cerbos

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 3, 2026 License: Apache-2.0 Imports: 35 Imported by: 19

Documentation

Index

Examples

Constants

View Source 
const MaxIDPerReq = 25

Variables

View Source 
var ErrNoSuchOutput = errors.New("no such output")

Functions

func BatchAdminClientCall 

func BatchAdminClientCall(ctx context.Context, retrieveFn func(context.Context, ...string) (uint32, error), ids ...string) (uint32, error)

func BatchAdminClientCall2 

func BatchAdminClientCall2[T []*schemav1.Schema | []*policyv1.Policy | []string](
	ctx context.Context,
	retrieveFn func(context.Context, ...string) (T, error),
	processFn func(context.Context, T) error,
	ids ...string,
) error

func MatchAllOf 

func MatchAllOf(m ...match) match

MatchAllOf matches all of the expressions (logical AND).

func MatchAnyOf 

func MatchAnyOf(m ...match) match

MatchAnyOf matches any of the expressions (logical OR).

func MatchExpr 

func MatchExpr(expr string) match

MatchExpr matches a single expression.

func MatchNoneOf 

func MatchNoneOf(m ...match) match

MatchNoneOf matches none of the expressions (logical NOT).

Types

type AdminClient 

type AdminClient interface {
	AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
	AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)
	ListPolicies(ctx context.Context, opts ...FilterOption) ([]string, error)
	InspectPolicies(ctx context.Context, opts ...FilterOption) (*responsev1.InspectPoliciesResponse, error)
	GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)
	DeletePolicy(ctx context.Context, ids ...string) (uint32, error)
	DisablePolicy(ctx context.Context, ids ...string) (uint32, error)
	EnablePolicy(ctx context.Context, ids ...string) (uint32, error)
	AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error
	DeleteSchema(ctx context.Context, ids ...string) (uint32, error)
	ListSchemas(ctx context.Context) ([]string, error)
	GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)
	PurgeStoreRevisions(ctx context.Context, keepLast uint32) (uint32, error)
	ReloadStore(ctx context.Context, wait bool) error
}

AdminClient provides access to the Cerbos Admin API.

type AuditLogEntry 

type AuditLogEntry struct {
	// contains filtered or unexported fields
}

func NewAuditLogEntry 

func NewAuditLogEntry(accessLog *auditv1.AccessLogEntry, decisionLog *auditv1.DecisionLogEntry, err error) *AuditLogEntry

func (*AuditLogEntry) AccessLog 

func (e *AuditLogEntry) AccessLog() (*auditv1.AccessLogEntry, error)

func (*AuditLogEntry) DecisionLog 

func (e *AuditLogEntry) DecisionLog() (*auditv1.DecisionLogEntry, error)

type AuditLogOptions 

type AuditLogOptions struct {
	StartTime time.Time
	EndTime   time.Time
	Lookup    string
	Tail      uint32
	Type      AuditLogType
}

AuditLogOptions is used to filter audit logs.

type AuditLogType 

type AuditLogType uint8
const (
	AccessLogs AuditLogType = iota
	DecisionLogs
)

type BatchingAdapter added in v0.3.17 

type BatchingAdapter struct {
	*GRPCClient
}

BatchingAdapter wraps a GRPCClient and automatically splits CheckResources calls into multiple batches when the number of resources exceeds the batch size limit. CerbosCallId in the returned CheckResourcesResponse is a pipe (“|”) delimited concatenation of the CerbosCallId from each batch.

func NewBatchingAdapter added in v0.3.17 

func NewBatchingAdapter(client *GRPCClient) *BatchingAdapter

NewBatchingAdapter creates a new BatchingAdapter that wraps the given GRPCClient.

func (*BatchingAdapter) CheckResources added in v0.3.17 

func (ba *BatchingAdapter) CheckResources(ctx context.Context, principal *Principal, resourceBatch *ResourceBatch) (*CheckResourcesResponse, error)

func (*BatchingAdapter) With added in v0.3.17 

func (ba *BatchingAdapter) With(reqOpts ...RequestOpt) *BatchingAdapter

func (*BatchingAdapter) WithPrincipal added in v0.3.17 

func (ba *BatchingAdapter) WithPrincipal(p *Principal) *BatchingPrincipalCtx

type BatchingPrincipalCtx added in v0.3.17 

type BatchingPrincipalCtx struct {
	// contains filtered or unexported fields
}

BatchingPrincipalCtx provides convenience methods to access the Cerbos API in the context of a single principal, with automatic batching for CheckResources.

func (BatchingPrincipalCtx) CheckResources added in v0.3.17 

func (pc BatchingPrincipalCtx) CheckResources(ctx context.Context, batch *ResourceBatch) (*CheckResourcesResponse, error)

func (BatchingPrincipalCtx) IsAllowed added in v0.3.17 

func (pc BatchingPrincipalCtx) IsAllowed(ctx context.Context, resource *Resource, action string) (bool, error)

func (BatchingPrincipalCtx) PlanResources added in v0.3.17 

func (pc BatchingPrincipalCtx) PlanResources(ctx context.Context, resource *Resource, actions ...string) (*PlanResourcesResponse, error)

func (BatchingPrincipalCtx) Principal added in v0.3.17 

func (pc BatchingPrincipalCtx) Principal() *Principal

type CheckResourcesResponse 

type CheckResourcesResponse struct {
	*responsev1.CheckResourcesResponse
	// contains filtered or unexported fields
}

CheckResourcesResponse is the response from the CheckResources API call.

func (*CheckResourcesResponse) Errors 

func (crr *CheckResourcesResponse) Errors() error

Errors returns any validation errors returned by the server.

