Authorization package: role-based access control for the Chainloop control plane, built on top of a Casbin enforcer. It defines the resources, actions, roles and (resource, action) policies, the default policies granted to each role, and the policies each server operation requires.
const (
	// Actions are the verbs of a Casbin (resource, action) tuple.
	ActionRead   = "read"
	ActionList   = "list"
	ActionCreate = "create"
	ActionUpdate = "update"
	ActionDelete = "delete"

	// Resources are the objects of a Casbin (resource, action) tuple.
	ResourceWorkflowContract      = "workflow_contract"
	ResourceCASArtifact           = "cas_artifact"
	ResourceCASBackend            = "cas_backend"
	ResourceReferrer              = "referrer"
	ResourceAvailableIntegration  = "integration_available"
	ResourceRegisteredIntegration = "integration_registered"
	ResourceAttachedIntegration   = "integration_attached"
	ResourceOrgMetric             = "metrics_org"
	ResourceRobotAccount          = "robot_account"
	ResourceWorkflowRun           = "workflow_run"
	ResourceWorkflow              = "workflow"
	// NOTE(review): unlike its siblings this constant carries no Resource
	// prefix, and its value is the same string as ResourceTypeOrganization
	// (a membership ResourceType, not a Casbin resource). The two are
	// different concepts that happen to share a spelling; do not mix them up.
	Organization                         = "organization"
	ResourceGroup                        = "group"
	ResourceGroupMembership              = "group_membership"
	ResourceProjectAPIToken              = "project_api_token"
	ResourceProjectMembership            = "project_membership"
	// NOTE(review): no Policy in this package references this resource and
	// it is not part of ManagedResources — confirm whether it is still needed.
	ResourceProjectMembershipInvitations = "project_membership_invitations"

	// Organization-level roles: owner, admin and viewer.
	// These roles are described as hierarchical: Owner inherits every policy
	// of Admin, which in turn inherits every policy of Viewer. RolesMap only
	// lists the delta for Admin and has no entry for Owner, so the inheritance
	// itself must be expressed elsewhere (Casbin role links) — not visible here.
	RoleOwner  Role = "role:org:owner"
	RoleAdmin  Role = "role:org:admin"
	RoleViewer Role = "role:org:viewer"
	// RoleOrgMember is the role users get by default when they join an
	// organization. Members cannot see projects until they are invited, but
	// they may create their own, so a (role, resource-type, action) Casbin
	// rule is NOT sufficient on its own: ownership must also be checked, and
	// that check is performed at the service level. Any policy granted to this
	// role in RolesMap therefore relies on that service-level check.
	RoleOrgMember Role = "role:org:member"
	// Project-scoped roles, granted per project membership.
	RoleProjectAdmin  Role = "role:project:admin"
	RoleProjectViewer Role = "role:project:viewer"
	// RoleGroupMaintainer can manage the membership of groups in an organization.
	RoleGroupMaintainer Role = "role:group:maintainer"
)
const (
	// Subjects a membership can be attached to: an individual user or a group.
	MembershipTypeUser  MembershipType = "user"
	MembershipTypeGroup MembershipType = "group"

	// Resources a membership can be attached to.
	// NOTE: ResourceTypeOrganization shares its string value with the Casbin
	// resource constant Organization; they are distinct types with distinct uses.
	ResourceTypeOrganization ResourceType = "organization"
	ResourceTypeProject      ResourceType = "project"
	ResourceTypeGroup        ResourceType = "group"
)
// Policies are the named (resource, action) tuples that roles are granted and
// server operations require. Two policies with the same tuple are
// indistinguishable to Casbin: granting one grants the other.
var (
	// Referrer
	PolicyReferrerRead = &Policy{ResourceReferrer, ActionRead}

	// Artifact: download is modelled as read, upload as create.
	PolicyArtifactDownload = &Policy{ResourceCASArtifact, ActionRead}
	PolicyArtifactUpload   = &Policy{ResourceCASArtifact, ActionCreate}

	// CAS backend
	PolicyCASBackendList = &Policy{ResourceCASBackend, ActionList}

	// Available integrations
	PolicyAvailableIntegrationList = &Policy{ResourceAvailableIntegration, ActionList}
	PolicyAvailableIntegrationRead = &Policy{ResourceAvailableIntegration, ActionRead}

	// Registered integrations
	PolicyRegisteredIntegrationList = &Policy{ResourceRegisteredIntegration, ActionList}
	PolicyRegisteredIntegrationRead = &Policy{ResourceRegisteredIntegration, ActionRead}
	PolicyRegisteredIntegrationAdd  = &Policy{ResourceRegisteredIntegration, ActionCreate}

	// Attached integrations
	PolicyAttachedIntegrationList   = &Policy{ResourceAttachedIntegration, ActionList}
	PolicyAttachedIntegrationAttach = &Policy{ResourceAttachedIntegration, ActionCreate}
	PolicyAttachedIntegrationDetach = &Policy{ResourceAttachedIntegration, ActionDelete}

	// Org Metrics
	// NOTE(review): named "Read" but expressed as ActionList; every
	// OrgMetricsService operation maps to this single policy.
	PolicyOrgMetricsRead = &Policy{ResourceOrgMetric, ActionList}

	// Robot Account
	PolicyRobotAccountList   = &Policy{ResourceRobotAccount, ActionList}
	PolicyRobotAccountCreate = &Policy{ResourceRobotAccount, ActionCreate}

	// Workflow Contract
	PolicyWorkflowContractList   = &Policy{ResourceWorkflowContract, ActionList}
	PolicyWorkflowContractRead   = &Policy{ResourceWorkflowContract, ActionRead}
	PolicyWorkflowContractUpdate = &Policy{ResourceWorkflowContract, ActionUpdate}
	PolicyWorkflowContractCreate = &Policy{ResourceWorkflowContract, ActionCreate}
	PolicyWorkflowContractDelete = &Policy{ResourceWorkflowContract, ActionDelete}

	// WorkflowRun
	PolicyWorkflowRunList   = &Policy{ResourceWorkflowRun, ActionList}
	PolicyWorkflowRunRead   = &Policy{ResourceWorkflowRun, ActionRead}
	PolicyWorkflowRunCreate = &Policy{ResourceWorkflowRun, ActionCreate}
	PolicyWorkflowRunUpdate = &Policy{ResourceWorkflowRun, ActionUpdate}

	// Workflow
	PolicyWorkflowList   = &Policy{ResourceWorkflow, ActionList}
	PolicyWorkflowRead   = &Policy{ResourceWorkflow, ActionRead}
	PolicyWorkflowCreate = &Policy{ResourceWorkflow, ActionCreate}
	PolicyWorkflowUpdate = &Policy{ResourceWorkflow, ActionUpdate}
	PolicyWorkflowDelete = &Policy{ResourceWorkflow, ActionDelete}

	// Organization / user membership
	PolicyOrganizationRead = &Policy{Organization, ActionRead}
	// NOTE(review): identical tuple to PolicyOrganizationRead. Anyone allowed
	// to read the organization is therefore also allowed to list its
	// memberships; if those should ever differ, this needs its own action.
	PolicyOrganizationListMemberships = &Policy{Organization, ActionRead}

	// Groups
	PolicyGroupList = &Policy{ResourceGroup, ActionList}
	// NOTE(review): identical tuple to PolicyGroupList, so listing pending
	// invitations cannot be granted separately from listing groups.
	PolicyGroupListPendingInvitations = &Policy{ResourceGroup, ActionList}
	PolicyGroupRead                   = &Policy{ResourceGroup, ActionRead}

	// Group Memberships
	PolicyGroupListMemberships   = &Policy{ResourceGroupMembership, ActionList}
	PolicyGroupAddMemberships    = &Policy{ResourceGroupMembership, ActionCreate}
	PolicyGroupRemoveMemberships = &Policy{ResourceGroupMembership, ActionDelete}

	// Project API Token
	PolicyProjectAPITokenList   = &Policy{ResourceProjectAPIToken, ActionList}
	PolicyProjectAPITokenCreate = &Policy{ResourceProjectAPIToken, ActionCreate}
	PolicyProjectAPITokenRevoke = &Policy{ResourceProjectAPIToken, ActionDelete}

	// Project Memberships
	PolicyProjectListMemberships   = &Policy{ResourceProjectMembership, ActionList}
	PolicyProjectAddMemberships    = &Policy{ResourceProjectMembership, ActionCreate}
	PolicyProjectUpdateMemberships = &Policy{ResourceProjectMembership, ActionUpdate}
	PolicyProjectRemoveMemberships = &Policy{ResourceProjectMembership, ActionDelete}
)
// ManagedResources are the Casbin resources managed by Chainloop and
// considered during permissions sync.
//
// NOTE(review): ResourceProjectAPIToken is granted through several policies
// in RolesMap (API token list/create/revoke) but is absent from this list, as
// is ResourceProjectMembershipInvitations. If the sync prunes or reconciles
// only the resources listed here, project API token policies would be skipped
// — confirm against the sync implementation.
var ManagedResources = []string{
	ResourceWorkflowContract,
	ResourceCASArtifact,
	ResourceCASBackend,
	ResourceReferrer,
	ResourceAvailableIntegration,
	ResourceRegisteredIntegration,
	ResourceAttachedIntegration,
	ResourceOrgMetric,
	ResourceRobotAccount,
	ResourceWorkflowRun,
	ResourceWorkflow,
	Organization,
	ResourceGroup,
	ResourceGroupMembership,
	ResourceProjectMembership,
}
ManagedResources lists the Casbin resources that are managed by Chainloop and considered during permissions sync. Note that ResourceProjectAPIToken and ResourceProjectMembershipInvitations are not part of this list.
// RolesMap is the default list of policies granted to each role.
//
// NOTE: roles are not necessarily hierarchical; however RoleAdmin inherits
// every policy of RoleViewer, so Viewer policies are not repeated under
// Admin. RoleOwner has no entry here at all, so its permissions have to come
// from inheritance configured outside this map.
//
// Security notes (review):
//   - RoleOrgMember is the default role every org member receives, yet it
//     is granted create/update/delete on workflow contracts and workflows,
//     artifact upload, project API token creation/revocation and project
//     membership management. These grants are only safe because ownership is
//     re-checked at the service level (see the RoleOrgMember comment); any
//     new handler relying on these policies must perform that check too.
//   - RoleGroupMaintainer's three policies are not required by any entry in
//     ServerOperationsMap (GroupService AddMember / RemoveMember /
//     ListPendingInvitations map to empty lists), so at the interceptor layer
//     this role currently grants nothing extra.
//   - PolicyRobotAccountCreate and PolicyRegisteredIntegrationAdd are not
//     granted to any role in this map; whoever holds them gets them elsewhere.
var RolesMap = map[Role][]*Policy{
	// Read-only, organization-wide visibility.
	RoleViewer: {
		PolicyReferrerRead,
		PolicyArtifactDownload,
		PolicyCASBackendList,
		PolicyAvailableIntegrationList,
		PolicyAvailableIntegrationRead,
		PolicyRegisteredIntegrationList,
		PolicyAttachedIntegrationList,
		PolicyOrgMetricsRead,
		PolicyRobotAccountList,
		PolicyWorkflowContractList,
		PolicyWorkflowContractRead,
		PolicyWorkflowRunList,
		PolicyWorkflowRunRead,
		PolicyWorkflowList,
		PolicyWorkflowRead,
		PolicyOrganizationRead,
	},
	// Only the delta over RoleViewer is listed (see note above).
	RoleAdmin: {
		PolicyArtifactUpload,
	},
	// Default role for every member of an organization.
	RoleOrgMember: {
		PolicyWorkflowRead,
		PolicyWorkflowContractList,
		PolicyWorkflowContractRead,
		PolicyWorkflowContractCreate,
		PolicyWorkflowContractUpdate,
		PolicyWorkflowContractDelete,
		PolicyWorkflowList,
		PolicyWorkflowCreate,
		PolicyWorkflowUpdate,
		PolicyWorkflowDelete,
		PolicyWorkflowRunList,
		PolicyWorkflowRunRead,
		PolicyArtifactDownload,
		PolicyArtifactUpload,
		PolicyCASBackendList,
		PolicyOrganizationRead,
		PolicyAvailableIntegrationList,
		PolicyAvailableIntegrationRead,
		PolicyRegisteredIntegrationList,
