Documentation ¶
Overview ¶
Package client provides a client implementation to interact with a Cerbos instance and check access policies.

Deprecated: Since Cerbos 0.31.0, the Go client is available as a separate package at github.com/cerbos/cerbos-sdk-go/cerbos.
Index ¶
- Constants
- func BatchAdminClientCall(ctx context.Context, ...) (uint32, error)
- func BatchAdminClientCall2[T []*schemav1.Schema | []*policyv1.Policy | []string](ctx context.Context, retrieveFn func(context.Context, ...string) (T, error), ...) error
- func MatchAllOf(m ...match) match
- func MatchAnyOf(m ...match) match
- func MatchExpr(expr string) match
- func MatchNoneOf(m ...match) match
- func MinInt(a, b int) int
- type AdminClient
- type AuditLogEntry
- type AuditLogOptions
- type AuditLogType
- type CheckResourceBatchResponse
- type CheckResourceSetResponse
- type CheckResourcesResponse
- type Client
- type DerivedRoles
- func (dr *DerivedRoles) AddRole(name string, parentRoles []string) *DerivedRoles
- func (dr *DerivedRoles) AddRoleWithCondition(name string, parentRoles []string, m match) *DerivedRoles
- func (dr *DerivedRoles) Err() error
- func (dr *DerivedRoles) Validate() error
- func (dr *DerivedRoles) WithVariable(name, expr string) *DerivedRoles
- func (dr *DerivedRoles) WithVariablesImports(name ...string) *DerivedRoles
- type ExportVariables
- type GrpcAdminClient
- func (c *GrpcAdminClient) AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
- func (c *GrpcAdminClient) AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error
- func (c *GrpcAdminClient) AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)
- func (c *GrpcAdminClient) DeleteSchema(ctx context.Context, ids ...string) (uint32, error)
- func (c *GrpcAdminClient) DisablePolicy(ctx context.Context, ids ...string) (uint32, error)
- func (c *GrpcAdminClient) EnablePolicy(ctx context.Context, ids ...string) (uint32, error)
- func (c *GrpcAdminClient) GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)
- func (c *GrpcAdminClient) GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)
- func (c *GrpcAdminClient) ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)
- func (c *GrpcAdminClient) ListSchemas(ctx context.Context) ([]string, error)
- func (c *GrpcAdminClient) ReloadStore(ctx context.Context, wait bool) error
- type ListPoliciesOption
- type MatchResource
- type Opt
- func WithConnectTimeout(timeout time.Duration) Opt
- func WithMaxRetries(retries uint) Opt
- func WithPlaintext() Opt
- func WithPlaygroundInstance(instance string) Opt
- func WithRetryTimeout(timeout time.Duration) Opt
- func WithStreamInterceptors(interceptors ...grpc.StreamClientInterceptor) Opt
- func WithTLSAuthority(authority string) Opt
- func WithTLSCACert(certPath string) Opt
- func WithTLSClientCert(cert, key string) Opt
- func WithTLSInsecure() Opt
- func WithUnaryInterceptors(interceptors ...grpc.UnaryClientInterceptor) Opt
- func WithUserAgent(ua string) Opt
- type PlanResourcesResponse
- type PolicySet
- func (ps *PolicySet) AddDerivedRoles(policies ...*DerivedRoles) *PolicySet
- func (ps *PolicySet) AddExportVariables(policies ...*ExportVariables) *PolicySet
- func (ps *PolicySet) AddPolicies(policies ...*policyv1.Policy) *PolicySet
- func (ps *PolicySet) AddPolicyFromFile(file string) *PolicySet
- func (ps *PolicySet) AddPolicyFromFileWithErr(file string) (*PolicySet, error)
- func (ps *PolicySet) AddPolicyFromReader(r io.Reader) *PolicySet
- func (ps *PolicySet) AddPrincipalPolicies(policies ...*PrincipalPolicy) *PolicySet
- func (ps *PolicySet) AddResourcePolicies(policies ...*ResourcePolicy) *PolicySet
- func (ps *PolicySet) Err() error
- func (ps *PolicySet) GetPolicies() []*policyv1.Policy
- func (ps *PolicySet) Size() int
- func (ps *PolicySet) Validate() error
- type Principal
- func (p *Principal) Err() error
- func (p *Principal) ID() string
- func (p *Principal) Proto() *enginev1.Principal
- func (p *Principal) Roles() []string
- func (p *Principal) Validate() error
- func (p *Principal) WithAttr(key string, value any) *Principal
- func (p *Principal) WithAttributes(attr map[string]any) *Principal
- func (p *Principal) WithPolicyVersion(policyVersion string) *Principal
- func (p *Principal) WithRoles(roles ...string) *Principal
- func (p *Principal) WithScope(scope string) *Principal
- type PrincipalContext
- type PrincipalPolicy
- func (pp *PrincipalPolicy) AddPrincipalRules(rules ...*PrincipalRule) *PrincipalPolicy
- func (pp *PrincipalPolicy) Err() error
- func (pp *PrincipalPolicy) Validate() error
- func (pp *PrincipalPolicy) WithScope(scope string) *PrincipalPolicy
- func (pp *PrincipalPolicy) WithVariable(name, expr string) *PrincipalPolicy
- func (pp *PrincipalPolicy) WithVariablesImports(name ...string) *PrincipalPolicy
- func (pp *PrincipalPolicy) WithVersion(version string) *PrincipalPolicy
- type PrincipalRule
- func (pr *PrincipalRule) AllowAction(action string) *PrincipalRule
