authz

package
v0.61.1
Published: Jun 27, 2026 License: Apache-2.0 Imports: 5 Imported by: 1

Documentation

Overview

Package authz provides network-based and principal-based access control utilities.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsPrincipalAuthorised added in v0.40.0

func IsPrincipalAuthorised(user string, allowList []string, denyList []string) bool

IsPrincipalAuthorised checks if a user is authorised based on allow and deny lists.

Types

type Authoriser added in v0.61.0

type Authoriser interface {
	Authorise(addr *net.TCPAddr) bool
	AuthoriseFromString(addr string) (bool, error)
	AuthoriseConn(c net.Conn) (bool, error)
}

Authoriser checks whether a network address is permitted to connect.

type GatingListener added in v0.61.0

type GatingListener struct {
	net.Listener
	// contains filtered or unexported fields
}

GatingListener wraps a net.Listener and applies a gate predicate to each accepted connection. Connections rejected by the gate are closed and the loop retries; only connections that pass the gate are returned.

gate receives the accepted conn and returns true to allow it. A false return closes the connection and retries; gate errors are the gate's responsibility to handle before returning.

func NewGatingListener added in v0.61.0

func NewGatingListener(l net.Listener, gate func(net.Conn) bool) *GatingListener

NewGatingListener creates a GatingListener that applies gate to every accepted connection. gate must be safe for concurrent use if Accept is called concurrently (in practice net.Listener.Accept is typically called from a single goroutine).

func (*GatingListener) Accept added in v0.61.0

func (g *GatingListener) Accept() (net.Conn, error)

Accept waits for and returns the next connection that passes the gate.

type Listener

type Listener struct {
	Logger zerolog.Logger
	// contains filtered or unexported fields
}

Listener is a network listener that enforces an Authoriser on all incoming connections.

func NewListener added in v0.61.0

func NewListener(l net.Listener, acl Authoriser, logger zerolog.Logger) *Listener

NewListener creates a Listener that gates incoming connections via the given Authoriser.

func (*Listener) Accept

func (l *Listener) Accept() (net.Conn, error)

Accept waits for and returns the next connection that passes the Authoriser. Rejected connections are closed; the loop retries until an authorised connection arrives.

func (*Listener) Addr

func (l *Listener) Addr() net.Addr

Addr returns the listener's network address.

func (*Listener) Close

func (l *Listener) Close() error

Close closes the listener.

type NetworkACL

type NetworkACL struct {
	AllowByDefault bool
	// contains filtered or unexported fields
}

NetworkACL describes network-based access control rules.

func NewNetworkACL

func NewNetworkACL(cfg NetworkACLConfig) (*NetworkACL, error)

NewNetworkACL creates a new NetworkACL from the provided configuration.

func (*NetworkACL) Allow

func (a *NetworkACL) Allow(n *net.IPNet)

Allow adds a network to the allow list.

func (*NetworkACL) AllowFromString

func (a *NetworkACL) AllowFromString(n string) error

AllowFromString parses a network string and adds it to the allow list.

func (*NetworkACL) Authorise

func (a *NetworkACL) Authorise(addr *net.TCPAddr) bool

Authorise checks if the provided TCP address is authorised. If both allow and deny lists are present, allow is checked first. If an IP is in the allow list but also matches a deny rule, authorisation is denied. This allows denying subsets of allowed CIDR ranges.
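The allow-then-deny order described above, reimplemented as an added example (not the package's own code) so the carve-out behaviour can be exercised: a deny rule rejects an address even when it sits inside an allowed CIDR. The names cidrACL, newCIDRACL and anyContains belong to this example, and the way it treats AllowByDefault (permit addresses that match no allow rule) is an assumption, not something this page documents.

```go
package main

import (
	"fmt"
	"net"
)

// cidrACL mirrors the documented order of NetworkACL.Authorise: allow is
// checked first, then deny, so a deny rule rejects an address even when it
// sits inside an allowed CIDR. Treating AllowByDefault as "permit addresses
// matching no allow rule" is an assumption made for this example.
type cidrACL struct {
	allow, deny    []*net.IPNet
	allowByDefault bool
}

// newCIDRACL parses the allow and deny CIDR lists, the way NewNetworkACL
// would consume the AllowedNets and DeniedNets of a NetworkACLConfig.
func newCIDRACL(allow, deny []string, allowByDefault bool) (*cidrACL, error) {
	a := &cidrACL{allowByDefault: allowByDefault}
	for i, cidrs := range [][]string{allow, deny} {
		for _, c := range cidrs {
			_, n, err := net.ParseCIDR(c)
			if err != nil {
				return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
			}
			if i == 0 {
				a.allow = append(a.allow, n)
			} else {
				a.deny = append(a.deny, n)
			}
		}
	}
	return a, nil
}

func anyContains(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// authorise applies allow first, then deny; a deny match always wins.
func (a *cidrACL) authorise(addr *net.TCPAddr) bool {
	if !a.allowByDefault && !anyContains(a.allow, addr.IP) {
		return false
	}
	return !anyContains(a.deny, addr.IP)
}
```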

func (*NetworkACL) AuthoriseConn

func (a *NetworkACL) AuthoriseConn(c net.Conn) (bool, error)

AuthoriseConn checks if the provided connection is authorised.

func (*NetworkACL) AuthoriseFromString

func (a *NetworkACL) AuthoriseFromString(addr string) (bool, error)

AuthoriseFromString checks if the provided address string is authorised.

func (*NetworkACL) Deny

func (a *NetworkACL) Deny(net *net.IPNet)

Deny adds a network to the deny list.

func (*NetworkACL) DenyFromString

func (a *NetworkACL) DenyFromString(n string) error

DenyFromString parses a network string and adds it to the deny list.

type NetworkACLConfig

type NetworkACLConfig struct {
	AllowedNets    []string `json:"allow,omitzero" mapstructure:"allow"`
	DeniedNets     []string `json:"deny,omitzero" mapstructure:"deny"`
	AllowByDefault bool     `json:"allow_by_default" mapstructure:"allow-by-default"`
}

NetworkACLConfig describes the configuration for network-based access control.

type PrincipalACLConfig

type PrincipalACLConfig struct {
	AllowList []string `mapstructure:"allow-list"`
	DenyList  []string `mapstructure:"deny-list"`
}

PrincipalACLConfig describes the configuration for principal-based access control.

Directories

Path Synopsis
Package prefixlist provides utilities for fetching and managing IP prefix lists from various cloud providers.
