aclmodels

package v1.19.4
Published: Jun 15, 2026 License: Apache-2.0 Imports: 9 Imported by: 3

Documentation


Constants

const (
	Acl2ScopeUnknown        = aclscope.ScopeUnknown
	Acl2ScopeRor            = aclscope.ScopeRor
	Acl2ScopeCluster        = aclscope.ScopeCluster
	Acl2ScopeProject        = aclscope.ScopeProject
	Acl2ScopeDatacenter     = aclscope.ScopeDatacenter
	Acl2ScopeVirtualMachine = aclscope.ScopeVirtualMachine
	Acl2ScopeMachine        = aclscope.ScopeMachine
	Acl2ScopeBackup         = aclscope.ScopeBackup
	Acl2ScopeAll            = aclscope.ScopeAll
	Acl2ScopeSpam           = aclscope.ScopeSpam
)
const (
	Acl2RorSubjecUnknown         = aclscope.SubjectUnknown
	Acl2RorSubjectCluster        = aclscope.SubjectCluster
	Acl2RorSubjectProject        = aclscope.SubjectProject
	Acl2RorSubjectGlobal         = aclscope.SubjectGlobal
	Acl2RorSubjectAcl            = aclscope.SubjectAcl
	Acl2RorSubjectApiKey         = aclscope.SubjectApiKey
	Acl2RorSubjectDatacenter     = aclscope.SubjectDatacenter
	Acl2RorSubjectWorkspace      = aclscope.SubjectWorkspace
	Acl2RorSubjectPrice          = aclscope.SubjectPrice
	Acl2RorSubjectVirtualMachine = aclscope.SubjectVirtualMachine
	Acl2RorSubjectBackup         = aclscope.SubjectBackup
	Acl2RorSubjectAll            = aclscope.SubjectAll
	Acl2SpamSubjectGit           = aclscope.SubjectSpamGit
)

Variables

var Acl2RorValidSubjects []Acl2Subject = GetAcl2RorValidSubjects()

Deprecated: Use the function GetAcl2RorValidSubjects() as a drop-in replacement instead. Because this is a package-level variable, it can be overwritten by accident.

var ClusterIdToUidResolver func(clusterID string) string

ClusterIdToUidResolver is an optional function that resolves a cluster ID (human-readable name) to its UID (UUID). Set it once, at init time, in the application that has database access (e.g. ror-api); it is a package-level variable, so nothing prevents later code from replacing it. It returns the UID string, or an empty string if the cluster is not found.

var ValidSystems = map[string]bool{
	"ror":   true,
	"spam":  true,
	"alarm": true,
	"all":   true,
}

var ValidVerbs = map[Verb]bool{
	VerbRead:     true,
	VerbWrite:    true,
	VerbCreate:   true,
	VerbUpdate:   true,
	VerbDelete:   true,
	VerbAdmin:    true,
	VerbLogon:    true,
	VerbOwner:    true,
	VerbReadonly: true,
}

ValidVerbs is the set of all valid verbs that can appear as the last segment of an AccessTypeV3.

Functions

func AllowedKinds added in v1.19.0

func AllowedKinds(access []AccessTypeV3, verb Verb) []string

AllowedKinds extracts all explicitly granted resource kinds for a given verb from the access list. It returns nil if wildcard access is granted (resource:*:<verb>), meaning all kinds are allowed, and an empty, non-nil slice if no resource kind access is granted for the verb. Callers must keep the two apart: checking len(kinds) == 0 alone conflates "everything" with "nothing".

func CanAccessKind added in v1.19.0

func CanAccessKind(access []AccessTypeV3, kind string, verb Verb) bool

CanAccessKind checks if the access list grants the given verb on a resource kind. Returns true if either the wildcard "resource:*:<verb>" or the specific "resource:<kind>:<verb>" is present in the access list.

func ValidScope added in v1.19.0

func ValidScope(scope aclscope.Scope) error

ValidScope checks if a scope is either a known resource kind or a known system. Resource kinds are resolved at runtime from rordefs.Resourcedefs.

func ValidateACLEntry added in v1.19.0

func ValidateACLEntry(entry AclV3ListItem) error

ValidateACLEntry validates the scope and all access entries of an AclV3ListItem.

func ValidateAccess added in v1.19.0

func ValidateAccess(access AccessTypeV3) error

ValidateAccess validates that an AccessTypeV3 string follows the system:component:verb convention and that the path and verb are registered in the access tree.

Types

type AccessNode added in v1.19.0

type AccessNode struct {
	Verbs    map[string]bool        // valid verbs at this level
	Children map[string]*AccessNode // sub-components
}

AccessNode represents a node in the access type validation tree. Each node can have valid verbs and child components.
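The following is an added example, not code from the aclmodels package, showing how ValidateAccess can walk an AccessNode tree of the shape documented above. The tree is populated only with the well-known constants listed on this page; how the real package registers its tree is not shown here, and the resource:<kind> branch is omitted because the page says resource kinds are resolved at runtime from rordefs.Resourcedefs. The newNode and buildTree helpers are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AccessNode mirrors the documented node shape: valid verbs at this level plus child components.
type AccessNode struct {
	Verbs    map[string]bool
	Children map[string]*AccessNode
}

// newNode is a small constructor used only by this example (not part of the package).
func newNode(verbs ...string) *AccessNode {
	n := &AccessNode{Verbs: map[string]bool{}, Children: map[string]*AccessNode{}}
	for _, v := range verbs {
		n.Verbs[v] = true
	}
	return n
}

// buildTree registers exactly the AccessTypeV3 constants listed on this page.
// The layout is an assumption; the package's own registration is not shown on the page.
func buildTree() map[string]*AccessNode {
	ror := newNode("read", "write", "owner")
	ror.Children["metadata"] = newNode("write")
	ror.Children["vulnerability"] = newNode("read", "write")
	ror.Children["config"] = newNode("read", "write")

	k8s := newNode("logon", "admin", "readonly")
	argocd := newNode("admin")
	argocd.Children["project"] = newNode("admin")
	k8s.Children["argocd"] = argocd
	k8s.Children["grafana"] = newNode("admin")

	vm := newNode("delete")
	return map[string]*AccessNode{"ror": ror, "kubernetes": k8s, "virtualmachine": vm}
}

var errFormat = errors.New("access must follow system:component[:sub...]:verb")

// validateAccess walks the tree: every path segment must be a registered child of the
// previous node, and the final segment must be a verb registered at the node it lands on.
// Unknown systems, unknown components, empty segments and misplaced verbs are all rejected.
func validateAccess(tree map[string]*AccessNode, access string) error {
	parts := strings.Split(access, ":")
	if len(parts) < 2 {
		return fmt.Errorf("%q: %w", access, errFormat)
	}
	for _, p := range parts {
		if p == "" {
			return fmt.Errorf("%q: empty segment: %w", access, errFormat)
		}
	}
	path, verb := parts[:len(parts)-1], parts[len(parts)-1]
	node, ok := tree[path[0]]
	if !ok {
		return fmt.Errorf("%q: unknown system %q", access, path[0])
	}
	for _, seg := range path[1:] {
		child, ok := node.Children[seg]
		if !ok {
			return fmt.Errorf("%q: unknown component %q", access, seg)
		}
		node = child
	}
	if !node.Verbs[verb] {
		return fmt.Errorf("%q: verb %q not valid at %q", access, verb, strings.Join(path, ":"))
	}
	return nil
}

func main() {
	tree := buildTree()
	for _, a := range []string{
		"ror:config:read",                 // valid
		"kubernetes:argocd:project:admin", // valid
		"kubernetes:argocd:read",          // "read" is not registered under kubernetes:argocd
		"ror:config",                      // "config" is a component, not a verb
		"ror::read",                       // empty segment
		"ROR:read",                        // matching is case-sensitive: unknown system
	} {
		fmt.Printf("%-34s %v\n", a, validateAccess(tree, a))
	}
}
```

The check is deliberately exact: a verb that exists somewhere in the tree (such as "read") is still rejected where it is not registered, and nothing is lower-cased or trimmed before lookup, so "ROR:read" fails rather than silently matching "ror:read".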

type AccessType

type AccessType string
const (
	AccessTypeRead             AccessType = "read"
	AccessTypeCreate           AccessType = "create"
	AccessTypeUpdate           AccessType = "update"
	AccessTypeDelete           AccessType = "delete"
	AccessTypeOwner            AccessType = "owner"
	AccessTypeRorMetadata      AccessType = "rormetadata"
	AccessTypeRorVulnerability AccessType = "rorvulnerability"
	AccessTypeClusterLogon     AccessType = "clusterlogon"
)

func ParseAcl2AccessType added in v1.18.8

func ParseAcl2AccessType(access string) (AccessType, bool)

type AccessTypeV3 added in v1.16.0

type AccessTypeV3 string

AccessTypeV3 represents a hierarchical capability string in the format system:component[:subcomponent...]:verb. The last segment is always the verb; everything before it is the path.

const (
	AccessRorRead  AccessTypeV3 = "ror:read"
	AccessRorWrite AccessTypeV3 = "ror:write"
	AccessRorOwner AccessTypeV3 = "ror:owner"

	AccessRorMetadataWrite      AccessTypeV3 = "ror:metadata:write"
	AccessRorVulnerabilityRead  AccessTypeV3 = "ror:vulnerability:read"
	AccessRorVulnerabilityWrite AccessTypeV3 = "ror:vulnerability:write"

	AccessRorConfigRead  AccessTypeV3 = "ror:config:read"
	AccessRorConfigWrite AccessTypeV3 = "ror:config:write"
)

Access type constants for the ror system

const (
	AccessKubernetesLogon    AccessTypeV3 = "kubernetes:logon"
	AccessKubernetesAdmin    AccessTypeV3 = "kubernetes:admin"
	AccessKubernetesReadonly AccessTypeV3 = "kubernetes:readonly"

	AccessKubernetesArgocdAdmin        AccessTypeV3 = "kubernetes:argocd:admin"
	AccessKubernetesArgocdProjectAdmin AccessTypeV3 = "kubernetes:argocd:project:admin"
	AccessKubernetesGrafanaAdmin       AccessTypeV3 = "kubernetes:grafana:admin"
)

Access type constants for kubernetes

const (
	AccessVirtualmachineDelete AccessTypeV3 = "virtualmachine:delete"
)

Access type constants for virtual machines

func CompileAccess added in v1.19.0

func CompileAccess(entries []AclV3ListItem, scope aclscope.Scope, subject aclscope.Subject) []AccessTypeV3

CompileAccess merges access from multiple ACL entries that match the given scope and subject, returning the union of all granted access types.

func MatchPrefix added in v1.19.0

func MatchPrefix(access []AccessTypeV3, prefix string) []AccessTypeV3

MatchPrefix returns all access types from the slice that start with the given prefix. Example: MatchPrefix(access, "resource:") returns all resource-kind entries.

func MergeAccess added in v1.19.0

func MergeAccess(a, b []AccessTypeV3) []AccessTypeV3

MergeAccess returns the union of two access slices, deduplicated.

func (AccessTypeV3) Parse added in v1.19.0

func (a AccessTypeV3) Parse() (Capability, Verb)

Parse splits an AccessTypeV3 into its Capability and Verb parts. The verb is the last colon-separated segment; everything before it is the capability.
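The following is an added example, not the package's own code, re-implementing the documented semantics of Parse, WithVerb, MergeAccess, CompileAccess, MatchPrefix, CanAccessKind and AllowedKinds (the Functions section above) over a constructed set of V3 entries. It assumes exact scope and subject matching in CompileAccess, since the page does not say whether an "All" subject is expanded onto concrete subjects, and it sorts merged results so that output is stable; both are choices of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

type AccessTypeV3 string
type Capability string
type Verb string
type Scope string
type Subject string

// AclV3ListItem keeps only the fields this example needs.
type AclV3ListItem struct {
	Scope   Scope
	Subject Subject
	Access  []AccessTypeV3
}

// Parse splits on the last colon: everything before it is the capability, the rest is the verb.
func (a AccessTypeV3) Parse() (Capability, Verb) {
	s := string(a)
	i := strings.LastIndex(s, ":")
	if i < 0 {
		return Capability(s), "" // no verb at all; callers must treat this as invalid
	}
	return Capability(s[:i]), Verb(s[i+1:])
}

func (c Capability) WithVerb(v Verb) AccessTypeV3 {
	return AccessTypeV3(string(c) + ":" + string(v))
}

// MergeAccess returns the deduplicated union of a and b. Sorting is an addition of this
// example so that the result does not depend on input order.
func MergeAccess(a, b []AccessTypeV3) []AccessTypeV3 {
	seen := map[AccessTypeV3]bool{}
	out := []AccessTypeV3{}
	for _, l := range [][]AccessTypeV3{a, b} {
		for _, x := range l {
			if !seen[x] {
				seen[x] = true
				out = append(out, x)
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// CompileAccess unions the access of every entry whose scope AND subject match exactly.
// An "All" subject is not expanded here; that policy is left to the caller (assumption).
func CompileAccess(entries []AclV3ListItem, scope Scope, subject Subject) []AccessTypeV3 {
	var out []AccessTypeV3
	for _, e := range entries {
		if e.Scope == scope && e.Subject == subject {
			out = MergeAccess(out, e.Access)
		}
	}
	return out
}

func MatchPrefix(access []AccessTypeV3, prefix string) []AccessTypeV3 {
	var out []AccessTypeV3
	for _, a := range access {
		if strings.HasPrefix(string(a), prefix) {
			out = append(out, a)
		}
	}
	return out
}

// CanAccessKind grants on either the wildcard "resource:*:<verb>" or the exact kind.
func CanAccessKind(access []AccessTypeV3, kind string, verb Verb) bool {
	wild := Capability("resource:*").WithVerb(verb)
	exact := Capability("resource:" + kind).WithVerb(verb)
	for _, a := range access {
		if a == wild || a == exact {
			return true
		}
	}
	return false
}

// AllowedKinds returns nil for "all kinds" (wildcard present) and an empty, non-nil
// slice for "no kinds"; the two must never be collapsed into len(...) == 0.
func AllowedKinds(access []AccessTypeV3, verb Verb) []string {
	kinds := []string{}
	for _, a := range MatchPrefix(access, "resource:") {
		c, v := a.Parse()
		if v != verb {
			continue
		}
		kind := strings.TrimPrefix(string(c), "resource:")
		if kind == "*" {
			return nil
		}
		kinds = append(kinds, kind)
	}
	return kinds
}

func main() {
	// Constructed sample entries: two for the same scope/subject (unioned) and one for "All".
	entries := []AclV3ListItem{
		{Scope: "KubernetesCluster", Subject: "prod-cluster-1", Access: []AccessTypeV3{"ror:read", "kubernetes:logon", "resource:Deployment:read"}},
		{Scope: "KubernetesCluster", Subject: "prod-cluster-1", Access: []AccessTypeV3{"ror:read", "resource:Pod:read"}},
		{Scope: "KubernetesCluster", Subject: "All", Access: []AccessTypeV3{"resource:*:read", "kubernetes:admin"}},
	}
	acc := CompileAccess(entries, "KubernetesCluster", "prod-cluster-1")
	fmt.Println("compiled:", acc)
	fmt.Println("Pod read?", CanAccessKind(acc, "Pod", "read"), "Secret read?", CanAccessKind(acc, "Secret", "read"))
	readKinds, deleteKinds := AllowedKinds(acc, "read"), AllowedKinds(acc, "delete")
	fmt.Println("read kinds:", readKinds, "delete kinds:", deleteKinds, "delete is nil?", deleteKinds == nil)
	fmt.Println("wildcard entry gives nil?", AllowedKinds(entries[2].Access, "read") == nil)
}
```

Note that the "All" entry is not compiled into prod-cluster-1's access here; if the deployment treats "All" as applying to every subject, that expansion has to happen before or inside CompileAccess, otherwise the wildcard and kubernetes:admin grants in that entry are simply ignored.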

type Acl2Scope

type Acl2Scope = aclscope.Scope

Acl2Scope is an alias for backward compatibility. Use aclscope.Scope for new code.

func GetScopes

func GetScopes() []Acl2Scope

GetScopes is an alias for backward compatibility. Use aclscope.GetScopes for new code.

type Acl2Subject

type Acl2Subject = aclscope.Subject

Acl2Subject is an alias for backward compatibility. Use aclscope.Subject for new code.

func GetAcl2RorValidSubjects added in v1.11.0

func GetAcl2RorValidSubjects() []Acl2Subject

GetAcl2RorValidSubjects is an alias for backward compatibility. Use aclscope.GetValidSubjects for new code.

type AclLookupResponse added in v1.18.8

type AclLookupResponse struct {
	Scopes map[Acl2Scope]AclLookupResponseScope `json:"scopes"`
}

type AclLookupResponseScope added in v1.18.8

type AclLookupResponseScope struct {
	Subject map[Acl2Subject]AclV2ListItemAccess `json:"subject"`
}

type AclV2ListItem

type AclV2ListItem struct {
	Id         string                  `json:"id" bson:"_id,omitempty"`                   // Id
	Version    int                     `json:"version" default:"2" validate:"eq=2" `      // Acl Version, must be 2
	Group      string                  `json:"group" validate:"required,min=1,rortext" `  // The group to which the access is granted
	Scope      Acl2Scope               `json:"scope" validate:"required,min=1,rortext"`   // Type of object ['cluster','project']
	Subject    Acl2Subject             `json:"subject" validate:"required,min=1,rortext"` // The subject eg. clusterid, projectid (can be 'All')
	Access     AclV2ListItemAccess     `json:"access" validate:"required"`                // v2 access model for ror api
	Kubernetes AclV2ListItemKubernetes `json:"kubernetes" validate:""`                    // v2 access model for kubernetes
	Created    time.Time               `json:"created"`
	IssuedBy   string                  `json:"issuedBy,omitempty" validate:"email"` // expects an email
}

Full acl v2 model

func NewAclV2ListItem added in v1.11.0

func NewAclV2ListItem(group string,
	scope Acl2Scope,
	subject Acl2Subject,
	access AclV2ListItemAccess,
	kubernetesLogon bool,
	issuedBy string,
) *AclV2ListItem

func V3ToV2 added in v1.19.0

func V3ToV2(v3 AclV3ListItem) AclV2ListItem

V3ToV2 converts a V3 ACL entry to a V2 representation. Only V3 access types that have a corresponding v3 struct tag on the V2 struct are mapped, i.e. ror:read, ror:create, ror:update, ror:delete, ror:owner and kubernetes:logon. Every other V3 capability (e.g. "ror:write", "kubernetes:admin", "resource:Deployment:read") is silently dropped since V2 has no way to represent it, so a V3 entry that is round-tripped through V2 can come back with fewer grants than it started with.

type AclV2ListItemAccess

type AclV2ListItemAccess struct {
	Read            bool `json:"read" validate:"boolean" v3:"ror:read"`     // Read metadata of subject
	Create          bool `json:"create" validate:"boolean" v3:"ror:create"` // Create metadata of subject
	Update          bool `json:"update" validate:"boolean" v3:"ror:update"` // Update metadata of subject
	Delete          bool `json:"delete" validate:"boolean" v3:"ror:delete"` // Delete metadata of subject
	Owner           bool `json:"owner" validate:"boolean" v3:"ror:owner"`   // Owner of subject
	KubernetesLogon bool `json:"kuberneteslogon" validate:"boolean"`        // Logon to cluster (carries no v3 tag)
}

v2 access model for ror api

func NewAclV2ListItemAccess added in v1.11.0

func NewAclV2ListItemAccess(read, create, update, delete, owner bool) AclV2ListItemAccess

NewAclV2ListItemAccess constructs a new AclV2ListItemAccess object.

func NewAclV2ListItemAccessAll added in v1.11.0

func NewAclV2ListItemAccessAll() AclV2ListItemAccess

NewAclV2ListItemAccessAll gives you Read, Create, Update, Delete, and Owner access.

func NewAclV2ListItemAccessContributor added in v1.11.0

func NewAclV2ListItemAccessContributor() AclV2ListItemAccess

NewAclV2ListItemAccessContributor gives you Read, Create, and Update access.

func NewAclV2ListItemAccessCreateOnly added in v1.11.0

func NewAclV2ListItemAccessCreateOnly() AclV2ListItemAccess

NewAclV2ListItemAccessCreateOnly gives you Read and Create access.

func NewAclV2ListItemAccessEditor added in v1.11.0

func NewAclV2ListItemAccessEditor() AclV2ListItemAccess

NewAclV2ListItemAccessEditor gives you Read and Update access.

func NewAclV2ListItemAccessOperator added in v1.11.0

func NewAclV2ListItemAccessOperator() AclV2ListItemAccess

NewAclV2ListItemAccessOperator gives you Read, Create, Update, and Delete access.

func NewAclV2ListItemAccessReadOnly added in v1.11.0

func NewAclV2ListItemAccessReadOnly() AclV2ListItemAccess

NewAclV2ListItemAccessReadOnly gives you Read access.

func (AclV2ListItemAccess) HasAccessType added in v1.18.8

func (a AclV2ListItemAccess) HasAccessType(at AccessType) bool

type AclV2ListItemKubernetes

type AclV2ListItemKubernetes struct {
	Logon bool `json:"logon,omitempty" validate:"boolean" v3:"kubernetes:logon"` // Logon to subject if 'cluster'
}

v2 access model for kubernetes

type AclV2ListItems

type AclV2ListItems struct {
	Scope   Acl2Scope           // Type of object ['cluster','project']
	Subject Acl2Subject         // The subject eg. clusterid, projectid (can be 'All')
	Global  AclV2ListItemAccess // If global access is granted
	Items   []AclV2ListItem     // v2 access model for ror api
}

type AclV2QueryAccessScope

type AclV2QueryAccessScope struct {
	Scope Acl2Scope
}

type AclV2QueryAccessScopeSubject

type AclV2QueryAccessScopeSubject struct {
	Scope   Acl2Scope
	Subject Acl2Subject
}

v2 querymodel for access

func NewAclV2QueryAccessScopeSubject

func NewAclV2QueryAccessScopeSubject(scope any, subject any) AclV2QueryAccessScopeSubject

func (AclV2QueryAccessScopeSubject) IsValid

func (q AclV2QueryAccessScopeSubject) IsValid() bool

type AclV3ListItem added in v1.16.0

type AclV3ListItem struct {
	Id       string           `json:"id" bson:"_id,omitempty"`
	Version  int              `json:"version" default:"3" validate:"eq=3"`
	Group    string           `json:"group" validate:"required,min=1,rortext"`
	Scope    aclscope.Scope   `json:"scope" validate:"required,min=1,rortext"`
	Subject  aclscope.Subject `json:"subject" validate:"required,min=1,rortext"`
	Access   []AccessTypeV3   `json:"access" bson:"access" validate:"required"`
	Created  time.Time        `json:"created"`
	IssuedBy string           `json:"issuedBy,omitempty" validate:"email"`
}

AclV3ListItem is the full ACL v3 model.

Scope is a resource kind or system identifier. Subject is the name/id of the object, e.g. clusterid, projectid, "All". Access is a list of granted capabilities: presence means granted, absence means denied. There are no deny entries; revoking a capability means removing it from the list.

Example:

Group: "dev-team", Scope: "KubernetesCluster", Subject: "prod-cluster-1",
Access: ["ror:read", "ror:write", "kubernetes:logon", "resource:Deployment:read"]

func V2ToV3 added in v1.19.0

func V2ToV3(v2 AclV2ListItem) AclV3ListItem

V2ToV3 converts a V2 ACL entry to a V3 representation. The V3 access list is derived from the v3 struct tags on AclV2ListItemAccess and AclV2ListItemKubernetes. Only boolean fields that are true are included. Note that AclV2ListItemAccess.KubernetesLogon carries no v3 tag, so only AclV2ListItemKubernetes.Logon produces "kubernetes:logon". V3 capabilities that have no V2 equivalent (e.g. "kubernetes:admin") cannot be represented and are absent from the result.
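The following is an added example, not the package's own code, showing a tag-driven V2/V3 conversion built with reflect over the v3 struct tags copied from the AclV2ListItemAccess and AclV2ListItemKubernetes definitions above. It covers both V3ToV2 and V2ToV3. It deliberately deviates from the documented V3ToV2 signature in one respect: it also returns the capabilities it had to drop, so a caller can log or refuse a lossy downgrade instead of discovering it later. Field names, tags and the sample access list are taken from the page; the extra return value and the taggedFields helper are this example's own.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

type AccessTypeV3 string

// Tags copied from the page; KubernetesLogon intentionally has none, as documented.
type AclV2ListItemAccess struct {
	Read            bool `v3:"ror:read"`
	Create          bool `v3:"ror:create"`
	Update          bool `v3:"ror:update"`
	Delete          bool `v3:"ror:delete"`
	Owner           bool `v3:"ror:owner"`
	KubernetesLogon bool
}

type AclV2ListItemKubernetes struct {
	Logon bool `v3:"kubernetes:logon"`
}

// Reduced to the fields the conversion touches.
type AclV2ListItem struct {
	Access     AclV2ListItemAccess
	Kubernetes AclV2ListItemKubernetes
}

type AclV3ListItem struct {
	Access []AccessTypeV3
}

// taggedFields maps each v3 tag to the bool field that carries it (helper of this example).
func taggedFields(v reflect.Value) map[AccessTypeV3]reflect.Value {
	out := map[AccessTypeV3]reflect.Value{}
	t := v.Type()
	for i := 0; i < t.NumField(); i++ {
		tag := t.Field(i).Tag.Get("v3")
		if tag != "" && t.Field(i).Type.Kind() == reflect.Bool {
			out[AccessTypeV3(tag)] = v.Field(i)
		}
	}
	return out
}

// V2ToV3 emits one capability per tagged field that is true; untagged fields contribute nothing.
func V2ToV3(v2 AclV2ListItem) AclV3ListItem {
	var out []AccessTypeV3
	for _, s := range []reflect.Value{reflect.ValueOf(v2.Access), reflect.ValueOf(v2.Kubernetes)} {
		for tag, f := range taggedFields(s) {
			if f.Bool() {
				out = append(out, tag)
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return AclV3ListItem{Access: out}
}

// V3ToV2 sets a field only when its tag appears in the access list. Unlike the documented
// function it also returns what was dropped, so the loss is visible to the caller.
func V3ToV2(v3 AclV3ListItem) (AclV2ListItem, []AccessTypeV3) {
	var v2 AclV2ListItem
	targets := taggedFields(reflect.ValueOf(&v2.Access).Elem())
	for tag, f := range taggedFields(reflect.ValueOf(&v2.Kubernetes).Elem()) {
		targets[tag] = f
	}
	var dropped []AccessTypeV3
	for _, a := range v3.Access {
		if f, ok := targets[a]; ok {
			f.SetBool(true)
		} else {
			dropped = append(dropped, a)
		}
	}
	return v2, dropped
}

func main() {
	// Constructed V3 entry mixing V2-representable and V3-only capabilities.
	v3 := AclV3ListItem{Access: []AccessTypeV3{"ror:read", "ror:write", "kubernetes:logon", "kubernetes:admin", "resource:Deployment:read"}}
	v2, dropped := V3ToV2(v3)
	fmt.Printf("v2: %+v\ndropped on downgrade: %v\n", v2, dropped)
	fmt.Println("round trip:", V2ToV3(v2).Access)
	// Setting only the untagged Access.KubernetesLogon yields no capability at all.
	fmt.Println("untagged logon:", V2ToV3(AclV2ListItem{Access: AclV2ListItemAccess{KubernetesLogon: true}}).Access)
}
```

The point of the dropped list is that a V3 entry containing "kubernetes:admin" or "ror:write" looks, after V3ToV2, like an entry that was never granted them; any code path that persists the V2 form and later converts back will have revoked those grants without anyone asking for it. Treating a non-empty dropped list as an error at the conversion boundary is the cheap way to make that visible.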

func (*AclV3ListItem) HasAccess added in v1.19.0

func (a *AclV3ListItem) HasAccess(access AccessTypeV3) bool

HasAccess checks if the given access type is granted in this ACL entry.

type Capability added in v1.19.0

type Capability string

Capability represents the system:component path of an access type, without the verb. Example: "ror", "ror:vulnerability", "kubernetes:argocd", "resource:Deployment"

const (
	CapRor              Capability = "ror"
	CapRorMetadata      Capability = "ror:metadata"
	CapRorVulnerability Capability = "ror:vulnerability"
	CapRorConfig        Capability = "ror:config"

	CapKubernetes              Capability = "kubernetes"
	CapKubernetesArgocd        Capability = "kubernetes:argocd"
	CapKubernetesArgocdProject Capability = "kubernetes:argocd:project"
	CapKubernetesGrafana       Capability = "kubernetes:grafana"

	CapVirtualmachine Capability = "virtualmachine"
)

Well-known capabilities (without verb).

func (Capability) WithVerb added in v1.19.0

func (c Capability) WithVerb(v Verb) AccessTypeV3

WithVerb builds a full AccessTypeV3 by appending the verb. Example: CapRorConfig.WithVerb(VerbRead) → "ror:config:read"

type Verb added in v1.19.0

type Verb string

Verb represents the action part of an access type.

const (
	VerbRead     Verb = "read"
	VerbWrite    Verb = "write"
	VerbCreate   Verb = "create"
	VerbUpdate   Verb = "update"
	VerbDelete   Verb = "delete"
	VerbAdmin    Verb = "admin"
	VerbLogon    Verb = "logon"
	VerbOwner    Verb = "owner"
	VerbReadonly Verb = "readonly"
)

Well-known verbs.
