Copyright The Guard Authors.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright The Guard Authors.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Constants ¶
// Verdict strings describing the outcome of an Azure RBAC check.
// NOTE(review): presumably these become the Reason of the returned
// SubjectAccessReviewStatus — confirm against CheckAccess.
const (
	// AccessAllowedVerdict is the fixed-text verdict for a request Azure RBAC permits.
	AccessAllowedVerdict = "Access allowed by Azure RBAC"
	// AccessAllowedVerboseVerdict is a format string with three %s verbs, filled in
	// this order: the role assignment, the role, and the user.
	AccessAllowedVerboseVerdict = "Access allowed by Azure RBAC Role Assignment %s of Role %s to user %s"
	Allowed                     = "allowed"
	// AccessNotAllowedVerdict is the verdict for a request Azure RBAC does not permit.
	AccessNotAllowedVerdict = "User does not have access to the resource in Azure. Update role assignment to allow access."
	// NoOpinionVerdict is the verdict when Azure neither allows nor denies the user.
	NoOpinionVerdict = "Azure does not have opinion for this user."
	// NonAADUserNoOpVerdict and NonAADUserNotAllowedVerdict are the verdicts for
	// subjects that are not AAD users. The rendered documentation elides their full
	// text; the empty literals below are a display artifact, not the real values.
	NonAADUserNoOpVerdict       = "" /* 145-byte string literal not displayed */
	NonAADUserNotAllowedVerdict = "" /* 207-byte string literal not displayed */
)
Variables ¶
This section is empty.
Functions ¶
func ConvertCheckAccessResponse ¶
func ConvertCheckAccessResponse(body []byte) (*authzv1.SubjectAccessReviewStatus, error)
Types ¶
type AccessDecision ¶
// AccessDecision carries only the "accessDecision" field of a decision payload;
// AuthorizationDecision holds the same field alongside the full per-action detail.
type AccessDecision struct {
	Decision string `json:"accessDecision"`
}
type AccessInfo ¶
// AccessInfo allows you to check user access from MS RBAC.
//
// Its fields are unexported and not shown in the rendered documentation. The
// behaviour is exposed through its methods: CheckAccess performs the check,
// GetResultFromCache/SetResultInCache read and write cached results against an
// authz.Store, IsTokenExpired/RefreshToken manage the token, and SkipAuthzCheck,
// ShouldSkipAuthzCheckForNonAADUsers and AllowNonResPathDiscoveryAccess are the
// predicates under which a request is answered without an Azure check.
type AccessInfo struct {
	// contains filtered or unexported fields
}
AccessInfo allows you to check a user's access against MS RBAC.
func (*AccessInfo) AllowNonResPathDiscoveryAccess ¶
func (a *AccessInfo) AllowNonResPathDiscoveryAccess(request *authzv1.SubjectAccessReviewSpec) bool
func (*AccessInfo) CheckAccess ¶
func (a *AccessInfo) CheckAccess(request *authzv1.SubjectAccessReviewSpec) (*authzv1.SubjectAccessReviewStatus, error)
func (*AccessInfo) GetResultFromCache ¶
func (a *AccessInfo) GetResultFromCache(request *authzv1.SubjectAccessReviewSpec, store authz.Store) (bool, bool)
func (*AccessInfo) IsTokenExpired ¶
func (a *AccessInfo) IsTokenExpired() bool
func (*AccessInfo) RefreshToken ¶
func (a *AccessInfo) RefreshToken() error
func (*AccessInfo) SetResultInCache ¶
func (a *AccessInfo) SetResultInCache(request *authzv1.SubjectAccessReviewSpec, result bool, store authz.Store) error
func (*AccessInfo) ShouldSkipAuthzCheckForNonAADUsers ¶
func (a *AccessInfo) ShouldSkipAuthzCheckForNonAADUsers() bool
func (*AccessInfo) SkipAuthzCheck ¶
func (a *AccessInfo) SkipAuthzCheck(request *authzv1.SubjectAccessReviewSpec) bool
type AuthorizationActionInfo ¶
// AuthorizationActionInfo is one entry of CheckAccessRequest.Actions. The embedded
// AuthorizationEntity supplies the action Id; IsDataAction marks the action as a
// data action (presumably Azure's data-plane operations — confirm against the API).
type AuthorizationActionInfo struct {
	AuthorizationEntity
	IsDataAction bool `json:"IsDataAction"`
}
type AuthorizationDecision ¶
// AuthorizationDecision is the per-action decision in a check-access response:
// the verdict for ActionId plus the role or deny assignment that produced it.
type AuthorizationDecision struct {
	Decision     string `json:"accessDecision"`
	ActionId     string `json:"actionId"`
	IsDataAction bool   `json:"isDataAction"`
	// omitempty has no effect on struct-valued fields in encoding/json; both
	// assignments are always emitted when this type is marshalled.
