Documentation
¶
Index ¶
- Constants
- func AllSubCommandsAllowed(subCmds []string, allowRules []string) (bool, string)
- func AppendUnique(base []string, items ...string) []string
- func CheckEtcdPolicy(ctx context.Context, policy *asset_entity.EtcdPolicy, cmd string) aictx.CheckResult
- func CheckExtensionPolicy(ctx context.Context, groupIDs []string, action string) aictx.CheckResult
- func CheckGroupGenericPolicy(ctx context.Context, assetID int64, subCmds []string, matchFn MatchFunc) aictx.CheckResult
- func CheckK8sPolicy(ctx context.Context, policy *asset_entity.K8sPolicy, command string) aictx.CheckResult
- func CheckKafkaPolicy(ctx context.Context, policy *asset_entity.KafkaPolicy, command string) aictx.CheckResult
- func CheckMongoDBPolicy(ctx context.Context, p *asset_entity.MongoPolicy, operation string) aictx.CheckResult
- func CheckQueryPolicy(ctx context.Context, policy *asset_entity.QueryPolicy, stmts []StatementInfo) aictx.CheckResult
- func CheckRedisPolicy(ctx context.Context, policy *asset_entity.RedisPolicy, cmd string) aictx.CheckResult
- func DecodeCurrentPolicy(kind string, raw []byte) (any, error)
- func EffectiveEtcdPolicy(ctx context.Context, custom *asset_entity.EtcdPolicy) *asset_entity.EtcdPolicy
- func EffectiveK8sPolicy(ctx context.Context, custom *asset_entity.K8sPolicy) *asset_entity.K8sPolicy
- func EffectiveKafkaPolicy(ctx context.Context, custom *asset_entity.KafkaPolicy) *asset_entity.KafkaPolicy
- func EffectiveMongoPolicy(ctx context.Context, custom *asset_entity.MongoPolicy) *asset_entity.MongoPolicy
- func EffectiveQueryPolicy(ctx context.Context, custom *asset_entity.QueryPolicy) *asset_entity.QueryPolicy
- func EffectiveRedisPolicy(ctx context.Context, custom *asset_entity.RedisPolicy) *asset_entity.RedisPolicy
- func ExtractRedisCommand(cmd string) (fullCmd string, args string)
- func ExtractSubCommands(command string) ([]string, error)
- func FindHintRules(command string, allowRules []string) []string
- func FormatDenyMessage(_ context.Context, assetName, command, reason string, hints []string) string
- func IsZh(ctx context.Context) bool
- func MatchCommandRule(rule, command string) bool
- func MatchKafkaRule(rule, command string) bool
- func MatchRedisRule(rule, cmd string) bool
- func PolicyFmt(ctx context.Context, enFmt, zhFmt string, args ...any) string
- func PolicyMsg(ctx context.Context, en, zh string) string
- func ResolveCommandGroups(ctx context.Context, groupIDs []string) (allow, deny []string)
- func ResolveEtcdGroups(ctx context.Context, groupIDs []string) (allow, deny []string)
- func ResolveGroupChain(ctx context.Context, groupID int64) []*group_entity.Group
- func ResolveKafkaGroups(ctx context.Context, groupIDs []string) (allow, deny []string)
- func ResolveMongoGroups(ctx context.Context, groupIDs []string) (allowTypes, denyTypes []string)
- func ResolvePolicyKind(s string) (string, bool)
- func ResolveQueryGroups(ctx context.Context, groupIDs []string) (allowTypes, denyTypes, denyFlags []string)
- func ResolveRedisGroups(ctx context.Context, groupIDs []string) (allow, deny []string)
- func StmtRawTexts(stmts []StatementInfo) []string
- type ExtensionPolicyRule
- type MatchFunc
- type ParsedCommand
- type PolicyTestInput
- type PolicyTestOutput
- type StatementInfo
Constants ¶
const ( PolicyKindCommand = policyent.PolicyKindCommand PolicyKindQuery = policyent.PolicyKindQuery PolicyKindRedis = policyent.PolicyKindRedis PolicyKindMongo = policyent.PolicyKindMongo PolicyKindKafka = policyent.PolicyKindKafka PolicyKindK8s = policyent.PolicyKindK8s PolicyKindEtcd = policyent.PolicyKindEtcd )
PolicyKind 是策略逻辑的规范化种类,是 policy 测试链路统一的 dispatch key。 规范词表定义在最底层的 entity/policy(PolicyKind*),这里 alias 复用;资产类型 / 前端 policyType 经 ResolvePolicyKind(查 entity/policy 的 asset-kind 注册表)映射到它。
Variables ¶
This section is empty.
