access

package

Documentation

Overview

Package access provides a simple way to manage access to resources, with a policy-based approach. It uses a simple policy language to define access rules, and URNs to express users, groups and resources.

Index

Constants

const DefaultVersion = "2023-03-28"

DefaultVersion

Variables

// DefaultPartitions is the default set of partitions; only "cloud" is
// enabled out of the box. Further partitions are added with Partitions.Add.
var DefaultPartitions = Partitions{
	Partition("cloud"): true,
}

DefaultPartitions is the default list of partitions.

// DefaultRegions is the default set of regions; only "eu-central-1" is
// enabled out of the box. Further regions are added with Regions.Add.
var DefaultRegions = Regions{
	Region("eu-central-1"): true,
}

DefaultRegions is the default list of regions.

// DefaultServices is the default set of services. Its entries are not
// exported from the package source; use Services.Add to register more.
var DefaultServices = Services{
	// contains filtered or unexported fields
}

DefaultServices is the default list of services.

// GroupResourceIdentifier reports whether u names a group: the URN must
// belong to the access service and its resource must begin with "groups".
// This is a plain prefix test, so any resource string starting with
// "groups" qualifies, not only "groups/<id>" shaped ones.
var GroupResourceIdentifier = func(u *urn.URN) bool {
	if u.Service != defaultAccessService {
		return false
	}
	resource := u.Resource.String()
	return strings.HasPrefix(resource, "groups")
}

GroupResourceIdentifier is the identifier for a group.

// IdentityBasedMatcher reports whether the URN l is accepted by the URN r,
// comparing them component by component (namespace, partition, service,
// region, identifier and resource). A component of r accepts the same
// component of l when the two are equal, or when r's component is
// urn.Wildcard or urn.Empty; all six components must be accepted.
//
// Note that an empty component on r is exactly as permissive as the
// wildcard: a URN on the r side that leaves a component unset matches any
// value of that component on the l side.
var IdentityBasedMatcher = func(l *urn.URN, r *urn.URN) bool {
	// Each case names the one condition under which a component of r
	// rejects l; reaching the end means every component was accepted.
	switch {
	case l.Namespace != r.Namespace && r.Namespace != urn.Wildcard && r.Namespace != urn.Empty:
		return false
	case l.Partition != r.Partition && r.Partition != urn.Wildcard && r.Partition != urn.Empty:
		return false
	case l.Service != r.Service && r.Service != urn.Wildcard && r.Service != urn.Empty:
		return false
	case l.Region != r.Region && r.Region != urn.Wildcard && r.Region != urn.Empty:
		return false
	case l.Identifier != r.Identifier && r.Identifier != urn.Wildcard && r.Identifier != urn.Empty:
		return false
	case l.Resource != r.Resource && r.Resource != urn.Wildcard && r.Resource != urn.Empty:
		return false
	}
	return true
}

IdentityBasedMatcher is a matcher that matches the URN based on the identity.

// RoleResourceIdentifier reports whether u names a role: the URN must
// belong to the access service and its resource must begin with "roles".
// This is a plain prefix test, so any resource string starting with
// "roles" qualifies, not only "roles/<id>" shaped ones.
var RoleResourceIdentifier = func(u *urn.URN) bool {
	if u.Service != defaultAccessService {
		return false
	}
	resource := u.Resource.String()
	return strings.HasPrefix(resource, "roles")
}

RoleResourceIdentifier is the identifier for a role.

// UserResourceIdentifier reports whether u names a user: the URN must
// belong to the access service and its resource must begin with "users".
// This is a plain prefix test, so any resource string starting with
// "users" qualifies, not only "users/<id>" shaped ones.
var UserResourceIdentifier = func(u *urn.URN) bool {
	if u.Service != defaultAccessService {
		return false
	}
	resource := u.Resource.String()
	return strings.HasPrefix(resource, "users")
}

UserResourceIdentifier is the identifier for a user.

