authz

package
Published: Dec 15, 2025 License: MPL-2.0 Imports: 7 Imported by: 0


Overview

Package authz handles all things authorization, policing who (subjects) can do what (actions) on what (resources).

Index

Constants

This section is empty.

Variables

// Built-in roles. The set of actions each role permits is unexported; inspect
// it with Role.IsAllowed, and resolve a workspace role by name with
// WorkspaceRoleFromString.
var (
	// OrganizationMinPermissions are permissions granted to all team
	// members within an organization.
	OrganizationMinPermissions = Role{
								// contains filtered or unexported fields
	}

	// WorkspaceReadRole is scoped to a workspace and permits read-only actions
	// on the workspace.
	WorkspaceReadRole = Role{
						// contains filtered or unexported fields
	}

	// WorkspacePlanRole is scoped to a workspace and permits creating plans on
	// the workspace.
	WorkspacePlanRole = Role{
						// contains filtered or unexported fields
	}

	// WorkspaceWriteRole is scoped to a workspace and permits write actions on
	// the workspace.
	WorkspaceWriteRole = Role{
						// contains filtered or unexported fields
	}

	// WorkspaceAdminRole is scoped to a workspace and permits management of the
	// workspace.
	WorkspaceAdminRole = Role{
						// contains filtered or unexported fields
	}

	// WorkspaceManagerRole is scoped to an organization and permits management
	// of workspaces.
	WorkspaceManagerRole = Role{
							// contains filtered or unexported fields
	}

	// VCSManagerRole is scoped to an organization and permits management of VCS
	// providers.
	VCSManagerRole = Role{
					// contains filtered or unexported fields
	}

	// RegistryManagerRole is scoped to an organization and permits management
	// of the registry of modules and providers.
	RegistryManagerRole = Role{
						// contains filtered or unexported fields
	}
)

Functions

func AddSkipAuthz

func AddSkipAuthz(ctx context.Context) context.Context

AddSkipAuthz adds to the context an instruction to skip authorization; authorizers should obey this instruction by consulting SkipAuthz. A context carrying this instruction causes every authorizer that honours it to grant the request, so it must only be created on trusted, internally initiated code paths — never for a context that serves an untrusted caller's request — and should be propagated no further than the work that needs it.

func AddSubjectToContext

func AddSubjectToContext(ctx context.Context, subj Subject) context.Context

AddSubjectToContext adds a subject to a context. This is the subject that SubjectFromContext later returns and that Authorize evaluates, so only a subject that has already been authenticated should be attached.

func NewAllowAllAuthorizer

// NewAllowAllAuthorizer returns an authorizer that, as its name states, permits
// every request. NOTE(review): its return type is unexported and the package
// exposes Interface specifically so the authorizer can be swapped out in tests,
// so this reads as a test fixture — confirm it is never wired into a production
// service.
func NewAllowAllAuthorizer() *allowAllAuthorizer

func SkipAuthz

func SkipAuthz(ctx context.Context) bool

SkipAuthz reports whether the context contains an instruction to skip authorization, i.e. whether it derives from a context returned by AddSkipAuthz.

Types

type Action

// Action identifies an action a subject carries out on a resource for
// authorization purposes. Values are assigned by iota in the const block below
// and are therefore positional (see the note there).
type Action int

Action identifies an action a subject carries out on a resource for authorization purposes.

// NOTE(review): Action values are assigned positionally by iota. Inserting,
// removing or reordering an entry renumbers every entry after it, so only
// append new actions at the end of the block, and never persist or transmit
// the integer value of an Action (use String() for anything durable).
const (
	WatchAction Action = iota
	CreateOrganizationAction
	UpdateOrganizationAction
	GetOrganizationAction
	ListOrganizationsAction
	GetEntitlementsAction
	DeleteOrganizationAction

	CreateVCSProviderAction
	GetVCSProviderAction
	ListVCSProvidersAction
	DeleteVCSProviderAction

	CreateAgentPoolAction
	UpdateAgentPoolAction
	ListAgentPoolsAction
	GetAgentPoolAction
	DeleteAgentPoolAction

	CreateAgentTokenAction
	ListAgentTokensAction
	GetAgentTokenAction
	DeleteAgentTokenAction

	ListRunnersAction
	WatchRunnersAction

	CreateOrganizationTokenAction
	DeleteOrganizationTokenAction

	CreateRunTokenAction

	CreateTeamTokenAction
	GetTeamTokenAction
	DeleteTeamTokenAction

	CreateModuleAction
	CreateModuleVersionAction
	UpdateModuleAction
	ListModulesAction
	GetModuleAction
	DeleteModuleAction
	DeleteModuleVersionAction

	CreateWorkspaceVariableAction
	UpdateWorkspaceVariableAction
	ListWorkspaceVariablesAction
	GetWorkspaceVariableAction
	DeleteWorkspaceVariableAction

