cel

package
v0.32.0-alpha.1 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Oct 4, 2024 License: Apache-2.0 Imports: 17 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RegisterMetrics added in v0.30.0

func RegisterMetrics()

func ResetMetricsForTest added in v0.30.0

func ResetMetricsForTest()

Types

type CELMatcher

// CELMatcher bundles compiled matchCondition expressions with the bookkeeping
// used when evaluating them (see Eval) and, optionally, with metrics reporting.
type CELMatcher struct {
	// CompilationResults holds the compiled expressions, one per entry.
	// NOTE(review): how Eval treats an empty slice or an expression that fails
	// to evaluate is not visible on this page; confirm that neither case can
	// silently change which requests reach the authorizer.
	CompilationResults []CompilationResult

	// These track if any expressions use fieldSelector and labelSelector,
	// so construction of data passed to the CEL expression can be optimized if those fields are unused.
	// NOTE(review): presumably derived from the per-expression flags on
	// CompilationResult. If they are set by hand and disagree with the compiled
	// expressions, an expression could be evaluated without the selector data
	// it reads — confirm where these are populated.
	UsesLabelSelector bool
	UsesFieldSelector bool

	// These are optional fields which can be populated if metrics reporting is desired
	// NOTE(review): whether Eval tolerates a nil Metrics is not shown here;
	// NoopMatcherMetrics exists in this package — confirm the expected default.
	Metrics        MatcherMetrics
	AuthorizerType string
	AuthorizerName string
}

func (*CELMatcher) Eval

Eval evaluates the given SubjectAccessReview against all CEL matchCondition expressions.

type CompilationResult

type CompilationResult struct {
	// Program is the compiled CEL program for the expression.
	Program cel.Program
	// ExpressionAccessor is the accessor associated with Program.
	// presumably the same accessor that was passed to
	// Compiler.CompileCELExpression — confirm against the compiler.
	ExpressionAccessor ExpressionAccessor

	// These track if a given expression uses fieldSelector and labelSelector,
	// so construction of data passed to the CEL expression can be optimized if those fields are unused.
	UsesFieldSelector bool
	UsesLabelSelector bool
}

CompilationResult represents a compiled authorization cel expression.

type Compiler

type Compiler interface {
	// CompileCELExpression compiles the expression exposed by expressionAccessor
	// and returns the resulting CompilationResult, or an error.
	// NOTE(review): when the error is non-nil the returned CompilationResult
	// should not be used; since these expressions gate authorization, callers
	// presumably reject the configuration rather than drop the failing
	// expression — confirm at the call sites.
	CompileCELExpression(expressionAccessor ExpressionAccessor) (CompilationResult, error)
}

Compiler is an interface for compiling CEL expressions with the desired environment mode.

func NewCompiler

func NewCompiler(env *environment.EnvSet) Compiler

NewCompiler returns a new Compiler.

type EvaluationResult

type EvaluationResult struct {
	// EvalResult is the value produced by evaluating the expression.
	// NOTE(review): it is an untyped ref.Val; consumers should check its
	// concrete type before acting on it rather than assume a boolean — confirm
	// what the evaluator guarantees.
	EvalResult ref.Val
	// ExpressionAccessor identifies the expression this result belongs to.
	ExpressionAccessor ExpressionAccessor
}

EvaluationResult contains the minimal required fields and metadata of a CEL evaluation.

type ExpressionAccessor

// ExpressionAccessor is the input accepted by Compiler.CompileCELExpression:
// it exposes an expression's source text and a list of CEL types.
type ExpressionAccessor interface {
	// GetExpression returns the expression as a string.
	GetExpression() string
	// ReturnTypes returns a list of CEL types.
	// presumably the result types the compiler accepts for this expression;
	// an implementation that returns a wider set than intended would relax
	// that check — confirm how the compiler uses it.
	ReturnTypes() []*celgo.Type
}

type MatcherMetrics added in v0.30.0

// NOTE(review): authorizerType and authorizerName are passed on every call.
// If an implementation uses them as metric labels, they should come from
// authorizer configuration rather than request data so label cardinality
// stays bounded — confirm at the call sites.
type MatcherMetrics interface {
	// RecordAuthorizationMatchConditionEvaluation records the total time taken to evaluate matchConditions for an Authorize() call to the given authorizer
	RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration)
	// RecordAuthorizationMatchConditionEvaluationFailure increments if any evaluation error was encountered evaluating matchConditions for an Authorize() call to the given authorizer
	RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string)
	// RecordAuthorizationMatchConditionExclusion increments when at least one matchCondition evaluates to false and excludes an Authorize() call to the given authorizer
	RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string)
}

MatcherMetrics defines methods for reporting matchCondition metrics

func NewMatcherMetrics added in v0.30.0

func NewMatcherMetrics() MatcherMetrics

type NoopMatcherMetrics added in v0.30.0

// NoopMatcherMetrics is an empty struct whose value-receiver methods have the
// same signatures as the MatcherMetrics methods.
// By its name it presumably discards every recording; the method bodies are
// not shown on this page — confirm.
type NoopMatcherMetrics struct{}

func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluation added in v0.30.0

func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration)

func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluationFailure added in v0.30.0

func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string)

func (NoopMatcherMetrics) RecordAuthorizationMatchConditionExclusion added in v0.30.0

func (NoopMatcherMetrics) RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string)

type SubjectAccessReviewMatchCondition

type SubjectAccessReviewMatchCondition struct {
	// Expression is the CEL expression source text.
	// presumably what GetExpression returns — confirm.
	// NOTE(review): whether this string is validated anywhere other than at
	// compilation is not visible on this page.
	Expression string
}

SubjectAccessReviewMatchCondition is a CEL expression that maps a SubjectAccessReview request to a list of values.

func (*SubjectAccessReviewMatchCondition) GetExpression

func (v *SubjectAccessReviewMatchCondition) GetExpression() string

func (*SubjectAccessReviewMatchCondition) ReturnTypes

func (v *SubjectAccessReviewMatchCondition) ReturnTypes() []*celgo.Type
