rbacutils

package
v0.0.0-...-21b9e53 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jan 1, 2025 License: Apache-2.0 Imports: 13 Imported by: 48

Documentation

Index

Constants

// Action verb strings declared by this package.
// NOTE(review): presumably these are the values compared against
// SRbacRule.Action and the action argument of GetMatchRule; how each verb maps
// onto API operations is not visible in this listing — confirm against callers.
const (
	ActionList    = "list"
	ActionGet     = "get"
	ActionUpdate  = "update"
	ActionCreate  = "create"
	ActionDelete  = "delete"
	ActionPerform = "perform"

	ActionPatch = "patch"
)
const (
	// WILD_MATCH is the literal "*".
	// NOTE(review): presumably the wildcard accepted in rule fields; if so, a
	// rule that uses it applies to every value of that field, so wildcard rules
	// whose Result is Allow deserve extra scrutiny in policy review — TODO confirm.
	WILD_MATCH = "*"

	// Allow and Deny are the two TRbacResult values in this block that are not
	// marked deprecated.
	Allow = TRbacResult("allow")
	Deny  = TRbacResult("deny")

	// The four role-named results below are marked deprecated by the original
	// author.
	// NOTE(review): whether decoders still accept these strings, and what they
	// are treated as, is not visible here — confirm before relying on them.
	AdminAllow = TRbacResult("admin") // deprecated
	OwnerAllow = TRbacResult("owner") // deprecated
	UserAllow  = TRbacResult("user")  // deprecated
	GuestAllow = TRbacResult("guest") // deprecated

	// GUEST_TOKEN is the literal "guest_token".
	// NOTE(review): its use is not shown in this listing; presumably a
	// placeholder token string for callers without a real token — confirm that
	// no verification path accepts this constant as a valid credential.
	GUEST_TOKEN = "guest_token"
)
// Key names for the domain, project and object tag sets.
// NOTE(review): presumably the JSON keys under which SPolicy.DomainTags,
// ProjectTags and ObjectTags are stored in an encoded policy; confirm against
// DecodePolicy and SPolicy.Encode. If so, policy documents from untrusted
// sources should have these keys validated like any other policy field.
const (
	DomainTagsKey  = "__domain_tags__"
	ProjectTagsKey = "__project_tags__"
	ObjectTagsKey  = "__object_tags__"
)
const (
	// FAKE_TOKEN is the literal "fake_token".
	// NOTE(review): its use is not shown in this listing; presumably the value
	// returned by GetTokenString for identities built without a real token (for
	// example by NewRbacIdentity) — confirm, and confirm that nothing treats
	// this string as an authenticated credential.
	FAKE_TOKEN = "fake_token"
)
const (
	// IP_PREFIX_SEP is the literal ",".
	// NOTE(review): presumably the separator between prefixes in the prefstr
	// argument of MatchIPStrings — confirm. How empty or malformed entries in
	// such a list are treated is not visible here.
	IP_PREFIX_SEP = ","
)

Variables

// Sentinel errors exported by this package. Which functions return each one is
// not visible in this listing. Compare with errors.Is rather than by message
// text. They are variables, not constants, so importing packages must not
// reassign them.
var (
	ErrEmptyPolicy = errors.New("empty policy")

	// The identifier is spelled "Unsuport"; it is exported, so the spelling is
	// part of the package API.
	ErrUnsuportRuleData = errors.New("unsupport rule data")

	ErrConflict = errors.New("conflict?")

	ErrInvalidRules = errors.New("invalid rules")
)
// PolicyDeny and PolicyAllow are SPolicyResult values with only Result set (to
// Deny and Allow respectively); the three tag fields keep their zero values.
//
// Both are declared with var, so any importing package can reassign or mutate
// them, which would change the outcome for every later reader of the variable.
// Treat them as read-only.
var (
	PolicyDeny = SPolicyResult{
		Result: Deny,
	}
	PolicyAllow = SPolicyResult{
		Result: Allow,
	}
)
var (
	// ShowMatchRuleDebug is a mutable package-level flag that defaults to false.
	// NOTE(review): presumably it enables debug output while rules are matched;
	// what gets written is not visible here — confirm that the output contains
	// no token strings before enabling it outside a test environment.
	ShowMatchRuleDebug = false
)

