authz

Overview

Authorization package


Constants

// Actions are the verbs a Policy can require on a resource.
const (
	ActionRead   = "read"
	ActionList   = "list"
	ActionCreate = "create"
	ActionUpdate = "update"
	ActionDelete = "delete"
)

// Resource identifiers; each one is the Resource half of a Policy tuple.
//
// NOTE(review): Organization does not carry the Resource prefix the other
// identifiers use. It is part of the public API, so it is left as is.
const (
	ResourceWorkflowContract      = "workflow_contract"
	ResourceCASArtifact           = "cas_artifact"
	ResourceCASBackend            = "cas_backend"
	ResourceReferrer              = "referrer"
	ResourceAvailableIntegration  = "integration_available"
	ResourceRegisteredIntegration = "integration_registered"
	ResourceAttachedIntegration   = "integration_attached"
	ResourceOrgMetric             = "metrics_org"
	ResourceRobotAccount          = "robot_account"
	ResourceWorkflowRun           = "workflow_run"
	ResourceWorkflow              = "workflow"
	Organization                  = "organization"
	ResourceGroup                 = "group"
	ResourceGroupMembership       = "group_membership"
	ResourceProjectAPIToken       = "project_api_token"
)

// Organization-level roles.
//
// Owner, Admin and Viewer are hierarchical: Owner inherits every policy of
// Admin, which in turn inherits every policy of Viewer. That is why RolesMap
// lists only the delta for Admin and nothing at all for Owner.
const (
	RoleOwner  Role = "role:org:owner"
	RoleAdmin  Role = "role:org:admin"
	RoleViewer Role = "role:org:viewer"

	// RoleOrgMember is the role users get by default when they join an
	// organization. They cannot see projects until invited, but they can
	// create projects of their own, so a (role, resource-type, action) Casbin
	// rule is not enough on its own: ownership must also be checked, and that
	// check happens at the service level, not in this package.
	RoleOrgMember Role = "role:org:member"
)

// Project- and group-scoped roles.
const (
	RoleProjectAdmin  Role = "role:project:admin"
	RoleProjectViewer Role = "role:project:viewer"

	// RoleGroupMaintainer can manage the membership of groups in an organization.
	RoleGroupMaintainer Role = "role:group:maintainer"
)
// Membership subjects: who holds a membership.
const (
	MembershipTypeUser  MembershipType = "user"
	MembershipTypeGroup MembershipType = "group"
)

// Membership targets: what a membership is held on.
const (
	ResourceTypeOrganization ResourceType = "organization"
	ResourceTypeProject      ResourceType = "project"
	ResourceTypeGroup        ResourceType = "group"
)

