scope

package
Published: Apr 23, 2026 License: GPL-3.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CreateExclusionInput

// CreateExclusionInput is the input for creating a scope exclusion.
// Field constraints are expressed as `validate` struct tags; anything not
// covered by a tag (e.g. the format of Pattern or the allowed ExclusionType
// values) is not enforced at this layer.
type CreateExclusionInput struct {
	// TenantID is the owning tenant; required and must be a UUID.
	TenantID      string     `validate:"required,uuid"`
	// ExclusionType is required, but no allowed-value set is declared here
	// (contrast RuleType in CreateRuleInput) — confirm it is checked downstream.
	ExclusionType string     `validate:"required"`
	// Pattern is what gets excluded; bounded to 500 chars, format not constrained by the tag.
	Pattern       string     `validate:"required,max=500"`
	// Reason is a mandatory justification for the exclusion (audit trail).
	Reason        string     `validate:"required,max=1000"`
	// ExpiresAt is optional; nil presumably means the exclusion never expires
	// (see Service.ExpireOldExclusions) — confirm.
	ExpiresAt     *time.Time `validate:"omitempty"`
	// CreatedBy is the actor recording the exclusion; optional.
	CreatedBy     string     `validate:"max=200"`
}

CreateExclusionInput represents the input for creating a scope exclusion.

type CreateRuleInput

// CreateRuleInput is the input for creating a scope rule on an access control group.
// GroupID and TenantID are tagged json:"-" so they cannot be supplied in a
// request body; presumably the handler fills them from the route and the
// authenticated context — confirm at the call site.
type CreateRuleInput struct {
	// GroupID is the access control group the rule belongs to; never read from the body.
	GroupID            string   `json:"-"`
	// TenantID is the owning tenant; never read from the body.
	TenantID           string   `json:"-"`
	Name               string   `json:"name" validate:"required,min=2,max=200"`
	Description        string   `json:"description" validate:"max=1000"`
	// RuleType is restricted to the closed set tag_match | asset_group_match.
	RuleType           string   `json:"rule_type" validate:"required,oneof=tag_match asset_group_match"`
	// MatchTags are the tags a tag_match rule looks for. No count or length
	// bound is declared here, unlike TargetTags in CreateScheduleInput
	// (max=20,dive,max=50) — confirm the service bounds it.
	MatchTags          []string `json:"match_tags"`
	// MatchLogic says how MatchTags combine (any | all); empty is accepted.
	MatchLogic         string   `json:"match_logic" validate:"omitempty,oneof=any all"`
	// MatchAssetGroupIDs are the asset groups an asset_group_match rule references.
	// Not uuid-validated here; cross-tenant ownership is the job of the
	// validator installed via RuleService.SetAssetGroupValidator.
	MatchAssetGroupIDs []string `json:"match_asset_group_ids"`
	OwnershipType      string   `json:"ownership_type" validate:"omitempty,oneof=primary secondary stakeholder informed"`
	// Priority has no range constraint, unlike Priority in CreateTargetInput (0..100).
	Priority           int      `json:"priority"`
}

CreateRuleInput represents the input for creating a scope rule.