Functions ¶
func AllSubCommandsAllowed ¶
AllSubCommandsAllowed 检查所有子命令是否都匹配 allow 规则,返回是否全部匹配及命中的规则
func AppendUnique ¶
AppendUnique 按精确字符串去重。 不能按 ToUpper 折叠 —— Redis key、Kafka resource、shell 命令模式都是大小写敏感的, `GET User:*` 与 `GET user:*` 是两条不同的规则,合并会让其中一条静默失效。
func CheckEtcdPolicy ¶
func CheckEtcdPolicy(ctx context.Context, policy *asset_entity.EtcdPolicy, cmd string) aictx.CheckResult
CheckEtcdPolicy 检查 etcd 命令是否符合策略(EtcdPolicy 是 RedisPolicy 的类型别名, 命令格式 "op [key] [value]" 与 Redis "cmd [args]" 同构,复用 MatchRedisRule 匹配)。
func CheckExtensionPolicy ¶
CheckExtensionPolicy resolves ext: prefixed policy groups and checks allow/deny action lists. Logic:
- If no groupIDs → aictx.NeedConfirm
- Fetch policy groups via fetchPolicyGroups (handles ext: prefix)
- Unmarshal each group's Policy JSON into ExtensionPolicyRule
- aictx.Deny takes precedence: if action in any deny_list → aictx.Deny
- Then check allow: if action in any allow_list → aictx.Allow
- Otherwise → aictx.NeedConfirm
func CheckGroupGenericPolicy ¶
func CheckGroupGenericPolicy(ctx context.Context, assetID int64, subCmds []string, matchFn MatchFunc) aictx.CheckResult
CheckGroupGenericPolicy 在真实执行路径中检查组的通用策略(CmdPolicy)。 subCmds 是已经按资产语义拆好的执行单元:对 K8s/SSH 这类 shell 类资产应传入 ExtractSubCommands 的结果;对 Database/Redis/Mongo/Kafka 等单语句类资产传入 单元素切片即可。aictx.Deny 优先:任一子命令命中即拒绝;aictx.Allow 必须所有子命令都命中。
func CheckK8sPolicy ¶
func CheckK8sPolicy(ctx context.Context, policy *asset_entity.K8sPolicy, command string) aictx.CheckResult
func CheckKafkaPolicy ¶
func CheckKafkaPolicy(ctx context.Context, policy *asset_entity.KafkaPolicy, command string) aictx.CheckResult
func CheckMongoDBPolicy ¶
func CheckMongoDBPolicy(ctx context.Context, p *asset_entity.MongoPolicy, operation string) aictx.CheckResult
policy.CheckMongoDBPolicy 检查 MongoDB 操作是否符合策略(合并默认策略后检查)
func CheckQueryPolicy ¶
func CheckQueryPolicy(ctx context.Context, policy *asset_entity.QueryPolicy, stmts []StatementInfo) aictx.CheckResult
CheckQueryPolicy 检查 SQL 语句是否符合策略(合并默认策略后检查)
func CheckRedisPolicy ¶
