Authorization package
Constants ¶
// Actions are the verbs that, paired with a resource below, form a Policy.
const (
	ActionRead   = "read"
	ActionList   = "list"
	ActionCreate = "create"
	ActionUpdate = "update"
	ActionDelete = "delete"

	// Resources are the object types a Policy refers to. The string values are the
	// identifiers used in policies, so renaming a constant must not change its value.
	ResourceWorkflowContract        = "workflow_contract"
	ResourceCASArtifact             = "cas_artifact"
	ResourceCASBackend              = "cas_backend"
	ResourceReferrer                = "referrer"
	ResourceAvailableIntegration    = "integration_available"
	ResourceRegisteredIntegration   = "integration_registered"
	ResourceAttachedIntegration     = "integration_attached"
	ResourceOrgMetric               = "metrics_org"
	ResourceRobotAccount            = "robot_account"
	ResourceWorkflowRun             = "workflow_run"
	ResourceWorkflow                = "workflow"
	ResourceProject                 = "project"
	// NOTE(review): Organization and OrganizationMemberships lack the Resource prefix used by
	// every other resource name in this block; kept as-is since their values are what matter.
	Organization                    = "organization"
	OrganizationMemberships         = "organization_memberships"
	ResourceGroup                   = "group"
	ResourceGroupMembership         = "group_membership"
	ResourceAPIToken                = "api_token"
	ResourceProjectMembership       = "project_membership"
	ResourceOrganizationInvitations = "organization_invitations"
	ResourceGroupProjects           = "group_projects"

	// RoleInstanceAdmin is the top-level instance admin role. It is used to know whether a
	// user is a super admin of the chainloop instance.
	RoleInstanceAdmin Role = "role:instance:admin"

	// Organization roles: owner, admin and viewer.
	// These roles are hierarchical: Owner inherits all the policies from Admin, which in turn
	// inherits all the policies from Viewer. The hierarchy itself is not expressed in this
	// block; see RolesMap and the enforcer configuration.
	RoleOwner  Role = "role:org:owner"
	RoleAdmin  Role = "role:org:admin"
	RoleViewer Role = "role:org:viewer"

	// RoleOrgMember cannot see projects until they are invited. However, members are able to
	// create their own projects, so Casbin rules (role, resource-type, action) are NOT enough
	// to check for permission: ownership must be checked as well. That last check is done at
	// the service level.
	RoleOrgMember Role = "role:org:member"

	// RoleOrgContributor can work on projects they are invited to with the scoped role
	// ProjectAdmin or ProjectViewer, but cannot create their own projects.
	RoleOrgContributor Role = "role:org:contributor"

	// Project-scoped roles, granted per project membership.
	RoleProjectAdmin  Role = "role:project:admin"
	RoleProjectViewer Role = "role:project:viewer"

	// RoleGroupMaintainer is a role that can manage groups in an organization.
	RoleGroupMaintainer Role = "role:group:maintainer"

	// Product roles.
	RoleProductViewer Role = "role:product:viewer"
	RoleProductAdmin  Role = "role:product:admin"
)
const ( MembershipTypeUser MembershipType = "user" MembershipTypeGroup MembershipType = "group" ResourceTypeInstance ResourceType = "instance" ResourceTypeOrganization ResourceType = "organization" ResourceTypeProject ResourceType = "project" ResourceTypeProduct ResourceType = "product" ResourceTypeGroup ResourceType = "group" )
Variables ¶
// Policies are (resource, action) tuples. Policy is declared elsewhere in the package; the
// literals below rely on its positional field order being resource first, then action.
var (
	// Referrer
	PolicyReferrerRead = &Policy{ResourceReferrer, ActionRead}

	// Artifact
	PolicyArtifactDownload = &Policy{ResourceCASArtifact, ActionRead}
	PolicyArtifactUpload   = &Policy{ResourceCASArtifact, ActionCreate}

	// CAS backend
	PolicyCASBackendList   = &Policy{ResourceCASBackend, ActionList}
	PolicyCASBackendUpdate = &Policy{ResourceCASBackend, ActionUpdate}

	// Available integrations
	PolicyAvailableIntegrationList = &Policy{ResourceAvailableIntegration, ActionList}
	PolicyAvailableIntegrationRead = &Policy{ResourceAvailableIntegration, ActionRead}

