Index ¶
- type AWSIAMProvider
- func (a *AWSIAMProvider) CheckPermission(ctx context.Context, subject, resource, action string) (bool, error)
- func (a *AWSIAMProvider) ListPermissions(ctx context.Context, subject string) ([]auth.Permission, error)
- func (a *AWSIAMProvider) Name() string
- func (a *AWSIAMProvider) SyncRoles(ctx context.Context, roles []auth.RoleDefinition) error
- type BuiltinProvider
- func (b *BuiltinProvider) CheckPermission(_ context.Context, subject, resource, action string) (bool, error)
- func (b *BuiltinProvider) ListPermissions(_ context.Context, subject string) ([]auth.Permission, error)
- func (b *BuiltinProvider) Name() string
- func (b *BuiltinProvider) SyncRoles(_ context.Context, roles []auth.RoleDefinition) error
- type IAMClient
- type PermitProvider
- func (p *PermitProvider) CheckPermission(_ context.Context, _, _, _ string) (bool, error)
- func (p *PermitProvider) ListPermissions(_ context.Context, _ string) ([]auth.Permission, error)
- func (p *PermitProvider) Name() string
- func (p *PermitProvider) SyncRoles(_ context.Context, _ []auth.RoleDefinition) error
Types ¶
type AWSIAMProvider ¶
// AWSIAMProvider answers PermissionProvider queries by calling AWS IAM through
// an IAMClient: a real SDK client when built with NewAWSIAMProvider, or an
// injected one when built with NewAWSIAMProviderWithClient (tests, fakes).
// All fields are unexported, so construct it with one of those functions.
type AWSIAMProvider struct {
	// contains filtered or unexported fields
}
AWSIAMProvider implements PermissionProvider via AWS IAM policy simulation.
func NewAWSIAMProvider ¶
func NewAWSIAMProvider(region, roleARN string) *AWSIAMProvider
NewAWSIAMProvider creates an AWSIAMProvider for the given region and role ARN. It loads the default AWS configuration for the region, so the IAM calls are made with whatever credentials the SDK's default chain resolves for the running process — not with the identity of the subject being checked. roleARN is the role that SyncRoles attaches policies to; whether it is also assumed for the IAM calls is not documented here, so confirm before relying on it. Use NewAWSIAMProviderWithClient to inject a custom IAM client (e.g. in tests).
func NewAWSIAMProviderWithClient ¶ added in v0.1.5
func NewAWSIAMProviderWithClient(region, roleARN string, client IAMClient) *AWSIAMProvider
NewAWSIAMProviderWithClient creates an AWSIAMProvider with an injectable IAM client, useful for testing.
func (*AWSIAMProvider) CheckPermission ¶
func (a *AWSIAMProvider) CheckPermission(ctx context.Context, subject, resource, action string) (bool, error)
CheckPermission evaluates whether the subject (an IAM principal ARN) is allowed to perform action on resource by calling SimulatePrincipalPolicy. The answer is the policy simulator's verdict, not the outcome of a real request: condition context that is not supplied to the simulation is treated as missing (the response flags such keys as MissingContextValues), so context-dependent policies may simulate differently from how they enforce. The provider's own credentials need iam:SimulatePrincipalPolicy on the subject; callers should treat a non-nil error as a denial rather than ignoring it.
func (*AWSIAMProvider) ListPermissions ¶
func (a *AWSIAMProvider) ListPermissions(ctx context.Context, subject string) ([]auth.Permission, error)
ListPermissions lists IAM permissions for the subject by inspecting attached policies. The subject must be a user ARN (containing ":user/") or a role ARN. Only managed policies attached directly to that user or role are inspected — IAMClient exposes ListAttachedUserPolicies, ListAttachedRolePolicies, GetPolicy and GetPolicyVersion, but no inline-policy or group-membership calls — so the result can understate a principal's effective permissions. Use CheckPermission, not this list, for authorization decisions.
func (*AWSIAMProvider) Name ¶
func (a *AWSIAMProvider) Name() string
Name returns the provider identifier.
func (*AWSIAMProvider) SyncRoles ¶
func (a *AWSIAMProvider) SyncRoles(ctx context.Context, roles []auth.RoleDefinition) error
SyncRoles creates or updates an IAM managed policy for each RoleDefinition and attaches it to the role configured by roleARN. This is a privileged write operation: the provider's credentials need iam:CreatePolicy, iam:CreatePolicyVersion and iam:AttachRolePolicy, and every RoleDefinition passed in becomes real IAM permissions on that role, so the definitions must come from a trusted source, never from request input. IAM keeps at most five versions of a managed policy and IAMClient has no DeletePolicyVersion, so repeated updates of the same policy can fail once that limit is reached unless old versions are removed out of band — check how the implementation handles that error.
type BuiltinProvider ¶
// BuiltinProvider adapts a *coreRBAC.PolicyEngine (supplied to
// NewBuiltinProvider) to the PermissionProvider interface. Its subject
// strings are role names, not authenticated identities. All fields are
// unexported; construct it with NewBuiltinProvider.
type BuiltinProvider struct {
	// contains filtered or unexported fields
}
BuiltinProvider wraps the existing PolicyEngine to implement PermissionProvider.
func NewBuiltinProvider ¶
func NewBuiltinProvider(engine *coreRBAC.PolicyEngine) *BuiltinProvider
NewBuiltinProvider creates a BuiltinProvider backed by the given PolicyEngine.