	CreateVariableSetAction
	UpdateVariableSetAction
	ListVariableSetsAction
	GetVariableSetAction
	DeleteVariableSetAction

	CreateVariableSetVariableAction
	UpdateVariableSetVariableAction
	GetVariableSetVariableAction
	DeleteVariableSetVariableAction

	AddVariableToSetAction
	RemoveVariableFromSetAction

	ApplyVariableSetToWorkspacesAction
	DeleteVariableSetFromWorkspacesAction

	GetRunAction
	ListRunsAction
	ApplyRunAction
	CreateRunAction
	DiscardRunAction
	DeleteRunAction
	CancelRunAction
	ForceCancelRunAction
	EnqueuePlanAction
	PutChunkAction
	TailLogsAction

	GetPlanFileAction
	UploadPlanFileAction

	GetLockFileAction
	UploadLockFileAction

	ListWorkspacesAction
	GetWorkspaceAction
	CreateWorkspaceAction
	DeleteWorkspaceAction
	SetWorkspacePermissionAction
	UnsetWorkspacePermissionAction
	UpdateWorkspaceAction

	ListTagsAction
	DeleteTagsAction
	TagWorkspacesAction
	AddTagsAction
	RemoveTagsAction
	// ListWorkspaceTags lacks the "Action" suffix every other constant carries.
	// It is kept as-is because renaming an exported identifier would break
	// callers; a suffixed alias could be added without renumbering.
	ListWorkspaceTags

	LockWorkspaceAction
	UnlockWorkspaceAction
	ForceUnlockWorkspaceAction

	CreateStateVersionAction
	ListStateVersionsAction
	GetStateVersionAction
	DeleteStateVersionAction
	RollbackStateVersionAction
	UploadStateAction
	DownloadStateAction
	GetStateVersionOutputAction

	CreateConfigurationVersionAction
	ListConfigurationVersionsAction
	GetConfigurationVersionAction
	DownloadConfigurationVersionAction
	DeleteConfigurationVersionAction

	CreateUserAction
	UpdateUserAction
	ListUsersAction
	GetUserAction
	DeleteUserAction

	CreateTeamAction
	UpdateTeamAction
	GetTeamAction
	ListTeamsAction
	DeleteTeamAction
	AddTeamMembershipAction
	RemoveTeamMembershipAction

	CreateNotificationConfigurationAction
	UpdateNotificationConfigurationAction
	ListNotificationConfigurationsAction
	GetNotificationConfigurationAction
	DeleteNotificationConfigurationAction

	CreateGithubAppAction
	UpdateGithubAppAction
	GetGithubAppAction
	ListGithubAppsAction
	DeleteGithubAppAction
	CreateGithubAppInstallAction
	DeleteGithubAppInstallAction
)

func (Action) String

func (i Action) String() string

type Authorizer

// Authorizer intermediates authorization between subjects (entities requesting
// access) and resources (the entities to which access is being requested).
// Construct it with NewAuthorizer.
type Authorizer struct {
	// Logger is used, among other things, to log unauthorized errors (see
	// WithoutErrorLogging).
	logr.Logger
	// WorkspacePolicyGetter retrieves a workspace's policy by ID; presumably
	// used to populate Request.WorkspacePolicy for workspace-scoped requests —
	// confirm against Authorize. It is an exported embedded field, so any
	// holder of the *Authorizer can replace it; set it once at construction and
	// do not mutate it while requests are being authorized.
	WorkspacePolicyGetter
	// contains filtered or unexported fields
}

Authorizer intermediates authorization between subjects (entities requesting access) and resources (the entities to which access is being requested).

func NewAuthorizer

func NewAuthorizer(logger logr.Logger) *Authorizer

func (*Authorizer) Authorize

func (a *Authorizer) Authorize(ctx context.Context, action Action, resourceID resource.ID, opts ...CanAccessOption) (Subject, error)

Authorize determines whether the subject can carry out an action on a resource, returning the subject on success and an error otherwise. The subject is expected to be contained within the context (see AddSubjectToContext). If resourceID is nil then the request is treated as a request for access to the entire site (the highest level).

func (*Authorizer) CanAccess

func (a *Authorizer) CanAccess(ctx context.Context, action Action, id resource.ID) bool

CanAccess is a helper that boils an access request down to a true/false decision; any error encountered (including an unauthorized error) is interpreted as false, so the helper fails closed.

func (*Authorizer) RegisterParentResolver added in v0.3.17

func (a *Authorizer) RegisterParentResolver(kind resource.Kind, resolver ParentResolver)

RegisterParentResolver registers with the authorizer a means of resolving the parent of a resource of the given kind. Parent resolution presumably determines which organization or workspace a resource's permissions are evaluated against (compare Request.Organization and Request.Workspace), so a resolver must be authoritative for its kind and return an error, rather than a guess, when the parent cannot be determined.

type CanAccessOption

// CanAccessOption adjusts a single Authorize call; WithoutErrorLogging is the
// option this package provides.
type CanAccessOption func(*canAccessConfig)

func WithoutErrorLogging

func WithoutErrorLogging() CanAccessOption

WithoutErrorLogging disables logging an unauthorized error. This is useful when merely probing whether a user can do something (for example to decide what to show in a UI). Because it suppresses a signal that is valuable for security auditing, it should not be applied on the path that actually enforces access.

type Interface

// Interface is the subset of Authorizer that services depend on, so that the
// authorizer can be swapped out in tests.
type Interface interface {
	// Authorize reports whether the subject held in ctx may carry out action on
	// the resource identified by id, returning the subject on success and an
	// error otherwise.
	Authorize(ctx context.Context, action Action, id resource.ID, opts ...CanAccessOption) (Subject, error)
	// CanAccess reduces the same check to a boolean; any error, including an
	// unauthorized one, is interpreted as false (fail closed).
	CanAccess(ctx context.Context, action Action, id resource.ID) bool
}

Interface is the contract that services depend on, so that the authorizer can be swapped out in tests.

type ParentResolver added in v0.3.17

// ParentResolver returns the ID of the parent of the resource identified by id,
// or an error if it cannot be determined. Register one per resource kind with
// Authorizer.RegisterParentResolver.
type ParentResolver func(ctx context.Context, id resource.ID) (resource.ID, error)

type Request added in v0.3.17

// Request describes a single authorization request: the resource being
// accessed and, where applicable, the workspace policy to check it against.
type Request struct {
	// ID of resource to which access is being requested.
	resource.ID
	// WorkspacePolicy provides a means of checking workspace-specific
	// permissions for the resource specified by the ID above. If this is nil
	// then the resource is not a workspace or does not belong to a workspace.
	WorkspacePolicy WorkspacePolicy
	// contains filtered or unexported fields
}

Request for authorization.

func (Request) Organization added in v0.3.17

func (r Request) Organization() resource.ID

Organization identifies the organization that the requested resource belongs to, or the organization itself if access to an organization is being requested.

func (Request) Workspace added in v0.3.17

func (r Request) Workspace() resource.ID

Workspace identifies the workspace that the requested resource belongs to, or the workspace itself if access to a workspace is being requested.

type Role

// Role is a set of permitted actions. Its contents are unexported; query it
// with IsAllowed, and obtain a workspace role by name with
// WorkspaceRoleFromString.
type Role struct {
	// contains filtered or unexported fields
}

Role is a set of permitted actions; IsAllowed reports whether a given action belongs to the set.

func WorkspaceRoleFromString

func WorkspaceRoleFromString(role string) (Role, error)

func (Role) IsAllowed

func (r Role) IsAllowed(action Action) bool

func (Role) String

func (r Role) String() string

type Subject

// Subject is an entity that carries out actions on resources. Superuser is the
// one implementation defined in this package; others are attached to a context
// by callers via AddSubjectToContext.
type Subject interface {
	// CanAccess reports whether this subject may carry out action on the
	// resource described by req. It is the subject's own permission check;
	// presumably the Authorizer consults it after locating the subject in the
	// context — confirm against Authorize.
	CanAccess(action Action, req Request) bool
	// String names the subject, presumably for log output.
	String() string
}

Subject is an entity that carries out actions on resources.

func SubjectFromContext

func SubjectFromContext(ctx context.Context) (Subject, error)

SubjectFromContext retrieves the subject previously added with AddSubjectToContext. Callers must check the returned error rather than assume a subject is present.

type Superuser

// Superuser is a subject with unlimited privileges: its CanAccess admits every
// action on every resource. Only trusted, internal code paths should construct
// one, and a Superuser must never be attached to a context that serves an
// untrusted caller's request.
type Superuser struct {
	// Username identifies the superuser; presumably what String() reports.
	Username string
}

Superuser is a subject with unlimited privileges: its CanAccess admits every action on every resource, so only trusted, internal code paths should construct one.

func (*Superuser) CanAccess

func (*Superuser) CanAccess(Action, Request) bool

func (*Superuser) String

func (s *Superuser) String() string

type WorkspacePolicy

// WorkspacePolicy checks whether a subject is permitted to carry out an action
// on a workspace.
type WorkspacePolicy interface {
	// Check reports whether the subject identified by its resource ID (not a
	// Subject value) may carry out action on the workspace this policy
	// belongs to.
	Check(subject resource.ID, action Action) bool
}

WorkspacePolicy checks whether a subject — identified by its resource ID rather than a Subject value — is permitted to carry out an action on a workspace.

type WorkspacePolicyGetter

// WorkspacePolicyGetter retrieves the policy of the workspace identified by
// workspaceID, or an error if it cannot be obtained.
type WorkspacePolicyGetter func(ctx context.Context, workspaceID resource.ID) (WorkspacePolicy, error)

WorkspacePolicyGetter retrieves a workspace's policy.