	// Registered integrations
	PolicyRegisteredIntegrationList = &Policy{ResourceRegisteredIntegration, ActionList}
	PolicyRegisteredIntegrationRead = &Policy{ResourceRegisteredIntegration, ActionRead}
	PolicyRegisteredIntegrationAdd  = &Policy{ResourceRegisteredIntegration, ActionCreate}

	// Attached integrations
	PolicyAttachedIntegrationList   = &Policy{ResourceAttachedIntegration, ActionList}
	PolicyAttachedIntegrationAttach = &Policy{ResourceAttachedIntegration, ActionCreate}
	PolicyAttachedIntegrationDetach = &Policy{ResourceAttachedIntegration, ActionDelete}

	// Org Metrics
	// NOTE(review): despite its name this policy is keyed on ActionList, not ActionRead.
	// Left unchanged because the tuple is what stored policies and ServerOperationsMap refer to.
	PolicyOrgMetricsRead = &Policy{ResourceOrgMetric, ActionList}

	// Robot Account
	PolicyRobotAccountList   = &Policy{ResourceRobotAccount, ActionList}
	PolicyRobotAccountCreate = &Policy{ResourceRobotAccount, ActionCreate}

	// Workflow Contract
	PolicyWorkflowContractList   = &Policy{ResourceWorkflowContract, ActionList}
	PolicyWorkflowContractRead   = &Policy{ResourceWorkflowContract, ActionRead}
	PolicyWorkflowContractUpdate = &Policy{ResourceWorkflowContract, ActionUpdate}
	PolicyWorkflowContractCreate = &Policy{ResourceWorkflowContract, ActionCreate}
	PolicyWorkflowContractDelete = &Policy{ResourceWorkflowContract, ActionDelete}

	// WorkflowRun
	PolicyWorkflowRunList   = &Policy{ResourceWorkflowRun, ActionList}
	PolicyWorkflowRunRead   = &Policy{ResourceWorkflowRun, ActionRead}
	PolicyWorkflowRunCreate = &Policy{ResourceWorkflowRun, ActionCreate}
	PolicyWorkflowRunUpdate = &Policy{ResourceWorkflowRun, ActionUpdate}

	// Workflow
	PolicyWorkflowList   = &Policy{ResourceWorkflow, ActionList}
	PolicyWorkflowRead   = &Policy{ResourceWorkflow, ActionRead}
	PolicyWorkflowCreate = &Policy{ResourceWorkflow, ActionCreate}
	PolicyWorkflowUpdate = &Policy{ResourceWorkflow, ActionUpdate}
	PolicyWorkflowDelete = &Policy{ResourceWorkflow, ActionDelete}

	// Projects
	PolicyProjectCreate = &Policy{ResourceProject, ActionCreate}

	// Organization
	PolicyOrganizationCreate = &Policy{Organization, ActionCreate}
	PolicyOrganizationDelete = &Policy{Organization, ActionDelete}

	// User Membership
	PolicyOrganizationRead            = &Policy{Organization, ActionRead}
	PolicyOrganizationListMemberships = &Policy{OrganizationMemberships, ActionList}

	// Group Memberships
	// NOTE(review): PolicyGroupListPendingInvitations is keyed on ResourceGroup, while the other
	// group membership policies use ResourceGroupMembership; confirm this is intentional.
	PolicyGroupListPendingInvitations = &Policy{ResourceGroup, ActionList}
	PolicyGroupListMemberships        = &Policy{ResourceGroupMembership, ActionList}
	PolicyGroupAddMemberships         = &Policy{ResourceGroupMembership, ActionCreate}
	PolicyGroupRemoveMemberships      = &Policy{ResourceGroupMembership, ActionDelete}
	PolicyGroupUpdateMemberships      = &Policy{ResourceGroupMembership, ActionUpdate}

	// API Token
	PolicyAPITokenList   = &Policy{ResourceAPIToken, ActionList}
	PolicyAPITokenCreate = &Policy{ResourceAPIToken, ActionCreate}
	PolicyAPITokenRevoke = &Policy{ResourceAPIToken, ActionDelete}

	// Project Memberships
	PolicyProjectListMemberships   = &Policy{ResourceProjectMembership, ActionList}
	PolicyProjectAddMemberships    = &Policy{ResourceProjectMembership, ActionCreate}
	PolicyProjectUpdateMemberships = &Policy{ResourceProjectMembership, ActionUpdate}
	PolicyProjectRemoveMemberships = &Policy{ResourceProjectMembership, ActionDelete}

	// Organization Invitations
	PolicyOrganizationInvitationsCreate = &Policy{ResourceOrganizationInvitations, ActionCreate}
)
// RolesMap is the default list of policies for each role.
// NOTE: roles are not necessarily hierarchical; however, the Admin role inherits all the
// policies from the Viewer role, so they do not need to be repeated here.
//
// NOTE(review): RoleProjectAdmin lists no read/list policies, so it presumably inherits them
// from RoleProjectViewer through the enforcer's role hierarchy — confirm.
// NOTE(review): RoleOrgContributor is granted org-wide-looking policies (e.g. PolicyWorkflowCreate,
// PolicyWorkflowDelete, PolicyAPITokenCreate, PolicyAPITokenRevoke) even though the role is
// described as scoped to invited projects; presumably the resource-scoped enforcement narrows
// these to the caller's projects — confirm before relying on this table alone.
// NOTE(review): RoleProductViewer and RoleProductAdmin have no entry in this map.
var RolesMap = map[Role][]*Policy{
	RoleInstanceAdmin: {
		PolicyOrganizationCreate,
	},
	RoleOwner: {
		PolicyOrganizationDelete,
	},
	RoleAdmin: {
		PolicyArtifactUpload,
		PolicyOrganizationInvitationsCreate,
	},
	RoleViewer: {
		PolicyReferrerRead,
		PolicyArtifactDownload,
		PolicyCASBackendList,
		PolicyAvailableIntegrationList,
		PolicyAvailableIntegrationRead,
		PolicyRegisteredIntegrationList,
		PolicyAttachedIntegrationList,
		PolicyOrgMetricsRead,
		PolicyRobotAccountList,
		PolicyWorkflowContractList,
		PolicyWorkflowContractRead,
		PolicyWorkflowRunList,
		PolicyWorkflowRunRead,
		PolicyWorkflowList,
		PolicyWorkflowRead,
		PolicyOrganizationRead,
		PolicyOrganizationListMemberships,
	},
	RoleOrgContributor: {
		PolicyWorkflowRead,
		PolicyWorkflowContractList,
		PolicyWorkflowContractRead,
		PolicyWorkflowContractCreate,
		PolicyWorkflowContractUpdate,
		PolicyWorkflowContractDelete,
		PolicyWorkflowList,
		PolicyWorkflowCreate,
		PolicyWorkflowUpdate,
		PolicyWorkflowDelete,
		PolicyWorkflowRunList,
		PolicyWorkflowRunRead,
		PolicyArtifactDownload,
		PolicyArtifactUpload,
		PolicyCASBackendList,
		PolicyOrganizationRead,
		PolicyAvailableIntegrationList,
		PolicyAvailableIntegrationRead,
		PolicyRegisteredIntegrationList,
		PolicyRegisteredIntegrationRead,
		PolicyAttachedIntegrationList,
		PolicyAttachedIntegrationAttach,
		PolicyAttachedIntegrationDetach,
		PolicyOrgMetricsRead,
		PolicyReferrerRead,
		PolicyAPITokenList,
		PolicyAPITokenCreate,
		PolicyAPITokenRevoke,
		PolicyProjectListMemberships,
		PolicyProjectAddMemberships,
		PolicyProjectRemoveMemberships,
		PolicyProjectUpdateMemberships,
	},
	// Members may only create projects; visibility of existing projects is decided by
	// project membership and ownership checks at the service level.
	RoleOrgMember: {
		PolicyProjectCreate,
	},
	RoleProjectViewer: {
		PolicyWorkflowRead,
		PolicyWorkflowRunRead,
		PolicyWorkflowContractList,
		PolicyWorkflowContractRead,
		PolicyAPITokenList,
	},
	RoleProjectAdmin: {
		PolicyWorkflowContractCreate,
		PolicyWorkflowContractUpdate,
		PolicyWorkflowContractDelete,
		PolicyWorkflowCreate,
		PolicyWorkflowRunCreate,
		PolicyWorkflowRunUpdate,
		PolicyWorkflowUpdate,
		PolicyWorkflowDelete,
		PolicyAttachedIntegrationAttach,
		PolicyAttachedIntegrationDetach,
		PolicyAPITokenCreate,
		PolicyAPITokenRevoke,
		PolicyProjectListMemberships,
		PolicyProjectAddMemberships,
		PolicyProjectRemoveMemberships,
		PolicyProjectUpdateMemberships,
	},
	RoleGroupMaintainer: {
		PolicyGroupListMemberships,
		PolicyGroupListPendingInvitations,
		PolicyGroupAddMemberships,
		PolicyGroupRemoveMemberships,
		PolicyGroupUpdateMemberships,
	},
}
RolesMap is the default list of policies for each role. NOTE: roles are not necessarily hierarchical; however, the Admin role inherits all the policies from the Viewer role, so they do not need to be added again.
// ServerOperationsMap maps a server operation (gRPC full method name) to the policies
// required to perform it. When an entry lists more than one policy, all of them must hold.
//
// NOTE(review): an empty list (CASCredentialsService/Get, OrganizationService/Create and
// /Delete, every UserService and GroupService method, AuthService/DeleteAccount) declares no
// policy requirement in this table at all; presumably those operations are authorized in the
// service layer instead — confirm, since a missing check there would leave them unguarded.
// NOTE(review): the OrgMetricsService key ends in ".*", which suggests keys are matched as
// patterns rather than by exact string; confirm against the interceptor that consumes this map.
var ServerOperationsMap = map[string][]*Policy{
	"/controlplane.v1.ReferrerService/DiscoverPrivate": {PolicyReferrerRead},