func (*BuiltinProvider) CheckPermission ¶
func (b *BuiltinProvider) CheckPermission(_ context.Context, subject, resource, action string) (bool, error)
CheckPermission maps the PermissionProvider interface to PolicyEngine.Allowed. The subject is treated as a role name, not as an authenticated identity: the caller must resolve the principal to its role before calling, and must never pass a subject string taken from the request itself, since that would let a client choose its own role.
func (*BuiltinProvider) ListPermissions ¶
func (b *BuiltinProvider) ListPermissions(_ context.Context, subject string) ([]auth.Permission, error)
ListPermissions returns all permissions the PolicyEngine holds for the given role; as with CheckPermission, subject is a role name.
func (*BuiltinProvider) Name ¶
func (b *BuiltinProvider) Name() string
Name returns the provider identifier.
func (*BuiltinProvider) SyncRoles ¶
func (b *BuiltinProvider) SyncRoles(_ context.Context, roles []auth.RoleDefinition) error
SyncRoles registers role definitions in the underlying PolicyEngine, allowing dynamic role creation beyond the four built-in roles. Whether a definition whose name matches a built-in role replaces it is not documented here — confirm against PolicyEngine before accepting role definitions from a configuration source.
type IAMClient ¶ added in v0.1.5
// IAMClient is the subset of the AWS IAM API that AWSIAMProvider calls. It
// is satisfied by the SDK's *iam.Client and can be replaced by a fake via
// NewAWSIAMProviderWithClient. Note what is absent: no inline-policy or
// group listing (ListPermissions therefore sees only directly attached
// managed policies) and no DeletePolicyVersion (SyncRoles cannot prune old
// policy versions through this interface).
type IAMClient interface {
	// Read-only evaluation used by CheckPermission.
	SimulatePrincipalPolicy(ctx context.Context, params *iam.SimulatePrincipalPolicyInput, optFns ...func(*iam.Options)) (*iam.SimulatePrincipalPolicyOutput, error)
	// Attached managed policies for a role / user; used by ListPermissions.
	ListAttachedRolePolicies(ctx context.Context, params *iam.ListAttachedRolePoliciesInput, optFns ...func(*iam.Options)) (*iam.ListAttachedRolePoliciesOutput, error)
	ListAttachedUserPolicies(ctx context.Context, params *iam.ListAttachedUserPoliciesInput, optFns ...func(*iam.Options)) (*iam.ListAttachedUserPoliciesOutput, error)
	// Policy metadata and document lookup; presumably how ListPermissions
	// reads the statements of each attached policy — confirm against the
	// implementation.
	GetPolicy(ctx context.Context, params *iam.GetPolicyInput, optFns ...func(*iam.Options)) (*iam.GetPolicyOutput, error)
	GetPolicyVersion(ctx context.Context, params *iam.GetPolicyVersionInput, optFns ...func(*iam.Options)) (*iam.GetPolicyVersionOutput, error)
	// Mutating operations used by SyncRoles. These change real IAM state
	// and require write permissions on the calling credentials.
	CreatePolicy(ctx context.Context, params *iam.CreatePolicyInput, optFns ...func(*iam.Options)) (*iam.CreatePolicyOutput, error)
	CreatePolicyVersion(ctx context.Context, params *iam.CreatePolicyVersionInput, optFns ...func(*iam.Options)) (*iam.CreatePolicyVersionOutput, error)
	AttachRolePolicy(ctx context.Context, params *iam.AttachRolePolicyInput, optFns ...func(*iam.Options)) (*iam.AttachRolePolicyOutput, error)
}
IAMClient defines the AWS IAM operations used by AWSIAMProvider.
type PermitProvider ¶
// PermitProvider is a placeholder implementation of PermissionProvider for
// permit.io. Its methods currently ignore their arguments (every parameter
// is blank in the signatures), so it performs no real authorization.
// Presumably it stores the apiKey and endpoint given to NewPermitProvider;
// all fields are unexported.
type PermitProvider struct {
	// contains filtered or unexported fields
}
PermitProvider is a stub for permit.io integration. It defines the interface shape only; the full SDK integration is left for when the permit.io dependency is added. Note that its methods ignore their arguments (every parameter is `_` in the signatures), so it does not perform real authorization — do not select this provider in production until it is implemented.
func NewPermitProvider ¶
func NewPermitProvider(apiKey, endpoint string) *PermitProvider
NewPermitProvider creates a PermitProvider with the given API key and endpoint. The API key is a credential: supply it from a secret store or the environment, never as a literal in source or configuration checked into version control.
func (*PermitProvider) CheckPermission ¶
func (p *PermitProvider) CheckPermission(_ context.Context, _, _, _ string) (bool, error)
CheckPermission is intended to call the permit.io PDP to evaluate access. In the current stub the context, subject, resource and action are all ignored, so the returned decision is not based on any policy; confirm that it fails closed (false or an error) before anything relies on it.
func (*PermitProvider) ListPermissions ¶
func (p *PermitProvider) ListPermissions(_ context.Context, _ string) ([]auth.Permission, error)
ListPermissions is intended to retrieve permissions from permit.io for the subject. In the current stub the subject is ignored, so the result is not a real permission set.
func (*PermitProvider) Name ¶
func (p *PermitProvider) Name() string
Name returns the provider identifier.
func (*PermitProvider) SyncRoles ¶
func (p *PermitProvider) SyncRoles(_ context.Context, _ []auth.RoleDefinition) error
SyncRoles is intended to push role definitions to permit.io. In the current stub the definitions are ignored and nothing is synchronized.