Variables ¶
var ( // IdentitySubexpNames is a list of valid regex subexp names. IdentitySubexpNames = []string{subexpNameUser, subexpNameGroup} )
Functions ¶
func IsAuthLevelSufficient ¶
func IsAuthLevelSufficient(authenticationLevel authentication.Level, authorizationLevel Level) bool
IsAuthLevelSufficient returns true if the current authenticationLevel is above the authorizationLevel.
func LevelToString ¶ added in v4.36.3
LevelToString converts an int authorization level to a string policy.
Types ¶
type AccessControlDomain ¶
type AccessControlDomain struct {
Matcher StringSubjectMatcher
}
AccessControlDomain represents an ACL domain.
func NewAccessControlDomain ¶ added in v4.35.0
func NewAccessControlDomain(domain string) (subjects bool, rule AccessControlDomain)
NewAccessControlDomain creates a new SubjectObjectMatcher that matches the domain as a basic string.
func NewAccessControlDomainRegex ¶ added in v4.35.0
func NewAccessControlDomainRegex(pattern regexp.Regexp) (subjects bool, rule AccessControlDomain)
NewAccessControlDomainRegex creates a new SubjectObjectMatcher that matches the domain either in a basic way or dynamic User/Group subexpression group way.
type AccessControlDomainMatcher ¶ added in v4.36.0
type AccessControlDomainMatcher struct { Name string Wildcard bool UserWildcard bool GroupWildcard bool }
AccessControlDomainMatcher is the basic domain matcher.
type AccessControlGroup ¶
type AccessControlGroup struct {
Name string
}
AccessControlGroup represents an ACL subject of type `group:`.
func (AccessControlGroup) IsMatch ¶
func (acg AccessControlGroup) IsMatch(subject Subject) (match bool)
IsMatch returns true if the AccessControlGroup name matches one of the groups of the Subject.
type AccessControlQuery ¶ added in v4.37.0
type AccessControlQuery struct {
Rules []ObjectMatcher
}
AccessControlQuery represents an ACL query args rule.
func NewAccessControlQuery ¶ added in v4.37.0
func NewAccessControlQuery(config [][]schema.ACLQueryRule) (rules []AccessControlQuery)
NewAccessControlQuery creates a new AccessControlQuery rule type.
func (AccessControlQuery) IsMatch ¶ added in v4.37.0
func (acq AccessControlQuery) IsMatch(object Object) (isMatch bool)
IsMatch returns true if this rule matches the object.
type AccessControlQueryMatcherEqual ¶ added in v4.37.0
type AccessControlQueryMatcherEqual struct {
// contains filtered or unexported fields
}
AccessControlQueryMatcherEqual is a rule type that checks the equality of a query parameter.
func (AccessControlQueryMatcherEqual) IsMatch ¶ added in v4.37.0
func (acl AccessControlQueryMatcherEqual) IsMatch(object Object) (isMatch bool)
IsMatch returns true if this rule matches the object.
type AccessControlQueryMatcherPattern ¶ added in v4.37.0
type AccessControlQueryMatcherPattern struct {
// contains filtered or unexported fields
}
AccessControlQueryMatcherPattern is a rule type that checks a query parameter against regex.
func (AccessControlQueryMatcherPattern) IsMatch ¶ added in v4.37.0
func (acl AccessControlQueryMatcherPattern) IsMatch(object Object) (isMatch bool)
IsMatch returns true if this rule matches the object.
type AccessControlQueryMatcherPresent ¶ added in v4.37.0
type AccessControlQueryMatcherPresent struct {
// contains filtered or unexported fields
}
AccessControlQueryMatcherPresent is a rule type that checks the presence of a query parameter.
func (AccessControlQueryMatcherPresent) IsMatch ¶ added in v4.37.0
func (acl AccessControlQueryMatcherPresent) IsMatch(object Object) (isMatch bool)
IsMatch returns true if this rule matches the object.
type AccessControlResource ¶
type AccessControlResource struct {
Matcher StringSubjectMatcher
}
AccessControlResource represents an ACL resource that matches without named groups.
