opa

package v0.0.0-...-0490640

Published: May 16, 2019 License: Apache-2.0 Imports: 18 Imported by: 0

README

OPA decision engine

policy.go

This file is generated from policy/*.rego.

The generation is done using go-bindata, from go generate. Run this from components/authz-service:

$ go generate ./...
$ # no output on success

It requires that go-bindata is installed.

TODO (sr): ensure this works properly in habitat and studio env. Other projects also use go-bindata, IIRC.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Asset

func Asset(name string) ([]byte, error)

Asset loads and returns the asset for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetDir

func AssetDir(name string) ([]string, error)

AssetDir returns the file names below a certain directory embedded in the file by go-bindata. For example if you run go-bindata on data/... and data contains the following hierarchy:

data/
  foo.txt
  img/
    a.png
    b.png

then AssetDir("data") would return []string{"foo.txt", "img"}; AssetDir("data/img") would return []string{"a.png", "b.png"}; AssetDir("foo.txt") and AssetDir("notexist") would return an error; AssetDir("") will return []string{"data"}.

func AssetInfo

func AssetInfo(name string) (os.FileInfo, error)

AssetInfo loads and returns the asset info for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetNames

func AssetNames() []string

AssetNames returns the names of the assets.

func MustAsset

func MustAsset(name string) []byte

MustAsset is like Asset but panics when Asset would return an error. It simplifies safe initialization of global variables.

func RestoreAsset

func RestoreAsset(dir, name string) error

RestoreAsset restores an asset under the given directory.

func RestoreAssets

func RestoreAssets(dir, name string) error

RestoreAssets restores an asset under the given directory recursively.

Types

type ErrEvaluation

type ErrEvaluation struct {
	// contains filtered or unexported fields
}

ErrEvaluation is returned when a query evaluation returns an error.

func (*ErrEvaluation) Error

func (e *ErrEvaluation) Error() string

type ErrUnexpectedResultExpression

type ErrUnexpectedResultExpression struct {
	// contains filtered or unexported fields
}

ErrUnexpectedResultExpression is returned when one of the result set's expressions can't be made sense of.

func (*ErrUnexpectedResultExpression) Error

func (e *ErrUnexpectedResultExpression) Error() string

type ErrUnexpectedResultSet

type ErrUnexpectedResultSet struct {
	// contains filtered or unexported fields
}

ErrUnexpectedResultSet is returned when the result set of an OPA query can't be made sense of.

func (*ErrUnexpectedResultSet) Error

func (e *ErrUnexpectedResultSet) Error() string

type OptFunc

type OptFunc func(*State)

OptFunc is the type of functional options to be passed to New().

func WithModules

func WithModules(mods map[string]*ast.Module) OptFunc

WithModules allows for injecting an OPA policy via opa.New() for engine initialization.

type State

type State struct {
	// contains filtered or unexported fields
}

State wraps the state of OPA we need to track.

func New

func New(ctx context.Context, l logger.Logger, opts ...OptFunc) (*State, error)

New initializes a fresh OPA state, using the default, hardcoded OPA policy from policy/authz*.rego unless overridden via an opa.OptFunc.

func (*State) DumpData

func (s *State) DumpData(ctx context.Context) error

DumpData is a bit fast-and-loose when it comes to error checking; it is not meant to be used in production.

func (*State) FilterAuthorizedPairs

func (s *State) FilterAuthorizedPairs(
	ctx context.Context,
	subjects engine.Subjects,
	pairs []engine.Pair) ([]engine.Pair, error)

FilterAuthorizedPairs passes the pairs into OPA, lets it take care of the filtering, and returns the resulting (sub)list.

func (*State) IsAuthorized

func (s *State) IsAuthorized(
	ctx context.Context,
	subjects engine.Subjects,
	action engine.Action,
	resource engine.Resource) (bool, error)

IsAuthorized evaluates whether a given [subject, resource, action] tuple is authorized given the service's state.
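Both decision paths above, IsAuthorized (a query that should yield a single boolean) and FilterAuthorizedPairs (a query that should yield the authorized subset of the pairs), have to turn an OPA result set into a Go value, and the ErrUnexpectedResultSet and ErrUnexpectedResultExpression types exist for the cases where that fails. The following is an added example, not code from this package or from Chef Automate, showing the fail-closed interpretation a practitioner would want on that boundary: only a literal `true` allows, an undefined query denies, and any unexpected shape (extra results, extra expressions, a non-bool such as the string "true", a malformed pair) denies with an error instead of being coerced. It assumes small stand-in types shaped like OPA's rego.ResultSet (one Result per answer, one expression value per query expression), a Pair struct modelled on engine.Pair, and sample result sets constructed inline in place of a real rego query evaluation.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the shape of OPA's rego.ResultSet: a list of results, each
// carrying one value per query expression (assumption: mirrors
// rego.Result.Expressions[i].Value; these are not the page's own types).
type ExpressionValue struct{ Value interface{} }
type Result struct{ Expressions []*ExpressionValue }
type ResultSet []Result

// Pair is an (action, resource) tuple, modelled on engine.Pair (assumption).
type Pair struct{ Action, Resource string }

var (
	ErrUnexpectedResultSet        = errors.New("unexpected result set")
	ErrUnexpectedResultExpression = errors.New("unexpected result expression")
)

// singleValue extracts the one expression value of a one-result result set.
// ok=false means the query was undefined (empty result set), which callers
// treat as "deny"; any other shape is an error and never an allow.
func singleValue(rs ResultSet) (v interface{}, ok bool, err error) {
	switch len(rs) {
	case 0:
		return nil, false, nil
	case 1:
		exps := rs[0].Expressions
		if len(exps) != 1 || exps[0] == nil {
			return nil, false, fmt.Errorf("%w: %d expressions", ErrUnexpectedResultExpression, len(exps))
		}
		return exps[0].Value, true, nil
	default:
		return nil, false, fmt.Errorf("%w: %d results", ErrUnexpectedResultSet, len(rs))
	}
}

// Authorized interprets a boolean decision query (e.g. data.authz.authorized).
// Only a literal true allows; undefined, false, and non-bool values (a string
// "true", a number, an object) all deny. Non-bool values also raise an error
// so a broken policy is noticed rather than silently denying everyone.
func Authorized(rs ResultSet) (bool, error) {
	v, ok, err := singleValue(rs)
	if err != nil || !ok {
		return false, err
	}
	b, isBool := v.(bool)
	if !isBool {
		return false, fmt.Errorf("%w: want bool, got %T", ErrUnexpectedResultExpression, v)
	}
	return b, nil
}

// AuthorizedPairs interprets a filtering query whose value is a set of
// {"action": ..., "resource": ...} objects. A malformed element fails the
// whole call instead of being dropped or passed through as authorized.
func AuthorizedPairs(rs ResultSet) ([]Pair, error) {
	v, ok, err := singleValue(rs)
	if err != nil || !ok {
		return nil, err
	}
	items, isList := v.([]interface{})
	if !isList {
		return nil, fmt.Errorf("%w: want array, got %T", ErrUnexpectedResultExpression, v)
	}
	out := make([]Pair, 0, len(items))
	for _, it := range items {
		m, isObj := it.(map[string]interface{})
		if !isObj {
			return nil, fmt.Errorf("%w: pair element is %T", ErrUnexpectedResultExpression, it)
		}
		action, aok := m["action"].(string)
		resource, rok := m["resource"].(string)
		if !aok || !rok {
			return nil, fmt.Errorf("%w: pair lacks string action/resource", ErrUnexpectedResultExpression)
		}
		out = append(out, Pair{Action: action, Resource: resource})
	}
	return out, nil
}

// oneResult builds a one-result, one-expression result set (constructed
// sample standing in for the output of a rego query evaluation).
func oneResult(v interface{}) ResultSet {
	return ResultSet{{Expressions: []*ExpressionValue{{Value: v}}}}
}

func main() {
	fmt.Println(Authorized(oneResult(true)))
	fmt.Println(Authorized(ResultSet{}))
	fmt.Println(Authorized(oneResult("true")))
	fmt.Println(AuthorizedPairs(oneResult([]interface{}{
		map[string]interface{}{"action": "read", "resource": "nodes:1"},
	})))
}
```

The design point is that the coercion happens in exactly one place (singleValue plus a type assertion per query kind), so a policy that starts returning the wrong type, or a query that unexpectedly produces multiple answers, surfaces as an error at the engine boundary rather than as an accidental allow.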

func (*State) ListProjectMappings

func (s *State) ListProjectMappings(ctx context.Context) (map[string][]engine.Rule, error)

ListProjectMappings returns a map of all the rules for each projectID.

func (*State) RulesForProject

func (s *State) RulesForProject(
	ctx context.Context,
	projectID string) ([]engine.Rule, error)

Note (sr): right now this doesn't seem to do much more than retrieve data from OPA's store. That's fine, though: we'll need those mapping rules in OPA's store for other things (most likely), so retrieving them from there is a decent approximation of our approach.

func (*State) SetPolicies

func (s *State) SetPolicies(ctx context.Context, policies map[string]interface{}) error

SetPolicies replaces OPA's data with a new set of policies, and resets the partial evaluation cache.

func (*State) V2FilterAuthorizedPairs

func (s *State) V2FilterAuthorizedPairs(
	ctx context.Context,
	subjects engine.Subjects,
	pairs []engine.Pair) ([]engine.Pair, error)

V2FilterAuthorizedPairs passes the pairs into OPA, lets it take care of the filtering, and returns the resulting (sub)list.

func (*State) V2FilterAuthorizedProjects

func (s *State) V2FilterAuthorizedProjects(
	ctx context.Context,
	subjects engine.Subjects,
	pairs []engine.Pair) ([]string, error)

V2FilterAuthorizedProjects passes the pairs of all action/resources into OPA, lets it take care of the filtering, and returns the projects associated with the resulting (sub)list.

func (*State) V2IsAuthorized

func (s *State) V2IsAuthorized(
	ctx context.Context,
	subjects engine.Subjects,
	action engine.Action,
	resource engine.Resource) (bool, error)

V2IsAuthorized evaluates whether a given [subject, resource, action] tuple is authorized given the service's state.

func (*State) V2ProjectsAuthorized

func (s *State) V2ProjectsAuthorized(
	ctx context.Context,
	subjects engine.Subjects,
	action engine.Action,
	resource engine.Resource,
	projects engine.Projects) ([]string, error)

V2ProjectsAuthorized evaluates whether a given [subject, resource, action, projects] tuple is authorized and returns the list of associated allowed projects from the set of requested projects passed in.

func (*State) V2SetPolicies

func (s *State) V2SetPolicies(
	ctx context.Context, policyMap map[string]interface{},
	roleMap map[string]interface{}, ruleMap map[string][]interface{}) error

Spike TODO: can we have a separate method for just setting the rule mappings, or does the entire OPA store have to be re-evaluated at once? If the latter is true, should we use the same OPA instance in general for rules?

V2SetPolicies replaces OPA's data with a new set of policies and roles, and resets the partial evaluation cache for v2.
