eval

package
v0.0.0-...-1643d90 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 26, 2020 License: UPL-1.0 Imports: 24 Imported by: 0

Documentation

Overview

Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. Licensed under the Universal Permissive License (UPL) Version 1.0 as shown at http://oss.oracle.com/licenses/upl.

Index

Constants

This section is empty.

Variables

View Source 
var All_Pattern = regexp.MustCompile(`^\^?\.\*\$?$`)
View Source 
var Prefix_Pattern = regexp.MustCompile(`^\^?[\w/]+\.\*\$?$`)

Patterns used to match resource expression. Now support prefix, suffix and all three patterns.

View Source 
var Suffix_Pattern = regexp.MustCompile(`^\^?\.\*[\w/]+\$?$`)

Functions

func AddPolicyToResourceExpressionCache 

func AddPolicyToResourceExpressionCache(resourceToPolicyMap *ResourceToPolicyMap, resourceExpression string, policyID string)

func CallCustomerFunction 

func CallCustomerFunction(cf *pms.Function, request *ext.CustomerFunctionRequest) (interface{}, error)

func CallCustomerFunctionViaDelegator 

func CallCustomerFunctionViaDelegator(delegatorUrl string, cf *pms.Function, request *ext.CustomerFunctionRequest) (interface{}, error)

func DeletePolicyFromResourceExpressionCache 

func DeletePolicyFromResourceExpressionCache(resourceToPolicyMap *ResourceToPolicyMap, resourceExpression string, policyID string)

func NewFromFile 

func NewFromFile(fileLoc string, isWatch bool) (adsapi.PolicyEvaluator, error)

NewFromFile loads policies from a policy file, and returns an evaluator instance

func ReverseString 

func ReverseString(s string) string

Types

type BasePolicyCacheData 

type BasePolicyCacheData struct {
	/*
		In current cache, we don't distinguish andPrincipals and orPrincipals.
		If one principal occured in one policy, we will use this principal as key to index this policy.
		That mean after quiried all related policies, need further match operation to verify the policy
	*/
	//{principal:ResourceToPolicyMap}
	PrincipalToPolicies map[string]*ResourceToPolicyMap
	//No principal defined in policy, mean match any principal
	NilPrincipalToPolicies *ResourceToPolicyMap
	Conditions             map[string]*govaluate.EvaluableExpression
}

type FuncResult 

type FuncResult struct {
	Result interface{}
	TTL    int64
}

type FuncResultCache 

type FuncResultCache struct {
	sync.RWMutex
	Results map[string]FuncResult
}

func (*FuncResultCache) AddToCache 

func (frc *FuncResultCache) AddToCache(key string, cf *pms.Function, result interface{})

func (*FuncResultCache) CleanExpiredResult 

func (frc *FuncResultCache) CleanExpiredResult()

func (*FuncResultCache) DeleteFromCache 

func (frc *FuncResultCache) DeleteFromCache(funcName string)

func (*FuncResultCache) ReadFromCache 

func (frc *FuncResultCache) ReadFromCache(key string, cf *pms.Function) interface{}

type InternalEvaluator 

type InternalEvaluator interface {
	adsapi.PolicyEvaluator
	TokenAsserter
}

func New 

func New(configFile string) (InternalEvaluator, error)

New creates a policy evaluator based on the given configuration file

func NewFromConfig 

func NewFromConfig(conf *cfg.Config) (InternalEvaluator, error)

NewFromConfig creates a policy evaluator based on the given configuration file

func NewWithStore 

func NewWithStore(conf *cfg.Config, s pms.PolicyStoreManagerADS) (InternalEvaluator, error)