Variables

// Policies are the (resource, action) tuples the enforcer checks. The same
// values are referenced from RolesMap (what a role is allowed to do) and from
// ServerOperationsMap (what an operation requires), so a tuple is the single
// point of truth for both sides of an authorization decision.
var (
	// Referrer
	PolicyReferrerRead = &Policy{Resource: ResourceReferrer, Action: ActionRead}
	// Artifact
	PolicyArtifactDownload = &Policy{Resource: ResourceCASArtifact, Action: ActionRead}
	PolicyArtifactUpload   = &Policy{Resource: ResourceCASArtifact, Action: ActionCreate}
	// CAS backend
	PolicyCASBackendList = &Policy{Resource: ResourceCASBackend, Action: ActionList}
	// Available integrations
	PolicyAvailableIntegrationList = &Policy{Resource: ResourceAvailableIntegration, Action: ActionList}
	PolicyAvailableIntegrationRead = &Policy{Resource: ResourceAvailableIntegration, Action: ActionRead}
	// Registered integrations
	PolicyRegisteredIntegrationList = &Policy{Resource: ResourceRegisteredIntegration, Action: ActionList}
	PolicyRegisteredIntegrationRead = &Policy{Resource: ResourceRegisteredIntegration, Action: ActionRead}
	PolicyRegisteredIntegrationAdd  = &Policy{Resource: ResourceRegisteredIntegration, Action: ActionCreate}
	// Attached integrations
	PolicyAttachedIntegrationList   = &Policy{Resource: ResourceAttachedIntegration, Action: ActionList}
	PolicyAttachedIntegrationAttach = &Policy{Resource: ResourceAttachedIntegration, Action: ActionCreate}
	PolicyAttachedIntegrationDetach = &Policy{Resource: ResourceAttachedIntegration, Action: ActionDelete}
	// Org metrics
	// NOTE(review): despite the name, this policy requires ActionList rather
	// than ActionRead; keep that in mind when matching it against stored rules.
	PolicyOrgMetricsRead = &Policy{Resource: ResourceOrgMetric, Action: ActionList}
	// Robot account
	PolicyRobotAccountList   = &Policy{Resource: ResourceRobotAccount, Action: ActionList}
	PolicyRobotAccountCreate = &Policy{Resource: ResourceRobotAccount, Action: ActionCreate}
	// Workflow contract
	PolicyWorkflowContractList   = &Policy{Resource: ResourceWorkflowContract, Action: ActionList}
	PolicyWorkflowContractRead   = &Policy{Resource: ResourceWorkflowContract, Action: ActionRead}
	PolicyWorkflowContractUpdate = &Policy{Resource: ResourceWorkflowContract, Action: ActionUpdate}
	PolicyWorkflowContractCreate = &Policy{Resource: ResourceWorkflowContract, Action: ActionCreate}
	// Workflow run
	PolicyWorkflowRunList   = &Policy{Resource: ResourceWorkflowRun, Action: ActionList}
	PolicyWorkflowRunRead   = &Policy{Resource: ResourceWorkflowRun, Action: ActionRead}
	PolicyWorkflowRunCreate = &Policy{Resource: ResourceWorkflowRun, Action: ActionCreate}
	PolicyWorkflowRunUpdate = &Policy{Resource: ResourceWorkflowRun, Action: ActionUpdate}
	// Workflow
	PolicyWorkflowList   = &Policy{Resource: ResourceWorkflow, Action: ActionList}
	PolicyWorkflowRead   = &Policy{Resource: ResourceWorkflow, Action: ActionRead}
	PolicyWorkflowCreate = &Policy{Resource: ResourceWorkflow, Action: ActionCreate}
	PolicyWorkflowUpdate = &Policy{Resource: ResourceWorkflow, Action: ActionUpdate}
	PolicyWorkflowDelete = &Policy{Resource: ResourceWorkflow, Action: ActionDelete}
	// Organization / user membership
	// NOTE(review): both policies below are the same (Organization, ActionRead)
	// tuple, so nothing in the tuple itself distinguishes them: a rule that
	// grants one grants the other.
	PolicyOrganizationRead            = &Policy{Resource: Organization, Action: ActionRead}
	PolicyOrganizationListMemberships = &Policy{Resource: Organization, Action: ActionRead}
	// Groups
	PolicyGroupCreate = &Policy{Resource: ResourceGroup, Action: ActionCreate}
	PolicyGroupUpdate = &Policy{Resource: ResourceGroup, Action: ActionUpdate}
	PolicyGroupDelete = &Policy{Resource: ResourceGroup, Action: ActionDelete}
	PolicyGroupList   = &Policy{Resource: ResourceGroup, Action: ActionList}
	PolicyGroupRead   = &Policy{Resource: ResourceGroup, Action: ActionRead}
	// Group memberships
	PolicyGroupListMemberships   = &Policy{Resource: ResourceGroupMembership, Action: ActionList}
	PolicyGroupAddMemberships    = &Policy{Resource: ResourceGroupMembership, Action: ActionCreate}
	PolicyGroupRemoveMemberships = &Policy{Resource: ResourceGroupMembership, Action: ActionDelete}
	// Project API token
	PolicyProjectAPITokenList   = &Policy{Resource: ResourceProjectAPIToken, Action: ActionList}
	PolicyProjectAPITokenCreate = &Policy{Resource: ResourceProjectAPIToken, Action: ActionCreate}
	PolicyProjectAPITokenRevoke = &Policy{Resource: ResourceProjectAPIToken, Action: ActionDelete}
)

ManagedResources are the resources managed by Chainloop; they are the ones considered during the permissions sync.