- func (pr *PrincipalRule) AllowActionOnCondition(action string, m match) *PrincipalRule
- func (pr *PrincipalRule) DenyAction(action string) *PrincipalRule
- func (pr *PrincipalRule) DenyActionOnCondition(action string, m match) *PrincipalRule
- func (pr *PrincipalRule) Err() error
- func (pr *PrincipalRule) Validate() error
- type RequestOpt
- type Resource
- func (r *Resource) Err() error
- func (r *Resource) ID() string
- func (r *Resource) Kind() string
- func (r *Resource) Proto() *enginev1.Resource
- func (r *Resource) Validate() error
- func (r *Resource) WithAttr(key string, value any) *Resource
- func (r *Resource) WithAttributes(attr map[string]any) *Resource
- func (r *Resource) WithPolicyVersion(policyVersion string) *Resource
- func (r *Resource) WithScope(scope string) *Resource
- type ResourceBatch
- type ResourcePolicy
- func (rp *ResourcePolicy) AddResourceRules(rules ...*ResourceRule) *ResourcePolicy
- func (rp *ResourcePolicy) Err() error
- func (rp *ResourcePolicy) Validate() error
- func (rp *ResourcePolicy) WithDerivedRolesImports(imp ...string) *ResourcePolicy
- func (rp *ResourcePolicy) WithPrincipalSchema(principalSchema *Schema) *ResourcePolicy
- func (rp *ResourcePolicy) WithResourceSchema(resourceSchema *Schema) *ResourcePolicy
- func (rp *ResourcePolicy) WithScope(scope string) *ResourcePolicy
- func (rp *ResourcePolicy) WithVariable(name, expr string) *ResourcePolicy
- func (rp *ResourcePolicy) WithVariablesImports(name ...string) *ResourcePolicy
- type ResourceResult
- type ResourceRule
- func (rr *ResourceRule) Err() error
- func (rr *ResourceRule) Validate() error
- func (rr *ResourceRule) WithCondition(m match) *ResourceRule
- func (rr *ResourceRule) WithDerivedRoles(roles ...string) *ResourceRule
- func (rr *ResourceRule) WithName(name string) *ResourceRule
- func (rr *ResourceRule) WithRoles(roles ...string) *ResourceRule
- type ResourceSet
- type Schema
- type SchemaSet
- func (ss *SchemaSet) AddSchemaFromFile(file string, ignorePathInID bool) *SchemaSet
- func (ss *SchemaSet) AddSchemaFromFileWithErr(file string, ignorePathInID bool) (*SchemaSet, error)
- func (ss *SchemaSet) AddSchemaFromFileWithIDAndErr(file, id string) (*SchemaSet, error)
- func (ss *SchemaSet) AddSchemaFromReader(r io.Reader, id string) *SchemaSet
- func (ss *SchemaSet) AddSchemas(schemas ...*schemav1.Schema) *SchemaSet
- func (ss *SchemaSet) Err() error
- func (ss *SchemaSet) GetSchemas() []*schemav1.Schema
- func (ss *SchemaSet) Size() int
- type ServerInfo
Examples ¶
Constants ¶
// MaxIDPerReq caps the number of IDs sent in a single request.
// NOTE(review): presumably the batch size that BatchAdminClientCall splits on — confirm.
const MaxIDPerReq = 25
Variables ¶
This section is empty.
Functions ¶
func BatchAdminClientCall ¶ added in v0.26.0
func BatchAdminClientCall2 ¶ added in v0.26.0
func MatchAllOf ¶
func MatchAllOf(m ...match) match
MatchAllOf matches all of the expressions (logical AND).
func MatchAnyOf ¶
func MatchAnyOf(m ...match) match
MatchAnyOf matches any of the expressions (logical OR).
func MatchNoneOf ¶
func MatchNoneOf(m ...match) match
MatchNoneOf matches none of the expressions (logical NOT).
Types ¶
type AdminClient ¶
// AdminClient is the interface returned by NewAdminClient and
// NewAdminClientWithCredentials. Its methods modify or read server-side
// policy and schema state, which is why an admin client is constructed
// with credentials (see NewAdminClient for the lookup order).
type AdminClient interface {
	AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
	// AuditLogs streams entries matching opts; each entry exposes either an
	// AccessLog or a DecisionLog.
	AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)
	ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)
	GetPolicy(ctx context.Context, ids ...string) ([]*policyv1.Policy, error)
	// DisablePolicy, EnablePolicy and DeleteSchema return a uint32 count;
	// presumably the number of affected items — confirm.
	DisablePolicy(ctx context.Context, ids ...string) (uint32, error)
	EnablePolicy(ctx context.Context, ids ...string) (uint32, error)
	AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error
	DeleteSchema(ctx context.Context, ids ...string) (uint32, error)
	ListSchemas(ctx context.Context) ([]string, error)
	GetSchema(ctx context.Context, ids ...string) ([]*schemav1.Schema, error)
	ReloadStore(ctx context.Context, wait bool) error
}
func NewAdminClient ¶
func NewAdminClient(address string, opts ...Opt) (AdminClient, error)
NewAdminClient creates a new admin client. It will look for credentials in the following order:
- Environment: CERBOS_USERNAME and CERBOS_PASSWORD
- Netrc file (~/.netrc if an override is not defined in the NETRC environment variable)
Note that Unix domain socket connections cannot fall back to netrc and require either the environment variables to be defined or the credentials to be provided explicitly via the NewAdminClientWithCredentials function.