Functions

func Is added in v0.5.2

func Is(u *urn.URN, i ResourceIdentifier) bool

Is returns true if the resource matches the identifier.

func WithNoop added in v0.5.2

func WithNoop(ctx context.Context, t *testing.T, access pb.AccessServer, f func(context.Context, *testing.T, func(context.Context, string) (net.Conn, error)))

WithNoop ...

Types

type Access

// Access is the interface for the access client.
// NOTE(review): it declares no methods, so every value satisfies it; it
// does not constrain a caller to *Client.
type Access interface{}

Access is the interface for the access client.

type Accessor added in v0.5.2

// Accessor decides whether a principal may perform an action on a resource.
type Accessor interface {
	// Allow reports whether principal is allowed to perform action on
	// ressource. The boolean should only be consulted when the returned
	// error is nil; how implementations evaluate the decision is not
	// visible here.
	Allow(ctx context.Context, principal *urn.URN, ressource *urn.URN, action Action) (bool, error)
}

Accessor is the interface to allow or deny access.

type Action added in v0.5.2

type Action string

Action is the action that the rule applies to.

func (Action) String added in v0.5.2

func (a Action) String() string

String ...

type Actions added in v0.5.2

type Actions []Action

Actions is a list of actions.

type Client

// Client is the access client. Its fields are unexported; construct it
// with NewClient and query it with Check.
type Client struct {
	// contains filtered or unexported fields
}

Client is the access client.

func NewClient

func NewClient(conn *grpc.ClientConn, opts ...Opt) (*Client, error)

NewClient creates a new access client.

func (*Client) Check

func (c *Client) Check(ctx context.Context, principal, resource, action string) (bool, error)

Check reports whether the principal is allowed to perform the action on the resource.

type Condition added in v0.5.2

// Condition is a single constraint on a rule, given as a key, an operator
// and a value. It is serialised with the same field names in JSON and YAML.
type Condition struct {
	// Key is the key of the condition; presumably it names the attribute
	// that the operator is applied to — confirm against the evaluator.
	Key string `json:"key" yaml:"key"`
	// Value is the value of the condition that Key is compared against.
	Value string `json:"value" yaml:"value"`
	// Operator is the operator of the condition. The accepted operator
	// strings are not visible in this package's API — confirm before use.
	Operator string `json:"operator" yaml:"operator"`
}

Condition is a key, operator and value triple that constrains when a rule applies to a user's access to a resource.

type Conditions added in v0.5.2

type Conditions []Condition

Conditions is a list of conditions.

type Effect added in v0.5.2

// Effect is the effect of a rule; the defined values are Allow and Deny.
type Effect string

Effect is the effect of the rule, it can be allow or deny.

const Allow Effect = "allow"

Allow effect.

const Deny Effect = "deny"

Deny effect.

type Matcher added in v0.5.2

// Matcher reports whether the URN l matches the URN r. IdentityBasedMatcher
// is the matcher this package provides.
type Matcher func(l *urn.URN, r *urn.URN) bool

Matcher is a function that returns true if the URN matches.

type Opt

type Opt func(*Client)

Opt is the option for the access client.

type Partition added in v0.5.2

type Partition urn.Match

Partition is the partition name of the access service.

type Partitions added in v0.5.2

type Partitions map[Partition]bool

Partitions is the list of partitions.

func (Partitions) Add added in v0.5.2

func (p Partitions) Add(partition Partition)

Add adds a partition to the list.

type Policer added in v0.5.2

// Policer looks up the policies that apply to a principal.
type Policer interface {
	// Policies returns the policies for the given principal. The slice
	// is consulted when deciding access; the result for a principal with
	// no policies is not specified here.
	Policies(ctx context.Context, principal *urn.URN) ([]*Policy, error)
}

Policer returns the policy for the given user.