	"/controlplane.v1.CASCredentialsService/Get": {},

	"/controlplane.v1.CASRedirectService/DownloadRedirect": {PolicyArtifactDownload},
	"/controlplane.v1.CASRedirectService/GetDownloadURL":   {PolicyArtifactDownload},

	"/controlplane.v1.CASBackendService/List":       {PolicyCASBackendList},
	"/controlplane.v1.CASBackendService/Revalidate": {PolicyCASBackendUpdate},

	"/controlplane.v1.IntegrationsService/ListAvailable":        {PolicyAvailableIntegrationList, PolicyAvailableIntegrationRead},
	"/controlplane.v1.IntegrationsService/ListRegistrations":    {PolicyRegisteredIntegrationList},
	"/controlplane.v1.IntegrationsService/DescribeRegistration": {PolicyRegisteredIntegrationRead},
	"/controlplane.v1.IntegrationsService/Register":             {PolicyRegisteredIntegrationAdd},
	"/controlplane.v1.IntegrationsService/ListAttachments":      {PolicyAttachedIntegrationList},
	"/controlplane.v1.IntegrationsService/Attach":               {PolicyAttachedIntegrationAttach},
	"/controlplane.v1.IntegrationsService/Detach":               {PolicyAttachedIntegrationDetach},

	"/controlplane.v1.OrgMetricsService/.*": {PolicyOrgMetricsRead},

	"/controlplane.v1.RobotAccountService/List":   {PolicyRobotAccountList},
	"/controlplane.v1.RobotAccountService/Create": {PolicyRobotAccountCreate},

	"/controlplane.v1.WorkflowService/List":   {PolicyWorkflowList},
	"/controlplane.v1.WorkflowService/View":   {PolicyWorkflowRead},
	"/controlplane.v1.WorkflowService/Create": {PolicyWorkflowCreate},
	"/controlplane.v1.WorkflowService/Update": {PolicyWorkflowUpdate},
	"/controlplane.v1.WorkflowService/Delete": {PolicyWorkflowDelete},

	"/controlplane.v1.WorkflowRunService/List": {PolicyWorkflowRunList},
	"/controlplane.v1.WorkflowRunService/View": {PolicyWorkflowRunRead},

	"/controlplane.v1.WorkflowContractService/List":     {PolicyWorkflowContractList},
	"/controlplane.v1.WorkflowContractService/Describe": {PolicyWorkflowContractRead},
	"/controlplane.v1.WorkflowContractService/Update":   {PolicyWorkflowContractUpdate},
	"/controlplane.v1.WorkflowContractService/Create":   {PolicyWorkflowContractCreate},
	"/controlplane.v1.WorkflowContractService/Delete":   {PolicyWorkflowContractDelete},

	"/controlplane.v1.ContextService/Current": {PolicyOrganizationRead},

	"/controlplane.v1.OrganizationService/Create":          {},
	"/controlplane.v1.OrganizationService/Delete":          {},
	"/controlplane.v1.OrganizationService/ListMemberships": {PolicyOrganizationListMemberships},