NewWithStore creates a policy evaluator with policy store

type PolicyCacheData 

type PolicyCacheData struct {
	BasePolicyCacheData
	PolicyMap map[string]*pms.Policy
}

func NewPolicyCacheData 

func NewPolicyCacheData() (p *PolicyCacheData)

func (*PolicyCacheData) AddPolicyToCache 

func (p *PolicyCacheData) AddPolicyToCache(policy *pms.Policy, condition *govaluate.EvaluableExpression)

func (*PolicyCacheData) DeletePolicyFromCache 

func (p *PolicyCacheData) DeletePolicyFromCache(policyID string)

func (*PolicyCacheData) GetRelatedPolicyMap 

func (p *PolicyCacheData) GetRelatedPolicyMap(subjectPrincipals []string, resource string, matchResource bool) map[string]*pms.Policy

type PolicyEvalImpl 

type PolicyEvalImpl struct {
	RuntimePolicyStore *RuntimePolicyStore //This is runtime policy store
	Store              pms.PolicyStoreManagerADS
	AsserterFunc       func(ctx *adsapi.RequestContext) error
}

func (*PolicyEvalImpl) AddFunctionInRuntimeCache 

func (p *PolicyEvalImpl) AddFunctionInRuntimeCache(cf *pms.Function)

func (*PolicyEvalImpl) AddPolicyInRuntimeCache 

func (p *PolicyEvalImpl) AddPolicyInRuntimeCache(serviceName string, policy *pms.Policy)

func (*PolicyEvalImpl) AddRolePolicyInRuntimeCache 

func (p *PolicyEvalImpl) AddRolePolicyInRuntimeCache(serviceName string, rolepolicy *pms.RolePolicy)

func (*PolicyEvalImpl) AddServiceInRuntimeCache 

func (p *PolicyEvalImpl) AddServiceInRuntimeCache(service *pms.Service)

func (*PolicyEvalImpl) AssertToken 

func (p *PolicyEvalImpl) AssertToken(ctx *adsapi.RequestContext) error

func (*PolicyEvalImpl) CleanExpiredFunctionResult 

func (p *PolicyEvalImpl) CleanExpiredFunctionResult()

func (*PolicyEvalImpl) DeleteFunctionInRuntimeCache 

func (p *PolicyEvalImpl) DeleteFunctionInRuntimeCache(funcName string)

func (*PolicyEvalImpl) DeletePolicyInRuntimeCache 

func (p *PolicyEvalImpl) DeletePolicyInRuntimeCache(serviceName string, policyID string)

func (*PolicyEvalImpl) DeleteRolePolicyInRuntimeCache 

func (p *PolicyEvalImpl) DeleteRolePolicyInRuntimeCache(serviceName string, rolePolicyID string)

func (*PolicyEvalImpl) Diagnose 

func (p *PolicyEvalImpl) Diagnose(ctx adsapi.RequestContext) (*adsapi.EvaluationResult, error)

Return all the policies related to a subject

func (*PolicyEvalImpl) Discover 

func (p *PolicyEvalImpl) Discover(ctx ads.RequestContext) (bool, ads.Reason, error)

func (*PolicyEvalImpl) GetAllGrantedPermissions 

func (p *PolicyEvalImpl) GetAllGrantedPermissions(ctx adsapi.RequestContext) ([]pms.Permission, error)

Limitations: This function only calculate granted permissions with resource, will not calculate granted permissions with resource expression.

func (*PolicyEvalImpl) GetAllGrantedRoles 

func (p *PolicyEvalImpl) GetAllGrantedRoles(ctx adsapi.RequestContext) ([]string, error)

func (*PolicyEvalImpl) InternalIsAllowed 

func (p *PolicyEvalImpl) InternalIsAllowed(ctx *adsapi.RequestContext, evaluationResult *adsapi.EvaluationResult) (bool, adsapi.Reason, error)

func (*PolicyEvalImpl) IsAllowed 

func (p *PolicyEvalImpl) IsAllowed(ctx adsapi.RequestContext) (bool, adsapi.Reason, error)

func (*PolicyEvalImpl) Refresh 

func (p *PolicyEvalImpl) Refresh() error

func (*PolicyEvalImpl) SetAsserterFunc 

func (p *PolicyEvalImpl) SetAsserterFunc(f func(ctx *adsapi.RequestContext) error)

func (*PolicyEvalImpl) StopWatch 

func (p *PolicyEvalImpl) StopWatch()