func (*CheckResourcesResponse) GetResource 

func (crr *CheckResourcesResponse) GetResource(resourceID string, match ...MatchResource) *ResourceResult

GetResource finds the resource with the given ID and optional properties from the result list. Returns a ResourceResult object with the Err field set if the resource is not found.

func (*CheckResourcesResponse) MarshalJSON 

func (crr *CheckResourcesResponse) MarshalJSON() ([]byte, error)

func (*CheckResourcesResponse) String 

func (crr *CheckResourcesResponse) String() string

type Client 

type Client[C any, P PrincipalContext] interface {
	// IsAllowed checks access to a single resource by a principal and returns true if access is granted.
	IsAllowed(ctx context.Context, principal *Principal, resource *Resource, action string) (bool, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, principal *Principal, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// ServerInfo retrieves server information.
	ServerInfo(ctx context.Context) (*ServerInfo, error)
	// With sets per-request options for the client.
	With(opts ...RequestOpt) C
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, principal *Principal, resource *Resource, actions ...string) (*PlanResourcesResponse, error)
	// WithPrincipal sets the principal to be used for subsequent API calls.
	WithPrincipal(principal *Principal) P
}

Client provides access to the Cerbos API.

type DerivedRoles 

type DerivedRoles struct {
	Obj *policyv1.DerivedRoles
	// contains filtered or unexported fields
}

DerivedRoles is a builder for derived roles.

func NewDerivedRoles 

func NewDerivedRoles(name string) *DerivedRoles

NewDerivedRoles creates a new derived roles set with the given name.

func (*DerivedRoles) AddRole 

func (dr *DerivedRoles) AddRole(name string, parentRoles []string) *DerivedRoles

AddRole adds a new derived role with the given name which is an alias for the set of parent roles.

func (*DerivedRoles) AddRoleWithCondition 

func (dr *DerivedRoles) AddRoleWithCondition(name string, parentRoles []string, m match) *DerivedRoles

AddRoleWithCondition adds a derived role with a condition attached.

func (*DerivedRoles) Err 

func (dr *DerivedRoles) Err() error

Err returns any errors accumulated during the construction of the derived roles.

func (*DerivedRoles) Validate 

func (dr *DerivedRoles) Validate() error

Validate checks whether the derived roles are valid.

func (*DerivedRoles) WithConstant added in v0.2.11 

func (dr *DerivedRoles) WithConstant(name string, value any) *DerivedRoles

WithConstant adds a constant definition for use in conditions.

func (*DerivedRoles) WithConstantsImports added in v0.2.11 

func (dr *DerivedRoles) WithConstantsImports(name ...string) *DerivedRoles

WithConstantsImports adds import statements for exported constants.

func (*DerivedRoles) WithVariable 

func (dr *DerivedRoles) WithVariable(name, expr string) *DerivedRoles

WithVariable adds a variable definition for use in conditions.

func (*DerivedRoles) WithVariablesImports 

func (dr *DerivedRoles) WithVariablesImports(name ...string) *DerivedRoles

WithVariablesImports adds import statements for exported variables.

type ExportConstants added in v0.2.11 

type ExportConstants struct {
	Obj *policyv1.ExportConstants
	// contains filtered or unexported fields
}

ExportConstants is a builder for exported constants.

func NewExportConstants added in v0.2.11 

func NewExportConstants(name string) *ExportConstants

NewExportConstants creates a new exported constants set with the given name.

func (*ExportConstants) AddConstant added in v0.2.11 

func (ec *ExportConstants) AddConstant(name string, value any) *ExportConstants

AddConstant defines an exported constant with the given name to be the given value.

func (*ExportConstants) Err added in v0.2.11 

func (ec *ExportConstants) Err() error

Err returns any errors accumulated during the construction of the exported constants.

func (*ExportConstants) Validate added in v0.2.11 

func (ec *ExportConstants) Validate() error

Validate checks whether the exported constants are valid.

type ExportVariables 

type ExportVariables struct {
	Obj *policyv1.ExportVariables
}

ExportVariables is a builder for exported variables.

func NewExportVariables 

func NewExportVariables(name string) *ExportVariables

NewExportVariables creates a new exported variables set with the given name.

func (*ExportVariables) AddVariable 

func (ev *ExportVariables) AddVariable(name, expr string) *ExportVariables

AddVariable defines an exported variable with the given name to be computed by the given expression.

func (*ExportVariables) Err 

func (ev *ExportVariables) Err() error

Err returns any errors accumulated during the construction of the exported variables.

func (*ExportVariables) Validate 

func (ev *ExportVariables) Validate() error

Validate checks whether the exported variables are valid.

type FilterOption added in v0.2.5 

type FilterOption func(*FilterOptions)

FilterOption allows filtering policies while calling InspectPolicies and ListPolicies.

func WithIncludeDisabled 

func WithIncludeDisabled() FilterOption

func WithNameRegexp 

func WithNameRegexp(re string) FilterOption

func WithPolicyID added in v0.2.6 

func WithPolicyID(id ...string) FilterOption

func WithScopeRegexp 

func WithScopeRegexp(re string) FilterOption

func WithVersionRegexp 

func WithVersionRegexp(v string) FilterOption

type FilterOptions added in v0.2.5 

type FilterOptions struct {
	NameRegexp      string
	ScopeRegexp     string
	VersionRegexp   string
	PolicyIDs       []string
	IncludeDisabled bool
}

type GRPCAdminClient 

type GRPCAdminClient struct {
	// contains filtered or unexported fields
}

func NewAdminClient 

func NewAdminClient(address string, opts ...Opt) (*GRPCAdminClient, error)

NewAdminClient creates a new admin client. It will look for credentials in the following order: - Environment: CERBOS_USERNAME and CERBOS_PASSWORD - Netrc file (~/.netrc if an override is not defined in the NETRC environment variable)

Note that Unix domain socket connections cannot fallback to netrc and require either the environment variables to be defined or the credentials to provided explicitly via the NewAdminClientWithCredentials function.

