acl

package
v0.8.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 4, 2025 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ACLMaxDepth   = 1<<8 - 1
	ACLMaxVersion = 1<<16 - 1
)
View Source 
const ACLPathSep = "/"

The ACL system follows the Unix file system hierarchy.

Variables

View Source 
var (
	ErrNoAdminAccess      = errors.New("no admin access")
	ErrNoWriteAccess      = errors.New("no write access")
	ErrNoReadAccess       = errors.New("no read access")
	ErrDirsNotAllowed     = errors.New("directories not allowed")
	ErrSymlinksNotAllowed = errors.New("symlinks not allowed")
	ErrFileSizeExceeded   = errors.New("file size exceeds limits")
	ErrInvalidAccessLevel = errors.New("invalid access level")
)
View Source 
var (
	ErrInvalidRuleset   = errors.New("invalid ruleset")
	ErrMaxDepthExceeded = errors.New("maximum depth exceeded")
	ErrNoRuleSet        = errors.New("no ruleset found")
	ErrNoRule           = errors.New("no rules available")
)

Functions

func ACLJoinPath 

func ACLJoinPath(parts ...string) string

ACLJoinPath joins multiple path segments into a single normalized path string. It uses the ACL path separator and ensures forward slashes are used consistently across different operating systems. Each part can be a sub-path, so the result is normalized using filepath.ToSlash to handle any internal path separators.

func ACLNormPath 

func ACLNormPath(path string) string

ACLNormPath normalizes a file system path for use in ACL operations by: 1. Converting all path separators to forward slashes 2. Cleaning the path (resolving . and ..) 3. Removing leading path separators This ensures consistent path handling across different operating systems and compatibility with glob pattern matching.

func ACLPathSegments 

func ACLPathSegments(path string) []string

ACLPathSegments splits a file system path into its component segments. It first normalizes the path using ACLNormPath to ensure consistent handling across operating systems, then splits it into segments using the ACL path separator.

Types

type ACLCache 

type ACLCache struct {
	// contains filtered or unexported fields
}

ACLCache stores the access level for a given path and user.

func NewACLCache 

func NewACLCache() *ACLCache

NewACLCache creates a new ACLCache.

func (*ACLCache) Clear added in v0.8.4 

func (c *ACLCache) Clear()

Clear removes all entries from the cache

func (*ACLCache) Count added in v0.7.0 

func (c *ACLCache) Count() int

func (*ACLCache) Delete 

func (c *ACLCache) Delete(path string) int

Delete deletes the access level for the given path and user.

func (*ACLCache) DeletePrefix 

func (c *ACLCache) DeletePrefix(path string) int

DeletePrefix deletes the access level for all paths that match the given prefix.

func (*ACLCache) Get 

func (c *ACLCache) Get(req *ACLRequest) (bool, bool)

Get returns the access level for the given path and user.

func (*ACLCache) Set 

func (c *ACLCache) Set(req *ACLRequest, canAccess bool)

Set sets the access level for the given path and user.

type ACLDepth 

type ACLDepth = uint8

ACLDepth is the depth of the node in the tree.

type ACLNode 

type ACLNode struct {
	// contains filtered or unexported fields
}

ACLNode represents a node in the ACL tree. Each node corresponds to a part of the path and contains rules for that part.

func NewACLNode 

func NewACLNode(path string, owner string, terminal bool, depth ACLDepth) *ACLNode

NewACLNode creates a new ACLNode.

func (*ACLNode) ClearRules 

func (n *ACLNode) ClearRules()

ClearRules clears the rules for the node.

func (*ACLNode) DeleteChild 

func (n *ACLNode) DeleteChild(key string)

DeleteChild deletes the child for the node.

func (*ACLNode) Equal 

func (n *ACLNode) Equal(other *ACLNode) bool

Equal checks if the node is equal to another node.

func (*ACLNode) GetChild 

func (n *ACLNode) GetChild(key string) (*ACLNode, bool)

GetChild returns the child for the node.

func (*ACLNode) GetChildCount 

func (n *ACLNode) GetChildCount() int

GetChildCount returns the number of children for the node.

