Documentation ¶
Index ¶
- Constants
- func BatchAdminClientCall(ctx context.Context, ...) (uint32, error)
- func BatchAdminClientCall2[T []*schemav1.Schema | []*policyv1.Policy | []string](ctx context.Context, retrieveFn func(context.Context, ...string) (T, error), ...) error
- func MatchAllOf(m ...match) match
- func MatchAnyOf(m ...match) match
- func MatchExpr(expr string) match
- func MatchNoneOf(m ...match) match
- type AdminClient
- type AuditLogEntry
- type AuditLogOptions
- type AuditLogType
- type CheckResourcesResponse
- type Client
- type DerivedRoles
- func (dr *DerivedRoles) AddRole(name string, parentRoles []string) *DerivedRoles
- func (dr *DerivedRoles) AddRoleWithCondition(name string, parentRoles []string, m match) *DerivedRoles
- func (dr *DerivedRoles) Err() error
- func (dr *DerivedRoles) Validate() error
- func (dr *DerivedRoles) WithVariable(name, expr string) *DerivedRoles
- func (dr *DerivedRoles) WithVariablesImports(name ...string) *DerivedRoles
- type ExportVariables
- type GRPCAdminClient
- func (c *GRPCAdminClient) AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
- func (c *GRPCAdminClient) AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error
- func (c *GRPCAdminClient) AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)
- func (c *GRPCAdminClient) DeleteSchema(ctx context.Context, ids ...string) (uint32, error)
- func (c *GRPCAdminClient) DisablePolicy(ctx context.Context, ids ...string) (uint32, error)
- func (c *GRPCAdminClient) EnablePolicy(ctx context.Context, ids ...string) (uint32, error)
- func (c *GRPCAdminClient) GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)
- func (c *GRPCAdminClient) GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)
- func (c *GRPCAdminClient) ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)
- func (c *GRPCAdminClient) ListSchemas(ctx context.Context) ([]string, error)
- func (c *GRPCAdminClient) ReloadStore(ctx context.Context, wait bool) error
- func (c *GRPCAdminClient) WithHeaders(keyValues ...string) *GRPCAdminClient
- type GRPCClient
- func (c *GRPCClient) CheckResources(ctx context.Context, principal *Principal, resourceBatch *ResourceBatch) (*CheckResourcesResponse, error)
- func (c *GRPCClient) IsAllowed(ctx context.Context, principal *Principal, resource *Resource, action string) (bool, error)
- func (c *GRPCClient) PlanResources(ctx context.Context, principal *Principal, resource *Resource, action string) (*PlanResourcesResponse, error)
- func (c *GRPCClient) ServerInfo(ctx context.Context) (*ServerInfo, error)
- func (c *GRPCClient) With(reqOpts ...RequestOpt) *GRPCClient
- func (c *GRPCClient) WithPrincipal(p *Principal) PrincipalCtx
- type ListPoliciesOption
- type MatchResource
- type Opt
- func WithConnectTimeout(timeout time.Duration) Opt
- func WithMaxRetries(retries uint) Opt
- func WithPlaintext() Opt
- func WithPlaygroundInstance(instance string) Opt
- func WithRetryTimeout(timeout time.Duration) Opt
- func WithStatsHandler(handler stats.Handler) Opt
- func WithStreamInterceptors(interceptors ...grpc.StreamClientInterceptor) Opt
- func WithTLSAuthority(authority string) Opt
- func WithTLSCACert(certPath string) Opt
- func WithTLSClientCert(cert, key string) Opt
- func WithTLSInsecure() Opt
- func WithUnaryInterceptors(interceptors ...grpc.UnaryClientInterceptor) Opt
- func WithUserAgent(ua string) Opt
- type PlanResourcesResponse
- type PolicySet
- func (ps *PolicySet) AddDerivedRoles(policies ...*DerivedRoles) *PolicySet
- func (ps *PolicySet) AddExportVariables(policies ...*ExportVariables) *PolicySet
- func (ps *PolicySet) AddPolicies(policies ...*policyv1.Policy) *PolicySet
- func (ps *PolicySet) AddPolicyFromFile(file string) *PolicySet
- func (ps *PolicySet) AddPolicyFromFileWithErr(file string) (*PolicySet, error)
- func (ps *PolicySet) AddPolicyFromReader(r io.Reader) *PolicySet
- func (ps *PolicySet) AddPrincipalPolicies(policies ...*PrincipalPolicy) *PolicySet
- func (ps *PolicySet) AddResourcePolicies(policies ...*ResourcePolicy) *PolicySet
- func (ps *PolicySet) Err() error
- func (ps *PolicySet) GetPolicies() []*policyv1.Policy
- func (ps *PolicySet) Size() int
- func (ps *PolicySet) Validate() error
- type Principal
- func (p *Principal) Err() error
- func (p *Principal) ID() string
- func (p *Principal) Proto() *enginev1.Principal
- func (p *Principal) Roles() []string
- func (p *Principal) Validate() error
- func (p *Principal) WithAttr(key string, value any) *Principal
- func (p *Principal) WithAttributes(attr map[string]any) *Principal
- func (p *Principal) WithPolicyVersion(policyVersion string) *Principal
- func (p *Principal) WithRoles(roles ...string) *Principal
- func (p *Principal) WithScope(scope string) *Principal
- type PrincipalContext
- type PrincipalCtx
- func (pc PrincipalCtx) CheckResources(ctx context.Context, batch *ResourceBatch) (*CheckResourcesResponse, error)
- func (pc PrincipalCtx) IsAllowed(ctx context.Context, resource *Resource, action string) (bool, error)
- func (pc PrincipalCtx) PlanResources(ctx context.Context, resource *Resource, action string) (*PlanResourcesResponse, error)
- func (pc PrincipalCtx) Principal() *Principal
- type PrincipalPolicy
- func (pp *PrincipalPolicy) AddPrincipalRules(rules ...*PrincipalRule) *PrincipalPolicy
- func (pp *PrincipalPolicy) Err() error
- func (pp *PrincipalPolicy) Validate() error
- func (pp *PrincipalPolicy) WithScope(scope string) *PrincipalPolicy
- func (pp *PrincipalPolicy) WithVariable(name, expr string) *PrincipalPolicy
- func (pp *PrincipalPolicy) WithVariablesImports(name ...string) *PrincipalPolicy
- func (pp *PrincipalPolicy) WithVersion(version string) *PrincipalPolicy
- type PrincipalRule
- func (pr *PrincipalRule) AllowAction(action string) *PrincipalRule
- func (pr *PrincipalRule) AllowActionOnCondition(action string, m match) *PrincipalRule
- func (pr *PrincipalRule) DenyAction(action string) *PrincipalRule
- func (pr *PrincipalRule) DenyActionOnCondition(action string, m match) *PrincipalRule
- func (pr *PrincipalRule) Err() error
- func (pr *PrincipalRule) Validate() error
- type RequestOpt
- type Resource
- func (r *Resource) Err() error
- func (r *Resource) ID() string
- func (r *Resource) Kind() string
- func (r *Resource) Proto() *enginev1.Resource
- func (r *Resource) Validate() error
- func (r *Resource) WithAttr(key string, value any) *Resource
- func (r *Resource) WithAttributes(attr map[string]any) *Resource
- func (r *Resource) WithPolicyVersion(policyVersion string) *Resource
- func (r *Resource) WithScope(scope string) *Resource
- type ResourceBatch
- type ResourcePolicy
- func (rp *ResourcePolicy) AddResourceRules(rules ...*ResourceRule) *ResourcePolicy
- func (rp *ResourcePolicy) Err() error
- func (rp *ResourcePolicy) Validate() error
- func (rp *ResourcePolicy) WithDerivedRolesImports(imp ...string) *ResourcePolicy
- func (rp *ResourcePolicy) WithPrincipalSchema(principalSchema *Schema) *ResourcePolicy
- func (rp *ResourcePolicy) WithResourceSchema(resourceSchema *Schema) *ResourcePolicy
- func (rp *ResourcePolicy) WithScope(scope string) *ResourcePolicy
- func (rp *ResourcePolicy) WithVariable(name, expr string) *ResourcePolicy
- func (rp *ResourcePolicy) WithVariablesImports(name ...string) *ResourcePolicy
- type ResourceResult
- type ResourceRule
- func (rr *ResourceRule) Err() error
- func (rr *ResourceRule) Validate() error
- func (rr *ResourceRule) WithCondition(m match) *ResourceRule
- func (rr *ResourceRule) WithDerivedRoles(roles ...string) *ResourceRule
- func (rr *ResourceRule) WithName(name string) *ResourceRule
- func (rr *ResourceRule) WithRoles(roles ...string) *ResourceRule
- type Schema
- type SchemaSet
- func (ss *SchemaSet) AddSchemaFromFile(file string, ignorePathInID bool) *SchemaSet
- func (ss *SchemaSet) AddSchemaFromFileWithErr(file string, ignorePathInID bool) (*SchemaSet, error)
- func (ss *SchemaSet) AddSchemaFromFileWithIDAndErr(file, id string) (*SchemaSet, error)
- func (ss *SchemaSet) AddSchemaFromReader(r io.Reader, id string) *SchemaSet
- func (ss *SchemaSet) AddSchemas(schemas ...*schemav1.Schema) *SchemaSet
- func (ss *SchemaSet) Err() error
- func (ss *SchemaSet) GetSchemas() []*schemav1.Schema
- func (ss *SchemaSet) Size() int
- type ServerInfo
Examples ¶
Constants ¶
const MaxIDPerReq = 25
Variables ¶
This section is empty.
Functions ¶
func BatchAdminClientCall ¶
func BatchAdminClientCall2 ¶
func MatchAllOf ¶
func MatchAllOf(m ...match) match
MatchAllOf matches all of the expressions (logical AND).
func MatchAnyOf ¶
func MatchAnyOf(m ...match) match
MatchAnyOf matches any of the expressions (logical OR).
func MatchNoneOf ¶
func MatchNoneOf(m ...match) match
MatchNoneOf matches none of the expressions (logical NOT).
Types ¶
type AdminClient ¶
// AdminClient provides access to the Cerbos Admin API. Every operation is
// authenticated with the credentials resolved by NewAdminClient (environment
// or netrc) or passed explicitly to NewAdminClientWithCredentials; the
// mutating methods change the server's policy and schema store, so the
// credentials behind an AdminClient deserve the same protection as any other
// privileged secret.
//
// NOTE(review): this package also exports MaxIDPerReq and BatchAdminClientCall;
// presumably the methods taking `ids ...string` are subject to a per-request
// limit of MaxIDPerReq ids — confirm against the implementation.
type AdminClient interface {
	// AddOrUpdatePolicy submits the policies held in the given PolicySet to the server.
	AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
	// AuditLogs delivers audit log entries selected by opts on the returned channel.
	AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)
	// ListPolicies returns policy IDs, optionally filtered by the given ListPoliciesOption values.
	ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)
	// GetPolicy retrieves the policies with the given IDs.
	GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)
	// DisablePolicy disables the policies with the given IDs.
	// NOTE(review): the uint32 result is presumably the number of affected policies — confirm.
	DisablePolicy(ctx context.Context, ids ...string) (uint32, error)
	// EnablePolicy enables the policies with the given IDs.
	// NOTE(review): the uint32 result is presumably the number of affected policies — confirm.
	EnablePolicy(ctx context.Context, ids ...string) (uint32, error)
	// AddOrUpdateSchema submits the schemas held in the given SchemaSet to the server.
	AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error
	// DeleteSchema deletes the schemas with the given IDs.
	// NOTE(review): the uint32 result is presumably the number of affected schemas — confirm.
	DeleteSchema(ctx context.Context, ids ...string) (uint32, error)
	// ListSchemas returns the IDs of all schemas known to the server.
	ListSchemas(ctx context.Context) ([]string, error)
	// GetSchema retrieves the schemas with the given IDs.
	GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)
	// ReloadStore asks the server to reload its store.
	// NOTE(review): wait presumably blocks until the reload has completed — confirm.
	ReloadStore(ctx context.Context, wait bool) error
}
AdminClient provides access to the Cerbos Admin API.
type AuditLogEntry ¶
type AuditLogEntry struct {
// contains filtered or unexported fields
}
func NewAuditLogEntry ¶
func NewAuditLogEntry(accessLog *auditv1.AccessLogEntry, decisionLog *auditv1.DecisionLogEntry, err error) *AuditLogEntry
func (*AuditLogEntry) AccessLog ¶
func (e *AuditLogEntry) AccessLog() (*auditv1.AccessLogEntry, error)
func (*AuditLogEntry) DecisionLog ¶
func (e *AuditLogEntry) DecisionLog() (*auditv1.DecisionLogEntry, error)
type AuditLogOptions ¶
type AuditLogOptions struct { StartTime time.Time EndTime time.Time Lookup string Tail uint32 Type AuditLogType }
AuditLogOptions is used to filter audit logs.
type CheckResourcesResponse ¶
type CheckResourcesResponse struct { *responsev1.CheckResourcesResponse // contains filtered or unexported fields }
CheckResourcesResponse is the response from the CheckResources API call.
func (*CheckResourcesResponse) Errors ¶
func (crr *CheckResourcesResponse) Errors() error
Errors returns any validation errors returned by the server.
func (*CheckResourcesResponse) GetResource ¶
func (crr *CheckResourcesResponse) GetResource(resourceID string, match ...MatchResource) *ResourceResult
GetResource finds the resource with the given ID and optional properties from the result list. Returns a ResourceResult object with the Err field set if the resource is not found.
func (*CheckResourcesResponse) MarshalJSON ¶
func (crr *CheckResourcesResponse) MarshalJSON() ([]byte, error)
func (*CheckResourcesResponse) String ¶
func (crr *CheckResourcesResponse) String() string
type Client ¶
// Client provides access to the Cerbos API. C is the concrete client type
// returned by With, and P the PrincipalContext type returned by WithPrincipal,
// so that the fluent helpers keep their concrete types through the interface.
type Client[C any, P PrincipalContext] interface {
	// IsAllowed checks access to a single resource by a principal and returns true if access is granted.
	// A non-nil error means no decision was obtained; the bool should be treated as meaningless in
	// that case, and callers should fail closed rather than grant access.
	IsAllowed(ctx context.Context, principal *Principal, resource *Resource, action string) (bool, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, principal *Principal, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// ServerInfo retrieves server information.
	ServerInfo(ctx context.Context) (*ServerInfo, error)
	// With sets per-request options for the client.
	With(opts ...RequestOpt) C
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, principal *Principal, resource *Resource, action string) (*PlanResourcesResponse, error)
	// WithPrincipal sets the principal to be used for subsequent API calls.
	WithPrincipal(principal *Principal) P
}
Client provides access to the Cerbos API.
type DerivedRoles ¶
type DerivedRoles struct {
Obj *policyv1.DerivedRoles
}
DerivedRoles is a builder for derived roles.
func NewDerivedRoles ¶
func NewDerivedRoles(name string) *DerivedRoles
NewDerivedRoles creates a new derived roles set with the given name.
func (*DerivedRoles) AddRole ¶
func (dr *DerivedRoles) AddRole(name string, parentRoles []string) *DerivedRoles
AddRole adds a new derived role with the given name which is an alias for the set of parent roles.
func (*DerivedRoles) AddRoleWithCondition ¶
func (dr *DerivedRoles) AddRoleWithCondition(name string, parentRoles []string, m match) *DerivedRoles
AddRoleWithCondition adds a derived role with a condition attached.
func (*DerivedRoles) Err ¶
func (dr *DerivedRoles) Err() error
Err returns any errors accumulated during the construction of the derived roles.
func (*DerivedRoles) Validate ¶
func (dr *DerivedRoles) Validate() error
Validate checks whether the derived roles are valid.
func (*DerivedRoles) WithVariable ¶
func (dr *DerivedRoles) WithVariable(name, expr string) *DerivedRoles
WithVariable adds a variable definition for use in conditions.
func (*DerivedRoles) WithVariablesImports ¶
func (dr *DerivedRoles) WithVariablesImports(name ...string) *DerivedRoles
WithVariablesImports adds import statements for exported variables.
type ExportVariables ¶
type ExportVariables struct {
Obj *policyv1.ExportVariables
}
ExportVariables is a builder for exported variables.
func NewExportVariables ¶
func NewExportVariables(name string) *ExportVariables
NewExportVariables creates a new exported variables set with the given name.
func (*ExportVariables) AddVariable ¶
func (ev *ExportVariables) AddVariable(name, expr string) *ExportVariables
AddVariable defines an exported variable with the given name to be computed by the given expression.
func (*ExportVariables) Err ¶
func (ev *ExportVariables) Err() error
Err returns any errors accumulated during the construction of the exported variables.
func (*ExportVariables) Validate ¶
func (ev *ExportVariables) Validate() error
Validate checks whether the exported variables are valid.
type GRPCAdminClient ¶
type GRPCAdminClient struct {
// contains filtered or unexported fields
}
func NewAdminClient ¶
func NewAdminClient(address string, opts ...Opt) (*GRPCAdminClient, error)
NewAdminClient creates a new admin client. It looks for credentials in the following order:
- Environment: CERBOS_USERNAME and CERBOS_PASSWORD
- Netrc file (~/.netrc, unless an override is defined in the NETRC environment variable)
Note that Unix domain socket connections cannot fall back to netrc and require either the environment variables to be defined or the credentials to be provided explicitly via the NewAdminClientWithCredentials function.
Example ¶
ExampleNewAdminClient demonstrates how to instantiate a new admin client and make a request.
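package main

import (
	"context"
	"log"
	"time"

	"github.com/cerbos/cerbos-sdk-go/cerbos"
)

// ExampleNewAdminClient demonstrates how to instantiate a new admin client and
// make a request. The credentials come from the environment or netrc (see
// NewAdminClient); the CA certificate pins which server the client will talk to.
func main() {
	// Create an admin client using the credentials stored in environment variables or netrc.
	ac, err := cerbos.NewAdminClient("10.1.2.3:3593", cerbos.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create admin client: %v", err)
	}

	policy := cerbos.NewResourcePolicy("album:comments", "default").
		WithDerivedRolesImports("album_derived_roles").
		AddResourceRules(
			cerbos.NewAllowResourceRule("view").
				WithDerivedRoles("owners").
				WithCondition(
					cerbos.MatchAllOf(
						cerbos.MatchExpr(`request.resource.attr.status == "unmoderated"`),
						cerbos.MatchExpr(`request.resource.attr.user_status == "anonymous"`),
					),
				),
		)

	// The builders accumulate errors instead of failing eagerly; surface them
	// locally before sending the policy to the server.
	ps := cerbos.NewPolicySet().AddResourcePolicies(policy)
	if err := ps.Err(); err != nil {
		log.Fatalf("Invalid policy set: %v", err)
	}

	// Bound the admin call so a stalled connection cannot block the caller indefinitely.
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	if err := ac.AddOrUpdatePolicy(ctx, ps); err != nil {
		log.Fatalf("Failed to add policy: %v", err)
	}
}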
Output:
func NewAdminClientWithCredentials ¶
func NewAdminClientWithCredentials(address, username, password string, opts ...Opt) (*GRPCAdminClient, error)
NewAdminClientWithCredentials creates a new admin client using credentials explicitly passed as arguments.
func (*GRPCAdminClient) AddOrUpdatePolicy ¶
func (c *GRPCAdminClient) AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
func (*GRPCAdminClient) AddOrUpdateSchema ¶
func (c *GRPCAdminClient) AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error
func (*GRPCAdminClient) AuditLogs ¶
func (c *GRPCAdminClient) AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)
func (*GRPCAdminClient) DeleteSchema ¶
func (*GRPCAdminClient) DisablePolicy ¶
func (*GRPCAdminClient) EnablePolicy ¶
func (*GRPCAdminClient) ListPolicies ¶
func (c *GRPCAdminClient) ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)
func (*GRPCAdminClient) ListSchemas ¶
func (c *GRPCAdminClient) ListSchemas(ctx context.Context) ([]string, error)
func (*GRPCAdminClient) ReloadStore ¶
func (c *GRPCAdminClient) ReloadStore(ctx context.Context, wait bool) error
func (*GRPCAdminClient) WithHeaders ¶ added in v0.2.2
func (c *GRPCAdminClient) WithHeaders(keyValues ...string) *GRPCAdminClient
type GRPCClient ¶
type GRPCClient struct {
// contains filtered or unexported fields
}
func New ¶
func New(address string, opts ...Opt) (*GRPCClient, error)
New creates a new Cerbos client.
Example ¶
ExampleNew demonstrates how to instantiate a new client and make a request.
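package main

import (
	"context"
	"log"
	"time"

	"github.com/cerbos/cerbos-sdk-go/cerbos"
)

// ExampleNew demonstrates how to instantiate a new client and make a request.
func main() {
	// A client that connects to Cerbos over a Unix domain socket using a CA certificate to validate the server TLS certificates.
	c, err := cerbos.New("unix:/var/sock/cerbos", cerbos.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}

	// Bound the authorization check so a slow or unreachable server fails the
	// call instead of hanging it; an unbounded context.TODO() would block forever.
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()

	allowed, err := c.IsAllowed(
		ctx,
		cerbos.NewPrincipal("sally").WithRoles("user"),
		cerbos.NewResource("album:object", "A001"),
		"view",
	)
	if err != nil {
		// Fail closed: no decision was obtained, so the bool must not be read as a grant.
		log.Fatalf("Failed to check permission: %v", err)
	}

	log.Printf("Is Sally allowed to view album A001: %t", allowed)
}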
Output:
func (*GRPCClient) CheckResources ¶
func (c *GRPCClient) CheckResources(ctx context.Context, principal *Principal, resourceBatch *ResourceBatch) (*CheckResourcesResponse, error)
func (*GRPCClient) PlanResources ¶
func (c *GRPCClient) PlanResources(ctx context.Context, principal *Principal, resource *Resource, action string) (*PlanResourcesResponse, error)
func (*GRPCClient) ServerInfo ¶
func (c *GRPCClient) ServerInfo(ctx context.Context) (*ServerInfo, error)
func (*GRPCClient) With ¶
func (c *GRPCClient) With(reqOpts ...RequestOpt) *GRPCClient
func (*GRPCClient) WithPrincipal ¶
func (c *GRPCClient) WithPrincipal(p *Principal) PrincipalCtx
type ListPoliciesOption ¶
type ListPoliciesOption func(*requestv1.ListPoliciesRequest)
func WithIncludeDisabled ¶
func WithIncludeDisabled() ListPoliciesOption
func WithNameRegexp ¶
func WithNameRegexp(re string) ListPoliciesOption
func WithScopeRegexp ¶
func WithScopeRegexp(re string) ListPoliciesOption
func WithVersionRegexp ¶
func WithVersionRegexp(v string) ListPoliciesOption
type MatchResource ¶
type MatchResource func(*responsev1.CheckResourcesResponse_ResultEntry_Resource) bool
MatchResource is a function that returns true if the given resource is of interest. This is useful when you have more than one resource with the same ID and need to distinguish between them in the response.
func MatchResourceKind ¶
func MatchResourceKind(kind string) MatchResource
MatchResourceKind is a matcher that checks that the resource kind matches the given value.
func MatchResourcePolicyKindScopeVersion ¶
func MatchResourcePolicyKindScopeVersion(kind, version, scope string) MatchResource
MatchResourcePolicyKindScopeVersion is a matcher that checks that the resource policy kind, version and scope all match the given values.
func MatchResourcePolicyVersion ¶
func MatchResourcePolicyVersion(version string) MatchResource
MatchResourcePolicyVersion is a matcher that checks that the resource policy version matches the given value.
func MatchResourceScope ¶
func MatchResourceScope(scope string) MatchResource
MatchResourceScope is a matcher that checks that the resource scope matches the given value.
type Opt ¶
type Opt func(*config)
func WithConnectTimeout ¶
WithConnectTimeout sets the connection establishment timeout.
func WithMaxRetries ¶
WithMaxRetries sets the maximum number of retries per call.
func WithPlaintext ¶
func WithPlaintext() Opt
WithPlaintext configures the client to connect over h2c (HTTP/2 over cleartext TCP, i.e. without TLS).
func WithPlaygroundInstance ¶
WithPlaygroundInstance sets the Cerbos playground instance to use as the source of policies. Note that Playground instances are for demonstration purposes only and do not provide any performance or availability guarantees.
func WithRetryTimeout ¶
WithRetryTimeout sets the timeout per retry attempt.
func WithStatsHandler ¶ added in v0.2.1
WithStatsHandler sets the gRPC stats handler for the connection.
func WithStreamInterceptors ¶
func WithStreamInterceptors(interceptors ...grpc.StreamClientInterceptor) Opt
WithStreamInterceptors sets the interceptors to be used for streaming gRPC operations.
func WithTLSAuthority ¶
WithTLSAuthority overrides the remote server authority if it is different from what is provided in the address.
func WithTLSCACert ¶
WithTLSCACert sets the CA certificate chain to use for certificate verification.
func WithTLSClientCert ¶
WithTLSClientCert sets the client certificate to use to authenticate to the server.
func WithTLSInsecure ¶
func WithTLSInsecure() Opt
WithTLSInsecure disables TLS certificate verification for the connection.
func WithUnaryInterceptors ¶
func WithUnaryInterceptors(interceptors ...grpc.UnaryClientInterceptor) Opt
WithUnaryInterceptors sets the interceptors to be used for unary gRPC operations.
type PlanResourcesResponse ¶
type PlanResourcesResponse struct {
*responsev1.PlanResourcesResponse
}
type PolicySet ¶
type PolicySet struct {
// contains filtered or unexported fields
}
PolicySet is a container for a set of policies.
func (*PolicySet) AddDerivedRoles ¶
func (ps *PolicySet) AddDerivedRoles(policies ...*DerivedRoles) *PolicySet
AddDerivedRoles adds the given derived roles to the set.
func (*PolicySet) AddExportVariables ¶
func (ps *PolicySet) AddExportVariables(policies ...*ExportVariables) *PolicySet
AddExportVariables adds the given exported variables to the set.
func (*PolicySet) AddPolicies ¶
AddPolicies adds the given policies to the set.
func (*PolicySet) AddPolicyFromFile ¶
AddPolicyFromFile adds a policy from the given file to the set.
func (*PolicySet) AddPolicyFromFileWithErr ¶
AddPolicyFromFileWithErr adds a policy from the given file to the set and returns the error.
func (*PolicySet) AddPolicyFromReader ¶
AddPolicyFromReader adds a policy from the given reader to the set.
func (*PolicySet) AddPrincipalPolicies ¶
func (ps *PolicySet) AddPrincipalPolicies(policies ...*PrincipalPolicy) *PolicySet
AddPrincipalPolicies adds the given principal policies to the set.
func (*PolicySet) AddResourcePolicies ¶
func (ps *PolicySet) AddResourcePolicies(policies ...*ResourcePolicy) *PolicySet
AddResourcePolicies adds the given resource policies to the set.
func (*PolicySet) Err ¶
Err returns the errors accumulated during the construction of the policy set.
func (*PolicySet) GetPolicies ¶
GetPolicies returns all of the policies in the set.
type Principal ¶
Principal is a container for principal data.
func NewPrincipal ¶
NewPrincipal creates a new principal object with the given ID and roles.
func (*Principal) Err ¶
Err returns any errors accumulated during the construction of the principal.
func (*Principal) WithAttr ¶
WithAttr adds a new attribute to the principal. It will overwrite any existing attribute having the same key.
func (*Principal) WithAttributes ¶
WithAttributes merges the given attributes into the principal's existing attributes.
func (*Principal) WithPolicyVersion ¶
WithPolicyVersion sets the policy version for this principal.
type PrincipalContext ¶
// PrincipalContext provides convenience methods to access the Cerbos API in
// the context of a single principal: the principal is fixed once via
// WithPrincipal and supplied implicitly to every call below.
type PrincipalContext interface {
	// Principal returns the principal attached to this context.
	Principal() *Principal
	// IsAllowed checks access to a single resource by the principal and returns true if access is granted.
	// A non-nil error means no decision was obtained; the bool should be treated as meaningless in
	// that case, and callers should fail closed rather than grant access.
	IsAllowed(ctx context.Context, resource *Resource, action string) (bool, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, resource *Resource, action string) (*PlanResourcesResponse, error)
}
PrincipalContext provides convenience methods to access the Cerbos API in the context of a single principal.
type PrincipalCtx ¶
type PrincipalCtx struct {
// contains filtered or unexported fields
}
func (PrincipalCtx) CheckResources ¶
func (pc PrincipalCtx) CheckResources(ctx context.Context, batch *ResourceBatch) (*CheckResourcesResponse, error)
func (PrincipalCtx) PlanResources ¶
func (pc PrincipalCtx) PlanResources(ctx context.Context, resource *Resource, action string) (*PlanResourcesResponse, error)
func (PrincipalCtx) Principal ¶
func (pc PrincipalCtx) Principal() *Principal
type PrincipalPolicy ¶
type PrincipalPolicy struct { Obj *policyv1.PrincipalPolicy // contains filtered or unexported fields }
PrincipalPolicy is a builder for principal policies.
func NewPrincipalPolicy ¶
func NewPrincipalPolicy(principal, version string) *PrincipalPolicy
NewPrincipalPolicy creates a new principal policy.
func (*PrincipalPolicy) AddPrincipalRules ¶
func (pp *PrincipalPolicy) AddPrincipalRules(rules ...*PrincipalRule) *PrincipalPolicy
AddPrincipalRules adds rules to this policy.
func (*PrincipalPolicy) Err ¶
func (pp *PrincipalPolicy) Err() error
Err returns the errors accumulated during the construction of this policy.
func (*PrincipalPolicy) Validate ¶
func (pp *PrincipalPolicy) Validate() error
Validate checks whether the policy is valid.
func (*PrincipalPolicy) WithScope ¶
func (pp *PrincipalPolicy) WithScope(scope string) *PrincipalPolicy
WithScope sets the scope of this policy.
func (*PrincipalPolicy) WithVariable ¶
func (pp *PrincipalPolicy) WithVariable(name, expr string) *PrincipalPolicy
WithVariable adds a variable definition for use in conditions.
func (*PrincipalPolicy) WithVariablesImports ¶
func (pp *PrincipalPolicy) WithVariablesImports(name ...string) *PrincipalPolicy
WithVariablesImports adds import statements for exported variables.
func (*PrincipalPolicy) WithVersion ¶
func (pp *PrincipalPolicy) WithVersion(version string) *PrincipalPolicy
WithVersion sets the version of this policy.
type PrincipalRule ¶
type PrincipalRule struct {
Obj *policyv1.PrincipalRule
}
PrincipalRule is a builder for principal rules.
func NewPrincipalRule ¶
func NewPrincipalRule(resource string) *PrincipalRule
NewPrincipalRule creates a new rule for the specified resource.
func (*PrincipalRule) AllowAction ¶
func (pr *PrincipalRule) AllowAction(action string) *PrincipalRule
AllowAction sets the action as allowed on the resource.
func (*PrincipalRule) AllowActionOnCondition ¶
func (pr *PrincipalRule) AllowActionOnCondition(action string, m match) *PrincipalRule
AllowActionOnCondition sets the action as allowed if the condition is fulfilled.
func (*PrincipalRule) DenyAction ¶
func (pr *PrincipalRule) DenyAction(action string) *PrincipalRule
DenyAction sets the action as denied on the resource.
func (*PrincipalRule) DenyActionOnCondition ¶
func (pr *PrincipalRule) DenyActionOnCondition(action string, m match) *PrincipalRule
DenyActionOnCondition sets the action as denied if the condition is fulfilled.
func (*PrincipalRule) Err ¶
func (pr *PrincipalRule) Err() error
Err returns errors accumulated during the construction of the rule.
func (*PrincipalRule) Validate ¶
func (pr *PrincipalRule) Validate() error
Validate checks whether the rule is valid.
type RequestOpt ¶
RequestOpt defines per-request options.
func AuxDataJWT ¶
func AuxDataJWT(token, keySetID string) RequestOpt
AuxDataJWT sets the JWT to be used as auxiliary data for the request.
func Headers ¶ added in v0.2.2
func Headers(keyValues ...string) RequestOpt
Headers sets the gRPC header metadata for each request. Input should be a list of key-value pairs.
func IncludeMeta ¶
func IncludeMeta(f bool) RequestOpt
IncludeMeta sets the flag on requests that support it to signal that evaluation metadata should be sent back with the response.
type Resource ¶
Resource is a single resource instance.
func NewResource ¶
NewResource creates a new instance of a resource.
func (*Resource) WithAttr ¶
WithAttr adds a new attribute to the resource. It will overwrite any existing attribute having the same key.
func (*Resource) WithAttributes ¶
WithAttributes merges the given attributes into the resource's existing attributes.
func (*Resource) WithPolicyVersion ¶
WithPolicyVersion sets the policy version for this resource.
type ResourceBatch ¶
type ResourceBatch struct { Batch []*requestv1.CheckResourcesRequest_ResourceEntry // contains filtered or unexported fields }
ResourceBatch is a container for a batch of heterogeneous resources.
func NewResourceBatch ¶
func NewResourceBatch() *ResourceBatch
NewResourceBatch creates a new resource batch.
func (*ResourceBatch) Add ¶
func (rb *ResourceBatch) Add(resource *Resource, actions ...string) *ResourceBatch
Add adds a new resource, together with the actions to check for it, to the batch.
func (*ResourceBatch) Err ¶
func (rb *ResourceBatch) Err() error
Err returns any errors accumulated during the construction of the resource batch.
func (*ResourceBatch) Validate ¶
func (rb *ResourceBatch) Validate() error
Validate checks whether the resource batch is valid.
type ResourcePolicy ¶
type ResourcePolicy struct { Obj *policyv1.ResourcePolicy // contains filtered or unexported fields }
ResourcePolicy is a builder for resource policies.
func NewResourcePolicy ¶
func NewResourcePolicy(resource, version string) *ResourcePolicy
NewResourcePolicy creates a new resource policy builder.
func (*ResourcePolicy) AddResourceRules ¶
func (rp *ResourcePolicy) AddResourceRules(rules ...*ResourceRule) *ResourcePolicy
AddResourceRules adds resource rules to the policy.
func (*ResourcePolicy) Err ¶
func (rp *ResourcePolicy) Err() error
Err returns any errors accumulated during the construction of the policy.
func (*ResourcePolicy) Validate ¶
func (rp *ResourcePolicy) Validate() error
Validate checks whether the policy is valid.
func (*ResourcePolicy) WithDerivedRolesImports ¶
func (rp *ResourcePolicy) WithDerivedRolesImports(imp ...string) *ResourcePolicy
WithDerivedRolesImports adds import statements for derived roles.
func (*ResourcePolicy) WithPrincipalSchema ¶
func (rp *ResourcePolicy) WithPrincipalSchema(principalSchema *Schema) *ResourcePolicy
func (*ResourcePolicy) WithResourceSchema ¶
func (rp *ResourcePolicy) WithResourceSchema(resourceSchema *Schema) *ResourcePolicy
func (*ResourcePolicy) WithScope ¶
func (rp *ResourcePolicy) WithScope(scope string) *ResourcePolicy
func (*ResourcePolicy) WithVariable ¶
func (rp *ResourcePolicy) WithVariable(name, expr string) *ResourcePolicy
WithVariable adds a variable definition for use in conditions.
func (*ResourcePolicy) WithVariablesImports ¶
func (rp *ResourcePolicy) WithVariablesImports(name ...string) *ResourcePolicy
WithVariablesImports adds import statements for exported variables.
type ResourceResult ¶
type ResourceResult struct { *responsev1.CheckResourcesResponse_ResultEntry // contains filtered or unexported fields }
func (*ResourceResult) Err ¶
func (rr *ResourceResult) Err() error
func (*ResourceResult) IsAllowed ¶
func (rr *ResourceResult) IsAllowed(action string) bool
IsAllowed returns true if the given action is allowed. Returns false if the action is not in the response or if there was an error getting this result.
type ResourceRule ¶
type ResourceRule struct {
Obj *policyv1.ResourceRule
}
ResourceRule is a rule in a resource policy.
func NewAllowResourceRule ¶
func NewAllowResourceRule(actions ...string) *ResourceRule
NewAllowResourceRule creates a resource rule that allows the actions when matched.
func NewDenyResourceRule ¶
func NewDenyResourceRule(actions ...string) *ResourceRule
NewDenyResourceRule creates a resource rule that denies the actions when matched.
func (*ResourceRule) Err ¶
func (rr *ResourceRule) Err() error
Err returns errors accumulated during the construction of the resource rule.
func (*ResourceRule) Validate ¶
func (rr *ResourceRule) Validate() error
Validate checks whether the resource rule is valid.
func (*ResourceRule) WithCondition ¶
func (rr *ResourceRule) WithCondition(m match) *ResourceRule
WithCondition sets the condition that applies to this rule.
func (*ResourceRule) WithDerivedRoles ¶
func (rr *ResourceRule) WithDerivedRoles(roles ...string) *ResourceRule
WithDerivedRoles adds derived roles to which this rule applies.
func (*ResourceRule) WithName ¶
func (rr *ResourceRule) WithName(name string) *ResourceRule
WithName sets the name of the ResourceRule.
func (*ResourceRule) WithRoles ¶
func (rr *ResourceRule) WithRoles(roles ...string) *ResourceRule
WithRoles adds roles to which this rule applies.
type Schema ¶
type Schema struct {
Obj *policyv1.Schemas_Schema
}
Schema is a builder for Schemas_Schema.
func (*Schema) AddIgnoredActions ¶
AddIgnoredActions adds action(s) to the ignoreWhen field of the schema.
type SchemaSet ¶
type SchemaSet struct {
// contains filtered or unexported fields
}
SchemaSet is a container for a set of schemas.
func (*SchemaSet) AddSchemaFromFile ¶
AddSchemaFromFile adds a schema from the given file to the set.
func (*SchemaSet) AddSchemaFromFileWithErr ¶
AddSchemaFromFileWithErr adds a schema from the given file to the set and returns the error.
func (*SchemaSet) AddSchemaFromFileWithIDAndErr ¶
AddSchemaFromFileWithIDAndErr adds a schema with the given id from the given file to the set and returns the error.
func (*SchemaSet) AddSchemaFromReader ¶
AddSchemaFromReader adds a schema from the given reader to the set.
func (*SchemaSet) AddSchemas ¶
AddSchemas adds the given schemas to the set.
func (*SchemaSet) Err ¶
Err returns the errors accumulated during the construction of the schema set.
func (*SchemaSet) GetSchemas ¶
GetSchemas returns all of the schemas in the set.
type ServerInfo ¶
type ServerInfo struct {
*responsev1.ServerInfoResponse
}
func (*ServerInfo) MarshalJSON ¶
func (si *ServerInfo) MarshalJSON() ([]byte, error)
func (*ServerInfo) String ¶
func (si *ServerInfo) String() string