Example

ExampleNewAdminClient demonstrates how to instantiate a new admin client and make a request. 

package main

import (
	"context"
	"log"

	"github.com/cerbos/cerbos-sdk-go/cerbos"
)

func main() {
	// Create an admin client using the credentials stored in environment variables or netrc.
	ac, err := cerbos.NewAdminClient("10.1.2.3:3593", cerbos.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create admin client: %v", err)
	}

	policy := cerbos.NewResourcePolicy("album:comments", "default").
		WithDerivedRolesImports("album_derived_roles").
		AddResourceRules(
			cerbos.NewAllowResourceRule("view").
				WithDerivedRoles("owners").
				WithCondition(
					cerbos.MatchAllOf(
						cerbos.MatchExpr(`request.resource.attr.status == "unmoderated"`),
						cerbos.MatchExpr(`request.resource.attr.user_status == "anonymous"`),
					),
				),
		)

	if err := ac.AddOrUpdatePolicy(context.TODO(), cerbos.NewPolicySet().AddResourcePolicies(policy)); err != nil {
		log.Fatalf("Failed to add policy: %v", err)
	}
}

func NewAdminClientWithCredentials 

func NewAdminClientWithCredentials(address, username, password string, opts ...Opt) (*GRPCAdminClient, error)

NewAdminClientWithCredentials creates a new admin client using credentials explicitly passed as arguments.

func (*GRPCAdminClient) AddOrUpdatePolicy 

func (c *GRPCAdminClient) AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error

func (*GRPCAdminClient) AddOrUpdateSchema 

func (c *GRPCAdminClient) AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error

func (*GRPCAdminClient) AuditLogs 

func (c *GRPCAdminClient) AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)

func (*GRPCAdminClient) DeletePolicy added in v0.3.14 

func (c *GRPCAdminClient) DeletePolicy(ctx context.Context, ids ...string) (uint32, error)

func (*GRPCAdminClient) DeleteSchema 

func (c *GRPCAdminClient) DeleteSchema(ctx context.Context, ids ...string) (uint32, error)

func (*GRPCAdminClient) DisablePolicy 

func (c *GRPCAdminClient) DisablePolicy(ctx context.Context, ids ...string) (uint32, error)

func (*GRPCAdminClient) EnablePolicy 

func (c *GRPCAdminClient) EnablePolicy(ctx context.Context, ids ...string) (uint32, error)

func (*GRPCAdminClient) GetPolicy 

func (c *GRPCAdminClient) GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)

func (*GRPCAdminClient) GetSchema 

func (c *GRPCAdminClient) GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)

func (*GRPCAdminClient) InspectPolicies added in v0.2.5 

func (c *GRPCAdminClient) InspectPolicies(ctx context.Context, opts ...FilterOption) (*responsev1.InspectPoliciesResponse, error)

func (*GRPCAdminClient) ListPolicies 

func (c *GRPCAdminClient) ListPolicies(ctx context.Context, opts ...FilterOption) ([]string, error)

func (*GRPCAdminClient) ListSchemas 

func (c *GRPCAdminClient) ListSchemas(ctx context.Context) ([]string, error)

func (*GRPCAdminClient) PurgeStoreRevisions added in v0.3.15 

func (c *GRPCAdminClient) PurgeStoreRevisions(ctx context.Context, keepLast uint32) (uint32, error)

func (*GRPCAdminClient) ReloadStore 

func (c *GRPCAdminClient) ReloadStore(ctx context.Context, wait bool) error

func (*GRPCAdminClient) WithHeaders added in v0.2.2 

func (c *GRPCAdminClient) WithHeaders(keyValues ...string) *GRPCAdminClient

type GRPCClient 

type GRPCClient struct {
	// contains filtered or unexported fields
}

func New 

func New(address string, opts ...Opt) (*GRPCClient, error)

New creates a new Cerbos client.

Example

ExampleNew demonstrates how to instantiate a new client and make a request. 

package main

import (
	"context"
	"log"

	"github.com/cerbos/cerbos-sdk-go/cerbos"
)

func main() {
	// A client that connects to Cerbos over a Unix domain socket using a CA certificate to validate the server TLS certificates.
	c, err := cerbos.New("unix:/var/sock/cerbos", cerbos.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}

	allowed, err := c.IsAllowed(
		context.TODO(),
		cerbos.NewPrincipal("sally").WithRoles("user"),
		cerbos.NewResource("album:object", "A001"),
		"view",
	)
	if err != nil {
		log.Fatalf("Failed to check permission: %v", err)
	}

	log.Printf("Is Sally allowed to view album A001: %t", allowed)
}

func (*GRPCClient) CheckResources 

func (c *GRPCClient) CheckResources(ctx context.Context, principal *Principal, resourceBatch *ResourceBatch) (*CheckResourcesResponse, error)

func (*GRPCClient) IsAllowed 

func (c *GRPCClient) IsAllowed(ctx context.Context, principal *Principal, resource *Resource, action string) (bool, error)

func (*GRPCClient) PlanResources 

func (c *GRPCClient) PlanResources(ctx context.Context, principal *Principal, resource *Resource, actions ...string) (*PlanResourcesResponse, error)

func (*GRPCClient) ServerInfo 

func (c *GRPCClient) ServerInfo(ctx context.Context) (*ServerInfo, error)

func (*GRPCClient) With 

func (c *GRPCClient) With(reqOpts ...RequestOpt) *GRPCClient

func (*GRPCClient) WithPrincipal 

func (c *GRPCClient) WithPrincipal(p *Principal) PrincipalCtx

type Hub added in v0.3.0 

type Hub[S HubStoreClient] interface {
	StoreClient() S
}

Hub provides access to Cerbos Hub APIs.

type HubClient added in v0.3.0 

type HubClient struct {
	// contains filtered or unexported fields
}

func NewHubClient added in v0.3.0 

func NewHubClient(opts ...HubOpt) (*HubClient, error)

NewHubClient creates a client configured to interact with Cerbos Hub. Supply credentials using CERBOS_HUB_CLIENT_ID and CERBOS_HUB_CLIENT_SECRET environment variables or using the WithHubCredentials option.

func (*HubClient) StoreClient added in v0.3.0 

func (hc *HubClient) StoreClient() *localhub.StoreClient

type HubOpt added in v0.3.0 

type HubOpt func(*hubConfig)

func WithAdvancedOptions added in v0.3.11 

func WithAdvancedOptions(opts ...Opt) HubOpt

WithAdvancedOptions is only used for internal testing purposes. Don't use in production.

func WithHubAPIEndpoint added in v0.3.0 

func WithHubAPIEndpoint(endpoint string) HubOpt

WithHubAPIEndpoint overrides the API endpoint.

func WithHubCredentials added in v0.3.0 

func WithHubCredentials(clientID, clientSecret string) HubOpt

WithHubCredentials sets the access credentials for the client. If not provided, the credentials are read from CERBOS_HUB_CLIENT_ID and CERBOS_HUB_CLIENT_SECRET environment variables.

func WithSavedCredentials added in v0.3.18 

func WithSavedCredentials(credentials *authv1.SavedCredentials) HubOpt

WithSavedCredentials uses saved credentials for authentication.

type HubStoreClient added in v0.3.0 

type HubStoreClient interface {
	ReplaceFiles(context.Context, *hub.ReplaceFilesRequest) (*hub.ReplaceFilesResponse, error)
	ReplaceFilesLenient(context.Context, *hub.ReplaceFilesRequest) (*hub.ReplaceFilesResponse, error)
	ModifyFiles(context.Context, *hub.ModifyFilesRequest) (*hub.ModifyFilesResponse, error)
	ModifyFilesLenient(context.Context, *hub.ModifyFilesRequest) (*hub.ModifyFilesResponse, error)
	ListFiles(context.Context, *hub.ListFilesRequest) (*hub.ListFilesResponse, error)
	GetCurrentVersion(context.Context, *hub.GetCurrentVersionRequest) (*hub.GetCurrentVersionResponse, error)
	GetFiles(context.Context, *hub.GetFilesRequest) (*hub.GetFilesResponse, error)
}

HubStoreClient provides access to the Cerbos Hub store API.

type ListPoliciesOption deprecated 

type ListPoliciesOption = FilterOption

ListPoliciesOption allows filtering policies while calling ListPolicies

Deprecated: ListPoliciesOption is deprecated, use FilterOption instead.

type MatchResource 

type MatchResource func(*responsev1.CheckResourcesResponse_ResultEntry_Resource) bool

MatchResource is a function that returns true if the given resource is of interest. This is useful when you have more than one resource with the same ID and need to distinguish between them in the response.

func MatchResourceKind 

func MatchResourceKind(kind string) MatchResource

MatchResourceKind is a matcher that checks that the resource kind matches the given value.

func MatchResourcePolicyKindScopeVersion 

func MatchResourcePolicyKindScopeVersion(kind, version, scope string) MatchResource

MatchResourcePolicyKindScopeVersion is a matcher that checks that the resource policy kind, version and scope matches the given values.

func MatchResourcePolicyVersion 

func MatchResourcePolicyVersion(version string) MatchResource

MatchResourcePolicyVersion is a matcher that checks that the resource policy version matches the given value.

func MatchResourceScope 

func MatchResourceScope(scope string) MatchResource

MatchResourceScope is a matcher that checks that the resource scope matches the given value.

type Opt 

type Opt func(*internalgrpc.Config)

func WithConnectTimeout 

func WithConnectTimeout(timeout time.Duration) Opt

WithConnectTimeout sets the connection establishment timeout.

func WithMaxRecvMsgSizeBytes added in v0.3.8 

func WithMaxRecvMsgSizeBytes(size uint) Opt

WithMaxRecvMsgSizeBytes sets the maximum size of a single response payload that can be received from the server.

func WithMaxRetries 

func WithMaxRetries(retries uint) Opt

WithMaxRetries sets the maximum number of retries per call.

func WithMaxSendMsgSizeBytes added in v0.3.8 

func WithMaxSendMsgSizeBytes(size uint) Opt

WithMaxSendMsgSizeBytes sets the maximum size of a single request payload that can be sent to the server.

func WithPlaintext 

func WithPlaintext() Opt

WithPlaintext configures the client to connect over h2c.

func WithPlaygroundInstance 

func WithPlaygroundInstance(instance string) Opt

WithPlaygroundInstance sets the Cerbos playground instance to use as the source of policies. Note that Playground instances are for demonstration purposes only and do not provide any performance or availability guarantees.

func WithRetryTimeout 

func WithRetryTimeout(timeout time.Duration) Opt

WithRetryTimeout sets the timeout per retry attempt.