func NewAccessControlResource ¶ added in v4.36.0
func NewAccessControlResource(pattern regexp.Regexp) (subjects bool, rule AccessControlResource)
NewAccessControlResource creates an AccessControlResource or AccessControlResourceGroup.
type AccessControlRule ¶
type AccessControlRule struct { HasSubjects bool Position int Domains []AccessControlDomain Resources []AccessControlResource Query []AccessControlQuery Methods []string Networks []*net.IPNet Subjects []AccessControlSubjects Policy Level }
AccessControlRule controls and represents an ACL internally.
func NewAccessControlRule ¶
func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][]*net.IPNet, networksCacheMap map[string]*net.IPNet) *AccessControlRule
NewAccessControlRule parses a schema ACL and generates an internal ACL.
func NewAccessControlRules ¶
func NewAccessControlRules(config schema.AccessControlConfiguration) (rules []*AccessControlRule)
NewAccessControlRules converts a schema.AccessControlConfiguration into an AccessControlRule slice.
func (*AccessControlRule) IsMatch ¶
func (acr *AccessControlRule) IsMatch(subject Subject, object Object) (match bool)
IsMatch returns true if all elements of an AccessControlRule match the object and subject.
func (*AccessControlRule) MatchesDomains ¶ added in v4.37.0
func (acr *AccessControlRule) MatchesDomains(subject Subject, object Object) (matches bool)
MatchesDomains returns true if the rule matches the domains.
func (*AccessControlRule) MatchesMethods ¶ added in v4.37.0
func (acr *AccessControlRule) MatchesMethods(object Object) (match bool)
MatchesMethods returns true if the rule matches the method.
func (*AccessControlRule) MatchesNetworks ¶ added in v4.37.0
func (acr *AccessControlRule) MatchesNetworks(subject Subject) (match bool)
MatchesNetworks returns true if the rule matches the networks.
func (*AccessControlRule) MatchesQuery ¶ added in v4.37.0
func (acr *AccessControlRule) MatchesQuery(object Object) (match bool)
MatchesQuery returns true if the rule matches the query arguments.
func (*AccessControlRule) MatchesResources ¶ added in v4.37.0
func (acr *AccessControlRule) MatchesResources(subject Subject, object Object) (matches bool)
MatchesResources returns true if the rule matches the resources.
func (*AccessControlRule) MatchesSubjectExact ¶ added in v4.37.0
func (acr *AccessControlRule) MatchesSubjectExact(subject Subject) (match bool)
MatchesSubjectExact returns true if the rule matches the subjects exactly.
func (*AccessControlRule) MatchesSubjects ¶ added in v4.37.0
func (acr *AccessControlRule) MatchesSubjects(subject Subject) (match bool)
MatchesSubjects returns true if the rule matches the subjects.
type AccessControlSubjects ¶
type AccessControlSubjects struct {
Subjects []SubjectMatcher
}
AccessControlSubjects represents an ACL subject.
func (*AccessControlSubjects) AddSubject ¶
func (acs *AccessControlSubjects) AddSubject(subjectRule string)
AddSubject appends to the AccessControlSubjects based on a subject rule string.
func (*AccessControlSubjects) IsMatch ¶
func (acs *AccessControlSubjects) IsMatch(subject Subject) (match bool)
IsMatch returns true if the ACL subjects match the subject properties.
type AccessControlUser ¶
type AccessControlUser struct {
Name string
}
AccessControlUser represents an ACL subject of type `user:`.
func (AccessControlUser) IsMatch ¶
func (acu AccessControlUser) IsMatch(subject Subject) (match bool)
IsMatch returns true if the AccessControlUser name matches the Subject username.
type Authorizer ¶
type Authorizer struct {
// contains filtered or unexported fields
}
Authorizer is the component in charge of checking whether a user can access a given resource.
func NewAuthorizer ¶
func NewAuthorizer(config *schema.Configuration) (authorizer *Authorizer)
NewAuthorizer creates an instance of Authorizer with a given access control config.
