Documentation ¶
Index ¶
- Constants
- Variables
- func NewErrResourceNotFound(err error) error
- type AuditLogger
- type AuditLoggerInfo
- type AuditLoggerNoOp
- type BooleanCondition
- type CIDRCondition
- type Condition
- type Conditions
- type Context
- type DefaultPolicy
- func (p *DefaultPolicy) AllowAccess() bool
- func (p *DefaultPolicy) GetActions() []string
- func (p *DefaultPolicy) GetConditions() Conditions
- func (p *DefaultPolicy) GetDescription() string
- func (p *DefaultPolicy) GetEffect() string
- func (p *DefaultPolicy) GetEndDelimiter() byte
- func (p *DefaultPolicy) GetID() string
- func (p *DefaultPolicy) GetMeta() []byte
- func (p *DefaultPolicy) GetResources() []string
- func (p *DefaultPolicy) GetStartDelimiter() byte
- func (p *DefaultPolicy) GetSubjects() []string
- func (p *DefaultPolicy) UnmarshalJSON(data []byte) error
- func (p *DefaultPolicy) UnmarshalMeta(v interface{}) error
- type EqualsSubjectCondition
- type Ladon
- type Manager
- type ManagerMigrator
- type Metric
- type MetricNoOp
- type Policies
- type Policy
- type RegexpMatcher
- type Request
- type ResourceContainsCondition
- type StringEqualCondition
- type StringMatchCondition
- type StringPairsEqualCondition
- type Warden
Constants ¶
const AllowAccess = "allow"
AllowAccess should be used as effect for policies that allow access.
const DenyAccess = "deny"
DenyAccess should be used as effect for policies that deny access.
Variables ¶
var ( // ErrRequestDenied is returned when an access request can not be satisfied by any policy. ErrRequestDenied = &errorWithContext{ error: errors.New("Request was denied by default"), code: http.StatusForbidden, status: http.StatusText(http.StatusForbidden), reason: "The request was denied because no matching policy was found.", } // ErrRequestForcefullyDenied is returned when an access request is explicitly denied by a policy. ErrRequestForcefullyDenied = &errorWithContext{ error: errors.New("Request was forcefully denied"), code: http.StatusForbidden, status: http.StatusText(http.StatusForbidden), reason: "The request was denied because a policy denied request.", } // ErrNotFound is returned when a resource can not be found. ErrNotFound = &errorWithContext{ error: errors.New("Resource could not be found"), code: http.StatusNotFound, status: http.StatusText(http.StatusNotFound), } )
var ConditionFactories = map[string]func() Condition{ new(StringEqualCondition).GetName(): func() Condition { return new(StringEqualCondition) }, new(CIDRCondition).GetName(): func() Condition { return new(CIDRCondition) }, new(EqualsSubjectCondition).GetName(): func() Condition { return new(EqualsSubjectCondition) }, new(StringPairsEqualCondition).GetName(): func() Condition { return new(StringPairsEqualCondition) }, new(StringMatchCondition).GetName(): func() Condition { return new(StringMatchCondition) }, new(ResourceContainsCondition).GetName(): func() Condition { return new(ResourceContainsCondition) }, new(BooleanCondition).GetName(): func() Condition { return new(BooleanCondition) }, }
ConditionFactories is where you can add custom conditions
var DefaultAuditLogger = &AuditLoggerNoOp{}
var DefaultMatcher = NewRegexpMatcher(512)
var DefaultMetric = &MetricNoOp{}
Functions ¶
func NewErrResourceNotFound ¶ added in v0.6.0
Types ¶
type AuditLogger ¶ added in v0.8.5
type AuditLogger interface { LogRejectedAccessRequest(ctx context.Context, request *Request, pool Policies, deciders Policies) LogGrantedAccessRequest(ctx context.Context, request *Request, pool Policies, deciders Policies) }
AuditLogger tracks denied and granted authorizations.
type AuditLoggerInfo ¶ added in v0.8.5
AuditLoggerInfo outputs information about granting or rejecting policies.
func (*AuditLoggerInfo) LogGrantedAccessRequest ¶ added in v0.8.5
func (*AuditLoggerInfo) LogRejectedAccessRequest ¶ added in v0.8.5
type AuditLoggerNoOp ¶ added in v0.8.5
type AuditLoggerNoOp struct{}
AuditLoggerNoOp is the default AuditLogger, that tracks nothing.
func (*AuditLoggerNoOp) LogGrantedAccessRequest ¶ added in v0.8.5
func (*AuditLoggerNoOp) LogRejectedAccessRequest ¶ added in v0.8.5
type BooleanCondition ¶ added in v0.8.10
type BooleanCondition struct {
BooleanValue bool `json:"value"`
}
BooleanCondition is used to determine if a boolean context matches an expected boolean condition.
