Overview ¶
Package permissions provides utilities for managing container permissions and permission profiles for the toolhive application.
Constants ¶
// Built-in permission profile names. The corresponding profiles are
// constructed by BuiltinNoneProfile and BuiltinNetworkProfile.
const (
	// ProfileNone is the name of the built-in profile with no permissions
	// (no mounts, no network); see BuiltinNoneProfile.
	ProfileNone = "none"
	// ProfileNetwork is the name of the built-in profile with network permissions;
	// see BuiltinNetworkProfile.
	ProfileNetwork = "network"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type InboundNetworkPermissions ¶ added in v0.3.9
// InboundNetworkPermissions defines inbound network permissions.
type InboundNetworkPermissions struct {
	// AllowHost is a list of allowed hosts for inbound connections.
	// Because of omitempty, an empty list is absent in serialized form and is
	// indistinguishable from an unset field after a round trip.
	// NOTE(review): the matching semantics (exact host, wildcard, CIDR) and
	// what the enforcement code does with an empty allowlist (deny all vs.
	// unrestricted) are not visible in this package — confirm before relying on it.
	AllowHost []string `json:"allow_host,omitempty" yaml:"allow_host,omitempty"`
}
type MountDeclaration ¶
// MountDeclaration represents a mount declaration for a container.
// It can be in one of the following formats:
//   - A single path: The same path will be mounted from host to container
//   - host-path:container-path: Different paths for host and container
//   - resource-uri:container-path: Mount a resource identified by URI to a
//     container path (e.g., volume://name:container-path)
//
// Parse returns the cleaned and validated source/target pair and IsValid
// reports whether the declaration is valid. IsResourceURI and GetResourceType
// inspect only the URI format, not the safety of the paths, so a declaration
// must still go through Parse/IsValid before it is used to mount anything.
type MountDeclaration string
func ParseMountDeclarations ¶
func ParseMountDeclarations(declarations []string) ([]MountDeclaration, error)
ParseMountDeclarations parses a list of mount declarations, returning the parsed declarations or an error.
func (MountDeclaration) GetResourceType ¶
func (m MountDeclaration) GetResourceType() (string, error)
GetResourceType returns the resource type if the mount declaration is a resource URI. For example, "volume://name" would return "volume".
func (MountDeclaration) IsResourceURI ¶
func (m MountDeclaration) IsResourceURI() bool
IsResourceURI checks whether the mount declaration is in resource URI format. This only checks the format, not the security of the paths.
func (MountDeclaration) IsValid ¶
func (m MountDeclaration) IsValid() bool
IsValid checks if the mount declaration is valid
func (MountDeclaration) Parse ¶
func (m MountDeclaration) Parse() (source, target string, err error)
Parse parses a mount declaration and returns the source and target paths. It also cleans and validates the paths.
type NetworkPermissions ¶
// NetworkPermissions defines network permissions for a container.
type NetworkPermissions struct {
	// Outbound defines outbound network permissions.
	// A nil pointer is omitted when serialized (omitempty).
	// NOTE(review): whether nil and a zero-valued OutboundNetworkPermissions are
	// treated the same by the enforcement code is not visible here — confirm.
	Outbound *OutboundNetworkPermissions `json:"outbound,omitempty" yaml:"outbound,omitempty"`
	// Inbound defines inbound network permissions.
	// Same nil/omitempty caveat as Outbound.
	Inbound *InboundNetworkPermissions `json:"inbound,omitempty" yaml:"inbound,omitempty"`
}
type OutboundNetworkPermissions ¶
// OutboundNetworkPermissions defines outbound network permissions.
type OutboundNetworkPermissions struct {
	// InsecureAllowAll allows all outbound network connections.
	// When true, the AllowHost/AllowPort allowlists below are presumably not
	// consulted — confirm against the enforcement code. Because of omitempty,
	// false is never written out, so a profile that does not mention this
	// field gets the restrictive default.
	InsecureAllowAll bool `json:"insecure_allow_all,omitempty" yaml:"insecure_allow_all,omitempty"`
	// AllowHost is a list of allowed hosts.
	// NOTE(review): matching semantics (exact host, wildcard, CIDR) are not
	// defined in this package.
	AllowHost []string `json:"allow_host,omitempty" yaml:"allow_host,omitempty"`
	// AllowPort is a list of allowed ports.
	// Plain ints: nothing in this type restricts them to the 1-65535 range;
	// any range validation, if present, lives in the consumer.
	AllowPort []int `json:"allow_port,omitempty" yaml:"allow_port,omitempty"`
}
type Profile ¶
// Profile represents a permission profile for a container.
//
// The built-in profile names are the ProfileNone and ProfileNetwork constants;
// BuiltinNoneProfile and BuiltinNetworkProfile construct the corresponding
// profiles. All fields carry omitempty, so a profile that omits a field gets
// that field's zero value (no mounts, no network, not privileged).
type Profile struct {
	// Name is the name of the profile.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
	// Read is a list of mount declarations that the container can read from.
	// These can be in the following formats:
	//   - A single path: The same path will be mounted from host to container
	//   - host-path:container-path: Different paths for host and container
	//   - resource-uri:container-path: Mount a resource identified by URI to a container path
	// Entries are cleaned and validated by MountDeclaration.Parse; note that
	// MountDeclaration.IsResourceURI checks only the format, not the safety of
	// the paths.
	Read []MountDeclaration `json:"read,omitempty" yaml:"read,omitempty"`
	// Write is a list of mount declarations that the container can write to.
	// These follow the same format as Read mounts but with write permissions,
	// i.e. writes made inside the container reach the mounted host path or resource.
	Write []MountDeclaration `json:"write,omitempty" yaml:"write,omitempty"`
	// Network defines network permissions. nil is omitted when serialized (omitempty).
	Network *NetworkPermissions `json:"network,omitempty" yaml:"network,omitempty"`
	// Privileged indicates whether the container should run in privileged mode.
	// When true, the container has access to all host devices and capabilities.
	// Use with extreme caution as this removes most security isolation.
	// Because of omitempty, false is never written out; only an explicit
	// `privileged: true` in a profile enables it.
	Privileged bool `json:"privileged,omitempty" yaml:"privileged,omitempty"`
}
func BuiltinNetworkProfile ¶
func BuiltinNetworkProfile() *Profile
BuiltinNetworkProfile returns the built-in network profile
func BuiltinNoneProfile ¶ added in v0.0.32
func BuiltinNoneProfile() *Profile
BuiltinNoneProfile returns the built-in profile with no permissions