func (Authorizer) GetRequiredLevel ¶
func (p Authorizer) GetRequiredLevel(subject Subject, object Object) (hasSubjects bool, level Level)
GetRequiredLevel retrieves the required level of authorization to access the object.
func (Authorizer) GetRuleMatchResults ¶ added in v4.34.0
func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult)
GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult for the given subject and object.
func (Authorizer) IsSecondFactorEnabled ¶
func (p Authorizer) IsSecondFactorEnabled() bool
IsSecondFactorEnabled returns true if at least one policy is set to second factor.
type Level ¶
type Level int
Level is the type representing an authorization level.
func StringToLevel ¶ added in v4.36.3
StringToLevel converts a string policy to an int authorization level.
type Object ¶
Object represents a protected object for the purposes of ACL matching.
func NewObjectRaw ¶
NewObjectRaw creates a new Object type from a URL and a method header.
type ObjectMatcher ¶ added in v4.37.0
ObjectMatcher is a matcher that takes an object.
func NewAccessControlQueryObjectMatcher ¶ added in v4.37.0
func NewAccessControlQueryObjectMatcher(rule schema.ACLQueryRule) (matcher ObjectMatcher, err error)
NewAccessControlQueryObjectMatcher creates a new ObjectMatcher rule type from a schema.ACLQueryRule.
type RegexpGroupStringSubjectMatcher ¶ added in v4.36.0
type RegexpGroupStringSubjectMatcher struct { Pattern regexp.Regexp SubexpNameUser int SubexpNameGroup int }
RegexpGroupStringSubjectMatcher matches the input string against the pattern taking into account Subexp groups.
func (RegexpGroupStringSubjectMatcher) IsMatch ¶ added in v4.36.0
func (r RegexpGroupStringSubjectMatcher) IsMatch(input string, subject Subject) (match bool)
IsMatch returns true if the underlying pattern matches the input given the subject.
func (RegexpGroupStringSubjectMatcher) String ¶ added in v4.36.0
func (r RegexpGroupStringSubjectMatcher) String() string
String returns the pattern string.
type RegexpStringSubjectMatcher ¶ added in v4.36.0
RegexpStringSubjectMatcher matches the input string against the pattern alone; the Subject argument is ignored.
func (RegexpStringSubjectMatcher) IsMatch ¶ added in v4.36.0
func (r RegexpStringSubjectMatcher) IsMatch(input string, _ Subject) (match bool)
IsMatch returns true if the underlying pattern matches the input.
func (RegexpStringSubjectMatcher) String ¶ added in v4.36.0
func (r RegexpStringSubjectMatcher) String() string
String returns the pattern string.
type RuleMatchResult ¶ added in v4.34.0
type RuleMatchResult struct { Rule *AccessControlRule Skipped bool MatchDomain bool MatchResources bool MatchQuery bool MatchMethods bool MatchNetworks bool MatchSubjects bool MatchSubjectsExact bool }
RuleMatchResult describes how well a rule matched a subject/object combination.
func (RuleMatchResult) IsMatch ¶ added in v4.34.0
func (r RuleMatchResult) IsMatch() (match bool)
IsMatch returns true if all the criteria matched.
func (RuleMatchResult) IsPotentialMatch ¶ added in v4.34.0
func (r RuleMatchResult) IsPotentialMatch() (match bool)
IsPotentialMatch returns true if the rule is potentially a match.
type StringSubjectMatcher ¶ added in v4.36.0
StringSubjectMatcher is a matcher that takes an input string and subject.
type Subject ¶
Subject represents the identity of a user for the purposes of ACL matching.
func (Subject) IsAnonymous ¶
IsAnonymous returns true if the Subject username and groups are empty.
type SubjectMatcher ¶ added in v4.35.0
SubjectMatcher is a matcher that takes a subject.
type SubjectObjectMatcher ¶ added in v4.35.0
SubjectObjectMatcher is a matcher that takes both a subject and an object.