rbac


Overview

Copyright The Guard Authors.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright The Guard Authors.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

const (
	// Verdict strings returned to the caller as the reason attached to an authorization decision.
	AccessAllowedVerdict = "Access allowed by Azure RBAC"
	// Format string with three %s verbs; presumably filled with role assignment, role and user
	// identifiers at the call site — confirm there before relying on the argument order.
	AccessAllowedVerboseVerdict = "Access allowed by Azure RBAC Role Assignment %s of Role %s to user %s"
	// Allowed is the decision value treated as a grant. Whether the comparison against the
	// response's accessDecision is case-sensitive is not visible in this listing.
	Allowed                 = "allowed"
	AccessNotAllowedVerdict = "User does not have access to the resource in Azure. Update role assignment to allow access."

	NoOpinionVerdict = "Azure does not have opinion for this user."
	// The two NonAADUser verdicts are elided by the documentation renderer; their full text is
	// only in the source file.
	NonAADUserNoOpVerdict       = "" /* 145-byte string literal not displayed */
	NonAADUserNotAllowedVerdict = "" /* 207-byte string literal not displayed */
)


Functions

func ConvertCheckAccessResponse

func ConvertCheckAccessResponse(body []byte) (*authzv1.SubjectAccessReviewStatus, error)

Types

type AccessDecision

// AccessDecision carries only the verdict text of a check-access result.
type AccessDecision struct {
	// Decision is the raw verdict string; the package's Allowed constant ("allowed") is the grant value.
	Decision string `json:"accessDecision"`
}

type AccessInfo

// AccessInfo checks a subject's access against Azure RBAC; construct it with New and query it
// with CheckAccess. All of its fields are unexported and are not shown in this listing.
type AccessInfo struct {
	// contains filtered or unexported fields
}

AccessInfo allows you to check a user's access via MS RBAC.

func New

func New(opts authzOpts.Options, authopts auth.Options, authzInfo *AuthzInfo) (*AccessInfo, error)

func (*AccessInfo) AllowNonResPathDiscoveryAccess

func (a *AccessInfo) AllowNonResPathDiscoveryAccess(request *authzv1.SubjectAccessReviewSpec) bool

func (*AccessInfo) CheckAccess

func (*AccessInfo) GetResultFromCache

func (a *AccessInfo) GetResultFromCache(request *authzv1.SubjectAccessReviewSpec, store authz.Store) (bool, bool)

func (*AccessInfo) IsTokenExpired

func (a *AccessInfo) IsTokenExpired() bool

func (*AccessInfo) RefreshToken

func (a *AccessInfo) RefreshToken() error

func (*AccessInfo) SetResultInCache

func (a *AccessInfo) SetResultInCache(request *authzv1.SubjectAccessReviewSpec, result bool, store authz.Store) error

func (*AccessInfo) ShouldSkipAuthzCheckForNonAADUsers

func (a *AccessInfo) ShouldSkipAuthzCheckForNonAADUsers() bool

func (*AccessInfo) SkipAuthzCheck

func (a *AccessInfo) SkipAuthzCheck(request *authzv1.SubjectAccessReviewSpec) bool

type AuthorizationActionInfo

// AuthorizationActionInfo names one action to be evaluated in a CheckAccessRequest.
// The embedded AuthorizationEntity supplies the action's Id.
type AuthorizationActionInfo struct {
	AuthorizationEntity
	// IsDataAction distinguishes data-plane actions from management-plane ones.
	IsDataAction bool `json:"IsDataAction"`
}

type AuthorizationDecision

// AuthorizationDecision is one per-action entry of a check-access response (presumably one
// element per requested action — confirm against ConvertCheckAccessResponse).
type AuthorizationDecision struct {
	// Decision is the verdict text; the package's Allowed constant ("allowed") is the grant value.
	Decision string `json:"accessDecision"`
	// ActionId identifies the action this decision applies to.
	ActionId     string `json:"actionId"`
	IsDataAction bool   `json:"isDataAction"`
	// NOTE(review): omitempty has no effect on a struct-valued field in encoding/json, so both
	// assignments are always emitted on marshal; a pointer type would be required to omit them.
	AzureRoleAssignment AzureRoleAssignment `json:"roleAssignment,omitempty"`
	AzureDenyAssignment AzureDenyAssignment `json:"denyAssignment,omitempty"`
	// TimeToLiveInMs is presumably how long this decision may be cached — confirm against
	// SetResultInCache before treating it as a cache bound.
	TimeToLiveInMs int `json:"timeToLiveInMs"`
}

type AuthorizationEntity

// AuthorizationEntity is an identifier wrapper shared by actions and resources in a
// CheckAccessRequest.
type AuthorizationEntity struct {
	Id string `json:"Id"`
}

