access

package
v0.10.0 Latest
Published: Sep 17, 2025 License: BSD-3-Clause-Clear Imports: 21 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// Sentinel errors for resource and attribute-definition evaluation. Callers
// should test for them with errors.Is rather than by comparing message text.
//
//   - ErrInvalidResource: the resource passed in is not valid.
//   - ErrFQNNotFound: an attribute value FQN could not be found.
//   - ErrDefinitionNotFound: no attribute definition exists for the FQN.
//   - ErrFailedEvaluation: evaluating a definition failed.
//   - ErrMissingRequiredSpecifiedRule: the AttributeDefinition rule was left unspecified.
//   - ErrUnrecognizedRule: the AttributeDefinition rule is not one the package knows.
var (
	ErrInvalidResource              = errors.New("access: invalid resource")
	ErrFQNNotFound                  = errors.New("access: attribute value FQN not found")
	ErrDefinitionNotFound           = errors.New("access: definition not found for FQN")
	ErrFailedEvaluation             = errors.New("access: failed to evaluate definition")
	ErrMissingRequiredSpecifiedRule = errors.New("access: AttributeDefinition rule cannot be unspecified")
	ErrUnrecognizedRule             = errors.New("access: unrecognized AttributeDefinition rule")
)
// Sentinel errors for invalid policy inputs: a subject mapping, an attribute
// definition, a registered resource, or a registered resource value that does
// not pass validation. Match with errors.Is.
var (
	ErrInvalidSubjectMapping          = errors.New("access: invalid subject mapping")
	ErrInvalidAttributeDefinition     = errors.New("access: invalid attribute definition")
	ErrInvalidRegisteredResource      = errors.New("access: invalid registered resource")
	ErrInvalidRegisteredResourceValue = errors.New("access: invalid registered resource value")
)
// Sentinel errors for a missing SDK and for an entity type the package does
// not accept. Match with errors.Is.
var (
	ErrMissingRequiredSDK = errors.New("access: missing required SDK")
	ErrInvalidEntityType  = errors.New("access: invalid entity type")
)
var (
	ErrFailedToFetchAttributes          = errors.New("failed to fetch attributes from policy service")
	ErrFailedToFetchSubjectMappings     = errors.New("failed to fetch subject mappings from policy service")
	ErrFailedToFetchRegisteredResources = errors.New("failed to fetch registered resources from policy service")
)
var (
	ErrInvalidAction                = errors.New("access: invalid action")
	ErrInvalidEntityChain           = errors.New("access: invalid entity chain")
	ErrInvalidEntitledFQNsToActions = errors.New("access: invalid entitled FQNs to actions")
)
// ErrMissingRequiredPolicy reports that only one of attribute definitions and
// subject mappings was supplied: the two must be provided together, or neither
// at all. Match with errors.Is.
var (
	ErrMissingRequiredPolicy = errors.New("access: both attribute definitions and subject mappings must be provided or neither")
)

Functions

This section is empty.

Types

type DataRuleResult

// DataRuleResult represents the result of evaluating one rule for an entity.
type DataRuleResult struct {
	// Passed is true when the rule was satisfied for the entity.
	Passed bool `json:"passed" example:"false"`
	// ResourceValueFQNs lists the attribute value FQNs on the resource that the rule was evaluated against.
	ResourceValueFQNs []string `json:"resource_value_fqns"`
	// Attribute is the attribute definition whose rule was evaluated.
	Attribute *policy.Attribute `json:"attribute"`
	// EntitlementFailures records each (attribute value, action) entitlement the entity lacked.
	// NOTE(review): presumably empty when Passed is true — confirm against the evaluator.
	EntitlementFailures []EntitlementFailure `json:"entitlement_failures"`
}

DataRuleResult represents the result of evaluating one rule for an entity.

type Decision

// Decision represents the overall access decision for an entity.
type Decision struct {
	// Access is the overall allow (true) / deny (false) verdict for the entity.
	Access bool `json:"access" example:"false"`
	// Results holds the per-resource evaluation that the verdict was derived from.
	Results []ResourceDecision `json:"entity_rule_result"`
}

