package policy

v5.5.2
Published: Oct 16, 2023 License: Apache-2.0 Imports: 20 Imported by: 2

Documentation

Overview

Package policy implements the Athenz policy updater: it fetches and verifies signed policy data and provides an interface for checking access requests against the cached policies.

Index

Constants

This section is empty.

Variables

var (
	// ErrDomainMismatch "Access denied due to domain mismatch between Resource and RoleToken"
	ErrDomainMismatch = errors.New("Access denied due to domain mismatch between Resource and RoleToken")

	// ErrDomainNotFound "Access denied due to domain not found in library cache"
	ErrDomainNotFound = errors.New("Access denied due to domain not found in library cache")

	// ErrNoMatch "Access denied due to no match to any of the assertions defined in domain policy file"
	ErrNoMatch = errors.New("Access denied due to no match to any of the assertions defined in domain policy file")

	// ErrInvalidPolicyResource "Access denied due to invalid/empty policy resources"
	ErrInvalidPolicyResource = errors.New("Access denied due to invalid/empty policy resources")

	// ErrDenyByPolicy "Access Check was explicitly denied"
	ErrDenyByPolicy = errors.New("Access Check was explicitly denied")

	// ErrDomainExpired "Access denied due to expired domain policy file"
	ErrDomainExpired = errors.New("Access denied due to expired domain policy file")

	// ErrFetchPolicy "Error fetching athenz policy"
	ErrFetchPolicy = errors.New("Error fetching athenz policy")
)

Functions

This section is empty.

Types

type Assertion

type Assertion struct {
	ResourceDomain string         `json:"resource_domain"`
	ActionRegexp   *regexp.Regexp `json:"-"`
	ResourceRegexp *regexp.Regexp `json:"-"`
	Effect         error          `json:"effect"`

	Action               string `json:"action"`
	Resource             string `json:"resource"`
	ActionRegexpString   string `json:"action_regexp_string"`
	ResourceRegexpString string `json:"resource_regexp_string"`
}

Assertion represents the refined assertion data used in policy checking.

func NewAssertion

func NewAssertion(action, resource, effect string) (*Assertion, error)

NewAssertion returns the Assertion object, or an error.

type Daemon

type Daemon interface {
	Start(context.Context) <-chan error
	Update(context.Context) error
	CheckPolicy(ctx context.Context, domain string, roles []string, action, resource string) error
	CheckPolicyRoles(ctx context.Context, domain string, roles []string, action, resource string) ([]string, error)
	GetPolicyCache(context.Context) map[string]interface{}
}

Daemon represents the daemon to retrieve policy data from Athenz.

func New

func New(opts ...Option) (Daemon, error)

New is the constructor of the policy daemon (policyd).
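The Assertion and Daemon entries above name the pieces of an access check (a refined assertion with compiled action and resource patterns, an effect, and the sentinel errors returned by CheckPolicy) but not how they fit together. The following is an added example, not code from the athenz-authorizer project: a self-contained, standard-library reimplementation of that evaluation model. It assumes a glob-to-regexp conversion in which `*` matches any run of characters and `?` one character, a cache keyed `"domain:role.<name>"` (the package's own cache layout is not shown on this page), and a constructed `sports` domain; the sentinel errors are copied from the package's exported variables so the file builds on its own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Sentinel errors copied from the policy package's exported variables so this file builds on its own.
var (
	ErrDomainMismatch        = errors.New("Access denied due to domain mismatch between Resource and RoleToken")
	ErrNoMatch               = errors.New("Access denied due to no match to any of the assertions defined in domain policy file")
	ErrInvalidPolicyResource = errors.New("Access denied due to invalid/empty policy resources")
	ErrDenyByPolicy          = errors.New("Access Check was explicitly denied")
)

// Assertion is the refined form of one policy assertion (same field roles as the package's type).
type Assertion struct {
	ResourceDomain string
	ActionRegexp   *regexp.Regexp
	ResourceRegexp *regexp.Regexp
	Effect         error // nil means allow; ErrDenyByPolicy means an explicit deny
}

// globToRegexp turns an Athenz wildcard pattern ('*' = any run, '?' = one character) into an anchored,
// case-insensitive regexp. Everything is quoted first, so regexp metacharacters in a resource name
// cannot widen the match. (Assumed conversion for this example, not the package's own.)
func globToRegexp(glob string) *regexp.Regexp {
	quoted := regexp.QuoteMeta(glob) // escapes every metacharacter, including * and ?
	pattern := strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(quoted)
	return regexp.MustCompile("(?i)^" + pattern + "$")
}

// NewAssertion splits "domain:resource", compiles both patterns and maps the effect string.
func NewAssertion(action, resource, effect string) (*Assertion, error) {
	dom, res, ok := strings.Cut(resource, ":")
	if !ok || dom == "" || res == "" {
		return nil, ErrInvalidPolicyResource
	}
	a := &Assertion{ResourceDomain: dom, ActionRegexp: globToRegexp(action), ResourceRegexp: globToRegexp(res)}
	if strings.EqualFold(effect, "deny") {
		a.Effect = ErrDenyByPolicy
	}
	return a, nil
}

// RolePolicies is the assumed cache shape: "domain:role.<name>" -> assertions granted to that role.
type RolePolicies map[string][]*Assertion

// CheckPolicy evaluates action on resource for a caller holding roles in domain. Athenz semantics:
// an explicit deny on any matching assertion wins over every allow, and no match means default deny.
func CheckPolicy(cache RolePolicies, domain string, roles []string, action, resource string) error {
	resDom, res, ok := strings.Cut(resource, ":")
	if !ok || resDom == "" || res == "" {
		return ErrInvalidPolicyResource
	}
	if resDom != domain {
		return ErrDomainMismatch // the resource's domain must equal the role token's domain
	}
	allowed := false
	for _, role := range roles {
		for _, a := range cache[domain+":role."+role] {
			if a.ResourceDomain != domain || !a.ActionRegexp.MatchString(action) || !a.ResourceRegexp.MatchString(res) {
				continue
			}
			if a.Effect != nil {
				return a.Effect // explicit deny short-circuits the scan
			}
			allowed = true
		}
	}
	if allowed {
		return nil
	}
	return ErrNoMatch
}

// sampleCache builds a constructed cache for a fictional "sports" domain (not real Athenz data).
func sampleCache() RolePolicies {
	writer, _ := NewAssertion("write", "sports:article.*", "allow")
	reader, _ := NewAssertion("read", "sports:article.*", "allow")
	intern, _ := NewAssertion("*", "sports:article.finance.*", "deny")
	return RolePolicies{
		"sports:role.writers": {writer},
		"sports:role.readers": {reader},
		"sports:role.interns": {intern},
	}
}

func main() {
	cache := sampleCache()
	fmt.Println(CheckPolicy(cache, "sports", []string{"writers"}, "write", "sports:article.news"))
	fmt.Println(CheckPolicy(cache, "sports", []string{"writers", "interns"}, "write", "sports:article.finance.q3"))
}
```

Two details matter for a policy engine: the deny effect returns as soon as it matches, so membership in a denied role cannot be overridden by an allow from another role, and an empty result is ErrNoMatch rather than nil, so a caller that forgets to check the error never falls through to an implicit allow. Quoting the glob before compiling it keeps a resource name such as `article.*` from being read as "any character followed by anything".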

type Fetcher

type Fetcher interface {
	Domain() string
	Fetch(context.Context) (*SignedPolicy, error)
	FetchWithRetry(context.Context) (*SignedPolicy, error)
}

Fetcher represents a fetcher object for retrieving a signed policy.

type Option

type Option func(*policyd) error

Option represents a functional option

func WithAthenzDomains

func WithAthenzDomains(doms ...string) Option

WithAthenzDomains returns an AthenzDomains functional option.

func WithAthenzURL

func WithAthenzURL(url string) Option

WithAthenzURL returns an AthenzURL functional option

func WithExpiryMargin

func WithExpiryMargin(d string) Option

WithExpiryMargin returns an ExpiryMargin functional option

func WithHTTPClient

func WithHTTPClient(c *http.Client) Option

WithHTTPClient returns an HTTPClient functional option.

func WithPubKeyProvider

func WithPubKeyProvider(pkp pubkey.Provider) Option

WithPubKeyProvider returns a PubKeyProvider functional option

func WithPurgePeriod

func WithPurgePeriod(d string) Option

WithPurgePeriod returns a PurgePeriod functional option

func WithRefreshPeriod

func WithRefreshPeriod(d string) Option

WithRefreshPeriod returns a RefreshPeriod functional option

func WithRetryAttempts

func WithRetryAttempts(c int) Option

WithRetryAttempts returns a RetryAttempts functional option.

func WithRetryDelay

func WithRetryDelay(d string) Option

WithRetryDelay returns a RetryDelay functional option.

type SignedPolicy

type SignedPolicy struct {
	util.DomainSignedPolicyData
}

SignedPolicy represents the signed policy data

func (*SignedPolicy) Verify

func (s *SignedPolicy) Verify(pkp pubkey.Provider) error

Verify verifies the signed policy and returns any error.

type SignedPolicyVerifier

type SignedPolicyVerifier func(*SignedPolicy) error

SignedPolicyVerifier type defines the function signature to verify a signed policy.