func CheckRedisPolicy(ctx context.Context, policy *asset_entity.RedisPolicy, cmd string) aictx.CheckResult
CheckRedisPolicy 检查 Redis 命令是否符合策略(合并默认策略后检查)
func DecodeCurrentPolicy ¶ added in v1.9.0
DecodeCurrentPolicy 用对应 kind 的 handler 把策略 JSON 还原为具体策略指针。
func EffectiveEtcdPolicy ¶
func EffectiveEtcdPolicy(ctx context.Context, custom *asset_entity.EtcdPolicy) *asset_entity.EtcdPolicy
func EffectiveK8sPolicy ¶
func EffectiveK8sPolicy(ctx context.Context, custom *asset_entity.K8sPolicy) *asset_entity.K8sPolicy
func EffectiveKafkaPolicy ¶
func EffectiveKafkaPolicy(ctx context.Context, custom *asset_entity.KafkaPolicy) *asset_entity.KafkaPolicy
func EffectiveMongoPolicy ¶
func EffectiveMongoPolicy(ctx context.Context, custom *asset_entity.MongoPolicy) *asset_entity.MongoPolicy
func EffectiveQueryPolicy ¶
func EffectiveQueryPolicy(ctx context.Context, custom *asset_entity.QueryPolicy) *asset_entity.QueryPolicy
func EffectiveRedisPolicy ¶
func EffectiveRedisPolicy(ctx context.Context, custom *asset_entity.RedisPolicy) *asset_entity.RedisPolicy
func ExtractRedisCommand ¶
ExtractRedisCommand 提取 Redis 命令名(含子命令)和参数
func ExtractSubCommands ¶
ExtractSubCommands 从 shell 命令中提取所有可执行子命令。
处理:
- `&&` `||` `;` `|` 等 BinaryCmd 拆分
- CallExpr:Args 作为命令本体;Assigns 的右值仍要扫,因为 `PAYLOAD=$(rm -rf /) echo` 里的 CmdSubst 会先于命令执行
- Stmt.Redirs:目标 word 里若有 CmdSubst/ProcSubst 要递归提取;输出重定向(>、>>、&>…) 除目标是 /dev/null 等公认安全目标外,还要作为合成 sub-command 强制策略覆盖, 否则 `echo pwned > /etc/cron.d/x` 会被 `echo *` 静默放行写文件
- `$()`、反引号、`<(...)`/`>(...)` 进程替换、`${VAR:-$(...)}` 参数展开默认值都会执行
- 双引号内的 `$()` 同样递归;单引号内不展开
- FuncDecl:函数声明体不触发执行,跳过,避免 `cleanup() { rm -rf /tmp/foo; }; echo ok` 这种仅定义不调用的脚本被误判
- 其他控制结构(Subshell、Block、IfClause、ForClause…)走 Walk 兜底
func FindHintRules ¶
FindHintRules 从 allow 规则中找同程序名的规则作为提示
func FormatDenyMessage ¶
FormatDenyMessage 生成拒绝命令的用户提示,含资产名、命令和提示规则。
func MatchCommandRule ¶
MatchCommandRule 检查实际命令是否匹配规则字符串
func MatchKafkaRule ¶
MatchKafkaRule matches canonical Kafka permission commands. Both rule and command must be exactly "<action> <resource>", for example: "topic.read orders-*" or "topic.config.write orders".
