realmset

package
v0.0.0-...-4fdfd67 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 10, 2025 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package realmset provides queryable representation of LUCI Realms DB.

Used internally by authdb.Snapshot.

Index

Constants

View Source
const ExpectedAPIVersion = 1

ExpectedAPIVersion is the supported value of api_version field.

See Build implementation for details.

Variables

This section is empty.

Functions

This section is empty.

Types

type Binding

type Binding struct {
	Condition *conds.Condition // nil if the binding is unconditional
	Groups    graph.SortedNodeSet
	Idents    stringset.Set
}

Binding represents a set of principals and a condition when it can be used.

See Bindings(...) method for more details.

type Bindings

type Bindings []Binding

Bindings is a list of bindings in a single realm for a single permission.

func (Bindings) Check

Check returns true if any of the bindings in the list are applying.

Checks conditions on `attrs` and memberships of the identity represented by `q`.

type PermissionIndex

type PermissionIndex uint32

PermissionIndex is used in place of permission names.

Note: should match an int type used in `permissions` field in the proto.

type RealmBindings

type RealmBindings struct {
	// Realms is a full realm name as "<project>:<name>".
	Realm string
	// Bindings is a list of bindings for a permission passed to QueryBindings.
	Bindings Bindings
}

RealmBindings is a realm name plus bindings for a single permission there.

Used as part of QueryBindings return value.

type Realms

type Realms struct {
	// contains filtered or unexported fields
}

Realms is a queryable representation of realms.Realms proto.

func Build

Build constructs Realms from the proto message, the group graph and permissions registered by the processes.

Only registered permissions will be queriable. Bindings with all other permissions will be ignored to save RAM.

func (*Realms) Bindings

func (r *Realms) Bindings(realm string, perm PermissionIndex) Bindings

Bindings returns representation of bindings that define who has the requested permission in the given realm.

Each returned binding is a tuple (condition, groups, identities):

  • Condition: a predicate over realms.Attrs map that evaluates to true if this binding is "active". Inactive bindings should be skipped.
  • Groups: a set of groups with principals that have the permission, represented by a sorted slice of group indexes in a graph.QueryableGraph which was passed to Build().
  • Identities: a set of identity strings that were specified in the realm ACL directly (not via a group).

The permission should be specified as its index obtained via PermissionIndex.

The realm name is not validated. Unknown or invalid realms are silently treated as empty. No fallback to @root happens.

Returns nil if the requested permission is not mentioned in any binding in the realm at all.

func (*Realms) Data

func (r *Realms) Data(realm string) *protocol.RealmData

Data returns RealmData attached to a realm or nil if none.

func (*Realms) HasRealm

func (r *Realms) HasRealm(realm string) bool

HasRealm returns true if the given realm exists in the DB.

func (*Realms) PermissionIndex

func (r *Realms) PermissionIndex(perm realms.Permission) (idx PermissionIndex, ok bool)

PermissionIndex returns an index of the given permission.

It can be passed to Bindings(...). Returns (0, false) if there's no such permission in the Realms DB.

func (*Realms) QueryBindings

func (r *Realms) QueryBindings(perm PermissionIndex) (map[string][]RealmBindings, bool)

QueryBindings returns **all** bindings for the given permission across all realms and projects.

The result is a map "project name => list of (realm, bindings for the requested permission in this realm)". It includes only projects and realms that have bindings for the queried permission. The order of items in the list is not well-defined.

This information is available only for permission flagged with UsedInQueryRealms. Returns `ok == false` if `perm` was not flagged.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL