cerbos

package
Published: Apr 8, 2024 License: Apache-2.0 Imports: 31 Imported by: 9

Constants

// MaxIDPerReq is the number of IDs sent in one admin request; presumably the
// chunk size BatchAdminClientCall/BatchAdminClientCall2 use when splitting a
// long list of ids — confirm against their implementation.
const MaxIDPerReq = 25

Variables

This section is empty.

Functions

func BatchAdminClientCall

func BatchAdminClientCall(ctx context.Context, retrieveFn func(context.Context, ...string) (uint32, error), ids ...string) (uint32, error)

func BatchAdminClientCall2

func BatchAdminClientCall2[T []*schemav1.Schema | []*policyv1.Policy | []string](
	ctx context.Context,
	retrieveFn func(context.Context, ...string) (T, error),
	processFn func(context.Context, T) error,
	ids ...string,
) error

func MatchAllOf

func MatchAllOf(m ...match) match

MatchAllOf matches all of the expressions (logical AND).

func MatchAnyOf

func MatchAnyOf(m ...match) match

MatchAnyOf matches any of the expressions (logical OR).

func MatchExpr

func MatchExpr(expr string) match

MatchExpr matches a single expression.

func MatchNoneOf

func MatchNoneOf(m ...match) match

MatchNoneOf matches none of the expressions (logical NOT).

Types

type AdminClient

// AdminClient provides access to the Cerbos Admin API. GRPCAdminClient is the
// gRPC implementation; see NewAdminClient for how credentials are located.
type AdminClient interface {
	// AddOrUpdatePolicy uploads the policies in the set, creating or replacing them.
	AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
	// AuditLogs streams the audit log entries selected by opts over the returned channel.
	AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)
	// ListPolicies returns policy IDs; narrow the result with WithIncludeDisabled and the With*Regexp options.
	ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)
	// GetPolicy fetches the policies with the given IDs.
	GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)
	// DisablePolicy disables the policies with the given IDs. The uint32 is presumably the number affected — confirm.
	DisablePolicy(ctx context.Context, ids ...string) (uint32, error)
	// EnablePolicy enables the policies with the given IDs; same return convention as DisablePolicy.
	EnablePolicy(ctx context.Context, ids ...string) (uint32, error)
	// AddOrUpdateSchema uploads the schemas in the set, creating or replacing them.
	AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error
	// DeleteSchema deletes the schemas with the given IDs; same return convention as DisablePolicy.
	DeleteSchema(ctx context.Context, ids ...string) (uint32, error)
	// ListSchemas returns schema IDs.
	ListSchemas(ctx context.Context) ([]string, error)
	// GetSchema fetches the schemas with the given IDs.
	GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)
	// ReloadStore asks the server to reload its policy store; wait presumably blocks until the reload finishes — confirm.
	ReloadStore(ctx context.Context, wait bool) error
}

AdminClient provides access to the Cerbos Admin API.

type AuditLogEntry

// AuditLogEntry is a single item delivered on the channel returned by
// AdminClient.AuditLogs. It carries an access-log record, a decision-log
// record and/or an error (see NewAuditLogEntry); AccessLog and DecisionLog
// return the wrapped record together with that error.
type AuditLogEntry struct {
	// contains filtered or unexported fields
}

func NewAuditLogEntry

func NewAuditLogEntry(accessLog *auditv1.AccessLogEntry, decisionLog *auditv1.DecisionLogEntry, err error) *AuditLogEntry

func (*AuditLogEntry) AccessLog

func (e *AuditLogEntry) AccessLog() (*auditv1.AccessLogEntry, error)

func (*AuditLogEntry) DecisionLog

func (e *AuditLogEntry) DecisionLog() (*auditv1.DecisionLogEntry, error)

type AuditLogOptions

// AuditLogOptions is used to filter the audit logs requested via
// AdminClient.AuditLogs.
type AuditLogOptions struct {
	// StartTime is the lower bound of the time range to fetch — presumably inclusive; confirm.
	StartTime time.Time
	// EndTime is the upper bound of the time range to fetch.
	EndTime   time.Time
	// Lookup — NOTE(review): looks like an identifier used to fetch a single entry; confirm against the server API.
	Lookup    string
	// Tail is presumably the number of most recent entries to return — confirm.
	Tail      uint32
	// Type selects which log (AccessLogs or DecisionLogs) is retrieved.
	Type      AuditLogType
}

AuditLogOptions is used to filter audit logs.

type AuditLogType

// AuditLogType selects the kind of audit log to retrieve; it is the Type
// field of AuditLogOptions.
type AuditLogType uint8
const (
	// AccessLogs selects access-log entries (auditv1.AccessLogEntry).
	AccessLogs AuditLogType = iota
	// DecisionLogs selects decision-log entries (auditv1.DecisionLogEntry).
	DecisionLogs
)

type CheckResourcesResponse

// CheckResourcesResponse is the response from the CheckResources API call.
// Errors exposes the validation errors reported by the server and GetResource
// looks up an individual ResourceResult by resource ID.
type CheckResourcesResponse struct {
	*responsev1.CheckResourcesResponse
	// contains filtered or unexported fields
}

CheckResourcesResponse is the response from the CheckResources API call.

func (*CheckResourcesResponse) Errors

func (crr *CheckResourcesResponse) Errors() error

Errors returns any validation errors returned by the server.

func (*CheckResourcesResponse) GetResource

func (crr *CheckResourcesResponse) GetResource(resourceID string, match ...MatchResource) *ResourceResult

GetResource finds the resource with the given ID and optional properties from the result list. Returns a ResourceResult object with the Err field set if the resource is not found.

func (*CheckResourcesResponse) MarshalJSON

func (crr *CheckResourcesResponse) MarshalJSON() ([]byte, error)

func (*CheckResourcesResponse) String

func (crr *CheckResourcesResponse) String() string

type Client

// Client provides access to the Cerbos API. C is the concrete client type
// returned by With and P is the PrincipalContext implementation returned by
// WithPrincipal (for GRPCClient these are *GRPCClient and PrincipalCtx).
type Client[C any, P PrincipalContext] interface {
	// IsAllowed checks access to a single resource by a principal and returns true if access is granted.
	IsAllowed(ctx context.Context, principal *Principal, resource *Resource, action string) (bool, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, principal *Principal, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// ServerInfo retrieves server information.
	ServerInfo(ctx context.Context) (*ServerInfo, error)
	// With sets per-request options for the client.
	With(opts ...RequestOpt) C
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, principal *Principal, resource *Resource, action string) (*PlanResourcesResponse, error)
	// WithPrincipal sets the principal to be used for subsequent API calls.
	WithPrincipal(principal *Principal) P
}

Client provides access to the Cerbos API.

type DerivedRoles

// DerivedRoles is a builder for derived roles. The builder methods return the
// receiver for chaining and accumulate errors, which Err reports.
type DerivedRoles struct {
	// Obj is the policyv1.DerivedRoles message populated by the builder.
	Obj *policyv1.DerivedRoles
}

DerivedRoles is a builder for derived roles.

func NewDerivedRoles

func NewDerivedRoles(name string) *DerivedRoles

NewDerivedRoles creates a new derived roles set with the given name.

func (*DerivedRoles) AddRole

func (dr *DerivedRoles) AddRole(name string, parentRoles []string) *DerivedRoles

AddRole adds a new derived role with the given name which is an alias for the set of parent roles.

func (*DerivedRoles) AddRoleWithCondition

func (dr *DerivedRoles) AddRoleWithCondition(name string, parentRoles []string, m match) *DerivedRoles

AddRoleWithCondition adds a derived role with a condition attached.

func (*DerivedRoles) Err

func (dr *DerivedRoles) Err() error

Err returns any errors accumulated during the construction of the derived roles.

func (*DerivedRoles) Validate

func (dr *DerivedRoles) Validate() error

Validate checks whether the derived roles are valid.

func (*DerivedRoles) WithVariable

func (dr *DerivedRoles) WithVariable(name, expr string) *DerivedRoles

WithVariable adds a variable definition for use in conditions.

func (*DerivedRoles) WithVariablesImports

func (dr *DerivedRoles) WithVariablesImports(name ...string) *DerivedRoles

WithVariablesImports adds import statements for exported variables.

type ExportVariables

// ExportVariables is a builder for exported variables. AddVariable returns the
// receiver for chaining and accumulates errors, which Err reports.
type ExportVariables struct {
	// Obj is the policyv1.ExportVariables message populated by the builder.
	Obj *policyv1.ExportVariables
}

ExportVariables is a builder for exported variables.

func NewExportVariables

func NewExportVariables(name string) *ExportVariables

NewExportVariables creates a new exported variables set with the given name.

func (*ExportVariables) AddVariable

func (ev *ExportVariables) AddVariable(name, expr string) *ExportVariables

AddVariable defines an exported variable with the given name to be computed by the given expression.

func (*ExportVariables) Err

func (ev *ExportVariables) Err() error

Err returns any errors accumulated during the construction of the exported variables.

func (*ExportVariables) Validate

func (ev *ExportVariables) Validate() error

Validate checks whether the exported variables are valid.

type GRPCAdminClient

// GRPCAdminClient is the gRPC implementation of AdminClient. Create one with
// NewAdminClient (credentials from the environment or netrc) or
// NewAdminClientWithCredentials (credentials passed explicitly).
type GRPCAdminClient struct {
	// contains filtered or unexported fields
}

func NewAdminClient

func NewAdminClient(address string, opts ...Opt) (*GRPCAdminClient, error)

NewAdminClient creates a new admin client. It looks for credentials in the following order: first the environment variables CERBOS_USERNAME and CERBOS_PASSWORD, then the netrc file (~/.netrc unless an override is defined in the NETRC environment variable).

Note that Unix domain socket connections cannot fall back to netrc: they require either the environment variables to be defined or the credentials to be provided explicitly via the NewAdminClientWithCredentials function.

Example

ExampleNewAdminClient demonstrates how to instantiate a new admin client and make a request.

package main

import (
	"context"
	"log"

	"github.com/cerbos/cerbos-sdk-go/cerbos"
)

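func main() {
	// Create an admin client using the credentials stored in environment variables or netrc.
	// The CA certificate at the given path is what the client trusts for the server's TLS certificate.
	ac, err := cerbos.NewAdminClient("10.1.2.3:3593", cerbos.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create admin client: %v", err)
	}

	// Build the policy. The builder methods accumulate errors instead of returning
	// them, so the result is checked with Err() before anything is sent to the server.
	policy := cerbos.NewResourcePolicy("album:comments", "default").
		WithDerivedRolesImports("album_derived_roles").
		AddResourceRules(
			cerbos.NewAllowResourceRule("view").
				WithDerivedRoles("owners").
				WithCondition(
					cerbos.MatchAllOf(
						cerbos.MatchExpr(`request.resource.attr.status == "unmoderated"`),
						cerbos.MatchExpr(`request.resource.attr.user_status == "anonymous"`),
					),
				),
		)
	if err := policy.Err(); err != nil {
		log.Fatalf("Invalid policy: %v", err)
	}

	// The policy set accumulates errors the same way.
	policySet := cerbos.NewPolicySet().AddResourcePolicies(policy)
	if err := policySet.Err(); err != nil {
		log.Fatalf("Invalid policy set: %v", err)
	}

	if err := ac.AddOrUpdatePolicy(context.TODO(), policySet); err != nil {
		log.Fatalf("Failed to add policy: %v", err)
	}
}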
Output:

func NewAdminClientWithCredentials

func NewAdminClientWithCredentials(address, username, password string, opts ...Opt) (*GRPCAdminClient, error)

NewAdminClientWithCredentials creates a new admin client using credentials explicitly passed as arguments.

func (*GRPCAdminClient) AddOrUpdatePolicy

func (c *GRPCAdminClient) AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error

func (*GRPCAdminClient) AddOrUpdateSchema

func (c *GRPCAdminClient) AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error

func (*GRPCAdminClient) AuditLogs

func (c *GRPCAdminClient) AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)

func (*GRPCAdminClient) DeleteSchema

func (c *GRPCAdminClient) DeleteSchema(ctx context.Context, ids ...string) (uint32, error)

func (*GRPCAdminClient) DisablePolicy

func (c *GRPCAdminClient) DisablePolicy(ctx context.Context, ids ...string) (uint32, error)

func (*GRPCAdminClient) EnablePolicy

func (c *GRPCAdminClient) EnablePolicy(ctx context.Context, ids ...string) (uint32, error)

func (*GRPCAdminClient) GetPolicy

func (c *GRPCAdminClient) GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)

func (*GRPCAdminClient) GetSchema

func (c *GRPCAdminClient) GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)

func (*GRPCAdminClient) ListPolicies

func (c *GRPCAdminClient) ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)

func (*GRPCAdminClient) ListSchemas

func (c *GRPCAdminClient) ListSchemas(ctx context.Context) ([]string, error)

func (*GRPCAdminClient) ReloadStore

func (c *GRPCAdminClient) ReloadStore(ctx context.Context, wait bool) error

func (*GRPCAdminClient) WithHeaders added in v0.2.2

func (c *GRPCAdminClient) WithHeaders(keyValues ...string) *GRPCAdminClient

type GRPCClient

// GRPCClient is the gRPC implementation of Client[*GRPCClient, PrincipalCtx].
// Create one with New; With returns a client carrying the given per-request
// options and WithPrincipal returns a PrincipalCtx bound to one principal.
type GRPCClient struct {
	// contains filtered or unexported fields
}

func New

func New(address string, opts ...Opt) (*GRPCClient, error)

New creates a new Cerbos client.

Example

ExampleNew demonstrates how to instantiate a new client and make a request.

package main

import (
	"context"
	"log"

	"github.com/cerbos/cerbos-sdk-go/cerbos"
)

func main() {
	// Connect over a Unix domain socket; the CA certificate at the given path is
	// used to validate the server's TLS certificate.
	client, err := cerbos.New("unix:/var/sock/cerbos", cerbos.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}

	// The principal and the resource are assembled with the fluent builders.
	principal := cerbos.NewPrincipal("sally").WithRoles("user")
	resource := cerbos.NewResource("album:object", "A001")

	// Ask whether the principal may perform the "view" action on the resource.
	allowed, err := client.IsAllowed(context.TODO(), principal, resource, "view")
	if err != nil {
		log.Fatalf("Failed to check permission: %v", err)
	}

	log.Printf("Is Sally allowed to view album A001: %t", allowed)
}
Output:

func (*GRPCClient) CheckResources

func (c *GRPCClient) CheckResources(ctx context.Context, principal *Principal, resourceBatch *ResourceBatch) (*CheckResourcesResponse, error)

func (*GRPCClient) IsAllowed

func (c *GRPCClient) IsAllowed(ctx context.Context, principal *Principal, resource *Resource, action string) (bool, error)

func (*GRPCClient) PlanResources

func (c *GRPCClient) PlanResources(ctx context.Context, principal *Principal, resource *Resource, action string) (*PlanResourcesResponse, error)

func (*GRPCClient) ServerInfo

func (c *GRPCClient) ServerInfo(ctx context.Context) (*ServerInfo, error)

func (*GRPCClient) With

func (c *GRPCClient) With(reqOpts ...RequestOpt) *GRPCClient

func (*GRPCClient) WithPrincipal

func (c *GRPCClient) WithPrincipal(p *Principal) PrincipalCtx

type ListPoliciesOption

// ListPoliciesOption adjusts the ListPoliciesRequest sent by
// AdminClient.ListPolicies; see WithIncludeDisabled, WithNameRegexp,
// WithScopeRegexp and WithVersionRegexp.
type ListPoliciesOption func(*requestv1.ListPoliciesRequest)

func WithIncludeDisabled

func WithIncludeDisabled() ListPoliciesOption

func WithNameRegexp

func WithNameRegexp(re string) ListPoliciesOption

func WithScopeRegexp

func WithScopeRegexp(re string) ListPoliciesOption

func WithVersionRegexp

func WithVersionRegexp(v string) ListPoliciesOption

type MatchResource

MatchResource is a function that returns true if the given resource is of interest. This is useful when you have more than one resource with the same ID and need to distinguish between them in the response.

func MatchResourceKind

func MatchResourceKind(kind string) MatchResource

MatchResourceKind is a matcher that checks that the resource kind matches the given value.

func MatchResourcePolicyKindScopeVersion

func MatchResourcePolicyKindScopeVersion(kind, version, scope string) MatchResource

MatchResourcePolicyKindScopeVersion is a matcher that checks that the resource policy kind, version and scope matches the given values.

func MatchResourcePolicyVersion

func MatchResourcePolicyVersion(version string) MatchResource

MatchResourcePolicyVersion is a matcher that checks that the resource policy version matches the given value.

func MatchResourceScope

func MatchResourceScope(scope string) MatchResource

MatchResourceScope is a matcher that checks that the resource scope matches the given value.

type Opt

// Opt configures a client at construction time (New, NewAdminClient,
// NewAdminClientWithCredentials); see the With* functions below. The *config
// it receives is unexported, so options can only be built inside this package.
type Opt func(*config)

func WithConnectTimeout

func WithConnectTimeout(timeout time.Duration) Opt

WithConnectTimeout sets the connection establishment timeout.

func WithMaxRetries

func WithMaxRetries(retries uint) Opt

WithMaxRetries sets the maximum number of retries per call.

func WithPlaintext

func WithPlaintext() Opt

WithPlaintext configures the client to connect over h2c (HTTP/2 cleartext, i.e. without TLS).

func WithPlaygroundInstance

func WithPlaygroundInstance(instance string) Opt

WithPlaygroundInstance sets the Cerbos playground instance to use as the source of policies. Note that Playground instances are for demonstration purposes only and do not provide any performance or availability guarantees.

func WithRetryTimeout

func WithRetryTimeout(timeout time.Duration) Opt

WithRetryTimeout sets the timeout per retry attempt.

func WithStatsHandler added in v0.2.1

func WithStatsHandler(handler stats.Handler) Opt

WithStatsHandler sets the gRPC stats handler for the connection.

func WithStreamInterceptors

func WithStreamInterceptors(interceptors ...grpc.StreamClientInterceptor) Opt

WithStreamInterceptors sets the interceptors to be used for streaming gRPC operations.

func WithTLSAuthority

func WithTLSAuthority(authority string) Opt

WithTLSAuthority overrides the remote server authority if it is different from what is provided in the address.

func WithTLSCACert

func WithTLSCACert(certPath string) Opt

WithTLSCACert sets the CA certificate chain to use for certificate verification.

func WithTLSClientCert

func WithTLSClientCert(cert, key string) Opt

WithTLSClientCert sets the client certificate to use to authenticate to the server.

func WithTLSInsecure

func WithTLSInsecure() Opt

WithTLSInsecure disables TLS certificate verification, so the server's certificate chain is not checked.

func WithUnaryInterceptors

func WithUnaryInterceptors(interceptors ...grpc.UnaryClientInterceptor) Opt

WithUnaryInterceptors sets the interceptors to be used for unary gRPC operations.

func WithUserAgent

func WithUserAgent(ua string) Opt

WithUserAgent sets the user agent string.

type PlanResourcesResponse

// PlanResourcesResponse wraps the server response to PlanResources.
type PlanResourcesResponse struct {
	*responsev1.PlanResourcesResponse
}

type PolicySet

// PolicySet is a container for a set of policies. It is built with the Add*
// methods, which accumulate errors reported by Err, and sent to the server
// with AdminClient.AddOrUpdatePolicy.
type PolicySet struct {
	// contains filtered or unexported fields
}

PolicySet is a container for a set of policies.

func NewPolicySet

func NewPolicySet() *PolicySet

NewPolicySet creates a new policy set.

func (*PolicySet) AddDerivedRoles

func (ps *PolicySet) AddDerivedRoles(policies ...*DerivedRoles) *PolicySet

AddDerivedRoles adds the given derived roles to the set.

func (*PolicySet) AddExportVariables

func (ps *PolicySet) AddExportVariables(policies ...*ExportVariables) *PolicySet

AddExportVariables adds the given exported variables to the set.

func (*PolicySet) AddPolicies

func (ps *PolicySet) AddPolicies(policies ...*policyv1.Policy) *PolicySet

AddPolicies adds the given policies to the set.

func (*PolicySet) AddPolicyFromFile

func (ps *PolicySet) AddPolicyFromFile(file string) *PolicySet

AddPolicyFromFile adds a policy from the given file to the set.

func (*PolicySet) AddPolicyFromFileWithErr

func (ps *PolicySet) AddPolicyFromFileWithErr(file string) (*PolicySet, error)

AddPolicyFromFileWithErr adds a policy from the given file to the set and returns the error.

func (*PolicySet) AddPolicyFromReader

func (ps *PolicySet) AddPolicyFromReader(r io.Reader) *PolicySet

AddPolicyFromReader adds a policy from the given reader to the set.

func (*PolicySet) AddPrincipalPolicies

func (ps *PolicySet) AddPrincipalPolicies(policies ...*PrincipalPolicy) *PolicySet

AddPrincipalPolicies adds the given principal policies to the set.

func (*PolicySet) AddResourcePolicies

func (ps *PolicySet) AddResourcePolicies(policies ...*ResourcePolicy) *PolicySet

AddResourcePolicies adds the given resource policies to the set.

func (*PolicySet) Err

func (ps *PolicySet) Err() error

Err returns the errors accumulated during the construction of the policy set.

func (*PolicySet) GetPolicies

func (ps *PolicySet) GetPolicies() []*policyv1.Policy

GetPolicies returns all of the policies in the set.

func (*PolicySet) Size

func (ps *PolicySet) Size() int

Size returns the number of policies in this set.

func (*PolicySet) Validate

func (ps *PolicySet) Validate() error

Validate checks whether the policy set is valid.

type Principal

// Principal is a container for principal data. Build it with NewPrincipal and
// the With* methods; Err reports any errors they accumulated.
type Principal struct {
	// Obj is the underlying enginev1.Principal message, also returned by Proto.
	Obj *enginev1.Principal
	// contains filtered or unexported fields
}

Principal is a container for principal data.

func NewPrincipal

func NewPrincipal(id string, roles ...string) *Principal

NewPrincipal creates a new principal object with the given ID and roles.

func (*Principal) Err

func (p *Principal) Err() error

Err returns any errors accumulated during the construction of the principal.

func (*Principal) ID

func (p *Principal) ID() string

ID returns the principal ID.

func (*Principal) Proto

func (p *Principal) Proto() *enginev1.Principal

Proto returns the underlying protobuf object representing the principal.

func (*Principal) Roles

func (p *Principal) Roles() []string

Roles returns the principal roles.

func (*Principal) Validate

func (p *Principal) Validate() error

Validate checks whether the principal object is valid.

func (*Principal) WithAttr

func (p *Principal) WithAttr(key string, value any) *Principal

WithAttr adds a new attribute to the principal. It will overwrite any existing attribute having the same key.

func (*Principal) WithAttributes

func (p *Principal) WithAttributes(attr map[string]any) *Principal

WithAttributes merges the given attributes into the principal's existing attributes.

func (*Principal) WithPolicyVersion

func (p *Principal) WithPolicyVersion(policyVersion string) *Principal

WithPolicyVersion sets the policy version for this principal.

func (*Principal) WithRoles

func (p *Principal) WithRoles(roles ...string) *Principal

WithRoles appends the set of roles to principal's existing roles.

func (*Principal) WithScope

func (p *Principal) WithScope(scope string) *Principal

WithScope sets the scope this principal belongs to.

type PrincipalContext

// PrincipalContext provides convenience methods to access the Cerbos API in
// the context of a single principal. Obtain one via Client.WithPrincipal.
type PrincipalContext interface {
	// Principal returns the principal attached to this context.
	Principal() *Principal
	// IsAllowed checks access to a single resource by the principal and returns true if access is granted.
	IsAllowed(ctx context.Context, resource *Resource, action string) (bool, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, resource *Resource, action string) (*PlanResourcesResponse, error)
}

PrincipalContext provides convenience methods to access the Cerbos API in the context of a single principal.

type PrincipalCtx

// PrincipalCtx is the PrincipalContext returned by GRPCClient.WithPrincipal;
// its methods check access for the principal it was created with.
type PrincipalCtx struct {
	// contains filtered or unexported fields
}

func (PrincipalCtx) CheckResources

func (pc PrincipalCtx) CheckResources(ctx context.Context, batch *ResourceBatch) (*CheckResourcesResponse, error)

func (PrincipalCtx) IsAllowed

func (pc PrincipalCtx) IsAllowed(ctx context.Context, resource *Resource, action string) (bool, error)

func (PrincipalCtx) PlanResources

func (pc PrincipalCtx) PlanResources(ctx context.Context, resource *Resource, action string) (*PlanResourcesResponse, error)

func (PrincipalCtx) Principal

func (pc PrincipalCtx) Principal() *Principal

type PrincipalPolicy

// PrincipalPolicy is a builder for principal policies. The builder methods
// return the receiver for chaining and accumulate errors, which Err reports.
type PrincipalPolicy struct {
	// Obj is the policyv1.PrincipalPolicy message populated by the builder.
	Obj *policyv1.PrincipalPolicy
	// contains filtered or unexported fields
}

PrincipalPolicy is a builder for principal policies.

func NewPrincipalPolicy

func NewPrincipalPolicy(principal, version string) *PrincipalPolicy

NewPrincipalPolicy creates a new principal policy.

func (*PrincipalPolicy) AddPrincipalRules

func (pp *PrincipalPolicy) AddPrincipalRules(rules ...*PrincipalRule) *PrincipalPolicy

AddPrincipalRules adds rules to this policy.

func (*PrincipalPolicy) Err

func (pp *PrincipalPolicy) Err() error

Err returns the errors accumulated during the construction of this policy.

func (*PrincipalPolicy) Validate

func (pp *PrincipalPolicy) Validate() error

Validate checks whether the policy is valid.

func (*PrincipalPolicy) WithScope

func (pp *PrincipalPolicy) WithScope(scope string) *PrincipalPolicy

WithScope sets the scope of this policy.

func (*PrincipalPolicy) WithVariable

func (pp *PrincipalPolicy) WithVariable(name, expr string) *PrincipalPolicy

WithVariable adds a variable definition for use in conditions.

func (*PrincipalPolicy) WithVariablesImports

func (pp *PrincipalPolicy) WithVariablesImports(name ...string) *PrincipalPolicy

WithVariablesImports adds import statements for exported variables.

func (*PrincipalPolicy) WithVersion

func (pp *PrincipalPolicy) WithVersion(version string) *PrincipalPolicy

WithVersion sets the version of this policy.

type PrincipalRule

// PrincipalRule is a builder for principal rules, added to a PrincipalPolicy
// via AddPrincipalRules. Errors accumulated by the builder are reported by Err.
type PrincipalRule struct {
	// Obj is the policyv1.PrincipalRule message populated by the builder.
	Obj *policyv1.PrincipalRule
}

PrincipalRule is a builder for principal rules.

func NewPrincipalRule

func NewPrincipalRule(resource string) *PrincipalRule

NewPrincipalRule creates a new rule for the specified resource.

func (*PrincipalRule) AllowAction

func (pr *PrincipalRule) AllowAction(action string) *PrincipalRule

AllowAction sets the action as allowed on the resource.

func (*PrincipalRule) AllowActionOnCondition

func (pr *PrincipalRule) AllowActionOnCondition(action string, m match) *PrincipalRule

AllowActionOnCondition sets the action as allowed if the condition is fulfilled.

func (*PrincipalRule) DenyAction

func (pr *PrincipalRule) DenyAction(action string) *PrincipalRule

DenyAction sets the action as denied on the resource.

func (*PrincipalRule) DenyActionOnCondition

func (pr *PrincipalRule) DenyActionOnCondition(action string, m match) *PrincipalRule

DenyActionOnCondition sets the action as denied if the condition is fulfilled.

func (*PrincipalRule) Err

func (pr *PrincipalRule) Err() error

Err returns errors accumulated during the construction of the rule.

func (*PrincipalRule) Validate

func (pr *PrincipalRule) Validate() error

Validate checks whether the rule is valid.

type RequestOpt

// RequestOpt defines per-request options, applied through Client.With;
// see AuxDataJWT, Headers and IncludeMeta.
type RequestOpt func(*internal.ReqOpt)

RequestOpt defines per-request options.

func AuxDataJWT

func AuxDataJWT(token, keySetID string) RequestOpt

AuxDataJWT sets the JWT to be used as auxiliary data for the request.

func Headers added in v0.2.2

func Headers(keyValues ...string) RequestOpt

Headers sets the gRPC header metadata for each request. Input should be a list of key-value pairs.

func IncludeMeta

func IncludeMeta(f bool) RequestOpt

IncludeMeta sets the flag on requests that support it to signal that evaluation metadata should be sent back with the response.

type Resource

// Resource is a single resource instance. Build it with NewResource and the
// With* methods; Err reports any errors they accumulated.
type Resource struct {
	// Obj is the underlying enginev1.Resource message, also returned by Proto.
	Obj *enginev1.Resource
	// contains filtered or unexported fields
}

Resource is a single resource instance.

func NewResource

func NewResource(kind, id string) *Resource

NewResource creates a new instance of a resource.

func (*Resource) Err

func (r *Resource) Err() error

Err returns any errors accumulated during the construction of the resource.

func (*Resource) ID

func (r *Resource) ID() string

ID returns the resource ID.

func (*Resource) Kind

func (r *Resource) Kind() string

Kind returns the resource kind.

func (*Resource) Proto

func (r *Resource) Proto() *enginev1.Resource

Proto returns the underlying protobuf object representing the resource.

func (*Resource) Validate

func (r *Resource) Validate() error

Validate checks whether the resource is valid.

func (*Resource) WithAttr

func (r *Resource) WithAttr(key string, value any) *Resource

WithAttr adds a new attribute to the resource. It will overwrite any existing attribute having the same key.

func (*Resource) WithAttributes

func (r *Resource) WithAttributes(attr map[string]any) *Resource

WithAttributes merges the given attributes into the resource's existing attributes.

func (*Resource) WithPolicyVersion

func (r *Resource) WithPolicyVersion(policyVersion string) *Resource

WithPolicyVersion sets the policy version for this resource.

func (*Resource) WithScope

func (r *Resource) WithScope(scope string) *Resource

WithScope sets the scope this resource belongs to.

type ResourceBatch

// ResourceBatch is a container for a batch of heterogeneous resources, each
// paired with actions, for Client.CheckResources. Add accumulates errors,
// which Err reports.
type ResourceBatch struct {
	// Batch holds the request entries — presumably one per Add call; confirm.
	Batch []*requestv1.CheckResourcesRequest_ResourceEntry
	// contains filtered or unexported fields
}

ResourceBatch is a container for a batch of heterogeneous resources.

func NewResourceBatch

func NewResourceBatch() *ResourceBatch

NewResourceBatch creates a new resource batch.

func (*ResourceBatch) Add

func (rb *ResourceBatch) Add(resource *Resource, actions ...string) *ResourceBatch

Add adds a new resource, together with the actions to check on it, to the batch.

func (*ResourceBatch) Err

func (rb *ResourceBatch) Err() error

Err returns any errors accumulated during the construction of the resource batch.

func (*ResourceBatch) Validate

func (rb *ResourceBatch) Validate() error

Validate checks whether the resource batch is valid.

type ResourcePolicy

// ResourcePolicy is a builder for resource policies. The builder methods
// return the receiver for chaining and accumulate errors, which Err reports.
type ResourcePolicy struct {
	// Obj is the policyv1.ResourcePolicy message populated by the builder.
	Obj *policyv1.ResourcePolicy
	// contains filtered or unexported fields
}

ResourcePolicy is a builder for resource policies.

func NewResourcePolicy

func NewResourcePolicy(resource, version string) *ResourcePolicy

NewResourcePolicy creates a new resource policy builder.

func (*ResourcePolicy) AddResourceRules

func (rp *ResourcePolicy) AddResourceRules(rules ...*ResourceRule) *ResourcePolicy

AddResourceRules adds resource rules to the policy.

func (*ResourcePolicy) Err

func (rp *ResourcePolicy) Err() error

Err returns any errors accumulated during the construction of the policy.

func (*ResourcePolicy) Validate

func (rp *ResourcePolicy) Validate() error

Validate checks whether the policy is valid.

func (*ResourcePolicy) WithDerivedRolesImports

func (rp *ResourcePolicy) WithDerivedRolesImports(imp ...string) *ResourcePolicy

WithDerivedRolesImports adds import statements for derived roles.

func (*ResourcePolicy) WithPrincipalSchema

func (rp *ResourcePolicy) WithPrincipalSchema(principalSchema *Schema) *ResourcePolicy

func (*ResourcePolicy) WithResourceSchema

func (rp *ResourcePolicy) WithResourceSchema(resourceSchema *Schema) *ResourcePolicy

func (*ResourcePolicy) WithScope

func (rp *ResourcePolicy) WithScope(scope string) *ResourcePolicy

func (*ResourcePolicy) WithVariable

func (rp *ResourcePolicy) WithVariable(name, expr string) *ResourcePolicy

WithVariable adds a variable definition for use in conditions.

func (*ResourcePolicy) WithVariablesImports

func (rp *ResourcePolicy) WithVariablesImports(name ...string) *ResourcePolicy

WithVariablesImports adds import statements for exported variables.

type ResourceResult

// ResourceResult is one entry of a CheckResourcesResponse, obtained via
// GetResource. Err is non-nil when the requested resource was not found, in
// which case IsAllowed reports false for every action.
type ResourceResult struct {
	*responsev1.CheckResourcesResponse_ResultEntry
	// contains filtered or unexported fields
}

func (*ResourceResult) Err

func (rr *ResourceResult) Err() error

func (*ResourceResult) IsAllowed

func (rr *ResourceResult) IsAllowed(action string) bool

IsAllowed returns true if the given action is allowed. Returns false if the action is not in the response or if there was an error getting this result.

func (*ResourceResult) Output

func (rr *ResourceResult) Output(key string) *structpb.Value

type ResourceRule

// ResourceRule is a rule in a resource policy, created with
// NewAllowResourceRule or NewDenyResourceRule and added via AddResourceRules.
// Errors accumulated by the builder are reported by Err.
type ResourceRule struct {
	// Obj is the policyv1.ResourceRule message populated by the builder.
	Obj *policyv1.ResourceRule
}

ResourceRule is a rule in a resource policy.

func NewAllowResourceRule

func NewAllowResourceRule(actions ...string) *ResourceRule

NewAllowResourceRule creates a resource rule that allows the actions when matched.

func NewDenyResourceRule

func NewDenyResourceRule(actions ...string) *ResourceRule

NewDenyResourceRule creates a resource rule that denies the actions when matched.

func (*ResourceRule) Err

func (rr *ResourceRule) Err() error

Err returns errors accumulated during the construction of the resource rule.

func (*ResourceRule) Validate

func (rr *ResourceRule) Validate() error

Validate checks whether the resource rule is valid.

func (*ResourceRule) WithCondition

func (rr *ResourceRule) WithCondition(m match) *ResourceRule

WithCondition sets the condition that applies to this rule.

func (*ResourceRule) WithDerivedRoles

func (rr *ResourceRule) WithDerivedRoles(roles ...string) *ResourceRule

WithDerivedRoles adds derived roles to which this rule applies.

func (*ResourceRule) WithName

func (rr *ResourceRule) WithName(name string) *ResourceRule

WithName sets the name of the ResourceRule.

func (*ResourceRule) WithRoles

func (rr *ResourceRule) WithRoles(roles ...string) *ResourceRule

WithRoles adds roles to which this rule applies.

type Schema

// Schema is a builder for Schemas_Schema, the schema reference attached to a
// resource policy via WithPrincipalSchema or WithResourceSchema.
type Schema struct {
	// Obj is the policyv1.Schemas_Schema message populated by the builder.
	Obj *policyv1.Schemas_Schema
}

Schema is a builder for Schemas_Schema.

func NewSchema

func NewSchema(ref string) *Schema

func (*Schema) AddIgnoredActions

func (s *Schema) AddIgnoredActions(actions ...string) *Schema

AddIgnoredActions adds action(s) to the ignoreWhen field of the schema.

func (*Schema) Validate

func (s *Schema) Validate() error

func (*Schema) WithRef

func (s *Schema) WithRef(ref string) *Schema

WithRef sets the ref of this schema.

type SchemaSet

// SchemaSet is a container for a set of schemas. It is built with the Add*
// methods, which accumulate errors reported by Err, and sent to the server
// with AdminClient.AddOrUpdateSchema.
type SchemaSet struct {
	// contains filtered or unexported fields
}

SchemaSet is a container for a set of schemas.

func NewSchemaSet

func NewSchemaSet() *SchemaSet

NewSchemaSet creates a new schema set.

func (*SchemaSet) AddSchemaFromFile

func (ss *SchemaSet) AddSchemaFromFile(file string, ignorePathInID bool) *SchemaSet

AddSchemaFromFile adds a schema from the given file to the set.

func (*SchemaSet) AddSchemaFromFileWithErr

func (ss *SchemaSet) AddSchemaFromFileWithErr(file string, ignorePathInID bool) (*SchemaSet, error)

AddSchemaFromFileWithErr adds a schema from the given file to the set and returns the error.

func (*SchemaSet) AddSchemaFromFileWithIDAndErr

func (ss *SchemaSet) AddSchemaFromFileWithIDAndErr(file, id string) (*SchemaSet, error)

AddSchemaFromFileWithIDAndErr adds a schema with the given id from the given file to the set and returns the error.

func (*SchemaSet) AddSchemaFromReader

func (ss *SchemaSet) AddSchemaFromReader(r io.Reader, id string) *SchemaSet

AddSchemaFromReader adds a schema from the given reader to the set.

func (*SchemaSet) AddSchemas

func (ss *SchemaSet) AddSchemas(schemas ...*schemav1.Schema) *SchemaSet

AddSchemas adds the given schemas to the set.

func (*SchemaSet) Err

func (ss *SchemaSet) Err() error

Err returns the errors accumulated during the construction of the schema set.

func (*SchemaSet) GetSchemas

func (ss *SchemaSet) GetSchemas() []*schemav1.Schema

GetSchemas returns all of the schemas in the set.

func (*SchemaSet) Size

func (ss *SchemaSet) Size() int

Size returns the number of schemas in this set.

type ServerInfo

// ServerInfo wraps the server response to Client.ServerInfo; String and
// MarshalJSON render it.
type ServerInfo struct {
	*responsev1.ServerInfoResponse
}

func (*ServerInfo) MarshalJSON

func (si *ServerInfo) MarshalJSON() ([]byte, error)

func (*ServerInfo) String

func (si *ServerInfo) String() string
