Package internal

v1.0.0

Published: Feb 2, 2024 License: AGPL-3.0 Imports: 18 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	ErrVaultClientRequired = errors.New("vault client required but not provided")
)

Functions

This section is empty.

Types

type AuthKind

type AuthKind int
const (
	Token AuthKind = iota
	TokenAccessor
	RolePathMaybe
)

func GuessAuthKind

func GuessAuthKind(thing string) (AuthKind, error)

GuessAuthKind guesses what kind of string it has been given: a token, a token accessor, or a role path.

func (AuthKind) String

func (a AuthKind) String() string

type Capability

type Capability string

Capabilities declare what a token can do to a path.

https://developer.hashicorp.com/vault/docs/concepts/policies#capabilities

const (
	Create    Capability = "create"
	Read      Capability = "read"
	Update    Capability = "update"
	Delete    Capability = "delete"
	List      Capability = "list"
	Sudo      Capability = "sudo"
	Deny      Capability = "deny"
	Subscribe Capability = "subscribe"
)

func (Capability) Less

func (c Capability) Less(other Capability) bool

For use with `sort.Slice()`.

type ControlGroup

type ControlGroup struct {
	TTL     any
	Factors map[string]any
}

type PathConfig

type PathConfig struct {
	Path         string       `hcl:"path,label"`
	Capabilities []Capability `hcl:"capabilities"`

	// Captures other arguments we don't care about yet.
	// https://github.com/hashicorp/vault/blob/9bb4f9e996eb6d35617a0624f2c1232e25d75f3c/vault/policy.go#L129-L147
	Other hcl.Body `hcl:",remain"`
}

PathConfig represents a Vault path block.

func (PathConfig) MarshalZerologObject

func (p PathConfig) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog.LogObjectMarshaler.

type Policy

type Policy struct {
	// The name of the policy in Vault - this attribute is not in the document.
	Name string `hcl:",optional"`
	// All of the path {} declarations. These should be sorted by PathConfig.Path, ascending.
	Paths []PathConfig `hcl:"path,block"`
}

Policy represents a Vault policy document.

func ParsePolicy

func ParsePolicy(policyData, name string) (*Policy, error)

ParsePolicy creates a Policy object and sorts by path.

func (Policy) MarshalZerologObject

func (p Policy) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog.LogObjectMarshaler.

type PolicyProvider

type PolicyProvider interface {
	// Reads and parses a policy.
	GetPolicy(ctx context.Context, name string) (*Policy, error)
	// Generate a Resultant Set of Policy (RSoP) for a token, token accessor, or path to a Vault role definition.
	GetRSoP(ctx context.Context, principalThing string) (*RSoP, error)
}

func NewReadthroughPolicyProvider

func NewReadthroughPolicyProvider(offlinePath string, client *vault.Client) (PolicyProvider, error)

ReadthroughPolicyProvider is a readthrough cache of Vault policies.

type RSoP

type RSoP struct {
	// Policies should be a slice sorted by Policy.Name.
	Policies []*Policy
}

Resultant Set of Policy, or "what a token can do".

This struct is basically a container for functions that operate on a slice of Policy objects.

func (*RSoP) GetCapabilityMap

func (r *RSoP) GetCapabilityMap() RSoPCapMap

GetCapabilityMap generates a map of path -> capability -> policies that grant it.

It essentially inverts each Policy.

func (*RSoP) MarshalZerologObject

func (r *RSoP) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog.LogObjectMarshaler.

type RSoPCapMap

type RSoPCapMap map[string]map[Capability][]string

A map of path -> capabilities -> policies that grant it.

func (RSoPCapMap) Diff

func (r RSoPCapMap) Diff(other RSoPCapMap) *RSoPDifferential

Diff generates a differential between two policy sets.

func (RSoPCapMap) HCL

func (r RSoPCapMap) HCL() string

Emits as HCL with inline comments of the responsible policies.
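As an added example (not the package's own code), the two operations documented above worked through on constructed policies: the GetCapabilityMap inversion of policy -> path -> capabilities into an RSoPCapMap (path -> capability -> granting policies), and a Diff of two such maps. Capability, PathConfig, Policy, RSoPCapMap and RSoPDifferential are local stand-ins for the package's types; CapMap, Diff, subtract and grant are this example's own names.

```go
package main
import "fmt"
// Example-only copies of the package's exported shapes so this runs stand-alone.
type Capability string
type PathConfig struct{ Path string; Capabilities []Capability }
type Policy struct{ Name string; Paths []PathConfig }
type RSoPCapMap map[string]map[Capability][]string // path -> cap -> policy names
type RSoPDifferential struct{ Added, Removed RSoPCapMap }
// grant records that policies pols give capability c on path, creating the inner map on demand.
func (m RSoPCapMap) grant(path string, c Capability, pols ...string) {
	if m[path] == nil {
		m[path] = map[Capability][]string{}
	}
	m[path][c] = append(m[path][c], pols...)
}
// CapMap inverts policy -> path -> caps into path -> cap -> granting policies.
func CapMap(policies []*Policy) RSoPCapMap {
	m := RSoPCapMap{}
	for _, pol := range policies {
		for _, pc := range pol.Paths {
			for _, c := range pc.Capabilities {
				m.grant(pc.Path, c, pol.Name)
			}
		}
	}
	return m
}
// subtract keeps grants of a that no policy in b provides (indexing b's nil inner map is safe).
func subtract(a, b RSoPCapMap) RSoPCapMap {
	out := RSoPCapMap{}
	for path, caps := range a {
		for c, pols := range caps {
			if _, still := b[path][c]; !still {
				out.grant(path, c, pols...)
			}
		}
	}
	return out
}
// Diff: Added = grants only in after, Removed = grants only in before.
func Diff(before, after RSoPCapMap) RSoPDifferential {
	return RSoPDifferential{Added: subtract(after, before), Removed: subtract(before, after)}
}
func main() {
	// Constructed sample: a token moves from {reader, deployer} to {reader, admin}.
	reader := &Policy{"reader", []PathConfig{{"secret/data/app", []Capability{"read", "list"}}}}
	deployer := &Policy{"deployer", []PathConfig{{"secret/data/app", []Capability{"read", "update"}}}}
	admin := &Policy{"admin", []PathConfig{{"sys/policies/acl/*", []Capability{"sudo"}}}}
	d := Diff(CapMap([]*Policy{reader, deployer}), CapMap([]*Policy{reader, admin}))
	fmt.Printf("added=%v removed=%v\n", d.Added, d.Removed)
}
```

Note that "read" on secret/data/app is not reported as removed even though deployer went away, because reader still grants it; only grants that no remaining policy provides count as changes.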

type RSoPDiffMetrics

type RSoPDiffMetrics struct {
	// Total amount of capabilities modified
	CapabilityChanges int
}

type RSoPDifferential

type RSoPDifferential struct {
	Added   RSoPCapMap
	Removed RSoPCapMap
}

The differences between two sets of policies.

func (*RSoPDifferential) Empty

func (p *RSoPDifferential) Empty() bool

Whether there are any effective changes.

func (*RSoPDifferential) MarkdownTable

func (p *RSoPDifferential) MarkdownTable() string

Emits a GitHub-flavored markdown table of changes or the empty string if there are none.

func (*RSoPDifferential) Metrics

func (p *RSoPDifferential) Metrics() RSoPDiffMetrics

Returns changeset metrics like the total count of changes.

type ReadthroughPolicyProvider

type ReadthroughPolicyProvider struct {
	// contains filtered or unexported fields
}

ReadthroughPolicyProvider is a readthrough cache of Vault policies.

func (*ReadthroughPolicyProvider) GetPolicy

func (p *ReadthroughPolicyProvider) GetPolicy(ctx context.Context, name string) (*Policy, error)

Reads a policy from Vault or the cache path.

func (*ReadthroughPolicyProvider) GetRSoP

func (p *ReadthroughPolicyProvider) GetRSoP(ctx context.Context, authThing string) (*RSoP, error)

Directories

gitops: Package gitops handles interpreting changes to a git repository as RSoP differentials.