type AuthzInfo

// AuthzInfo holds the Azure endpoints New uses: AADEndpoint for token acquisition and
// ARMEndPoint for the check-access call.
// NOTE(review): these are the endpoints the package trusts for tokens and authorization
// decisions; confirm they come from operator configuration and not from request input.
type AuthzInfo struct {
	AADEndpoint string
	ARMEndPoint string
}

type AzureDenyAssignment

// AzureDenyAssignment is the deny-assignment part of an AuthorizationDecision; the embedded
// DenyAssignment carries the assignment body.
type AzureDenyAssignment struct {
	MetaData map[string]interface{} `json:"metadata"`
	// IsSystemProtected is a string, not a bool like IsBuiltIn; callers must compare the literal
	// value rather than test truthiness.
	IsSystemProtected string `json:"isSystemProtected"`
	IsBuiltIn         bool   `json:"isBuiltIn"`
	DenyAssignment
}

type AzureRoleAssignment

// AzureRoleAssignment is the role-assignment part of an AuthorizationDecision; the embedded
// RoleAssignment carries the assignment body.
type AzureRoleAssignment struct {
	DelegatedManagedIdentityResourceId string `json:"delegatedManagedIdentityResourceId"`
	RoleAssignment
}

type CheckAccessRequest

// CheckAccessRequest is the request body sent to Azure to evaluate Actions for Subject on
// Resource. Field tags use Azure's capitalised property names.
type CheckAccessRequest struct {
	// Subject identifies who is being authorized (object id and groups).
	Subject SubjectInfo `json:"Subject"`
	// Actions lists the operations to evaluate; one decision is presumably returned per action.
	Actions []AuthorizationActionInfo `json:"Actions"`
	// Resource is the target scope; its Id is presumably an ARM resource id — confirm in CheckAccess.
	Resource AuthorizationEntity `json:"Resource"`
}

type DenyAssignment

// DenyAssignment mirrors an Azure deny assignment; the embedded Permission supplies the
// action lists. Condition and ConditionVersion here shadow the same-named fields of Permission,
// and encoding/json uses the shallower (outer) pair.
type DenyAssignment struct {
	Id          string `json:"id"`
	Name        string `json:"name"`
	Description string `json:"description"`
	Permission
	Scope                   string `json:"scope"`
	DoNotApplyToChildScopes bool   `json:"doNotApplyToChildScopes"`
	// No json tags: encoding/json matches the field names case-insensitively on decode
	// ("principals", "excludePrincipals") but emits "Principals"/"ExcludePrincipals" on marshal,
	// unlike every other field in this type.
	Principals        []Principal
	ExcludePrincipals []Principal
	Condition         string `json:"condition"`
	ConditionVersion  string `json:"conditionVersion"`
}

type Permission

// Permission lists the actions an assignment covers and excludes.
type Permission struct {
	Actions []string `json:"actions,omitempty"`
	// NOTE(review): Azure's documented property names are notActions / notDataActions.
	// encoding/json matches tags case-insensitively, but "noactions" does not match "notActions",
	// so these two fields would stay empty on decode — confirm against the check-access response
	// schema, since a deny assignment's exclusion lists depend on them.
	NoActions        []string `json:"noactions,omitempty"`
	DataActions      []string `json:"dataactions,omitempty"`
	NoDataActions    []string `json:"nodataactions,omitempty"`
	Condition        string   `json:"condition"`
	ConditionVersion string   `json:"conditionVersion"`
}

type Principal

// Principal is a subject referenced by a deny assignment's Principals / ExcludePrincipals.
type Principal struct {
	Id string `json:"id"`
	// Type is Azure's principal kind as a free-form string; the set of values is not visible here.
	Type string `json:"type"`
}

type RoleAssignment

// RoleAssignment mirrors an Azure role assignment as returned in a check-access decision.
type RoleAssignment struct {
	Id               string `json:"id"`
	RoleDefinitionId string `json:"roleDefinitionId"`
	PrincipalId      string `json:"principalId"`
	PrincipalType    string `json:"principalType"`
	Scope            string `json:"scope"`
	Condition        string `json:"condition"`
	ConditionVersion string `json:"conditionVersion"`
	CanDelegate      bool   `json:"canDelegate"`
}

type SubjectInfo

// SubjectInfo wraps the subject attributes of a CheckAccessRequest.
type SubjectInfo struct {
	Attributes SubjectInfoAttributes `json:"Attributes"`
}

type SubjectInfoAttributes

// SubjectInfoAttributes identifies the subject of a check-access call.
type SubjectInfoAttributes struct {
	// ObjectId is the subject's directory object id.
	ObjectId string `json:"ObjectId"`
	// Groups is omitted when empty. It feeds the authorization decision, so it should be
	// populated from verified identity claims rather than caller-supplied input — confirm in CheckAccess.
	Groups []string `json:"Groups,omitempty"`
}
