package client

v0.32.0
Published: Nov 30, 2023 License: Apache-2.0 Imports: 35 Imported by: 7

README


Cerbos Client SDK for Go

Deprecated: From Cerbos 0.31.0 onwards, the Go client implementation is available as a separate package on github.com/cerbos/cerbos-sdk-go.

go get github.com/cerbos/cerbos/client

The Go client SDK is an easy way to implement access controls in your own applications by communicating with the Cerbos PDP. Whether Cerbos runs as a microservice or a sidecar, the client SDK is able to communicate with the PDP using TCP or Unix domain sockets.

See Go docs for more information.

Check Access

c, err := client.New("unix:/var/sock/cerbos", client.WithTLSCACert("/path/to/ca.crt"))
if err != nil {
    log.Fatalf("Failed to create client: %v", err)
}

allowed, err := c.IsAllowed(
    context.TODO(),
    client.NewPrincipal("sally").WithRoles("user"),
    client.NewResource("album:object", "A001"),
    "view",
)
if err != nil {
    log.Fatalf("Failed to check permission: %v", err)
}

log.Printf("Is Sally allowed to view album A001: %t", allowed)

Easy unit/integration tests

The client SDK comes with test utilities to help you easily test your integration by spinning up temporary Cerbos instances.

s, err := testutil.StartCerbosServer(testutil.WithPolicyRepositoryDatabase("sqlite3", ":memory:"))
if err != nil {
    log.Fatalf("Failed to start Cerbos server: %v", err)
}

defer s.Stop()

c, err := client.New(s.GRPCAddr(), client.WithPlaintext())
if err != nil {
    log.Fatalf("Failed to create Cerbos client: %v", err)
}

// tests

Documentation

Overview

Package client provides a client implementation to interact with a Cerbos instance and check access policies. Deprecated: Since Cerbos 0.31.0, the Go client is available as a separate package at github.com/cerbos/cerbos-sdk-go/cerbos.

Constants

const MaxIDPerReq = 25

Variables

This section is empty.

Functions

func BatchAdminClientCall added in v0.26.0

func BatchAdminClientCall(ctx context.Context, retrieveFn func(context.Context, ...string) (uint32, error), ids ...string) (uint32, error)

func BatchAdminClientCall2 added in v0.26.0

func BatchAdminClientCall2[T []*schemav1.Schema | []*policyv1.Policy | []string](
	ctx context.Context,
	retrieveFn func(context.Context, ...string) (T, error),
	processFn func(context.Context, T) error,
	ids ...string,
) error
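As an added example, not code from the Cerbos client: a hypothetical batchFetch/batchCount pair with the same shape as BatchAdminClientCall2 and BatchAdminClientCall, splitting IDs into chunks of at most MaxIDPerReq and stopping at the first chunk that fails. The page does not document how the SDK itself splits requests, so the chunking, the error wrapping and the recordingCall stand-in for an admin method are assumptions made for this illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// MaxIDPerReq mirrors the client's documented cap of 25 IDs per admin request.
const MaxIDPerReq = 25

// batchFetch is a hypothetical helper with the shape of BatchAdminClientCall2:
// it splits ids into chunks of at most MaxIDPerReq, calls retrieve on each
// chunk and hands every result to process. It stops at the first error so a
// partial failure is surfaced rather than silently absorbed.
func batchFetch[T any](
	ctx context.Context,
	retrieve func(context.Context, ...string) (T, error),
	process func(context.Context, T) error,
	ids ...string,
) error {
	for start := 0; start < len(ids); start += MaxIDPerReq {
		if err := ctx.Err(); err != nil {
			return err // caller cancelled or timed out between chunks
		}
		end := start + MaxIDPerReq
		if end > len(ids) {
			end = len(ids)
		}
		res, err := retrieve(ctx, ids[start:end]...)
		if err != nil {
			return fmt.Errorf("ids[%d:%d]: %w", start, end, err)
		}
		if err := process(ctx, res); err != nil {
			return fmt.Errorf("ids[%d:%d]: %w", start, end, err)
		}
	}
	return nil
}

// batchCount has the shape of BatchAdminClientCall: the per-chunk counts
// (for instance the number of policies disabled) are summed into one total.
func batchCount(ctx context.Context, call func(context.Context, ...string) (uint32, error), ids ...string) (uint32, error) {
	var total uint32
	err := batchFetch(ctx, call, func(_ context.Context, n uint32) error {
		total += n
		return nil
	}, ids...)
	return total, err
}

// recordingCall stands in for an admin method such as DisablePolicy. It
// records the size of each chunk it receives and rejects any chunk over the
// cap, as a server enforcing MaxIDPerReq would.
func recordingCall(sizes *[]int) func(context.Context, ...string) (uint32, error) {
	return func(_ context.Context, ids ...string) (uint32, error) {
		if len(ids) > MaxIDPerReq {
			return 0, errors.New("too many ids in one request")
		}
		*sizes = append(*sizes, len(ids))
		return uint32(len(ids)), nil
	}
}

// makeIDs builds constructed policy IDs for the demonstration.
func makeIDs(n int) []string {
	ids := make([]string, n)
	for i := range ids {
		ids[i] = fmt.Sprintf("resource.policy_%03d.yaml", i)
	}
	return ids
}

func main() {
	var sizes []int
	total, err := batchCount(context.Background(), recordingCall(&sizes), makeIDs(60)...)
	fmt.Printf("disabled=%d chunks=%v err=%v\n", total, sizes, err) // disabled=60 chunks=[25 25 10] err=<nil>
}
```

With 60 IDs the stand-in is called three times (25, 25 and 10 IDs), an empty ID list makes no call at all, and a context cancelled by the caller stops the loop between chunks instead of issuing further requests.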

func MatchAllOf

func MatchAllOf(m ...match) match

MatchAllOf matches all of the expressions (logical AND).

func MatchAnyOf

func MatchAnyOf(m ...match) match

MatchAnyOf matches any of the expressions (logical OR).

func MatchExpr

func MatchExpr(expr string) match

MatchExpr matches a single expression.

func MatchNoneOf

func MatchNoneOf(m ...match) match

MatchNoneOf matches none of the expressions (logical NOT).

func MinInt added in v0.26.0

func MinInt(a, b int) int

Types

type AdminClient

type AdminClient interface {
	AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
	AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)
	ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)
	GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)
	DisablePolicy(ctx context.Context, ids ...string) (uint32, error)
	EnablePolicy(ctx context.Context, ids ...string) (uint32, error)
	AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error
	DeleteSchema(ctx context.Context, ids ...string) (uint32, error)
	ListSchemas(ctx context.Context) ([]string, error)
	GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)
	ReloadStore(ctx context.Context, wait bool) error
}

func NewAdminClient

func NewAdminClient(address string, opts ...Opt) (AdminClient, error)

NewAdminClient creates a new admin client. It will look for credentials in the following order:

  - Environment: CERBOS_USERNAME and CERBOS_PASSWORD
  - Netrc file (~/.netrc if an override is not defined in the NETRC environment variable)

Note that Unix domain socket connections cannot fall back to netrc and require either the environment variables to be defined or the credentials to be provided explicitly via the NewAdminClientWithCredentials function.
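The lookup order described above, worked through as an added example that is not the client's own code: resolveAdminCredentials, parseNetrc, netrcPath, envOf and the constructed netrc content are hypothetical names written for this illustration, and the environment and the netrc file are injected as functions so the order, including the Unix domain socket rule, can be exercised offline. The minimal netrc tokenizer is an assumption about the file format, not the parser the SDK uses.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// Credentials is the basic-auth pair the admin API expects.
type Credentials struct {
	Username string
	Password string
}

// netrcPath applies the override rule from the NewAdminClient doc comment:
// the NETRC environment variable if set, otherwise ~/.netrc.
func netrcPath(getenv func(string) string) string {
	if p := getenv("NETRC"); p != "" {
		return p
	}
	home, err := os.UserHomeDir()
	if err != nil {
		return ".netrc"
	}
	return filepath.Join(home, ".netrc")
}

// parseNetrc returns the login/password recorded for machine, falling back to
// a "default" entry. It is a minimal tokenizer written for this example
// (one-line and multi-line entries, no macros), not the parser the client uses.
func parseNetrc(content, machine string) (Credentials, bool) {
	entries := map[string]*Credentials{}
	var cur *Credentials
	toks := strings.Fields(content)
	for i := 0; i < len(toks); i++ {
		switch toks[i] {
		case "machine":
			if i+1 < len(toks) {
				i++
				cur = &Credentials{}
				entries[toks[i]] = cur
			}
		case "default":
			cur = &Credentials{}
			entries["default"] = cur
		case "login", "password":
			if cur != nil && i+1 < len(toks) {
				key := toks[i]
				i++
				if key == "login" {
					cur.Username = toks[i]
				} else {
					cur.Password = toks[i]
				}
			}
		}
	}
	for _, name := range []string{machine, "default"} {
		if c, ok := entries[name]; ok && c.Username != "" {
			return *c, true
		}
	}
	return Credentials{}, false
}

// resolveAdminCredentials applies the documented lookup order: explicit
// credentials (as with NewAdminClientWithCredentials) first, then
// CERBOS_USERNAME and CERBOS_PASSWORD, then netrc. A unix: address never
// falls back to netrc. getenv and readNetrc are injected for offline use.
func resolveAdminCredentials(address string, explicit *Credentials, getenv func(string) string, readNetrc func(path string) (string, error)) (Credentials, error) {
	if explicit != nil {
		return *explicit, nil
	}
	if u, p := getenv("CERBOS_USERNAME"), getenv("CERBOS_PASSWORD"); u != "" && p != "" {
		return Credentials{Username: u, Password: p}, nil
	}
	if strings.HasPrefix(address, "unix:") {
		return Credentials{}, errors.New("unix domain socket address: no netrc fallback; set CERBOS_USERNAME/CERBOS_PASSWORD or pass credentials explicitly")
	}
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		host = address // bare host without a port
	}
	content, err := readNetrc(netrcPath(getenv))
	if err != nil {
		return Credentials{}, fmt.Errorf("read netrc: %w", err)
	}
	if c, ok := parseNetrc(content, host); ok {
		return c, nil
	}
	return Credentials{}, fmt.Errorf("no admin credentials found for %q", host)
}

// envOf turns a constructed map into a getenv-style lookup.
func envOf(m map[string]string) func(string) string {
	return func(k string) string { return m[k] }
}

// constructedNetrc is sample netrc content for the demonstration (not a real secret).
const constructedNetrc = "machine 10.1.2.3 login alice password example-netrc-pw\n"

func main() {
	readNetrc := func(string) (string, error) { return constructedNetrc, nil }
	for _, addr := range []string{"10.1.2.3:3593", "unix:/var/sock/cerbos"} {
		c, err := resolveAdminCredentials(addr, nil, envOf(nil), readNetrc)
		fmt.Printf("%s -> user=%q err=%v\n", addr, c.Username, err)
	}
}
```

The netrc entry is matched on the host part of the address (the port is stripped first), both environment variables must be set for the environment to be used, and a unix: address with no environment credentials fails rather than reading the netrc file.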

Example
package main

import (
	"context"
	"log"

	"github.com/cerbos/cerbos/client"
)

func main() {
	// Create an admin client using the credentials stored in environment variables or netrc.
	ac, err := client.NewAdminClient("10.1.2.3:3593", client.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create admin client: %v", err)
	}

	policy := client.NewResourcePolicy("album:comments", "default").
		WithDerivedRolesImports("album_derived_roles").
		AddResourceRules(
			client.NewAllowResourceRule("view").
				WithDerivedRoles("owners").
				WithCondition(
					client.MatchAllOf(
						client.MatchExpr(`request.resource.attr.status == "unmoderated"`),
						client.MatchExpr(`request.resource.attr.user_status == "anonymous"`),
					),
				),
		)

	if err := ac.AddOrUpdatePolicy(context.TODO(), client.NewPolicySet().AddResourcePolicies(policy)); err != nil {
		log.Fatalf("Failed to add policy: %v", err)
	}
}
Output:

func NewAdminClientWithCredentials

func NewAdminClientWithCredentials(address, username, password string, opts ...Opt) (AdminClient, error)

NewAdminClientWithCredentials creates a new admin client using credentials explicitly passed as arguments.

type AuditLogEntry added in v0.5.0

type AuditLogEntry struct {
	// contains filtered or unexported fields
}

func (*AuditLogEntry) AccessLog added in v0.5.0

func (e *AuditLogEntry) AccessLog() (*auditv1.AccessLogEntry, error)

func (*AuditLogEntry) DecisionLog added in v0.5.0

func (e *AuditLogEntry) DecisionLog() (*auditv1.DecisionLogEntry, error)

type AuditLogOptions added in v0.5.0

type AuditLogOptions struct {
	StartTime time.Time
	EndTime   time.Time
	Lookup    string
	Tail      uint32
	Type      AuditLogType
}

AuditLogOptions is used to filter audit logs.

type AuditLogType added in v0.5.0

type AuditLogType uint8
const (
	AccessLogs AuditLogType = iota
	DecisionLogs
)

type CheckResourceBatchResponse

type CheckResourceBatchResponse struct {
	*responsev1.CheckResourceBatchResponse
	// contains filtered or unexported fields
}

CheckResourceBatchResponse is the response from the CheckResourceBatch API call.

func (*CheckResourceBatchResponse) Errors added in v0.11.0

func (crbr *CheckResourceBatchResponse) Errors() error

Errors returns any validation errors returned by the server.

func (*CheckResourceBatchResponse) IsAllowed

func (crbr *CheckResourceBatchResponse) IsAllowed(resourceID, action string) bool

IsAllowed returns true if the given action on the given resource is allowed. If the resource or the action is not included in the response, the result will always be false.

func (*CheckResourceBatchResponse) MarshalJSON added in v0.11.0

func (crbr *CheckResourceBatchResponse) MarshalJSON() ([]byte, error)

func (*CheckResourceBatchResponse) String

func (crbr *CheckResourceBatchResponse) String() string

type CheckResourceSetResponse

type CheckResourceSetResponse struct {
	*responsev1.CheckResourceSetResponse
}

CheckResourceSetResponse is the response from the CheckResourceSet API call.

func (*CheckResourceSetResponse) Errors added in v0.11.0

func (crsr *CheckResourceSetResponse) Errors() error

Errors returns all validation errors returned by the server.

func (*CheckResourceSetResponse) IsAllowed

func (crsr *CheckResourceSetResponse) IsAllowed(resourceID, action string) bool

IsAllowed returns true if the response indicates that the given action on the given resource is allowed. If the resource or action is not contained in the response, the return value will always be false.

func (*CheckResourceSetResponse) MarshalJSON added in v0.11.0

func (crsr *CheckResourceSetResponse) MarshalJSON() ([]byte, error)

func (*CheckResourceSetResponse) String

func (crsr *CheckResourceSetResponse) String() string

type CheckResourcesResponse added in v0.16.0

type CheckResourcesResponse struct {
	*responsev1.CheckResourcesResponse
	// contains filtered or unexported fields
}

CheckResourcesResponse is the response from the CheckResources API call.

func (*CheckResourcesResponse) Errors added in v0.16.0

func (crr *CheckResourcesResponse) Errors() error

Errors returns any validation errors returned by the server.

func (*CheckResourcesResponse) GetResource added in v0.16.0

func (crr *CheckResourcesResponse) GetResource(resourceID string, match ...MatchResource) *ResourceResult

GetResource finds the resource with the given ID and optional properties from the result list. Returns a ResourceResult object with the Err field set if the resource is not found.

func (*CheckResourcesResponse) MarshalJSON added in v0.16.0

func (crr *CheckResourcesResponse) MarshalJSON() ([]byte, error)

func (*CheckResourcesResponse) String added in v0.16.0

func (crr *CheckResourcesResponse) String() string

type Client

type Client interface {
	// IsAllowed checks access to a single resource by a principal and returns true if access is granted.
	IsAllowed(ctx context.Context, principal *Principal, resource *Resource, action string) (bool, error)
	// CheckResourceSet checks access to a set of resources of the same kind.
	// Deprecated: Use CheckResources instead.
	CheckResourceSet(ctx context.Context, principal *Principal, resources *ResourceSet, actions ...string) (*CheckResourceSetResponse, error)
	// CheckResourceBatch checks access to a batch of resources of different kinds.
	// Deprecated: Use CheckResources instead.
	CheckResourceBatch(ctx context.Context, principal *Principal, resources *ResourceBatch) (*CheckResourceBatchResponse, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, principal *Principal, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// ServerInfo retrieves server information.
	ServerInfo(ctx context.Context) (*ServerInfo, error)
	// With sets per-request options for the client.
	With(opts ...RequestOpt) Client
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, principal *Principal, resource *Resource, action string) (*PlanResourcesResponse, error)
	// WithPrincipal sets the principal to be used for subsequent API calls.
	WithPrincipal(principal *Principal) PrincipalContext
}

Client provides access to the Cerbos API.

func New

func New(address string, opts ...Opt) (Client, error)

New creates a new Cerbos client.

Example
package main

import (
	"context"
	"log"

	"github.com/cerbos/cerbos/client"
)

func main() {
	// A client that connects to Cerbos over a Unix domain socket using a CA certificate to validate the server TLS certificates.
	c, err := client.New("unix:/var/sock/cerbos", client.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}

	allowed, err := c.IsAllowed(
		context.TODO(),
		client.NewPrincipal("sally").WithRoles("user"),
		client.NewResource("album:object", "A001"),
		"view",
	)
	if err != nil {
		log.Fatalf("Failed to check permission: %v", err)
	}

	log.Printf("Is Sally allowed to view album A001: %t", allowed)
}
Output:

type DerivedRoles

type DerivedRoles struct {
	// contains filtered or unexported fields
}

DerivedRoles is a builder for derived roles.

func NewDerivedRoles

func NewDerivedRoles(name string) *DerivedRoles

NewDerivedRoles creates a new derived roles set with the given name.

func (*DerivedRoles) AddRole

func (dr *DerivedRoles) AddRole(name string, parentRoles []string) *DerivedRoles

AddRole adds a new derived role with the given name which is an alias for the set of parent roles.

func (*DerivedRoles) AddRoleWithCondition

func (dr *DerivedRoles) AddRoleWithCondition(name string, parentRoles []string, m match) *DerivedRoles

AddRoleWithCondition adds a derived role with a condition attached.

func (*DerivedRoles) Err

func (dr *DerivedRoles) Err() error

Err returns any errors accumulated during the construction of the derived roles.

func (*DerivedRoles) Validate

func (dr *DerivedRoles) Validate() error

Validate checks whether the derived roles are valid.

func (*DerivedRoles) WithVariable added in v0.29.0

func (dr *DerivedRoles) WithVariable(name, expr string) *DerivedRoles

WithVariable adds a variable definition for use in conditions.

func (*DerivedRoles) WithVariablesImports added in v0.29.0

func (dr *DerivedRoles) WithVariablesImports(name ...string) *DerivedRoles

WithVariablesImports adds import statements for exported variables.

type ExportVariables added in v0.29.0

type ExportVariables struct {
	// contains filtered or unexported fields
}

ExportVariables is a builder for exported variables.

func NewExportVariables added in v0.29.0

func NewExportVariables(name string) *ExportVariables

NewExportVariables creates a new exported variables set with the given name.

func (*ExportVariables) AddVariable added in v0.29.0

func (ev *ExportVariables) AddVariable(name, expr string) *ExportVariables

AddVariable defines an exported variable with the given name to be computed by the given expression.

func (*ExportVariables) Err added in v0.29.0

func (ev *ExportVariables) Err() error

Err returns any errors accumulated during the construction of the exported variables.

func (*ExportVariables) Validate added in v0.29.0

func (ev *ExportVariables) Validate() error

Validate checks whether the exported variables are valid.

type GrpcAdminClient added in v0.5.0

type GrpcAdminClient struct {
	// contains filtered or unexported fields
}

func (*GrpcAdminClient) AddOrUpdatePolicy added in v0.5.0

func (c *GrpcAdminClient) AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error

func (*GrpcAdminClient) AddOrUpdateSchema added in v0.14.0

func (c *GrpcAdminClient) AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error

func (*GrpcAdminClient) AuditLogs added in v0.5.0

func (c *GrpcAdminClient) AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)

func (*GrpcAdminClient) DeleteSchema added in v0.25.0

func (c *GrpcAdminClient) DeleteSchema(ctx context.Context, ids ...string) (uint32, error)

func (*GrpcAdminClient) DisablePolicy added in v0.25.0

func (c *GrpcAdminClient) DisablePolicy(ctx context.Context, ids ...string) (uint32, error)

func (*GrpcAdminClient) EnablePolicy added in v0.26.0

func (c *GrpcAdminClient) EnablePolicy(ctx context.Context, ids ...string) (uint32, error)

func (*GrpcAdminClient) GetPolicy added in v0.12.0

func (c *GrpcAdminClient) GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)

func (*GrpcAdminClient) GetSchema added in v0.12.0

func (c *GrpcAdminClient) GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)

func (*GrpcAdminClient) ListPolicies added in v0.7.0

func (c *GrpcAdminClient) ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)

func (*GrpcAdminClient) ListSchemas added in v0.12.0

func (c *GrpcAdminClient) ListSchemas(ctx context.Context) ([]string, error)

func (*GrpcAdminClient) ReloadStore added in v0.15.0

func (c *GrpcAdminClient) ReloadStore(ctx context.Context, wait bool) error

type ListPoliciesOption added in v0.26.0

type ListPoliciesOption func(*requestv1.ListPoliciesRequest)

func WithIncludeDisabled added in v0.26.0

func WithIncludeDisabled() ListPoliciesOption

func WithNameRegexp added in v0.29.0

func WithNameRegexp(re string) ListPoliciesOption

func WithScopeRegexp added in v0.29.0

func WithScopeRegexp(re string) ListPoliciesOption

func WithVersionRegexp added in v0.29.0

func WithVersionRegexp(v string) ListPoliciesOption

type MatchResource added in v0.16.0

MatchResource is a function that returns true if the given resource is of interest. This is useful when you have more than one resource with the same ID and need to distinguish between them in the response.

func MatchResourceKind added in v0.16.0

func MatchResourceKind(kind string) MatchResource

MatchResourceKind is a matcher that checks that the resource kind matches the given value.

func MatchResourcePolicyKindScopeVersion added in v0.16.0

func MatchResourcePolicyKindScopeVersion(kind, version, scope string) MatchResource

MatchResourcePolicyKindScopeVersion is a matcher that checks that the resource policy kind, version and scope match the given values.

func MatchResourcePolicyVersion added in v0.16.0

func MatchResourcePolicyVersion(version string) MatchResource

MatchResourcePolicyVersion is a matcher that checks that the resource policy version matches the given value.

func MatchResourceScope added in v0.16.0

func MatchResourceScope(scope string) MatchResource

MatchResourceScope is a matcher that checks that the resource scope matches the given value.

type Opt

type Opt func(*config)

func WithConnectTimeout

func WithConnectTimeout(timeout time.Duration) Opt

WithConnectTimeout sets the connection establishment timeout.

func WithMaxRetries

func WithMaxRetries(retries uint) Opt

WithMaxRetries sets the maximum number of retries per call.

func WithPlaintext

func WithPlaintext() Opt

WithPlaintext configures the client to connect over h2c (HTTP/2 over cleartext TCP, without TLS).

func WithPlaygroundInstance added in v0.6.0

func WithPlaygroundInstance(instance string) Opt

WithPlaygroundInstance sets the Cerbos playground instance to use as the source of policies. Note that Playground instances are for demonstration purposes only and do not provide any performance or availability guarantees.

func WithRetryTimeout

func WithRetryTimeout(timeout time.Duration) Opt

WithRetryTimeout sets the timeout per retry attempt.

func WithStreamInterceptors added in v0.30.0

func WithStreamInterceptors(interceptors ...grpc.StreamClientInterceptor) Opt

WithStreamInterceptors sets the interceptors to be used for streaming gRPC operations.

func WithTLSAuthority

func WithTLSAuthority(authority string) Opt

WithTLSAuthority overrides the remote server authority if it is different from what is provided in the address.

func WithTLSCACert

func WithTLSCACert(certPath string) Opt

WithTLSCACert sets the CA certificate chain to use for certificate verification.

func WithTLSClientCert

func WithTLSClientCert(cert, key string) Opt

WithTLSClientCert sets the client certificate to use to authenticate to the server.

func WithTLSInsecure

func WithTLSInsecure() Opt

WithTLSInsecure disables TLS certificate verification, so the client accepts any certificate the server presents.

func WithUnaryInterceptors added in v0.30.0

func WithUnaryInterceptors(interceptors ...grpc.UnaryClientInterceptor) Opt

WithUnaryInterceptors sets the interceptors to be used for unary gRPC operations.

func WithUserAgent

func WithUserAgent(ua string) Opt

WithUserAgent sets the user agent string.

type PlanResourcesResponse added in v0.16.0

type PlanResourcesResponse struct {
	*responsev1.PlanResourcesResponse
}

type PolicySet

type PolicySet struct {
	// contains filtered or unexported fields
}

PolicySet is a container for a set of policies.

func NewPolicySet

func NewPolicySet() *PolicySet

NewPolicySet creates a new policy set.

func (*PolicySet) AddDerivedRoles

func (ps *PolicySet) AddDerivedRoles(policies ...*DerivedRoles) *PolicySet

AddDerivedRoles adds the given derived roles to the set.

func (*PolicySet) AddExportVariables added in v0.29.0

func (ps *PolicySet) AddExportVariables(policies ...*ExportVariables) *PolicySet

AddExportVariables adds the given exported variables to the set.

func (*PolicySet) AddPolicies added in v0.12.0

func (ps *PolicySet) AddPolicies(policies ...*policyv1.Policy) *PolicySet

AddPolicies adds the given policies to the set.

func (*PolicySet) AddPolicyFromFile

func (ps *PolicySet) AddPolicyFromFile(file string) *PolicySet

AddPolicyFromFile adds a policy from the given file to the set.

func (*PolicySet) AddPolicyFromFileWithErr added in v0.14.0

func (ps *PolicySet) AddPolicyFromFileWithErr(file string) (*PolicySet, error)

AddPolicyFromFileWithErr adds a policy from the given file to the set and returns the error.

func (*PolicySet) AddPolicyFromReader

func (ps *PolicySet) AddPolicyFromReader(r io.Reader) *PolicySet

AddPolicyFromReader adds a policy from the given reader to the set.

func (*PolicySet) AddPrincipalPolicies

func (ps *PolicySet) AddPrincipalPolicies(policies ...*PrincipalPolicy) *PolicySet

AddPrincipalPolicies adds the given principal policies to the set.

func (*PolicySet) AddResourcePolicies

func (ps *PolicySet) AddResourcePolicies(policies ...*ResourcePolicy) *PolicySet

AddResourcePolicies adds the given resource policies to the set.

func (*PolicySet) Err

func (ps *PolicySet) Err() error

Err returns the errors accumulated during the construction of the policy set.

func (*PolicySet) GetPolicies added in v0.12.0

func (ps *PolicySet) GetPolicies() []*policyv1.Policy

GetPolicies returns all of the policies in the set.

func (*PolicySet) Size added in v0.13.0

func (ps *PolicySet) Size() int

Size returns the number of policies in this set.

func (*PolicySet) Validate

func (ps *PolicySet) Validate() error

Validate checks whether the policy set is valid.

type Principal

type Principal struct {
	// contains filtered or unexported fields
}

Principal is a container for principal data.

func NewPrincipal

func NewPrincipal(id string, roles ...string) *Principal

NewPrincipal creates a new principal object with the given ID and roles.

func (*Principal) Err

func (p *Principal) Err() error

Err returns any errors accumulated during the construction of the principal.

func (*Principal) ID added in v0.29.0

func (p *Principal) ID() string

ID returns the principal ID.

func (*Principal) Proto added in v0.29.0

func (p *Principal) Proto() *enginev1.Principal

Proto returns the underlying protobuf object representing the principal.

func (*Principal) Roles added in v0.29.0

func (p *Principal) Roles() []string

Roles returns the principal roles.

func (*Principal) Validate

func (p *Principal) Validate() error

Validate checks whether the principal object is valid.

func (*Principal) WithAttr

func (p *Principal) WithAttr(key string, value any) *Principal

WithAttr adds a new attribute to the principal. It will overwrite any existing attribute having the same key.

func (*Principal) WithAttributes

func (p *Principal) WithAttributes(attr map[string]any) *Principal

WithAttributes merges the given attributes into the principal's existing attributes.

func (*Principal) WithPolicyVersion

func (p *Principal) WithPolicyVersion(policyVersion string) *Principal

WithPolicyVersion sets the policy version for this principal.

func (*Principal) WithRoles

func (p *Principal) WithRoles(roles ...string) *Principal

WithRoles appends the given roles to the principal's existing roles.

func (*Principal) WithScope added in v0.19.1

func (p *Principal) WithScope(scope string) *Principal

WithScope sets the scope this principal belongs to.

type PrincipalContext added in v0.16.0

type PrincipalContext interface {
	// Principal returns the principal attached to this context.
	Principal() *Principal
	// IsAllowed checks access to a single resource by the principal and returns true if access is granted.
	IsAllowed(ctx context.Context, resource *Resource, action string) (bool, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, resource *Resource, action string) (*PlanResourcesResponse, error)
}

PrincipalContext provides convenience methods to access the Cerbos API in the context of a single principal.

type PrincipalPolicy

type PrincipalPolicy struct {
	// contains filtered or unexported fields
}

PrincipalPolicy is a builder for principal policies.

func NewPrincipalPolicy

func NewPrincipalPolicy(principal, version string) *PrincipalPolicy

NewPrincipalPolicy creates a new principal policy.

func (*PrincipalPolicy) AddPrincipalRules

func (pp *PrincipalPolicy) AddPrincipalRules(rules ...*PrincipalRule) *PrincipalPolicy

AddPrincipalRules adds rules to this policy.

func (*PrincipalPolicy) Err

func (pp *PrincipalPolicy) Err() error

Err returns the errors accumulated during the construction of this policy.

func (*PrincipalPolicy) Validate

func (pp *PrincipalPolicy) Validate() error

Validate checks whether the policy is valid.

func (*PrincipalPolicy) WithScope added in v0.22.0

func (pp *PrincipalPolicy) WithScope(scope string) *PrincipalPolicy

WithScope sets the scope of this policy.

func (*PrincipalPolicy) WithVariable added in v0.29.0

func (pp *PrincipalPolicy) WithVariable(name, expr string) *PrincipalPolicy

WithVariable adds a variable definition for use in conditions.

func (*PrincipalPolicy) WithVariablesImports added in v0.29.0

func (pp *PrincipalPolicy) WithVariablesImports(name ...string) *PrincipalPolicy

WithVariablesImports adds import statements for exported variables.

func (*PrincipalPolicy) WithVersion added in v0.22.0

func (pp *PrincipalPolicy) WithVersion(version string) *PrincipalPolicy

WithVersion sets the version of this policy.

type PrincipalRule

type PrincipalRule struct {
	// contains filtered or unexported fields
}

PrincipalRule is a builder for principal rules.

func NewPrincipalRule

func NewPrincipalRule(resource string) *PrincipalRule

NewPrincipalRule creates a new rule for the specified resource.

func (*PrincipalRule) AllowAction

func (pr *PrincipalRule) AllowAction(action string) *PrincipalRule

AllowAction sets the action as allowed on the resource.

func (*PrincipalRule) AllowActionOnCondition

func (pr *PrincipalRule) AllowActionOnCondition(action string, m match) *PrincipalRule

AllowActionOnCondition sets the action as allowed if the condition is fulfilled.

func (*PrincipalRule) DenyAction

func (pr *PrincipalRule) DenyAction(action string) *PrincipalRule

DenyAction sets the action as denied on the resource.

func (*PrincipalRule) DenyActionOnCondition

func (pr *PrincipalRule) DenyActionOnCondition(action string, m match) *PrincipalRule

DenyActionOnCondition sets the action as denied if the condition is fulfilled.

func (*PrincipalRule) Err

func (pr *PrincipalRule) Err() error

Err returns errors accumulated during the construction of the rule.

func (*PrincipalRule) Validate

func (pr *PrincipalRule) Validate() error

Validate checks whether the rule is valid.

type RequestOpt added in v0.9.0

type RequestOpt func(*reqOpt)

RequestOpt defines per-request options.

func AuxDataJWT added in v0.9.0

func AuxDataJWT(token, keySetID string) RequestOpt

AuxDataJWT sets the JWT to be used as auxiliary data for the request.

func IncludeMeta added in v0.12.0

func IncludeMeta(f bool) RequestOpt

IncludeMeta sets the flag on requests that support it to signal that evaluation metadata should be sent back with the response.

type Resource

type Resource struct {
	// contains filtered or unexported fields
}

Resource is a single resource instance.

func NewResource

func NewResource(kind, id string) *Resource

NewResource creates a new instance of a resource.

func (*Resource) Err

func (r *Resource) Err() error

Err returns any errors accumulated during the construction of the resource.

func (*Resource) ID added in v0.29.0

func (r *Resource) ID() string

ID returns the resource ID.

func (*Resource) Kind added in v0.29.0

func (r *Resource) Kind() string

Kind returns the resource kind.

func (*Resource) Proto added in v0.29.0

func (r *Resource) Proto() *enginev1.Resource

Proto returns the underlying protobuf object representing the resource.

func (*Resource) Validate

func (r *Resource) Validate() error

Validate checks whether the resource is valid.

func (*Resource) WithAttr

func (r *Resource) WithAttr(key string, value any) *Resource

WithAttr adds a new attribute to the resource. It will overwrite any existing attribute having the same key.

func (*Resource) WithAttributes

func (r *Resource) WithAttributes(attr map[string]any) *Resource

WithAttributes merges the given attributes into the resource's existing attributes.

func (*Resource) WithPolicyVersion

func (r *Resource) WithPolicyVersion(policyVersion string) *Resource

WithPolicyVersion sets the policy version for this resource.

func (*Resource) WithScope added in v0.19.1

func (r *Resource) WithScope(scope string) *Resource

WithScope sets the scope this resource belongs to.

type ResourceBatch

type ResourceBatch struct {
	// contains filtered or unexported fields
}

ResourceBatch is a container for a batch of heterogeneous resources.

func NewResourceBatch

func NewResourceBatch() *ResourceBatch

NewResourceBatch creates a new resource batch.

func (*ResourceBatch) Add

func (rb *ResourceBatch) Add(resource *Resource, actions ...string) *ResourceBatch

Add adds a new resource, with the actions to check for it, to the batch.

func (*ResourceBatch) Err

func (rb *ResourceBatch) Err() error

Err returns any errors accumulated during the construction of the resource batch.

func (*ResourceBatch) Validate

func (rb *ResourceBatch) Validate() error

Validate checks whether the resource batch is valid.

type ResourcePolicy

type ResourcePolicy struct {
	// contains filtered or unexported fields
}

ResourcePolicy is a builder for resource policies.

func NewResourcePolicy

func NewResourcePolicy(resource, version string) *ResourcePolicy

NewResourcePolicy creates a new resource policy builder.

func (*ResourcePolicy) AddResourceRules

func (rp *ResourcePolicy) AddResourceRules(rules ...*ResourceRule) *ResourcePolicy

AddResourceRules adds resource rules to the policy.

func (*ResourcePolicy) Err

func (rp *ResourcePolicy) Err() error

Err returns any errors accumulated during the construction of the policy.

func (*ResourcePolicy) Validate

func (rp *ResourcePolicy) Validate() error

Validate checks whether the policy is valid.

func (*ResourcePolicy) WithDerivedRolesImports

func (rp *ResourcePolicy) WithDerivedRolesImports(imp ...string) *ResourcePolicy

WithDerivedRolesImports adds import statements for derived roles.

func (*ResourcePolicy) WithPrincipalSchema added in v0.22.0

func (rp *ResourcePolicy) WithPrincipalSchema(principalSchema *Schema) *ResourcePolicy

func (*ResourcePolicy) WithResourceSchema added in v0.22.0

func (rp *ResourcePolicy) WithResourceSchema(resourceSchema *Schema) *ResourcePolicy

func (*ResourcePolicy) WithScope added in v0.22.0

func (rp *ResourcePolicy) WithScope(scope string) *ResourcePolicy

func (*ResourcePolicy) WithVariable added in v0.29.0

func (rp *ResourcePolicy) WithVariable(name, expr string) *ResourcePolicy

WithVariable adds a variable definition for use in conditions.

func (*ResourcePolicy) WithVariablesImports added in v0.29.0

func (rp *ResourcePolicy) WithVariablesImports(name ...string) *ResourcePolicy

WithVariablesImports adds import statements for exported variables.

type ResourceResult added in v0.16.0

type ResourceResult struct {
	*responsev1.CheckResourcesResponse_ResultEntry
	// contains filtered or unexported fields
}

func (*ResourceResult) Err added in v0.16.0

func (rr *ResourceResult) Err() error

func (*ResourceResult) IsAllowed added in v0.16.0

func (rr *ResourceResult) IsAllowed(action string) bool

IsAllowed returns true if the given action is allowed. Returns false if the action is not in the response or if there was an error getting this result.

func (*ResourceResult) Output added in v0.27.0

func (rr *ResourceResult) Output(key string) *structpb.Value

type ResourceRule

type ResourceRule struct {
	// contains filtered or unexported fields
}

ResourceRule is a rule in a resource policy.

func NewAllowResourceRule

func NewAllowResourceRule(actions ...string) *ResourceRule

NewAllowResourceRule creates a resource rule that allows the actions when matched.

func NewDenyResourceRule

func NewDenyResourceRule(actions ...string) *ResourceRule

NewDenyResourceRule creates a resource rule that denies the actions when matched.

func (*ResourceRule) Err

func (rr *ResourceRule) Err() error

Err returns errors accumulated during the construction of the resource rule.

func (*ResourceRule) Validate

func (rr *ResourceRule) Validate() error

Validate checks whether the resource rule is valid.

func (*ResourceRule) WithCondition

func (rr *ResourceRule) WithCondition(m match) *ResourceRule

WithCondition sets the condition that applies to this rule.

func (*ResourceRule) WithDerivedRoles

func (rr *ResourceRule) WithDerivedRoles(roles ...string) *ResourceRule

WithDerivedRoles adds derived roles to which this rule applies.

func (*ResourceRule) WithName added in v0.22.0

func (rr *ResourceRule) WithName(name string) *ResourceRule

WithName sets the name of the ResourceRule.

func (*ResourceRule) WithRoles

func (rr *ResourceRule) WithRoles(roles ...string) *ResourceRule

WithRoles adds roles to which this rule applies.

type ResourceSet

type ResourceSet struct {
	// contains filtered or unexported fields
}

ResourceSet is a container for a set of resources of the same kind.

func NewResourceSet

func NewResourceSet(kind string) *ResourceSet

NewResourceSet creates a new resource set.

func (*ResourceSet) AddResourceInstance

func (rs *ResourceSet) AddResourceInstance(id string, attr map[string]any) *ResourceSet

AddResourceInstance adds a new resource instance to the resource set.

func (*ResourceSet) Err

func (rs *ResourceSet) Err() error

Err returns any errors accumulated during the construction of this resource set.

func (*ResourceSet) Validate

func (rs *ResourceSet) Validate() error

Validate checks whether this resource set is valid.

func (*ResourceSet) WithPolicyVersion

func (rs *ResourceSet) WithPolicyVersion(policyVersion string) *ResourceSet

WithPolicyVersion sets the policy version for this resource set.

type Schema added in v0.22.0

type Schema struct {
	// contains filtered or unexported fields
}

Schema is a builder for Schemas_Schema.

func NewSchema added in v0.22.0

func NewSchema(ref string) *Schema

func (*Schema) AddIgnoredActions added in v0.22.0

func (s *Schema) AddIgnoredActions(actions ...string) *Schema

AddIgnoredActions adds action(s) to the ignoreWhen field of the schema.

func (*Schema) Validate added in v0.22.0

func (s *Schema) Validate() error

func (*Schema) WithRef added in v0.22.0

func (s *Schema) WithRef(ref string) *Schema

WithRef sets the ref of this schema.

type SchemaSet added in v0.14.0

type SchemaSet struct {
	// contains filtered or unexported fields
}

SchemaSet is a container for a set of schemas.

func NewSchemaSet added in v0.14.0

func NewSchemaSet() *SchemaSet

NewSchemaSet creates a new schema set.

func (*SchemaSet) AddSchemaFromFile added in v0.14.0

func (ss *SchemaSet) AddSchemaFromFile(file string, ignorePathInID bool) *SchemaSet

AddSchemaFromFile adds a schema from the given file to the set.

func (*SchemaSet) AddSchemaFromFileWithErr added in v0.14.0

func (ss *SchemaSet) AddSchemaFromFileWithErr(file string, ignorePathInID bool) (*SchemaSet, error)

AddSchemaFromFileWithErr adds a schema from the given file to the set and returns the error.

func (*SchemaSet) AddSchemaFromFileWithIDAndErr added in v0.18.0

func (ss *SchemaSet) AddSchemaFromFileWithIDAndErr(file, id string) (*SchemaSet, error)

AddSchemaFromFileWithIDAndErr adds a schema with the given id from the given file to the set and returns the error.

func (*SchemaSet) AddSchemaFromReader added in v0.14.0

func (ss *SchemaSet) AddSchemaFromReader(r io.Reader, id string) *SchemaSet

AddSchemaFromReader adds a schema from the given reader to the set.

func (*SchemaSet) AddSchemas added in v0.14.0

func (ss *SchemaSet) AddSchemas(schemas ...*schemav1.Schema) *SchemaSet

AddSchemas adds the given schemas to the set.

func (*SchemaSet) Err added in v0.14.0

func (ss *SchemaSet) Err() error

Err returns the errors accumulated during the construction of the schema set.

func (*SchemaSet) GetSchemas added in v0.14.0

func (ss *SchemaSet) GetSchemas() []*schemav1.Schema

GetSchemas returns all of the schemas in the set.

func (*SchemaSet) Size added in v0.14.0

func (ss *SchemaSet) Size() int

Size returns the number of schemas in this set.

type ServerInfo added in v0.5.0

type ServerInfo struct {
	*responsev1.ServerInfoResponse
}

func (*ServerInfo) MarshalJSON added in v0.11.0

func (si *ServerInfo) MarshalJSON() ([]byte, error)

func (*ServerInfo) String added in v0.11.0

func (si *ServerInfo) String() string

Directories

Path Synopsis
testutil Package testutil provides testing utilities such as functions to start a Cerbos server and tear it down.
