Documentation ¶
Overview ¶
Package enforcer contains the PADME Enforcer definition. See relevant docs.
This package defines the different enforcer APIs and provides interfaces to convert any request into a PADME Resource so it can be evaluated against the policies known to the enforcer.
Package enforcer contains the PADME Enforcer definition. See relevant docs.
This package defines the different enforcer APIs and provides interfaces to convert any request into a PADME Resource so it can be evaluated against the policies known to the enforcer.
Index ¶
- Constants
- type AnswerAPIRequestAdapter
- type ControllerAPI
- type Enforcer
- func (e *Enforcer) Answer(properties []*policy.Rule, credential *policy.Credential) bool
- func (e *Enforcer) Apply(bundle *policy.PolicyBundle) bool
- func (e *Enforcer) Disable(pluginID string) bool
- func (e *Enforcer) Enable(pluginID string) bool
- func (e *Enforcer) Fetch() *policy.PolicyBundle
- func (e *Enforcer) Plugins() []string
- func (e *Enforcer) RegisterHandler(id string, handler PolicyEventHandler) bool
- func (e *Enforcer) RegisterPlugin(plugin plugins.Plugin) bool
- func (e *Enforcer) UnregisterHandler(id string)
- func (e *Enforcer) UnregisterPlugin(plugin plugins.Plugin) bool
- type PacketAnswerAPI
- type PluginAPI
- type PolicyEvent
- type PolicyEventHandler
- type RequestAnswerAPI
Constants ¶
const ( // PolicyApply event is fired when a policy is applied. // for example if a plugin was added/enabled, or if its start time passed. PolicyApply = PolicyEvent(iota) // PolicyApplyError event is fired when attempt to apply a policy failed. PolicyApplyError // PolicyRemove event is fired when policy is removed. // For example if a plugin was removed or the end time of a policy passed. PolicyRemove // PolicyRemoveError event is fired when An attempt to remove a policy failed. PolicyRemoveError )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AnswerAPIRequestAdapter ¶
type AnswerAPIRequestAdapter interface { // Adapt takes an incoming request and translates it into an AnswerAPIRequest. // // It returns a list of rules describing the resource represented by the incoming // request and the credentials associated to it. Adapt(interface{}) ([]*policy.Rule, *policy.Credential) }
AnswerAPIRequestAdapter defines how the different requests that come into PADME are translated in an AnswerAPI request. Sources of requests can be PADME webhooks, platform-specific webhooks such as the k8s SAR API webhook, etc.
type ControllerAPI ¶
type ControllerAPI interface { // Register a controller with this enforcer for notifications of events // // The controller must specify an id by which it will be known to this enforcer. // this id must be unique among controllers. // // Parameters: // id - the controller id // handler - the handler which is to be called when an event occurs. // // Returns: // true - registration succeeded // false - registration failed RegisterHandler(id string, handler PolicyEventHandler) bool // Unregister remoes remove the registration of a controller with this enforcer. // // Unlike plugins the unregistration of a control does not // effect the state of policies installed on this enforcer. // Simply, events that might have been reported to unregistered // controller are simply lost. // // Parameters: // id - the id of a previously registered controller UnregisterHandler(id string) // Apply a policy bundle to the enforcer. // // Policies are specifically ordered. Thus the addition, removal, or // modification of one or more policy requires a new policy bundle to // be applied to the enforcer. The controller is responsible for // determining which policies have been added or removed and // modifying its state or the state of its plugins as necessary. // If no PolicyVersions change, and no policies are added // or removed, then nothing is done. // // A return code is provided, however failures for individual policies // are returned via the PolicyEventHandler. // // Rollback is achieved by shipping an old policy bundle with higher // version numbers. // // Parameters: // bundle - the policy bundle to apply // // Return: // true - all policies were applied // false - some polices were not applied, see PolicyEventHandler for specific issues Apply(bundle *policy.PolicyBundle) bool // Fetch retrieves the current policy bundle from this enforcer Fetch() *policy.PolicyBundle // Plugins returns a list of all the plugins supported by this enforcer. Plugins() []string // Enable explicitly enables a particular plugin. // // If the plugin is already registered then this causes // it to become enabled and causes all policies that // use this plugin to be applied. If the plugin is // not registered then when it registers it automatically // becomes enabled. // // Specific errors encountered during the application of // policies are returned via the PolicyEventHandler // // Parameters: // pluginID - the id of the specific plugin // // Returns: // true - the plugin was enabled // false - the plugin could not be enabled Enable(pluginID string) bool // Disable explicitly disables a particular plugin. // // If the plugin is already registered, then all policies // operating through it are removed from the plugin. // If the plugin is not registered then the decision // is remembered and it must be explicitly enabled // before operating again. // // Specific errors encountered during the removal of // policies are returned via the PolicyEventHandler // // Specific errors encountered during the application of // policies are returned via the PolicyEventHandler // // Parameters: // pluginID - the id of the specific plugin // // Returns: // true - the plugin was disabled // false - the plugin could not be disabled Disable(pluginID string) bool }
ControllerAPI defines interactions between an Enforcer and a Controller. Controller/Enforcer discovery is presently not covered here. Mutual knowledge is assumed. This API is also agnostic as to whether or not push or pull is used between the Enforcer and Controller.
type Enforcer ¶
type Enforcer struct { // Location configures the location where teh current enforcer operates. // This field will be used when matching policies and only the policies that // apply to this location will be considered. Location *policy.Location // Store configures the repository where the policies for this enforcer // are stored. Store store.PolicyRepository // Handlers are the list of controllers known to this enforcer that // are subscribed to policy events Handlers map[string]PolicyEventHandler // RegisteredPlugins are the list of plugins this enforcer will delegate to when // checking policies for an incoming resource RegisteredPlugins map[string]*loadedPlugin // contains filtered or unexported fields }
Enforcer is the main implementation of a PADME Enforcer.
func NewEnforcer ¶
func NewEnforcer(store store.PolicyRepository, location *policy.Location, credentials *policy.Credential) Enforcer
NewEnforcer builds a new Enforcer object with the given policy repository
func (*Enforcer) Answer ¶
Answer is the implementation of the Enforcer Answer API. It takes an access request for a given resource and evaluates it against the existing policies.
func (*Enforcer) Apply ¶
func (e *Enforcer) Apply(bundle *policy.PolicyBundle) bool
Apply applies the given PolicyBundle to this enforcer.
func (*Enforcer) Disable ¶
Disable disables the given plugin, if not already enabled, and applies to it all policies that are configured for that plugin
func (*Enforcer) Enable ¶
Enable enables the given plugin, if not already enabled, and applies to it all policies that are configured for that plugin
func (*Enforcer) Fetch ¶
func (e *Enforcer) Fetch() *policy.PolicyBundle
Fetch retrieves the current PolicyBundle
func (*Enforcer) RegisterHandler ¶
func (e *Enforcer) RegisterHandler(id string, handler PolicyEventHandler) bool
RegisterHandler registers a given controller in this enforcer and subscribe it to policy events
func (*Enforcer) RegisterPlugin ¶
RegisterPlugin adds the given plugin to this enforcer
func (*Enforcer) UnregisterHandler ¶
UnregisterHandler removes a controller from this enforcer and unsubscribe it from polocy events
type PacketAnswerAPI ¶
type PacketAnswerAPI interface { // Answer inspects a packet, extracts any protocol information that it can // from the packet, and matches it against policies known by the enforcer. // // true is returned if policies allow this traffic. // false is returned if policies do not allow this traffic, or if the packet was not understood. Answer(packet []byte) bool }
PacketAnswerAPI defines the Packet Level Answer API. It supports infrequent low level look ups such as those that might be found in software defined networking.
type PluginAPI ¶
type PluginAPI interface { // Register the specified plugin with the enforcer. Only one // plugin with a specified id may be registered with an enforcer // at a time. If a plugin could not be registered it should // not attempt enforcement actions. // // Upon registration of a new plugin, assuming the plugin // is enabled, all policies are evaluated and any that control // this plugin apply themselves to this plugin. // // Parameters: // plugin - the plugin object used to control this plugin // // Returns: // true - the plugin was successfully registered // false - the plugin could not be registered RegisterPlugin(plugin plugins.Plugin) bool // Unregister a plugin from the enforcer. When this occurs // all applied policies are removed. // // Parameters: // plugin - the plugin object used to control this plugin // // Returns: // true - the plugin was successfully unregistered // false - the plugin was not successfully unregistered. UnregisterPlugin(plugin plugins.Plugin) bool }
PluginAPI is used to configure sub-components that enforce policies on behalf of the Enforcer.
type PolicyEvent ¶
type PolicyEvent int
PolicyEvent defines events that can be notified to controllers upon policy operations on the enforcer
type PolicyEventHandler ¶
type PolicyEventHandler interface { // Handle is called when an event occurs on a policy // the version and description of the policy are passed to // the controller. An optional notes field // is used to carry the error string in the event of // a PLUGIN_APPLY_ERROR or PLUGIN_REMOVE_ERROR // // Parameters: // event - the event // policyVersion - the version of the policy that was effected // policyDescription - the description of the policy that was effected // notes - an error description or empty Handle(event PolicyEvent, policyVersion uint64, policyDescription string, notes string) }
PolicyEventHandler defines the interface Controllers are expected to implement to be notified of events occurring on policies.
type RequestAnswerAPI ¶
type RequestAnswerAPI interface { // Answer matches a request described by properties and credential // against the rules known by this enforcer. // // properties are the intrinsic properties of a given request. For // example the source tcp port or the destination ip address, or the // target URI. These are composed (along with the credential) // into a resource object. Composition of the properties is done // using an AND operation. // // Care must be taken in this API to ensure that standard // values for Layer and LType are readily available. // // No wild carding is permitted in a request. // // true is returned if policies allow this request. // false is returned if policies do not allow this request. Answer(properties []*policy.Rule, credential *policy.Credential) bool }
RequestAnswerAPI defines the Request Level Answer API. It supports most normal services requests. For example a web services request for a specific target URL uses this call.
Directories ¶
Path | Synopsis |
---|---|
Package plugins defines how Enforcer plugins are configured and loaded in PADME.
|
Package plugins defines how Enforcer plugins are configured and loaded in PADME. |
native
Package native provides a Go native plugin loader.
|
Package native provides a Go native plugin loader. |
Package store configures Enforcer persistence.
|
Package store configures Enforcer persistence. |
filesystem
Package filesystem defines storage repositories for the local filesystem.
|
Package filesystem defines storage repositories for the local filesystem. |
Package utils provides utility methods for the enforcer package
|
Package utils provides utility methods for the enforcer package |