Index ¶
- Variables
- type DataRuleResult
- type Decision
- type EntitlementFailure
- type EntitlementPolicyRetriever
- func (p *EntitlementPolicyRetriever) IsEnabled() bool
- func (p *EntitlementPolicyRetriever) IsReady(_ context.Context) bool
- func (p *EntitlementPolicyRetriever) ListAllAttributes(ctx context.Context) ([]*policy.Attribute, error)
- func (p *EntitlementPolicyRetriever) ListAllObligations(ctx context.Context) ([]*policy.Obligation, error)
- func (p *EntitlementPolicyRetriever) ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error)
- func (p *EntitlementPolicyRetriever) ListAllSubjectMappings(ctx context.Context) ([]*policy.SubjectMapping, error)
- type EntitlementPolicyStore
- type JustInTimePDP
- type PolicyDecisionPoint
- func (p *PolicyDecisionPoint) GetDecision(ctx context.Context, ...) (*Decision, map[string][]*policy.Action, error)
- func (p *PolicyDecisionPoint) GetDecisionRegisteredResource(ctx context.Context, entityRegisteredResourceValueFQN string, ...) (*Decision, map[string][]*policy.Action, error)
- func (p *PolicyDecisionPoint) GetEntitlements(ctx context.Context, ...) ([]*authz.EntityEntitlements, error)
- func (p *PolicyDecisionPoint) GetEntitlementsRegisteredResource(ctx context.Context, registeredResourceValueFQN string, ...) ([]*authz.EntityEntitlements, error)
- type ResourceDecision
Variables ¶
// Errors raised while resolving attribute definitions and evaluating their rules.
// Every message carries the "access:" prefix so callers can attribute it to this package.
var (
	// ErrInvalidResource: a resource in the decision request is invalid.
	ErrInvalidResource = errors.New("access: invalid resource")
	// ErrFQNNotFound: a referenced FQN could not be found.
	ErrFQNNotFound = errors.New("access: FQN not found")
	// ErrDefinitionNotFound: no attribute definition exists for the FQN being evaluated.
	ErrDefinitionNotFound = errors.New("access: definition not found for FQN")
	// ErrFailedEvaluation: evaluating an attribute definition did not complete.
	ErrFailedEvaluation = errors.New("access: failed to evaluate definition")
	// ErrMissingRequiredSpecifiedRule: an AttributeDefinition left its rule unspecified,
	// which the evaluator refuses rather than defaulting to a rule.
	ErrMissingRequiredSpecifiedRule = errors.New("access: AttributeDefinition rule cannot be unspecified")
	// ErrUnrecognizedRule: an AttributeDefinition rule is not one the evaluator knows.
	ErrUnrecognizedRule = errors.New("access: unrecognized AttributeDefinition rule")
)
// Validation errors for policy objects handed to the PDP.
var (
	// ErrInvalidSubjectMapping: a subject mapping failed validation.
	ErrInvalidSubjectMapping = errors.New("access: invalid subject mapping")
	// ErrInvalidAttributeDefinition: an attribute definition failed validation.
	ErrInvalidAttributeDefinition = errors.New("access: invalid attribute definition")
	// ErrInvalidRegisteredResource: a registered resource failed validation.
	ErrInvalidRegisteredResource = errors.New("access: invalid registered resource")
	// ErrInvalidRegisteredResourceValue: a registered resource value failed validation.
	ErrInvalidRegisteredResourceValue = errors.New("access: invalid registered resource value")
)
// Errors concerning the SDK connection, entity identification, and
// consistency between requested resources and returned resource decisions.
var (
	// ErrMissingRequiredSDK: an operation that needs the platform SDK was given none.
	ErrMissingRequiredSDK = errors.New("access: missing required SDK")
	// ErrInvalidEntityType: the entity identifier is of a type the PDP cannot resolve.
	ErrInvalidEntityType = errors.New("access: invalid entity type")
	// ErrFailedToWithRequestTokenEntityIdentifier: the caller asked to use the request
	// token as the entity identifier, but no token was present in the context.
	ErrFailedToWithRequestTokenEntityIdentifier = errors.New("access: failed to use request token as entity identifier - none found in context")
	// ErrInvalidWithRequestTokenEntityIdentifier: the "use request token" option, when
	// provided, must be true.
