backend

package
Constants

// Metadata embedded in the generated OpenAPI document for this REST API.
const (
	// APITitle refers to the API description used in the open-api spec.
	APITitle = "Ephemeral Access API"
	// APIVersion refers to the API version used in the open-api spec.
	// This is the version of the HTTP contract, not the Go module version;
	// the two are not kept in step (the module is already past v0.1).
	APIVersion = "0.0.1"
)
const (
	// MaxGeneratedNameLength is the longest caller-supplied prefix usable when
	// generating an object name: the total is capped at maxNameLength
	// (unexported) and randomLength bytes are reserved, presumably for a random
	// suffix that makes generated names unique — TODO confirm against the
	// name-generation code, which is not shown here.
	MaxGeneratedNameLength = maxNameLength - randomLength
)

Variables

This section is empty.

Functions

func RegisterRoutes

func RegisterRoutes(api huma.API, h *APIHandler)

RegisterRoutes will register all routes provided by the access request REST API in the given api.

Types

type APIHandler

// APIHandler holds the HTTP handlers of the AccessRequest REST API. Its
// collaborators (the Service and log.Logger passed to NewAPIHandler) are
// unexported, so it must be built with NewAPIHandler and wired into a
// huma.API via RegisterRoutes.
type APIHandler struct {
	// contains filtered or unexported fields
}

APIHandler is responsible for defining all handlers available as part of the AccessRequest REST API.

func NewAPIHandler

func NewAPIHandler(s Service, logger log.Logger) *APIHandler

NewAPIHandler will instantiate and return a new APIHandler.

type AccessRequestKey

// AccessRequestKey identifies the set of AccessRequests an operation acts on:
// the namespace the requests live in, the target Argo CD Application
// (name + namespace) and the requesting user.
//
// NOTE(review): Persister.ListAccessRequests matches on this key, so Username
// appears to be the only per-user scoping of list/get results. It must be
// populated from the authenticated identity (ArgoCDHeaders.ArgoCDUsername),
// never from a client-supplied body field — confirm in the handler.
type AccessRequestKey struct {
	Namespace            string
	ApplicationName      string
	ApplicationNamespace string
	Username             string
}

type AccessRequestResponseBody

// AccessRequestResponseBody is the JSON view of an AccessRequest returned to
// clients. RequestedAt and ExpiresAt are serialized as strings; the exact
// format is described by the field tags, which this rendering elides —
// check the source before parsing them.
type AccessRequestResponseBody struct {
	Name        string `json:"name" example:"some-accessrequest" doc:"The access request name."`
	Namespace   string `json:"namespace" example:"some-namespace" doc:"The access request namespace."`
	Username    string `json:"username" example:"some-user@acme.org" doc:"The user associated with the access request."`
	Permission  string `json:"permission" example:"Operator Access" doc:"The permission description of the role associated to this access request."`
	Role        string `json:"role" example:"custom-role-template" doc:"The role template associated to this access request."`
	RequestedAt string `` /* 141-byte string literal not displayed */
	Status      string `` /* 140-byte string literal not displayed */
	ExpiresAt   string `` /* 137-byte string literal not displayed */
	Message     string `` /* 149-byte string literal not displayed */
}

AccessRequestResponseBody defines the access request fields returned as part of the response body.

type AllowedRoleResponseBody

// AllowedRoleResponseBody is one entry of the list-allowed-roles response.
// RoleName is the value a client sends back as CreateAccessRequestBody.RoleName
// when it requests that role; RoleDisplayName is for presentation only.
type AllowedRoleResponseBody struct {
	RoleName        string `json:"roleName" example:"custom-role-template" doc:"The role template name to request."`
	RoleDisplayName string `` /* 127-byte string literal not displayed */
}

AllowedRoleResponseBody defines the allowed role response.