Decision represents the overall access decision for an entity.

type EntitlementFailure

// EntitlementFailure represents a failure to satisfy an entitlement of the
// action on the attribute value.
type EntitlementFailure struct {
	// AttributeValueFQN is the fully qualified name of the attribute value the entity was not entitled to.
	AttributeValueFQN string `json:"attribute_value"`
	// ActionName is the name of the action that was not entitled on that value.
	ActionName string `json:"action"`
}

EntitlementFailure represents a failure to satisfy an entitlement of the action on the attribute value.

type EntitlementPolicyRetriever added in v0.7.0

// EntitlementPolicyRetriever satisfies the EntitlementPolicyStore interface
// and fetches fresh entitlement policy data from the policy services via SDK.
type EntitlementPolicyRetriever struct {
	// SDK is the authenticated SDK used for every policy-service call.
	SDK *otdfSDK.SDK
}

EntitlementPolicyRetriever satisfies the EntitlementPolicyStore interface and fetches fresh entitlement policy data from the policy services via SDK.

func NewEntitlementPolicyRetriever added in v0.7.0

func NewEntitlementPolicyRetriever(sdk *otdfSDK.SDK) *EntitlementPolicyRetriever

func (*EntitlementPolicyRetriever) IsEnabled added in v0.7.0

func (p *EntitlementPolicyRetriever) IsEnabled() bool

func (*EntitlementPolicyRetriever) IsReady added in v0.7.0

func (*EntitlementPolicyRetriever) ListAllAttributes added in v0.7.0

func (p *EntitlementPolicyRetriever) ListAllAttributes(ctx context.Context) ([]*policy.Attribute, error)

func (*EntitlementPolicyRetriever) ListAllRegisteredResources added in v0.7.0

func (p *EntitlementPolicyRetriever) ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error)

func (*EntitlementPolicyRetriever) ListAllSubjectMappings added in v0.7.0

func (p *EntitlementPolicyRetriever) ListAllSubjectMappings(ctx context.Context) ([]*policy.SubjectMapping, error)

type EntitlementPolicyStore added in v0.7.0

// EntitlementPolicyStore is the shared interface that a cache, or the
// connected retriever, implements to provide entitlement policy data.
type EntitlementPolicyStore interface {
	// ListAllAttributes returns every attribute definition in policy.
	ListAllAttributes(ctx context.Context) ([]*policy.Attribute, error)
	// ListAllSubjectMappings returns every subject mapping in policy.
	ListAllSubjectMappings(ctx context.Context) ([]*policy.SubjectMapping, error)
	// ListAllRegisteredResources returns every registered resource in policy.
	ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error)
	// IsEnabled reports whether this store is enabled at all.
	IsEnabled() bool
	// IsReady reports whether the store can currently serve policy; the exact
	// readiness criteria are defined by each implementation.
	IsReady(context.Context) bool
}

EntitlementPolicyStore is the shared interface that a cache, or the connected retriever below, implements to provide entitlement policy data.

type JustInTimePDP

// JustInTimePDP is a Policy Decision Point that holds no in-memory policy of
// its own; it is created with a remote connection via an authenticated SDK and
// fetches entitlement policy from an EntitlementPolicyStore or from the policy
// services directly. See NewJustInTimePDP.
type JustInTimePDP struct {
	// contains filtered or unexported fields
}

func NewJustInTimePDP

func NewJustInTimePDP(
	ctx context.Context,
	l *logger.Logger,
	sdk *otdfSDK.SDK,
	store EntitlementPolicyStore,
) (*JustInTimePDP, error)

JustInTimePDP creates a new Policy Decision Point instance with no in-memory policy and a remote connection via an authenticated SDK, then fetches all entitlement policy from the provided store interface or directly from the policy services.