Functions

func MatchIPStrings

func MatchIPStrings(prefstr string, ipstr string) bool

Types

type IBaseIdentity

// IBaseIdentity is the method set shared by IRbacIdentity and IRbacIdentity2,
// both of which embed it.
type IBaseIdentity interface {
	// GetLoginIp returns a login IP as a string.
	// NOTE(review): presumably the address compared against a policy's IP
	// prefixes. Where implementations obtain it (socket peer address versus a
	// forwarded header) is not visible here; confirm the value cannot be set by
	// the client when it is used for access decisions.
	GetLoginIp() string
	// GetTokenString returns a token string.
	// NOTE(review): presumably the caller's credential — treat the return value
	// as a secret and keep it out of logs and error messages.
	GetTokenString() string
}

type IRbacIdentity

// IRbacIdentity describes a caller by project ID and role IDs, plus the
// IBaseIdentity methods (login IP and token string). NewRbacIdentity returns a
// value of this interface type.
type IRbacIdentity interface {
	// GetProjectId returns the project ID as a string.
	GetProjectId() string
	// GetRoleIds returns the role IDs as a string slice.
	GetRoleIds() []string

	IBaseIdentity
}

func NewRbacIdentity

func NewRbacIdentity(projectId string, roleIds []string, ip string) IRbacIdentity

type IRbacIdentity2

// IRbacIdentity2 describes a caller by project domain ID, project name and
// roles, plus the IBaseIdentity methods. It is the parameter type of
// SRbacPolicy.Match.
// NOTE(review): unlike IRbacIdentity this interface exposes a project name
// rather than a project ID; presumably GetRoles returns role names (compare
// SRbacPolicy.MatchRoles(roleNames)). Name-based matching depends on names
// being unique and not user-controlled — confirm.
type IRbacIdentity2 interface {
	// GetProjectDomainId returns the ID of the project's domain as a string.
	GetProjectDomainId() string
	// GetProjectName returns the project name as a string.
	GetProjectName() string
	// GetRoles returns the roles as a string slice.
	GetRoles() []string

	IBaseIdentity
}

type SPolicy

// SPolicy bundles a rule list with three tag-set lists. DecodePolicy and
// DecodePolicyData return *SPolicy; SPolicy.GetMatchRule returns the matched
// rule together with these tag sets as a *SPolicyMatch.
// NOTE(review): presumably the tag sets restrict which domains, projects and
// resources the rules apply to; what an empty list means (no restriction or
// no match) is not visible here — confirm before relying on either reading.
type SPolicy struct {
	// policy rules
	Rules TPolicy
	// tags for domains
	DomainTags tagutils.TTagSetList
	// tags for projects
	ProjectTags tagutils.TTagSetList
	// tags for resources
	ObjectTags tagutils.TTagSetList
}

func DecodePolicy

func DecodePolicy(policyJson jsonutils.JSONObject) (*SPolicy, error)

func DecodePolicyData

func DecodePolicyData(domainTags, projectTags, objectTags tagutils.TTagSetList, input jsonutils.JSONObject) (*SPolicy, error)

func (SPolicy) Contains

func (policy1 SPolicy) Contains(policy2 SPolicy) bool

policy1 contains policy2 means:

  1. any action allowed in policy2 is also allowed in policy1
  2. the policy tags of policy1 contain the policy tags of policy2

func (SPolicy) Encode

func (policy SPolicy) Encode() jsonutils.JSONObject

func (SPolicy) GetMatchRule

func (policy SPolicy) GetMatchRule(service string, resource string, action string, extra ...string) *SPolicyMatch

type SPolicyMatch

// SPolicyMatch pairs one SRbacRule with three tag-set lists. It is the pointee
// of SPolicy.GetMatchRule's result and the element type of TPolicyMatches.
type SPolicyMatch struct {
	// Rule is the rule carried by this match.
	Rule SRbacRule
	// NOTE(review): presumably copied from the SPolicy that produced the match;
	// confirm against SPolicy.GetMatchRule.
	DomainTags  tagutils.TTagSetList
	ProjectTags tagutils.TTagSetList
	ObjectTags  tagutils.TTagSetList
}