type ArgoCDHeaders

// ArgoCDHeaders carries the caller identity and target that the Argo CD API
// server forwards to proxy extensions as HTTP headers. Every request input
// type in this package (CreateAccessRequestInput, ListAccessRequestInput,
// ListAllowedRolesInput) embeds it, and Groups()/Application() expose the
// values that feed the AccessBinding lookups in Service.
//
// NOTE(review): nothing in this package appears to verify the origin of these
// headers, so they are only trustworthy while the backend is reachable
// exclusively through the Argo CD API server's extension proxy. If the backend
// is exposed directly, a client could set ArgoCDUsername / ArgoCDUserGroups to
// arbitrary values and obtain or request access on behalf of other users —
// confirm that the deployment restricts ingress to the API server.
type ArgoCDHeaders struct {
	ArgoCDUsername        string `` /* 168-byte string literal not displayed */
	ArgoCDUserGroups      string `` /* 169-byte string literal not displayed */
	ArgoCDApplicationName string `` /* 184-byte string literal not displayed */
	ArgoCDProjectName     string `` /* 170-byte string literal not displayed */
	ArgoCDNamespace       string `` /* 172-byte string literal not displayed */
}

ArgoCDHeaders defines the required headers that the Argo CD API server sends to proxy extensions; the backend derives the caller's username, groups and target application from them.

func (*ArgoCDHeaders) Application

func (h *ArgoCDHeaders) Application() (namespace string, name string, err error)

func (*ArgoCDHeaders) Groups

func (h *ArgoCDHeaders) Groups() []string

type CreateAccessRequestBody

// CreateAccessRequestBody is the JSON request body of the create endpoint.
// RoleName is client-controlled input: it must be resolved to a granting
// AccessBinding for the caller's groups (Service.GetGrantingAccessBinding)
// before Service.CreateAccessRequest is invoked — presumably done in the
// handler; confirm.
type CreateAccessRequestBody struct {
	RoleName string `json:"roleName" example:"custom-role-template" doc:"The role template name to request."`
}

CreateAccessRequestBody defines the create access request body.

type CreateAccessRequestInput

// CreateAccessRequestInput is the full input of the create endpoint: the
// identity/target headers plus the JSON body naming the requested role.
type CreateAccessRequestInput struct {
	ArgoCDHeaders
	Body CreateAccessRequestBody
}

CreateAccessRequestInput defines the create access input parameters.

type CreateAccessRequestResponse

// CreateAccessRequestResponse wraps the created AccessRequest as the
// response body of the create endpoint.
type CreateAccessRequestResponse struct {
	Body AccessRequestResponseBody
}

CreateAccessRequestResponse defines the create access response.

type DefaultService

// DefaultService is the production Service implementation. NewDefaultService
// wires in a Persister, a logger, a namespace (presumably the controller
// namespace that GetGrantingAccessBinding also consults — confirm) and the
// default AccessRequest duration.
type DefaultService struct {
	// contains filtered or unexported fields
}

DefaultService is the real Service implementation.

func NewDefaultService

func NewDefaultService(c Persister, l log.Logger, namespace string, arDuration time.Duration) *DefaultService

NewDefaultService will return a new DefaultService instance.

func (*DefaultService) CreateAccessRequest

func (s *DefaultService) CreateAccessRequest(ctx context.Context, key *AccessRequestKey, binding *api.AccessBinding) (*api.AccessRequest, error)

func (*DefaultService) GetAccessBindingsForGroups

func (s *DefaultService) GetAccessBindingsForGroups(ctx context.Context, namespace string, groups []string, app *unstructured.Unstructured, project *unstructured.Unstructured) ([]*api.AccessBinding, error)

GetAccessBindingsForGroups will retrieve the list of AccessBindings allowed by at least one of the given groups. The list will be ordered by the AccessBinding.Ordinal field in descending order. This means that AccessBindings associated with roles with lesser privileges will come first.

func (*DefaultService) GetAccessRequestByRole

func (s *DefaultService) GetAccessRequestByRole(ctx context.Context, key *AccessRequestKey, roleName string) (*api.AccessRequest, error)

GetAccessRequestByRole will find the AccessRequest based on the given key and roleName. Result will discard Expired and Denied AccessRequests.

func (*DefaultService) GetAppProject

func (s *DefaultService) GetAppProject(ctx context.Context, name string, namespace string) (*unstructured.Unstructured, error)

func (*DefaultService) GetApplication

func (s *DefaultService) GetApplication(ctx context.Context, name string, namespace string) (*unstructured.Unstructured, error)

func (*DefaultService) GetGrantingAccessBinding

func (s *DefaultService) GetGrantingAccessBinding(ctx context.Context, roleName string, namespace string, groups []string, app *unstructured.Unstructured, project *unstructured.Unstructured) (*api.AccessBinding, error)

func (*DefaultService) ListAccessRequests

func (s *DefaultService) ListAccessRequests(ctx context.Context, key *AccessRequestKey, shouldSort bool) ([]*api.AccessRequest, error)

