Documentation
Overview
Package authz provides network-based and principal-based access control utilities.
Index
- func IsPrincipalAuthorised(user string, allowList []string, denyList []string) bool
- type Authoriser
- type GatingListener
- type Listener
- type NetworkACL
- func (a *NetworkACL) Allow(n *net.IPNet)
- func (a *NetworkACL) AllowFromString(n string) error
- func (a *NetworkACL) Authorise(addr *net.TCPAddr) bool
- func (a *NetworkACL) AuthoriseConn(c net.Conn) (bool, error)
- func (a *NetworkACL) AuthoriseFromString(addr string) (bool, error)
- func (a *NetworkACL) Deny(net *net.IPNet)
- func (a *NetworkACL) DenyFromString(n string) error
- type NetworkACLConfig
- type PrincipalACLConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Authoriser (added in v0.61.0)
type Authoriser interface {
	Authorise(addr *net.TCPAddr) bool
	AuthoriseFromString(addr string) (bool, error)
	AuthoriseConn(c net.Conn) (bool, error)
}
Authoriser checks whether a network address is permitted to connect.
type GatingListener (added in v0.61.0)
GatingListener wraps a net.Listener and applies a gate predicate to each accepted connection. Connections rejected by the gate are closed and the loop retries; only connections that pass the gate are returned.
gate receives the accepted conn and returns true to allow it. A false return closes the connection and retries; gate errors are the gate's responsibility to handle before returning.
func NewGatingListener (added in v0.61.0)
NewGatingListener creates a GatingListener that applies gate to every accepted connection. gate must be safe for concurrent use if Accept is called concurrently (in practice net.Listener.Accept is typically called from a single goroutine).
type Listener
Listener is a network listener that enforces an Authoriser on all incoming connections.
func NewListener (added in v0.61.0)
NewListener creates a Listener that gates incoming connections via the given Authoriser.
func (*Listener) Accept
Accept waits for and returns the next connection that passes the Authoriser. Rejected connections are closed; the loop retries until an authorised connection arrives.
type NetworkACL
type NetworkACL struct {
	AllowByDefault bool
	// contains filtered or unexported fields
}
NetworkACL describes network-based access control rules.
func NewNetworkACL
func NewNetworkACL(cfg NetworkACLConfig) (*NetworkACL, error)
NewNetworkACL creates a new NetworkACL from the provided configuration.
func (*NetworkACL) Allow
func (a *NetworkACL) Allow(n *net.IPNet)
Allow adds a network to the allow list.
func (*NetworkACL) AllowFromString
func (a *NetworkACL) AllowFromString(n string) error
AllowFromString parses a network string and adds it to the allow list.
func (*NetworkACL) Authorise
func (a *NetworkACL) Authorise(addr *net.TCPAddr) bool
Authorise checks whether the provided TCP address is authorised. When both allow and deny lists are present, the allow list is evaluated first, but a matching deny rule overrides it: an IP that is in the allow list and also matches a deny rule is denied. This allows denying subsets of allowed CIDR ranges.
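The evaluation order described above, including the deny-overrides-allow case and the AllowByDefault fallback, written out as a small stand-alone Go type. This is an added illustration, not the authz package's own code; the names NetACL, NewNetACL, parseCIDRs and anyContains are invented here.

```go
package main
import "net"
// NetACL is an added illustration of the documented authz.NetworkACL order, not the package's code.
type NetACL struct {
	AllowByDefault bool
	allow, deny    []*net.IPNet
}
// parseCIDRs rejects any malformed entry so a typo cannot silently change the policy.
func parseCIDRs(list []string) ([]*net.IPNet, error) {
	var out []*net.IPNet
	for _, s := range list {
		_, n, err := net.ParseCIDR(s) // the error text already names the offending entry
		if err != nil {
			return nil, err
		}
		out = append(out, n)
	}
	return out, nil
}
// NewNetACL mirrors NetworkACLConfig: allow list, deny list, default verdict.
func NewNetACL(allow, deny []string, allowByDefault bool) (*NetACL, error) {
	a := &NetACL{AllowByDefault: allowByDefault}
	var err error
	if a.allow, err = parseCIDRs(allow); err != nil {
		return nil, err
	}
	if a.deny, err = parseCIDRs(deny); err != nil {
		return nil, err
	}
	return a, nil
}
func anyContains(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
// Authorise: deny always wins, even inside an allowed range; then allow permits; else AllowByDefault.
func (a *NetACL) Authorise(addr *net.TCPAddr) bool {
	if addr == nil || addr.IP == nil {
		return false // fail closed on a missing or unparseable peer address
	}
	if anyContains(a.deny, addr.IP) {
		return false
	}
	return anyContains(a.allow, addr.IP) || a.AllowByDefault
}
```

With allow 10.0.0.0/8 and deny 10.1.0.0/16, 10.2.3.4 passes while 10.1.9.9 is refused, and with AllowByDefault set to false any unlisted address is refused as well.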
func (*NetworkACL) AuthoriseConn
func (a *NetworkACL) AuthoriseConn(c net.Conn) (bool, error)
AuthoriseConn checks if the provided connection is authorised.
func (*NetworkACL) AuthoriseFromString
func (a *NetworkACL) AuthoriseFromString(addr string) (bool, error)
AuthoriseFromString checks if the provided address string is authorised.
func (*NetworkACL) Deny
func (a *NetworkACL) Deny(net *net.IPNet)
Deny adds a network to the deny list.
func (*NetworkACL) DenyFromString
func (a *NetworkACL) DenyFromString(n string) error
DenyFromString parses a network string and adds it to the deny list.
type NetworkACLConfig
type NetworkACLConfig struct {
	AllowedNets    []string `json:"allow,omitzero" mapstructure:"allow"`
	DeniedNets     []string `json:"deny,omitzero" mapstructure:"deny"`
	AllowByDefault bool     `json:"allow_by_default" mapstructure:"allow-by-default"`
}
NetworkACLConfig describes the configuration for network-based access control.
type PrincipalACLConfig
type PrincipalACLConfig struct {
	AllowList []string `mapstructure:"allow-list"`
	DenyList  []string `mapstructure:"deny-list"`
}
PrincipalACLConfig describes the configuration for principal-based access control.
Source Files
Directories
| Path | Synopsis |
|---|---|
| prefixlist | Package prefixlist provides utilities for fetching and managing IP prefix lists from various cloud providers. |