func WithStatsHandler added in v0.2.1 

func WithStatsHandler(handler stats.Handler) Opt

WithStatsHandler sets the gRPC stats handler for the connection.

func WithStreamInterceptors 

func WithStreamInterceptors(interceptors ...grpc.StreamClientInterceptor) Opt

WithStreamInterceptors sets the interceptors to be used for streaming gRPC operations.

func WithTLSAuthority 

func WithTLSAuthority(authority string) Opt

WithTLSAuthority overrides the remote server authority if it is different from what is provided in the address.

func WithTLSCACert 

func WithTLSCACert(certPath string) Opt

WithTLSCACert sets the CA certificate chain to use for certificate verification.

func WithTLSClientCert 

func WithTLSClientCert(cert, key string) Opt

WithTLSClientCert sets the client certificate to use to authenticate to the server.

func WithTLSInsecure 

func WithTLSInsecure() Opt

WithTLSInsecure enables skipping TLS certificate verification.

func WithUnaryInterceptors 

func WithUnaryInterceptors(interceptors ...grpc.UnaryClientInterceptor) Opt

WithUnaryInterceptors sets the interceptors to be used for unary gRPC operations.

func WithUserAgent 

func WithUserAgent(ua string) Opt

WithUserAgent sets the user agent string.

type OutputEvaluationError added in v0.4.0 

type OutputEvaluationError struct {
	// contains filtered or unexported fields
}

func (*OutputEvaluationError) Error added in v0.4.0 

func (oee *OutputEvaluationError) Error() string

type PlanResourcesResponse 

type PlanResourcesResponse struct {
	*responsev1.PlanResourcesResponse
}

func (*PlanResourcesResponse) GetAction added in v0.3.3 

func (prr *PlanResourcesResponse) GetAction() string

type PolicySet 

type PolicySet struct {
	// contains filtered or unexported fields
}

PolicySet is a container for a set of policies.

func NewPolicySet 

func NewPolicySet() *PolicySet

NewPolicySet creates a new policy set.

func (*PolicySet) AddDerivedRoles 

func (ps *PolicySet) AddDerivedRoles(policies ...*DerivedRoles) *PolicySet

AddDerivedRoles adds the given derived roles to the set.

func (*PolicySet) AddExportConstants added in v0.2.11 

func (ps *PolicySet) AddExportConstants(policies ...*ExportConstants) *PolicySet

AddExportConstants adds the given exported constants to the set.

func (*PolicySet) AddExportVariables 

func (ps *PolicySet) AddExportVariables(policies ...*ExportVariables) *PolicySet

AddExportVariables adds the given exported variables to the set.

func (*PolicySet) AddPolicies 

func (ps *PolicySet) AddPolicies(policies ...*policyv1.Policy) *PolicySet

AddPolicies adds the given policies to the set.

func (*PolicySet) AddPolicyFromFile 

func (ps *PolicySet) AddPolicyFromFile(file string) *PolicySet

AddPolicyFromFile adds a policy from the given file to the set.

func (*PolicySet) AddPolicyFromFileWithErr 

func (ps *PolicySet) AddPolicyFromFileWithErr(file string) (*PolicySet, error)

AddPolicyFromFileWithErr adds a policy from the given file to the set and returns the error.

func (*PolicySet) AddPolicyFromReader 

func (ps *PolicySet) AddPolicyFromReader(r io.Reader) *PolicySet

AddPolicyFromReader adds a policy from the given reader to the set.

func (*PolicySet) AddPrincipalPolicies 

func (ps *PolicySet) AddPrincipalPolicies(policies ...*PrincipalPolicy) *PolicySet

AddPrincipalPolicies adds the given principal policies to the set.

func (*PolicySet) AddResourcePolicies 

func (ps *PolicySet) AddResourcePolicies(policies ...*ResourcePolicy) *PolicySet

AddResourcePolicies adds the given resource policies to the set.

func (*PolicySet) Err 

func (ps *PolicySet) Err() error

Err returns the errors accumulated during the construction of the policy set.

func (*PolicySet) GetPolicies 

func (ps *PolicySet) GetPolicies() []*policyv1.Policy

GetPolicies returns all of the policies in the set.

func (*PolicySet) Size 

func (ps *PolicySet) Size() int

Size returns the number of policies in this set.

func (*PolicySet) Validate 

func (ps *PolicySet) Validate() error

Validate checks whether the policy set is valid.

type Principal 

type Principal struct {
	Obj *enginev1.Principal
	// contains filtered or unexported fields
}

Principal is a container for principal data.

func NewPrincipal 

func NewPrincipal(id string, roles ...string) *Principal

NewPrincipal creates a new principal object with the given ID and roles.

func (*Principal) Err 

func (p *Principal) Err() error

Err returns any errors accumulated during the construction of the principal.

func (*Principal) ID 

func (p *Principal) ID() string

ID returns the principal ID.

func (*Principal) Proto 

func (p *Principal) Proto() *enginev1.Principal

Proto returns the underlying protobuf object representing the principal.

func (*Principal) Roles 

func (p *Principal) Roles() []string

Roles returns the principal roles.

func (*Principal) Validate 

func (p *Principal) Validate() error

Validate checks whether the principal object is valid.

func (*Principal) WithAttr 

func (p *Principal) WithAttr(key string, value any) *Principal

WithAttr adds a new attribute to the principal. It will overwrite any existing attribute having the same key.

func (*Principal) WithAttrValue added in v0.3.14 

func (p *Principal) WithAttrValue(k string, v *structpb.Value) *Principal

func (*Principal) WithAttributes 

func (p *Principal) WithAttributes(attr map[string]any) *Principal

WithAttributes merges the given attributes to principal's existing attributes.

