Documentation
¶
Index ¶
- func CheckPermission(ctx context.Context, assetType string, assetID int64, command string) aictx.CheckResult
- func CheckPolicyOnly(ctx context.Context, assetID int64, command string) aictx.CheckResult
- func CheckRedisPolicyForOpsctl(ctx context.Context, assetID int64, command string) aictx.CheckResult
- func CheckSQLPolicyForOpsctl(ctx context.Context, assetID int64, sqlText string) aictx.CheckResult
- func NormalizeGrantPatterns(approvalType, command string) []string
- func SaveGrantPattern(ctx context.Context, sessionID string, assetID int64, assetName string, ...)
- func SaveGrantPatternsForApproval(ctx context.Context, sessionID string, assetID int64, ...)
- func WithPolicyChecker(ctx context.Context, c *CommandPolicyChecker) context.Context
- type ApprovalItem
- type ApprovalResponse
- type CommandConfirmFunc
- type CommandPolicyChecker
- func (c *CommandPolicyChecker) Check(ctx context.Context, assetID int64, command string) aictx.CheckResult
- func (c *CommandPolicyChecker) CheckForAsset(ctx context.Context, assetID int64, assetType, command string) aictx.CheckResult
- func (c *CommandPolicyChecker) ConfirmFunc() CommandConfirmFunc
- func (c *CommandPolicyChecker) HandleConfirm(ctx context.Context, assetID int64, assetType, command string) aictx.CheckResult
- func (c *CommandPolicyChecker) Reset()
- func (c *CommandPolicyChecker) SetGrantRequestFunc(fn GrantRequestFunc)
- func (c *CommandPolicyChecker) SubmitGrant(ctx context.Context, assetID int64, patterns []string, reason string) aictx.CheckResult
- func (c *CommandPolicyChecker) SubmitGrantMulti(ctx context.Context, items []GrantItem, reason string) aictx.CheckResult
- type GrantItem
- type GrantRequestFunc
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CheckPermission ¶
func CheckPermission(ctx context.Context, assetType string, assetID int64, command string) aictx.CheckResult
CheckPermission 统一权限检查(策略 + DB Grant 匹配)。 不包含用户确认逻辑 — aictx.NeedConfirm 时由调用方处理。 assetType: "ssh" | "serial" | "database" | "redis" | "mongodb" | "kafka" | "k8s" | "exec"(exec 等同于 ssh)| "sql"(sql 等同于 database)| "mongo"(mongo 等同于 mongodb)
func CheckPolicyOnly ¶
CheckPolicyOnly 只检查 allow/deny 列表 + DB Grant 匹配,不触发确认回调。 向后兼容包装器,内部委托 CheckPermission。
func CheckRedisPolicyForOpsctl ¶
func CheckRedisPolicyForOpsctl(ctx context.Context, assetID int64, command string) aictx.CheckResult
CheckRedisPolicyForOpsctl 检查 Redis 策略,向后兼容包装器,内部委托 CheckPermission。
func CheckSQLPolicyForOpsctl ¶
CheckSQLPolicyForOpsctl 检查 SQL 策略,向后兼容包装器,内部委托 CheckPermission。
func NormalizeGrantPatterns ¶
NormalizeGrantPatterns 把一条用户审批输入拆成可独立匹配的 grant pattern 列表。
设计要点:
- SSH/K8s 等 shell 类资产:按行 + policy.ExtractSubCommands 拆,复合命令必须按子命令存, 否则 `ls /tmp && cat /etc/hosts` 会被存成单条 pattern,后续 grant 子命令匹配永远命中失败。
- 非 shell 类资产(sql/redis/mongo/kafka):保留原命令,匹配规则各自处理。
- 解析失败时退回原行,让上层依旧能存下 grant;下次匹配同样会解析失败走 aictx.NeedConfirm。
所有 SaveGrantPattern 调用前都应当先经过这个归一化函数。
func SaveGrantPattern ¶
func SaveGrantPattern(ctx context.Context, sessionID string, assetID int64, assetName string, command string)
SaveGrantPattern 将命令模式保存为已批准的 GrantItem。 如果 sessionID 对应的 GrantSession 不存在,自动创建(状态: approved)。
func SaveGrantPatternsForApproval ¶
func SaveGrantPatternsForApproval(ctx context.Context, sessionID string, assetID int64, assetName, approvalType, command string)