	ErrInvalidWithRequestTokenEntityIdentifier = errors.New("access: invalid use request token as entity identifier - must be true if provided")
	// ErrResourceDecisionLengthMismatch: the number of resource decisions does not match
	// the number of requested resources.
	ErrResourceDecisionLengthMismatch = errors.New("access: resource decision length mismatch")
	// ErrResourceDecisionIDMismatch: a resource decision's ID does not match the
	// resource it was produced for.
	ErrResourceDecisionIDMismatch = errors.New("access: resource decision ID mismatch")
)
// Errors returned when entitlement policy cannot be fetched from the policy service.
// Note these messages do not carry the "access:" prefix used by the other sentinels.
var (
	// ErrFailedToFetchAttributes: attribute definitions could not be listed.
	ErrFailedToFetchAttributes = errors.New("failed to fetch attributes from policy service")
	// ErrFailedToFetchSubjectMappings: subject mappings could not be listed.
	ErrFailedToFetchSubjectMappings = errors.New("failed to fetch subject mappings from policy service")
	// ErrFailedToFetchRegisteredResources: registered resources could not be listed.
	ErrFailedToFetchRegisteredResources = errors.New("failed to fetch registered resources from policy service")
	// ErrFailedToFetchObligations: obligations could not be listed.
	ErrFailedToFetchObligations = errors.New("failed to fetch obligations from policy service")
)
// Validation errors for the action, entity chain, and entitlement map used in decisioning.
var (
	// ErrInvalidAction: the requested action is invalid.
	ErrInvalidAction = errors.New("access: invalid action")
	// ErrInvalidEntityChain: the entity chain is invalid.
	ErrInvalidEntityChain = errors.New("access: invalid entity chain")
	// ErrInvalidEntitledFQNsToActions: the map of entitled FQNs to actions is invalid.
	ErrInvalidEntitledFQNsToActions = errors.New("access: invalid entitled FQNs to actions")
)
var (
	// ErrMissingRequiredPolicy: attribute definitions and subject mappings must be
	// supplied together; providing only one of them is rejected.
	ErrMissingRequiredPolicy = errors.New("access: both attribute definitions and subject mappings must be provided or neither")
)
Types ¶
type DataRuleResult ¶
// DataRuleResult is the outcome of evaluating one attribute definition's rule for an entity.
type DataRuleResult struct {
	// Passed reports whether the rule was satisfied.
	Passed bool `json:"passed" example:"false"`
	// ResourceValueFQNs are the resource value FQNs involved in this rule's evaluation
	// (assumed from the field name — confirm against the evaluator).
	ResourceValueFQNs []string `json:"resource_value_fqns"`
	// Attribute is the attribute definition whose rule was evaluated.
	Attribute *policy.Attribute `json:"attribute"`
	// EntitlementFailures lists each attribute value / action pair for which the
	// entity lacked an entitlement.
	EntitlementFailures []EntitlementFailure `json:"entitlement_failures"`
}
DataRuleResult represents the result of evaluating one rule for an entity.
type Decision ¶
// Decision is the overall access decision for an entity across the requested resources.
type Decision struct {
	// AllPermitted means all entities requesting to take the action on the resource(s) were entitled
	// and that any triggered obligations were satisfied by those reported as fulfillable.
	// The struct tag remains 'access' for backwards compatibility within audit records.
	AllPermitted bool `json:"access" example:"false"`
	// Results holds one ResourceDecision per requested resource. The field has no json
	// tag, so it serializes under its Go name "Results".
	Results []ResourceDecision
}
Decision represents the overall access decision for an entity.
type EntitlementFailure ¶
// EntitlementFailure identifies an attribute value and action the entity was not entitled to.
type EntitlementFailure struct {
	// AttributeValueFQN is the attribute value whose entitlement was not satisfied.
	AttributeValueFQN string `json:"attribute_value"`
	// ActionName is the action that was requested on that attribute value.