ListAccessRequests will return all AccessRequests based on the given key. If shouldSort is true, the result list will be sorted using defaultAccessRequestSort algorithm.

type K8sPersister

// K8sPersister implements Persister on top of the Kubernetes API, built from
// a *rest.Config by NewK8sPersister. StartCache must be running for it to be
// usable — reads are presumably served from that cache; confirm.
type K8sPersister struct {
	// contains filtered or unexported fields
}

K8sPersister is a K8s implementation for the Persister interface.

func NewK8sPersister

func NewK8sPersister(config *rest.Config, logger log.Logger) (*K8sPersister, error)

NewK8sPersister will return a new K8sPersister instance.

func (*K8sPersister) CreateAccessRequest

func (c *K8sPersister) CreateAccessRequest(ctx context.Context, ar *api.AccessRequest) (*api.AccessRequest, error)

func (*K8sPersister) GetAppProject

func (c *K8sPersister) GetAppProject(ctx context.Context, name, namespace string) (*unstructured.Unstructured, error)

func (*K8sPersister) GetApplication

func (c *K8sPersister) GetApplication(ctx context.Context, name, namespace string) (*unstructured.Unstructured, error)

func (*K8sPersister) ListAccessBindings

func (c *K8sPersister) ListAccessBindings(ctx context.Context, roleName, namespace string) (*api.AccessBindingList, error)

func (*K8sPersister) ListAccessRequests

func (c *K8sPersister) ListAccessRequests(ctx context.Context, key *AccessRequestKey) (*api.AccessRequestList, error)

func (*K8sPersister) ListAllAccessBindings

func (c *K8sPersister) ListAllAccessBindings(ctx context.Context, namespace string) (*api.AccessBindingList, error)

func (*K8sPersister) StartCache

func (p *K8sPersister) StartCache(ctx context.Context) error

StartCache initializes the Kubernetes persister cache and blocks the calling goroutine; run it in its own goroutine before serving requests.

type ListAccessRequestInput

// ListAccessRequestInput is the input of the list endpoint; it consists only
// of the identity/target headers, which scope the returned requests.
type ListAccessRequestInput struct {
	ArgoCDHeaders
}

ListAccessRequestInput defines the list access input parameters.

type ListAccessRequestResponse

// ListAccessRequestResponse wraps the list-endpoint body.
type ListAccessRequestResponse struct {
	Body ListAccessRequestResponseBody
}

ListAccessRequestResponse defines the list access response parameters.

type ListAccessRequestResponseBody

// ListAccessRequestResponseBody is the JSON body of the list endpoint. Items
// has no omitempty, so an empty result serializes as "items": [] or null
// depending on whether the slice is nil — callers should accept both.
type ListAccessRequestResponseBody struct {
	Items []AccessRequestResponseBody `json:"items"`
}

ListAccessRequestResponseBody defines the list access response body.

type ListAllowedRolesInput

// ListAllowedRolesInput is the input of the list-allowed-roles endpoint; the
// caller's groups come from the embedded headers.
type ListAllowedRolesInput struct {
	ArgoCDHeaders
}

ListAllowedRolesInput defines the input parameters of the list-allowed-roles request.

type ListAllowedRolesResponse

// ListAllowedRolesResponse wraps the list-allowed-roles body.
type ListAllowedRolesResponse struct {
	Body ListAllowedRolesResponseBody
}

ListAllowedRolesResponse defines the response of allowed roles requests.

type ListAllowedRolesResponseBody

// ListAllowedRolesResponseBody is the JSON body of the list-allowed-roles
// endpoint. As with the other list body, a nil Items slice serializes as null.
type ListAllowedRolesResponseBody struct {
	Items []AllowedRoleResponseBody `json:"items"`
}

ListAllowedRolesResponseBody defines the response body of allowed roles requests.

type Persister

// Persister abstracts the storage the backend reads and writes; K8sPersister
// is the Kubernetes implementation. Every method is scoped by a namespace or
// key argument supplied by the caller — whether an implementation enforces any
// further restriction is not visible here, so callers must derive those
// arguments from the authenticated request rather than free-form client input.
type Persister interface {