func (*Principal) WithPolicyVersion 

func (p *Principal) WithPolicyVersion(policyVersion string) *Principal

WithPolicyVersion sets the policy version for this principal.

func (*Principal) WithRoles 

func (p *Principal) WithRoles(roles ...string) *Principal

WithRoles appends the set of roles to principal's existing roles.

func (*Principal) WithScope 

func (p *Principal) WithScope(scope string) *Principal

WithScope sets the scope this principal belongs to.

type PrincipalContext 

type PrincipalContext interface {
	// Principal returns the principal attached to this context.
	Principal() *Principal
	// IsAllowed checks access to a single resource by the principal and returns true if access is granted.
	IsAllowed(ctx context.Context, resource *Resource, action string) (bool, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, resource *Resource, actions ...string) (*PlanResourcesResponse, error)
}

PrincipalContext provides convenience methods to access the Cerbos API in the context of a single principal.

type PrincipalCtx 

type PrincipalCtx struct {
	// contains filtered or unexported fields
}

func (PrincipalCtx) CheckResources 

func (pc PrincipalCtx) CheckResources(ctx context.Context, batch *ResourceBatch) (*CheckResourcesResponse, error)

func (PrincipalCtx) IsAllowed 

func (pc PrincipalCtx) IsAllowed(ctx context.Context, resource *Resource, action string) (bool, error)

func (PrincipalCtx) PlanResources 

func (pc PrincipalCtx) PlanResources(ctx context.Context, resource *Resource, actions ...string) (*PlanResourcesResponse, error)

func (PrincipalCtx) Principal 

func (pc PrincipalCtx) Principal() *Principal

type PrincipalPolicy 

type PrincipalPolicy struct {
	Obj *policyv1.PrincipalPolicy
	// contains filtered or unexported fields
}

PrincipalPolicy is a builder for principal policies.

func NewPrincipalPolicy 

func NewPrincipalPolicy(principal, version string) *PrincipalPolicy

NewPrincipalPolicy creates a new principal policy.

func (*PrincipalPolicy) AddPrincipalRules 

func (pp *PrincipalPolicy) AddPrincipalRules(rules ...*PrincipalRule) *PrincipalPolicy

AddPrincipalRules adds rules to this policy.

func (*PrincipalPolicy) Err 

func (pp *PrincipalPolicy) Err() error

Err returns the errors accumulated during the construction of this policy.

func (*PrincipalPolicy) Validate 

func (pp *PrincipalPolicy) Validate() error

Validate checks whether the policy is valid.

func (*PrincipalPolicy) WithConstant added in v0.2.11 

func (pp *PrincipalPolicy) WithConstant(name string, value any) *PrincipalPolicy

WithConstant adds a constant definition for use in conditions.

func (*PrincipalPolicy) WithConstantsImports added in v0.2.11 

func (pp *PrincipalPolicy) WithConstantsImports(name ...string) *PrincipalPolicy

WithConstantsImports adds import statements for exported constants.

func (*PrincipalPolicy) WithScope 

func (pp *PrincipalPolicy) WithScope(scope string) *PrincipalPolicy

WithScope sets the scope of this policy.

func (*PrincipalPolicy) WithVariable 

func (pp *PrincipalPolicy) WithVariable(name, expr string) *PrincipalPolicy

WithVariable adds a variable definition for use in conditions.

func (*PrincipalPolicy) WithVariablesImports 

func (pp *PrincipalPolicy) WithVariablesImports(name ...string) *PrincipalPolicy

WithVariablesImports adds import statements for exported variables.

func (*PrincipalPolicy) WithVersion 

func (pp *PrincipalPolicy) WithVersion(version string) *PrincipalPolicy

WithVersion sets the version of this policy.

type PrincipalRule 

type PrincipalRule struct {
	Obj *policyv1.PrincipalRule
}

PrincipalRule is a builder for principal rules.

func NewPrincipalRule 

func NewPrincipalRule(resource string) *PrincipalRule

NewPrincipalRule creates a new rule for the specified resource.

func (*PrincipalRule) AllowAction 

func (pr *PrincipalRule) AllowAction(action string) *PrincipalRule

AllowAction sets the action as allowed on the resource.

func (*PrincipalRule) AllowActionOnCondition 

func (pr *PrincipalRule) AllowActionOnCondition(action string, m match) *PrincipalRule

AllowActionOnCondition sets the action as allowed if the condition is fulfilled.

func (*PrincipalRule) DenyAction 

func (pr *PrincipalRule) DenyAction(action string) *PrincipalRule

DenyAction sets the action as denied on the resource.

func (*PrincipalRule) DenyActionOnCondition 

func (pr *PrincipalRule) DenyActionOnCondition(action string, m match) *PrincipalRule

DenyActionOnCondition sets the action as denied if the condition is fulfilled.

func (*PrincipalRule) Err 

func (pr *PrincipalRule) Err() error

Err returns errors accumulated during the construction of the rule.

func (*PrincipalRule) Validate 

func (pr *PrincipalRule) Validate() error

Validate checks whether the rule is valid.

type RequestOpt 

type RequestOpt func(*internal.ReqOpt)

RequestOpt defines per-request options.

func AddAnnotations added in v0.3.18 

func AddAnnotations(annotations map[string]*structpb.Value) RequestOpt

AddAnnotations adds key-value pairs of metadata to the request context field of Check/Plan requests. These annotations are captured by the PDP audit logs and can be used to attach extra context for log analysis. This method is cumulative: previously added annotations are preserved unless they are overwritten. Use SetAnnotations to clear old values.

