Constants ¶
// EmptyTenantID is the zero value of TenantID. It is the value a Request
// carries when no tenant could be attached; callers presumably compare
// against it before trusting a tenant-scoped decision (see ErrExtractTenantID
// and ErrWrongTenantID) — confirm in CheckAuthz.
const EmptyTenantID TenantID = ""
Variables ¶
// Package-level route tables consulted when an API call is authorized.
//
//   - RestrictionsByAPI maps an API identifier (a string; presumably the
//     route path, see Restricted.APIPath — confirm) to the resource type
//     and action the caller must hold.
//   - AllowListByAPI maps the same identifiers to Allowed entries (type not
//     shown on this page).
//
// NOTE(review): both maps are exported and mutable. They are safe only if
// they are fully populated during package initialisation and read-only
// afterwards; writes concurrent with request handling are a data race.
// NOTE(review): deny-by-default holds only if the lookup treats a missing
// RestrictionsByAPI entry as "deny", not as "unrestricted" — verify where
// these maps are consulted.
var (
	RestrictionsByAPI = map[string]Restricted{}
	AllowListByAPI    = map[string]Allowed{}
)
// Sentinel errors produced on the authorization path. Match them with
// errors.Is. Every one of them must be treated as a denial by callers
// (fail closed): an error while *deciding* is not a grant.
var (
	// Malformed or missing request.
	ErrInvalidRequest = errors.New("invalid request")
	ErrEmptyRequest   = errors.New("empty request")

	// Decision outcomes.
	ErrAuthorizationDecision = errors.New("authorization decision error")
	ErrAuthorizationDenied   = errors.New("authorization denied")
	// The tenant in the request does not match the tenant established from
	// the context — a cross-tenant attempt worth alerting on, not just logging.
	ErrWrongTenantID = errors.New("wrong tenant ID in request")

	// Failures while assembling the request from the incoming context.
	ErrExtractClientData  = errors.New("error extracting client data from context")
	ErrCreateAuthzRequest = errors.New("error creating authorization request")
	ErrExtractTenantID    = errors.New("error extracting tenant ID from context")
	// NOTE(review): overlaps in meaning with ErrAuthorizationDecision; the two
	// are distinct sentinels, so code that branches on one must also check
	// the other until they are unified.
	ErrAuthzDecision = errors.New("error making authorization decision")

	// Resource-type / action validation.
	ErrActionInvalid            = errors.New("action is invalid")
	ErrResourceTypeInvalid      = errors.New("resource type is invalid")
	ErrActionInvalidForResource = errors.New("action is invalid for resource type")
)
// Validation errors for the identity carried in a Request.
var (
	// ErrValidation is the generic validation failure.
	ErrValidation = errors.New("validation failed")
	// ErrUserEmpty is returned when the request carries no user; an
	// unauthenticated subject must never reach a policy match.
	ErrUserEmpty = errors.New("user is empty")
)
// APIResourceTypeActions lists, per API resource type, the actions that may
// legitimately be requested on it. It is the reference presumably used to
// produce ErrActionInvalidForResource — confirm in CheckAuthz.
//
// NOTE(review): APIResourceTypeEvent, APIResourceTypeImportParams and
// APIResourceTypeKeyStoreConfig are declared as resource types but have no
// entry here and no policy grants them. If the map is the validity check,
// requests on those types are rejected outright (safe); if it is not, they
// are simply unmapped — verify which.
// NOTE(review): KeyAdminPolicy (PolicyData) grants APIActionUpdate on
// APIResourceTypeSystem, but this table only allows read and ModifySystemLink
// for that type. Either the grant is dead or policies bypass this check; the
// two should agree.
var APIResourceTypeActions = map[APIResourceTypeName][]APIAction{
	APIResourceTypeKeyConfiguration: {
		APIActionRead,
		APIActionCreate,
		APIActionDelete,
		APIActionUpdate,
	},
	APIResourceTypeKey: {
		APIActionRead,
		APIActionCreate,
		APIActionDelete,
		APIActionUpdate,
		APIActionKeyRotate,
	},
	APIResourceTypeSystem: {
		APIActionRead,
		APIActionSystemModifyLink,
	},
	APIResourceTypeWorkFlow: {
		APIActionRead,
		APIActionCreate,
		APIActionDelete,
		APIActionUpdate,
	},
	APIResourceTypeTenantSettings: {
		APIActionRead,
		APIActionUpdate,
	},
	APIResourceTypeUserGroup: {
		APIActionRead,
		APIActionCreate,
		APIActionDelete,
		APIActionUpdate,
	},
	APIResourceTypeTenant: {
		APIActionRead,
		APIActionUpdate,
	},
}
// APIRolePolicies indexes API-level policies by role. It starts empty and is
// presumably filled from PolicyData during initialisation — confirm. Like the
// other package-level tables it is mutable: populate once, then treat as
// read-only, or policy lookups race with policy loading.
var APIRolePolicies = map[constants.Role][]BasePolicy[APIResourceTypeName, APIAction]{}
// ErrInvalidRole is returned when a role has no policy table entry. A
// subject with an unknown role must be denied, not granted an empty-but-
// passing policy set.
var ErrInvalidRole = errors.New("invalid role")
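// InfoAuthorizationPassed is the message logged when an authorization check
// allows a request. It is a constant: the original was a mutable exported
// package-level var, so any importer could reassign it and silently change
// what the authorization log reports. Reading it as a string is unchanged.
const InfoAuthorizationPassed = "Authorization check passed"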
// PolicyData is the API-level policy set: the roles it covers and exactly one
// policy per role. Policies are allow-lists only; there is no deny entry type
// in this package, so a role's effective permission is presumably the union
// of whatever is granted here.
//
// Summary of grants (API layer):
//   - TenantAuditor: read on every resource type listed.
//   - KeyAdmin: full CRUD (+KeyRotate) on keys and key configurations, CRUD on
//     workflows, ModifySystemLink/read/update on systems, read on user groups
//     and tenant settings.
//   - TenantAdmin: read/update on tenant and tenant settings, CRUD on user
//     groups. No key access at the API layer.
//
// NOTE(review): KeyAdmin's APIActionUpdate on APIResourceTypeSystem is not
// present in APIResourceTypeActions[APIResourceTypeSystem]; decide whether
// the grant or the validity table is right and make them agree.
// NOTE(review): nothing grants APIResourceTypeEvent, APIResourceTypeImportParams
// or APIResourceTypeKeyStoreConfig — fine if those endpoints do not exist yet,
// but any handler mapped to them will be unreachable for every role.
var PolicyData = policies{
	Roles: []constants.Role{
		constants.KeyAdminRole,
		constants.TenantAdminRole,
		constants.TenantAuditorRole,
	},
	Policies: []BasePolicy[APIResourceTypeName, APIAction]{
		NewPolicy(
			"AuditorPolicy",
			constants.TenantAuditorRole,
			[]BaseResourceType[APIResourceTypeName, APIAction]{
				{
					ID: APIResourceTypeKeyConfiguration,
					Actions: []APIAction{
						APIActionRead,
					},
				},
				{
					ID: APIResourceTypeKey,
					Actions: []APIAction{
						APIActionRead,
					},
				},
				{
					ID: APIResourceTypeSystem,
					Actions: []APIAction{
						APIActionRead,
					},
				},
				{
					ID: APIResourceTypeWorkFlow,
					Actions: []APIAction{
						APIActionRead,
					},
				},
				{
					ID: APIResourceTypeTenantSettings,
					Actions: []APIAction{
						APIActionRead,
					},
				},
				{
					ID: APIResourceTypeUserGroup,
					Actions: []APIAction{
						APIActionRead,
					},
				},
				{
					ID: APIResourceTypeTenant,
					Actions: []APIAction{
						APIActionRead,
					},
				},
			},
		),
		NewPolicy(
			"KeyAdminPolicy",
			constants.KeyAdminRole,
			[]BaseResourceType[APIResourceTypeName, APIAction]{
				{
					ID: APIResourceTypeKeyConfiguration,
					Actions: []APIAction{
						APIActionRead,
						APIActionCreate,
						APIActionDelete,
						APIActionUpdate,
					},
				},
				{
					ID: APIResourceTypeKey,
					Actions: []APIAction{
						APIActionRead,
						APIActionCreate,
						APIActionDelete,
						APIActionUpdate,
						APIActionKeyRotate,
					},
				},
				{
					ID: APIResourceTypeUserGroup,
					Actions: []APIAction{
						APIActionRead,
					},
				},
				{
					ID: APIResourceTypeSystem,
					// APIActionUpdate here is not in APIResourceTypeActions — see note above.
					Actions: []APIAction{
						APIActionSystemModifyLink,
						APIActionRead,
						APIActionUpdate,
					},
				},
				{
					ID: APIResourceTypeWorkFlow,
					Actions: []APIAction{
						APIActionRead,
						APIActionCreate,
						APIActionDelete,
						APIActionUpdate,
					},
				},
				{
					ID: APIResourceTypeTenantSettings,
					Actions: []APIAction{
						APIActionRead,
					},
				},
			},
		),
		NewPolicy(
			"TenantAdminPolicy",
			constants.TenantAdminRole,
			[]BaseResourceType[APIResourceTypeName, APIAction]{
				{
					ID: APIResourceTypeTenant,
					Actions: []APIAction{
						APIActionRead,
						APIActionUpdate,
					},
				},
				{
					ID: APIResourceTypeUserGroup,
					Actions: []APIAction{
						APIActionRead,
						APIActionCreate,
						APIActionDelete,
						APIActionUpdate,
					},
				},
				{
					ID: APIResourceTypeTenantSettings,
					Actions: []APIAction{
						APIActionRead,
						APIActionUpdate,
					},
				},
			},
		),
	},
}
// RepoPolicyData is the repository-level (table-level) policy set, one policy
// per role, keyed by the table-derived RepoResourceTypeName values.
//
// Summary of grants (repository layer):
//   - TenantAuditor: list/first/count on every table.
//   - KeyAdmin: full list/first/count/create/update/delete on most tables;
//     read-only on group and tenant; create/delete (no update) on tenantconfig.
//   - TenantAdmin: full access to group, tenant and tenantconfig; first only
//     on keyconfiguration.
//
// NOTE(review): KeyAdmin gets update and delete on RepoResourceTypeEvent. If
// the event table is an audit trail, that lets the role rewrite or erase
// records of its own actions; audit stores are normally append-only. Confirm
// what Event holds before keeping these two grants.
// NOTE(review): several repo-layer grants exceed what the matching API-layer
// policy exposes (TenantAdmin: tenant create/delete here vs read/update in
// PolicyData; KeyAdmin: tenantconfig create/delete here vs TenantSettings
// read-only there). That is harmless only while every code path to the
// repository goes through an API check; a new handler or background job
// that reaches the repository directly inherits the wider grant. Keep the
// repository layer no broader than the API layer unless the gap is deliberate.
var RepoPolicyData = repoPolicies{
	Roles: []constants.Role{
		constants.KeyAdminRole,
		constants.TenantAdminRole,
		constants.TenantAuditorRole,
	},
	Policies: []BasePolicy[RepoResourceTypeName, RepoAction]{
		NewPolicy(
			"AuditorPolicy",
			constants.TenantAuditorRole,
			[]BaseResourceType[RepoResourceTypeName, RepoAction]{
				{
					ID: RepoResourceTypeCertificate,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeEvent,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeGroup,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeImportparam,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeKey,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeKeyconfiguration,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeKeystore,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeKeyversion,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeKeyLabel,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeSystem,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeSystemProperty,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeTag,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeTenant,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeTenantconfig,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeWorkflow,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeWorkflowApprover,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
			},
		),
		NewPolicy(
			"KeyAdminPolicy",
			constants.KeyAdminRole,
			[]BaseResourceType[RepoResourceTypeName, RepoAction]{
				{
					ID: RepoResourceTypeCertificate,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeEvent,
					// Update/Delete on events — see audit-trail note above.
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeGroup,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeImportparam,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeKey,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeKeyconfiguration,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeKeystore,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeKeyversion,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeKeyLabel,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeSystem,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeSystemProperty,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeTag,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeTenant,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
					},
				},
				{
					ID: RepoResourceTypeTenantconfig,
					// Create and delete but no update; API-layer TenantSettings is read-only for this role.
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeWorkflow,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeWorkflowApprover,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
			},
		),
		NewPolicy(
			"TenantAdminPolicy",
			constants.TenantAdminRole,
			[]BaseResourceType[RepoResourceTypeName, RepoAction]{
				{
					ID: RepoResourceTypeGroup,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeKeyconfiguration,
					Actions: []RepoAction{
						RepoActionFirst,
					},
				},
				{
					ID: RepoResourceTypeTenant,
					// Create/delete here exceeds the API-layer read/update grant — see note above.
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
				{
					ID: RepoResourceTypeTenantconfig,
					Actions: []RepoAction{
						RepoActionList,
						RepoActionFirst,
						RepoActionCount,
						RepoActionCreate,
						RepoActionUpdate,
						RepoActionDelete,
					},
				},
			},
		),
	},
}
// RepoResourceTypeActions lists the actions that may be requested on each
// repository resource type. Every table maps to the same fullActionList
// (declared elsewhere in the package; not shown here).
//
// NOTE(review): all entries alias one backing slice. Appending to or
// re-slicing one entry in place would change every other entry; treat the
// values as read-only.
var RepoResourceTypeActions = map[RepoResourceTypeName][]RepoAction{
	RepoResourceTypeCertificate:      fullActionList,
	RepoResourceTypeEvent:            fullActionList,
	RepoResourceTypeGroup:            fullActionList,
	RepoResourceTypeImportparam:      fullActionList,
	RepoResourceTypeKey:              fullActionList,
	RepoResourceTypeKeyconfiguration: fullActionList,
	RepoResourceTypeKeystore:         fullActionList,
	RepoResourceTypeKeyversion:       fullActionList,
	RepoResourceTypeKeyLabel:         fullActionList,
	RepoResourceTypeSystem:           fullActionList,
	RepoResourceTypeSystemProperty:   fullActionList,
	RepoResourceTypeTag:              fullActionList,
	RepoResourceTypeTenant:           fullActionList,
	RepoResourceTypeTenantconfig:     fullActionList,
	RepoResourceTypeWorkflow:         fullActionList,
	RepoResourceTypeWorkflowApprover: fullActionList,
}
// RepoRolePolicies indexes repository-level policies by role. It starts
// empty and is presumably filled from RepoPolicyData during initialisation —
// confirm. Mutable package state: populate once before serving, then read-only.
var RepoRolePolicies = map[constants.Role][]BasePolicy[RepoResourceTypeName, RepoAction]{}
Functions ¶
func CheckAuthz ¶
func LogDecision ¶
func LogDecision[TResourceTypeName, TAction comparable]( ctx context.Context, request Request[TResourceTypeName, TAction], auditor *auditor.Auditor, isAllowed bool, reason Reason)
LogDecision logs the authorization decision made for a request: the request ID, tenant ID, resource type, action, decision and reason. An allowed decision is logged at Info level; any other decision is logged at Warn level. Denied requests are additionally emitted as an audit event through the provided auditor; allowed requests are not audited by this function.
Types ¶
type APIAction ¶ added in v0.5.0
// APIAction names an operation a policy may grant on an API resource type.
// The string value is the wire/policy representation; note the mixed casing
// (lowercase CRUD verbs, CamelCase specials). If any caller builds an
// APIAction from request input, the comparison is case-sensitive, so
// "keyrotate" would not match APIActionKeyRotate.
type APIAction string

// Generic CRUD actions.
const (
	APIActionRead   = APIAction("read")
	APIActionCreate = APIAction("create")
	APIActionUpdate = APIAction("update")
	APIActionDelete = APIAction("delete")
)

// Resource-specific actions.
const (
	// APIActionKeyRotate rotates key material; only meaningful on APIResourceTypeKey.
	APIActionKeyRotate = APIAction("KeyRotate")
	// APIActionSystemModifyLink changes a system link; only meaningful on APIResourceTypeSystem.
	APIActionSystemModifyLink = APIAction("ModifySystemLink")
)
All actions that a policy may grant on an API resource type.
type APIResourceType ¶ added in v0.5.0
// APIResourceType pairs an API resource type with the actions allowed on it.
//
// NOTE(review): PolicyData is built from the generic
// BaseResourceType[APIResourceTypeName, APIAction] rather than this type, and
// the field here is named APIActions while BaseResourceType and
// RepoResourceType use Actions. This looks like a pre-generics leftover —
// confirm it still has callers before relying on it.
type APIResourceType struct {
	// ID is the resource type this entry describes.
	ID APIResourceTypeName
	// APIActions are the actions permitted on ID.
	APIActions []APIAction
}
type APIResourceTypeName ¶ added in v0.5.0
// APIResourceTypeName identifies an API-level resource type in policies and
// in Restricted route entries.
type APIResourceTypeName string

// Resource types that appear in PolicyData and APIResourceTypeActions.
const (
	APIResourceTypeKeyConfiguration = APIResourceTypeName("KeyConfiguration")
	APIResourceTypeKey              = APIResourceTypeName("Key")
	APIResourceTypeSystem           = APIResourceTypeName("System")
	APIResourceTypeWorkFlow         = APIResourceTypeName("Workflow")
	APIResourceTypeUserGroup        = APIResourceTypeName("UserGroup")
	APIResourceTypeTenant           = APIResourceTypeName("Tenant")
	APIResourceTypeTenantSettings   = APIResourceTypeName("TenantSettings")
)

// Resource types that are declared but, on this page, appear in neither
// APIResourceTypeActions nor any PolicyData policy. A route bound to one of
// them has no role that can reach it; make sure that is intended.
const (
	APIResourceTypeEvent          = APIResourceTypeName("Event")
	APIResourceTypeImportParams   = APIResourceTypeName("ImportParams")
	APIResourceTypeKeyStoreConfig = APIResourceTypeName("KeyStoreConfig")
)
All API resource types that policies may reference.
type AllowList ¶
// AllowList is the materialised set of permitted (tenant, user group,
// resource type, action) tuples plus the set of tenants it covers. Both
// fields are sets, represented as maps to the empty struct.
//
// AuthzKeys answers "is this exact tuple allowed"; TenantIDs answers "does
// this list know the tenant at all" (see ContainsTenant). Because every key
// embeds its TenantID, a grant in one tenant can never satisfy a request
// from another.
//
// NOTE(review): both maps are exported and mutable. Build them once
// (NewAuthorizationData) and treat them as read-only afterwards; concurrent
// mutation during request handling is a data race.
type AllowList[TResourceTypeName, TAction comparable] struct {
	AuthzKeys map[AuthorizationKey[TResourceTypeName, TAction]]struct{}
	TenantIDs map[TenantID]struct{}
}
func NewAuthorizationData ¶
func (AllowList[TResourceTypeName, TAction]) ContainsTenant ¶
type AuthorizationKey ¶
// AuthorizationKey is the lookup key of an AllowList entry. All four fields
// participate in equality, so a match requires the same tenant, the same
// user group, the same resource type and the same action.
//
// UserGroup is a free-form string and is compared exactly (map-key
// equality), i.e. case- and whitespace-sensitive; whoever builds the key from
// an identity token must normalise it the same way the policy loader does.
type AuthorizationKey[TResourceTypeName, TAction comparable] struct {
	TenantID         TenantID
	UserGroup        string
	ResourceTypeName TResourceTypeName
	Action           TAction
}
type BasePolicy ¶ added in v0.5.0
// BasePolicy binds one role to the resource types, and the actions on each,
// that the role is allowed. This package defines no deny entry, so policies
// are pure allow-lists.
type BasePolicy[TResourceTypeName, TAction comparable] struct {
	// ID is a human-readable policy name (e.g. "KeyAdminPolicy").
	ID string
	// Role is the role the policy applies to.
	Role constants.Role
	// ResourceTypes enumerates the granted (resource type, actions) pairs.
	ResourceTypes []BaseResourceType[TResourceTypeName, TAction]
}
func NewPolicy ¶ added in v0.5.0
func NewPolicy[TResourceTypeName, TAction comparable](id string, role constants.Role, resourceTypes []BaseResourceType[TResourceTypeName, TAction]) BasePolicy[ TResourceTypeName, TAction]
type BaseResourceType ¶ added in v0.5.0
// BaseResourceType is one line of a policy: a resource type and the actions
// granted on it. It is generic over the resource-type and action identifier
// types so the same shape serves the API layer and the repository layer.
type BaseResourceType[TResourceTypeName, TAction comparable] struct {
	// ID is the resource type being granted.
	ID TResourceTypeName
	// Actions are the actions granted on ID.
	Actions []TAction
}
func NewResourceTypes ¶ added in v0.5.0
func NewResourceTypes[TResourceTypeName, TAction comparable](id TResourceTypeName, actions []TAction) BaseResourceType[ TResourceTypeName, TAction]
type Handler ¶
// Handler holds everything CheckAuthz needs to decide a request: the policies
// per role, the known entities, the materialised allow list and the auditor
// that receives denied decisions (see LogDecision). Unexported fields are
// elided on this page.
//
// NOTE(review): RolePolicies and AuthorizationData are exported and mutable;
// a handler should be fully constructed (NewAuthorizationHandler) before it
// is shared across goroutines and not mutated afterwards.
type Handler[TResourceTypeName, TAction comparable] struct {
	RolePolicies      map[constants.Role][]BasePolicy[TResourceTypeName, TAction]
	Entities          []Entity
	AuthorizationData AllowList[TResourceTypeName, TAction]
	Auditor           *auditor.Auditor
	// contains filtered or unexported fields
}
func NewAuthorizationHandler ¶
type RepoAction ¶ added in v0.5.0
// RepoAction names a repository (data-access) operation a policy may grant on
// a table-backed resource type.
type RepoAction string

// Read-side actions.
const (
	RepoActionList  = RepoAction("list")
	RepoActionFirst = RepoAction("first")
	RepoActionCount = RepoAction("count")
)

// Write-side actions.
const (
	RepoActionCreate = RepoAction("create")
	RepoActionUpdate = RepoAction("update")
	RepoActionDelete = RepoAction("delete")
)
All actions that a policy may grant on a repository resource type.
type RepoResourceType ¶ added in v0.5.0
// RepoResourceType pairs a repository resource type with the actions allowed
// on it.
//
// NOTE(review): RepoPolicyData is built from the generic
// BaseResourceType[RepoResourceTypeName, RepoAction] rather than this type;
// confirm this non-generic form still has callers.
type RepoResourceType struct {
	// ID is the table-derived resource type this entry describes.
	ID RepoResourceTypeName
	// Actions are the repository actions permitted on ID.
	Actions []RepoAction
}
type RepoResourceTypeName ¶ added in v0.5.0
// RepoResourceTypeName identifies a repository-level resource type. Each value
// is derived directly from a table-name constant, so renaming a table changes
// the authz identifier and requires migrating any stored policy data.
type RepoResourceTypeName string

// One resource type per table. The conversion yields a typed constant, so the
// explicit type annotation is not needed.
const (
	RepoResourceTypeCertificate      = RepoResourceTypeName(constants.CertificateTable)
	RepoResourceTypeEvent            = RepoResourceTypeName(constants.EventTable)
	RepoResourceTypeGroup            = RepoResourceTypeName(constants.GroupTable)
	RepoResourceTypeImportparam      = RepoResourceTypeName(constants.ImportparamTable)
	RepoResourceTypeKey              = RepoResourceTypeName(constants.KeyTable)
	RepoResourceTypeKeyconfiguration = RepoResourceTypeName(constants.KeyconfigurationTable)
	RepoResourceTypeKeystore         = RepoResourceTypeName(constants.KeystoreTable)
	RepoResourceTypeKeyversion       = RepoResourceTypeName(constants.KeyVersionTable)
	RepoResourceTypeKeyLabel         = RepoResourceTypeName(constants.KeyLabelTable)
	RepoResourceTypeSystem           = RepoResourceTypeName(constants.SystemTable)
	RepoResourceTypeSystemProperty   = RepoResourceTypeName(constants.SystemPropertyTable)
	RepoResourceTypeTag              = RepoResourceTypeName(constants.TagTable)
	RepoResourceTypeTenant           = RepoResourceTypeName(constants.TenantTable)
	RepoResourceTypeTenantconfig     = RepoResourceTypeName(constants.TenantconfigTable)
	RepoResourceTypeWorkflow         = RepoResourceTypeName(constants.WorkflowTable)
	RepoResourceTypeWorkflowApprover = RepoResourceTypeName(constants.WorkflowApproverTable)
)
All repository resource types that policies may reference. Each is derived from a database table name, so renaming a table also changes the authz identifier and requires a migration of any stored policy data. The linkage is deliberate: it keeps tables tightly coupled to their authz resource identifiers.
type Request ¶
// Request is a single authorization question: may User, acting in TenantID,
// perform Action on ResourceTypeName?
//
// ID, User and TenantID are required; ResourceTypeName and Action are marked
// optional in the original declaration.
//
// NOTE(review): an "optional" action or resource type must fail closed. If
// CheckAuthz treats the zero value as "no constraint" rather than returning
// ErrActionInvalid / ErrResourceTypeInvalid, an attacker who can omit those
// fields gets a match against any grant — confirm the zero-value handling.
type Request[TResourceTypeName, TAction comparable] struct {
	ID               string            // required
	User             User              // required
	ResourceTypeName TResourceTypeName // optional
	Action           TAction           // optional
	TenantID         TenantID          // required
}
func NewRequest ¶
func (Request[TResourceTypeName, TAction]) GetActionString ¶ added in v0.5.0
func (Request[TResourceTypeName, TAction]) GetResourceTypeNameString ¶ added in v0.5.0
type Restricted ¶
// Restricted binds one API route (path + method) to the resource type and
// action a caller must be authorized for before the route is served. Entries
// live in RestrictionsByAPI.
//
// NOTE(review): APIPath is an opaque string. Whether a route is matched
// exactly or by prefix/pattern, and whether the incoming path is normalised
// before lookup (trailing slash, repeated slashes, percent-encoding, case),
// determines whether a variant spelling of a restricted path can reach the
// handler without an entry. Verify the matching rule at the lookup site and
// make unmatched routes deny by default.
type Restricted struct {
	// APIPath is the route being restricted.
	APIPath string
	// APIMethod is the HTTP method the restriction applies to.
	APIMethod APIMethod
	// APIResourceTypeName is the resource type the caller must hold access to.
	APIResourceTypeName APIResourceTypeName
	// APIAction is the action the caller must be granted on that type.
	APIAction APIAction
}