type SPolicyResult

// SPolicyResult is a TRbacResult together with three tag-set lists. It is
// returned by TPolicyMatches.GetResult, and the package variables PolicyAllow
// and PolicyDeny are of this type.
// NOTE(review): the zero value has an empty Result string, which is neither
// the Allow nor the Deny constant; how callers treat that case is not visible
// here — confirm that an empty result fails closed.
type SPolicyResult struct {
	// Result is the decision string.
	Result TRbacResult
	// NOTE(review): presumably the tag constraints attached to the decision.
	DomainTags  tagutils.TTagSetList
	ProjectTags tagutils.TTagSetList
	ObjectTags  tagutils.TTagSetList
}

func (SPolicyResult) IsEmpty

func (result SPolicyResult) IsEmpty() bool

func (SPolicyResult) Json

func (result SPolicyResult) Json() jsonutils.JSONObject

func (SPolicyResult) Merge

func (SPolicyResult) String

func (result SPolicyResult) String() string

type SRbacPolicy

// SRbacPolicy is a policy record: who it applies to (domain, projects, roles,
// IP prefixes), its scope, and its rules. Its Decode method is marked
// deprecated in this package's documentation.
type SRbacPolicy struct {
	// Condition is the condition under which the policy takes effect.
	//
	// Deprecated: marked deprecated by the original author; no replacement is
	// named here.
	Condition string

	// DomainId is the domain ID as a string.
	// NOTE(review): presumably the owning domain, checked by MatchDomain.
	DomainId string

	// NOTE(review): IsPublic, PublicScope and SharedDomainIds presumably control
	// sharing of the policy beyond DomainId; the exact semantics are not visible
	// here — confirm.
	IsPublic bool

	PublicScope rbacscope.TRbacScope

	SharedDomainIds []string

	// NOTE(review): presumably the project names checked by MatchProject; what
	// an empty list means is not visible here.
	Projects []string

	// NOTE(review): presumably the role names checked by MatchRoles; what an
	// empty list means is not visible here.
	Roles []string

	// Ips is a list of IPv4 prefixes.
	// NOTE(review): presumably the permitted login addresses. The element type
	// is IPV4Prefix, so how a non-IPv4 login address is treated should be
	// confirmed, as should the meaning of an empty list.
	Ips []netutils.IPV4Prefix

	// NOTE(review): the zero value is false; confirm what Decode sets when the
	// field is absent, since a policy built without setting Auth would read as
	// "no authentication needed" if the flag is honoured as commented.
	Auth bool // whether needs authentication

	// scope, the scope of the policy, system/domain/project
	Scope rbacscope.TRbacScope
	// IsAdmin is the older form of Scope: is_admin=true means scope=system,
	// is_admin=false means scope=project.
	//
	// Deprecated: marked deprecated by the original author.
	IsAdmin bool

	// Rules is the rule list of the policy.
	Rules TPolicy
}

func (*SRbacPolicy) Decode

func (policy *SRbacPolicy) Decode(policyJson jsonutils.JSONObject) error

Deprecated

func (*SRbacPolicy) Encode

func (policy *SRbacPolicy) Encode() jsonutils.JSONObject

func (*SRbacPolicy) IsSystemWidePolicy

func (policy *SRbacPolicy) IsSystemWidePolicy() bool

func (*SRbacPolicy) Match

func (policy *SRbacPolicy) Match(userCred IRbacIdentity2) (bool, int)

Match checks whether the policy matches userCred. It returns two values: a bool that reports whether the policy matched, and an int match weight. The higher the weight, the more exact the match; the more exact match wins.

