resources

Documentation

Overview

Package resources provides extendable service Handler for managing resource-policy based data.

Index

• type PoliciesCleaner
  • func (c *PoliciesCleaner) Handle(ctx context.Context, msg *idm.ChangeEvent) error
• type PoliciesCleanerOptions
• type PoliciesLoaderFunc
• type ResourceProviderHandler
  • func (r *ResourceProviderHandler) IsAllowed(ctx context.Context, resourceId string, action service.ResourcePolicyAction, ...) (err error)
  • func (r *ResourceProviderHandler) IsContextEditable(ctx context.Context, resourceId string, policies []*service.ResourcePolicy) bool
  • func (r *ResourceProviderHandler) MatchPolicies(ctx context.Context, resourceId string, policies []*service.ResourcePolicy, ...) bool
  • func (r *ResourceProviderHandler) RestToServiceResourcePolicy(ctx context.Context, input *rest.ResourcePolicyQuery) (output *service.ResourcePolicyQuery, e error)

Types

type PoliciesCleaner

type PoliciesCleaner struct {
	Dao     dao.DAO
	Options PoliciesCleanerOptions
	LogCtx  context.Context
}

func (*PoliciesCleaner) Handle

func (c *PoliciesCleaner) Handle(ctx context.Context, msg *idm.ChangeEvent) error

Handle cleans resources in the current DAO based on the delete events

type PoliciesCleanerOptions

type PoliciesCleanerOptions struct {
	SubscribeRoles bool
	SubscribeUsers bool
}

type PoliciesLoaderFunc

type PoliciesLoaderFunc func(ctx context.Context, resourceId string, resourceClient interface{}) (policies []*service.ResourcePolicy, e error)

PoliciesLoaderFunc is a signature for a function that can load policies from a given resource

type ResourceProviderHandler

type ResourceProviderHandler struct {
	ResourceName   string
	ServiceName    string
	PoliciesLoader PoliciesLoaderFunc
}

ResourceProviderHandler abstracts class that can be implemented by REST handlers to add Policies checking capabilities

func (*ResourceProviderHandler) IsAllowed

func (r *ResourceProviderHandler) IsAllowed(ctx context.Context, resourceId string, action service.ResourcePolicyAction, resourceClient interface{}) (err error)

IsAllowed matches a resourceId against a policy Action It uses the PoliciesLoader function to first grab the policies associated to this resource, then use an in-memory warden to check the policies stack.

func (*ResourceProviderHandler) IsContextEditable

func (r *ResourceProviderHandler) IsContextEditable(ctx context.Context, resourceId string, policies []*service.ResourcePolicy) bool

IsContextEditable can be used for outputting results with a flag telling wether this resource can be edited by the currently logged user

func (*ResourceProviderHandler) MatchPolicies

func (r *ResourceProviderHandler) MatchPolicies(ctx context.Context, resourceId string, policies []*service.ResourcePolicy, action service.ResourcePolicyAction, subjects ...string) bool

MatchPolicies creates an memory-based policy stack checker to check if action is allowed or denied. It uses a DenyByDefault strategy

func (*ResourceProviderHandler) RestToServiceResourcePolicy

func (r *ResourceProviderHandler) RestToServiceResourcePolicy(ctx context.Context, input *rest.ResourcePolicyQuery) (output *service.ResourcePolicyQuery, e error)

RestToServiceResourcePolicy transforms input rest.ResourcePolicy to service.ResourcePolicy that can be used internally