type Policy added in v0.5.2

// Policy is a versioned, named set of rules that define how a user can
// access a resource. It is serialised with the same field names in JSON and
// YAML; UnmarshalJSON and UnmarshalYAML replace the receiver's values with
// those of the decoded policy.
type Policy struct {
	// Version is the version of the policy; DefaultVersion is the one this
	// package defines.
	Version string `json:"version" yaml:"version"`
	// ID is the unique identifier of the policy.
	ID string `json:"id" yaml:"id"`
	// Name is the name of the policy.
	Name string `json:"name" yaml:"name"`
	// Description is the description of the policy.
	Description string `json:"description" yaml:"description"`
	// Rules is the list of rules that define how a user can access a resource.
	Rules Rules `json:"rules" yaml:"rules"`
}

Policy is a set of rules that define how a user can access a resource.

func DefaultPolicy added in v0.5.2

func DefaultPolicy() *Policy

DefaultPolicy returns the default policy.

func (*Policy) UnmarshalJSON added in v0.5.2

func (p *Policy) UnmarshalJSON(data []byte) error

UnmarshalJSON overwrites the receiving policy with the values of the policy given in JSON format.

func (*Policy) UnmarshalYAML added in v0.5.2

func (p *Policy) UnmarshalYAML(data []byte) error

UnmarshalYAML overwrites the receiving policy with the values of the policy given in YAML format.

type Region added in v0.5.2

type Region urn.Match

Region is the region name of the access service.

type Regions added in v0.5.2

type Regions map[Region]bool

Regions is the list of regions.

func (Regions) Add added in v0.5.2

func (r Regions) Add(region Region)

Add adds a region to the list.

type Resource added in v0.5.2

type Resource string

Resource is the resource that the rule applies to.

func (Resource) String added in v0.5.2

func (r Resource) String() string

String returns the string representation of the resource.

func (Resource) URN added in v0.5.2

func (r Resource) URN() (*urn.URN, error)

URN returns the URN representation of the resource.

type ResourceIdentifier added in v0.5.2

// ResourceIdentifier reports whether a URN names a particular kind of
// resource; see Is, and the GroupResourceIdentifier, RoleResourceIdentifier
// and UserResourceIdentifier variables this package provides.
type ResourceIdentifier func(*urn.URN) bool

ResourceIdentifier is the unique identifier of a resource.

type Resources added in v0.5.2

type Resources []Resource

Resources is a list of resources.

type Rule added in v0.5.2

// Rule states the Effect (Allow or Deny) that applies when a principal
// performs one of Actions on one of Resources, subject to Conditions. It is
// serialised with the same field names in JSON and YAML.
type Rule struct {
	// ID is the unique identifier of the rule.
	ID string `json:"id" yaml:"id"`
	// Resources is the list of resources that the rule applies to.
	Resources Resources `json:"resources" yaml:"resources"`
	// Actions is the list of actions that the rule applies to.
	Actions Actions `json:"actions" yaml:"actions"`
	// Effect is the effect of the rule, either Allow or Deny.
	Effect Effect `json:"effect" yaml:"effect"`
	// Conditions is the list of conditions that further constrain when the
	// rule applies; how they are evaluated is not visible here.
	Conditions Conditions `json:"conditions" yaml:"conditions"`
}

Rule is a set of conditions that define how a user can access a resource.

type Rules added in v0.5.2

type Rules []Rule

Rules is a list of rules.

type Service added in v0.5.2

type Service urn.Match

Service is the service name of the access service.

type Services added in v0.5.2

type Services map[Service]bool

Services is the list of services.

func (Services) Add added in v0.5.2

func (s Services) Add(service Service)

Add adds a service to the list.

type UnimplementedAccessor added in v0.5.2

// UnimplementedAccessor is the default implementation of the Accessor
// interface.
// NOTE(review): the Allow method documented for this type takes no
// context.Context, whereas Accessor.Allow does; as listed, the type would
// not satisfy Accessor — confirm against the source.
type UnimplementedAccessor struct{}

UnimplementedAccessor is the default implementation of the Accessor interface.

func (*UnimplementedAccessor) Allow added in v0.5.2

func (u *UnimplementedAccessor) Allow(principal *urn.URN, ressource *urn.URN, action Action) (bool, error)

Allow returns true if the user is allowed to perform the action on the resource.
