Documentation ¶
Index ¶
- Variables
- func IsAuthLevelSufficient(authenticationLevel authentication.Level, authorizationLevel Level) bool
- func LevelToPolicy(level Level) (policy string)
- type AccessControlDomain
- type AccessControlDomainRegex
- type AccessControlDomainRegexBasic
- type AccessControlGroup
- type AccessControlResource
- type AccessControlRule
- type AccessControlSubjects
- type AccessControlUser
- type Authorizer
- type Level
- type Object
- type RuleMatchResult
- type Subject
- type SubjectMatcher
- type SubjectObjectMatcher
Constants ¶
This section is empty.
Variables ¶
var (
	// IdentitySubexpNames is a list of valid regex subexp names.
	IdentitySubexpNames = []string{subexpNameUser, subexpNameGroup}
)
Functions ¶
func IsAuthLevelSufficient ¶
func IsAuthLevelSufficient(authenticationLevel authentication.Level, authorizationLevel Level) bool
IsAuthLevelSufficient returns true if the current authenticationLevel meets or exceeds the authorizationLevel required by the matched policy.
func LevelToPolicy ¶ added in v4.34.0
func LevelToPolicy(level Level) (policy string)
LevelToPolicy converts an integer authorization level to its string policy name.
Types ¶
type AccessControlDomain ¶
AccessControlDomain represents an ACL domain.
func (AccessControlDomain) IsMatch ¶
func (acl AccessControlDomain) IsMatch(subject Subject, object Object) (match bool)
IsMatch returns true if the ACL domain matches the object domain.
func (AccessControlDomain) String ¶ added in v4.35.0
func (acl AccessControlDomain) String() string
String returns a string representation of the SubjectObjectMatcher rule.
type AccessControlDomainRegex ¶ added in v4.35.0
type AccessControlDomainRegex struct {
	Pattern         regexp.Regexp
	SubexpNameUser  int
	SubexpNameGroup int
}
AccessControlDomainRegex represents an ACL domain regex.
func (AccessControlDomainRegex) IsMatch ¶ added in v4.35.0
func (acl AccessControlDomainRegex) IsMatch(subject Subject, object Object) (match bool)
IsMatch returns true if the ACL regex matches the object domain.
func (AccessControlDomainRegex) String ¶ added in v4.35.0
func (acl AccessControlDomainRegex) String() string
String returns a text representation of an AccessControlDomainRegex.
type AccessControlDomainRegexBasic ¶ added in v4.35.0
AccessControlDomainRegexBasic represents a basic domain regex SubjectObjectMatcher.
func (AccessControlDomainRegexBasic) IsMatch ¶ added in v4.35.0
func (acl AccessControlDomainRegexBasic) IsMatch(_ Subject, object Object) (match bool)
IsMatch returns true if the ACL regex matches the object domain; the subject is ignored.
func (AccessControlDomainRegexBasic) String ¶ added in v4.35.0
func (acl AccessControlDomainRegexBasic) String() string
String returns a text representation of an AccessControlDomainRegexBasic.
type AccessControlGroup ¶
type AccessControlGroup struct {
Name string
}
AccessControlGroup represents an ACL subject of type `group:`.
func (AccessControlGroup) IsMatch ¶
func (acg AccessControlGroup) IsMatch(subject Subject) (match bool)
IsMatch returns true if the AccessControlGroup name matches one of the groups of the Subject.
type AccessControlResource ¶
AccessControlResource represents an ACL resource.
func (AccessControlResource) IsMatch ¶
func (acr AccessControlResource) IsMatch(object Object) (match bool)
IsMatch returns true if the ACL resource matches the object path.
type AccessControlRule ¶
type AccessControlRule struct {
	Position  int
	Domains   []SubjectObjectMatcher
	Resources []AccessControlResource
	Methods   []string
	Networks  []*net.IPNet
	Subjects  []AccessControlSubjects
	Policy    Level
}
AccessControlRule is the internal representation of a single ACL rule.
func NewAccessControlRule ¶
func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][]*net.IPNet, networksCacheMap map[string]*net.IPNet) *AccessControlRule
NewAccessControlRule parses a schema ACL and generates an internal ACL.
func NewAccessControlRules ¶
func NewAccessControlRules(config schema.AccessControlConfiguration) (rules []*AccessControlRule)
NewAccessControlRules converts a schema.AccessControlConfiguration into an AccessControlRule slice.
type AccessControlSubjects ¶
type AccessControlSubjects struct {
Subjects []SubjectMatcher
}
AccessControlSubjects represents an ACL subject.
func (*AccessControlSubjects) AddSubject ¶
func (acs *AccessControlSubjects) AddSubject(subjectRule string)
AddSubject appends a SubjectMatcher to the AccessControlSubjects, parsed from a subject rule string such as one with a `user:` or `group:` prefix.
func (AccessControlSubjects) IsMatch ¶
func (acs AccessControlSubjects) IsMatch(subject Subject) (match bool)
IsMatch returns true if the ACL subjects match the subject properties.
type AccessControlUser ¶
type AccessControlUser struct {
Name string
}
AccessControlUser represents an ACL subject of type `user:`.
func (AccessControlUser) IsMatch ¶
func (acu AccessControlUser) IsMatch(subject Subject) (match bool)
IsMatch returns true if the AccessControlUser name matches the Subject username.
type Authorizer ¶
type Authorizer struct {
// contains filtered or unexported fields
}
Authorizer is the component in charge of checking whether a user can access a given resource.
func NewAuthorizer ¶
func NewAuthorizer(configuration *schema.Configuration) *Authorizer
NewAuthorizer creates an instance of Authorizer with a given access control configuration.
func (Authorizer) GetRequiredLevel ¶
func (p Authorizer) GetRequiredLevel(subject Subject, object Object) Level
GetRequiredLevel retrieves the level of authorization required to access the object.
func (Authorizer) GetRuleMatchResults ¶ added in v4.34.0
func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult)
GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult for the provided subject and object.
func (Authorizer) IsSecondFactorEnabled ¶
func (p Authorizer) IsSecondFactorEnabled() bool
IsSecondFactorEnabled returns true if at least one policy is set to second factor.
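The following Go program is an added example, not code from the authorization package: a toy evaluator that mirrors the flow the Authorizer methods above describe. Rules are checked in order, the policy of the first fully matching rule is the required Level (the configured default policy otherwise), and IsAuthLevelSufficient compares that requirement with the session's authentication level. The level ordering, the Denied/Bypass handling, the `user:`/`group:` subject syntax, the names `Rule`, `Matches`, `RequiredLevel` and the constructed rule set are all assumptions made for illustration.

```go
package main

import "fmt"
import "regexp"
import "strings"

// Added example, not Authelia's own code: a toy first-match evaluator mirroring the flow
// GetRequiredLevel -> IsAuthLevelSufficient. Level ordering, Denied/Bypass handling and
// the "user:"/"group:" subject syntax are assumptions made for illustration.

type Level int // authorization level a policy demands
const (
	Bypass Level = iota
	OneFactor
	TwoFactor
	Denied
)

type AuthLevel int // stands in for authentication.Level: how strongly the session authenticated
const (
	NotAuthenticated AuthLevel = iota
	AuthOneFactor
	AuthTwoFactor
)

type Subject struct{ Username string; Groups []string }
type Object struct{ Domain, Path string }
// Rule is a cut-down AccessControlRule; an empty slice means "match anything".
type Rule struct {
	Domains   []string
	Resources []*regexp.Regexp
	Subjects  []string // "user:<name>" or "group:<name>"; any one matching suffices
	Policy    Level
}

func anyFold(values []string, want string) bool {
	for _, v := range values {
		if strings.EqualFold(v, want) {
			return true
		}
	}
	return false
}
func subjectMatches(rule string, s Subject) bool {
	if strings.HasPrefix(rule, "user:") {
		return strings.EqualFold(strings.TrimPrefix(rule, "user:"), s.Username)
	}
	return strings.HasPrefix(rule, "group:") && anyFold(s.Groups, strings.TrimPrefix(rule, "group:"))
}

// Matches reports whether every criterion of the rule matches the subject/object pair.
func Matches(r *Rule, s Subject, o Object) bool {
	if len(r.Domains) > 0 && !anyFold(r.Domains, o.Domain) {
		return false
	}
	resOK, subOK := len(r.Resources) == 0, len(r.Subjects) == 0
	for _, re := range r.Resources {
		resOK = resOK || re.MatchString(o.Path)
	}
	for _, sr := range r.Subjects {
		subOK = subOK || subjectMatches(sr, s)
	}
	return resOK && subOK
}

// RequiredLevel returns the policy of the first matching rule, else the default policy.
func RequiredLevel(rules []*Rule, def Level, s Subject, o Object) Level {
	for _, r := range rules {
		if Matches(r, s, o) {
			return r.Policy
		}
	}
	return def
}

// IsAuthLevelSufficient: the session must meet or exceed the required level; Denied never passes.
func IsAuthLevelSufficient(auth AuthLevel, required Level) bool {
	switch required {
	case Denied:
		return false
	case OneFactor:
		return auth >= AuthOneFactor
	case TwoFactor:
		return auth >= AuthTwoFactor
	}
	return true // Bypass
}

// exampleRules is a constructed rule set; order matters because the first match wins.
var exampleRules = []*Rule{
	{Domains: []string{"admin.example.com"}, Subjects: []string{"group:admin"}, Policy: TwoFactor},
	{Domains: []string{"admin.example.com"}, Policy: Denied},
	{Domains: []string{"app.example.com"}, Resources: []*regexp.Regexp{regexp.MustCompile(`^/api/health$`)}, Policy: Bypass},
	{Domains: []string{"app.example.com"}, Policy: OneFactor},
}
func main() {
	lvl := RequiredLevel(exampleRules, Denied, Subject{Username: "alice", Groups: []string{"admin"}}, Object{Domain: "admin.example.com", Path: "/"})
	fmt.Println(lvl, IsAuthLevelSufficient(AuthOneFactor, lvl), IsAuthLevelSufficient(AuthTwoFactor, lvl))
}
```

Two points the rule set makes: the admin domain's `two_factor` rule must sit before the catch-all `deny` for that domain, because the first full match ends the search, and a session that only completed one factor is refused for it even though the rule matched; and the health-check `bypass` rule only matches the exact path, so every other path on `app.example.com` falls through to `one_factor`.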
type Level ¶
type Level int
Level is the type representing an authorization level.
func PolicyToLevel ¶
PolicyToLevel converts a string policy to an integer authorization level.
type Object ¶
Object represents a protected object for the purposes of ACL matching.
func NewObjectRaw ¶
NewObjectRaw creates a new Object type from a URL and a method header.
type RuleMatchResult ¶ added in v4.34.0
type RuleMatchResult struct {
	Rule               *AccessControlRule
	Skipped            bool
	MatchDomain        bool
	MatchResources     bool
	MatchMethods       bool
	MatchNetworks      bool
	MatchSubjects      bool
	MatchSubjectsExact bool
}
RuleMatchResult describes how well a rule matched a subject/object combo.
func (RuleMatchResult) IsMatch ¶ added in v4.34.0
func (r RuleMatchResult) IsMatch() (match bool)
IsMatch returns true if all the criteria matched.
func (RuleMatchResult) IsPotentialMatch ¶ added in v4.34.0
func (r RuleMatchResult) IsPotentialMatch() (match bool)
IsPotentialMatch returns true if the rule is potentially a match.
type Subject ¶
Subject represents the identity of a user for the purposes of ACL matching.
func (Subject) IsAnonymous ¶
IsAnonymous returns true if the Subject username and groups are empty.
type SubjectMatcher ¶ added in v4.35.0
SubjectMatcher is a matcher that takes a subject.
type SubjectObjectMatcher ¶ added in v4.35.0
type SubjectObjectMatcher interface {
	IsMatch(subject Subject, object Object) (match bool)
	String() string
}
SubjectObjectMatcher is a matcher that takes both a subject and an object.
func NewAccessControlDomain ¶ added in v4.35.0
func NewAccessControlDomain(domain string) SubjectObjectMatcher
NewAccessControlDomain creates a new SubjectObjectMatcher that matches the domain as a basic string.
func NewAccessControlDomainRegex ¶ added in v4.35.0
func NewAccessControlDomainRegex(pattern regexp.Regexp) SubjectObjectMatcher
NewAccessControlDomainRegex creates a new SubjectObjectMatcher that matches the domain either in a basic way (no identity subexpressions, see AccessControlDomainRegexBasic) or dynamically against the subject's username and groups via the User/Group named subexpressions (see AccessControlDomainRegex).
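As an added example (not Authelia's code), the following Go program re-implements the semantics that AccessControlDomainRegex and NewAccessControlDomainRegex document above: a pattern is compiled, the indices of the User and Group named subexpressions are recorded (-1 when absent, which is what makes a pattern "basic"), and IsMatch requires every captured identity value to agree with the subject. The subexpression names `User`/`Group`, the case-insensitive comparison, and the names `DomainRegex`, `NewDomainRegex` and `IsDynamic` are assumptions for illustration, not the project's API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not Authelia's own code: a minimal re-implementation of the documented
// AccessControlDomainRegex semantics. The subexpression names "User" and "Group" and the
// case-insensitive comparison are assumptions made for illustration.
const (
	subexpNameUser  = "User"
	subexpNameGroup = "Group"
)

type Subject struct{ Username string; Groups []string }
type Object struct{ Domain string }

// DomainRegex mirrors the documented struct: the compiled pattern plus the indices of the
// optional User/Group subexpressions (-1 when the pattern does not capture them).
type DomainRegex struct {
	Pattern         *regexp.Regexp
	SubexpNameUser  int
	SubexpNameGroup int
}

// NewDomainRegex compiles the pattern and records where the identity groups sit, which is
// the step that decides whether a pattern is "basic" (no identity groups) or dynamic.
func NewDomainRegex(expr string) (DomainRegex, error) {
	re, err := regexp.Compile(expr)
	if err != nil {
		return DomainRegex{}, err
	}
	d := DomainRegex{Pattern: re, SubexpNameUser: -1, SubexpNameGroup: -1}
	for i, name := range re.SubexpNames() {
		switch name {
		case subexpNameUser:
			d.SubexpNameUser = i
		case subexpNameGroup:
			d.SubexpNameGroup = i
		}
	}
	return d, nil
}

// IsDynamic reports whether the pattern captures an identity subexpression at all.
func (d DomainRegex) IsDynamic() bool { return d.SubexpNameUser != -1 || d.SubexpNameGroup != -1 }

// IsMatch returns true only if the pattern matches the domain AND every captured identity
// subexpression agrees with the subject. Without the second step a pattern such as
// ^(?P<User>\w+)\.example\.com$ would let any authenticated user reach every user's subdomain.
func (d DomainRegex) IsMatch(subject Subject, object Object) bool {
	m := d.Pattern.FindStringSubmatch(object.Domain)
	if m == nil {
		return false
	}
	if d.SubexpNameUser != -1 && !strings.EqualFold(m[d.SubexpNameUser], subject.Username) {
		return false
	}
	if d.SubexpNameGroup != -1 && !inGroups(subject.Groups, m[d.SubexpNameGroup]) {
		return false
	}
	return true
}

func inGroups(groups []string, want string) bool {
	for _, g := range groups {
		if strings.EqualFold(g, want) {
			return true
		}
	}
	return false
}

func main() {
	d, err := NewDomainRegex(`^(?P<User>\w+)\.(?P<Group>\w+)\.example\.com$`)
	if err != nil {
		panic(err)
	}
	alice := Subject{Username: "alice", Groups: []string{"dev"}}
	fmt.Println(d.IsMatch(alice, Object{Domain: "alice.dev.example.com"})) // true
	fmt.Println(d.IsMatch(alice, Object{Domain: "bob.dev.example.com"}))   // false: captured User is "bob"
}
```

The security-relevant half is the comparison after the regex match: a rule such as `^(?P<User>\w+)\.example\.com$` grants per-user subdomains only because the captured name is checked against the authenticated username, whereas a pattern with no identity subexpressions (`^.*\.example\.com$`, or one with an unrelated named group) matches for every subject and must be combined with an explicit subject criterion on the rule if it is meant to be restricted.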