	// CreateAccessRequest creates a new Access Request object and returns it
	// (the returned value is the persisted object, not necessarily ar itself).
	CreateAccessRequest(ctx context.Context, ar *api.AccessRequest) (*api.AccessRequest, error)
	// ListAccessRequests returns all the AccessRequests matching the key criteria
	// (namespace, application and username as set in key).
	ListAccessRequests(ctx context.Context, key *AccessRequestKey) (*api.AccessRequestList, error)

	// ListAccessBindings returns all the AccessBindings matching the specified role and namespace.
	ListAccessBindings(ctx context.Context, roleName, namespace string) (*api.AccessBindingList, error)

	// ListAllAccessBindings returns all the AccessBindings in the given namespace.
	ListAllAccessBindings(ctx context.Context, namespace string) (*api.AccessBindingList, error)

	// GetApplication returns an Unstructured object that represents the Application.
	// An Unstructured object is returned to avoid importing the full object type or losing properties
	// during unmarshalling from the partial typed object.
	GetApplication(ctx context.Context, name, namespace string) (*unstructured.Unstructured, error)

	// GetAppProject returns an Unstructured object that represents the AppProject.
	// An Unstructured object is returned to avoid importing the full object type or losing properties
	// during unmarshalling from the partial typed object.
	GetAppProject(ctx context.Context, name, namespace string) (*unstructured.Unstructured, error)
}

Persister defines the operations used to interact with the backend persistence layer (e.g. Kubernetes).

type Service

// Service is the backend's business-logic boundary; DefaultService is the
// production implementation. The authorization decision for creating an
// AccessRequest is split across two calls: GetGrantingAccessBinding decides
// whether the caller's groups may request a role, and CreateAccessRequest then
// records the request for the binding it is handed.
type Service interface {
	// CreateAccessRequest will create an AccessRequest for the given key requesting the role specified by the AccessBinding.
	// The binding is taken as already authorized: this method does not re-check that key.Username's groups
	// are allowed by it, so callers must obtain it from GetGrantingAccessBinding (presumably the handler
	// does — confirm) and never from client-supplied data.
	CreateAccessRequest(ctx context.Context, key *AccessRequestKey, binding *api.AccessBinding) (*api.AccessRequest, error)
	// GetAccessRequestByRole will retrieve the access request for the specified role.
	// Will return a nil value without any error if an access request isn't found for this role.
	// Expired and Denied requests are not returned (see DefaultService.GetAccessRequestByRole).
	GetAccessRequestByRole(ctx context.Context, key *AccessRequestKey, roleName string) (*api.AccessRequest, error)
	// ListAccessRequests will list non-expired access requests and optionally sort them by importance.
	// The importance sort is based on status, role ordinal, name and creation date.
	ListAccessRequests(ctx context.Context, key *AccessRequestKey, sort bool) ([]*api.AccessRequest, error)

	// GetGrantingAccessBinding will return the first AccessBinding allowing at least one of the group to request the specified role.
	// AccessBinding can be located in the specified namespace or in the controller namespace, so a binding
	// in the controller namespace can grant a role across namespaces — keep that in mind when reviewing bindings.
	// If no bindings are granting access, nil is returned; a nil result must be treated as "denied" by callers.
	GetGrantingAccessBinding(ctx context.Context, roleName string, namespace string, groups []string, app *unstructured.Unstructured, project *unstructured.Unstructured) (*api.AccessBinding, error)

	// GetAccessBindingsForGroups will retrieve the list of AccessBindings allowed by at least one of the given groups.
	// The list will be ordered by the AccessBinding.Ordinal field in descending order. This means that AccessBindings
	// associated with roles with lesser privileges will come first.
	GetAccessBindingsForGroups(ctx context.Context, namespace string, groups []string, app *unstructured.Unstructured, project *unstructured.Unstructured) ([]*api.AccessBinding, error)

	// GetApplication returns the Unstructured object representing the application. The Unstructured object
	// can be used to evaluate granting AccessBinding.
	GetApplication(ctx context.Context, name, namespace string) (*unstructured.Unstructured, error)
	// GetAppProject returns the Unstructured object representing the app project. The Unstructured object
	// can be used to evaluate granting AccessBinding.
	GetAppProject(ctx context.Context, name, namespace string) (*unstructured.Unstructured, error)
}

Service defines the operations provided by the backend. Backend business logic should be added in implementations of this interface.