	"/controlplane.v1.UserService/ListMemberships":      {},
	"/controlplane.v1.UserService/SetCurrentMembership": {},
	"/controlplane.v1.UserService/DeleteMembership":     {},

	"/controlplane.v1.AuthService/DeleteAccount": {},

	"/controlplane.v1.GroupService/List":                         {},
	"/controlplane.v1.GroupService/Get":                          {},
	"/controlplane.v1.GroupService/ListMembers":                  {},
	"/controlplane.v1.GroupService/ListProjects":                 {},
	"/controlplane.v1.GroupService/AddMember":                    {},
	"/controlplane.v1.GroupService/RemoveMember":                 {},
	"/controlplane.v1.GroupService/ListPendingInvitations":       {},
	"/controlplane.v1.GroupService/UpdateMemberMaintainerStatus": {},

	"/controlplane.v1.ProjectService/ListMembers":            {PolicyProjectListMemberships},
	"/controlplane.v1.ProjectService/AddMember":              {PolicyProjectAddMemberships},
	"/controlplane.v1.ProjectService/RemoveMember":           {PolicyProjectRemoveMemberships},
	"/controlplane.v1.ProjectService/UpdateMemberRole":       {PolicyProjectUpdateMemberships},
	"/controlplane.v1.ProjectService/ListPendingInvitations": {PolicyProjectListMemberships},

	"/controlplane.v1.APITokenService/List":   {PolicyAPITokenList},
	"/controlplane.v1.APITokenService/Create": {PolicyAPITokenCreate},
	"/controlplane.v1.APITokenService/Revoke": {PolicyAPITokenRevoke},
}
ServerOperationsMap is a map of server operations to the resource/action tuples (policies) that are required to perform the operation. If an entry contains more than one policy, all of them need to be satisfied.
Types ¶
type Enforcer ¶
// Enforcer is the package's authorization enforcer. It embeds a *casbin.Enforcer, so the
// casbin API is available directly on it, and adds package-specific behaviour on top
// (see EnforceWithPolicies).
type Enforcer struct {
	*casbin.Enforcer
	// RestrictOrgCreation presumably gates organization creation, which has no policy
	// requirement in ServerOperationsMap — NOTE(review): confirm where it is enforced.
	RestrictOrgCreation bool
	// contains filtered or unexported fields
}
func NewFiletypeEnforcer ¶
NewFiletypeEnforcer creates a new casbin authorization enforcer that uses a CSV file as the policy storage backend.
func NewInMemoryEnforcer ¶ added in v1.54.0
NewInMemoryEnforcer creates a new casbin authorization enforcer with in-memory storage. Only static role policies from RolesMap are loaded. API token policies are checked separately using EnforceWithPolicies and are not stored in Casbin.
func (*Enforcer) EnforceWithPolicies ¶ added in v1.54.0
func (e *Enforcer) EnforceWithPolicies(_ string, p *Policy, allowedPolicies []*Policy) (bool, error)
EnforceWithPolicies checks whether the required policy exists in the provided list of allowed policies. This is used for ACL-based authorization (e.g., API tokens) where policies are stored in the database rather than in Casbin. It returns true if the required policy is found in the allowed list. The subject argument is currently ignored; in the future this function will also check whether the policy is allowed for the subject by running the enforcer with that subject.
type MembershipType ¶ added in v1.11.0
type MembershipType string
MembershipType represents a polymorphic membership subject (a user or a group).
func (MembershipType) Values ¶ added in v1.11.0
func (MembershipType) Values() (values []string)
Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues.
type ResourceType ¶ added in v1.11.0
type ResourceType string
ResourceType represents a membership resource (e.g. organizations, projects).
func (ResourceType) Values ¶ added in v1.11.0
func (ResourceType) Values() (values []string)
Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues.
type Role ¶
type Role string
func (Role) RBACEnabled ¶ added in v1.35.0
RBACEnabled returns whether an org-scoped role has RBAC enabled and needs resource-scoped enforcement.
func (Role) Values ¶
Values implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues so that roles can be added to the database schema.
type SubjectAPIToken ¶
// SubjectAPIToken is an authorization subject backed by an API token, identified by its ID.
type SubjectAPIToken struct {
	ID string
}
func (*SubjectAPIToken) String ¶
func (t *SubjectAPIToken) String() string