Documentation
Index
- Variables
- func IsAuthLevelSufficient(authenticationLevel authentication.Level, authorizationLevel Level) bool
- func LevelToString(level Level) (policy string)
- type AccessControlDomain
- type AccessControlDomainMatcher
- type AccessControlGroup
- type AccessControlResource
- type AccessControlRule
- type AccessControlSubjects
- type AccessControlUser
- type Authorizer
- type Level
- type Object
- type RegexpGroupStringSubjectMatcher
- type RegexpStringSubjectMatcher
- type RuleMatchResult
- type StringSubjectMatcher
- type Subject
- type SubjectMatcher
- type SubjectObjectMatcher
Constants
This section is empty.
Variables
var (
	// IdentitySubexpNames is a list of valid regex subexp names.
	IdentitySubexpNames = []string{subexpNameUser, subexpNameGroup}
)
Functions
func IsAuthLevelSufficient
func IsAuthLevelSufficient(authenticationLevel authentication.Level, authorizationLevel Level) bool
IsAuthLevelSufficient returns true if the current authenticationLevel is above the authorizationLevel.
func LevelToString added in v4.36.3
func LevelToString(level Level) (policy string)
LevelToString converts an int authorization level to a string policy.
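The level comparison and the level/policy conversions listed here (IsAuthLevelSufficient, LevelToString, StringToLevel), as an added example that is not the documented package's own code. The level names, the policy keywords "bypass", "one_factor", "two_factor" and "deny", the AuthnLevel type standing in for authentication.Level, and the Decide helper are assumptions made for this example. The point it shows is that both the keyword parsing and the comparison fail closed: an unknown policy string or level value is treated as deny, never as bypass.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthnLevel is what a session has reached (the role of authentication.Level);
// Level is what a policy demands. Names, keywords and values are assumptions.
type AuthnLevel int
type Level int

const (
	NotAuthenticated AuthnLevel = iota
	AuthnOneFactor
	AuthnTwoFactor
)

const (
	Bypass Level = iota
	OneFactor
	TwoFactor
	Denied
)

// Assumed policy keywords for this example.
var levelNames = map[Level]string{Bypass: "bypass", OneFactor: "one_factor", TwoFactor: "two_factor", Denied: "deny"}

// LevelToString returns the policy keyword for a level; an unknown level is
// reported as "deny" so a corrupted value never reads as permissive.
func LevelToString(level Level) (policy string) {
	if name, ok := levelNames[level]; ok {
		return name
	}
	return levelNames[Denied]
}

// StringToLevel parses a policy keyword (case-insensitive, surrounding space
// ignored). Anything unrecognised maps to Denied, never to Bypass.
func StringToLevel(policy string) Level {
	policy = strings.ToLower(strings.TrimSpace(policy))
	for level, name := range levelNames {
		if name == policy {
			return level
		}
	}
	return Denied
}

// IsAuthLevelSufficient reports whether a session at authn satisfies authz.
// Bypass always passes; Denied and any unknown policy fail closed.
func IsAuthLevelSufficient(authn AuthnLevel, authz Level) bool {
	switch authz {
	case Bypass:
		return true
	case OneFactor:
		return authn >= AuthnOneFactor
	case TwoFactor:
		return authn >= AuthnTwoFactor
	}
	return false
}

// Outcome is what a forward-auth endpoint would answer the reverse proxy.
type Outcome int

const (
	Allow     Outcome = iota // let the request through
	Challenge                // send the user to log in or complete a second factor
	Forbid                   // no amount of authentication will help
)

// Decide turns the level comparison into a proxy decision: allow when the
// session already passes, challenge only when the strongest possible session
// level would pass (so a denied user is not bounced to a useless login page),
// and forbid otherwise, which also covers unknown policy values.
func Decide(authn AuthnLevel, authz Level) Outcome {
	switch {
	case IsAuthLevelSufficient(authn, authz):
		return Allow
	case IsAuthLevelSufficient(AuthnTwoFactor, authz):
		return Challenge
	default:
		return Forbid
	}
}

func main() {
	policy := StringToLevel("two_factor")
	fmt.Println(LevelToString(policy), Decide(AuthnOneFactor, policy) == Challenge) // two_factor true
	fmt.Println(Decide(AuthnTwoFactor, StringToLevel("no-such-policy")) == Forbid) // true
}
```

The two fail-closed paths are independent: StringToLevel protects against a misspelled policy in configuration, and the default branch of IsAuthLevelSufficient protects against a Level value that was never produced by StringToLevel.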
Types
type AccessControlDomain
type AccessControlDomain struct {
	Matcher StringSubjectMatcher
}
AccessControlDomain represents an ACL domain.
func NewAccessControlDomain added in v4.35.0
func NewAccessControlDomain(domain string) AccessControlDomain
NewAccessControlDomain creates a new SubjectObjectMatcher that matches the domain as a basic string.
func NewAccessControlDomainRegex added in v4.35.0
func NewAccessControlDomainRegex(pattern regexp.Regexp) AccessControlDomain
NewAccessControlDomainRegex creates a new SubjectObjectMatcher that matches the domain either as a plain pattern or dynamically via the User/Group subexpression groups.
type AccessControlDomainMatcher added in v4.36.0
type AccessControlDomainMatcher struct {
	Name          string
	Wildcard      bool
	UserWildcard  bool
	GroupWildcard bool
}
AccessControlDomainMatcher is the basic domain matcher.
type AccessControlGroup
type AccessControlGroup struct {
	Name string
}
AccessControlGroup represents an ACL subject of type `group:`.
func (AccessControlGroup) IsMatch
func (acg AccessControlGroup) IsMatch(subject Subject) (match bool)
IsMatch returns true if the AccessControlGroup name matches one of the groups of the Subject.
type AccessControlResource
type AccessControlResource struct {
	Matcher StringSubjectMatcher
}
AccessControlResource represents an ACL resource that matches without named groups.
func NewAccessControlResource added in v4.36.0
func NewAccessControlResource(pattern regexp.Regexp) AccessControlResource
NewAccessControlResource creates an AccessControlResource or AccessControlResourceGroup.
type AccessControlRule
type AccessControlRule struct {
	Position  int
	Domains   []AccessControlDomain
	Resources []AccessControlResource
	Methods   []string
	Networks  []*net.IPNet
	Subjects  []AccessControlSubjects
	Policy    Level
}
AccessControlRule controls and represents an ACL internally.
func NewAccessControlRule
func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][]*net.IPNet, networksCacheMap map[string]*net.IPNet) *AccessControlRule
NewAccessControlRule parses a schema ACL and generates an internal ACL.
func NewAccessControlRules
func NewAccessControlRules(config schema.AccessControlConfiguration) (rules []*AccessControlRule)
NewAccessControlRules converts a schema.AccessControlConfiguration into an AccessControlRule slice.
type AccessControlSubjects
type AccessControlSubjects struct {
	Subjects []SubjectMatcher
}
AccessControlSubjects represents an ACL subject.
func (*AccessControlSubjects) AddSubject
func (acs *AccessControlSubjects) AddSubject(subjectRule string)
AddSubject appends to the AccessControlSubjects based on a subject rule string.
func (AccessControlSubjects) IsMatch
func (acs AccessControlSubjects) IsMatch(subject Subject) (match bool)
IsMatch returns true if the ACL subjects match the subject properties.
type AccessControlUser
type AccessControlUser struct {
	Name string
}
AccessControlUser represents an ACL subject of type `user:`.
func (AccessControlUser) IsMatch
func (acu AccessControlUser) IsMatch(subject Subject) (match bool)
IsMatch returns true if the AccessControlUser name matches the Subject username.
type Authorizer
type Authorizer struct {
	// contains filtered or unexported fields
}
Authorizer is the component in charge of checking whether a user can access a given resource.
func NewAuthorizer
func NewAuthorizer(configuration *schema.Configuration) (authorizer *Authorizer)
NewAuthorizer creates an instance of Authorizer with a given access control configuration.
func (Authorizer) GetRequiredLevel
func (p Authorizer) GetRequiredLevel(subject Subject, object Object) Level
GetRequiredLevel retrieves the required level of authorization to access the object.
func (Authorizer) GetRuleMatchResults added in v4.34.0
func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult)
GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult for the given subject and object.
func (Authorizer) IsSecondFactorEnabled
func (p Authorizer) IsSecondFactorEnabled() bool
IsSecondFactorEnabled returns true if at least one policy is set to second factor.
type Level
type Level int
Level is the type representing an authorization level.
func StringToLevel added in v4.36.3
StringToLevel converts a string policy to an int authorization level.
type Object
Object represents a protected object for the purposes of ACL matching.
func NewObjectRaw
NewObjectRaw creates a new Object type from a URL and a method header.
type RegexpGroupStringSubjectMatcher added in v4.36.0
type RegexpGroupStringSubjectMatcher struct {
	Pattern         regexp.Regexp
	SubexpNameUser  int
	SubexpNameGroup int
}
RegexpGroupStringSubjectMatcher matches the input string against the pattern, taking the User/Group subexpression groups into account.
func (RegexpGroupStringSubjectMatcher) IsMatch added in v4.36.0
func (r RegexpGroupStringSubjectMatcher) IsMatch(input string, subject Subject) (match bool)
IsMatch returns true if the underlying pattern matches the input given the subject.
func (RegexpGroupStringSubjectMatcher) String added in v4.36.0
func (r RegexpGroupStringSubjectMatcher) String() string
String returns the pattern string.
type RegexpStringSubjectMatcher added in v4.36.0
RegexpStringSubjectMatcher matches the input string against the pattern only, ignoring the subject.
func (RegexpStringSubjectMatcher) IsMatch added in v4.36.0
func (r RegexpStringSubjectMatcher) IsMatch(input string, _ Subject) (match bool)
IsMatch returns true if the underlying pattern matches the input.
func (RegexpStringSubjectMatcher) String added in v4.36.0
func (r RegexpStringSubjectMatcher) String() string
String returns the pattern string.
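The two matcher types above (and NewAccessControlDomainRegex, which builds on them), as an added example that is not the documented package's own code: a regex matcher that binds identity subexpressions to the subject. The subexpression names "User" and "Group", the cut-down Subject type, the case-insensitive comparison, and the rule that an identity subexpression which captured nothing never matches are assumptions made for this example; the page only says that IdentitySubexpNames lists the valid names. The security point is that a pattern such as ^(?P<User>[a-z0-9]+)\.example\.com$ lets alice reach alice.example.com but not bob.example.com, while a pattern without identity subexpressions degrades to the plain RegexpStringSubjectMatcher behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Subject is a stand-in for the package's Subject type (assumption: only the
// username and group membership matter for identity-bound domain matching).
type Subject struct {
	Username string
	Groups   []string
}

// Assumed names of the identity subexpressions; the page only says that
// IdentitySubexpNames holds the valid names, not what they are.
const (
	subexpNameUser  = "User"
	subexpNameGroup = "Group"
)

// GroupMatcher follows the shape of RegexpGroupStringSubjectMatcher: the
// compiled pattern plus the index of each identity subexpression, or -1 when
// the pattern does not use it.
type GroupMatcher struct {
	Pattern         *regexp.Regexp
	SubexpNameUser  int
	SubexpNameGroup int
}

// NewGroupMatcher compiles the pattern and resolves the subexpression indexes
// once, so IsMatch does no name lookups per request.
func NewGroupMatcher(pattern string) (GroupMatcher, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return GroupMatcher{}, err
	}
	return GroupMatcher{
		Pattern:         re,
		SubexpNameUser:  re.SubexpIndex(subexpNameUser),
		SubexpNameGroup: re.SubexpIndex(subexpNameGroup),
	}, nil
}

// IsMatch returns true only when the pattern matches the input and every
// identity subexpression the pattern uses is bound to the subject: a captured
// User must equal the username and a captured Group must be one of the
// subject's groups. Comparison is case-insensitive because host names are.
// An identity subexpression that captured nothing never matches, so an
// anonymous subject cannot satisfy a per-user or per-group domain.
func (m GroupMatcher) IsMatch(input string, subject Subject) bool {
	sub := m.Pattern.FindStringSubmatch(input)
	if sub == nil {
		return false
	}
	if m.SubexpNameUser != -1 {
		user := sub[m.SubexpNameUser]
		if user == "" || !strings.EqualFold(user, subject.Username) {
			return false
		}
	}
	if m.SubexpNameGroup != -1 {
		group := sub[m.SubexpNameGroup]
		if group == "" || !containsFold(subject.Groups, group) {
			return false
		}
	}
	return true
}

func containsFold(haystack []string, needle string) bool {
	for _, s := range haystack {
		if strings.EqualFold(s, needle) {
			return true
		}
	}
	return false
}

func main() {
	alice := Subject{Username: "alice", Groups: []string{"dev"}}
	perUser, _ := NewGroupMatcher(`^(?P<User>[a-z0-9]+)\.example\.com$`)
	perGroup, _ := NewGroupMatcher(`^(?P<Group>[a-z]+)\.apps\.example\.com$`)
	fmt.Println(perUser.IsMatch("alice.example.com", alice))     // true
	fmt.Println(perUser.IsMatch("bob.example.com", alice))       // false
	fmt.Println(perUser.IsMatch("alice.example.com", Subject{})) // false: anonymous
	fmt.Println(perGroup.IsMatch("dev.apps.example.com", alice)) // true
	fmt.Println(perGroup.IsMatch("ops.apps.example.com", alice)) // false
}
```

Because an empty capture is rejected, making an identity subexpression optional (for instance (?P<User>[a-z]+)?) does not turn the pattern into a wildcard: a domain that leaves the subexpression unbound is refused rather than matched for everyone.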
type RuleMatchResult added in v4.34.0
type RuleMatchResult struct {
	Rule               *AccessControlRule
	Skipped            bool
	MatchDomain        bool
	MatchResources     bool
	MatchMethods       bool
	MatchNetworks      bool
	MatchSubjects      bool
	MatchSubjectsExact bool
}
RuleMatchResult describes how well a rule matched a subject/object combination.
func (RuleMatchResult) IsMatch added in v4.34.0
func (r RuleMatchResult) IsMatch() (match bool)
IsMatch returns true if all the criteria matched.
func (RuleMatchResult) IsPotentialMatch added in v4.34.0
func (r RuleMatchResult) IsPotentialMatch() (match bool)
IsPotentialMatch returns true if the rule is potentially a match.
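How Authorizer.GetRequiredLevel, RuleMatchResult.IsMatch and IsPotentialMatch fit together with the user/group subject matchers, as an added example that is not the documented package's own code. The meaning given to MatchSubjects versus MatchSubjectsExact (an anonymous subject counts as a potential match because a login could still satisfy the subject rule, so the user is challenged rather than silently denied), the exact-string domain matching, the cut-down Subject, Rule and Authorizer types, the level names and the constructed rule set are all assumptions made for this example. It shows why rule order matters: a catch-all deny rule for the same host placed after the admins rule gives non-admins a deny while admins still get a two-factor requirement, and hosts no rule mentions fall through to the default policy.

```go
package main

import "strings"

// Level is the authorization level a policy demands; names are assumptions.
type Level int

const (
	Bypass Level = iota
	OneFactor
	TwoFactor
	Denied
)

// Subject is cut down to the fields subject rules look at.
type Subject struct {
	Username string
	Groups   []string
}

// IsAnonymous mirrors Subject.IsAnonymous: no username and no groups.
func (s Subject) IsAnonymous() bool { return s.Username == "" && len(s.Groups) == 0 }

// Subject rules modelled on AccessControlUser / AccessControlGroup.
type SubjectMatcher interface{ IsMatch(Subject) bool }
type AccessControlUser struct{ Name string }
type AccessControlGroup struct{ Name string }

func (u AccessControlUser) IsMatch(s Subject) bool {
	return s.Username != "" && strings.EqualFold(u.Name, s.Username)
}

func (g AccessControlGroup) IsMatch(s Subject) bool {
	for _, name := range s.Groups {
		if strings.EqualFold(g.Name, name) {
			return true
		}
	}
	return false
}

// Rule is a cut-down AccessControlRule; an empty Subjects list means everyone.
type Rule struct {
	Domains  []string
	Subjects []SubjectMatcher
	Policy   Level
}

// RuleMatchResult: MatchSubjectsExact means a subject rule really matched;
// MatchSubjects also admits an anonymous subject that a login could still match.
type RuleMatchResult struct {
	Rule                                           *Rule
	MatchDomain, MatchSubjects, MatchSubjectsExact bool
}

func (r RuleMatchResult) IsMatch() bool          { return r.MatchDomain && r.MatchSubjectsExact }
func (r RuleMatchResult) IsPotentialMatch() bool { return r.MatchDomain && r.MatchSubjects }

func evaluate(rule *Rule, s Subject, domain string) RuleMatchResult {
	r := RuleMatchResult{Rule: rule, MatchSubjectsExact: len(rule.Subjects) == 0}
	for _, d := range rule.Domains {
		r.MatchDomain = r.MatchDomain || strings.EqualFold(d, domain)
	}
	for _, m := range rule.Subjects {
		r.MatchSubjectsExact = r.MatchSubjectsExact || m.IsMatch(s)
	}
	r.MatchSubjects = r.MatchSubjectsExact || s.IsAnonymous()
	return r
}

type Authorizer struct {
	Rules         []*Rule
	DefaultPolicy Level
}

// GetRequiredLevel returns the policy of the first rule that fully or potentially
// matches (so an anonymous user is challenged, not silently denied); with no
// match at all the default policy applies.
func (a Authorizer) GetRequiredLevel(s Subject, domain string) Level {
	for _, rule := range a.Rules {
		if r := evaluate(rule, s, domain); r.IsMatch() || r.IsPotentialMatch() {
			return rule.Policy
		}
	}
	return a.DefaultPolicy
}

// NewSampleAuthorizer is a constructed rule set: admins need two factors on the
// admin host, everyone else is denied there, a public host is bypassed, and
// unlisted hosts fall through to deny-by-default.
func NewSampleAuthorizer() Authorizer {
	return Authorizer{DefaultPolicy: Denied, Rules: []*Rule{
		{Domains: []string{"admin.example.com"}, Subjects: []SubjectMatcher{AccessControlGroup{"admins"}}, Policy: TwoFactor},
		{Domains: []string{"admin.example.com"}, Policy: Denied},
		{Domains: []string{"public.example.com"}, Policy: Bypass},
	}}
}
```

With this rule set, GetRequiredLevel gives an anonymous visitor of admin.example.com TwoFactor (the first rule is a potential match), a logged-in member of admins TwoFactor (a full match), and any other logged-in user Denied (the first rule no longer matches, the second does). Swapping the two admin rules would deny everyone, admins included, which is the ordering mistake the result type helps to debug.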
type StringSubjectMatcher added in v4.36.0
StringSubjectMatcher is a matcher that takes an input string and subject.
type Subject
Subject represents the identity of a user for the purposes of ACL matching.
func (Subject) IsAnonymous
IsAnonymous returns true if the Subject username and groups are empty.
type SubjectMatcher added in v4.35.0
SubjectMatcher is a matcher that takes a subject.
type SubjectObjectMatcher added in v4.35.0
SubjectObjectMatcher is a matcher that takes both a subject and an object.