type CreateScheduleInput

// CreateScheduleInput is the input for creating a scan schedule.
// Only the constraints visible in the `validate` tags are enforced at this
// layer; cron syntax, the ScanType/ScheduleType/TargetScope value sets and the
// contents of ScannerConfigs are not checked by the tags.
type CreateScheduleInput struct {
	// TenantID is the owning tenant; required and must be a UUID.
	TenantID             string                 `validate:"required,uuid"`
	Name                 string                 `validate:"required,min=1,max=200"`
	Description          string                 `validate:"max=1000"`
	// ScanType is required but has no declared allowed-value set — confirm it is checked downstream.
	ScanType             string                 `validate:"required"`
	TargetScope          string                 `validate:"omitempty"`
	// TargetIDs: at most 100 entries; the entries themselves are not validated as IDs here.
	TargetIDs            []string               `validate:"max=100"`
	// TargetTags: at most 20 entries, each at most 50 chars.
	TargetTags           []string               `validate:"max=20,dive,max=50"`
	// ScannerConfigs is free-form; only omitempty is declared, so its keys and
	// values are not validated at this layer — presumably handed to the scanner
	// as-is. Confirm where it is sanitised.
	ScannerConfigs       map[string]interface{} `validate:"omitempty"`
	// ScheduleType is required but has no declared allowed-value set — confirm downstream.
	ScheduleType         string                 `validate:"required"`
	// CronExpression is only length-bounded by the tag; its syntax is not validated here.
	CronExpression       string                 `validate:"max=100"`
	// IntervalHours is bounded to 0..8760 (one year of hours).
	IntervalHours        int                    `validate:"min=0,max=8760"`
	NotifyOnCompletion   bool
	NotifyOnFindings     bool
	// NotificationChannels: at most 10 entries, each at most 50 chars.
	NotificationChannels []string `validate:"max=10,dive,max=50"`
	// CreatedBy is the actor creating the schedule; optional.
	CreatedBy            string   `validate:"max=200"`
}

CreateScheduleInput represents the input for creating a scan schedule.

type CreateTargetInput

// CreateTargetInput is the input for creating a scope target.
// Pattern is length-bounded only; its format and the TargetType value set are
// not constrained by the tags — see Service.CheckPatternOverlaps for the
// (non-blocking) overlap check.
type CreateTargetInput struct {
	// TenantID is the owning tenant; required and must be a UUID.
	TenantID    string   `validate:"required,uuid"`
	// TargetType is required but has no declared allowed-value set — confirm it is checked downstream.
	TargetType  string   `validate:"required"`
	// Pattern is the in-scope pattern; at most 500 chars, format not constrained by the tag.
	Pattern     string   `validate:"required,max=500"`
	Description string   `validate:"max=1000"`
	// Priority is bounded to 0..100.
	Priority    int      `validate:"min=0,max=100"`
	// Tags: at most 20 entries, each at most 50 chars.
	Tags        []string `validate:"max=20,dive,max=50"`
	// CreatedBy is the actor creating the target; optional.
	CreatedBy   string   `validate:"max=200"`
}

CreateTargetInput represents the input for creating a scope target.

type ListExclusionsInput

// ListExclusionsInput is the filter/pagination input for Service.ListExclusions.
// NOTE(review): TenantID is omitempty, so an empty tenant passes validation;
// confirm the service or repository still scopes the query to the caller's
// tenant rather than listing across tenants.
type ListExclusionsInput struct {
	// TenantID, when set, must be a UUID.
	TenantID       string   `validate:"omitempty,uuid"`
	// ExclusionTypes: at most 20 filter values.
	ExclusionTypes []string `validate:"max=20"`
	// Statuses: at most 3 filter values.
	Statuses       []string `validate:"max=3"`
	// IsApproved is a pointer so that nil presumably means "no approval filter" — confirm.
	IsApproved     *bool
	// Search is a free-text filter, at most 255 chars; how it is matched is not visible here.
	Search         string `validate:"max=255"`
	// Page is zero-based or one-based? The tag only requires >= 0 — confirm against the repository.
	Page           int    `validate:"min=0"`
	// PerPage is capped at 100 by the tag.
	PerPage        int    `validate:"min=0,max=100"`
}

ListExclusionsInput represents the input for listing scope exclusions.

type ListSchedulesInput

// ListSchedulesInput is the filter/pagination input for Service.ListSchedules.
// NOTE(review): TenantID is omitempty, so an empty tenant passes validation;
// confirm the query is still scoped to the caller's tenant in the service/repository.
type ListSchedulesInput struct {
	// TenantID, when set, must be a UUID.
	TenantID      string   `validate:"omitempty,uuid"`
	// ScanTypes: at most 20 filter values.
	ScanTypes     []string `validate:"max=20"`
	// ScheduleTypes: at most 3 filter values.
	ScheduleTypes []string `validate:"max=3"`
	// Enabled is a pointer so that nil presumably means "no enabled filter" — confirm.
	Enabled       *bool
	// Search is a free-text filter, at most 255 chars.
	Search        string `validate:"max=255"`
	// Page must be >= 0; base (0 or 1) is not visible here.
	Page          int    `validate:"min=0"`
	// PerPage is capped at 100 by the tag.
	PerPage       int    `validate:"min=0,max=100"`
}

