README
¶
abac
Simple implementation for Attribute-Based Access Control (ABAC).
Install
go get github.com/yuriiiz/abac
Example
policy := Policy{
Name: "Name",
Description: "Description",
Statements: []Statement{
{
Effect: Allow,
Actions: []string{"read", "write", "audit"},
Resources: Resources{
ResourceType: "resource_type_1",
ResourceNames: []string{"*"},
CompareFunc: StrGlob,
},
},
{
Effect: Allow,
Actions: []string{"read", "write", "audit"},
Resources: Resources{
ResourceType: "resource_type_2",
ResourceNames: []string{"prefix_.*"},
CompareFunc: StrRegex,
},
},
{
Effect: Deny,
Actions: []string{"write"},
Resources: Resources{
ResourceType: "resource_type_1",
ResourceNames: []string{"resource_name_1", "resource_name_2", "resource_name_3"},
CompareFunc: StrEqual,
},
Conditions: Conditions{
Items: []Condition{
{
Operator: "gt",
AttributeType: AttributeTypeEnv,
AttributeKey: "current_timestamp",
Value: 1600000000,
},
{
Operator: "lt",
AttributeType: AttributeTypeEnv,
AttributeKey: "current_timestamp",
Value: 1700000000,
},
{
Operator: "eq",
AttributeType: AttributeTypeResource,
AttributeKey: "environment",
Value: "production",
},
},
Formula: "$0 and $1 and $2", // TODO: to be supported
},
},
},
}
var resource Resource
var attributes Attributes
resource = Resource{
ResourceType: "resource_type_1",
ResourceName: "resource_name",
}
fmt.Println(policy.Validate("read", resource, attributes)) // -> nil
resource = Resource{
ResourceType: "resource_type_2",
ResourceName: "prefix_resource_name",
}
fmt.Println(policy.Validate("read", resource, attributes)) // -> nil
resource = Resource{
ResourceType: "resource_type_2",
ResourceName: "resource_name",
}
fmt.Println(policy.Validate("read", resource, attributes)) // -> ErrStatementNotMatch
resource = Resource{
ResourceType: "resource_type_1",
ResourceName: "resource_name_1",
}
attributes = []Attribute{
{
Type: AttributeTypeResource,
Key: "environment",
ValueType: "string",
Value: "production",
},
{
Type: AttributeTypeEnv,
Key: "current_timestamp",
ValueType: "number",
Value: 1650000000,
},
}
fmt.Println(policy.Validate("write", resource, attributes)) // -> ErrDeniedByStatement
Documentation
¶
Index ¶
- Constants
- Variables
- func Compare(valueType, operator string, originValue, compareValue interface{}) (bool, error)
- func MatchStrPatterns(patterns []string, subj string, compareFunc StrComparable) bool
- func StrEqual(pattern, subj string) bool
- func StrGlob(pattern, subj string) bool
- func StrRegex(pattern, subj string) bool
- type Attribute
- type Attributes
- type Condition
- type Conditions
- type Identity
- type Permission
- type Policies
- type Policy
- type Resource
- type Resources
- type Statement
- type StrComparable
Constants ¶
View Source
const ( AttributeTypeSubject = "AttributeTypeSubject" AttributeTypeResource = "AttributeTypeResource" AttributeTypeEnv = "AttributeTypeEnv" )
View Source
const ( OperatorEQ = "eq" OperatorLT = "lt" OperatorLTE = "lte" OperatorGT = "gt" OperatorGTE = "gte" OperatorNEQ = "neq" OperatorGlobMatch = "glob_match" OperatorRegexMatch = "regex_match" )
View Source
const ( Allow = "allow" Deny = "deny" )
Variables ¶
View Source
var ( ErrDeniedByStatement = errors.New("action denied as statement declared") ErrStatementNotMatch = errors.New("statement does not match the action") )
Functions ¶
func MatchStrPatterns ¶
func MatchStrPatterns(patterns []string, subj string, compareFunc StrComparable) bool
Types ¶
type Attributes ¶
type Attributes []Attribute
type Conditions ¶
func (Conditions) Judge ¶
func (cs Conditions) Judge(attributes Attributes) (bool, error)
type Permission ¶
type Policy ¶
type Resources ¶
type Resources struct {
ResourceType string
ResourceNames []string
CompareFunc StrComparable
}
type Statement ¶
type Statement struct {
Resources
Effect string
Actions []string
Conditions Conditions
}
type StrComparable ¶
Source Files
Click to show internal directories.
Click to hide internal directories.