BooleanCondition implements the ladon.Condition interface. See https://github.com/ory/ladon/blob/master/condition.go
func (*BooleanCondition) Fulfills ¶ added in v0.8.10
func (c *BooleanCondition) Fulfills(ctx context.Context, value interface{}, _ *Request) bool
Fulfills determines if the BooleanCondition is fulfilled. The BooleanCondition is fulfilled if the provided boolean value matches the conditions boolean value.
func (*BooleanCondition) GetName ¶ added in v0.8.10
func (c *BooleanCondition) GetName() string
GetName returns the name of the BooleanCondition
type CIDRCondition ¶
type CIDRCondition struct {
CIDR string `json:"cidr"`
}
CIDRCondition makes sure that the warden requests' IP address is in the given CIDR.
func (*CIDRCondition) Fulfills ¶
func (c *CIDRCondition) Fulfills(ctx context.Context, value interface{}, _ *Request) bool
Fulfills returns true if the the request is fulfilled by the condition.
func (*CIDRCondition) GetName ¶
func (c *CIDRCondition) GetName() string
GetName returns the condition's name.
type Condition ¶
type Condition interface { // GetName returns the condition's name. GetName() string // Fulfills returns true if the request is fulfilled by the condition. Fulfills(context.Context, interface{}, *Request) bool }
Condition either do or do not fulfill an access request.
type Conditions ¶
Conditions is a collection of conditions.
func (Conditions) AddCondition ¶
func (cs Conditions) AddCondition(key string, c Condition)
AddCondition adds a condition to the collection.
func (Conditions) MarshalJSON ¶
func (cs Conditions) MarshalJSON() ([]byte, error)
MarshalJSON marshals a list of conditions to json.
func (Conditions) UnmarshalJSON ¶
func (cs Conditions) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals a list of conditions from json.
type DefaultPolicy ¶
type DefaultPolicy struct { ID string `json:"id" gorethink:"id"` Description string `json:"description" gorethink:"description"` Subjects []string `json:"subjects" gorethink:"subjects"` Effect string `json:"effect" gorethink:"effect"` Resources []string `json:"resources" gorethink:"resources"` Actions []string `json:"actions" gorethink:"actions"` Conditions Conditions `json:"conditions" gorethink:"conditions"` Meta []byte `json:"meta" gorethink:"meta"` }
DefaultPolicy is the default implementation of the policy interface.
func (*DefaultPolicy) AllowAccess ¶
func (p *DefaultPolicy) AllowAccess() bool
AllowAccess returns true if the policy effect is allow, otherwise false.
func (*DefaultPolicy) GetActions ¶
func (p *DefaultPolicy) GetActions() []string
GetActions returns the policies actions.
func (*DefaultPolicy) GetConditions ¶
func (p *DefaultPolicy) GetConditions() Conditions
GetConditions returns the policies conditions.
func (*DefaultPolicy) GetDescription ¶
func (p *DefaultPolicy) GetDescription() string
GetDescription returns the policies description.
func (*DefaultPolicy) GetEffect ¶
func (p *DefaultPolicy) GetEffect() string
GetEffect returns the policies effect which might be 'allow' or 'deny'.
func (*DefaultPolicy) GetEndDelimiter ¶
func (p *DefaultPolicy) GetEndDelimiter() byte
GetEndDelimiter returns the delimiter which identifies the end of a regular expression.
func (*DefaultPolicy) GetMeta ¶ added in v0.8.10
func (p *DefaultPolicy) GetMeta() []byte
GetMeta returns the policies arbitrary metadata set by the user.
func (*DefaultPolicy) GetResources ¶
func (p *DefaultPolicy) GetResources() []string
GetResources returns the policies resources.
func (*DefaultPolicy) GetStartDelimiter ¶
func (p *DefaultPolicy) GetStartDelimiter() byte
GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression.
func (*DefaultPolicy) GetSubjects ¶
func (p *DefaultPolicy) GetSubjects() []string
GetSubjects returns the policies subjects.
