engine

package

v0.0.0-...-0490640 Latest Latest Go to latest Published: May 16, 2019 License: Apache-2.0 Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/athmakuru/chef-automate

Links

Open Source Insights

Documentation ¶

Index ¶

func ProjectList(projects ...string) []string
type Action
type Authorizer
type Engine
type Pair
type Project
type ProjectRulesRetriever
type Projects
type Resource
type Rule
type Subjects
- func Subject(subs ...string) Subjects
type V1Engine
type V2Authorizer
type V2Writer
type Writer

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ProjectList ¶

func ProjectList(projects ...string) []string

ProjectList is a convenience function, allowing us to pass

engine.ProjectList("project-9")

instead of

engine.Projects([]string{"project-9"})

as argument to `FilterAuthorizedProjects`

Types ¶

type Action ¶

type Action string

Action is how the subject wants to interact with the resource

type Authorizer ¶

type Authorizer interface {
	IsAuthorized(context.Context, Subjects, Action, Resource) (bool, error)

	// FilterAuthorizedPairs returns the sublist of authorized Pairs from the
	// passed-in list. It takes the subjects into account, and follows the same
	// logic a sequence of IsAuthorized() calls would use.
	FilterAuthorizedPairs(context.Context, Subjects, []Pair) ([]Pair, error)
}

Authorizer is the interface for asking whether a concrete SAR tuple is authorized or not; and for filtering a given set of resource/action pairs, together with subjects, according to its authorization status.

type Engine ¶

type Engine interface {
	V1Engine

	// V2Authorizer and V2Writer are never used together (the authz section of the
	// service needs V2Authorizer, the policy section cares about V2Writer), so we
	// collect them here instead of introducing a V2Engine interface.
	V2Authorizer
	V2Writer

	ProjectRulesRetriever
}

Engine abstracts different decision engines.

Currently, a full-featured engine needs to support both v1 and v2. These are split to allow for a better decoupling in wiring up things -- i.e., the v2 authz and policy implementations only require V2Authorizer and V2Writer, respectively. Our OPA implementation of engine.Engine supports all of those interfaces, and can thus be plugged into either of those constructors.

type Pair ¶

type Pair struct {
	Resource Resource `json:"resource"`
	Action   Action   `json:"action"`
}

Pair is a convenience type for filtering a set of pairs according to their authorization

type Project ¶

type Project string

Project is the input query's REQUESTED project i.e. the project selected in the project filter. TODO: make this an array!!

type ProjectRulesRetriever ¶

type ProjectRulesRetriever interface {
	RulesForProject(context.Context, string) ([]Rule, error)
	ListProjectMappings(context.Context) (map[string][]Rule, error)
}

type Projects ¶

type Projects []string

A list of requested projects

type Resource ¶

type Resource string

Resource is what the subject is attempting to interact with

type Rule ¶

type Rule struct {
	Type   string
	Values []string
}

type Subjects ¶

type Subjects []string

Subjects contains the requestor and all the teams they're a member of. The strings are namespaced, so for the requestor, this would be

"user:type:EXTERNALID"

and for their teams

"team:type:TEAMID"

func Subject ¶

func Subject(subs ...string) Subjects

Subject is a convenience function, allowing us to pass

engine.Subject("team:local:admin")

instead of

engine.Subjects([]string{"team:local:admin"})

as argument to `IsAuthorized`

type V1Engine ¶

type V1Engine interface {
	Authorizer
	Writer
}

V1Engine is the interface representing the IAM v1 backing engine methods: updating the engine store (engine.Writer) and querying it for certain authorization requests (engine.Authorizer).

type V2Authorizer ¶

type V2Authorizer interface {

	// V2IsAuthorized returns an allow/deny decision
	// allowed by the subjects/action/resource tuple.
	V2IsAuthorized(context.Context, Subjects, Action, Resource) (bool, error)

	// V2ProjectsAuthorized returns a subset of the requested projects (Projects)
	// allowed by the subjects/action/resource tuple.
	V2ProjectsAuthorized(context.Context, Subjects, Action, Resource, Projects) ([]string, error)

	// FilterAuthorizedProjects returns a sublist of the passed-in pairs
	// allowed by the subjects.
	V2FilterAuthorizedPairs(context.Context, Subjects, []Pair) ([]Pair, error)

	// V2FilterAuthorizedProjects returns a list of projects corresponding to the
	// sublist of authorized Pairs allowed from the passed-in list.
	V2FilterAuthorizedProjects(context.Context, Subjects, []Pair) ([]string, error)
}

type V2Writer ¶

type V2Writer interface {
	V2SetPolicies(context.Context, map[string]interface{}, map[string]interface{}, map[string][]interface{}) error
}

type Writer ¶

type Writer interface {
	SetPolicies(context.Context, map[string]interface{}) error
}

Writer is the interface for writing policies to a decision engine

Source Files ¶

View all Source files

engine.go

Directories ¶

Path	Synopsis
opa

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL