Documentation
Index
- Constants
- Variables
- func CasbinHTTPMiddleware(next http.Handler, _ *casbin.Enforcer, _ SubjectExtractor) http.Handler
- func NewEnforcerFromFiles(modelPath, policyPath string) (*casbin.Enforcer, error)
- func NewFileRBACStore(baseDir string) *fileRBACStore
- type Assignment
- type AuditEvent
- type Auditor
- type Permission
- type RBACService
- type RBACStore
- type Role
- type ScanResult
- type Scanner
- type SubjectExtractor
- type Vulnerability
Constants
const (
	ResourceReports = "reports"
	ActionGenerate = "generate"
	ActionExport = "export"
	ResourceFocus = "focus"
	ActionConvert = "convert"
	ActionValidate = "validate"
	ResourceProviders = "providers"
	ActionConnect = "connect"
	ActionList = "list"
	ResourceAnalytics = "analytics"
	ActionForecast = "forecast"
	ActionDetectAnomalies = "anomalies"
	ActionRecommendations = "recommendations"
	ActionTrends = "trends"
	ActionTrainModel = "train_model"
	ResourceStreaming = "streaming"
	ActionCreateJob = "create_job"
	ActionStartJob = "start_job"
	ActionStopJob = "stop_job"
	ActionDeleteJob = "delete_job"
)
Predefined resource & action constants (grow conservatively to limit metric cardinality).
Variables
var PermissionMatrix = map[string][]string{
	ResourceReports: {ActionGenerate, ActionExport},
	ResourceFocus: {ActionConvert, ActionValidate},
	ResourceProviders: {ActionConnect, ActionList},
	ResourceAnalytics: {ActionForecast, ActionDetectAnomalies, ActionRecommendations, ActionTrends, ActionTrainModel},
	ResourceStreaming: {ActionCreateJob, ActionStartJob, ActionStopJob, ActionDeleteJob},
}
PermissionMatrix documents the intended resource/action pairs for validation and audit. It is not enforced yet.
Functions
func CasbinHTTPMiddleware
func CasbinHTTPMiddleware(next http.Handler, _ *casbin.Enforcer, _ SubjectExtractor) http.Handler
CasbinHTTPMiddleware is a stub: it passes every request straight through to next without performing any authorization check. The enforcer and subject-extractor arguments are ignored, which is why they are blank identifiers in the signature.
func NewEnforcerFromFiles
func NewEnforcerFromFiles(modelPath, policyPath string) (*casbin.Enforcer, error)
NewEnforcerFromFiles is a stub used when the Casbin proof of concept (PoC) is disabled.
func NewFileRBACStore
func NewFileRBACStore(baseDir string) *fileRBACStore
NewFileRBACStore creates a new file-backed RBAC store at data/security/roles.json. Note that the returned type, *fileRBACStore, is unexported.
Types
type Assignment
Assignment represents a user-to-role mapping.
type AuditEvent
type AuditEvent struct {
Timestamp time.Time `json:"timestamp"`
Actor string `json:"actor"`
Action string `json:"action"`
Resource string `json:"resource"`
Result string `json:"result"`
Fields map[string]interface{} `json:"fields,omitempty"`
}
AuditEvent represents a security-relevant event.
type Auditor
type Auditor struct {
// contains filtered or unexported fields
}
Auditor writes audit events to an append-only JSONL file.
func NewAuditor
NewAuditor creates a new auditor writing to data/security/audit.log.
func (*Auditor) Write
func (a *Auditor) Write(evt AuditEvent) error
Write writes an audit event as a single JSON line.
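As an added example, not the package's own Auditor, a writer for the append-only JSONL format described above together with a reader that parses the file back; FileAuditor, its Path field, ReadAll and the open flags and file mode chosen here are assumptions rather than what the package itself does.

```go
package main

import (
	"encoding/json"
	"os"
	"time"
)

// AuditEvent as documented on this page.
type AuditEvent struct {
	Timestamp time.Time              `json:"timestamp"`
	Actor     string                 `json:"actor"`
	Action    string                 `json:"action"`
	Resource  string                 `json:"resource"`
	Result    string                 `json:"result"`
	Fields    map[string]interface{} `json:"fields,omitempty"`
}

// FileAuditor stands in for the page's Auditor; Path replaces the fixed data/security/audit.log.
type FileAuditor struct{ Path string }

// Write appends one JSON line: O_APPEND so writers never overwrite each other, 0600
// to keep the log private, JSON escaping so a newline in a value cannot forge a record.
func (a *FileAuditor) Write(evt AuditEvent) error {
	f, err := os.OpenFile(a.Path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	return json.NewEncoder(f).Encode(evt) // Encode terminates the record with '\n'
}

// ReadAll parses the JSONL file back into events, one per line.
func ReadAll(path string) ([]AuditEvent, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var events []AuditEvent
	dec := json.NewDecoder(f)
	for dec.More() {
		var e AuditEvent
		if err := dec.Decode(&e); err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}
```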
type Permission
Permission represents an action allowed on a resource.
type RBACService
type RBACService struct {
// contains filtered or unexported fields
}
RBACService provides RBAC operations.
func NewRBACService
func NewRBACService(store RBACStore, logger *logging.Logger) *RBACService
NewRBACService creates a new RBAC service.
func (*RBACService) CheckPermission
func (s *RBACService) CheckPermission(ctx context.Context, roleName, resource, action string) bool
CheckPermission is a tracing-enabled wrapper around HasPermission that records an OTel span. It does not introduce additional allocation-heavy logic; span creation is skipped when no tracer provider is configured (noop provider).
Span name: rbac.has_permission
Attributes:
- rbac.role - evaluated role
- rbac.resource - target resource
- rbac.action - target action
- rbac.allowed - boolean result
NOTE: HasPermission is kept for lightweight internal / test usage; middleware and centralized enforcement paths SHOULD prefer CheckPermission to gain observability.
func (*RBACService) CreateRole
func (s *RBACService) CreateRole(name, description string, perms []Permission) (Role, error)
CreateRole creates a new role with the given permissions.
func (*RBACService) HasPermission
func (s *RBACService) HasPermission(roleName, resource, action string) bool
HasPermission checks whether a role has a specific permission.
Deprecated: Use CheckPermission for new code to ensure tracing & metrics.
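As an added example (not the package's own code), an in-memory stand-in that wires the validation PermissionMatrix is documented for into role creation and makes the permission check deny by default, the behaviour a practitioner would want behind HasPermission and CheckPermission; Permission's Resource/Action fields, the MemRoles type and ValidatePermissions are assumptions, and only a subset of the page's constants is reproduced.

```go
package main

import "fmt"

// Subset of the constants and PermissionMatrix documented on this page.
const ResourceReports, ActionGenerate, ActionExport = "reports", "generate", "export"
const ResourceStreaming, ActionDeleteJob = "streaming", "delete_job"

var PermissionMatrix = map[string][]string{ResourceReports: {ActionGenerate, ActionExport}, ResourceStreaming: {ActionDeleteJob}}

// Permission's fields are not shown on the page; Resource/Action is an assumption.
type Permission struct{ Resource, Action string }

// ValidatePermissions rejects any pair absent from PermissionMatrix, the check
// the matrix's doc comment describes but says is not enforced yet.
func ValidatePermissions(perms []Permission) error {
next:
	for _, p := range perms {
		for _, a := range PermissionMatrix[p.Resource] {
			if a == p.Action {
				continue next
			}
		}
		return fmt.Errorf("permission %s:%s not in PermissionMatrix", p.Resource, p.Action)
	}
	return nil
}

// MemRoles is an in-memory stand-in for RBACStore (no locking, no persistence).
type MemRoles map[string][]Permission

// CreateRole refuses a role whose permissions fail validation.
func (m MemRoles) CreateRole(name string, perms []Permission) error {
	if err := ValidatePermissions(perms); err != nil {
		return err
	}
	m[name] = perms
	return nil
}

// HasPermission denies by default: unknown roles and unmatched pairs yield false.
func (m MemRoles) HasPermission(role, resource, action string) bool {
	for _, p := range m[role] {
		if p.Resource == resource && p.Action == action {
			return true
		}
	}
	return false
}
```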
type RBACStore
type RBACStore interface {
Load() error
Save() error
AddRole(role Role) error
GetRole(name string) (Role, bool)
ListRoles() []Role
}
RBACStore defines persistence for RBAC data.
type Role
type Role struct {
Name string `json:"name"`
Description string `json:"description,omitempty"`
Permissions []Permission `json:"permissions"`
CreatedAt time.Time `json:"created_at"`
}
Role represents a named set of permissions.
type ScanResult
type ScanResult struct {
Summary string `json:"summary"`
Vulnerabilities []Vulnerability `json:"vulnerabilities"`
GeneratedAt time.Time `json:"generated_at"`
}
ScanResult contains the results of a scan.
type Scanner
type Scanner struct {
// contains filtered or unexported fields
}
Scanner provides security scanning capabilities.
func NewScanner
NewScanner creates a new security scanner.
func (*Scanner) ScanVulnerabilities
func (s *Scanner) ScanVulnerabilities(target string) (*ScanResult, error)
ScanVulnerabilities performs a stub vulnerability scan of target; no real scanning takes place.
type SubjectExtractor
SubjectExtractor extracts a subject (e.g., a role or user) from a request. The default stub returns nil.
func JWTSubjectExtractor
func JWTSubjectExtractor(secret, issuer string) SubjectExtractor
JWTSubjectExtractor is a stub: the extractor it returns yields no subjects regardless of secret and issuer.