func AllowPartialRequests added in v0.3.18 

func AllowPartialRequests() RequestOpt

AllowPartialRequests enables sending incomplete requests via the SDK. This is to be used in situations where the requests go through an extra layer for enrichment before hitting the PDP.

func AuxDataJWT 

func AuxDataJWT(token, keySetID string) RequestOpt

AuxDataJWT sets the JWT to be used as auxiliary data for the request.

func Headers added in v0.2.2 

func Headers(keyValues ...string) RequestOpt

Headers sets the gRPC header metadata for each request. Input should be a list of key-value pairs.

func IncludeMeta 

func IncludeMeta(f bool) RequestOpt

IncludeMeta sets the flag on requests that support it to signal that evaluation metadata should be sent back with the response.

func RequestIDGenerator added in v0.2.8 

func RequestIDGenerator(generator func(context.Context) string) RequestOpt

RequestIDGenerator is invoked on every request to generate a request ID. If not defined, a random request ID is generated by the SDK client.

func SetAnnotations added in v0.3.18 

func SetAnnotations(annotations map[string]*structpb.Value) RequestOpt

SetAnnotations adds key-value pairs of metadata to the request context field of Check/Plan requests. These annotations are captured by the PDP audit logs and can be used to attach extra context for log analysis. This method clears any existing annotations. Use AddAnnotations if you want to preserve existing values.

type Resource 

type Resource struct {
	Obj *enginev1.Resource
	// contains filtered or unexported fields
}

Resource is a single resource instance.

func NewResource 

func NewResource(kind, id string) *Resource

NewResource creates a new instance of a resource.

func (*Resource) Err 

func (r *Resource) Err() error

Err returns any errors accumulated during the construction of the resource.

func (*Resource) ID 

func (r *Resource) ID() string

ID returns the resource ID.

func (*Resource) Kind 

func (r *Resource) Kind() string

Kind returns the resource kind.

func (*Resource) Proto 

func (r *Resource) Proto() *enginev1.Resource

Proto returns the underlying protobuf object representing the resource.

func (*Resource) Validate 

func (r *Resource) Validate() error

Validate checks whether the resource is valid.

func (*Resource) WithAttr 

func (r *Resource) WithAttr(key string, value any) *Resource

WithAttr adds a new attribute to the resource. It will overwrite any existing attribute having the same key.

func (*Resource) WithAttrValue added in v0.3.14 

func (r *Resource) WithAttrValue(key string, value *structpb.Value) *Resource

WithAttrValue adds a new attribute to the resource. It will overwrite any existing attribute having the same key.

func (*Resource) WithAttributes 

func (r *Resource) WithAttributes(attr map[string]any) *Resource

WithAttributes merges the given attributes to the resource's existing attributes.

func (*Resource) WithPolicyVersion 

func (r *Resource) WithPolicyVersion(policyVersion string) *Resource

WithPolicyVersion sets the policy version for this resource.

func (*Resource) WithScope 

func (r *Resource) WithScope(scope string) *Resource

WithScope sets the scope this resource belongs to.

type ResourceBatch 

type ResourceBatch struct {
	Batch []*requestv1.CheckResourcesRequest_ResourceEntry
	// contains filtered or unexported fields
}

ResourceBatch is a container for a batch of heterogeneous resources.

func NewResourceBatch 

func NewResourceBatch() *ResourceBatch

NewResourceBatch creates a new resource batch.

func (*ResourceBatch) Add 

func (rb *ResourceBatch) Add(resource *Resource, actions ...string) *ResourceBatch

Add a new resource to the batch.

func (*ResourceBatch) Err 

func (rb *ResourceBatch) Err() error

Err returns any errors accumulated during the construction of the resource batch.

func (*ResourceBatch) Validate 

func (rb *ResourceBatch) Validate() error

Validate checks whether the resource batch is valid.

type ResourcePolicy 

type ResourcePolicy struct {
	Obj *policyv1.ResourcePolicy
	// contains filtered or unexported fields
}

ResourcePolicy is a builder for resource policies.

func NewResourcePolicy 

func NewResourcePolicy(resource, version string) *ResourcePolicy

NewResourcePolicy creates a new resource policy builder.

func (*ResourcePolicy) AddResourceRules 

func (rp *ResourcePolicy) AddResourceRules(rules ...*ResourceRule) *ResourcePolicy

AddResourceRules adds resource rules to the policy.

func (*ResourcePolicy) Err 

func (rp *ResourcePolicy) Err() error

Err returns any errors accumulated during the construction of the policy.

func (*ResourcePolicy) Validate 

func (rp *ResourcePolicy) Validate() error

Validate checks whether the policy is valid.

func (*ResourcePolicy) WithConstant added in v0.2.11 

func (rp *ResourcePolicy) WithConstant(name string, value any) *ResourcePolicy

WithConstant adds a constant definition for use in conditions.

func (*ResourcePolicy) WithConstantsImports added in v0.2.11 

func (rp *ResourcePolicy) WithConstantsImports(name ...string) *ResourcePolicy

WithConstantsImports adds import statements for exported constants.

func (*ResourcePolicy) WithDerivedRolesImports 

func (rp *ResourcePolicy) WithDerivedRolesImports(imp ...string) *ResourcePolicy

WithDerivedRolesImports adds import statements for derived roles.

