Variables ¶
// Sentinel errors shared by the policy administration (PAP) and decision
// (PDP) APIs. Match them with errors.Is so wrapped errors still compare.
var (
	// ErrAuthzDisabled reports that authorization is switched off, which
	// makes policy management unavailable.
	ErrAuthzDisabled = fmt.Errorf("authorization is disabled - policy management operations are not available")
	// ErrRoleAlreadyExists reports a role name that is already taken.
	ErrRoleAlreadyExists = fmt.Errorf("role already exists")
	// ErrRoleNotFound reports a role name that does not exist.
	ErrRoleNotFound = fmt.Errorf("role not found")
	// ErrRolePolicyMappingAlreadyExists reports a mapping that is already stored.
	ErrRolePolicyMappingAlreadyExists = fmt.Errorf("role policy mapping already exists")
	// ErrRolePolicyMappingNotFound reports a mapping that is not stored.
	ErrRolePolicyMappingNotFound = fmt.Errorf("role policy mapping not found")
	// ErrInvalidRequest reports a request that failed validation.
	ErrInvalidRequest = fmt.Errorf("invalid request")
)
Types ¶
type BatchEvaluateRequest ¶
// BatchEvaluateRequest bundles several authorization requests so they can be
// evaluated in a single PDP.BatchEvaluate call.
type BatchEvaluateRequest struct {
	// Requests are the individual requests to evaluate. The tag has no
	// omitempty, so a nil slice is encoded as JSON null rather than [].
	Requests []EvaluateRequest `json:"requests"`
}
BatchEvaluateRequest represents a batch of authorization requests
type BatchEvaluateResponse ¶
// BatchEvaluateResponse carries the decisions produced for a
// BatchEvaluateRequest.
type BatchEvaluateResponse struct {
	// Decisions are the per-request outcomes. Presumably they are in the
	// same order as BatchEvaluateRequest.Requests — confirm against the
	// implementation. A nil slice is encoded as JSON null.
	Decisions []Decision `json:"decisions"`
}
BatchEvaluateResponse represents a batch of authorization decisions
type Decision ¶
// Decision is the outcome of evaluating one EvaluateRequest.
//
// The zero value is a denial: Decision is false and Context is nil, so an
// uninitialized or partially built response never grants access.
type Decision struct {
	// Decision is true when the request is permitted and false otherwise.
	Decision bool `json:"decision"`
	// Context optionally explains the decision; it is dropped from the JSON
	// when nil.
	Context *DecisionContext `json:"context,omitempty"`
}
Decision represents the authorization decision response
type DecisionContext ¶
// DecisionContext holds supplementary information about a Decision.
type DecisionContext struct {
	// Reason is a free-text explanation of the decision, if the
	// implementation supplies one; an empty value is omitted from JSON.
	Reason string `json:"reason,omitempty"`
}
DecisionContext contains additional context about the decision
type EvaluateRequest ¶
// EvaluateRequest asks whether Subject may perform Action on Resource.
type EvaluateRequest struct {
	// Subject is the actor making the request.
	Subject Subject `json:"subject"`
	// Resource is the target of the action.
	Resource Resource `json:"resource"`
	// Action names the operation being attempted.
	Action string `json:"action"`
	// Context is this package's own Context type (not context.Context);
	// it carries additional request attributes.
	Context Context `json:"context"`
}
EvaluateRequest represents a single authorization request
type PAP ¶
// PAP (Policy Administration Point) is the contract for managing roles, the
// actions they permit, and the entitlement mappings that bind a role to a
// resource-hierarchy scope.
//
// None of these signatures identifies the caller — there is no Subject
// parameter — so authenticating and authorizing the administrator has to
// happen before a PAP method is invoked. Which sentinel errors (for example
// ErrRoleNotFound or ErrAuthzDisabled) an implementation returns is not fixed
// by this interface; confirm against the concrete implementation.
type PAP interface {
	// Roles.

	// GetRole looks up a role by name.
	GetRole(ctx context.Context, roleName string) (*Role, error)
	// ListRoles returns every defined role.
	ListRoles(ctx context.Context) ([]*Role, error)
	// AddRole creates a role from its name and permitted actions.
	AddRole(ctx context.Context, role *Role) error
	// RemoveRole deletes the named role.
	RemoveRole(ctx context.Context, roleName string) error

	// Role-entitlement mappings.

	// GetRoleMappings returns the entitlement mappings of one role.
	GetRoleMappings(ctx context.Context, roleName string) ([]*RoleEntitlementMapping, error)
	// ListRoleEntitlementMappings returns every mapping in the system.
	ListRoleEntitlementMappings(ctx context.Context) ([]*RoleEntitlementMapping, error)
	// AddRoleEntitlementMapping stores a mapping; its Context field may carry
	// optional conditions.
	AddRoleEntitlementMapping(ctx context.Context, mapping *RoleEntitlementMapping) error
	// RemoveRoleEntitlementMapping deletes the given mapping.
	RemoveRoleEntitlementMapping(ctx context.Context, mapping *RoleEntitlementMapping) error

	// Actions.

	// ListActions returns every action defined in the system.
	ListActions(ctx context.Context) ([]string, error)
}
PAP (Policy Administration Point) interface defines the contract for policy management
type PDP ¶
// PDP (Policy Decision Point) is the contract for answering authorization
// questions.
//
// When a method returns a non-nil error the accompanying result is not
// meaningful; callers should treat an error as a denial rather than inspect
// the partial value. The Subject in each request carries a raw JWT — the
// implementation is presumably responsible for validating it, as nothing in
// this interface does so; confirm before relying on it.
type PDP interface {
	// Evaluate answers a single authorization request.
	Evaluate(ctx context.Context, request *EvaluateRequest) (*Decision, error)
	// BatchEvaluate answers several requests at once.
	BatchEvaluate(ctx context.Context, request *BatchEvaluateRequest) (*BatchEvaluateResponse, error)
	// GetSubjectProfile returns the actions a subject can perform across a
	// resource-hierarchy scope, as a tree.
	GetSubjectProfile(ctx context.Context, request *ProfileRequest) (*SubjectProfile, error)
}
PDP (Policy Decision Point) interface defines the contract for authorization evaluation
type PolicyEffectType ¶
// PolicyEffectType is the effect of a RoleEntitlementMapping: whether the
// mapped role's actions are granted ("allow") or withheld ("deny") within
// the mapping's scope.
type PolicyEffectType string

// The defined policy effects. The type is a plain string, so any other value
// can be constructed; how an implementation treats an unknown effect is not
// specified here.
const (
	// PolicyEffectAllow grants the role's actions.
	PolicyEffectAllow PolicyEffectType = "allow"
	// PolicyEffectDeny withholds the role's actions.
	PolicyEffectDeny PolicyEffectType = "deny"
)
type ProfileRequest ¶
// ProfileRequest asks for a subject's authorization profile within a scope.
type ProfileRequest struct {
	// Subject is the actor whose profile is requested.
	Subject Subject `json:"subject"`
	// Scope bounds the resource hierarchy the profile is computed for.
	Scope ResourceHierarchy `json:"scope"`
}
ProfileRequest represents a request to retrieve a subject's authorization profile
type ProfileResourceNode ¶
// ProfileResourceNode is one node of the resource-hierarchy tree returned in
// a SubjectProfile. A node with no Children is a leaf.
type ProfileResourceNode struct {
	// Type is the resource type, e.g. org, ou, project or component.
	Type string `json:"type"`
	// ID uniquely identifies the resource.
	ID string `json:"id"`
	// Actions are the actions the subject may perform at this node; an
	// empty list is omitted from JSON.
	Actions []string `json:"actions,omitempty"`
	// Children are the nodes below this one; omitted from JSON when empty.
	Children []ProfileResourceNode `json:"children,omitempty"`
}
ProfileResourceNode represents a node in the resource hierarchy tree
type Resource ¶
// Resource is the target of an authorization request.
type Resource struct {
	// Type is the resource type.
	Type string `json:"type"`
	// ID identifies the specific resource; optional, omitted when empty.
	ID string `json:"id,omitempty"`
	// Hierarchy places the resource in the organization hierarchy.
	Hierarchy ResourceHierarchy `json:"hierarchy"`
}
Resource represents a resource in the authorization request
type ResourceHierarchy ¶
// ResourceHierarchy locates a resource within the organization,
// organization-unit, project and component levels. Every field is optional
// and dropped from JSON when empty, so the zero value encodes as {}.
type ResourceHierarchy struct {
	// Organization is the top-level organization.
	Organization string `json:"organization,omitempty"`
	// OrganizationUnits are the organization units beneath it.
	OrganizationUnits []string `json:"organization_units,omitempty"`
	// Project is the project within the organization.
	Project string `json:"project,omitempty"`
	// Component is the component within the project.
	Component string `json:"component,omitempty"`
}
ResourceHierarchy represents a single item in a resource hierarchy
type Role ¶
// Role names a set of permitted actions.
type Role struct {
	// Name uniquely identifies the role.
	Name string `json:"name"`
	// Actions are the actions the role permits. The tag has no omitempty,
	// so a nil slice is encoded as JSON null rather than [].
	Actions []string `json:"actions"`
}
Role represents a role with a set of allowed actions
type RoleEntitlementMapping ¶
// RoleEntitlementMapping assigns a role to an entitlement (for example a
// group) within a resource-hierarchy scope, with an allow or deny effect.
type RoleEntitlementMapping struct {
	// RoleName is the role being assigned.
	RoleName string `json:"role_name"`
	// EntitlementValue identifies the entitlement, e.g. a group name.
	EntitlementValue string `json:"entitlement_value"`
	// Hierarchy is the scope in which the role applies.
	Hierarchy ResourceHierarchy `json:"hierarchy"`
	// Effect is PolicyEffectAllow or PolicyEffectDeny.
	Effect PolicyEffectType `json:"effect"`
	// Context holds optional extra metadata for the mapping. This is the
	// package's own Context type, not context.Context.
	Context Context `json:"context"`
}
RoleEntitlementMapping represents the assignment of a role to an entitlement within a hierarchical scope
type Subject ¶
// Subject identifies the actor making an authorization request.
//
// JwtToken is a bearer credential: anyone holding the raw value can present
// it, so keep Subject values out of logs, traces and error messages.
type Subject struct {
	// JwtToken is the subject's JWT, passed through as-is.
	JwtToken string `json:"jwt_token"`
}
Subject represents the actor making the authorization request
type SubjectContext ¶
// SubjectContext is the internal auth context derived for a subject. It has
// no JSON tags and is not part of the request/response wire format.
//
// NOTE: this is expected to move to the subject extraction layer later.
type SubjectContext struct {
	// Type says whether the subject is a user or a service account.
	Type SubjectType
	// EntitlementClaim names the claim the entitlements were read from.
	EntitlementClaim string
	// EntitlementValues are the entitlement values found for the subject.
	EntitlementValues []string
}
SubjectContext is the internal auth context for the subject. NOTE: this needs to be moved to the subject extraction layer later.
type SubjectProfile ¶
// SubjectProfile is the response to a ProfileRequest: the resource-hierarchy
// tree annotated with the actions the subject may perform at each node.
type SubjectProfile struct {
	// Hierarchy is the root of the tree.
	Hierarchy ProfileResourceNode `json:"hierarchy"`
}
SubjectProfile represents the authorization profile response with resource hierarchy tree
type SubjectType ¶
// SubjectType classifies the actor behind an authorization request.
type SubjectType string

// The defined subject types. SubjectType is a plain string, so other values
// can be constructed; their handling is up to the implementation.
const (
	// SubjectTypeUser is a human user.
	SubjectTypeUser SubjectType = "user"
	// SubjectTypeServiceAccount is a non-human service identity.
	SubjectTypeServiceAccount SubjectType = "service_account"
)