func (*JustInTimePDP) GetDecision

func (p *JustInTimePDP) GetDecision(
	ctx context.Context,
	entityIdentifier *authzV2.EntityIdentifier,
	action *policy.Action,
	resources []*authzV2.Resource,
) ([]*Decision, bool, error)

GetDecision retrieves the decision for the provided entity chain, action, and resources. It resolves the entity chain to obtain the entity representations and then calls the embedded PDP to get the decision. The decision is returned as a slice of Decision objects, along with a global boolean indicating whether all decisions are allowed.

func (*JustInTimePDP) GetEntitlements

func (p *JustInTimePDP) GetEntitlements(
	ctx context.Context,
	entityIdentifier *authzV2.EntityIdentifier,
	withComprehensiveHierarchy bool,
) ([]*authzV2.EntityEntitlements, error)

GetEntitlements retrieves the entitlements for the provided entity chain. It resolves the entity chain to get the entity representations and then calls the embedded PDP to get the entitlements.

type PolicyDecisionPoint

// PolicyDecisionPoint represents the Policy Decision Point component with all
// policy passed in by the caller. All decisions and entitlements are evaluated
// against the in-memory policy. See NewPolicyDecisionPoint.
type PolicyDecisionPoint struct {
	// contains filtered or unexported fields
}

PolicyDecisionPoint represents the Policy Decision Point component with all policy passed in by the caller. All decisions and entitlements are evaluated against the in-memory policy.

func NewPolicyDecisionPoint

func NewPolicyDecisionPoint(
	ctx context.Context,
	l *logger.Logger,
	allAttributeDefinitions []*policy.Attribute,
	allSubjectMappings []*policy.SubjectMapping,
	allRegisteredResources []*policy.RegisteredResource,
) (*PolicyDecisionPoint, error)

PolicyDecisionPoint creates a new Policy Decision Point instance. It is presumed that all Attribute Definitions and Subject Mappings are valid and contain the entirety of entitlement policy. Attribute Values without Subject Mappings will be ignored in decisioning.

func (*PolicyDecisionPoint) GetDecision

func (p *PolicyDecisionPoint) GetDecision(
	ctx context.Context,
	entityRepresentation *entityresolutionV2.EntityRepresentation,
	action *policy.Action,
	resources []*authz.Resource,
) (*Decision, error)

GetDecision evaluates the action on the resources for the entity and returns a decision.

func (*PolicyDecisionPoint) GetDecisionRegisteredResource added in v0.7.0

func (p *PolicyDecisionPoint) GetDecisionRegisteredResource(
	ctx context.Context,
	entityRegisteredResourceValueFQN string,
	action *policy.Action,
	resources []*authz.Resource,
) (*Decision, error)

func (*PolicyDecisionPoint) GetEntitlements

func (p *PolicyDecisionPoint) GetEntitlements(
	ctx context.Context,
	entityRepresentations []*entityresolutionV2.EntityRepresentation,
	optionalMatchedSubjectMappings []*policy.SubjectMapping,
	withComprehensiveHierarchy bool,
) ([]*authz.EntityEntitlements, error)

func (*PolicyDecisionPoint) GetEntitlementsRegisteredResource added in v0.6.0

func (p *PolicyDecisionPoint) GetEntitlementsRegisteredResource(
	ctx context.Context,
	registeredResourceValueFQN string,
	withComprehensiveHierarchy bool,
) ([]*authz.EntityEntitlements, error)

type ResourceDecision

// ResourceDecision represents the result of evaluating the action on one
// resource for an entity.
type ResourceDecision struct {
	// Passed is true when every data rule for this resource passed.
	Passed bool `json:"passed" example:"false"`
	// ResourceID identifies the resource; omitted from JSON when empty.
	ResourceID string `json:"resource_id,omitempty"`
	// ResourceName names the resource; omitted from JSON when empty.
	ResourceName string `json:"resource_name,omitempty"`
	// DataRuleResults holds the per-rule results that Passed summarizes.
	DataRuleResults []DataRuleResult `json:"data_rule_results"`
}

ResourceDecision represents the result of evaluating the action on one resource for an entity.
