Documentation
Index ¶
Constants ¶
// Caveat type identifiers, re-exported from package macaroon under shorter
// names. The values themselves are defined in package macaroon, not here.
//
// NOTE(review): presumably each constant is what the matching CaveatType
// method returns (e.g. CavApps for (*Apps).CaveatType); the method bodies are
// not visible in this listing, so confirm before relying on the pairing.
const (
	CavOrganization = macaroon.CavFlyioOrganization
	CavVolumes = macaroon.CavFlyioVolumes
	CavApps = macaroon.CavFlyioApps
	CavFeatureSet = macaroon.CavFlyioFeatureSet
	CavMutations = macaroon.CavFlyioMutations
	CavMachines = macaroon.CavFlyioMachines
	CavConfineUser = macaroon.CavFlyioConfineUser
	CavConfineOrganization = macaroon.CavFlyioConfineOrganization
	CavIsUser = macaroon.CavFlyioIsUser
	CavMachineFeatureSet = macaroon.CavFlyioMachineFeatureSet
	CavFromMachineSource = macaroon.CavFlyioFromMachineSource
	CavClusters = macaroon.CavFlyioClusters
)
// Well-known macaroon location strings.
//
// NOTE(review): presumably LocationPermission names the service that issues
// the permission token, while LocationAuthentication and LocationSecrets name
// third-party services that issue discharges for it — confirm against the
// code that mints and verifies tokens.
const (
	// well-known locations
	LocationPermission = "https://api.fly.io/v1"
	LocationAuthentication = "https://api.fly.io/aaa/v1"
	LocationSecrets = "https://api.fly.io/secrets/v1"
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Access ¶
// Access describes one action (Action) taken on one resource.
//
// The resource fields are optional pointers tagged omitempty, so a nil field
// is left out of the JSON encoding. Validate is documented as rejecting an
// Access in which a child resource is set without its parent (machine
// requires app requires org) or in which two child resources of the same
// parent are both set (e.g. machine and volume).
//
// NOTE(review): caveat checks presumably depend on that invariant, so an
// Access built from request data should pass Validate before it is evaluated
// against a token — confirm at the call sites.
type Access struct {
	OrgSlug *string `json:"org_slug,omitempty"`
	// AppID is a string serialized under the key "apphid"; the numeric
	// DeprecatedAppID below keeps the key "appid".
	AppID *string `json:"apphid,omitempty"`
	Action resset.Action `json:"action,omitempty"`
	Feature *string `json:"feature,omitempty"`
	Volume *string `json:"volume,omitempty"`
	Machine *string `json:"machine,omitempty"`
	MachineFeature *string `json:"machine_feature,omitempty"`
	Mutation *string `json:"mutation,omitempty"`
	// NOTE(review): this key is camelCase while the other multi-word keys are
	// snake_case. It is part of the serialized form, so it should not be
	// normalized without a compatibility plan.
	SourceMachine *string `json:"sourceMachine,omitempty"`
	Cluster *string `json:"cluster,omitempty"`
	// Deprecated: numeric identifiers, presumably superseded by OrgSlug and
	// AppID above — confirm no caveat still reads them before removing.
	DeprecatedOrgID *uint64 `json:"orgid,omitempty"`
	DeprecatedAppID *uint64 `json:"appid,omitempty"`
}
func (*Access) Validate ¶
Validate checks that the Access has sensible values set. This consists of ensuring that parent resources are specified when child resources are present (e.g. machine requires app requires org) and ensuring that multiple child resources aren't specified for a single parent resource (e.g. machine and volume are mutually exclusive).
This ensures that an Access represents a single action taken on a single object.
type Apps ¶
// Apps is a caveat restricting a token to a set of apps, each with its own
// RWX access level. Adding further Apps caveats can only narrow what the
// token reaches, never widen it.
type Apps struct {
	// Apps is keyed by uint64 app identifiers.
	// NOTE(review): Access.AppID is a *string while Access.DeprecatedAppID is
	// a *uint64; confirm which of the two this set is matched against.
	Apps resset.ResourceSet[uint64] `json:"apps"`
}
Apps is a set of App caveats, with their RWX access levels. A token with this set can be used only with the listed apps, regardless of what the token says. Additional Apps can be added, but they can only narrow, not expand, which apps (or access levels) can be reached from the token.
func (*Apps) CaveatType ¶
func (c *Apps) CaveatType() macaroon.CaveatType
type Clusters ¶
// Clusters is a caveat holding a set of clusters, each with its RWX access
// level.
type Clusters struct {
	// Clusters is keyed by string cluster identifiers.
	// NOTE(review): presumably matched against Access.Cluster — confirm.
	Clusters resset.ResourceSet[string] `json:"clusters"`
}
Clusters is a set of Cluster caveats, with their RWX access levels.
func (*Clusters) CaveatType ¶
func (c *Clusters) CaveatType() macaroon.CaveatType
type ConfineOrganization ¶
// ConfineOrganization is a requirement carried by third-party caveats: the
// authenticated user must be associated with the organization identified by
// ID. It is documented as having no meaning in a first-party setting.
type ConfineOrganization struct {
	// ID is the numeric organization identifier, serialized as "id".