func (*SRbacPolicy) MatchDomain

func (policy *SRbacPolicy) MatchDomain(domainId string) bool

func (*SRbacPolicy) MatchProject

func (policy *SRbacPolicy) MatchProject(projectName string) bool

func (*SRbacPolicy) MatchRoles

func (policy *SRbacPolicy) MatchRoles(roleNames []string) bool

type SRbacRule

// SRbacRule is a single rule: a Service/Resource/Action/Extra pattern and the
// Result attached to it. The fields mirror the arguments of GetMatchRule
// (service, resource, action, extra...).
// NOTE(review): which field values act as wildcards, and how the most specific
// rule is chosen when several match, is not visible in this listing.
type SRbacRule struct {
	Service  string
	Resource string
	Action   string
	Extra    []string
	// Result is the decision attached to the pattern.
	Result TRbacResult
}

func GetMatchRule

func GetMatchRule(rules []SRbacRule, service string, resource string, action string, extra ...string) *SRbacRule

type TPolicy

// TPolicy is a slice of SRbacRule. It is the type of SPolicy.Rules and
// SRbacPolicy.Rules and the result type of DecodeRawPolicyData.
type TPolicy []SRbacRule

func DecodeRawPolicyData

func DecodeRawPolicyData(input jsonutils.JSONObject) (TPolicy, error)

func (TPolicy) Contains

func (policy1 TPolicy) Contains(policy2 TPolicy) bool

Contains of TPolicy

TPolicy p1 contains p2 means any action allowed by p2 is also allowed by p1
and any action denied by p1 is also denied by p2

func (TPolicy) EncodeRawData

func (policy TPolicy) EncodeRawData() jsonutils.JSONObject

func (TPolicy) Explain

func (policy TPolicy) Explain(request [][]string) [][]string

func (TPolicy) GetMatchRule

func (policy TPolicy) GetMatchRule(service string, resource string, action string, extra ...string) *SRbacRule

type TPolicyGroup

// TPolicyGroup maps a scope (rbacscope.TRbacScope) to the TPolicySet held for
// that scope. HighestScope returns one of the scopes as a TRbacScope.
type TPolicyGroup map[rbacscope.TRbacScope]TPolicySet

func DecodePolicyGroup

func DecodePolicyGroup(json jsonutils.JSONObject) (TPolicyGroup, error)

func (TPolicyGroup) Encode

func (sets TPolicyGroup) Encode() jsonutils.JSONObject

func (TPolicyGroup) HighestScope

func (sets TPolicyGroup) HighestScope() rbacscope.TRbacScope

type TPolicyMatches

// TPolicyMatches is a slice of SPolicyMatch; GetResult reduces it to a single
// SPolicyResult.
// NOTE(review): the result for an empty slice is not visible here — confirm
// that "no matching rule" resolves to a deny.
type TPolicyMatches []SPolicyMatch

func (TPolicyMatches) GetResult

func (matches TPolicyMatches) GetResult() SPolicyResult

type TPolicySet

// TPolicySet is a slice of SPolicy. GetMatchRules returns []SPolicyMatch for a
// service/resource/action request.
type TPolicySet []SPolicy

func DecodePolicySet

func DecodePolicySet(jsonObj jsonutils.JSONObject) (TPolicySet, error)

func (TPolicySet) Contains

func (policies1 TPolicySet) Contains(policies2 TPolicySet) bool

Contains of TPolicySet

TPolicySet ps1 contains ps2 means any member of ps2 is contained by one of the members of ps1

func (TPolicySet) Encode

func (policies TPolicySet) Encode() jsonutils.JSONObject

func (TPolicySet) GetMatchRules

func (policies TPolicySet) GetMatchRules(service string, resource string, action string, extra ...string) []SPolicyMatch

type TRbacResult

// TRbacResult is the string-typed outcome of a rule. Allow ("allow") and Deny
// ("deny") are the values declared in this package that are not marked
// deprecated.
// NOTE(review): any string converts to TRbacResult; how IsAllow, IsDeny and
// Strictness treat a value that is neither constant is not visible here —
// confirm that unrecognised values fail closed.
type TRbacResult string

func (TRbacResult) IsAllow

func (r TRbacResult) IsAllow() bool

func (TRbacResult) IsDeny

func (r TRbacResult) IsDeny() bool

func (TRbacResult) LooserThan

func (r1 TRbacResult) LooserThan(r2 TRbacResult) bool

func (TRbacResult) StricterThan

func (r1 TRbacResult) StricterThan(r2 TRbacResult) bool

func (TRbacResult) Strictness

func (r TRbacResult) Strictness() int