Example ¶
package main

import (
	"context"
	"log"

	"github.com/cerbos/cerbos/client"
)

func main() {
	// Admin credentials are taken from the environment (CERBOS_USERNAME/CERBOS_PASSWORD)
	// or netrc; the CA bundle is used to validate the server's TLS certificate.
	ac, err := client.NewAdminClient("10.1.2.3:3593", client.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create admin client: %v", err)
	}

	// The rule allows "view" to the "owners" derived role only for resources
	// whose status is unmoderated and whose user_status is anonymous.
	condition := client.MatchAllOf(
		client.MatchExpr(`request.resource.attr.status == "unmoderated"`),
		client.MatchExpr(`request.resource.attr.user_status == "anonymous"`),
	)
	viewRule := client.NewAllowResourceRule("view").
		WithDerivedRoles("owners").
		WithCondition(condition)

	policy := client.NewResourcePolicy("album:comments", "default").
		WithDerivedRolesImports("album_derived_roles").
		AddResourceRules(viewRule)

	policySet := client.NewPolicySet().AddResourcePolicies(policy)
	if err := ac.AddOrUpdatePolicy(context.TODO(), policySet); err != nil {
		log.Fatalf("Failed to add policy: %v", err)
	}
}
func NewAdminClientWithCredentials ¶
func NewAdminClientWithCredentials(address, username, password string, opts ...Opt) (AdminClient, error)
NewAdminClientWithCredentials creates a new admin client using credentials explicitly passed as arguments.
type AuditLogEntry ¶ added in v0.5.0
// AuditLogEntry is one entry received from AdminClient.AuditLogs. Depending on
// the requested AuditLogType it yields either an AccessLog or a DecisionLog.
type AuditLogEntry struct {
	// contains filtered or unexported fields
}
func (*AuditLogEntry) AccessLog ¶ added in v0.5.0
func (e *AuditLogEntry) AccessLog() (*auditv1.AccessLogEntry, error)
func (*AuditLogEntry) DecisionLog ¶ added in v0.5.0
func (e *AuditLogEntry) DecisionLog() (*auditv1.DecisionLogEntry, error)
type AuditLogOptions ¶ added in v0.5.0
// AuditLogOptions is used to filter audit logs.
// NOTE(review): how StartTime/EndTime, Lookup and Tail combine (and which
// takes precedence when several are set) is not documented here — confirm
// against AuditLogs before relying on it.
type AuditLogOptions struct {
	StartTime time.Time
	EndTime   time.Time
	Lookup    string
	Tail      uint32
	Type      AuditLogType // AccessLogs or DecisionLogs
}
AuditLogOptions is used to filter audit logs.
type AuditLogType ¶ added in v0.5.0
// AuditLogType selects which kind of audit log AuditLogs returns; see the
// AccessLogs and DecisionLogs constants.
type AuditLogType uint8
// Values for AuditLogOptions.Type.
const (
	AccessLogs   AuditLogType = iota // entries readable via AuditLogEntry.AccessLog
	DecisionLogs                     // entries readable via AuditLogEntry.DecisionLog
)
type CheckResourceBatchResponse ¶
// CheckResourceBatchResponse is the response from the CheckResourceBatch API call.
// CheckResourceBatch is deprecated in favour of CheckResources (see Client).
type CheckResourceBatchResponse struct {
	*responsev1.CheckResourceBatchResponse
	// contains filtered or unexported fields
}
CheckResourceBatchResponse is the response from the CheckResourceBatch API call.
func (*CheckResourceBatchResponse) Errors ¶ added in v0.11.0
func (crbr *CheckResourceBatchResponse) Errors() error
Errors returns any validation errors returned by the server.
func (*CheckResourceBatchResponse) IsAllowed ¶
func (crbr *CheckResourceBatchResponse) IsAllowed(resourceID, action string) bool
IsAllowed returns true if the given action on the given resource is allowed. If the resource or the action is not included in the response, the result will always be false.
func (*CheckResourceBatchResponse) MarshalJSON ¶ added in v0.11.0
func (crbr *CheckResourceBatchResponse) MarshalJSON() ([]byte, error)
func (*CheckResourceBatchResponse) String ¶
func (crbr *CheckResourceBatchResponse) String() string
type CheckResourceSetResponse ¶
// CheckResourceSetResponse is the response from the CheckResourceSet API call.
// CheckResourceSet is deprecated in favour of CheckResources (see Client).
type CheckResourceSetResponse struct {
	*responsev1.CheckResourceSetResponse
}
CheckResourceSetResponse is the response from the CheckResourceSet API call.
func (*CheckResourceSetResponse) Errors ¶ added in v0.11.0
func (crsr *CheckResourceSetResponse) Errors() error
Errors returns all validation errors returned by the server.
func (*CheckResourceSetResponse) IsAllowed ¶
func (crsr *CheckResourceSetResponse) IsAllowed(resourceID, action string) bool
IsAllowed returns true if the response indicates that the given action on the given resource is allowed. If the resource or action is not contained in the response, the return value will always be false.
func (*CheckResourceSetResponse) MarshalJSON ¶ added in v0.11.0
func (crsr *CheckResourceSetResponse) MarshalJSON() ([]byte, error)
func (*CheckResourceSetResponse) String ¶
func (crsr *CheckResourceSetResponse) String() string
type CheckResourcesResponse ¶ added in v0.16.0
// CheckResourcesResponse is the response from the CheckResources API call.
// Use GetResource to pick out a single resource's result and Errors to
// retrieve any validation errors reported by the server.
type CheckResourcesResponse struct {
	*responsev1.CheckResourcesResponse
	// contains filtered or unexported fields
}
CheckResourcesResponse is the response from the CheckResources API call.
func (*CheckResourcesResponse) Errors ¶ added in v0.16.0
func (crr *CheckResourcesResponse) Errors() error
Errors returns any validation errors returned by the server.
func (*CheckResourcesResponse) GetResource ¶ added in v0.16.0
func (crr *CheckResourcesResponse) GetResource(resourceID string, match ...MatchResource) *ResourceResult
GetResource finds the resource with the given ID and optional properties from the result list. Returns a ResourceResult object with the Err field set if the resource is not found.
func (*CheckResourcesResponse) MarshalJSON ¶ added in v0.16.0
func (crr *CheckResourcesResponse) MarshalJSON() ([]byte, error)
func (*CheckResourcesResponse) String ¶ added in v0.16.0
func (crr *CheckResourcesResponse) String() string
type Client ¶
// Client provides access to the Cerbos API.
type Client interface {
	// IsAllowed checks access to a single resource by a principal and returns true if access is granted.
	IsAllowed(ctx context.Context, principal *Principal, resource *Resource, action string) (bool, error)
	// CheckResourceSet checks access to a set of resources of the same kind.
	// Deprecated: Use CheckResources instead.
	CheckResourceSet(ctx context.Context, principal *Principal, resources *ResourceSet, actions ...string) (*CheckResourceSetResponse, error)
	// CheckResourceBatch checks access to a batch of resources of different kinds.
	// Deprecated: Use CheckResources instead.
	CheckResourceBatch(ctx context.Context, principal *Principal, resources *ResourceBatch) (*CheckResourceBatchResponse, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, principal *Principal, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// ServerInfo retrieves server information.
	ServerInfo(ctx context.Context) (*ServerInfo, error)
	// With sets per-request options for the client.
	With(opts ...RequestOpt) Client
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, principal *Principal, resource *Resource, action string) (*PlanResourcesResponse, error)
	// WithPrincipal sets the principal to be used for subsequent API calls.
	WithPrincipal(principal *Principal) PrincipalContext
}
Client provides access to the Cerbos API.
func New ¶
New creates a new Cerbos client.
Example ¶
package main

import (
	"context"
	"log"

	"github.com/cerbos/cerbos/client"
)

func main() {
	// Connect over a Unix domain socket; the CA bundle is used to validate
	// the server's TLS certificate.
	cerbosClient, err := client.New("unix:/var/sock/cerbos", client.WithTLSCACert("/path/to/ca.crt"))
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}

	principal := client.NewPrincipal("sally").WithRoles("user")
	album := client.NewResource("album:object", "A001")

	allowed, err := cerbosClient.IsAllowed(context.TODO(), principal, album, "view")
	if err != nil {
		log.Fatalf("Failed to check permission: %v", err)
	}

	log.Printf("Is Sally allowed to view album A001: %t", allowed)
}
type DerivedRoles ¶
// DerivedRoles is a builder for derived roles. Construct it with
// NewDerivedRoles and check Err (or Validate) before adding it to a PolicySet.
type DerivedRoles struct {
	// contains filtered or unexported fields
}
DerivedRoles is a builder for derived roles.
func NewDerivedRoles ¶
func NewDerivedRoles(name string) *DerivedRoles
NewDerivedRoles creates a new derived roles set with the given name.
func (*DerivedRoles) AddRole ¶
func (dr *DerivedRoles) AddRole(name string, parentRoles []string) *DerivedRoles
AddRole adds a new derived role with the given name which is an alias for the set of parent roles.
func (*DerivedRoles) AddRoleWithCondition ¶
func (dr *DerivedRoles) AddRoleWithCondition(name string, parentRoles []string, m match) *DerivedRoles
AddRoleWithCondition adds a derived role with a condition attached.
func (*DerivedRoles) Err ¶
func (dr *DerivedRoles) Err() error
Err returns any errors accumulated during the construction of the derived roles.
func (*DerivedRoles) Validate ¶
func (dr *DerivedRoles) Validate() error
Validate checks whether the derived roles are valid.
func (*DerivedRoles) WithVariable ¶ added in v0.29.0
func (dr *DerivedRoles) WithVariable(name, expr string) *DerivedRoles
WithVariable adds a variable definition for use in conditions.
func (*DerivedRoles) WithVariablesImports ¶ added in v0.29.0
func (dr *DerivedRoles) WithVariablesImports(name ...string) *DerivedRoles
WithVariablesImports adds import statements for exported variables.
type ExportVariables ¶ added in v0.29.0
// ExportVariables is a builder for exported variables. Construct it with
// NewExportVariables and check Err (or Validate) before adding it to a PolicySet.
type ExportVariables struct {
	// contains filtered or unexported fields
}
ExportVariables is a builder for exported variables.
func NewExportVariables ¶ added in v0.29.0
func NewExportVariables(name string) *ExportVariables
NewExportVariables creates a new exported variables set with the given name.
func (*ExportVariables) AddVariable ¶ added in v0.29.0
func (ev *ExportVariables) AddVariable(name, expr string) *ExportVariables
AddVariable defines an exported variable with the given name to be computed by the given expression.
func (*ExportVariables) Err ¶ added in v0.29.0
func (ev *ExportVariables) Err() error
Err returns any errors accumulated during the construction of the exported variables.
func (*ExportVariables) Validate ¶ added in v0.29.0
func (ev *ExportVariables) Validate() error
Validate checks whether the exported variables are valid.
type GrpcAdminClient ¶ added in v0.5.0
// GrpcAdminClient is a concrete AdminClient; its exported method set mirrors
// the AdminClient interface.
type GrpcAdminClient struct {
	// contains filtered or unexported fields
}
func (*GrpcAdminClient) AddOrUpdatePolicy ¶ added in v0.5.0
func (c *GrpcAdminClient) AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
func (*GrpcAdminClient) AddOrUpdateSchema ¶ added in v0.14.0
func (c *GrpcAdminClient) AddOrUpdateSchema(ctx context.Context, schemas *SchemaSet) error
func (*GrpcAdminClient) AuditLogs ¶ added in v0.5.0
func (c *GrpcAdminClient) AuditLogs(ctx context.Context, opts AuditLogOptions) (<-chan *AuditLogEntry, error)
func (*GrpcAdminClient) DeleteSchema ¶ added in v0.25.0
func (*GrpcAdminClient) DisablePolicy ¶ added in v0.25.0
func (*GrpcAdminClient) EnablePolicy ¶ added in v0.26.0
func (*GrpcAdminClient) ListPolicies ¶ added in v0.7.0
func (c *GrpcAdminClient) ListPolicies(ctx context.Context, opts ...ListPoliciesOption) ([]string, error)
func (*GrpcAdminClient) ListSchemas ¶ added in v0.12.0
func (c *GrpcAdminClient) ListSchemas(ctx context.Context) ([]string, error)
func (*GrpcAdminClient) ReloadStore ¶ added in v0.15.0
func (c *GrpcAdminClient) ReloadStore(ctx context.Context, wait bool) error
type ListPoliciesOption ¶ added in v0.26.0
// ListPoliciesOption customises an AdminClient.ListPolicies call; see
// WithIncludeDisabled, WithNameRegexp, WithScopeRegexp and WithVersionRegexp.
type ListPoliciesOption func(*requestv1.ListPoliciesRequest)
func WithIncludeDisabled ¶ added in v0.26.0
func WithIncludeDisabled() ListPoliciesOption
func WithNameRegexp ¶ added in v0.29.0
func WithNameRegexp(re string) ListPoliciesOption
func WithScopeRegexp ¶ added in v0.29.0
func WithScopeRegexp(re string) ListPoliciesOption
func WithVersionRegexp ¶ added in v0.29.0
func WithVersionRegexp(v string) ListPoliciesOption
type MatchResource ¶ added in v0.16.0
// MatchResource is a function that returns true if the given resource is of
// interest. This is useful when more than one resource shares the same ID and
// they need to be distinguished in the response (see CheckResourcesResponse.GetResource).
type MatchResource func(*responsev1.CheckResourcesResponse_ResultEntry_Resource) bool
MatchResource is a function that returns true if the given resource is of interest. This is useful when you have more than one resource with the same ID and need to distinguish between them in the response.
func MatchResourceKind ¶ added in v0.16.0
func MatchResourceKind(kind string) MatchResource
MatchResourceKind is a matcher that checks that the resource kind matches the given value.
func MatchResourcePolicyKindScopeVersion ¶ added in v0.16.0
func MatchResourcePolicyKindScopeVersion(kind, version, scope string) MatchResource
MatchResourcePolicyKindScopeVersion is a matcher that checks that the resource policy kind, version and scope match the given values.
func MatchResourcePolicyVersion ¶ added in v0.16.0
func MatchResourcePolicyVersion(version string) MatchResource
MatchResourcePolicyVersion is a matcher that checks that the resource policy version matches the given value.
func MatchResourceScope ¶ added in v0.16.0
func MatchResourceScope(scope string) MatchResource
MatchResourceScope is a matcher that checks that the resource scope matches the given value.
type Opt ¶
// Opt configures a client created by New or NewAdminClient; see the With*
// functions for the available options.
type Opt func(*config)
func WithConnectTimeout ¶
WithConnectTimeout sets the connection establishment timeout.
func WithMaxRetries ¶
WithMaxRetries sets the maximum number of retries per call.
func WithPlaintext ¶
func WithPlaintext() Opt
WithPlaintext configures the client to connect over h2c.
func WithPlaygroundInstance ¶ added in v0.6.0
WithPlaygroundInstance sets the Cerbos playground instance to use as the source of policies. Note that Playground instances are for demonstration purposes only and do not provide any performance or availability guarantees.
func WithRetryTimeout ¶
WithRetryTimeout sets the timeout per retry attempt.
func WithStreamInterceptors ¶ added in v0.30.0
func WithStreamInterceptors(interceptors ...grpc.StreamClientInterceptor) Opt
WithStreamInterceptors sets the interceptors to be used for streaming gRPC operations.
func WithTLSAuthority ¶
WithTLSAuthority overrides the remote server authority if it is different from what is provided in the address.
func WithTLSCACert ¶
WithTLSCACert sets the CA certificate chain to use for certificate verification.
func WithTLSClientCert ¶
WithTLSClientCert sets the client certificate to use to authenticate to the server.
func WithTLSInsecure ¶
func WithTLSInsecure() Opt
WithTLSInsecure disables verification of the server's TLS certificate.
func WithUnaryInterceptors ¶ added in v0.30.0
func WithUnaryInterceptors(interceptors ...grpc.UnaryClientInterceptor) Opt
WithUnaryInterceptors sets the interceptors to be used for unary gRPC operations.
type PlanResourcesResponse ¶ added in v0.16.0
// PlanResourcesResponse wraps the response of a PlanResources call (see Client
// and PrincipalContext).
type PlanResourcesResponse struct {
	*responsev1.PlanResourcesResponse
}
type PolicySet ¶
// PolicySet is a container for a set of policies, passed to
// AdminClient.AddOrUpdatePolicy. Construct it with NewPolicySet and check Err
// (or Validate) after adding policies.
type PolicySet struct {
	// contains filtered or unexported fields
}
PolicySet is a container for a set of policies.
func (*PolicySet) AddDerivedRoles ¶
func (ps *PolicySet) AddDerivedRoles(policies ...*DerivedRoles) *PolicySet
AddDerivedRoles adds the given derived roles to the set.
func (*PolicySet) AddExportVariables ¶ added in v0.29.0
func (ps *PolicySet) AddExportVariables(policies ...*ExportVariables) *PolicySet
AddExportVariables adds the given exported variables to the set.
func (*PolicySet) AddPolicies ¶ added in v0.12.0
AddPolicies adds the given policies to the set.
func (*PolicySet) AddPolicyFromFile ¶
AddPolicyFromFile adds a policy from the given file to the set.
func (*PolicySet) AddPolicyFromFileWithErr ¶ added in v0.14.0
AddPolicyFromFileWithErr adds a policy from the given file to the set and returns the error.
func (*PolicySet) AddPolicyFromReader ¶
AddPolicyFromReader adds a policy from the given reader to the set.
func (*PolicySet) AddPrincipalPolicies ¶
func (ps *PolicySet) AddPrincipalPolicies(policies ...*PrincipalPolicy) *PolicySet
AddPrincipalPolicies adds the given principal policies to the set.
func (*PolicySet) AddResourcePolicies ¶
func (ps *PolicySet) AddResourcePolicies(policies ...*ResourcePolicy) *PolicySet
AddResourcePolicies adds the given resource policies to the set.
func (*PolicySet) Err ¶
Err returns the errors accumulated during the construction of the policy set.
func (*PolicySet) GetPolicies ¶ added in v0.12.0
GetPolicies returns all of the policies in the set.
type Principal ¶
// Principal is a container for principal data. Construct it with NewPrincipal;
// Proto exposes the underlying protobuf object.
type Principal struct {
	// contains filtered or unexported fields
}
Principal is a container for principal data.
func NewPrincipal ¶
NewPrincipal creates a new principal object with the given ID and roles.
func (*Principal) Err ¶
Err returns any errors accumulated during the construction of the principal.
func (*Principal) Proto ¶ added in v0.29.0
Proto returns the underlying protobuf object representing the principal.
func (*Principal) WithAttr ¶
WithAttr adds a new attribute to the principal. It will overwrite any existing attribute having the same key.
func (*Principal) WithAttributes ¶
WithAttributes merges the given attributes into the principal's existing attributes.
func (*Principal) WithPolicyVersion ¶
WithPolicyVersion sets the policy version for this principal.
type PrincipalContext ¶ added in v0.16.0
// PrincipalContext provides convenience methods to access the Cerbos API in
// the context of a single principal. Obtain one via Client.WithPrincipal.
type PrincipalContext interface {
	// Principal returns the principal attached to this context.
	Principal() *Principal
	// IsAllowed checks access to a single resource by the principal and returns true if access is granted.
	IsAllowed(ctx context.Context, resource *Resource, action string) (bool, error)
	// CheckResources checks access to a batch of resources of different kinds.
	CheckResources(ctx context.Context, resources *ResourceBatch) (*CheckResourcesResponse, error)
	// PlanResources creates a query plan for performing the given action on a set of resources of the given kind.
	PlanResources(ctx context.Context, resource *Resource, action string) (*PlanResourcesResponse, error)
}
PrincipalContext provides convenience methods to access the Cerbos API in the context of a single principal.
type PrincipalPolicy ¶
// PrincipalPolicy is a builder for principal policies. Construct it with
// NewPrincipalPolicy and check Err (or Validate) before adding it to a PolicySet.
type PrincipalPolicy struct {
	// contains filtered or unexported fields
}
PrincipalPolicy is a builder for principal policies.
func NewPrincipalPolicy ¶
func NewPrincipalPolicy(principal, version string) *PrincipalPolicy
NewPrincipalPolicy creates a new principal policy.
func (*PrincipalPolicy) AddPrincipalRules ¶
func (pp *PrincipalPolicy) AddPrincipalRules(rules ...*PrincipalRule) *PrincipalPolicy
AddPrincipalRules adds rules to this policy.
func (*PrincipalPolicy) Err ¶
func (pp *PrincipalPolicy) Err() error
Err returns the errors accumulated during the construction of this policy.
func (*PrincipalPolicy) Validate ¶
func (pp *PrincipalPolicy) Validate() error
Validate checks whether the policy is valid.
func (*PrincipalPolicy) WithScope ¶ added in v0.22.0
func (pp *PrincipalPolicy) WithScope(scope string) *PrincipalPolicy
WithScope sets the scope of this policy.
func (*PrincipalPolicy) WithVariable ¶ added in v0.29.0
func (pp *PrincipalPolicy) WithVariable(name, expr string) *PrincipalPolicy
WithVariable adds a variable definition for use in conditions.
func (*PrincipalPolicy) WithVariablesImports ¶ added in v0.29.0
func (pp *PrincipalPolicy) WithVariablesImports(name ...string) *PrincipalPolicy
WithVariablesImports adds import statements for exported variables.
func (*PrincipalPolicy) WithVersion ¶ added in v0.22.0
func (pp *PrincipalPolicy) WithVersion(version string) *PrincipalPolicy
WithVersion sets the version of this policy.
type PrincipalRule ¶
// PrincipalRule is a builder for principal rules. Construct it with
// NewPrincipalRule and add it to a PrincipalPolicy via AddPrincipalRules.
type PrincipalRule struct {
	// contains filtered or unexported fields
}
PrincipalRule is a builder for principal rules.
func NewPrincipalRule ¶
func NewPrincipalRule(resource string) *PrincipalRule
NewPrincipalRule creates a new rule for the specified resource.
func (*PrincipalRule) AllowAction ¶
func (pr *PrincipalRule) AllowAction(action string) *PrincipalRule
AllowAction sets the action as allowed on the resource.
func (*PrincipalRule) AllowActionOnCondition ¶
func (pr *PrincipalRule) AllowActionOnCondition(action string, m match) *PrincipalRule
AllowActionOnCondition sets the action as allowed if the condition is fulfilled.
func (*PrincipalRule) DenyAction ¶
func (pr *PrincipalRule) DenyAction(action string) *PrincipalRule
DenyAction sets the action as denied on the resource.
func (*PrincipalRule) DenyActionOnCondition ¶
func (pr *PrincipalRule) DenyActionOnCondition(action string, m match) *PrincipalRule
DenyActionOnCondition sets the action as denied if the condition is fulfilled.
func (*PrincipalRule) Err ¶
func (pr *PrincipalRule) Err() error
Err returns errors accumulated during the construction of the rule.
func (*PrincipalRule) Validate ¶
func (pr *PrincipalRule) Validate() error
Validate checks whether the rule is valid.
type RequestOpt ¶ added in v0.9.0
// RequestOpt defines per-request options, applied via Client.With; see
// AuxDataJWT and IncludeMeta.
type RequestOpt func(*reqOpt)
RequestOpt defines per-request options.
func AuxDataJWT ¶ added in v0.9.0
func AuxDataJWT(token, keySetID string) RequestOpt
AuxDataJWT sets the JWT to be used as auxiliary data for the request.
func IncludeMeta ¶ added in v0.12.0
func IncludeMeta(f bool) RequestOpt
IncludeMeta sets the flag on requests that support it to signal that evaluation metadata should be sent back with the response.
type Resource ¶
// Resource is a single resource instance. Construct it with NewResource;
// Proto exposes the underlying protobuf object.
type Resource struct {
	// contains filtered or unexported fields
}
Resource is a single resource instance.
func NewResource ¶
NewResource creates a new instance of a resource.
func (*Resource) Proto ¶ added in v0.29.0
Proto returns the underlying protobuf object representing the resource.
func (*Resource) WithAttr ¶
WithAttr adds a new attribute to the resource. It will overwrite any existing attribute having the same key.
func (*Resource) WithAttributes ¶
WithAttributes merges the given attributes into the resource's existing attributes.
func (*Resource) WithPolicyVersion ¶
WithPolicyVersion sets the policy version for this resource.
type ResourceBatch ¶
// ResourceBatch is a container for a batch of heterogeneous resources, used
// with CheckResources. Construct it with NewResourceBatch and check Err (or
// Validate) after adding resources.
type ResourceBatch struct {
	// contains filtered or unexported fields
}
ResourceBatch is a container for a batch of heterogeneous resources.
func NewResourceBatch ¶
func NewResourceBatch() *ResourceBatch
NewResourceBatch creates a new resource batch.
func (*ResourceBatch) Add ¶
func (rb *ResourceBatch) Add(resource *Resource, actions ...string) *ResourceBatch
Add adds a new resource, together with the actions to check on it, to the batch.
func (*ResourceBatch) Err ¶
func (rb *ResourceBatch) Err() error
Err returns any errors accumulated during the construction of the resource batch.
func (*ResourceBatch) Validate ¶
func (rb *ResourceBatch) Validate() error
Validate checks whether the resource batch is valid.
type ResourcePolicy ¶
// ResourcePolicy is a builder for resource policies. Construct it with
// NewResourcePolicy and check Err (or Validate) before adding it to a PolicySet.
type ResourcePolicy struct {
	// contains filtered or unexported fields
}
ResourcePolicy is a builder for resource policies.
func NewResourcePolicy ¶
func NewResourcePolicy(resource, version string) *ResourcePolicy
NewResourcePolicy creates a new resource policy builder.
func (*ResourcePolicy) AddResourceRules ¶
func (rp *ResourcePolicy) AddResourceRules(rules ...*ResourceRule) *ResourcePolicy
AddResourceRules adds resource rules to the policy.
func (*ResourcePolicy) Err ¶
func (rp *ResourcePolicy) Err() error
Err returns any errors accumulated during the construction of the policy.
func (*ResourcePolicy) Validate ¶
func (rp *ResourcePolicy) Validate() error
Validate checks whether the policy is valid.
func (*ResourcePolicy) WithDerivedRolesImports ¶
func (rp *ResourcePolicy) WithDerivedRolesImports(imp ...string) *ResourcePolicy
WithDerivedRolesImports adds import statements for derived roles.
func (*ResourcePolicy) WithPrincipalSchema ¶ added in v0.22.0
func (rp *ResourcePolicy) WithPrincipalSchema(principalSchema *Schema) *ResourcePolicy
func (*ResourcePolicy) WithResourceSchema ¶ added in v0.22.0
func (rp *ResourcePolicy) WithResourceSchema(resourceSchema *Schema) *ResourcePolicy
func (*ResourcePolicy) WithScope ¶ added in v0.22.0
func (rp *ResourcePolicy) WithScope(scope string) *ResourcePolicy
func (*ResourcePolicy) WithVariable ¶ added in v0.29.0
func (rp *ResourcePolicy) WithVariable(name, expr string) *ResourcePolicy
WithVariable adds a variable definition for use in conditions.
func (*ResourcePolicy) WithVariablesImports ¶ added in v0.29.0
func (rp *ResourcePolicy) WithVariablesImports(name ...string) *ResourcePolicy
WithVariablesImports adds import statements for exported variables.
type ResourceResult ¶ added in v0.16.0
type ResourceResult struct {
	*responsev1.CheckResourcesResponse_ResultEntry
	// contains filtered or unexported fields
}
func (*ResourceResult) Err ¶ added in v0.16.0
func (rr *ResourceResult) Err() error
func (*ResourceResult) IsAllowed ¶ added in v0.16.0
func (rr *ResourceResult) IsAllowed(action string) bool
IsAllowed returns true if the given action is allowed. Returns false if the action is not in the response or if there was an error getting this result. Because a failed check and a denied check both yield false, callers that need to tell them apart should check Err first.
type ResourceRule ¶
type ResourceRule struct {
// contains filtered or unexported fields
}
ResourceRule is a rule in a resource policy.
func NewAllowResourceRule ¶
func NewAllowResourceRule(actions ...string) *ResourceRule
NewAllowResourceRule creates a resource rule that allows the actions when matched.
func NewDenyResourceRule ¶
func NewDenyResourceRule(actions ...string) *ResourceRule
NewDenyResourceRule creates a resource rule that denies the actions when matched.
func (*ResourceRule) Err ¶
func (rr *ResourceRule) Err() error
Err returns errors accumulated during the construction of the resource rule.
func (*ResourceRule) Validate ¶
func (rr *ResourceRule) Validate() error
Validate checks whether the resource rule is valid.
func (*ResourceRule) WithCondition ¶
func (rr *ResourceRule) WithCondition(m match) *ResourceRule
WithCondition sets the condition that applies to this rule.
func (*ResourceRule) WithDerivedRoles ¶
func (rr *ResourceRule) WithDerivedRoles(roles ...string) *ResourceRule
WithDerivedRoles adds derived roles to which this rule applies.
func (*ResourceRule) WithName ¶ added in v0.22.0
func (rr *ResourceRule) WithName(name string) *ResourceRule
WithName sets the name of the ResourceRule.
func (*ResourceRule) WithRoles ¶
func (rr *ResourceRule) WithRoles(roles ...string) *ResourceRule
WithRoles adds roles to which this rule applies.
type ResourceSet ¶
type ResourceSet struct {
// contains filtered or unexported fields
}
ResourceSet is a container for a set of resources of the same kind.
func NewResourceSet ¶
func NewResourceSet(kind string) *ResourceSet
NewResourceSet creates a new resource set.
func (*ResourceSet) AddResourceInstance ¶
func (rs *ResourceSet) AddResourceInstance(id string, attr map[string]any) *ResourceSet
AddResourceInstance adds a new resource instance to the resource set.
func (*ResourceSet) Err ¶
func (rs *ResourceSet) Err() error
Err returns any errors accumulated during the construction of this resource set.
func (*ResourceSet) Validate ¶
func (rs *ResourceSet) Validate() error
Validate checks whether this resource set is valid.
func (*ResourceSet) WithPolicyVersion ¶
func (rs *ResourceSet) WithPolicyVersion(policyVersion string) *ResourceSet
WithPolicyVersion sets the policy version for this resource set.
type Schema ¶ added in v0.22.0
type Schema struct {
// contains filtered or unexported fields
}
Schema is a builder for Schemas_Schema.
func (*Schema) AddIgnoredActions ¶ added in v0.22.0
AddIgnoredActions adds action(s) to the ignoreWhen field of the schema.
type SchemaSet ¶ added in v0.14.0
type SchemaSet struct {
// contains filtered or unexported fields
}
SchemaSet is a container for a set of schemas.
func NewSchemaSet ¶ added in v0.14.0
func NewSchemaSet() *SchemaSet
NewSchemaSet creates a new schema set.
func (*SchemaSet) AddSchemaFromFile ¶ added in v0.14.0
AddSchemaFromFile adds a schema from the given file to the set.
func (*SchemaSet) AddSchemaFromFileWithErr ¶ added in v0.14.0
AddSchemaFromFileWithErr adds a schema from the given file to the set and returns the error.
func (*SchemaSet) AddSchemaFromFileWithIDAndErr ¶ added in v0.18.0
AddSchemaFromFileWithIDAndErr adds a schema with the given id from the given file to the set and returns the error.
func (*SchemaSet) AddSchemaFromReader ¶ added in v0.14.0
AddSchemaFromReader adds a schema from the given reader to the set.
func (*SchemaSet) AddSchemas ¶ added in v0.14.0
AddSchemas adds the given schemas to the set.
func (*SchemaSet) Err ¶ added in v0.14.0
Err returns the errors accumulated during the construction of the schema set.
func (*SchemaSet) GetSchemas ¶ added in v0.14.0
GetSchemas returns all of the schemas in the set.
type ServerInfo ¶ added in v0.5.0
type ServerInfo struct {
*responsev1.ServerInfoResponse
}
func (*ServerInfo) MarshalJSON ¶ added in v0.11.0
func (si *ServerInfo) MarshalJSON() ([]byte, error)
func (*ServerInfo) String ¶ added in v0.11.0
func (si *ServerInfo) String() string