// RolesMap is the default set of policies granted to each role.
//
// Only the delta is listed where the Casbin role hierarchy fills in the rest:
// RoleAdmin adds just PolicyArtifactUpload on top of RoleViewer, and RoleOwner
// has no entry of its own because it inherits everything from RoleAdmin (see
// the Role* constants).
//
// Some policies declared in this package appear in no role here
// (PolicyRegisteredIntegrationAdd, PolicyRobotAccountCreate, PolicyGroupCreate,
// PolicyGroupUpdate, PolicyGroupDelete, PolicyWorkflowRunCreate is only on
// RoleProjectAdmin); how the others are granted is not visible in this file.
var RolesMap = map[Role][]*Policy{

	// Read-only access to organization-scoped resources.
	RoleViewer: {

		PolicyReferrerRead,

		PolicyArtifactDownload,

		PolicyCASBackendList,

		PolicyAvailableIntegrationList,
		PolicyAvailableIntegrationRead,

		PolicyRegisteredIntegrationList,

		PolicyAttachedIntegrationList,

		PolicyOrgMetricsRead,

		PolicyRobotAccountList,

		PolicyWorkflowContractList,
		PolicyWorkflowContractRead,

		PolicyWorkflowRunList,
		PolicyWorkflowRunRead,

		PolicyWorkflowList,
		PolicyWorkflowRead,

		PolicyOrganizationRead,

		PolicyGroupList,
		PolicyGroupRead,

		PolicyGroupListMemberships,
	},

	// Admin adds CAS upload on top of everything Viewer has (inherited).
	RoleAdmin: {

		PolicyArtifactUpload,
	},

	// Default role on joining an organization. The workflow and contract write
	// policies below are deliberately broad at this layer: whether the member
	// actually owns the project is checked at the service level (see the
	// RoleOrgMember constant), not by the enforcer.
	RoleOrgMember: {

		PolicyWorkflowRead,
		PolicyWorkflowContractList,
		PolicyWorkflowContractRead,
		PolicyWorkflowContractCreate,
		PolicyWorkflowContractUpdate,

		PolicyWorkflowList,
		PolicyWorkflowCreate,
		PolicyWorkflowUpdate,
		PolicyWorkflowDelete,

		PolicyWorkflowRunList,
		PolicyWorkflowRunRead,

		PolicyArtifactDownload,

		PolicyCASBackendList,

		PolicyOrganizationRead,

		PolicyAvailableIntegrationList,
		PolicyAvailableIntegrationRead,
		PolicyRegisteredIntegrationList,
		PolicyRegisteredIntegrationRead,

		PolicyAttachedIntegrationList,
		PolicyAttachedIntegrationAttach,
		PolicyAttachedIntegrationDetach,

		PolicyOrgMetricsRead,
		PolicyReferrerRead,

		PolicyGroupList,
		PolicyGroupRead,

		PolicyGroupListMemberships,

		PolicyProjectAPITokenList,
		PolicyProjectAPITokenCreate,
		PolicyProjectAPITokenRevoke,
	},

	// Project-scoped roles. A (role, resource, action) tuple does not say
	// *which* project it applies to; that scoping presumably happens where the
	// role is assigned, outside this map — confirm against the membership code.
	RoleProjectViewer: {
		PolicyWorkflowRead,
		PolicyWorkflowRunRead,
	},

	// RoleProjectAdmin is not derived from RoleProjectViewer here: the two
	// read policies are repeated explicitly.
	RoleProjectAdmin: {

		PolicyWorkflowRead,
		PolicyWorkflowCreate,
		PolicyWorkflowRunCreate,
		PolicyWorkflowRunUpdate,

		PolicyWorkflowUpdate,
		PolicyWorkflowDelete,

		PolicyWorkflowRunRead,

		PolicyAttachedIntegrationAttach,
		PolicyAttachedIntegrationDetach,

		PolicyProjectAPITokenList,
		PolicyProjectAPITokenCreate,
		PolicyProjectAPITokenRevoke,
	},

	// Group membership management only. Note that GroupService/AddMember and
	// RemoveMember carry no policy in ServerOperationsMap, so these two tuples
	// are not what gates those RPCs at the operations layer.
	RoleGroupMaintainer: {
		PolicyGroupAddMemberships,
		PolicyGroupRemoveMemberships,
	},
}

RolesMap is the default list of policies for each role. NOTE: roles are not necessarily hierarchical; however, the Admin role inherits all the policies of the Viewer role, so those do not need to be listed again.