	ActionName string `json:"action"`
}
EntitlementFailure represents a failure to satisfy an entitlement of the action on the attribute value.
type EntitlementPolicyRetriever ¶ added in v0.7.0
EntitlementPolicyRetriever satisfies the EntitlementPolicyStore interface and fetches fresh entitlement policy data from the policy services via SDK.
func NewEntitlementPolicyRetriever ¶ added in v0.7.0
func NewEntitlementPolicyRetriever(sdk *otdfSDK.SDK) *EntitlementPolicyRetriever
func (*EntitlementPolicyRetriever) IsEnabled ¶ added in v0.7.0
func (p *EntitlementPolicyRetriever) IsEnabled() bool
func (*EntitlementPolicyRetriever) IsReady ¶ added in v0.7.0
func (p *EntitlementPolicyRetriever) IsReady(_ context.Context) bool
func (*EntitlementPolicyRetriever) ListAllAttributes ¶ added in v0.7.0
func (*EntitlementPolicyRetriever) ListAllObligations ¶ added in v0.11.0
func (p *EntitlementPolicyRetriever) ListAllObligations(ctx context.Context) ([]*policy.Obligation, error)
func (*EntitlementPolicyRetriever) ListAllRegisteredResources ¶ added in v0.7.0
func (p *EntitlementPolicyRetriever) ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error)
func (*EntitlementPolicyRetriever) ListAllSubjectMappings ¶ added in v0.7.0
func (p *EntitlementPolicyRetriever) ListAllSubjectMappings(ctx context.Context) ([]*policy.SubjectMapping, error)
type EntitlementPolicyStore ¶ added in v0.7.0
// EntitlementPolicyStore is the shared interface that a policy cache or the connected
// EntitlementPolicyRetriever implements to supply entitlement policy data to the PDP.
type EntitlementPolicyStore interface {
	// ListAllAttributes returns every attribute definition known to the store.
	ListAllAttributes(ctx context.Context) ([]*policy.Attribute, error)
	// ListAllSubjectMappings returns every subject mapping known to the store.
	ListAllSubjectMappings(ctx context.Context) ([]*policy.SubjectMapping, error)
	// ListAllRegisteredResources returns every registered resource known to the store.
	ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error)
	// ListAllObligations returns every obligation known to the store.
	ListAllObligations(ctx context.Context) ([]*policy.Obligation, error)
	// IsEnabled reports whether this store is in use.
	// NOTE(review): the relationship between IsEnabled/IsReady and whether decisions
	// may be served is not visible here — confirm in NewJustInTimePDP.
	IsEnabled() bool
	// IsReady reports whether the store can currently serve policy data.
	IsReady(context.Context) bool
}
EntitlementPolicyStore is the shared interface that a policy cache or the connected retriever (EntitlementPolicyRetriever) implements to provide entitlement policy data.
type JustInTimePDP ¶
// JustInTimePDP is a Policy Decision Point that holds no in-memory policy of its own:
// it is constructed with an authenticated SDK and an EntitlementPolicyStore, and
// fetches entitlement policy from that store or the policy services (see NewJustInTimePDP).
type JustInTimePDP struct {
	// contains filtered or unexported fields
}
func NewJustInTimePDP ¶
func NewJustInTimePDP( ctx context.Context, log *logger.Logger, sdk *otdfSDK.SDK, store EntitlementPolicyStore, ) (*JustInTimePDP, error)
NewJustInTimePDP creates a new Policy Decision Point instance with no in-memory policy and a remote connection via an authenticated SDK, then fetches all entitlement policy from the provided store interface or directly from the policy services.
func (*JustInTimePDP) GetDecision ¶
func (p *JustInTimePDP) GetDecision( ctx context.Context, entityIdentifier *authzV2.EntityIdentifier, action *policy.Action, resources []*authzV2.Resource, requestContext *policy.RequestContext, fulfillableObligationValueFQNs []string, ) (*Decision, error)
GetDecision retrieves the decision for the provided entity identifier, action, and resources.
Obligations are not entity-driven, so the actions, attributes, and decision request context are checked against Policy to determine which are triggered. The triggered obligations are compared against those the caller (PEP) reports that it can fulfill to ensure all can be satisfied.
Then, it resolves the Entity Identifier into either the Registered Resource or a Token/Entity Chain and roundtrips to ERS for their representations. In the case of multiple entity representations, entitlement means ALL representations are entitled.
The result is a single consolidated Decision object with one resource decision per requested resource, where access is granted only with full entitlement and all triggered obligations fulfillable.