SaveGrantPatternsForApproval 用 NormalizeGrantPatterns 拆出 patterns 后依次落库。 适合 app 层在多种审批回调(opsctl 单审批、AI grant 流)里调用,避免每个路径重复拆分逻辑。
func WithPolicyChecker ¶
func WithPolicyChecker(ctx context.Context, c *CommandPolicyChecker) context.Context
WithPolicyChecker 将 PolicyChecker 注入 context
Types ¶
type ApprovalItem ¶
type ApprovalItem struct {
Type string `json:"type"` // "exec", "k8s", "sql", "redis", "mongo", "kafka", "cp", "grant"
AssetID int64 `json:"asset_id"`
AssetName string `json:"asset_name"`
GroupID int64 `json:"group_id,omitempty"`
GroupName string `json:"group_name,omitempty"`
Command string `json:"command"`
Detail string `json:"detail,omitempty"`
}
ApprovalItem 统一审批项,AI 和 opsctl 共用
type ApprovalResponse ¶
type ApprovalResponse struct {
Decision string `json:"decision"` // "allow", "deny", "allowAll"
EditedItems []ApprovalItem `json:"edited_items,omitempty"` // grant: 用户可能编辑了 items
}
ApprovalResponse 统一审批响应
type CommandConfirmFunc ¶
type CommandConfirmFunc func(ctx context.Context, kind string, items []ApprovalItem) ApprovalResponse
CommandConfirmFunc 命令确认回调,发送审批请求并阻塞等待前端响应 ctx 携带会话 ID 等上下文(通过 aictx.GetConversationID 获取) kind: "single", "batch", "grant" items: 审批项列表 返回 ApprovalResponse
type CommandPolicyChecker ¶
type CommandPolicyChecker struct {
// contains filtered or unexported fields
}
CommandPolicyChecker 命令权限检查器,通过 context 注入到两条执行路径
func GetPolicyChecker ¶
func GetPolicyChecker(ctx context.Context) *CommandPolicyChecker
GetPolicyChecker 从 context 中获取 PolicyChecker
func NewCommandPolicyChecker ¶
func NewCommandPolicyChecker(confirmFunc CommandConfirmFunc) *CommandPolicyChecker
NewCommandPolicyChecker 创建权限检查器
func (*CommandPolicyChecker) Check ¶
func (c *CommandPolicyChecker) Check(ctx context.Context, assetID int64, command string) aictx.CheckResult
Check 检查命令是否允许执行
func (*CommandPolicyChecker) CheckForAsset ¶
func (c *CommandPolicyChecker) CheckForAsset(ctx context.Context, assetID int64, assetType, command string) aictx.CheckResult
CheckForAsset 按资产类型分发权限检查
func (*CommandPolicyChecker) ConfirmFunc ¶
func (c *CommandPolicyChecker) ConfirmFunc() CommandConfirmFunc
ConfirmFunc 返回确认回调,供 batch_command 聚合多条审批项一次性调用。
func (*CommandPolicyChecker) HandleConfirm ¶
func (c *CommandPolicyChecker) HandleConfirm(ctx context.Context, assetID int64, assetType, command string) aictx.CheckResult
HandleConfirm 处理需要用户确认的情况
func (*CommandPolicyChecker) Reset ¶
func (c *CommandPolicyChecker) Reset()
Reset 重置会话级白名单(已迁移到 DB Grant,无需内存清理)
func (*CommandPolicyChecker) SetGrantRequestFunc ¶
func (c *CommandPolicyChecker) SetGrantRequestFunc(fn GrantRequestFunc)
SetGrantRequestFunc 设置 Grant 审批回调
func (*CommandPolicyChecker) SubmitGrant ¶
func (c *CommandPolicyChecker) SubmitGrant(ctx context.Context, assetID int64, patterns []string, reason string) aictx.CheckResult
SubmitGrant 提交 grant 审批请求(request_permission 工具调用)
func (*CommandPolicyChecker) SubmitGrantMulti ¶
func (c *CommandPolicyChecker) SubmitGrantMulti(ctx context.Context, items []GrantItem, reason string) aictx.CheckResult
SubmitGrantMulti 提交多资产 grant 审批请求
type GrantRequestFunc ¶
type GrantRequestFunc func(ctx context.Context, items []ApprovalItem, reason string) (approved bool, finalPatterns []string)
GrantRequestFunc Grant 审批回调,创建 grant 并等待用户审批 ctx 携带会话 ID 等上下文(通过 aictx.GetConversationID 获取) items 为多资产的审批条目列表,用户可能在审批弹窗中编辑 返回 (approved, 用户编辑后的 patterns)