func (*ACLNode) GetDepth 

func (n *ACLNode) GetDepth() ACLDepth

GetDepth returns the depth of the node.

func (*ACLNode) GetOwner 

func (n *ACLNode) GetOwner() string

GetOwner returns the owner of the node.

func (*ACLNode) GetRules 

func (n *ACLNode) GetRules() []*ACLRule

GetRules returns the rules for the node.

func (*ACLNode) GetTerminal 

func (n *ACLNode) GetTerminal() bool

GetTerminal returns true if the node is a terminal node.

func (*ACLNode) GetVersion 

func (n *ACLNode) GetVersion() ACLVersion

GetVersion returns the version of the node.

func (*ACLNode) SetChild 

func (n *ACLNode) SetChild(key string, child *ACLNode)

SetChild sets the child for the node.

func (*ACLNode) SetRules 

func (n *ACLNode) SetRules(rules []*aclspec.Rule, terminal bool)

SetRules the rules, terminal flag and depth for the node. Increments the version counter for repeated operation.

func (*ACLNode) String added in v0.8.4 

func (n *ACLNode) String() string

type ACLRequest added in v0.8.4 

type ACLRequest struct {
	Path  string
	Level AccessLevel
	User  *User
	File  *File
}

func NewRequest added in v0.8.4 

func NewRequest(path string, user *User, level AccessLevel) *ACLRequest

func NewRequestWithFile added in v0.8.4 

func NewRequestWithFile(path string, user *User, level AccessLevel, file *File) *ACLRequest

type ACLRule 

type ACLRule struct {
	// contains filtered or unexported fields
}

ACLRule represents an access control rule for a file or directory in an ACL Node. It contains the full pattern of the rule, the rule itself, and the node it applies to todo decouple this from aclspec.Rule

func NewACLRule added in v0.8.4 

func NewACLRule(rule *aclspec.Rule, node *ACLNode) (*ACLRule, error)

NewACLRule creates a new ACLRule with template compilation

func (*ACLRule) CheckAccess 

func (r *ACLRule) CheckAccess(req *ACLRequest) error

CheckAccess checks if the user has permission to perform the specified action on the node.

func (*ACLRule) CheckLimits 

func (r *ACLRule) CheckLimits(req *ACLRequest) error

CheckLimits checks if the file is within the limits specified by the rule.

func (*ACLRule) Clone added in v0.8.4 

func (r *ACLRule) Clone() *ACLRule

func (*ACLRule) Compile added in v0.8.4 

func (r *ACLRule) Compile(user *User) *ACLRule

Compile creates a user-specific copy of a rule with USER tokens resolved

func (*ACLRule) GetAccess added in v0.8.4 

func (r *ACLRule) GetAccess() *aclspec.Access

func (*ACLRule) GetLimits added in v0.8.4 

func (r *ACLRule) GetLimits() *aclspec.Limits

func (*ACLRule) Match added in v0.8.4 

func (r *ACLRule) Match(path string, user *User) (bool, error)

Match checks if this rule matches the given path for the given user

func (*ACLRule) Owner 

func (r *ACLRule) Owner() string

Owner returns the owner of the rule (inherited from the node)

func (*ACLRule) String added in v0.8.4 

func (r *ACLRule) String() string

func (*ACLRule) Version 

func (r *ACLRule) Version() ACLVersion

Version returns the version of the rule (inherited from the node)s

type ACLService 

type ACLService struct {
	// contains filtered or unexported fields
}

ACLService helps to manage and enforce access control rules for file system operations.

func NewACLService 

func NewACLService(blob blob.Service) *ACLService

NewACLService creates a new ACL service instance

func (*ACLService) AddRuleSet 

func (s *ACLService) AddRuleSet(ruleSet *aclspec.RuleSet) (ACLVersion, error)

AddRuleSet adds or updates a new set of rules to the service.

func (*ACLService) CanAccess 

func (s *ACLService) CanAccess(req *ACLRequest) error

CanAccess checks if a user has the specified access permission for a file.

