iapl

package
v0.3.1
Published: Jan 23, 2024 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Overview

Package iapl contains functions and data for the Infratographer Authorization Policy Language, a domain-specific language for defining authorization policies based on resource relationships.

Index

Constants

This section is empty.

Variables

var (
	// ErrorTypeExists represents an error where a duplicate type or union was declared.
	ErrorTypeExists = errors.New("type already exists")
	// ErrorUnknownType represents an error where a resource type is unknown in the authorization policy.
	ErrorUnknownType = errors.New("unknown resource type")
	// ErrorInvalidCondition represents an error where an action binding condition is invalid.
	ErrorInvalidCondition = errors.New("invalid condition")
	// ErrorUnknownRelation represents an error where a relation is not defined for a resource type.
	ErrorUnknownRelation = errors.New("unknown relation")
	// ErrorUnknownAction represents an error where an action is not defined.
	ErrorUnknownAction = errors.New("unknown action")
)

Functions

This section is empty.

Types

type Action

type Action struct {
	Name string
}

Action represents an action that can be taken in an authorization policy.

type ActionBinding

type ActionBinding struct {
	ActionName string
	TypeName   string
	Conditions []Condition
}

ActionBinding represents a binding of an action to a resource type or union.

type Condition

type Condition struct {
	RoleBinding        *ConditionRoleBinding
	RelationshipAction *ConditionRelationshipAction
}

Condition represents a necessary condition for performing an action.

type ConditionRelationshipAction

type ConditionRelationshipAction struct {
	Relation   string
	ActionName string
}

ConditionRelationshipAction represents a condition where another action must be allowed on a resource along a relation to perform an action.

type ConditionRoleBinding

type ConditionRoleBinding struct{}

ConditionRoleBinding represents a condition where a role binding is necessary to perform an action.

type Policy

type Policy interface {
	Validate() error
	Schema() []types.ResourceType
}

Policy represents an authorization policy as defined by IAPL.

func DefaultPolicy

func DefaultPolicy() Policy

DefaultPolicy generates the default policy for permissions-api.

func NewPolicy

func NewPolicy(p PolicyDocument) Policy

NewPolicy creates a policy from the given policy document.

func NewPolicyFromFile

func NewPolicyFromFile(filePath string) (Policy, error)

NewPolicyFromFile reads the provided file path and returns a new Policy.

type PolicyDocument

type PolicyDocument struct {
	ResourceTypes  []ResourceType
	Unions         []Union
	Actions        []Action
	ActionBindings []ActionBinding
}

PolicyDocument represents a partial authorization policy.

func DefaultPolicyDocument added in v0.1.6

func DefaultPolicyDocument() PolicyDocument

DefaultPolicyDocument returns the default policy document for permissions-api.

type Relationship

type Relationship struct {
	Relation        string
	TargetTypeNames []string
}

Relationship represents a named relation between two resources.

type ResourceType

type ResourceType struct {
	Name          string
	IDPrefix      string
	Relationships []Relationship
}

ResourceType represents a resource type in the authorization policy.

type Union

type Union struct {
	Name              string
	ResourceTypeNames []string
}

Union represents a named union of multiple concrete resource types.
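The page lists the IAPL data model and the error values a policy can report, but not the checks behind Validate(). The following is an added example, not permissions-api's own code: it mirrors the page's types and implements the checks the error variables describe over a constructed document. Unions are left out, and the rule that a Condition must set exactly one of RoleBinding or RelationshipAction is this example's reading of ErrorInvalidCondition.

```go
package main

import "errors"
import "fmt"

// The types below mirror the page's iapl declarations so the example compiles on its own.
type Relationship struct{ Relation string; TargetTypeNames []string }
type ResourceType struct{ Name, IDPrefix string; Relationships []Relationship }
type Action struct{ Name string }
type ConditionRoleBinding struct{}
type ConditionRelationshipAction struct{ Relation, ActionName string }
type Condition struct{ RoleBinding *ConditionRoleBinding; RelationshipAction *ConditionRelationshipAction }
type ActionBinding struct{ ActionName, TypeName string; Conditions []Condition }
type PolicyDocument struct{ ResourceTypes []ResourceType; Actions []Action; ActionBindings []ActionBinding }

var ErrorUnknownType, ErrorUnknownAction = errors.New("unknown resource type"), errors.New("unknown action")
var ErrorInvalidCondition, ErrorUnknownRelation = errors.New("invalid condition"), errors.New("unknown relation")

// Validate rejects bindings to undeclared actions or types, and conditions that are malformed or name a relation the bound type lacks.
func Validate(p PolicyDocument) error {
	rels := map[string]map[string]bool{} // type name -> relations defined on it
	for _, rt := range p.ResourceTypes {
		rels[rt.Name] = map[string]bool{}
		for _, r := range rt.Relationships {
			rels[rt.Name][r.Relation] = true
		}
	}
	actions := map[string]bool{}
	for _, a := range p.Actions {
		actions[a.Name] = true
	}
	for _, b := range p.ActionBindings {
		if !actions[b.ActionName] {
			return fmt.Errorf("binding %s on %s: %w", b.ActionName, b.TypeName, ErrorUnknownAction)
		}
		if _, ok := rels[b.TypeName]; !ok {
			return fmt.Errorf("binding %s on %s: %w", b.ActionName, b.TypeName, ErrorUnknownType)
		}
		for _, c := range b.Conditions {
			if (c.RoleBinding == nil) == (c.RelationshipAction == nil) { // exactly one kind must be set
				return fmt.Errorf("binding %s on %s: %w", b.ActionName, b.TypeName, ErrorInvalidCondition)
			}
			if ra := c.RelationshipAction; ra != nil && !rels[b.TypeName][ra.Relation] {
				return fmt.Errorf("%s has no relation %s: %w", b.TypeName, ra.Relation, ErrorUnknownRelation)
			}
		}
	}
	return nil
}
```

Because every failure wraps one of the sentinel values, callers can branch on errors.Is while still logging the binding that caused the rejection.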