// ServerOperationsMap maps a gRPC full method name to the policies a caller
// must hold to invoke it. An entry with several policies requires all of them.
//
// An empty slice means this map imposes no (resource, action) requirement on
// the operation; whatever gating remains (authentication, ownership) has to
// come from the service itself and is not visible in this file.
//
// At least one key is a pattern ("/controlplane.v1.OrgMetricsService/.*"), so
// the lookup presumably does regular-expression matching rather than an exact
// map lookup — confirm against the matcher, and make sure patterns are anchored
// so a broad one cannot match a method that should carry a stricter policy.
var ServerOperationsMap = map[string][]*Policy{

	"/controlplane.v1.ReferrerService/DiscoverPrivate": {PolicyReferrerRead},

	// No policy: gated outside this map.
	"/controlplane.v1.CASCredentialsService/Get": {},

	"/controlplane.v1.CASRedirectService/DownloadRedirect": {PolicyArtifactDownload},

	"/controlplane.v1.CASRedirectService/GetDownloadURL": {PolicyArtifactDownload},

	"/controlplane.v1.CASBackendService/List": {PolicyCASBackendList},

	// Both policies are required (AND semantics).
	"/controlplane.v1.IntegrationsService/ListAvailable": {PolicyAvailableIntegrationList, PolicyAvailableIntegrationRead},

	"/controlplane.v1.IntegrationsService/ListRegistrations":    {PolicyRegisteredIntegrationList},
	"/controlplane.v1.IntegrationsService/DescribeRegistration": {PolicyRegisteredIntegrationRead},
	"/controlplane.v1.IntegrationsService/Register":             {PolicyRegisteredIntegrationAdd},

	"/controlplane.v1.IntegrationsService/ListAttachments": {PolicyAttachedIntegrationList},
	"/controlplane.v1.IntegrationsService/Attach":          {PolicyAttachedIntegrationAttach},
	"/controlplane.v1.IntegrationsService/Detach":          {PolicyAttachedIntegrationDetach},

	// Pattern key covering every OrgMetricsService method; see the note above.
	"/controlplane.v1.OrgMetricsService/.*": {PolicyOrgMetricsRead},

	"/controlplane.v1.RobotAccountService/List":   {PolicyRobotAccountList},
	"/controlplane.v1.RobotAccountService/Create": {PolicyRobotAccountCreate},

	"/controlplane.v1.WorkflowService/List":   {PolicyWorkflowList},
	"/controlplane.v1.WorkflowService/View":   {PolicyWorkflowRead},
	"/controlplane.v1.WorkflowService/Create": {PolicyWorkflowCreate},
	"/controlplane.v1.WorkflowService/Update": {PolicyWorkflowUpdate},
	"/controlplane.v1.WorkflowService/Delete": {PolicyWorkflowDelete},

	// PolicyWorkflowRunCreate/Update exist but no WorkflowRunService operation
	// listed here requires them.
	"/controlplane.v1.WorkflowRunService/List": {PolicyWorkflowRunList},
	"/controlplane.v1.WorkflowRunService/View": {PolicyWorkflowRunRead},

	"/controlplane.v1.WorkflowContractService/List":     {PolicyWorkflowContractList},
	"/controlplane.v1.WorkflowContractService/Describe": {PolicyWorkflowContractRead},
	"/controlplane.v1.WorkflowContractService/Update":   {PolicyWorkflowContractUpdate},
	"/controlplane.v1.WorkflowContractService/Create":   {PolicyWorkflowContractCreate},

	"/controlplane.v1.ContextService/Current": {PolicyOrganizationRead},

	// Organization creation and a user's own membership/account management
	// carry no policy here.
	"/controlplane.v1.OrganizationService/Create": {},

	"/controlplane.v1.UserService/ListMemberships": {},

	"/controlplane.v1.UserService/SetCurrentMembership": {},

	"/controlplane.v1.UserService/DeleteMembership": {},
	"/controlplane.v1.AuthService/DeleteAccount":    {},

	// Same tuple as PolicyOrganizationRead, so this is equivalent to the
	// ContextService/Current requirement.
	"/controlplane.v1.OrganizationService/ListMemberships": {PolicyOrganizationListMemberships},

