policy

package
v5.3.7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 18, 2022 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package policy represents the athenz policy updater fetching and verify logic and provide an interface to verify the policy data.

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrDomainMismatch "Access denied due to domain mismatch between Resource and RoleToken"
	ErrDomainMismatch = errors.New("Access denied due to domain mismatch between Resource and RoleToken")

	// ErrDomainNotFound "Access denied due to domain not found in library cache"
	ErrDomainNotFound = errors.New("Access denied due to domain not found in library cache")

	// ErrNoMatch "Access denied due to no match to any of the assertions defined in domain policy file"
	ErrNoMatch = errors.New("Access denied due to no match to any of the assertions defined in domain policy file")

	// ErrInvalidPolicyResource "Access denied due to invalid/empty policy resources"
	ErrInvalidPolicyResource = errors.New("Access denied due to invalid/empty policy resources")

	// ErrDenyByPolicy "Access Check was explicitly denied"
	ErrDenyByPolicy = errors.New("Access Check was explicitly denied")

	// ErrDomainExpired "Access denied due to expired domain policy file"
	ErrDomainExpired = errors.New("Access denied due to expired domain policy file")

	// ErrFetchPolicy "Error fetching athenz policy"
	ErrFetchPolicy = errors.New("Error fetching athenz policy")
)

Functions

This section is empty.

Types

type Assertion

type Assertion struct {
	ResourceDomain string         `json:"resource_domain"`
	ActionRegexp   *regexp.Regexp `json:"-"`
	ResourceRegexp *regexp.Regexp `json:"-"`
	Effect         error          `json:"effect"`

	Action               string `json:"action"`
	Resource             string `json:"resource"`
	ActionRegexpString   string `json:"action_regexp_string"`
	ResourceRegexpString string `json:"resource_regexp_string"`
}

Assertion represents the refined assertion data use in policy checking

func NewAssertion

func NewAssertion(action, resource, effect string) (*Assertion, error)

NewAssertion returns the Assertion object or error

type Daemon

type Daemon interface {
	Start(context.Context) <-chan error
	Update(context.Context) error
	CheckPolicy(ctx context.Context, domain string, roles []string, action, resource string) error
	CheckPolicyRoles(ctx context.Context, domain string, roles []string, action, resource string) ([]string, error)
	GetPolicyCache(context.Context) map[string]interface{}
}

Daemon represents the daemon to retrieve policy data from Athenz.

func New

func New(opts ...Option) (Daemon, error)

New represent the constructor of Policyd

type Fetcher

type Fetcher interface {
	Domain() string
	Fetch(context.Context) (*SignedPolicy, error)
	FetchWithRetry(context.Context) (*SignedPolicy, error)
}

Fetcher represents fetcher object for fetching signed policy

type Option

type Option func(*policyd) error

Option represents a functional option

func WithAthenzDomains

func WithAthenzDomains(doms ...string) Option

WithAthenzDomains represents an AthenzDomain functional option

func WithAthenzURL

func WithAthenzURL(url string) Option

WithAthenzURL returns an AthenzURL functional option

func WithExpiryMargin

func WithExpiryMargin(d string) Option

WithExpiryMargin returns an ExpiryMargin functional option

func WithHTTPClient

func WithHTTPClient(c *http.Client) Option

WithHTTPClient returns a HttpClient functional option

func WithPubKeyProvider

func WithPubKeyProvider(pkp pubkey.Provider) Option

WithPubKeyProvider returns a PubKeyProvider functional option

func WithPurgePeriod

func WithPurgePeriod(d string) Option

WithPurgePeriod returns a PurgePeriod functional option

func WithRefreshPeriod

func WithRefreshPeriod(d string) Option

WithRefreshPeriod returns a RefreshPeriod functional option

func WithRetryAttempts

func WithRetryAttempts(c int) Option

WithRetryAttempts returns an RetryAttempts functional option

func WithRetryDelay

func WithRetryDelay(d string) Option

WithRetryDelay returns an RetryDelay functional option

type SignedPolicy

type SignedPolicy struct {
	util.DomainSignedPolicyData
}

SignedPolicy represents the signed policy data

func (*SignedPolicy) Verify

func (s *SignedPolicy) Verify(pkp pubkey.Provider) error

Verify verifies the signed policy and return any errors

type SignedPolicyVerifier

type SignedPolicyVerifier func(*SignedPolicy) error

SignedPolicyVerifier type defines the function signature to verify a signed policy.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL