rbac



Types

type Decision

// Decision is the outcome of an authorization check. Its zero value is
// DecisionDeny (DecisionDeny is iota 0 below), so an uninitialised or
// defaulted Decision never grants access.
type Decision int

Decision represents the result of an authorization decision.

const (
	// DecisionDeny refuses the request. It is deliberately the zero value
	// so that a missing or forgotten assignment fails closed.
	DecisionDeny Decision = iota
	// DecisionAllow grants the requested action on the resource.
	DecisionAllow
)

func (Decision) String

func (d Decision) String() string

type EvaluateOption

// EvaluateOption is a functional option consumed by Evaluator.Evaluate; each
// option mutates the EvaluateOptions for a single call (see WithExplainer).
type EvaluateOption func(*EvaluateOptions)

EvaluateOption is a functional option for Evaluate

func WithExplainer

func WithExplainer(explainer Explainer) EvaluateOption

WithExplainer adds an explainer to track the evaluation process

type EvaluateOptions

// EvaluateOptions holds the per-call settings for Evaluator.Evaluate.
type EvaluateOptions struct {
	// Explainer receives the Rule* callbacks as rules are considered,
	// skipped or matched. Set it via WithExplainer. Presumably nil means
	// no explanation is recorded; it is an observability hook and should
	// never influence the returned Decision — TODO confirm in Evaluate.
	Explainer Explainer
}

EvaluateOptions contains options for the Evaluate method

type Evaluator

// Evaluator answers authorization Requests against the Policy returned by
// its PolicyProvider. It keeps a decision cache (see ClearCache) and may run
// background work that Stop shuts down.
//
// NOTE(review): a decision cache must be invalidated whenever the provider's
// policy changes, otherwise a cached allow can outlive a revoked rule —
// confirm ClearCache is called (or the cache is keyed) on policy updates.
type Evaluator struct {
	// contains filtered or unexported fields
}

Evaluator evaluates RBAC policies using a PolicyProvider

func NewEvaluator

func NewEvaluator(ctx context.Context, provider PolicyProvider, logger *slog.Logger) *Evaluator

NewEvaluator creates a new RBAC evaluator with a PolicyProvider

func (*Evaluator) ClearCache

func (e *Evaluator) ClearCache()

ClearCache clears the decision cache

func (*Evaluator) Evaluate

func (e *Evaluator) Evaluate(req *Request, opts ...EvaluateOption) Decision

Evaluate evaluates a request, taking its groups and tags into account.

func (*Evaluator) Stop

func (e *Evaluator) Stop()

Stop stops any background tasks (kept for compatibility).

type Explainer

// Explainer receives callbacks describing how Evaluate reached its Decision.
// It is a diagnostics hook: implementations are handed the *Rule under
// evaluation and should treat it as read-only.
type Explainer interface {
	// RuleConsidered is called for each rule that is evaluated
	RuleConsidered(rule *Rule)

	// RuleSkipped is called when a rule is skipped with the reason
	// (the reason string is free text chosen by the evaluator).
	RuleSkipped(rule *Rule, reason string)

	// RuleMatched is called when a rule matches and grants permission
	// for the given resource and action.
	RuleMatched(rule *Rule, resource string, action string)

	// NoRulesMatched is called when no rules grant the requested permission
	NoRulesMatched()
}

Explainer receives information about the evaluation process

type Permission

// Permission names a resource and the actions a Rule grants on it; these
// entries are what Rule.HasPermission consults.
//
// NOTE(review): whether Resource or Actions accept wildcards is not visible
// here — confirm before relying on exact-match semantics.
type Permission struct {
	Resource string   `json:"resource"` // resource identifier the actions apply to
	Actions  []string `json:"actions"`  // actions granted on Resource
}

Permission represents a permission in a rule

type Policy

// Policy is the RBAC policy document obtained from miren.cloud. Rules is the
// set of rules an Evaluator consults; ClusterID and ClusterName identify the
// cluster the document was issued for and are omitted from JSON when empty.
type Policy struct {
	Rules       []Rule `json:"rules"`
	ClusterID   string `json:"cluster_id,omitempty"`
	ClusterName string `json:"cluster_name,omitempty"`
}

Policy represents the RBAC policy document from miren.cloud

type PolicyProvider

// PolicyProvider supplies the current Policy to an Evaluator.
type PolicyProvider interface {
	// GetPolicy returns the current policy. There is no error return, so a
	// provider that cannot load a policy can only signal that with a nil or
	// empty Policy. NOTE(review): confirm Evaluator treats both as deny.
	GetPolicy() *Policy
}

PolicyProvider is an interface for providing RBAC policies

type Request

// Request describes one authorization question: may Subject, a member of
// Groups, perform Action on Resource, given Tags and Context.
//
// Groups is presumably what Rule.AppliesTo is fed and Tags what
// Rule.MatchesTags is fed, so both are trust-critical: populate them from the
// same verified source as Subject, not from caller-controlled request input.
type Request struct {
	Subject  string         // Subject identifier (from JWT)
	Groups   []string       // Group IDs the subject belongs to
	Resource string         // Resource being accessed
	Action   string         // Action being performed
	Tags     map[string]any // Tags to match against rule selectors
	Context  map[string]any // Additional context (not read by the methods shown here)
}

Request represents an authorization request with tags

type Rule

// Rule is a single RBAC rule from miren.cloud. Its three checks are exposed
// as methods: AppliesTo (Groups), MatchesTags (TagSelector) and
// HasPermission (Permissions).
type Rule struct {
	ID          string       `json:"id"`
	Name        string       `json:"name"`
	Description string       `json:"description,omitempty"`
	TagSelector TagSelector  `json:"tag_selector"` // tag criteria tested by MatchesTags
	Groups      []string     `json:"groups"`       // group IDs tested by AppliesTo
	Permissions []Permission `json:"permissions"`  // grants tested by HasPermission
	CreatedAt   string       `json:"created_at"`   // timestamp as a string; format not shown here
	UpdatedAt   string       `json:"updated_at"`   // timestamp as a string; format not shown here
}

Rule represents a single RBAC rule from miren.cloud

func (*Rule) AppliesTo

func (r *Rule) AppliesTo(groups []string) bool

AppliesTo reports whether the rule applies to the given groups.

func (*Rule) HasPermission

func (r *Rule) HasPermission(resource, action string) bool

HasPermission reports whether the rule grants permission for the given resource and action.

func (*Rule) MatchesTags

func (r *Rule) MatchesTags(tags map[string]any) bool

MatchesTags reports whether the rule's tag selector matches the provided tags.

type TagExpression

// TagExpression is one predicate over a request tag: Operator selects how
// Value is compared with the tag named by Tag.
//
// NOTE(review): Value is `any`, so a JSON-decoded number (float64) compared
// with a tag supplied as an int, or strings differing only in case, depend on
// the coercion rules inside MatchesTags — confirm them before relying on
// equality of non-string values. Presumably "exists"/"not_exists" ignore
// Value; verify.
type TagExpression struct {
	Tag      string `json:"tag"`
	Value    any    `json:"value"`    // Can be a string, number, boolean, or array
	Operator string `json:"operator"` // "equals", "not_equals", "in", "not_in", "exists", "not_exists"
}

TagExpression represents a single tag matching expression

type TagSelector

// TagSelector groups the TagExpressions a Rule uses to restrict which tagged
// resources it covers.
//
// NOTE(review): whether Expressions are combined with AND (all must match)
// or OR is not visible here, and neither is the meaning of an empty selector
// (match everything vs. nothing). Both decide the default breadth of a rule,
// so confirm them against MatchesTags.
type TagSelector struct {
	Expressions []TagExpression `json:"expressions"`
}

TagSelector defines tag matching criteria using expressions