		PolicyRegisteredIntegrationRead,
		PolicyAttachedIntegrationList,
		PolicyAttachedIntegrationAttach,
		PolicyAttachedIntegrationDetach,
		PolicyOrgMetricsRead,
		PolicyReferrerRead,
		PolicyGroupList,
		PolicyGroupRead,
		PolicyGroupListMemberships,
		PolicyProjectAPITokenList,
		PolicyProjectAPITokenCreate,
		PolicyProjectAPITokenRevoke,
		PolicyProjectListMemberships,
		PolicyProjectAddMemberships,
		PolicyProjectRemoveMemberships,
		PolicyProjectUpdateMemberships,
	},
	// Project-scoped read access. List policies are not granted here;
	// presumably listing happens at the organization scope — confirm.
	RoleProjectViewer: {
		PolicyWorkflowRead,
		PolicyWorkflowRunRead,
	},
	// Project-scoped management: workflows, runs, attachments, API tokens
	// and the project's own membership.
	RoleProjectAdmin: {
		PolicyWorkflowRead,
		PolicyWorkflowCreate,
		PolicyWorkflowRunCreate,
		PolicyWorkflowRunUpdate,
		PolicyWorkflowUpdate,
		PolicyWorkflowDelete,
		PolicyWorkflowRunRead,
		PolicyAttachedIntegrationAttach,
		PolicyAttachedIntegrationDetach,
		PolicyProjectAPITokenList,
		PolicyProjectAPITokenCreate,
		PolicyProjectAPITokenRevoke,
		PolicyProjectListMemberships,
		PolicyProjectAddMemberships,
		PolicyProjectRemoveMemberships,
		PolicyProjectUpdateMemberships,
	},
	// Group membership management (see the security note about wiring).
	RoleGroupMaintainer: {
		PolicyGroupListPendingInvitations,
		PolicyGroupAddMemberships,
		PolicyGroupRemoveMemberships,
	},
}
RolesMap is the default list of policies granted to each role. NOTE: roles are not necessarily hierarchical; however the Admin role inherits all the policies of the Viewer role, so they are not repeated under RoleAdmin. RoleOwner has no entry of its own in this map, so its permissions must come from inheritance configured elsewhere.
// ServerOperationsMap maps a server operation (full gRPC method name; keys
// such as ".../OrgMetricsService/.*" suggest pattern matching, so the exact
// matcher used by the interceptor should be confirmed) to the policies
// required to perform it. When an entry lists more than one policy, all of
// them must be satisfied.
//
// An entry with an empty list declares NO policy requirement at this layer:
// the operation is admitted on authentication alone and its authorization
// is entirely the responsibility of the service handler. Review those
// entries carefully — several of them are mutating operations
// (DeleteMembership, DeleteAccount, GroupService AddMember/RemoveMember).
//
// NOTE(review): GroupService/AddMember, RemoveMember and
// ListPendingInvitations have matching policies (PolicyGroupAddMemberships,
// PolicyGroupRemoveMemberships, PolicyGroupListPendingInvitations) and a
// role that holds them (RoleGroupMaintainer), but are mapped to {} here,
// unlike the parallel ProjectService entries which are wired. Whether that is
// deliberate (service-level checks) or an omission should be confirmed.
//
// What happens for an operation absent from this map is decided by the
// interceptor and is not visible in this package.
var ServerOperationsMap = map[string][]*Policy{
	"/controlplane.v1.ReferrerService/DiscoverPrivate": {PolicyReferrerRead},
	// No policy required here; protected only by authentication + handler logic.
	"/controlplane.v1.CASCredentialsService/Get":          {},
	"/controlplane.v1.CASRedirectService/DownloadRedirect": {PolicyArtifactDownload},
	"/controlplane.v1.CASRedirectService/GetDownloadURL":   {PolicyArtifactDownload},
	"/controlplane.v1.CASBackendService/List":              {PolicyCASBackendList},
	// Both policies must hold.
	"/controlplane.v1.IntegrationsService/ListAvailable":        {PolicyAvailableIntegrationList, PolicyAvailableIntegrationRead},
	"/controlplane.v1.IntegrationsService/ListRegistrations":    {PolicyRegisteredIntegrationList},
	"/controlplane.v1.IntegrationsService/DescribeRegistration": {PolicyRegisteredIntegrationRead},