	"/controlplane.v1.GroupService/List": {PolicyGroupList},

	"/controlplane.v1.GroupService/ListMembers": {PolicyGroupListMemberships},

	// NOTE(review): these two mutations carry no policy even though
	// PolicyGroupAddMemberships / PolicyGroupRemoveMemberships are defined and
	// granted to RoleGroupMaintainer. The check is presumably done at the
	// service level — confirm, because an empty entry here is not enforced by
	// the enforcer at all.
	"/controlplane.v1.GroupService/AddMember":    {},
	"/controlplane.v1.GroupService/RemoveMember": {},

	"/controlplane.v1.ProjectService/APITokenCreate": {PolicyProjectAPITokenCreate},
	"/controlplane.v1.ProjectService/APITokenList":   {PolicyProjectAPITokenList},
	"/controlplane.v1.ProjectService/APITokenRevoke": {PolicyProjectAPITokenRevoke},
}

ServerOperationsMap maps each server operation to the ResourceAction tuples required to perform it. If an entry contains more than one policy, all of them must be satisfied.

Functions

This section is empty.

Types

type Config added in v1.12.0

// Config carries what an Enforcer needs beyond its policy storage backend:
// the resources Chainloop manages (considered during the permissions sync)
// and the role -> policies table, presumably the package-level RolesMap in
// normal use — confirm with the callers of NewDatabaseEnforcer/NewFiletypeEnforcer.
type Config struct {
	ManagedResources []string
	RolesMap         map[Role][]*Policy
}

type Enforcer

// Enforcer wraps a casbin.Enforcer. Embedding exposes the casbin API directly;
// this package adds subject-scoped policy management on top (AddPolicies,
// ClearPolicies) and a Policy-based Enforce. Construct it with
// NewDatabaseEnforcer or NewFiletypeEnforcer.
type Enforcer struct {
	*casbin.Enforcer
	// contains filtered or unexported fields
}

func NewDatabaseEnforcer

func NewDatabaseEnforcer(c *config.DatabaseConfig, config *Config) (*Enforcer, error)

NewDatabaseEnforcer creates a new casbin authorization enforcer that uses a database as its policy storage backend.

func NewFiletypeEnforcer

func NewFiletypeEnforcer(path string, config *Config) (*Enforcer, error)

NewFiletypeEnforcer creates a new casbin authorization enforcer that uses a CSV file as its policy storage backend.

func (*Enforcer) AddPolicies

func (e *Enforcer) AddPolicies(sub *SubjectAPIToken, policies ...*Policy) error

func (*Enforcer) ClearPolicies

func (e *Enforcer) ClearPolicies(sub *SubjectAPIToken) error

ClearPolicies removes all the policies for the given subject.

func (*Enforcer) Enforce

func (e *Enforcer) Enforce(sub string, p *Policy) (bool, error)

type MembershipType added in v1.11.0

// MembershipType is the kind of subject that holds a membership: a user
// (MembershipTypeUser) or a group (MembershipTypeGroup).
type MembershipType string

MembershipType represents a polymorphic membership subject (user or group)

func (MembershipType) Values added in v1.11.0

func (MembershipType) Values() (values []string)

Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues

type Policy

// Policy is a (resource, action) tuple: Resource is one of the Resource*
// constants (or Organization) and Action one of the Action* constants.
// Nothing but these two fields identifies a policy, so two policies built
// from the same tuple (e.g. PolicyOrganizationRead and
// PolicyOrganizationListMemberships) describe the same rule.
type Policy struct {
	Resource string
	Action   string
}

Policy is a (resource, action) tuple.

type ResourceType added in v1.11.0

// ResourceType is the kind of resource a membership is held on; see the
// ResourceType* constants.
type ResourceType string

ResourceType represents a membership resource (organizations, projects).

func (ResourceType) Values added in v1.11.0

func (ResourceType) Values() (values []string)

Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues

type Role

// Role is a Casbin role name such as RoleOwner or RoleProjectAdmin. It keys
// RolesMap and, through Values, is exposed to the ent database schema.
type Role string

func (Role) Values

func (Role) Values() (roles []string)

Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues so that roles can be added to the database schema.

type SubjectAPIToken

// SubjectAPIToken identifies an API token as the subject whose policies
// AddPolicies and ClearPolicies manage. ID is the token's identifier; String
// renders the subject form (its implementation is not shown here).
type SubjectAPIToken struct {
	ID string
}

func (*SubjectAPIToken) String

func (t *SubjectAPIToken) String() string
