Constants ¶
// Caveat type identifiers for the caveats declared in this package. Each
// name appears to pair with one caveat struct of this package (for example
// CavApps with Apps, CavFromMachineSource with FromMachine) — confirm against
// the CaveatType methods.
//
// NOTE(review): the values are not contiguous (1, 4 and 11-13 do not appear
// here). Presumably those identifiers are assigned elsewhere or retired.
// A caveat's type identifier is likely part of the encoded token, so existing
// values should not be renumbered or reused — confirm against the macaroon
// package.
const (
	CavOrganization        = 0
	CavVolumes             = 2
	CavApps                = 3
	CavFeatureSet          = 5
	CavMutations           = 6
	CavMachines            = 7
	CavConfineUser         = 8
	CavConfineOrganization = 9
	CavIsUser              = 10
	CavMachineFeatureSet   = 14
	CavFromMachineSource   = 15
	CavClusters            = 16
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Access ¶
// Access describes one requested action on one object; Validate checks that
// the combination of fields is coherent. OrgID and Action are plain values,
// while every other field is a pointer, presumably nil when that resource is
// not part of the request — TODO confirm.
//
// NOTE(review): the JSON keys mix naming styles ("machine_feature" vs
// "sourceMachine"). They are part of the serialized form, so they should not
// be normalized without checking every producer and consumer.
type Access struct {
	OrgID          uint64          `json:"orgid"`
	AppID          *uint64         `json:"appid"`
	Action         macaroon.Action `json:"action"`
	Feature        *string         `json:"feature"`
	Volume         *string         `json:"volume"`
	Machine        *string         `json:"machine"`
	MachineFeature *string         `json:"machine_feature"`
	Mutation       *string         `json:"mutation"`
	SourceMachine  *string         `json:"sourceMachine"`
	Cluster        *string         `json:"cluster"`
}
func (*Access) Validate ¶
Validate checks that the Access has sensible values set. This consists of ensuring that parent resources are specified when child resources are present (e.g. machine requires app requires org) and ensuring that multiple child resources aren't specified for a single parent resource (e.g. machine and volume are mutually exclusive).
This ensures that an Access represents a single action taken on a single object.
type Apps ¶
// Apps is a caveat restricting a token to a set of apps, each with an access
// level.
type Apps struct {
	// Apps is the resource set, keyed by uint64 (presumably the app ID).
	Apps resource_set.ResourceSet[uint64] `json:"apps"`
	// contains filtered or unexported fields
}
Apps is a set of App caveats, with their RWX access levels. A token with this set can be used only with the listed apps, regardless of what the token says. Additional Apps can be added, but they can only narrow, not expand, which apps (or access levels) can be reached from the token.
func (*Apps) CaveatType ¶
func (c *Apps) CaveatType() macaroon.CaveatType
func (Apps) IsAttestation ¶
func (a Apps) IsAttestation() bool
type Clusters ¶
// Clusters is a caveat holding a set of clusters, each with an access level.
type Clusters struct {
	// Clusters is the resource set, keyed by string (presumably a cluster
	// identifier — confirm).
	Clusters resource_set.ResourceSet[string] `json:"clusters"`
	// contains filtered or unexported fields
}
Clusters is a set of Cluster caveats, with their RWX access levels.
func (*Clusters) CaveatType ¶
func (c *Clusters) CaveatType() macaroon.CaveatType
func (Clusters) IsAttestation ¶
func (a Clusters) IsAttestation() bool
type ConfineOrganization ¶
// ConfineOrganization is a caveat for third-party (3P) use that ties the
// authenticated user to one organization.
type ConfineOrganization struct {
	// ID is the organization the authenticated user must be associated with
	// (the type's description calls it OrgID).
	ID uint64 `json:"id"`
	// contains filtered or unexported fields
}
ConfineOrganization is a requirement placed on 3P caveats, requiring that the authenticated user be associated with OrgID. It has no meaning in a 1P setting.
func (*ConfineOrganization) CaveatType ¶
func (c *ConfineOrganization) CaveatType() macaroon.CaveatType
func (ConfineOrganization) IsAttestation ¶
func (a ConfineOrganization) IsAttestation() bool
type ConfineUser ¶
// ConfineUser is a caveat limiting a token to one user.
type ConfineUser struct {
	// ID is the user ID the token is limited to.
	ID uint64 `json:"id"`
	// contains filtered or unexported fields
}
ConfineUser is a caveat limiting this token to a specific user ID.
func (*ConfineUser) CaveatType ¶
func (c *ConfineUser) CaveatType() macaroon.CaveatType
func (ConfineUser) IsAttestation ¶
func (a ConfineUser) IsAttestation() bool
type FeatureSet ¶
// FeatureSet is a caveat listing organization-level features, each managed
// as a single unit.
type FeatureSet struct {
	// Features is the resource set, keyed by the free-form feature name
	// (for example "wg").
