *r.Session Table r.Term sync.RWMutex Policies map[string]Policy }
RethinkManager is a rethinkdb implementation of Manager to store policies persistently.
func (*RethinkManager) ColdStart ¶
func (m *RethinkManager) ColdStart() error
ColdStart loads all policies from rethinkdb into memory.
func (*RethinkManager) Create ¶
func (m *RethinkManager) Create(policy Policy) error
Create inserts a new policy.
func (*RethinkManager) Delete ¶
func (m *RethinkManager) Delete(id string) error
Delete removes a policy.
func (*RethinkManager) FindPoliciesForSubject ¶
func (m *RethinkManager) FindPoliciesForSubject(subject string) (Policies, error)
FindPoliciesForSubject returns Policies (an array of policy) for a given subject.
func (*RethinkManager) Get ¶
func (m *RethinkManager) Get(id string) (Policy, error)
Get retrieves a policy.
func (*RethinkManager) Watch ¶
func (m *RethinkManager) Watch(ctx context.Context)
Watch is used to watch for changes on rethinkdb (which happens asynchronous) and updates manager's policy accordingly.
type SQLManager ¶ added in v0.3.0
type SQLManager struct {
// contains filtered or unexported fields
}
SQLManager is a postgres implementation for Manager to store policies persistently.
func NewSQLManager ¶ added in v0.3.0
func NewSQLManager(db *sqlx.DB, schema []string) *SQLManager
NewSQLManager initializes a new SQLManager for given db instance.
func (*SQLManager) Create ¶ added in v0.3.0
func (s *SQLManager) Create(policy Policy) (err error)
Create inserts a new policy
func (*SQLManager) CreateSchemas ¶ added in v0.3.0
func (s *SQLManager) CreateSchemas() error
CreateSchemas creates ladon_policy tables
func (*SQLManager) Delete ¶ added in v0.3.0
func (s *SQLManager) Delete(id string) error
Delete removes a policy.
func (*SQLManager) FindPoliciesForSubject ¶ added in v0.3.0
func (s *SQLManager) FindPoliciesForSubject(subject string) (policies Policies, err error)
FindPoliciesForSubject returns Policies (an array of policy) for a given subject
type StringEqualCondition ¶
type StringEqualCondition struct {
Equals string `json:"equals"`
}
StringEqualCondition is a condition which is fulfilled if the given string value is the same as specified in StringEqualCondition
func (*StringEqualCondition) Fulfills ¶
func (c *StringEqualCondition) Fulfills(value interface{}, _ *Request) bool
Fulfills returns true if the given value is a string and is the same as in StringEqualCondition.Equals
func (*StringEqualCondition) GetName ¶
func (c *StringEqualCondition) GetName() string
GetName returns the condition's name.
type Warden ¶
type Warden interface { // IsAllowed returns nil if subject s can perform action a on resource r with context c or an error otherwise. // if err := guard.IsAllowed(&Request{Resource: "article/1234", Action: "update", Subject: "peter"}); err != nil { // return errors.New("Not allowed") // } IsAllowed(r *Request) error }
Warden is responsible for deciding if subject s can perform action a on resource r with context c.