StopWatch stops watching policy store. After stopping watching, policy changes will not be updated automatically

type Request2Delegator 

type Request2Delegator struct {
	Function *pms.Function                `json:"function"`
	Request  *ext.CustomerFunctionRequest `json:"request"`
}

type ResourceToPolicyMap 

type ResourceToPolicyMap struct {
	//{resource:{policyID: bool}}
	ResourceToPolicies           map[string]map[string]bool
	PrefixResourceExpressionTree *radix.Tree
	SuffixResourceExpressionTree *radix.Tree
	//{resourceExpression:{policyID: bool}}
	//This map contains the resource expressions not match prefix, suffix and all patterns.
	//That mean the incoming resource in isAllowed need match these resource expressions one by one.
	ResourceExpressionToPolicies map[string]map[string]bool
	//resources/resExpressions could be empty, which means any resource
	//Also use this map to store the ".*" resourceexpression policy. which also
	//means any resource.
	NilResourceToPolicies map[string]bool
}

type Role 

type Role struct {
	Name               string
	ParentPrincipals   map[string]bool
	ParentRoles        map[string]bool
	ChildRoles         map[string]bool
	DeniedRoles        map[string]bool
	DeniedByRoles      map[string]bool
	DeniedByPrincipals map[string]bool //TODO this could be removed?
}

type RolePolicyCacheData 

type RolePolicyCacheData struct {
	BasePolicyCacheData
	PolicyMap map[string]*pms.RolePolicy
}

func NewRolePolicyCacheData 

func NewRolePolicyCacheData() (p *RolePolicyCacheData)

func (*RolePolicyCacheData) AddRolePolicyToCache 

func (p *RolePolicyCacheData) AddRolePolicyToCache(policy *pms.RolePolicy, condition *govaluate.EvaluableExpression)

func (*RolePolicyCacheData) DeleteRolePolicyFromCache 

func (p *RolePolicyCacheData) DeleteRolePolicyFromCache(policyID string)

func (*RolePolicyCacheData) GetRelatedRolePolicyMap 

func (p *RolePolicyCacheData) GetRelatedRolePolicyMap(subjectPrincipals []string, resource string) map[string]*pms.RolePolicy

type RuntimePolicyStore 

type RuntimePolicyStore struct {
	sync.RWMutex
	Functions           map[string]govaluate.ExpressionFunction
	RuntimeServices     map[string]*RuntimeService
	FunctionResultCache *FuncResultCache
	FuncSvcEndpoint     string //endpoint in sphinx side to call external customer function
}

func NewRuntimePolicyStore 

func NewRuntimePolicyStore() *RuntimePolicyStore

type RuntimeService 

type RuntimeService struct {
	sync.RWMutex
	Name              string
	Type              string
	PoliciesCache     *PolicyCacheData
	RolePoliciesCache *RolePolicyCacheData
	Functions         map[string]govaluate.ExpressionFunction
}

func NewRuntimeService 

func NewRuntimeService() *RuntimeService

func (*RuntimeService) GetRelatedPolicyMap 

func (svc *RuntimeService) GetRelatedPolicyMap(subjectPrincipals []string, resource string,
	matchResource bool) map[string]*pms.Policy

func (*RuntimeService) GetRelatedRolePolicyMap 

func (svc *RuntimeService) GetRelatedRolePolicyMap(subjectPrincipals []string, resource string) map[string]*pms.RolePolicy

type TokenAsserter 

type TokenAsserter interface {
	// set asserter func for policy evaluator
	SetAsserterFunc(f func(ctx *adsapi.RequestContext) error)
	// AssertToken assert token and generate subject to represent the identity
	AssertToken(ctx *adsapi.RequestContext) error
}

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.