func (*ResourcePolicy) WithPrincipalSchema 

func (rp *ResourcePolicy) WithPrincipalSchema(principalSchema *Schema) *ResourcePolicy

func (*ResourcePolicy) WithResourceSchema 

func (rp *ResourcePolicy) WithResourceSchema(resourceSchema *Schema) *ResourcePolicy

func (*ResourcePolicy) WithScope 

func (rp *ResourcePolicy) WithScope(scope string) *ResourcePolicy

func (*ResourcePolicy) WithVariable 

func (rp *ResourcePolicy) WithVariable(name, expr string) *ResourcePolicy

WithVariable adds a variable definition for use in conditions.

func (*ResourcePolicy) WithVariablesImports 

func (rp *ResourcePolicy) WithVariablesImports(name ...string) *ResourcePolicy

WithVariablesImports adds import statements for exported variables.

type ResourceResult 

type ResourceResult struct {
	*responsev1.CheckResourcesResponse_ResultEntry
	// contains filtered or unexported fields
}

func (*ResourceResult) Err 

func (rr *ResourceResult) Err() error

func (*ResourceResult) IsAllowed 

func (rr *ResourceResult) IsAllowed(action string) bool

IsAllowed returns true if the given action is allowed. Returns false if the action is not in the response of if there was an error getting this result.

func (*ResourceResult) Output 

func (rr *ResourceResult) Output(source string) (*structpb.Value, error)

Output returns the value of a policy output expression for the given source ("policy-id#rule-name"). It returns ErrNoSuchOutput if there is no output for the source, or an *OutputEvaluationError if the server failed to evaluate the output expression.

type ResourceRule 

type ResourceRule struct {
	Obj *policyv1.ResourceRule
}

ResourceRule is a rule in a resource policy.

func NewAllowResourceRule 

func NewAllowResourceRule(actions ...string) *ResourceRule

NewAllowResourceRule creates a resource rule that allows the actions when matched.

func NewDenyResourceRule 

func NewDenyResourceRule(actions ...string) *ResourceRule

NewDenyResourceRule creates a resource rule that denies the actions when matched.

func (*ResourceRule) Err 

func (rr *ResourceRule) Err() error

Err returns errors accumulated during the construction of the resource rule.

func (*ResourceRule) Validate 

func (rr *ResourceRule) Validate() error

Validate checks whether the resource rule is valid.

func (*ResourceRule) WithCondition 

func (rr *ResourceRule) WithCondition(m match) *ResourceRule

WithCondition sets the condition that applies to this rule.

func (*ResourceRule) WithDerivedRoles 

func (rr *ResourceRule) WithDerivedRoles(roles ...string) *ResourceRule

WithDerivedRoles adds derived roles to which this rule applies.

func (*ResourceRule) WithName 

func (rr *ResourceRule) WithName(name string) *ResourceRule

WithName sets the name of the ResourceRule.

func (*ResourceRule) WithRoles 

func (rr *ResourceRule) WithRoles(roles ...string) *ResourceRule

WithRoles adds roles to which this rule applies.

type Schema 

type Schema struct {
	Obj *policyv1.Schemas_Schema
}

Schema is a builder for Schemas_Schema.

func NewSchema 

func NewSchema(ref string) *Schema

func (*Schema) AddIgnoredActions 

func (s *Schema) AddIgnoredActions(actions ...string) *Schema

AddIgnoredActions adds action(s) to the ignoreWhen field of the schema.

func (*Schema) Validate 

func (s *Schema) Validate() error

func (*Schema) WithRef 

func (s *Schema) WithRef(ref string) *Schema

WithRef sets the ref of this schema.

type SchemaSet 

type SchemaSet struct {
	// contains filtered or unexported fields
}

SchemaSet is a container for a set of schemas.

func NewSchemaSet 

func NewSchemaSet() *SchemaSet

NewSchemaSet creates a new schema set.

func (*SchemaSet) AddSchemaFromFile 

func (ss *SchemaSet) AddSchemaFromFile(file string, ignorePathInID bool) *SchemaSet

AddSchemaFromFile adds a schema from the given file to the set.

func (*SchemaSet) AddSchemaFromFileWithErr 

func (ss *SchemaSet) AddSchemaFromFileWithErr(file string, ignorePathInID bool) (*SchemaSet, error)

AddSchemaFromFileWithErr adds a schema from the given file to the set and returns the error.

func (*SchemaSet) AddSchemaFromFileWithIDAndErr 

func (ss *SchemaSet) AddSchemaFromFileWithIDAndErr(file, id string) (*SchemaSet, error)

AddSchemaFromFileWithIDAndErr adds a schema with the given id from the given file to the set and returns the error.

func (*SchemaSet) AddSchemaFromReader 

func (ss *SchemaSet) AddSchemaFromReader(r io.Reader, id string) *SchemaSet

AddSchemaFromReader adds a schema from the given reader to the set.

func (*SchemaSet) AddSchemas 

func (ss *SchemaSet) AddSchemas(schemas ...*schemav1.Schema) *SchemaSet

AddSchemas adds the given schemas to the set.

func (*SchemaSet) Err 

func (ss *SchemaSet) Err() error

Err returns the errors accumulated during the construction of the schema set.

func (*SchemaSet) GetSchemas 

func (ss *SchemaSet) GetSchemas() []*schemav1.Schema

GetSchemas returns all of the schemas in the set.

func (*SchemaSet) Size 

func (ss *SchemaSet) Size() int

Size returns the number of schemas in this set.

type ServerInfo 

type ServerInfo struct {
	*responsev1.ServerInfoResponse
}

func (*ServerInfo) MarshalJSON 

func (si *ServerInfo) MarshalJSON() ([]byte, error)

func (*ServerInfo) String 

func (si *ServerInfo) String() string

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.