Documentation
Overview
Package iamcel provides primitives for using CEL expressions for access management.
Index
- Constants
- func NewAfterEnv(method protoreflect.MethodDescriptor) (*cel.Env, error)
- func NewAncestorFunctionDeclaration() *expr.Decl
- func NewAncestorFunctionImplementation() *functions.Overload
- func NewBeforeEnv(method protoreflect.MethodDescriptor) (*cel.Env, error)
- func NewTestAllFunctionDeclaration() *expr.Decl
- func NewTestAllFunctionImplementation(options *iamv1.MethodAuthorizationOptions, tester ResourcePermissionsTester) *functions.Overload
- func NewTestAnyFunctionDeclaration() *expr.Decl
- func NewTestAnyFunctionImplementation(options *iamv1.MethodAuthorizationOptions, tester ResourcePermissionsTester) *functions.Overload
- func NewTestFunctionDeclaration() *expr.Decl
- func NewTestFunctionImplementation(options *iamv1.MethodAuthorizationOptions, tester ResourcePermissionTester) *functions.Overload
- type PermissionTester
- type ResourcePermissionTester
- type ResourcePermissionsTester
Constants
const AncestorFunction = "ancestor"
AncestorFunction is the name of the CEL ancestor function.
const TestAllFunction = "test_all"
TestAllFunction is the name of the function for testing that all resources have a specified permission.
const TestAnyFunction = "test_any"
TestAnyFunction is the name of the test_any permission function.
const TestFunction = "test"
TestFunction is the name of the test permission function.
Functions
func NewAfterEnv
func NewAfterEnv(method protoreflect.MethodDescriptor) (*cel.Env, error)
NewAfterEnv creates a new CEL environment for authorization checks that run after the request has been handled.
func NewAncestorFunctionDeclaration
NewAncestorFunctionDeclaration creates a new declaration for the ancestor function.
func NewAncestorFunctionImplementation
NewAncestorFunctionImplementation creates a new implementation for the ancestor function.
func NewBeforeEnv
func NewBeforeEnv(method protoreflect.MethodDescriptor) (*cel.Env, error)
NewBeforeEnv creates a new CEL environment for authorization checks that run before the request has been handled.
func NewTestAllFunctionDeclaration
NewTestAllFunctionDeclaration creates a new declaration for the test_all function.
func NewTestAllFunctionImplementation
func NewTestAllFunctionImplementation(options *iamv1.MethodAuthorizationOptions, tester ResourcePermissionsTester) *functions.Overload
NewTestAllFunctionImplementation creates a new implementation for the test_all function.
func NewTestAnyFunctionDeclaration
NewTestAnyFunctionDeclaration creates a new declaration for the test_any function.
func NewTestAnyFunctionImplementation
func NewTestAnyFunctionImplementation(options *iamv1.MethodAuthorizationOptions, tester ResourcePermissionsTester) *functions.Overload
NewTestAnyFunctionImplementation creates a new implementation for the test_any function.
func NewTestFunctionDeclaration
NewTestFunctionDeclaration creates a new declaration for the test permission function.
func NewTestFunctionImplementation
func NewTestFunctionImplementation(options *iamv1.MethodAuthorizationOptions, tester ResourcePermissionTester) *functions.Overload
NewTestFunctionImplementation creates a new implementation for the test permission function.
Types
type PermissionTester (added in v0.33.0)
type PermissionTester interface {
	ResourcePermissionTester
	ResourcePermissionsTester
}
type ResourcePermissionTester
type ResourcePermissionTester interface {
	TestResourcePermission(ctx context.Context, members []string, resource string, permission string) (bool, error)
}
ResourcePermissionTester is an interface for testing the presence of a single resource permission binding.
type ResourcePermissionsTester
type ResourcePermissionsTester interface {
	TestResourcePermissions(ctx context.Context, members []string, resourcePermissions map[string]string) (map[string]bool, error)
}
ResourcePermissionsTester is an interface for testing the presence of multiple resource permission bindings.
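The following is an added example, not code from the iamcel package: a minimal in-memory type whose two methods have the ResourcePermissionTester and ResourcePermissionsTester signatures shown above and which denies any pair it has no binding for. The memoryTester and binding types, the sample members, resource names and permission string, and the "any member matches" rule are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
)

// binding is one (resource, permission) pair; constructed for this example.
type binding struct{ resource, permission string }

// memoryTester is a hypothetical in-memory tester that fails closed (no binding means deny).
type memoryTester struct {
	grants map[binding]map[string]bool // binding -> members that hold it
}

// TestResourcePermission has the ResourcePermissionTester signature. Assumption:
// the check passes when any one of the given members holds the binding.
func (t *memoryTester) TestResourcePermission(_ context.Context, members []string, resource string, permission string) (bool, error) {
	holders := t.grants[binding{resource, permission}] // nil map: no holders
	for _, m := range members {
		if holders[m] {
			return true, nil
		}
	}
	return false, nil
}

// TestResourcePermissions has the ResourcePermissionsTester signature; every requested
// resource gets an explicit true/false entry so a missing key is never read as a decision.
func (t *memoryTester) TestResourcePermissions(ctx context.Context, members []string, resourcePermissions map[string]string) (map[string]bool, error) {
	result := make(map[string]bool, len(resourcePermissions))
	for resource, permission := range resourcePermissions {
		ok, err := t.TestResourcePermission(ctx, members, resource, permission)
		if err != nil {
			return nil, err // no partial result on error
		}
		result[resource] = ok
	}
	return result, nil
}

func sampleTester() *memoryTester {
	return &memoryTester{grants: map[binding]map[string]bool{
		{"shippers/1", "shippers.get"}: {"user:alice@example.com": true}, // constructed sample binding
	}}
}

func main() {
	fmt.Println(sampleTester().TestResourcePermissions(context.Background(), []string{"user:alice@example.com"},
		map[string]string{"shippers/1": "shippers.get", "shippers/2": "shippers.get"}))
}
```

Because memoryTester has both methods, it also satisfies the combined PermissionTester interface listed above.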