ListSchedulesInput represents the input for listing scan schedules.

type ListTargetsInput

// ListTargetsInput is the filter/pagination input for Service.ListTargets.
// NOTE(review): TenantID is omitempty, so an empty tenant passes validation;
// confirm the query is still scoped to the caller's tenant in the service/repository.
type ListTargetsInput struct {
	// TenantID, when set, must be a UUID.
	TenantID    string   `validate:"omitempty,uuid"`
	// TargetTypes: at most 20 filter values.
	TargetTypes []string `validate:"max=20"`
	// Statuses: at most 3 filter values.
	Statuses    []string `validate:"max=3"`
	// Tags: at most 20 entries, each at most 50 chars.
	Tags        []string `validate:"max=20,dive,max=50"`
	// Search is a free-text filter, at most 255 chars.
	Search      string   `validate:"max=255"`
	// Page must be >= 0; base (0 or 1) is not visible here.
	Page        int      `validate:"min=0"`
	// PerPage is capped at 100 by the tag.
	PerPage     int      `validate:"min=0,max=100"`
}

ListTargetsInput represents the input for listing scope targets.

type PreviewScopeRuleResult

// PreviewScopeRuleResult is returned by RuleService.PreviewScopeRule and
// describes the effect a rule would have without applying it.
type PreviewScopeRuleResult struct {
	RuleID          string `json:"rule_id"`
	RuleName        string `json:"rule_name"`
	// MatchingAssets is the number of assets the rule currently matches.
	MatchingAssets  int    `json:"matching_assets"`
	// AlreadyAssigned is the number of matching assets already in the group.
	AlreadyAssigned int    `json:"already_assigned"`
	// WouldAdd is the number of assets a reconcile would add; presumably
	// MatchingAssets - AlreadyAssigned, but that is not visible here.
	WouldAdd        int    `json:"would_add"`
}

PreviewScopeRuleResult shows what assets would be affected by a rule.

type ReconcileGroupResult

// ReconcileGroupResult summarises one RuleService.ReconcileGroup run.
type ReconcileGroupResult struct {
	// RulesEvaluated is the number of active rules considered.
	RulesEvaluated int `json:"rules_evaluated"`
	// AssetsAdded counts newly matching assets assigned to the group.
	AssetsAdded    int `json:"assets_added"`
	// AssetsRemoved counts stale auto-assignments dropped because they no longer match.
	AssetsRemoved  int `json:"assets_removed"`
}

ReconcileGroupResult shows the result of a reconciliation run.

type RuleBroadcaster

// RuleBroadcaster is the outbound hook RuleService uses to push scope-rule
// membership changes to connected UI clients (see SetBroadcaster).
type RuleBroadcaster interface {
	// BroadcastScopeChange publishes data on channel. tenantID is passed
	// alongside, presumably so the implementation can restrict delivery to
	// that tenant's subscribers — confirm in the WebSocket implementation.
	BroadcastScopeChange(channel string, data any, tenantID string)
}

RuleBroadcaster broadcasts scope rule membership change events via WebSocket.

type RuleEvaluatorFunc

// RuleEvaluatorFunc evaluates one asset against a tenant's scope rules; tags and
// assetGroupIDs are the asset's current tag set and asset-group memberships.
// RuleService.EvaluateAsset has exactly this signature.
type RuleEvaluatorFunc func(ctx context.Context, tenantID, assetID shared.ID, tags []string, assetGroupIDs []shared.ID) error

RuleEvaluatorFunc is the callback type for scope rule evaluation. Used by AssetService to trigger evaluation when asset tags change.

type RuleGroupReconcilerFunc

// RuleGroupReconcilerFunc is invoked when an asset group's membership changes.
// It returns nothing, so failures cannot be reported to the caller — presumably
// they are logged. RuleService.ReconcileByAssetGroup has exactly this signature.
type RuleGroupReconcilerFunc func(ctx context.Context, assetGroupID shared.ID)

RuleGroupReconcilerFunc is the callback type for asset group membership changes. Called when assets are added/removed from an asset group.

type RuleService

// RuleService implements scope-rule business operations (CRUD, evaluation and
// reconciliation). Construct it with NewRuleService; optional collaborators are
// attached afterwards via SetAssetGroupValidator and SetBroadcaster.
type RuleService struct {
	// contains filtered or unexported fields
}

RuleService handles scope rule business operations.

func NewRuleService

func NewRuleService(
	acRepo accesscontrol.Repository,
	groupRepo group.Repository,
	log *logger.Logger,
) *RuleService

NewRuleService creates a new RuleService.

func (*RuleService) CreateRule

func (s *RuleService) CreateRule(ctx context.Context, input CreateRuleInput, createdBy string) (*accesscontrol.ScopeRule, error)

CreateRule creates a new scope rule and runs initial reconciliation.

func (*RuleService) DeleteRule

func (s *RuleService) DeleteRule(ctx context.Context, tenantID, ruleID string) error

DeleteRule deletes a scope rule and removes its auto-assignments atomically.

func (*RuleService) EvaluateAsset

func (s *RuleService) EvaluateAsset(ctx context.Context, tenantID shared.ID, assetID shared.ID, tags []string, assetGroupIDs []shared.ID) error

EvaluateAsset evaluates all active scope rules in a tenant against a single asset. Called when an asset is created or its tags change. It both adds new matches and removes stale auto-assignments for groups that no longer match.

func (*RuleService) GetRule

func (s *RuleService) GetRule(ctx context.Context, tenantID, ruleID string) (*accesscontrol.ScopeRule, error)

GetRule retrieves a scope rule by ID with tenant isolation.

func (*RuleService) ListRules

func (s *RuleService) ListRules(ctx context.Context, tenantID, groupID string, filter accesscontrol.ScopeRuleFilter) ([]*accesscontrol.ScopeRule, int64, error)

ListRules lists scope rules for a group with tenant isolation.

func (*RuleService) PreviewScopeRule

func (s *RuleService) PreviewScopeRule(ctx context.Context, tenantID, ruleID string) (*PreviewScopeRuleResult, error)

PreviewScopeRule shows what assets would match a rule without applying changes.

func (*RuleService) ReconcileByAssetGroup

func (s *RuleService) ReconcileByAssetGroup(ctx context.Context, assetGroupID shared.ID)

ReconcileByAssetGroup finds all access control groups that have scope rules referencing the given asset group, and reconciles each one. Called when asset group membership changes (assets added/removed).

func (*RuleService) ReconcileGroup

func (s *RuleService) ReconcileGroup(ctx context.Context, tenantID, groupID string) (*ReconcileGroupResult, error)

ReconcileGroup re-evaluates all active scope rules for a group. It adds newly matching assets AND removes stale auto-assigned assets that no longer match.

func (*RuleService) ReconcileGroupByIDs

func (s *RuleService) ReconcileGroupByIDs(ctx context.Context, tenantID, groupID shared.ID) error

ReconcileGroupByIDs reconciles a group using parsed IDs (for use by background controller).

func (*RuleService) SetAssetGroupValidator

func (s *RuleService) SetAssetGroupValidator(v assetGroupValidator)

SetAssetGroupValidator sets the validator for cross-tenant asset group validation. The AccessControlRepository implements this interface.

func (*RuleService) SetBroadcaster

func (s *RuleService) SetBroadcaster(b RuleBroadcaster)

SetBroadcaster sets the WebSocket broadcaster for real-time UI updates.

func (*RuleService) UpdateRule

func (s *RuleService) UpdateRule(ctx context.Context, tenantID, ruleID string, input UpdateRuleInput) (*accesscontrol.ScopeRule, error)

UpdateRule updates an existing scope rule.