func (*ACLService) RemoveRuleSet 

func (s *ACLService) RemoveRuleSet(path string) bool

RemoveRuleSet removes a ruleset at the specified path. Returns true if a ruleset was removed, false otherwise. path must be a dir or dir/syft.pub.yaml

func (*ACLService) Shutdown added in v0.6.1 

func (s *ACLService) Shutdown(ctx context.Context) error

func (*ACLService) Start added in v0.6.1 

func (s *ACLService) Start(ctx context.Context) error

func (*ACLService) String 

func (s *ACLService) String() string

String returns a string representation of the ACL service's rule tree.

type ACLTree 

type ACLTree struct {
	// contains filtered or unexported fields
}

ACLTree stores the ACL rules in a n-ary tree for efficient lookups.

func NewACLTree 

func NewACLTree() *ACLTree

NewACLTree creates a new ACLTree.

func (*ACLTree) AddRuleSet 

func (t *ACLTree) AddRuleSet(ruleset *aclspec.RuleSet) (*ACLNode, error)

Add or update a ruleset in the tree.

func (*ACLTree) GetCompiledRule added in v0.8.4 

func (t *ACLTree) GetCompiledRule(req *ACLRequest) (*ACLRule, error)

func (*ACLTree) GetNearestNode added in v0.8.4 

func (t *ACLTree) GetNearestNode(path string) *ACLNode

GetNearestNode returns the nearest node in the tree that has associated rules for the given path. It returns nil if no such node is found.

func (*ACLTree) GetNode 

func (t *ACLTree) GetNode(path string) *ACLNode

GetNode finds the exact node applicable for the given path.

func (*ACLTree) RemoveRuleSet 

func (t *ACLTree) RemoveRuleSet(path string) bool

Removes a ruleset at the specified path

func (*ACLTree) String 

func (t *ACLTree) String() string

String implements the Stringer interface for PTree

type ACLVersion 

type ACLVersion = uint16

ACLVersion is the version of the node. overflow will reset it to 0.

type AccessLevel 

type AccessLevel uint8

AccessLevel represents a permission bit flag for different file operations. 

const (
	AccessRead AccessLevel = 1 << iota
	AccessCreate
	AccessWrite
	AccessAdmin
)

Action constants define different types of file permissions

func (AccessLevel) String 

func (a AccessLevel) String() string

type ExactMatcher added in v0.8.4 

type ExactMatcher struct {
	Value string
}

func (*ExactMatcher) Match added in v0.8.4 

func (e *ExactMatcher) Match(path string, ctx MatchContext) (bool, error)

func (*ExactMatcher) Type added in v0.8.4 

func (e *ExactMatcher) Type() MatcherType

type File 

type File struct {
	IsDir     bool
	IsSymlink bool
	Size      int64
}

type GlobMatcher added in v0.8.4 

type GlobMatcher struct {
	// contains filtered or unexported fields
}

func (*GlobMatcher) Match added in v0.8.4 

func (g *GlobMatcher) Match(path string, ctx MatchContext) (bool, error)

func (*GlobMatcher) Type added in v0.8.4 

func (g *GlobMatcher) Type() MatcherType

type MatchContext added in v0.8.4 

type MatchContext any // i don't know what all we'll need, so just putting it as any

type Matcher added in v0.8.4 

type Matcher interface {
	Match(path string, ctx MatchContext) (bool, error)
	Type() MatcherType
}

type MatcherType added in v0.8.4 

type MatcherType int
const (
	MatcherTypeExact MatcherType = iota
	MatcherTypeGlob
	MatcherTypeTemplate
)

type Service added in v0.6.1 

type Service interface {
	AddRuleSet(ruleSet *aclspec.RuleSet) (ACLVersion, error)
	RemoveRuleSet(path string) bool
	CanAccess(ctx *ACLRequest) error
}

type TemplateMatcher added in v0.8.4 

type TemplateMatcher struct {
	// contains filtered or unexported fields
}

func (*TemplateMatcher) Match added in v0.8.4 

func (t *TemplateMatcher) Match(path string, ctx MatchContext) (bool, error)

func (*TemplateMatcher) Type added in v0.8.4 

func (t *TemplateMatcher) Type() MatcherType

type User 

type User struct {
	ID string
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.