func (*DefaultPolicy) UnmarshalJSON ¶
func (p *DefaultPolicy) UnmarshalJSON(data []byte) error
UnmarshalJSON overwrite own policy with values of the given in policy in JSON format
func (*DefaultPolicy) UnmarshalMeta ¶ added in v0.8.10
func (p *DefaultPolicy) UnmarshalMeta(v interface{}) error
UnmarshalMeta parses the policies []byte encoded metadata and stores the result in the value pointed to by v.
type EqualsSubjectCondition ¶
type EqualsSubjectCondition struct{}
EqualsSubjectCondition is a condition which is fulfilled if the request's subject is equal to the given value string
func (*EqualsSubjectCondition) Fulfills ¶
func (c *EqualsSubjectCondition) Fulfills(ctx context.Context, value interface{}, r *Request) bool
Fulfills returns true if the request's subject is equal to the given value string
func (*EqualsSubjectCondition) GetName ¶
func (c *EqualsSubjectCondition) GetName() string
GetName returns the condition's name.
type Ladon ¶
type Ladon struct { Manager Manager Matcher matcher AuditLogger AuditLogger Metric Metric }
Ladon is an implementation of Warden.
func (*Ladon) DoPoliciesAllow ¶ added in v0.8.3
DoPoliciesAllow returns nil if subject s has permission p on resource r with context c for a given policy list or an error otherwise. The IsAllowed interface should be preferred since it uses the manager directly. This is a lower level interface for when you don't want to use the ladon manager.
type Manager ¶
type Manager interface { // Create persists the policy. Create(ctx context.Context, policy Policy) error // Update updates an existing policy. Update(ctx context.Context, policy Policy) error // Get retrieves a policy. Get(ctx context.Context, id string) (Policy, error) // Delete removes a policy. Delete(ctx context.Context, id string) error // GetAll retrieves all policies. GetAll(ctx context.Context, limit, offset int64) (Policies, error) // FindRequestCandidates returns candidates that could match the request object. It either returns // a set that exactly matches the request, or a superset of it. If an error occurs, it returns nil and // the error. FindRequestCandidates(ctx context.Context, r *Request) (Policies, error) // FindPoliciesForSubject returns policies that could match the subject. It either returns // a set of policies that applies to the subject, or a superset of it. // If an error occurs, it returns nil and the error. FindPoliciesForSubject(ctx context.Context, subject string) (Policies, error) // FindPoliciesForResource returns policies that could match the resource. It either returns // a set of policies that apply to the resource, or a superset of it. // If an error occurs, it returns nil and the error. FindPoliciesForResource(ctx context.Context, resource string) (Policies, error) }
Manager is responsible for managing and persisting policies.
type ManagerMigrator ¶ added in v0.6.0
type Metric ¶ added in v1.0.3
type Metric interface { // RequestDeniedBy is called when we get explicit deny by policy RequestDeniedBy(Request, Policy) // RequestAllowedBy is called when a matching policy has been found. RequestAllowedBy(Request, Policies) // RequestNoMatch is called when no policy has matched our request RequestNoMatch(Request) // RequestProcessingError is called when unexpected error occured RequestProcessingError(Request, Policy, error) }
Metric is used to expose metrics about authz
type MetricNoOp ¶ added in v1.0.3
type MetricNoOp struct{}
MetricNoOp is the default metrics implementation , that tracks nothing.
func (*MetricNoOp) RequestAllowedBy ¶ added in v1.0.3
func (*MetricNoOp) RequestAllowedBy(r Request, p Policies)
func (*MetricNoOp) RequestDeniedBy ¶ added in v1.0.3
func (*MetricNoOp) RequestDeniedBy(r Request, p Policy)
func (*MetricNoOp) RequestNoMatch ¶ added in v1.0.3
func (*MetricNoOp) RequestNoMatch(r Request)
func (*MetricNoOp) RequestProcessingError ¶ added in v1.0.3
func (*MetricNoOp) RequestProcessingError(r Request, p Policy, err error)
type Policy ¶
type Policy interface { // GetID returns the policies id. GetID() string // GetDescription returns the policies description. GetDescription() string // GetSubjects returns the policies subjects. GetSubjects() []string // AllowAccess returns true if the policy effect is allow, otherwise false. AllowAccess() bool // GetEffect returns the policies effect which might be 'allow' or 'deny'. GetEffect() string // GetResources returns the policies resources. GetResources() []string // GetActions returns the policies actions. GetActions() []string // GetConditions returns the policies conditions. GetConditions() Conditions // GetMeta returns the policies arbitrary metadata set by the user. GetMeta() []byte // GetStartDelimiter returns the delimiter which identifies the beginning of a regular expression. GetStartDelimiter() byte // GetEndDelimiter returns the delimiter which identifies the end of a regular expression. GetEndDelimiter() byte }
Policy represent a policy model.