	ID uint64 `json:"id"`
}
ConfineOrganization is a requirement placed on third-party (3P) caveats, requiring that the authenticated user be associated with OrgID. It has no meaning in a first-party (1P) setting.
func (*ConfineOrganization) CaveatType ¶
func (c *ConfineOrganization) CaveatType() macaroon.CaveatType
func (*ConfineOrganization) Name ¶ added in v0.0.5
func (c *ConfineOrganization) Name() string
type ConfineUser ¶
// ConfineUser is a caveat limiting the token to a single user.
type ConfineUser struct {
	// ID is the numeric user identifier, serialized as "id".
	ID uint64 `json:"id"`
}
ConfineUser is a caveat limiting this token to a specific user ID.
func (*ConfineUser) CaveatType ¶
func (c *ConfineUser) CaveatType() macaroon.CaveatType
func (*ConfineUser) Name ¶ added in v0.0.5
func (c *ConfineUser) Name() string
type FeatureSet ¶
// FeatureSet is a caveat over organization-level "features" that are managed
// as single units (for example "wg" for managing WireGuard networks).
type FeatureSet struct {
	// Features is keyed by free-form feature names.
	// NOTE(review): presumably matched against Access.Feature — confirm.
	Features resset.ResourceSet[string] `json:"features"`
}
FeatureSet is a collection of organization-level "features" that are managed as single units. For example, the ability to manage WireGuard networks is gated by the "wg" feature, though you could conceptually gate access to them individually with a Networks caveat. The feature name is free-form, and more should be added as it makes sense.
func (*FeatureSet) CaveatType ¶
func (c *FeatureSet) CaveatType() macaroon.CaveatType
func (*FeatureSet) Name ¶ added in v0.0.5
func (c *FeatureSet) Name() string
type FromMachine ¶
// FromMachine is a caveat carrying a single machine ID.
//
// NOTE(review): this type has no doc comment in the listing. Presumably it
// restricts the token to requests that originate from the machine with this
// ID (compare Access.SourceMachine and CavFromMachineSource) — confirm and
// document the intended check.
type FromMachine struct {
	// ID is the string machine identifier, serialized as "id".
	ID string `json:"id"`
}
func (*FromMachine) CaveatType ¶
func (c *FromMachine) CaveatType() macaroon.CaveatType
func (*FromMachine) Name ¶ added in v0.0.5
func (c *FromMachine) Name() string
type IsUser ¶
// IsUser is a caveat carrying a single numeric user ID.
//
// TODO: deprecate this and replace with an attestation.
type IsUser struct {
	// NOTE(review): the JSON key is "uint64", not "id" as on ConfineUser and
	// ConfineOrganization. It looks as if the type name was written in place
	// of the key, but the key is part of the serialized caveat, so renaming it
	// would change how already-issued tokens decode — confirm before changing.
	ID uint64 `json:"uint64"`
}
TODO: deprecate this and replace with an attestation
func (*IsUser) CaveatType ¶
func (c *IsUser) CaveatType() macaroon.CaveatType
type MachineFeatureSet ¶
// MachineFeatureSet is a caveat holding a set of string-named features.
//
// NOTE(review): this type has no doc comment in the listing. Presumably it is
// the machine-level counterpart of FeatureSet and is matched against
// Access.MachineFeature — confirm and document.
type MachineFeatureSet struct {
	// Features uses the same JSON key ("features") as FeatureSet.Features.
	Features resset.ResourceSet[string] `json:"features"`
}
func (*MachineFeatureSet) CaveatType ¶
func (c *MachineFeatureSet) CaveatType() macaroon.CaveatType
func (*MachineFeatureSet) Name ¶ added in v0.0.5
func (c *MachineFeatureSet) Name() string
type Machines ¶
// Machines is a caveat holding a set of string machine identifiers.
//
// NOTE(review): this type has no doc comment in the listing. Presumably each
// entry carries an RWX access level like the other ResourceSet-based caveats
// and is matched against Access.Machine — confirm and document.
type Machines struct {
	Machines resset.ResourceSet[string] `json:"machines"`
}
func (*Machines) CaveatType ¶
func (c *Machines) CaveatType() macaroon.CaveatType
type Mutations ¶
// Mutations is a caveat listing the GraphQL mutations allowed by the token.
type Mutations struct {
	// Mutations is a plain string slice rather than a resset.ResourceSet, so
	// entries carry no per-entry access level.
	// NOTE(review): presumably matched against Access.Mutation — confirm.
	Mutations []string `json:"mutations"`
}
Mutations is a set of GraphQL mutations allowed by this token.
func (*Mutations) CaveatType ¶
func (c *Mutations) CaveatType() macaroon.CaveatType
type Organization ¶
Organization is an orgid, plus RWX-style access control.
func (*Organization) CaveatType ¶
func (c *Organization) CaveatType() macaroon.CaveatType
func (*Organization) Name ¶ added in v0.0.5
func (c *Organization) Name() string
type Volumes ¶
// Volumes is a caveat holding a set of string volume identifiers.
//
// NOTE(review): this type has no doc comment in the listing. Presumably each
// entry carries an RWX access level like the other ResourceSet-based caveats
// and is matched against Access.Volume — confirm and document.
type Volumes struct {
	Volumes resset.ResourceSet[string] `json:"volumes"`
}
func (*Volumes) CaveatType ¶
func (c *Volumes) CaveatType() macaroon.CaveatType