authzlib

package
v0.0.8
Published: Jun 5, 2023 License: MIT Imports: 8 Imported by: 0

README

MongoProxy Authorization

MongoProxy Authorization is a feature of MongoProxy that restricts a user's create, read, update and delete (CRUD) permissions on collections, documents and fields according to that user's business needs.

API

See types.go for the public interfaces (the black-box API of the package).

Schema Structure

The general schema design is as follows:

schema/
    policies/
        policy_1.json
        ...
        policy_n.json
    roles.json

Code

Related code can be found in the following files:

  • types.go (Defines Authorization, AuthorizationMethod and AuthorizationQuerier interfaces)
  • authz.go (Loads configs for querier in Authz struct)
  • querier.go (Authorization piece + implements AuthzSchema)
  • policies.go (Implements policies to be queried by the querier)
  • roles.go (Implements roles to be queried by the querier)
  • enforce.go (Handles the enforce > log > authorized > default precedence used by the authorization piece)
  • utils.go (Some useful helper functions)
  • authz_test.go (Unit tests)

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Authorization

type Authorization interface {
	// LoadConfig will load the given URLs of rules and
	// expand the rules using the SchemaQuerier (for annotation
	// based rules) returning an error if there was an issue
	LoadConfig(ctx context.Context, paths []string, data SchemaQuerier) error
	// Querier returns a querier of the current loaded config
	// the returned querier must provide a consistent view
	// over the data (this way we get consistent authz throughout
	// a single request)
	Querier() AuthorizationQuerier
}

Authorization is the interface that handles loading the config and creating the querier.

type AuthorizationMethod

type AuthorizationMethod int8

AuthorizationMethod is an int8 to indicate CRUD permissions

const (
	Create AuthorizationMethod = iota
	Read
	Update
	Delete
)

CRUD permissions

func (AuthorizationMethod) String

func (m AuthorizationMethod) String() string

type AuthorizationQuerier

type AuthorizationQuerier interface {
	// Authorize will authorize the given request based on the URI
	// passed in. The URI might be a subset (e.g. DB/Collection) in
	// cases where we want to pre-check permissions (e.g. if no
	// permissions on anything, just fail to avoid the subsequent
	// lookups)
	Authorize(ctx context.Context, identities []string, method AuthorizationMethod, resource Resource) AuthorizeResult
}

AuthorizationQuerier is an interface that handles authorizing mongo requests.

type AuthorizeResult

type AuthorizeResult struct {
	AuthorizationMethod
	Resource
	IdentityName string
	Rule         *Rule

	LogOnlyRules []Rule
}

type Authz

type Authz struct {
	// contains filtered or unexported fields
}

Authz implements Authorization. Note that, as documented here, the method sets do not line up: Authorization.LoadConfig takes a SchemaQuerier value, while Authz.LoadConfig takes a *SchemaQuerier, so an *Authz would not satisfy the interface with the signatures shown.

func (*Authz) GetSchema

func (a *Authz) GetSchema() *AuthzSchema

func (*Authz) LoadConfig

func (a *Authz) LoadConfig(ctx context.Context, paths []string, q *SchemaQuerier) error

TODO: maintain a version of the config loaded.

LoadConfig will load the given URLs of rules and expand the rules using the SchemaQuerier (for annotation-based rules), returning an error if there was an issue.

func (*Authz) Querier

func (a *Authz) Querier() AuthorizationQuerier

Querier returns a querier of the currently loaded config. The returned querier must provide a consistent view over the data (this way we get consistent authz throughout a single request).

type AuthzSchema

type AuthzSchema struct {
	Roles    map[string][]string  // Role name -> list of Policy names
	Policies map[string]*policies // Policy name -> policies object
}

AuthzSchema implements AuthorizationQuerier. It stores the information to be queried from.

func (*AuthzSchema) Authorize

func (q *AuthzSchema) Authorize(ctx context.Context, identities []string, method AuthorizationMethod, resource Resource) AuthorizeResult

func (*AuthzSchema) String

func (q *AuthzSchema) String() string

type EnforceMethod

type EnforceMethod int8
const (

	// DefaultCase is when the EnforceMethod is not set
	DefaultCase EnforceMethod = iota

	// EnforceCase is when the effect is to deny and we
	// would like to enforce the outcome.
	EnforceCase

	// LogCase is when the effect is to deny and we
	// would like to log the outcome without enforcing
	LogCase

	// AuthorizedCase is when the effect is to allow
	AuthorizedCase
)

func (EnforceMethod) String

func (m EnforceMethod) String() string

type Resource

type Resource struct {
	Global     bool
	DB         string
	Collection string
	Field      string
}

func (*Resource) String

func (r *Resource) String() string

type ResourceRules

type ResourceRules struct {
	// set of Rules for each action
	Create []Rule
	Read   []Rule
	Update []Rule
	Delete []Rule

	LogOnlyCreate []Rule
	LogOnlyRead   []Rule
	LogOnlyUpdate []Rule
	LogOnlyDelete []Rule
}

func (*ResourceRules) SortRules

func (r *ResourceRules) SortRules()

SortRules simply sorts rules based on their Effect

func (*ResourceRules) String

func (r *ResourceRules) String() string

type Rule

type Rule struct {
	PolicyName string // Name of the policy this rule came from
	RuleNumber int    // Ordinal (0-N) of rule within the given policy

	Effect    effectType
	Policy    policyType
	Condition map[string]string
	Message   string
}

func (*Rule) String

func (r *Rule) String() string

type RuleSlice

type RuleSlice []Rule

RuleSlice implements sort.Interface for a []Rule, sorting in Effect order (Deny first).

func (RuleSlice) Len

func (x RuleSlice) Len() int

func (RuleSlice) Less

func (x RuleSlice) Less(i, j int) bool

Less reports whether x[i] should be ordered before x[j], as required by the sort Interface.

func (RuleSlice) Swap

func (x RuleSlice) Swap(i, j int)
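The following is an added, self-contained illustration of how the pieces above fit together: the identities-to-roles-to-policies lookup that AuthzSchema's Roles and Policies maps describe, the Deny-first ordering that RuleSlice provides, and the enforce > log > authorized > default precedence that enforce.go and EnforceMethod describe. It is not code from authzlib: the library's effectType and policyType are unexported and its policy JSON format is not shown on this page, so the Effect enum, the LogOnly flag, the Schema type (rules keyed only by policy name, ignoring the CRUD method) and the sample roles and policies below are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Effect stands in for authzlib's unexported effectType (assumed).
type Effect int8

const (
	Allow Effect = iota
	Deny
)

// EnforceMethod mirrors the four cases documented for authzlib.EnforceMethod.
type EnforceMethod int8

const (
	DefaultCase    EnforceMethod = iota // no rule matched
	EnforceCase                         // a deny rule matched and is enforced
	LogCase                             // a deny rule matched but is log-only
	AuthorizedCase                      // an allow rule matched
)

// Rule keeps authzlib.Rule's PolicyName/RuleNumber/Message fields; LogOnly is an
// assumed flag standing in for the separate LogOnly* buckets of ResourceRules.
type Rule struct {
	PolicyName string
	RuleNumber int
	Effect     Effect
	LogOnly    bool
	Message    string
}

// byEffect orders Deny rules before Allow rules, as authzlib.RuleSlice does.
type byEffect []Rule

func (x byEffect) Len() int           { return len(x) }
func (x byEffect) Less(i, j int) bool { return x[i].Effect == Deny && x[j].Effect != Deny }
func (x byEffect) Swap(i, j int)      { x[i], x[j] = x[j], x[i] }

// Schema mirrors AuthzSchema: role name -> policy names, policy name -> rules.
type Schema struct {
	Roles    map[string][]string
	Policies map[string][]Rule
}

// Result carries the same information as AuthorizeResult plus the resolved case.
type Result struct {
	Case         EnforceMethod
	IdentityName string
	Rule         *Rule
	LogOnlyRules []Rule
}

// Authorize resolves identities -> roles -> policies -> rules and applies the
// precedence enforce > log > authorized > default. An enforced deny from any
// identity wins immediately; log-only denies are collected and outrank a plain
// allow; an allow outranks having matched nothing at all.
func (s *Schema) Authorize(identities []string) Result {
	res := Result{Case: DefaultCase}
	for _, id := range identities {
		var rules []Rule
		for _, p := range s.Roles[id] {
			rules = append(rules, s.Policies[p]...)
		}
		sort.Stable(byEffect(rules)) // deny first, so denies are seen before allows
		for i := range rules {
			r := rules[i] // fresh variable per iteration, safe to take its address
			switch {
			case r.Effect == Deny && !r.LogOnly:
				res.Case, res.IdentityName, res.Rule = EnforceCase, id, &r
				return res
			case r.Effect == Deny:
				res.LogOnlyRules = append(res.LogOnlyRules, r)
				res.Case = LogCase
			case res.Rule == nil:
				res.IdentityName, res.Rule = id, &r
				if res.Case == DefaultCase {
					res.Case = AuthorizedCase
				}
			}
		}
	}
	return res
}

// sampleSchema is constructed test data, not a schema shipped with MongoProxy.
func sampleSchema() *Schema {
	return &Schema{
		Roles: map[string][]string{
			"analyst":    {"read_orders"},
			"contractor": {"read_orders", "deny_pii"},
			"auditor":    {"read_orders", "flag_exports"},
		},
		Policies: map[string][]Rule{
			"read_orders":  {{PolicyName: "read_orders", Effect: Allow, Message: "may read orders"}},
			"deny_pii":     {{PolicyName: "deny_pii", Effect: Deny, Message: "contractors may not read PII"}},
			"flag_exports": {{PolicyName: "flag_exports", Effect: Deny, LogOnly: true, Message: "log auditor exports"}},
		},
	}
}

func ruleName(r *Rule) string {
	if r == nil {
		return "<none>"
	}
	return fmt.Sprintf("%s#%d", r.PolicyName, r.RuleNumber)
}

func main() {
	s := sampleSchema()
	for _, ids := range [][]string{{"analyst"}, {"analyst", "contractor"}, {"auditor"}, {"nobody"}} {
		r := s.Authorize(ids)
		fmt.Printf("%v -> case=%d identity=%q rule=%s logOnly=%d\n", ids, r.Case, r.IdentityName, ruleName(r.Rule), len(r.LogOnlyRules))
	}
}
```

The point worth checking in any real deployment is the second case: an identity with an allow rule ("analyst") combined with one carrying an enforced deny ("contractor") must resolve to EnforceCase, because the deny-first sort and the early return together guarantee that no later allow can override it.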

type SchemaQuerier

type SchemaQuerier interface{}

TODO - remove this when SchemaQuerier is actually implemented