func MatchRedisRule ¶
MatchRedisRule 检查 Redis 命令是否匹配规则 规则格式: "FLUSHDB", "CONFIG SET *", "DEL user:*"
func ResolveCommandGroups ¶
ResolveCommandGroups 解析引用的权限组,返回合并后的 allow/deny 规则
func ResolveEtcdGroups ¶
ResolveEtcdGroups 解析引用的 etcd 权限组,返回合并后的 allow/deny 规则
func ResolveGroupChain ¶
func ResolveGroupChain(ctx context.Context, groupID int64) []*group_entity.Group
ResolveGroupChain 递归获取组链(组 → 父组 → ... → 根),最大深度 5
func ResolveKafkaGroups ¶
ResolveKafkaGroups 解析引用的 Kafka 权限组,返回合并后的 allow/deny 规则
func ResolveMongoGroups ¶
ResolveMongoGroups 解析引用的 MongoDB 权限组,返回合并后的 allowTypes/denyTypes
func ResolvePolicyKind ¶ added in v1.9.0
ResolvePolicyKind 把资产类型 / 前端 policyType 解析为已注册的 policyKind。 先解别名,再查 assettype handler 注册的 asset-kind 表,最后允许直接传 kind; 仅当目标 kind 有注册 handler 时返回 ok=true,未注册返回 false, 调用方据此保持 "unsupported policy type" 的既有行为。
func ResolveQueryGroups ¶
func ResolveQueryGroups(ctx context.Context, groupIDs []string) (allowTypes, denyTypes, denyFlags []string)
ResolveQueryGroups 解析引用的 Query 权限组,返回合并后的规则
func ResolveRedisGroups ¶
ResolveRedisGroups 解析引用的 Redis 权限组,返回合并后的 allow/deny 规则
func StmtRawTexts ¶
func StmtRawTexts(stmts []StatementInfo) []string
StmtRawTexts 从 policy.ClassifyStatements 结果里取每条语句的原始 SQL 文本(含 trim), 用于按 statement 粒度送进组通用策略与 Grant 匹配。
Types ¶
type ExtensionPolicyRule ¶
type ExtensionPolicyRule struct {
AllowList []string `json:"allow_list"`
DenyList []string `json:"deny_list"`
}
ExtensionPolicyRule represents the allow/deny action lists in an extension policy group's Policy JSON.
type ParsedCommand ¶
type ParsedCommand struct {
Program string
SubCommands []string
Flags map[string]string
Wildcard bool
}
ParsedCommand 解析后的命令结构
func ParseActualCommand ¶
func ParseActualCommand(command string, _ *ParsedCommand) *ParsedCommand
ParseActualCommand 解析实际命令。rule 参数当前未参与判定(保留以备未来按规则提示 区分 flag 是否带值),现行规则是:下一个 token 不是 flag 就视为该 flag 的值。
func ParseCommandRule ¶
func ParseCommandRule(rule string) *ParsedCommand
ParseCommandRule 将规则字符串解析为结构化表示
type PolicyTestInput ¶
type PolicyTestInput struct {
PolicyKind string // 规范 policyKind(command/query/redis/mongo/kafka/k8s/etcd);由 ResolvePolicyKind 得到,取值见 policy_kind.go
AssetID int64 // 资产ID(从资产的 groupID 开始解析组链)
GroupID int64 // 资产组ID(从父组开始解析,当前组策略由 Current 提供)
// Current 当前编辑中的策略(DecodeCurrentPolicy 的产物,具体类型 *CommandPolicy 等),可为 nil。
Current any
}
PolicyTestInput 策略测试入参
type PolicyTestOutput ¶
type PolicyTestOutput struct {
Decision aictx.Decision
MatchedPattern string
MatchedSource string // "" 当前策略, "default" 默认规则, 组名
Message string
}
PolicyTestOutput 策略测试结果
func TestPolicy ¶
func TestPolicy(ctx context.Context, input PolicyTestInput, command string) PolicyTestOutput
TestPolicy 统一的策略测试入口,按 policyKind 查表分发,解析资产组链并合并策略后检查命令。
type StatementInfo ¶
type StatementInfo struct {
Type string // SELECT, INSERT, UPDATE, DELETE, DROP TABLE, TRUNCATE, ...
Raw string
Dangerous bool
Reason string // no_where_delete, no_where_update, prepare, call
}
StatementInfo 解析后的 SQL 语句分类信息
func ClassifyStatements ¶
func ClassifyStatements(sqlText string) ([]StatementInfo, error)
ClassifyStatements 解析 SQL 并返回每条语句的类型