Documentation ¶
Overview ¶
Package policy implements the fetching and verification logic of the Athenz policy updater and provides an interface for checking access against the verified policy data.
Index ¶
- Variables
- type Assertion
- type Daemon
- type Fetcher
- type Option
- func WithAthenzDomains(doms ...string) Option
- func WithAthenzURL(url string) Option
- func WithExpiryMargin(d string) Option
- func WithHTTPClient(c *http.Client) Option
- func WithPubKeyProvider(pkp pubkey.Provider) Option
- func WithPurgePeriod(d string) Option
- func WithRefreshPeriod(d string) Option
- func WithRetryAttempts(c int) Option
- func WithRetryDelay(d string) Option
- type SignedPolicy
- type SignedPolicyVerifier
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrDomainMismatch "Access denied due to domain mismatch between Resource and RoleToken"
	ErrDomainMismatch = errors.New("Access denied due to domain mismatch between Resource and RoleToken")
	// ErrDomainNotFound "Access denied due to domain not found in library cache"
	ErrDomainNotFound = errors.New("Access denied due to domain not found in library cache")
	// ErrNoMatch "Access denied due to no match to any of the assertions defined in domain policy file"
	ErrNoMatch = errors.New("Access denied due to no match to any of the assertions defined in domain policy file")
	// ErrInvalidPolicyResource "Access denied due to invalid/empty policy resources"
	ErrInvalidPolicyResource = errors.New("Access denied due to invalid/empty policy resources")
	// ErrDenyByPolicy "Access Check was explicitly denied"
	ErrDenyByPolicy = errors.New("Access Check was explicitly denied")
	// ErrDomainExpired "Access denied due to expired domain policy file"
	ErrDomainExpired = errors.New("Access denied due to expired domain policy file")
	// ErrFetchPolicy "Error fetching athenz policy"
	ErrFetchPolicy = errors.New("Error fetching athenz policy")
)
Functions ¶
This section is empty.
Types ¶
type Assertion ¶
type Assertion struct {
	ResourceDomain string         `json:"resource_domain"`
	ActionRegexp   *regexp.Regexp `json:"-"`
	ResourceRegexp *regexp.Regexp `json:"-"`
	Effect         error          `json:"effect"`

	Action               string `json:"action"`
	Resource             string `json:"resource"`
	ActionRegexpString   string `json:"action_regexp_string"`
	ResourceRegexpString string `json:"resource_regexp_string"`
}
Assertion represents the refined assertion data used in policy checking. ActionRegexp and ResourceRegexp are the compiled forms of Action and Resource and are not serialized; Effect is the error returned when the assertion matches (nil for an allow).
func NewAssertion ¶
NewAssertion returns an Assertion, or an error if one cannot be built from the given action, resource and effect.
type Daemon ¶
type Daemon interface {
	Start(context.Context) <-chan error
	Update(context.Context) error
	CheckPolicy(ctx context.Context, domain string, roles []string, action, resource string) error
	CheckPolicyRoles(ctx context.Context, domain string, roles []string, action, resource string) ([]string, error)
	GetPolicyCache(context.Context) map[string]interface{}
}
Daemon represents the daemon that retrieves policy data from Athenz and answers access checks against it. CheckPolicy returns nil when the request is allowed and one of the package's Err* variables otherwise; CheckPolicyRoles returns the roles that were granted access.
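How the Err* variables, the Assertion fields and the CheckPolicy contract fit together, as an added example written for this page rather than the package's own implementation: the stand-in types, the glob-to-regexp translation, the order of the checks and the reading of ExpiryMargin (a policy is treated as expired margin ahead of its expiry time) are assumptions, and the sample cache is constructed data. It shows the rule a caller must remember when interpreting results: the domain prefix of the resource is compared with the token domain before the cache is consulted at all, and an explicit deny in any of the caller's roles returns ErrDenyByPolicy even when another role allows the request.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// The package's exported errors, redeclared with the same text so the example runs without the library.
var (
	ErrDomainMismatch        = errors.New("Access denied due to domain mismatch between Resource and RoleToken")
	ErrDomainNotFound        = errors.New("Access denied due to domain not found in library cache")
	ErrNoMatch               = errors.New("Access denied due to no match to any of the assertions defined in domain policy file")
	ErrInvalidPolicyResource = errors.New("Access denied due to invalid/empty policy resources")
	ErrDenyByPolicy          = errors.New("Access Check was explicitly denied")
	ErrDomainExpired         = errors.New("Access denied due to expired domain policy file")
)

// assertion keeps the policy.Assertion fields the check needs; Effect is nil for allow, ErrDenyByPolicy for deny.
type assertion struct {
	ActionRegexp   *regexp.Regexp
	ResourceRegexp *regexp.Regexp
	Effect         error
}

// globToRegexp turns an Athenz glob ("*" any run, "?" one character) into an
// anchored regexp. Quoting first makes the "." in "orders.*" a literal dot
// rather than "any character" (assumed translation, not the library's own).
func globToRegexp(glob string) *regexp.Regexp {
	quoted := regexp.QuoteMeta(glob)
	return regexp.MustCompile("^" + strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(quoted) + "$")
}

// newAssertion builds one assertion from an action glob and a "domain:resource" glob.
func newAssertion(action, resource string, effect error) *assertion {
	_, name, _ := strings.Cut(resource, ":")
	return &assertion{ActionRegexp: globToRegexp(action), ResourceRegexp: globToRegexp(name), Effect: effect}
}

// domainPolicy is one cache entry: assertions keyed by role, plus the policy expiry.
type domainPolicy struct {
	Expires    time.Time
	Assertions map[string][]*assertion
}

// checkPolicy applies the error contract of Daemon.CheckPolicy: reject a malformed
// or foreign-domain resource before consulting the cache, refuse a domain that is
// missing or expires within margin (assumed reading of ExpiryMargin), and let an
// explicit deny in any of the caller's roles beat an allow matched in another.
func checkPolicy(cache map[string]*domainPolicy, now time.Time, margin time.Duration,
	domain string, roles []string, action, resource string) error {
	resDom, name, found := strings.Cut(resource, ":")
	if !found || resDom == "" || name == "" {
		return ErrInvalidPolicyResource
	}
	if resDom != domain {
		return ErrDomainMismatch
	}
	dp, ok := cache[domain]
	if !ok {
		return ErrDomainNotFound
	}
	if !now.Add(margin).Before(dp.Expires) {
		return ErrDomainExpired
	}
	result := ErrNoMatch // becomes nil once any allow assertion matches
	for _, role := range roles {
		for _, a := range dp.Assertions[role] {
			if !a.ActionRegexp.MatchString(action) || !a.ResourceRegexp.MatchString(name) {
				continue
			}
			if a.Effect != nil {
				return a.Effect // deny wins even if an allow already matched
			}
			result = nil
		}
	}
	return result
}

// sampleCache is constructed data for the demonstration, not real Athenz policy.
func sampleCache(now time.Time) map[string]*domainPolicy {
	return map[string]*domainPolicy{"shop": {
		Expires: now.Add(time.Hour),
		Assertions: map[string][]*assertion{
			"reader": {newAssertion("read", "shop:orders.*", nil)},
			"admin": {newAssertion("*", "shop:orders.*", nil),
				newAssertion("*", "shop:orders.archive", ErrDenyByPolicy)},
		},
	}}
}

func main() {
	now := time.Now()
	fmt.Println(checkPolicy(sampleCache(now), now, 0, "shop", []string{"reader", "admin"}, "delete", "shop:orders.archive"))
}
```

Quoting the glob before substituting the wildcards is the detail worth copying: a resource such as orders.* compiled directly as a regexp would treat the dot as "any character" and also match ordersXfoo, silently widening the grant.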
type Fetcher ¶
type Fetcher interface {
	Domain() string
	Fetch(context.Context) (*SignedPolicy, error)
	FetchWithRetry(context.Context) (*SignedPolicy, error)
}
Fetcher represents the fetcher object for fetching the signed policy of a single domain.
type Option ¶
type Option func(*policyd) error
Option represents a functional option
func WithAthenzDomains ¶
WithAthenzDomains returns an AthenzDomains functional option
func WithAthenzURL ¶
WithAthenzURL returns an AthenzURL functional option
func WithExpiryMargin ¶
WithExpiryMargin returns an ExpiryMargin functional option
func WithHTTPClient ¶
WithHTTPClient returns an HTTPClient functional option
func WithPubKeyProvider ¶
WithPubKeyProvider returns a PubKeyProvider functional option
func WithPurgePeriod ¶
WithPurgePeriod returns a PurgePeriod functional option
func WithRefreshPeriod ¶
WithRefreshPeriod returns a RefreshPeriod functional option
func WithRetryAttempts ¶
WithRetryAttempts returns a RetryAttempts functional option
func WithRetryDelay ¶
WithRetryDelay returns a RetryDelay functional option
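How the retry options combine with Fetcher.FetchWithRetry, as an added example and not the package's code: policyd, newPolicyd, flakyFetch and the defaults are hypothetical, and the retry policy (at most 1+RetryAttempts calls, RetryDelay apart, abandoned when the context is cancelled) is this example's reading of the two options, not documented library behaviour. The point it makes about Option func(*policyd) error is that an option can reject its argument, so a mistyped duration string such as "10x" fails in the constructor instead of becoming a zero delay at runtime.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

var ErrFetchPolicy = errors.New("Error fetching athenz policy") // same text as the package's exported variable

type signedPolicy struct{ Domain string } // stand-in for policy.SignedPolicy; only the domain is modelled

// policyd is a hypothetical stand-in for the package's unexported daemon struct.
type policyd struct {
	retryAttempts int
	retryDelay    time.Duration
}

// option follows the page's "type Option func(*policyd) error" shape: an option
// may reject its argument, so bad configuration fails before the daemon starts.
type option func(*policyd) error

// withRetryDelay parses the string duration at construction time; "10x" or
// "-1s" is an error here rather than a silent zero delay at runtime.
func withRetryDelay(d string) option {
	return func(p *policyd) error {
		dur, err := time.ParseDuration(d)
		if err != nil || dur < 0 {
			return fmt.Errorf("retry delay %q: invalid or negative (%v)", d, err)
		}
		p.retryDelay = dur
		return nil
	}
}

func withRetryAttempts(c int) option {
	return func(p *policyd) error {
		if c < 0 {
			return errors.New("retry attempts must not be negative")
		}
		p.retryAttempts = c
		return nil
	}
}

// newPolicyd applies assumed defaults, then the options in order; the first failing option aborts.
func newPolicyd(opts ...option) (*policyd, error) {
	p := &policyd{retryAttempts: 2, retryDelay: time.Minute}
	for _, o := range opts {
		if err := o(p); err != nil {
			return nil, err
		}
	}
	return p, nil
}

// fetchWithRetry models Fetcher.FetchWithRetry: at most 1+retryAttempts calls,
// retryDelay apart, and abandoned as soon as ctx is cancelled, so a stuck
// Update cannot pin a goroutine for attempts*delay after shutdown.
func (p *policyd) fetchWithRetry(ctx context.Context, fetch func(context.Context) (*signedPolicy, error)) (*signedPolicy, error) {
	var lastErr error
	for attempt := 0; attempt <= p.retryAttempts; attempt++ {
		if attempt > 0 {
			select {
			case <-ctx.Done():
				return nil, fmt.Errorf("%w: %v", ErrFetchPolicy, ctx.Err())
			case <-time.After(p.retryDelay):
			}
		}
		sp, err := fetch(ctx)
		if err == nil {
			return sp, nil
		}
		lastErr = err
	}
	return nil, fmt.Errorf("%w: %v", ErrFetchPolicy, lastErr)
}

// flakyFetch is constructed input: it fails `failures` times, then succeeds.
func flakyFetch(failures int, calls *int) func(context.Context) (*signedPolicy, error) {
	return func(context.Context) (*signedPolicy, error) {
		*calls++
		if *calls <= failures {
			return nil, errors.New("zts unreachable")
		}
		return &signedPolicy{Domain: "shop"}, nil
	}
}

func main() {
	calls := 0
	p, err := newPolicyd(withRetryAttempts(2), withRetryDelay("1ms"))
	if err != nil {
		panic(err)
	}
	sp, err := p.fetchWithRetry(context.Background(), flakyFetch(2, &calls))
	fmt.Println(sp.Domain, calls, err) // shop 3 <nil>
}
```

Wrapping the last error with ErrFetchPolicy via %w keeps the package's sentinel usable with errors.Is while preserving the transport-level cause for the log line.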
type SignedPolicy ¶
type SignedPolicy struct {
util.DomainSignedPolicyData
}
SignedPolicy represents the signed policy data
type SignedPolicyVerifier ¶
type SignedPolicyVerifier func(*SignedPolicy) error
SignedPolicyVerifier defines the function signature used to verify a signed policy; it returns nil when the policy is accepted.