	Features resource_set.ResourceSet[string] `json:"features"`
	// contains filtered or unexported fields
}
FeatureSet is a collection of organization-level "features" that are managed as single units. For example, the ability to manage wireguard networks is gated by the "wg" feature, though you could conceptually gate access to them individually with a Networks caveat. The feature name is free-form and more should be added as it makes sense.
func (*FeatureSet) CaveatType ¶
func (c *FeatureSet) CaveatType() macaroon.CaveatType
func (FeatureSet) IsAttestation ¶
func (a FeatureSet) IsAttestation() bool
type FromMachine ¶
// FromMachine is a caveat carrying a single machine ID.
//
// NOTE(review): the page gives no description for this type. Judging by the
// CavFromMachineSource constant and the Access.SourceMachine field, it
// presumably restricts a token to requests that originate from that machine
// — confirm against the implementation.
type FromMachine struct {
	// ID is a string identifier, presumably the source machine's ID.
	ID string `json:"id"`
	// contains filtered or unexported fields
}
func (*FromMachine) CaveatType ¶
func (s *FromMachine) CaveatType() macaroon.CaveatType
func (FromMachine) IsAttestation ¶
func (a FromMachine) IsAttestation() bool
type IsUser ¶
// IsUser is a caveat carrying a single user ID.
//
// NOTE(review): the JSON key for ID is "uint64", unlike the "id" key used by
// ConfineUser and ConfineOrganization. It looks as if the type name was put
// in the tag by mistake, but the key is part of the serialized caveat, so
// changing it would presumably break decoding of existing tokens — confirm
// before touching it.
type IsUser struct {
	ID uint64 `json:"uint64"`
	// contains filtered or unexported fields
}
TODO: deprecate this and replace with an attestation
func (*IsUser) CaveatType ¶
func (c *IsUser) CaveatType() macaroon.CaveatType
func (IsUser) IsAttestation ¶
func (a IsUser) IsAttestation() bool
type MachineFeatureSet ¶
// MachineFeatureSet is a caveat holding a string-keyed resource set of
// features.
//
// NOTE(review): the page gives no description for this type. It is presumably
// the machine-level counterpart of FeatureSet, matched against
// Access.MachineFeature — confirm against the implementation.
type MachineFeatureSet struct {
	Features resource_set.ResourceSet[string] `json:"features"`
	// contains filtered or unexported fields
}
func (*MachineFeatureSet) CaveatType ¶
func (c *MachineFeatureSet) CaveatType() macaroon.CaveatType
func (MachineFeatureSet) IsAttestation ¶
func (a MachineFeatureSet) IsAttestation() bool
type Machines ¶
// Machines is a caveat holding a string-keyed resource set of machines.
//
// NOTE(review): the page gives no description for this type. Presumably the
// keys are machine IDs and the set narrows a token the same way Apps does
// — confirm against the implementation.
type Machines struct {
	Machines resource_set.ResourceSet[string] `json:"machines"`
	// contains filtered or unexported fields
}
func (*Machines) CaveatType ¶
func (c *Machines) CaveatType() macaroon.CaveatType
func (Machines) IsAttestation ¶
func (a Machines) IsAttestation() bool
type Mutations ¶
// Mutations is a caveat listing the GraphQL mutations a token may perform.
type Mutations struct {
	// Mutations is a plain list of names. Unlike the resource-set caveats in
	// this package, no per-entry access level is visible in this field.
	Mutations []string `json:"mutations"`
	// contains filtered or unexported fields
}
Mutations is a set of GraphQL mutations allowed by this token.
func (*Mutations) CaveatType ¶
func (c *Mutations) CaveatType() macaroon.CaveatType
func (Mutations) IsAttestation ¶
func (a Mutations) IsAttestation() bool
type Organization ¶
// Organization is a caveat naming one organization (ID) together with an
// RWX-style access mask (Mask).
type Organization struct {
	ID   uint64          `json:"id"`
	Mask macaroon.Action `json:"mask"`
	// contains filtered or unexported fields
}
Organization is an orgid, plus RWX-style access control.
func (*Organization) CaveatType ¶
func (c *Organization) CaveatType() macaroon.CaveatType
func (Organization) IsAttestation ¶
func (a Organization) IsAttestation() bool
type Volumes ¶
// Volumes is a caveat holding a string-keyed resource set of volumes.
//
// NOTE(review): the page gives no description for this type. Presumably the
// keys are volume IDs and the set narrows a token the same way Apps does
// — confirm against the implementation.
type Volumes struct {
	Volumes resource_set.ResourceSet[string] `json:"volumes"`
	// contains filtered or unexported fields
}
func (*Volumes) CaveatType ¶
func (c *Volumes) CaveatType() macaroon.CaveatType
func (Volumes) IsAttestation ¶
func (a Volumes) IsAttestation() bool