type RegexpMatcher ¶ added in v0.6.0
func NewRegexpMatcher ¶ added in v0.6.0
func NewRegexpMatcher(size int) *RegexpMatcher
type Request ¶
type Request struct { // Resource is the resource that access is requested to. Resource string `json:"resource"` // Action is the action that is requested on the resource. Action string `json:"action"` // Subejct is the subject that is requesting access. Subject string `json:"subject"` // Context is the request's environmental context. Context Context `json:"context"` }
Request is the warden's request object.
type ResourceContainsCondition ¶ added in v0.8.7
type ResourceContainsCondition struct{}
ResourceContainsCondition is fulfilled if the context matches a substring within the resource name
func (*ResourceContainsCondition) Fulfills ¶ added in v0.8.7
func (c *ResourceContainsCondition) Fulfills(ctx context.Context, value interface{}, r *Request) bool
Fulfills returns true if the request's resouce contains the given value string
func (*ResourceContainsCondition) GetName ¶ added in v0.8.7
func (c *ResourceContainsCondition) GetName() string
GetName returns the condition's name.
type StringEqualCondition ¶
type StringEqualCondition struct {
Equals string `json:"equals"`
}
StringEqualCondition is a condition which is fulfilled if the given string value is the same as specified in StringEqualCondition
func (*StringEqualCondition) Fulfills ¶
func (c *StringEqualCondition) Fulfills(ctx context.Context, value interface{}, _ *Request) bool
Fulfills returns true if the given value is a string and is the same as in StringEqualCondition.Equals
func (*StringEqualCondition) GetName ¶
func (c *StringEqualCondition) GetName() string
GetName returns the condition's name.
type StringMatchCondition ¶ added in v0.8.2
type StringMatchCondition struct {
Matches string `json:"matches"`
}
StringMatchCondition is a condition which is fulfilled if the given string value matches the regex pattern specified in StringMatchCondition
func (*StringMatchCondition) Fulfills ¶ added in v0.8.2
func (c *StringMatchCondition) Fulfills(ctx context.Context, value interface{}, _ *Request) bool
Fulfills returns true if the given value is a string and matches the regex pattern in StringMatchCondition.Matches
func (*StringMatchCondition) GetName ¶ added in v0.8.2
func (c *StringMatchCondition) GetName() string
GetName returns the condition's name.
type StringPairsEqualCondition ¶ added in v0.4.3
type StringPairsEqualCondition struct{}
StringPairsEqualCondition is a condition which is fulfilled if the given array of pairs contains two-element string arrays where both elements in the string array are equal
func (*StringPairsEqualCondition) Fulfills ¶ added in v0.4.3
func (c *StringPairsEqualCondition) Fulfills(ctx context.Context, value interface{}, _ *Request) bool
Fulfills returns true if the given value is an array of string arrays and each string array has exactly two values which are equal
func (*StringPairsEqualCondition) GetName ¶ added in v0.4.3
func (c *StringPairsEqualCondition) GetName() string
GetName returns the condition's name.
type Warden ¶
type Warden interface { // IsAllowed returns nil if subject s can perform action a on resource r with context c or an error otherwise. // if err := guard.IsAllowed(&Request{Resource: "article/1234", Action: "update", Subject: "peter"}); err != nil { // return errors.New("Not allowed") // } IsAllowed(ctx context.Context, r *Request) error }
Warden is responsible for deciding if subject s can perform action a on resource r with context c.
Source Files ¶
- audit_logger.go
- audit_logger_info.go
- audit_logger_noop.go
- condition.go
- condition_boolean.go
- condition_cidr.go
- condition_resource_contains.go
- condition_string_equal.go
- condition_string_match.go
- condition_string_pairs_equal.go
- condition_subject_equal.go
- const.go
- context.go
- errors.go
- ladon.go
- manager.go
- manager_migrator.go
- matcher.go
- matcher_regexp.go
- metric.go
- metric_noop.go
- policy.go
- warden.go