Individual entity representation decisions are audited separately to maintain visibility into the decision process.
| Entity entitled | Triggered obligations are fulfillable | Decision | Required Obligations Returned  |
| --------------- | ------------------------------------- | -------- | ------------------------------ |
| Yes             | Yes                                   | Permit   | Yes                            |
| Yes             | No                                    | Deny     | Yes (allows corrective action) |
| No              | Yes                                   | Deny     | No                             |
| No              | No                                    | Deny     | No                             |
func (*JustInTimePDP) GetEntitlements ¶
func (p *JustInTimePDP) GetEntitlements( ctx context.Context, entityIdentifier *authzV2.EntityIdentifier, withComprehensiveHierarchy bool, ) ([]*authzV2.EntityEntitlements, error)
GetEntitlements retrieves the entitlements for the provided entity identifier. It resolves the entity identifier to get the entity representations and then calls the embedded PDP to get the entitlements.
type PolicyDecisionPoint ¶
// PolicyDecisionPoint is the Policy Decision Point component whose entire policy is
// passed in by the caller at construction; all decisions and entitlements are
// evaluated against that in-memory policy (see NewPolicyDecisionPoint).
type PolicyDecisionPoint struct {
	// contains filtered or unexported fields
}
PolicyDecisionPoint represents the Policy Decision Point component with all policy passed in by the caller. All decisions and entitlements are evaluated against the in-memory policy.
func NewPolicyDecisionPoint ¶
func NewPolicyDecisionPoint( ctx context.Context, l *logger.Logger, allAttributeDefinitions []*policy.Attribute, allSubjectMappings []*policy.SubjectMapping, allRegisteredResources []*policy.RegisteredResource, ) (*PolicyDecisionPoint, error)
NewPolicyDecisionPoint creates a new Policy Decision Point instance. It is presumed that all Attribute Definitions and Subject Mappings are valid and contain the entirety of entitlement policy. Attribute Values without Subject Mappings will be ignored in decisioning.
func (*PolicyDecisionPoint) GetDecision ¶
func (p *PolicyDecisionPoint) GetDecision( ctx context.Context, entityRepresentation *entityresolutionV2.EntityRepresentation, action *policy.Action, resources []*authz.Resource, ) (*Decision, map[string][]*policy.Action, error)
GetDecision evaluates the action on the resources for the entity and returns a decision along with entitlements.
func (*PolicyDecisionPoint) GetDecisionRegisteredResource ¶ added in v0.7.0
func (*PolicyDecisionPoint) GetEntitlements ¶
func (p *PolicyDecisionPoint) GetEntitlements( ctx context.Context, entityRepresentations []*entityresolutionV2.EntityRepresentation, optionalMatchedSubjectMappings []*policy.SubjectMapping, withComprehensiveHierarchy bool, ) ([]*authz.EntityEntitlements, error)
func (*PolicyDecisionPoint) GetEntitlementsRegisteredResource ¶ added in v0.6.0
func (p *PolicyDecisionPoint) GetEntitlementsRegisteredResource( ctx context.Context, registeredResourceValueFQN string, withComprehensiveHierarchy bool, ) ([]*authz.EntityEntitlements, error)
type ResourceDecision ¶
// ResourceDecision is the result of evaluating the action on one resource for an entity.
type ResourceDecision struct {
	// An overall result representing a roll-up of ObligationsSatisfied && Entitled
	Passed bool `json:"passed" example:"false"`
	// FulfillableObligations >= TriggeredObligations
	ObligationsSatisfied bool `json:"obligations_satisfied" example:"false"`
	// Entitled reports whether the entity is entitled to the action on this resource,
	// independent of obligations.
	Entitled bool `json:"entitled" example:"false"`
	// ResourceID identifies the requested resource; omitted from JSON when empty.
	ResourceID string `json:"resource_id,omitempty"`
	// ResourceName is the requested resource's name; omitted from JSON when empty.
	ResourceName string `json:"resource_name,omitempty"`
	// DataRuleResults holds the per-rule outcomes that produced Entitled.
	DataRuleResults []DataRuleResult `json:"data_rule_results"`
	// RequiredObligationValueFQNs lists the obligation values triggered for this
	// resource. In JustInTimePDP.GetDecision these are returned only when the entity is
	// entitled — including a Deny caused by an unfulfillable obligation, so the PEP can
	// take corrective action — and not when the entity is unentitled (see its decision table).
	RequiredObligationValueFQNs []string `json:"required_obligation_value_fqns"`
}
ResourceDecision represents the result of evaluating the action on one resource for an entity.