	AzureRoleAssignment AzureRoleAssignment `json:"roleAssignment,omitempty"`
	AzureDenyAssignment AzureDenyAssignment `json:"denyAssignment,omitempty"`
	// TimeToLiveInMs is the lifetime the service attaches to this decision.
	// NOTE(review): a decision stored via SetResultInCache should not be served
	// past this lifetime — confirm the cache honours it.
	TimeToLiveInMs int `json:"timeToLiveInMs"`
}
type AuthorizationEntity ¶
// AuthorizationEntity identifies an action or resource by Id. It is embedded in
// AuthorizationActionInfo and used directly as CheckAccessRequest.Resource.
type AuthorizationEntity struct {
	Id string `json:"Id"`
}
type AzureDenyAssignment ¶
// AzureDenyAssignment is a DenyAssignment extended with the Azure-specific
// metadata returned alongside a decision.
type AzureDenyAssignment struct {
	MetaData map[string]interface{} `json:"metadata"`
	// IsSystemProtected is a string, not a bool, unlike IsBuiltIn below.
	// NOTE(review): callers must not treat a non-empty value as "true";
	// confirm the wire values ("true"/"false"?) before comparing.
	IsSystemProtected string `json:"isSystemProtected"`
	IsBuiltIn         bool   `json:"isBuiltIn"`
	DenyAssignment
}
type AzureRoleAssignment ¶
// AzureRoleAssignment is a RoleAssignment extended with the delegated managed
// identity resource id reported with a decision.
type AzureRoleAssignment struct {
	DelegatedManagedIdentityResourceId string `json:"delegatedManagedIdentityResourceId"`
	RoleAssignment
}
type CheckAccessRequest ¶
// CheckAccessRequest is the body of a check-access call: who is asking (Subject),
// which actions are being attempted (Actions), and on which resource (Resource).
type CheckAccessRequest struct {
	Subject  SubjectInfo               `json:"Subject"`
	Actions  []AuthorizationActionInfo `json:"Actions"`
	Resource AuthorizationEntity       `json:"Resource"`
}
type DenyAssignment ¶
// DenyAssignment describes an Azure deny assignment: the denied Permission, the
// Scope it applies to, and the principals it targets or excludes.
//
// Condition and ConditionVersion are declared both here and on the embedded
// Permission; the outer fields shadow the embedded ones, so encoding/json fills
// these and leaves Permission.Condition/Permission.ConditionVersion empty.
type DenyAssignment struct {
	Id          string `json:"id"`
	Name        string `json:"name"`
	Description string `json:"description"`
	Permission
	Scope                   string `json:"scope"`
	DoNotApplyToChildScopes bool   `json:"doNotApplyToChildScopes"`
	// Principals and ExcludePrincipals have no json tag, so they match the keys
	// "Principals"/"ExcludePrincipals" (case-insensitively) on decode.
	Principals        []Principal
	ExcludePrincipals []Principal
	Condition         string `json:"condition"`
	ConditionVersion  string `json:"conditionVersion"`
}
type Permission ¶
// Permission lists the control-plane (Actions/NoActions) and data-plane
// (DataActions/NoDataActions) operations a role or deny assignment covers,
// plus an optional condition.
type Permission struct {
	Actions          []string `json:"actions,omitempty"`
	NoActions        []string `json:"noactions,omitempty"`
	DataActions      []string `json:"dataactions,omitempty"`
	NoDataActions    []string `json:"nodataactions,omitempty"`
	Condition        string   `json:"condition"`
	ConditionVersion string   `json:"conditionVersion"`
}
type RoleAssignment ¶
// RoleAssignment describes an Azure role assignment: which role definition is
// granted to which principal at which scope, with an optional condition.
type RoleAssignment struct {
	Id               string `json:"id"`
	RoleDefinitionId string `json:"roleDefinitionId"`
	PrincipalId      string `json:"principalId"`
	PrincipalType    string `json:"principalType"`
	Scope            string `json:"scope"`
	Condition        string `json:"condition"`
	ConditionVersion string `json:"conditionVersion"`
	CanDelegate      bool   `json:"canDelegate"`
}
type SubjectInfo ¶
// SubjectInfo is the Subject of a CheckAccessRequest; the caller's identity
// attributes are carried in Attributes.
type SubjectInfo struct {
	Attributes SubjectInfoAttributes `json:"Attributes"`
}