package redtape
import (
	"context"
	"encoding/json"
	"sort"

	"github.com/fatih/structs"
)
// PolicyEffect type is returned by Enforcer to describe the outcome of a policy evaluation.
type PolicyEffect string

const (
	// PolicyEffectAllow indicates explicit permission of the request.
	PolicyEffectAllow PolicyEffect = "allow"
	// PolicyEffectDeny indicates explicit denial of the request.
	PolicyEffectDeny PolicyEffect = "deny"
)

// NewPolicyEffect returns a PolicyEffect for a given string.
//
// Only the exact, lower-case strings "allow" and "deny" are recognised.
// Every other value — the empty string, a typo, or a differently cased
// spelling such as "Allow" — resolves to PolicyEffectDeny, so a
// misconfigured effect fails closed rather than granting access.
func NewPolicyEffect(s string) PolicyEffect {
	if s == "allow" {
		return PolicyEffectAllow
	}
	// "deny" and anything unrecognised both collapse to deny.
	return PolicyEffectDeny
}
// Policy provides methods to return data about a configured policy.
//
// It is the read-only view the Enforcer consumes; the default
// implementation is built with NewPolicy from PolicyOptions.
type Policy interface {
	// ID returns the policy identifier (PolicyOptions.Name).
	ID() string
	// Description returns the human-readable description.
	Description() string
	// Roles returns the roles the policy applies to.
	Roles() []*Role
	// Resources returns the resources the policy applies to.
	Resources() []string
	// Actions returns the actions the policy applies to.
	Actions() []string
	// Scopes returns the scopes the policy applies to.
	Scopes() []string
	// Conditions returns the conditions that must hold for the policy to apply.
	Conditions() Conditions
	// Effect returns whether a matching request is allowed or denied.
	Effect() PolicyEffect
	// Context returns the context supplied at construction, if any.
	Context() context.Context
}
// policy is the default Policy implementation returned by NewPolicy.
//
// Fields are populated once by NewPolicy; nothing in this file mutates
// them afterwards, so a policy should be treated as immutable once built.
type policy struct {
	id         string
	desc       string
	roles      []*Role
	resources  []string
	actions    []string
	scopes     []string
	conditions Conditions
	effect     PolicyEffect
	ctx        context.Context
}
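// NewPolicy returns a default policy implementation from a set of provided options.
//
// The effect string is resolved with NewPolicyEffect, so an unset or
// unrecognised effect yields a deny policy. An error is returned when the
// configured ConditionOptions cannot be turned into Conditions.
func NewPolicy(opts ...PolicyOption) (Policy, error) {
	o := NewPolicyOptions(opts...)

	conds, err := NewConditions(o.Conditions, nil)
	if err != nil {
		return nil, err
	}

	return &policy{
		id:         o.Name,
		desc:       o.Description,
		roles:      o.Roles,
		resources:  o.Resources,
		actions:    o.Actions,
		scopes:     o.Scopes, // was previously dropped, leaving Scopes() empty for every policy
		conditions: conds,
		effect:     NewPolicyEffect(o.Effect),
		ctx:        o.Context,
	}, nil
}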
// MustNewPolicy returns a default policy implementation or panics on error.
//
// Meant for package-level initialisation and tests, where a malformed
// policy definition is a programming error rather than a runtime condition.
func MustNewPolicy(opts ...PolicyOption) Policy {
	p, err := NewPolicy(opts...)
	if err == nil {
		return p
	}
	panic("failed to create new policy: " + err.Error())
}
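// MarshalJSON returns a JSON byte slice representation of the default policy implementation.
//
// The output is a PolicyOptions document, so it can be fed back through
// NewPolicy(SetPolicyOptions(...)). Conditions are emitted sorted by name
// so that the same policy always serialises to the same bytes, which
// matters when the output is hashed, signed or diffed. The Context field
// is never serialised.
func (p *policy) MarshalJSON() ([]byte, error) {
	opts := PolicyOptions{
		Name:        p.id,
		Description: p.desc,
		Roles:       p.roles,
		Resources:   p.resources,
		Actions:     p.actions,
		Scopes:      p.scopes, // was previously omitted, so scopes did not survive a marshal round-trip
		Effect:      string(p.effect),
	}

	// Map iteration order is random; fix the order by condition name.
	names := make([]string, 0, len(p.conditions))
	for name := range p.conditions {
		names = append(names, name)
	}
	sort.Strings(names)

	copts := make([]ConditionOptions, 0, len(names))
	for _, name := range names {
		c := p.conditions[name]
		// Configure the tag name on a per-call Struct instead of assigning
		// structs.DefaultTagName, which is package-global state and would
		// race with concurrent MarshalJSON calls (and leak into other users
		// of the structs package).
		s := structs.New(c)
		s.TagName = "json"
		copts = append(copts, ConditionOptions{
			Name:    name,
			Type:    c.Name(),
			Options: s.Map(),
		})
	}
	opts.Conditions = copts

	return json.Marshal(opts)
}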
// ID returns the policy ID (the Name given in PolicyOptions).
func (p *policy) ID() (id string) {
	id = p.id
	return
}
// Description returns the policy Description.
func (p *policy) Description() (desc string) {
	desc = p.desc
	return
}
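// Roles returns the roles the policy applies to.
//
// A copy of the slice is returned so callers cannot reorder or replace
// entries in the policy's own role list; the *Role elements themselves
// are shared, not deep-copied. A nil role list is returned as nil.
func (p *policy) Roles() []*Role {
	if p.roles == nil {
		return nil
	}
	out := make([]*Role, len(p.roles))
	copy(out, p.roles)
	return out
}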
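// Resources returns the resources the policy applies to.
//
// A copy is returned so that mutating the result cannot change which
// resources the policy matches. A nil list is returned as nil.
func (p *policy) Resources() []string {
	if p.resources == nil {
		return nil
	}
	out := make([]string, len(p.resources))
	copy(out, p.resources)
	return out
}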
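// Actions returns the actions the policy applies to.
//
// A copy is returned so that mutating the result cannot change which
// actions the policy matches. A nil list is returned as nil.
func (p *policy) Actions() []string {
	if p.actions == nil {
		return nil
	}
	out := make([]string, len(p.actions))
	copy(out, p.actions)
	return out
}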
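// Scopes returns the scopes the policy applies to.
//
// A copy is returned so that mutating the result cannot change which
// scopes the policy matches. A nil list is returned as nil.
func (p *policy) Scopes() []string {
	if p.scopes == nil {
		return nil
	}
	out := make([]string, len(p.scopes))
	copy(out, p.scopes)
	return out
}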
// Context returns the context supplied via SetContext at construction.
// It may be nil when no context option was given.
func (p *policy) Context() (ctx context.Context) {
	ctx = p.ctx
	return
}
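// Conditions returns the Conditions used to apply the policy.
//
// A shallow copy of the map is returned so that callers cannot add,
// remove or replace conditions on the policy itself; the Condition
// values are shared. A nil map is returned as nil.
func (p *policy) Conditions() Conditions {
	if p.conditions == nil {
		return nil
	}
	out := make(Conditions, len(p.conditions))
	for name, c := range p.conditions {
		out[name] = c
	}
	return out
}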
// Effect returns the configured PolicyEffect.
func (p *policy) Effect() (e PolicyEffect) {
	e = p.effect
	return
}
// PolicyOptions struct allows different Policy implementations to be configured with marshalable data.
//
// Effect is kept as a plain string here and converted with NewPolicyEffect
// when a policy is built, so an unknown value still ends up as deny.
// Context is excluded from JSON and has to be supplied programmatically
// (see SetContext).
type PolicyOptions struct {
	Name        string             `json:"name"`
	Description string             `json:"description"`
	Roles       []*Role            `json:"roles"`
	Resources   []string           `json:"resources"`
	Actions     []string           `json:"actions"`
	Scopes      []string           `json:"scopes"`
	Conditions  []ConditionOptions `json:"conditions"`
	Effect      string             `json:"effect"`
	Context     context.Context    `json:"-"`
}
// PolicyOption is a typed function allowing updates to PolicyOptions through functional options.
// Each option receives the PolicyOptions being assembled and mutates it in place.
type PolicyOption func(*PolicyOptions)
// NewPolicyOptions returns PolicyOptions configured with the provided functional options.
//
// Options are applied in argument order, so a later option overrides an
// earlier one that touches the same field. With no options the zero
// PolicyOptions is returned.
func NewPolicyOptions(opts ...PolicyOption) PolicyOptions {
	var options PolicyOptions
	for i := range opts {
		opts[i](&options)
	}
	return options
}
// SetPolicyOptions is a PolicyOption setting all PolicyOptions to the provided values.
//
// Every field is overwritten, including values set by options applied
// earlier in the list, so this is normally passed first.
func SetPolicyOptions(opts PolicyOptions) PolicyOption {
	replaceAll := func(o *PolicyOptions) { *o = opts }
	return replaceAll
}
// PolicyName sets the policy Name Option.
func PolicyName(n string) PolicyOption {
	setName := func(o *PolicyOptions) { o.Name = n }
	return setName
}
// PolicyDescription sets the policy description Option.
func PolicyDescription(d string) PolicyOption {
	setDescription := func(o *PolicyOptions) { o.Description = d }
	return setDescription
}
// SetPolicyEffect sets the Effect option to an arbitrary string.
//
// The value is not validated here; NewPolicy resolves it with
// NewPolicyEffect, where anything other than "allow" becomes deny.
// Prefer PolicyAllow or PolicyDeny when the effect is known statically.
func SetPolicyEffect(s string) PolicyOption {
	setEffect := func(o *PolicyOptions) { o.Effect = s }
	return setEffect
}
// PolicyDeny sets the PolicyEffect to deny.
func PolicyDeny() PolicyOption {
	deny := func(o *PolicyOptions) { o.Effect = "deny" }
	return deny
}
// PolicyAllow sets the PolicyEffect to allow.
func PolicyAllow() PolicyOption {
	allow := func(o *PolicyOptions) { o.Effect = "allow" }
	return allow
}
// SetResources replaces the option Resources with the provided values.
// The variadic slice is stored as-is, not copied.
func SetResources(s ...string) PolicyOption {
	setResources := func(o *PolicyOptions) { o.Resources = s }
	return setResources
}
// SetActions replaces the option Actions with the provided values.
// The variadic slice is stored as-is, not copied.
func SetActions(s ...string) PolicyOption {
	setActions := func(o *PolicyOptions) { o.Actions = s }
	return setActions
}
// SetScopes replaces the option Scopes with the provided values.
// The variadic slice is stored as-is, not copied.
func SetScopes(s ...string) PolicyOption {
	setScopes := func(o *PolicyOptions) { o.Scopes = s }
	return setScopes
}
// SetContext sets the Context option.
// The context is never serialised (PolicyOptions tags it json:"-").
func SetContext(ctx context.Context) PolicyOption {
	setCtx := func(o *PolicyOptions) { o.Context = ctx }
	return setCtx
}
// WithCondition adds a Condition to the Conditions option.
// Repeated calls accumulate; nothing here de-duplicates by name.
func WithCondition(co ConditionOptions) PolicyOption {
	appendCondition := func(o *PolicyOptions) {
		o.Conditions = append(o.Conditions, co)
	}
	return appendCondition
}
// WithRole adds a Role to the Roles option.
// Repeated calls accumulate; nothing here de-duplicates roles.
func WithRole(r *Role) PolicyOption {
	appendRole := func(o *PolicyOptions) {
		o.Roles = append(o.Roles, r)
	}
	return appendRole
}