aclengine

package
v0.7.3 Latest
Published: Dec 24, 2025 License: MIT Imports: 15 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func HashCanonicalString added in v0.6.7

func HashCanonicalString(s string) []byte

Types

type ByCanonicalSort

type ByCanonicalSort []SortableRule

ByCanonicalSort implements sort.Interface for []SortableRule based on the canonical order.

func (ByCanonicalSort) Len

func (a ByCanonicalSort) Len() int

func (ByCanonicalSort) Less

func (a ByCanonicalSort) Less(i, j int) bool

func (ByCanonicalSort) Swap

func (a ByCanonicalSort) Swap(i, j int)

type Effect

type Effect string

Effect indicates whether a rule grants or denies permission.

const (
	Grant Effect = "grant"
	Deny  Effect = "deny"

	EnvACLPubkey = "YUKINET_ACL_PUBKEY"
)

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

func NewEngine

func NewEngine() *Engine

NewEngine creates a new, empty ACL engine.

func (*Engine) Check

func (e *Engine) Check(principalRef string, permission Permission, accessPath string) bool

Check determines if the principal has the requested permission for the path. principalRef can be an alias or a key ID.

func (*Engine) ExportCanonicalString

func (e *Engine) ExportCanonicalString(stripSignature bool) string

ExportCanonicalString generates a formatted string representation of the loaded ACL policies in a deterministic, canonical order. Suitable for display or signing.

func (*Engine) Hash added in v0.5.0

func (e *Engine) Hash() []byte

func (*Engine) ListPrincipals

func (e *Engine) ListPrincipals() []string

func (*Engine) MightAllow

func (e *Engine) MightAllow(key string) bool

`key` must start with `@key:`. Returns true if at least one loaded rule references that key. This does not evaluate the policy; it is only a cheap precondition check, to be followed by Check for the actual decision.

func (*Engine) RegisterUpdateCallback

func (e *Engine) RegisterUpdateCallback(fn func()) int64

RegisterUpdateCallback registers fn to be invoked when the engine's rules are updated and returns a token for UnregisterUpdateCallback. fn must be lightweight: callbacks are invoked synchronously on a single thread, so a slow callback delays the update.

func (*Engine) UnregisterUpdateCallback

func (e *Engine) UnregisterUpdateCallback(token int64)

func (*Engine) Update

func (e *Engine) Update(reader io.Reader) error

Update parses rules from reader and atomically replaces the engine's loaded policy. Validation (syntax, cycles, alias resolution) is performed before the swap, so a rejected policy leaves the previously loaded rules in place.

type Permission

type Permission string

Permission represents the capability being checked (e.g., "file:read", "task:*").

type Result added in v0.6.9

type Result struct {
	Rule   *Rule
	Reason string
}

type Rule

type Rule struct {
	PrincipalRef      string     // Original reference (alias, key ID, or @group:name) used in the rule definition
	PermissionPattern Permission // Permission pattern (e.g., "file:read", "task:*", "*")
	PathPattern       string     // Resource path pattern (e.g., "/data/*", "/home/...")
	Effect            Effect     // Grant or Deny
	SourceLine        int        // Line number in the source file for debugging
}

Rule defines a single policy statement.

func (*Rule) Match added in v0.6.9

func (r *Rule) Match(perm Permission, resourcePath string) bool

func (*Rule) String

func (r *Rule) String() string

type SortableRule

type SortableRule struct {
	Rule
	ResolvedPrincipalID string // Canonical ID for sorting
}

SortableRule adds sorting info to a Rule.
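The canonicalize-then-hash pattern behind ExportCanonicalString, Hash, HashCanonicalString and ByCanonicalSort, as an added stand-alone example. This is illustration code written for this page, not the aclengine implementation: the sort key, the line layout, the tab separator, the use of the resolved principal ID instead of the alias, and the choice of SHA-256 are all assumptions (the page does not state which hash function or serialization the package uses). The point it demonstrates is why the ordering matters for signing: two policies that differ only in rule order and alias spelling must produce the same digest, while any semantic change (here, a Deny flipped to Grant) must change it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Effect, Rule and SortableRule mirror the shapes on the documentation page.
// They are local stand-ins for this example, not the aclengine types.
type Effect string

const (
	Grant Effect = "grant"
	Deny  Effect = "deny"
)

type Rule struct {
	PrincipalRef      string
	PermissionPattern string
	PathPattern       string
	Effect            Effect
}

type SortableRule struct {
	Rule
	ResolvedPrincipalID string // canonical ID used for ordering and serialization
}

// ByCanonicalSort orders rules by (resolved principal, permission, path, effect),
// so the serialization does not depend on the order rules appear in the source.
type ByCanonicalSort []SortableRule

func (a ByCanonicalSort) Len() int      { return len(a) }
func (a ByCanonicalSort) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
func (a ByCanonicalSort) Less(i, j int) bool {
	x, y := a[i], a[j]
	if x.ResolvedPrincipalID != y.ResolvedPrincipalID {
		return x.ResolvedPrincipalID < y.ResolvedPrincipalID
	}
	if x.PermissionPattern != y.PermissionPattern {
		return x.PermissionPattern < y.PermissionPattern
	}
	if x.PathPattern != y.PathPattern {
		return x.PathPattern < y.PathPattern
	}
	return x.Effect < y.Effect
}

// resolve maps an alias to its key ID; "@key:" references are already canonical.
// The alias table is constructed for this example.
func resolve(ref string, aliases map[string]string) string {
	if strings.HasPrefix(ref, "@key:") {
		return ref
	}
	if id, ok := aliases[ref]; ok {
		return id
	}
	return ref
}

// CanonicalString serializes rules one per line in canonical order using the
// resolved ID, so renaming an alias does not change the output (assumed format).
func CanonicalString(rules []Rule, aliases map[string]string) string {
	sortable := make(ByCanonicalSort, 0, len(rules))
	for _, r := range rules {
		sortable = append(sortable, SortableRule{Rule: r, ResolvedPrincipalID: resolve(r.PrincipalRef, aliases)})
	}
	sort.Sort(sortable)
	var b strings.Builder
	for _, s := range sortable {
		fmt.Fprintf(&b, "%s\t%s\t%s\t%s\n", s.ResolvedPrincipalID, s.PermissionPattern, s.PathPattern, s.Effect)
	}
	return b.String()
}

// HashCanonicalString digests the canonical form. SHA-256 is an assumption here.
func HashCanonicalString(s string) []byte {
	sum := sha256.Sum256([]byte(s))
	return sum[:]
}

func HashHex(rules []Rule, aliases map[string]string) string {
	return hex.EncodeToString(HashCanonicalString(CanonicalString(rules, aliases)))
}

// Constructed sample policies: A and B are the same policy with different rule
// order and alias names; C flips one Deny to Grant.
var aliasesA = map[string]string{"alice": "@key:k1", "ops": "@key:k2"}
var aliasesB = map[string]string{"a.smith": "@key:k1", "operators": "@key:k2"}

var PolicyA = []Rule{
	{"ops", "task:*", "/jobs/*", Grant},
	{"alice", "file:read", "/data/*", Grant},
	{"alice", "file:write", "/data/secret", Deny},
}
var PolicyB = []Rule{
	{"a.smith", "file:write", "/data/secret", Deny},
	{"operators", "task:*", "/jobs/*", Grant},
	{"a.smith", "file:read", "/data/*", Grant},
}
var PolicyC = []Rule{
	{"ops", "task:*", "/jobs/*", Grant},
	{"alice", "file:read", "/data/*", Grant},
	{"alice", "file:write", "/data/secret", Grant},
}

func main() {
	fmt.Print(CanonicalString(PolicyA, aliasesA))
	fmt.Println("A:", HashHex(PolicyA, aliasesA))
	fmt.Println("B:", HashHex(PolicyB, aliasesB))
	fmt.Println("C:", HashHex(PolicyC, aliasesA))
}
```

A signature over a digest computed this way is only meaningful if the verifier rebuilds the exact same canonical string; that is why the `stripSignature` parameter on ExportCanonicalString exists, since the signature line itself must be excluded from the bytes being signed.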

Source Files

  • canonical.go
  • engine.go
  • parse.go
