package policy

v0.64.7
Published: May 27, 2026 License: MIT Imports: 5 Imported by: 0

Constants

const HeritageV1 = "wfinfra-v1"

Variables

var (
	ErrMultipleDefaults = errors.New("dnspolicy: multiple RRs set d=true")
	ErrEmptyOwner       = errors.New("dnspolicy: o= field is empty")
	// ErrUnknownHeritage is reserved for future use. Parse() currently silently
	// skips RRs with unknown heritage values to preserve forward-compatibility;
	// a future stricter parser variant may return this error.
	ErrUnknownHeritage = errors.New("dnspolicy: unknown heritage value (parser ignored RR)")
)

Functions

func MatchPattern

func MatchPattern(pattern, name string) bool

MatchPattern returns true if name matches pattern. Pattern syntax:

"@"   matches the apex literal "@"
"*"   matches a SINGLE DNS label segment
"**"  matches one or more label segments
"<literal>.<rest>" matches recursively

All matches are case-sensitive: DNS names are case-insensitive by spec, but the pattern compare does no case folding, so call sites must lowercase both pattern and name before calling.

func Serialize

func Serialize(p *Policy) ([]string, error)

Serialize emits the Policy as deterministically ordered TXT RR strings. It refuses to emit (returning ErrMultipleDefaults) if more than one entry has Default=true.

Types

type Adapter

type Adapter interface {
	DNSPolicyReader
	DNSRecordWriter
}

Adapter combines the policy read/write interface and the record read/write interface in one type. dnsprovider.NewAdapter returns this combined interface.

type DNSPolicyReader

type DNSPolicyReader interface {
	GetTXT(ctx context.Context, name string) ([]string, error)
	UpsertTXT(ctx context.Context, name string, values []string, ttl int) error
}

DNSPolicyReader is the narrow interface the gate needs. Tests mock it directly, since there are only two methods to fake.

type DNSRecordWriter

type DNSRecordWriter interface {
	UpsertRecord(ctx context.Context, zone, name, recordType, data string, ttl, priority int32) (recordID string, err error)
	DeleteRecord(ctx context.Context, zone, name, recordType string) error
}

DNSRecordWriter performs arbitrary DNS record mutations (post-gate).

type Entry

type Entry struct {
	Owner    string
	Patterns []string
	Types    []string
	Default  bool
}

type Policy

type Policy struct {
	Zone    string
	Entries []Entry
}

func Parse

func Parse(zone string, txtRRs []string) (*Policy, error)

Parse parses TXT RR strings (one per RR) into a Policy. Unknown heritage values are silently skipped (forward-compat).
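The following is an added Go example, not the package's own source, showing a Parse/Serialize pair that behaves as the Parse and Serialize documentation on this page describes: RRs whose heritage is not HeritageV1 are skipped rather than rejected, an empty o= field yields ErrEmptyOwner, and Serialize refuses a policy with two defaults with ErrMultipleDefaults. The page documents only the heritage constant and the o= and d= fields, so the full key=value TXT layout (v=, p=, t=), the sample RRs, the zone name and the sorted output order are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

const HeritageV1 = "wfinfra-v1"

var (
	ErrMultipleDefaults = errors.New("dnspolicy: multiple RRs set d=true")
	ErrEmptyOwner       = errors.New("dnspolicy: o= field is empty")
)

// Entry and Policy mirror the struct shapes documented on this page.
type Entry struct {
	Owner           string
	Patterns, Types []string
	Default         bool
}
type Policy struct {
	Zone    string
	Entries []Entry
}

// Parse reads one RR per string. Assumed layout (not documented on the page):
// "v=<heritage>; o=<owner>; p=<pat>,<pat>; t=<type>,<type>; d=<true|false>",
// in the key=value style of SPF and DKIM TXT records.
func Parse(zone string, txtRRs []string) (*Policy, error) {
	p := &Policy{Zone: zone}
	for _, rr := range txtRRs {
		kv := map[string]string{}
		for _, field := range strings.Split(rr, ";") {
			if k, v, ok := strings.Cut(strings.TrimSpace(field), "="); ok {
				kv[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
			}
		}
		if kv["v"] != HeritageV1 {
			continue // unknown heritage: skip the RR, never reject the whole RRset
		}
		if kv["o"] == "" {
			return nil, ErrEmptyOwner
		}
		p.Entries = append(p.Entries, Entry{
			Owner:    kv["o"],
			Patterns: splitList(kv["p"]),
			Types:    splitList(kv["t"]),
			Default:  kv["d"] == "true",
		})
	}
	return p, nil
}

// splitList turns "a,b" into []string{"a", "b"} and "" into nil.
func splitList(s string) []string {
	if s == "" {
		return nil
	}
	return strings.Split(s, ",")
}

// Serialize emits one RR per entry in sorted order, so two runs over the same
// Policy yield identical RRsets, and refuses a Policy with two default owners.
func Serialize(p *Policy) ([]string, error) {
	defaults, out := 0, make([]string, 0, len(p.Entries))
	for _, e := range p.Entries {
		if e.Default {
			defaults++
		}
		out = append(out, fmt.Sprintf("v=%s; o=%s; p=%s; t=%s; d=%t", HeritageV1, e.Owner,
			strings.Join(e.Patterns, ","), strings.Join(e.Types, ","), e.Default))
	}
	if defaults > 1 {
		return nil, ErrMultipleDefaults
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed RRset: the wfinfra-v2 line is skipped as unknown heritage.
	p, err := Parse("example.test", []string{
		"v=wfinfra-v1; o=app-team; d=true",
		"v=wfinfra-v2; o=future-owner; p=**; d=true",
		"v=wfinfra-v1; o=cert-manager; p=_acme-challenge.**; t=TXT; d=false",
	})
	if err != nil {
		panic(err)
	}
	rrs, err := Serialize(p)
	fmt.Println(len(p.Entries), rrs, err)
}
```

The skipped wfinfra-v2 RR also carries d=true; because Parse drops it, the remaining policy has a single default and serializes cleanly. Appending a second v1 entry with Default=true makes Serialize return ErrMultipleDefaults, which is the check that keeps a zone from ever publishing an ambiguous default owner.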

func (*Policy) CheckAllowed

func (p *Policy) CheckAllowed(name, recordType, owner string) error

CheckAllowed returns nil if owner may upsert (name, recordType) under this policy. Returns an error describing the denial otherwise.

Priority semantics (closes plan-cycle-1 C-3):

  1. Explicit pattern claims take precedence over default-owner fallback.
  2. If any owner (including non-caller) has an explicit pattern matching (name, recordType), only that owner may mutate.
  3. Default owner catches only unmatched records.
  4. SOA/NS protected unless explicitly listed in the owner's Types.
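An added, self-contained Go example (not the package's own source) that reimplements MatchPattern from the pattern syntax documented above and CheckAllowed from the four priority rules, then applies them to a constructed policy. The Entry and Policy shapes and the function signatures follow this page; the zone, the owner names, the error messages, and the treatment of an empty Types list (any type except the protected SOA and NS) are assumptions made here.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry and Policy mirror the struct shapes documented on this page.
type Entry struct {
	Owner           string
	Patterns, Types []string
	Default         bool
}
type Policy struct {
	Zone    string
	Entries []Entry
}

// MatchPattern reimplements the documented syntax: "@" is the apex, "*" is one
// label, "**" is one or more labels, anything else is a literal label. The
// compare is case-sensitive, so callers lowercase both sides first.
func MatchPattern(pattern, name string) bool {
	if pattern == "@" || name == "@" {
		return pattern == name
	}
	return matchLabels(strings.Split(pattern, "."), strings.Split(name, "."))
}

func matchLabels(pat, lbl []string) bool {
	if len(pat) == 0 {
		return len(lbl) == 0
	}
	switch pat[0] {
	case "*": // exactly one label
		return len(lbl) > 0 && matchLabels(pat[1:], lbl[1:])
	case "**": // one or more labels: try every split point
		for i := 1; i <= len(lbl); i++ {
			if matchLabels(pat[1:], lbl[i:]) {
				return true
			}
		}
		return false
	default: // literal label, then recurse on the remainder
		return len(lbl) > 0 && pat[0] == lbl[0] && matchLabels(pat[1:], lbl[1:])
	}
}

// typeAllowed applies rule 4. Assumption (not stated on the page): an empty
// Types list means "any type", but SOA and NS must always be listed explicitly.
func typeAllowed(e Entry, rt string) bool {
	for _, t := range e.Types {
		if strings.EqualFold(t, rt) {
			return true
		}
	}
	return len(e.Types) == 0 && rt != "SOA" && rt != "NS"
}

// claims reports whether e holds an explicit pattern claim on (name, rt).
func claims(e Entry, name, rt string) bool {
	for _, p := range e.Patterns {
		if typeAllowed(e, rt) && MatchPattern(strings.ToLower(p), name) {
			return true
		}
	}
	return false
}

// CheckAllowed applies the four documented priority rules in order.
func (p *Policy) CheckAllowed(name, recordType, owner string) error {
	name, rt := strings.ToLower(name), strings.ToUpper(recordType)
	for _, e := range p.Entries { // rules 1+2: any explicit claim locks (name, type) to its owner
		if claims(e, name, rt) {
			if e.Owner == owner {
				return nil
			}
			return fmt.Errorf("dnspolicy: %s/%s is claimed by %q, denied for %q", name, rt, e.Owner, owner)
		}
	}
	for _, e := range p.Entries { // rule 3: default owner catches the rest (rule 4 via typeAllowed)
		if e.Default && e.Owner == owner && typeAllowed(e, rt) {
			return nil
		}
	}
	return fmt.Errorf("dnspolicy: no entry allows %q to upsert %s/%s", owner, name, rt)
}

func samplePolicy() *Policy { // constructed for this example; zone and owners are made up
	return &Policy{Zone: "example.test", Entries: []Entry{
		{Owner: "cert-manager", Patterns: []string{"_acme-challenge.**"}, Types: []string{"TXT"}},
		{Owner: "platform", Patterns: []string{"@"}, Types: []string{"SOA", "NS", "A"}},
		{Owner: "app-team", Default: true},
	}}
}

func main() {
	p := samplePolicy()
	fmt.Println(p.CheckAllowed("_acme-challenge.www", "TXT", "app-team")) // denied: claimed by cert-manager
	fmt.Println(p.CheckAllowed("www", "NS", "app-team"))                 // denied: NS protected for the default owner
}
```

The two denials in main are the rules that matter for a DNS-mutation gate: the default owner cannot overwrite another owner's explicitly claimed challenge record, and cannot touch delegation records at all unless its own entry lists NS. Note that claims are keyed on the (name, type) pair, so app-team may still publish an A record at _acme-challenge.www, because cert-manager's claim covers only TXT.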