type Service

// Service implements scope configuration business operations over targets,
// exclusions and scan schedules. Construct it with NewService.
type Service struct {
	// contains filtered or unexported fields
}

Service handles scope configuration business operations.

func NewService

func NewService(
	targetRepo scopedom.TargetRepository,
	exclusionRepo scopedom.ExclusionRepository,
	scheduleRepo scopedom.ScheduleRepository,
	assetRepo asset.Repository,
	log *logger.Logger,
) *Service

NewService creates a new Service.

func (*Service) ActivateExclusion

func (s *Service) ActivateExclusion(ctx context.Context, exclusionID string, tenantID string) (*scopedom.Exclusion, error)

ActivateExclusion activates a scope exclusion.

func (*Service) ActivateTarget

func (s *Service) ActivateTarget(ctx context.Context, targetID string, tenantID string) (*scopedom.Target, error)

ActivateTarget activates a scope target.

func (*Service) ApproveExclusion

func (s *Service) ApproveExclusion(ctx context.Context, exclusionID string, tenantID string, approvedBy string) (*scopedom.Exclusion, error)

ApproveExclusion approves a scope exclusion.

func (*Service) CheckPatternOverlaps

func (s *Service) CheckPatternOverlaps(ctx context.Context, tenantID string, targetType string, pattern string) ([]string, error)

CheckPatternOverlaps checks if a new target pattern overlaps with existing patterns. Returns a list of warning messages describing the overlaps (non-blocking).

func (*Service) CheckScope

func (s *Service) CheckScope(ctx context.Context, tenantID string, assetType string, value string) (*scopedom.MatchResult, error)

CheckScope checks if an asset value is in scope.

func (*Service) CreateExclusion

func (s *Service) CreateExclusion(ctx context.Context, input CreateExclusionInput) (*scopedom.Exclusion, error)

CreateExclusion creates a new scope exclusion.

func (*Service) CreateSchedule

func (s *Service) CreateSchedule(ctx context.Context, input CreateScheduleInput) (*scopedom.Schedule, error)

CreateSchedule creates a new scan schedule.

func (*Service) CreateTarget

func (s *Service) CreateTarget(ctx context.Context, input CreateTargetInput) (*scopedom.Target, error)

CreateTarget creates a new scope target.

func (*Service) DeactivateExclusion

func (s *Service) DeactivateExclusion(ctx context.Context, exclusionID string, tenantID string) (*scopedom.Exclusion, error)

DeactivateExclusion deactivates a scope exclusion.

func (*Service) DeactivateTarget

func (s *Service) DeactivateTarget(ctx context.Context, targetID string, tenantID string) (*scopedom.Target, error)

DeactivateTarget deactivates a scope target.

func (*Service) DeleteExclusion

func (s *Service) DeleteExclusion(ctx context.Context, exclusionID string, tenantID string) error

DeleteExclusion deletes a scope exclusion by ID with atomic tenant verification.

func (*Service) DeleteSchedule

func (s *Service) DeleteSchedule(ctx context.Context, scheduleID string, tenantID string) error

DeleteSchedule deletes a scan schedule by ID with atomic tenant verification.

func (*Service) DeleteTarget

func (s *Service) DeleteTarget(ctx context.Context, targetID string, tenantID string) error

DeleteTarget deletes a scope target by ID with atomic tenant verification.

func (*Service) DisableSchedule

func (s *Service) DisableSchedule(ctx context.Context, scheduleID string, tenantID string) (*scopedom.Schedule, error)

DisableSchedule disables a scan schedule.

func (*Service) EnableSchedule

func (s *Service) EnableSchedule(ctx context.Context, scheduleID string, tenantID string) (*scopedom.Schedule, error)

EnableSchedule enables a scan schedule.

func (*Service) ExpireOldExclusions

func (s *Service) ExpireOldExclusions(ctx context.Context) error

ExpireOldExclusions marks expired exclusions as expired.

func (*Service) GetExclusion

func (s *Service) GetExclusion(ctx context.Context, tenantID string, exclusionID string) (*scopedom.Exclusion, error)

GetExclusion retrieves a scope exclusion by tenant ID and ID.

func (*Service) GetSchedule

func (s *Service) GetSchedule(ctx context.Context, tenantID string, scheduleID string) (*scopedom.Schedule, error)

GetSchedule retrieves a scan schedule by tenant ID and ID.

func (*Service) GetStats

func (s *Service) GetStats(ctx context.Context, tenantID string) (*scopedom.Stats, error)

GetStats retrieves scope configuration statistics for a tenant.

func (*Service) GetTarget

func (s *Service) GetTarget(ctx context.Context, tenantID string, targetID string) (*scopedom.Target, error)

GetTarget retrieves a scope target by tenant ID and ID.

func (*Service) ListActiveExclusions

func (s *Service) ListActiveExclusions(ctx context.Context, tenantID string) ([]*scopedom.Exclusion, error)

ListActiveExclusions retrieves all active scope exclusions for a tenant.

func (*Service) ListActiveTargets

func (s *Service) ListActiveTargets(ctx context.Context, tenantID string) ([]*scopedom.Target, error)

ListActiveTargets retrieves all active scope targets for a tenant.

func (*Service) ListDueSchedules

func (s *Service) ListDueSchedules(ctx context.Context) ([]*scopedom.Schedule, error)

ListDueSchedules retrieves all enabled schedules that are due to run.

func (*Service) ListExclusions

func (s *Service) ListExclusions(ctx context.Context, input ListExclusionsInput) (pagination.Result[*scopedom.Exclusion], error)

ListExclusions retrieves scope exclusions with filtering and pagination.

func (*Service) ListSchedules

func (s *Service) ListSchedules(ctx context.Context, input ListSchedulesInput) (pagination.Result[*scopedom.Schedule], error)

ListSchedules retrieves scan schedules with filtering and pagination.

func (*Service) ListTargets

func (s *Service) ListTargets(ctx context.Context, input ListTargetsInput) (pagination.Result[*scopedom.Target], error)

ListTargets retrieves scope targets with filtering and pagination.

func (*Service) RecordScheduleRun

func (s *Service) RecordScheduleRun(ctx context.Context, tenantID string, scheduleID string, status string, nextRunAt *time.Time) (*scopedom.Schedule, error)

RecordScheduleRun records a scan run for a schedule.

func (*Service) RunScheduleNow

func (s *Service) RunScheduleNow(ctx context.Context, scheduleID string, tenantID string) (*scopedom.Schedule, error)

RunScheduleNow triggers an immediate run of a scan schedule.

func (*Service) UpdateExclusion

func (s *Service) UpdateExclusion(ctx context.Context, exclusionID string, tenantID string, input UpdateExclusionInput) (*scopedom.Exclusion, error)

UpdateExclusion updates an existing scope exclusion.

func (*Service) UpdateSchedule

func (s *Service) UpdateSchedule(ctx context.Context, scheduleID string, tenantID string, input UpdateScheduleInput) (*scopedom.Schedule, error)

UpdateSchedule updates an existing scan schedule.

func (*Service) UpdateTarget

func (s *Service) UpdateTarget(ctx context.Context, targetID string, tenantID string, input UpdateTargetInput) (*scopedom.Target, error)

UpdateTarget updates an existing scope target.

type UpdateExclusionInput

// UpdateExclusionInput is the partial-update input for Service.UpdateExclusion.
// Both fields are pointers; nil presumably means "leave unchanged" — confirm in
// UpdateExclusion. Pattern and ExclusionType have no fields here, so they are
// not updatable through this input.
type UpdateExclusionInput struct {
	// Reason, when set, is at most 1000 chars.
	Reason    *string    `validate:"omitempty,max=1000"`
	// ExpiresAt, when set, replaces the expiry; nil vs "clear the expiry" is not distinguishable here.
	ExpiresAt *time.Time `validate:"omitempty"`
}

UpdateExclusionInput represents the input for updating a scope exclusion.