	"/controlplane.v1.IntegrationsService/Register":             {PolicyRegisteredIntegrationAdd},
	"/controlplane.v1.IntegrationsService/ListAttachments":      {PolicyAttachedIntegrationList},
	"/controlplane.v1.IntegrationsService/Attach":               {PolicyAttachedIntegrationAttach},
	"/controlplane.v1.IntegrationsService/Detach":               {PolicyAttachedIntegrationDetach},
	// Pattern key: every OrgMetricsService method requires the same policy.
	"/controlplane.v1.OrgMetricsService/.*":              {PolicyOrgMetricsRead},
	"/controlplane.v1.RobotAccountService/List":          {PolicyRobotAccountList},
	"/controlplane.v1.RobotAccountService/Create":        {PolicyRobotAccountCreate},
	"/controlplane.v1.WorkflowService/List":              {PolicyWorkflowList},
	"/controlplane.v1.WorkflowService/View":              {PolicyWorkflowRead},
	"/controlplane.v1.WorkflowService/Create":            {PolicyWorkflowCreate},
	"/controlplane.v1.WorkflowService/Update":            {PolicyWorkflowUpdate},
	"/controlplane.v1.WorkflowService/Delete":            {PolicyWorkflowDelete},
	"/controlplane.v1.WorkflowRunService/List":           {PolicyWorkflowRunList},
	"/controlplane.v1.WorkflowRunService/View":           {PolicyWorkflowRunRead},
	"/controlplane.v1.WorkflowContractService/List":      {PolicyWorkflowContractList},
	"/controlplane.v1.WorkflowContractService/Describe":  {PolicyWorkflowContractRead},
	"/controlplane.v1.WorkflowContractService/Update":    {PolicyWorkflowContractUpdate},
	"/controlplane.v1.WorkflowContractService/Create":    {PolicyWorkflowContractCreate},
	"/controlplane.v1.WorkflowContractService/Delete":    {PolicyWorkflowContractDelete},
	"/controlplane.v1.ContextService/Current":            {PolicyOrganizationRead},
	// User-scoped operations with no RBAC policy at this layer: they act on
	// the caller's own account/memberships and must be scoped by the handler.
	"/controlplane.v1.OrganizationService/Create":       {},
	"/controlplane.v1.UserService/ListMemberships":      {},
	"/controlplane.v1.UserService/SetCurrentMembership": {},
	"/controlplane.v1.UserService/DeleteMembership":     {},
	"/controlplane.v1.AuthService/DeleteAccount":        {},
	"/controlplane.v1.OrganizationService/ListMemberships": {PolicyOrganizationListMemberships},
	"/controlplane.v1.GroupService/List":                   {PolicyGroupList},
	"/controlplane.v1.GroupService/Get":                    {PolicyGroupRead},
	"/controlplane.v1.GroupService/ListMembers":            {PolicyGroupListMemberships},
	// See NOTE(review) above: policies for these exist but are not required here.
	"/controlplane.v1.GroupService/AddMember":              {},
	"/controlplane.v1.GroupService/RemoveMember":           {},
	"/controlplane.v1.GroupService/ListPendingInvitations": {},
	"/controlplane.v1.ProjectService/APITokenCreate":         {PolicyProjectAPITokenCreate},
	"/controlplane.v1.ProjectService/APITokenList":           {PolicyProjectAPITokenList},
	"/controlplane.v1.ProjectService/APITokenRevoke":         {PolicyProjectAPITokenRevoke},
	"/controlplane.v1.ProjectService/ListMembers":            {PolicyProjectListMemberships},
	"/controlplane.v1.ProjectService/AddMember":              {PolicyProjectAddMemberships},
	"/controlplane.v1.ProjectService/RemoveMember":           {PolicyProjectRemoveMemberships},
	"/controlplane.v1.ProjectService/UpdateMemberRole":       {PolicyProjectUpdateMemberships},
	"/controlplane.v1.ProjectService/ListPendingInvitations": {PolicyProjectListMemberships},
}
ServerOperationsMap maps each server operation (full gRPC method name; a key may be a pattern such as `/controlplane.v1.OrgMetricsService/.*`) to the (resource, action) policies required to perform it. If an entry contains more than one policy, all of them must be satisfied. An entry with an empty list declares no policy requirement at this layer, so that operation relies entirely on authentication and on checks performed by the service handler.
