Documentation
Overview
Package realmset provides a queryable representation of LUCI Realms DB.
Used internally by authdb.Snapshot.
Index
- Constants
- type Binding
- type Bindings
- type PermissionIndex
- type RealmBindings
- type Realms
- func (r *Realms) Bindings(realm string, perm PermissionIndex) Bindings
- func (r *Realms) Data(realm string) *protocol.RealmData
- func (r *Realms) HasRealm(realm string) bool
- func (r *Realms) PermissionIndex(perm realms.Permission) (idx PermissionIndex, ok bool)
- func (r *Realms) QueryBindings(perm PermissionIndex) (map[string][]RealmBindings, bool)
Constants
const ExpectedAPIVersion = 1
ExpectedAPIVersion is the supported value of api_version field.
See Build implementation for details.
Types
type Binding
type Binding struct {
	Condition *conds.Condition // nil if the binding is unconditional
	Groups    graph.SortedNodeSet
	Idents    stringset.Set
}
Binding represents a set of principals and a condition when it can be used.
See Bindings(...) method for more details.
type Bindings
type Bindings []Binding
Bindings is a list of bindings in a single realm for a single permission.
type PermissionIndex
type PermissionIndex uint32
PermissionIndex is used in place of permission names.
Note: should match an int type used in `permissions` field in the proto.
type RealmBindings
type RealmBindings struct {
	// Realm is a full realm name as "<project>:<name>".
	Realm string
	// Bindings is a list of bindings for a permission passed to QueryBindings.
	Bindings Bindings
}
RealmBindings is a realm name plus bindings for a single permission there.
Used as part of QueryBindings return value.
type Realms
type Realms struct {
// contains filtered or unexported fields
}
Realms is a queryable representation of realms.Realms proto.
func Build
func Build(r *protocol.Realms, qg *graph.QueryableGraph, registered map[realms.Permission]realms.PermissionFlags) (*Realms, error)
Build constructs Realms from the proto message, the group graph and permissions registered by the processes.
Only registered permissions will be queryable. Bindings with all other permissions will be ignored to save RAM.
func (*Realms) Bindings
func (r *Realms) Bindings(realm string, perm PermissionIndex) Bindings
Bindings returns a representation of the bindings that define who has the requested permission in the given realm.
Each returned binding is a tuple (condition, groups, identities):
- Condition: a predicate over realms.Attrs map that evaluates to true if this binding is "active". Inactive bindings should be skipped.
- Groups: a set of groups with principals that have the permission, represented by a sorted slice of group indexes in a graph.QueryableGraph which was passed to Build().
- Identities: a set of identity strings that were specified in the realm ACL directly (not via a group).
The permission should be specified as its index obtained via PermissionIndex.
The realm name is not validated. Unknown or invalid realms are silently treated as empty. No fallback to @root happens.
Returns nil if the requested permission is not mentioned in any binding in the realm at all.
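Added example (not code from the realmset package): a self-contained Go model of how a caller evaluates the (condition, groups, identities) tuples described above, skipping inactive bindings and denying access when the realm or permission is unknown. The names Attrs, Binding, realmDB, hasPermission and sampleDB are hypothetical stand-ins; the real package uses conds.Condition, graph.SortedNodeSet and stringset.Set.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-in types (assumptions, not the realmset API) for the documented tuple.
type Attrs map[string]string

type Binding struct {
	Condition func(Attrs) bool    // nil if the binding is unconditional
	Groups    []int               // sorted group indexes
	Idents    map[string]struct{} // identities named directly in the realm ACL
}

// realmDB maps realm -> permission index -> bindings.
type realmDB map[string]map[uint32][]Binding

// hasPermission fails closed: only an active binding naming the identity or one of
// its groups grants access. Unknown realm or permission yields nil, no @root fallback.
func hasPermission(db realmDB, realm string, perm uint32, ident string, memberOf []int, attrs Attrs) bool {
	for _, b := range db[realm][perm] {
		if b.Condition != nil && !b.Condition(attrs) {
			continue // inactive binding: skip it
		}
		if _, ok := b.Idents[ident]; ok {
			return true
		}
		for _, g := range memberOf {
			if i := sort.SearchInts(b.Groups, g); i < len(b.Groups) && b.Groups[i] == g {
				return true
			}
		}
	}
	return false
}

// sampleDB is constructed data: permission 0 in "proj:ci" goes to groups 2 and 5
// unconditionally, and to one identity only while attrs["env"] == "dev".
func sampleDB() realmDB {
	return realmDB{"proj:ci": {0: {
		{Groups: []int{2, 5}},
		{Condition: func(a Attrs) bool { return a["env"] == "dev" },
			Idents: map[string]struct{}{"user:a@example.com": {}}},
	}}}
}

func main() {
	fmt.Println(hasPermission(sampleDB(), "proj:ci", 0, "user:a@example.com", nil, Attrs{"env": "dev"}))
}
```

Because an unknown realm is treated as empty rather than as an error, a caller that wants inheritance from "<project>:@root" has to query that realm explicitly.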
func (*Realms) PermissionIndex
func (r *Realms) PermissionIndex(perm realms.Permission) (idx PermissionIndex, ok bool)
PermissionIndex returns an index of the given permission.
It can be passed to Bindings(...). Returns (0, false) if there's no such permission in the Realms DB.
func (*Realms) QueryBindings
func (r *Realms) QueryBindings(perm PermissionIndex) (map[string][]RealmBindings, bool)
QueryBindings returns **all** bindings for the given permission across all realms and projects.
The result is a map "project name => list of (realm, bindings for the requested permission in this realm)". It includes only projects and realms that have bindings for the queried permission. The order of items in the list is not well-defined.
This information is available only for permissions flagged with UsedInQueryRealms. Returns `ok == false` if `perm` was not flagged.