Documentation
¶
Index ¶
- Variables
- type ACL
- func (acl *ACL) Add(svc string, r Rule) error
- func (acl *ACL) Decide(service, host string) (Decision, error)
- func (acl *ACL) DisablePolicies(actions []string) error
- func (acl *ACL) PolicyDisabled(svc string, p EnforcementPolicy) error
- func (acl *ACL) Project(service string) (string, error)
- func (acl *ACL) Rule(service string) *Rule
- func (acl *ACL) Validate() error
- func (acl *ACL) ValidateDomainGlobs(svc string, globs []string) error
- type Decider
- type Decision
- type DecisionResult
- type EnforcementPolicy
- type Loader
- type Rule
- type YAMLConfig
- type YAMLLoader
- type YAMLRule
Constants ¶
This section is empty.
Variables ¶
var EnforcementPolicies = map[string]EnforcementPolicy{ "open": Open, "report": Report, "enforce": Enforce, }
Functions ¶
This section is empty.
Types ¶
type ACL ¶
type ACL struct {
Rules map[string]Rule
DefaultRule *Rule
GlobalDenyList []string
GlobalAllowList []string
DisabledPolicies []EnforcementPolicy
*logrus.Logger
}
func (*ACL) Add ¶
Add associates a rule with the specified service after verifying the rule's policy and domains are valid. Add returns an error if the service rule already exists.
func (*ACL) Decide ¶
Decide takes uses the rule configured for the given service to determine if
- The host is in the rule's allowed domain
- The host has been globally denied
- The host has been globally allowed
- There is a default rule for the ACL
func (*ACL) DisablePolicies ¶
DisablePolicies takes a slice of actions (open, report, enforce), maps them to their corresponding EnforcementPolicy, and adds them to the global disabledPolicy slice.
func (*ACL) PolicyDisabled ¶
func (acl *ACL) PolicyDisabled(svc string, p EnforcementPolicy) error
PolicyDisabled checks if an EnforcementPolicy is disabled at the ACL level
func (*ACL) Rule ¶
Rule returns the configured rule for a service, or the default rule if none is configured.
func (*ACL) Validate ¶
Validate checks that the ACL that every rule has a conformant domain glob and is not utilizing a disabled enforcement policy.
func (*ACL) ValidateDomainGlobs ¶
ValidateDomainGlobs takes a slice of domain globs and verifies they conform to smokescreen's domain glob policy.
Wildcards are valid only at the beginning of a domain glob, and only a single wildcard per glob pattern is allowed. Globs must include text after a wildcard.
Domains must use their normalized form (e.g., Punycode)
type Decision ¶
type Decision struct {
Reason string
Default bool
Result DecisionResult
Project string
}
type DecisionResult ¶
type DecisionResult int
DecisionResult represents the result of checking the ACL
const ( Allow DecisionResult = iota AllowAndReport Deny )
func (DecisionResult) String ¶
func (d DecisionResult) String() string
type EnforcementPolicy ¶
type EnforcementPolicy int
EnforcementPolicy represents what the policy is for a service
const ( Unknown EnforcementPolicy = iota Open Report Enforce )
func PolicyFromAction ¶
func PolicyFromAction(action string) (EnforcementPolicy, error)
func (EnforcementPolicy) String ¶
func (p EnforcementPolicy) String() string
type Rule ¶
type Rule struct {
Project string
Policy EnforcementPolicy
DomainGlobs []string
}
type YAMLConfig ¶
type YAMLConfig struct {
Services []YAMLRule `yaml:"services"`
Default *YAMLRule `yaml:"default"`
Version string `yaml:"version"`
GlobalDenyList []string `yaml:"global_deny_list"` // domains which will be blocked even in report mode
GlobalAllowList []string `yaml:"global_allow_list"` // domains which will be allowed for every host type
}
func (*YAMLConfig) Load ¶
func (cfg *YAMLConfig) Load() (*ACL, error)
func (*YAMLConfig) ValidateConfig ¶
func (yc *YAMLConfig) ValidateConfig() error
type YAMLLoader ¶
type YAMLLoader struct {
// contains filtered or unexported fields
}
func NewYAMLLoader ¶
func NewYAMLLoader(path string) *YAMLLoader
func (*YAMLLoader) Load ¶
func (yl *YAMLLoader) Load() (*ACL, error)
Source Files