// Enforcer wraps a casbin.Enforcer with the subject-oriented helpers this
// package needs (AddPolicies / ClearPolicies keyed by SubjectAPIToken).
//
// NOTE(review): because *casbin.Enforcer is embedded, its entire method set
// (AddPolicy, RemovePolicy, Enforce, ...) is promoted and callable on
// *Enforcer. The wrappers defined here are conveniences, not a restricted
// surface; any holder of an *Enforcer can mutate policies directly.
type Enforcer struct {
	*casbin.Enforcer
	// unexported fields omitted by the documentation renderer
}
// NewDatabaseEnforcer builds an Enforcer whose Casbin policies are stored in
// the database described by c; config carries this package's own settings.
// It returns an error if the enforcer cannot be constructed.
//
// NOTE(review): the parameter named config shadows the imported config
// package throughout the function body (c's type still resolves to the
// package because parameter scope begins at the body). Renaming it to cfg
// would remove the ambiguity.
func NewDatabaseEnforcer(c *config.DatabaseConfig, config *Config) (*Enforcer, error)
NewDatabaseEnforcer creates a new Casbin authorization enforcer that uses a database as its policy storage backend.
func NewFiletypeEnforcer ¶
NewFiletypeEnforcer creates a new Casbin authorization enforcer that uses a CSV file as its policy storage backend.
// AddPolicies grants the given policies to the API token subject sub.
// It returns an error if the policies cannot be stored; behaviour on a nil
// sub or an empty policies list is not visible here — check before relying on it.
func (e *Enforcer) AddPolicies(sub *SubjectAPIToken, policies ...*Policy) error
// ClearPolicies removes every policy held by the API token subject sub.
// Call it when a token is revoked so that no grants outlive the token.
func (e *Enforcer) ClearPolicies(sub *SubjectAPIToken) error
ClearPolicies removes all the policies stored for the given subject.
// MembershipType identifies the kind of subject a membership is attached to:
// MembershipTypeUser or MembershipTypeGroup.
type MembershipType string
MembershipType represents a polymorphic membership subject: either a user or a group.
// Values returns the allowed MembershipType values, implementing
// entgo.io/ent/schema/field.EnumValues so the type can be used as an ent enum.
func (MembershipType) Values() (values []string)
Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues so the type can be used as an enum field in an ent schema.
// ResourceType identifies the kind of resource a membership is attached to:
// ResourceTypeOrganization, ResourceTypeProject or ResourceTypeGroup.
type ResourceType string
ResourceType represents the kind of resource a membership is attached to (an organization, a project or a group).
// Values returns the allowed ResourceType values, implementing
// entgo.io/ent/schema/field.EnumValues so the type can be used as an ent enum.
func (ResourceType) Values() (values []string)
Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues so the type can be used as an enum field in an ent schema.
// Role is the name of an authorization role (e.g. RoleOwner, RoleProjectAdmin)
// as stored in Casbin and in the database.
type Role string
func (Role) Values ¶
Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues so that Role values can be stored as an enum in the database schema.
// SubjectAPIToken identifies an API token as a Casbin subject, which is how
// AddPolicies and ClearPolicies scope the policies they write and remove.
type SubjectAPIToken struct {
	// ID is the token identifier; how it is rendered as a subject string
	// is decided by String().
	ID string
}
// String renders the token as the subject string used in Casbin policies.
// The exact format is not visible here; callers should not parse it.
func (t *SubjectAPIToken) String() string