type UpdateRuleInput

// UpdateRuleInput is the partial-update input for RuleService.UpdateRule.
// Pointer fields: nil presumably means "leave unchanged" — confirm in UpdateRule.
// Tenant, group and rule identity are not part of the body; UpdateRule takes
// tenantID and ruleID as parameters. RuleType has no field here, so the rule's
// type apparently cannot be changed after creation.
type UpdateRuleInput struct {
	Name               *string  `json:"name" validate:"omitempty,min=2,max=200"`
	Description        *string  `json:"description" validate:"omitempty,max=1000"`
	// MatchTags is a plain slice, so "absent" (nil) and "clear the list" ([])
	// are only distinguishable by nil-ness; no count/length bound is declared
	// here (contrast TargetTags in UpdateScheduleInput) — confirm the service bounds it.
	MatchTags          []string `json:"match_tags"`
	MatchLogic         *string  `json:"match_logic" validate:"omitempty,oneof=any all"`
	// MatchAssetGroupIDs are not uuid-validated here; cross-tenant ownership is
	// the job of the validator installed via RuleService.SetAssetGroupValidator.
	MatchAssetGroupIDs []string `json:"match_asset_group_ids"`
	OwnershipType      *string  `json:"ownership_type" validate:"omitempty,oneof=primary secondary stakeholder informed"`
	// Priority has no range constraint, unlike Priority in UpdateTargetInput (0..100).
	Priority           *int     `json:"priority"`
	// IsActive toggles whether the rule participates in evaluation/reconciliation.
	IsActive           *bool    `json:"is_active"`
}

UpdateRuleInput represents the input for updating a scope rule.

type UpdateScheduleInput

// UpdateScheduleInput is the partial-update input for Service.UpdateSchedule.
// Pointer fields: nil presumably means "leave unchanged" — confirm in
// UpdateSchedule. Slice and map fields are omitempty, so an empty value is
// skipped by validation; whether nil means "unchanged" or "clear" for them is
// not visible here. ScanType has no field, so it is not updatable via this input.
type UpdateScheduleInput struct {
	Name                 *string                `validate:"omitempty,min=1,max=200"`
	Description          *string                `validate:"omitempty,max=1000"`
	TargetScope          *string                `validate:"omitempty"`
	// TargetIDs: at most 100 entries; entries not validated as IDs here.
	TargetIDs            []string               `validate:"omitempty,max=100"`
	// TargetTags: at most 20 entries, each at most 50 chars.
	TargetTags           []string               `validate:"omitempty,max=20,dive,max=50"`
	// ScannerConfigs is free-form and not validated at this layer — confirm where it is sanitised.
	ScannerConfigs       map[string]interface{} `validate:"omitempty"`
	// ScheduleType has no declared allowed-value set — confirm downstream.
	ScheduleType         *string                `validate:"omitempty"`
	// CronExpression is only length-bounded; syntax is not validated by the tag.
	CronExpression       *string                `validate:"omitempty,max=100"`
	// IntervalHours, when set, is bounded to 0..8760 (one year of hours).
	IntervalHours        *int                   `validate:"omitempty,min=0,max=8760"`
	NotifyOnCompletion   *bool
	NotifyOnFindings     *bool
	// NotificationChannels: at most 10 entries, each at most 50 chars.
	NotificationChannels []string `validate:"omitempty,max=10,dive,max=50"`
}

UpdateScheduleInput represents the input for updating a scan schedule.

type UpdateTargetInput

// UpdateTargetInput is the partial-update input for Service.UpdateTarget.
// Pointer fields: nil presumably means "leave unchanged" — confirm in
// UpdateTarget. Pattern and TargetType have no fields here, so the target's
// matching pattern cannot be changed through this input.
type UpdateTargetInput struct {
	Description *string  `validate:"omitempty,max=1000"`
	// Priority, when set, is bounded to 0..100.
	Priority    *int     `validate:"omitempty,min=0,max=100"`
	// Tags: at most 20 entries, each at most 50 chars; nil vs "clear the list" is not distinguishable from the tag alone.
	Tags        []string `validate:"omitempty,max=20,dive,max=50"`
}

UpdateTargetInput represents the input for updating a scope target.
