Index ¶
- Constants
- Variables
- type AccessEntry
- type Activity
- type ActivityConfig
- type AdditionalAppeal
- type Appeal
- func (a *Appeal) AdvanceApproval(policy *Policy) error
- func (a *Appeal) ApplyPolicy(p *Policy) error
- func (a *Appeal) Approve() error
- func (a *Appeal) Cancel()
- func (a *Appeal) Compare(old *Appeal, actor string) ([]*DiffItem, error)
- func (a *Appeal) GetApproval(identifier string) *Approval
- func (a *Appeal) GetApprovalByIndex(index int) *Approval
- func (a *Appeal) GetDuration() (time.Duration, error)
- func (a *Appeal) GetNextPendingApproval() *Approval
- func (a *Appeal) Init(policy *Policy)
- func (a *Appeal) IsDurationEmpty() bool
- func (a *Appeal) Reject()
- func (a *Appeal) SetDefaults()
- func (a Appeal) ToGrant() (*Grant, error)
- func (a *Appeal) ToMap() (map[string]interface{}, error)
- type AppealConfig
- type AppealDurationOption
- type AppealMetadataSource
- type AppealOptions
- type Approval
- type ApprovalAction
- type ApprovalActionType
- type ApprovalStepStrategy
- type Approver
- type Comment
- type Condition
- type Crypto
- type CustomSteps
- type CustomStepsResponse
- type Decryptor
- type DiffItem
- type DormancyCheckCriteria
- type Encryptor
- type Event
- type Grant
- func (g *Grant) Compare(old *Grant, actor string) ([]*DiffItem, error)
- func (g *Grant) GetPermissions() []string
- func (g Grant) IsEligibleForExtension(extensionDurationRule time.Duration) bool
- func (g Grant) PermissionsKey() string
- func (g *Grant) Restore(actor, reason string) error
- func (g *Grant) Revoke(actor, reason string) error
- type GrantSource
- type GrantStatus
- type GrantUpdate
- type IAMClient
- type IAMConfig
- type IAMManager
- type IAMProviderType
- type ListActivitiesFilter
- type ListAppealsFilter
- type ListApprovalsFilter
- type ListAuditLogFilter
- type ListCommentsFilter
- type ListEventsFilter
- type ListGrantsFilter
- type ListProviderActivitiesFilter
- type ListResourcesFilter
- type MapResourceAccess
- type MatchCondition
- type Notification
- type NotificationMessage
- type NotificationMessages
- type Policy
- type PolicyAppealConfig
- type PolicyConfig
- type PostAppealHook
- type Provider
- type ProviderConfig
- type ProviderParameter
- type ProviderPolicy
- type ProviderType
- type Question
- type Requirement
- type RequirementTrigger
- type Resource
- type ResourceConfig
- type ResourceIdentifier
- type Resources
- type RevokeGrantsFilter
- type Role
- type SensitiveConfig
- type SensitiveInformation
- type Step
- type SummaryGroup
- type SummaryParameters
- type SummaryResult
- type SummaryUnique
Constants ¶
// Appeal action names, lifecycle statuses and reserved Details keys.
const (
	// Action names accepted when resolving an appeal.
	AppealActionNameApprove = "approve"
	AppealActionNameReject  = "reject"

	// Appeal.Status values.
	AppealStatusPending  = "pending"
	AppealStatusCanceled = "canceled"
	AppealStatusApproved = "approved"
	AppealStatusRejected = "rejected"

	// SystemActorName is the actor name reserved for the service itself
	// (inferred from the name; confirm against the callers that set it).
	SystemActorName = "system"

	// DefaultAppealAccountType matches the `default:"user"` tag on Appeal.AccountType.
	DefaultAppealAccountType = "user"

	// PermanentDurationLabel is the human-readable label for permanent access.
	PermanentDurationLabel = "Permanent"

	// ExpirationDateReasonFromAppeal explains an expiration date that was
	// derived from the appeal's AppealOptions.
	ExpirationDateReasonFromAppeal = "Expiration date is set based on the appeal options"

	// Reserved keys inside Appeal.Details. The double-underscore prefix marks
	// entries written by the service rather than by the requester.
	// NOTE(review): confirm requester-supplied details cannot overwrite these keys.
	ReservedDetailsKeyProviderParameters = "__provider_parameters"
	ReservedDetailsKeyPolicyQuestions    = "__policy_questions"
	ReservedDetailsKeyPolicyMetadata     = "__policy_metadata"
)
// Approval.Status values for a single approval step.
const (
	ApprovalStatusPending  = "pending"
	ApprovalStatusBlocked  = "blocked"
	ApprovalStatusSkipped  = "skipped"
	ApprovalStatusApproved = "approved"
	ApprovalStatusRejected = "rejected"
)
// Grant status, grant source and expiration-reason values.
const (
	// Grant.Status / Grant.StatusInProvider values.
	GrantStatusActive   GrantStatus = "active"
	GrantStatusInactive GrantStatus = "inactive"

	// Grant.Source values: created from an appeal, or imported from the provider.
	GrantSourceAppeal GrantSource = "appeal"
	GrantSourceImport GrantSource = "import"

	// Grant.ExpirationDateReason values set by the service.
	GrantExpirationReasonDormant  = "grant/access hasn't been used for a while"
	GrantExpirationReasonRestored = "grant restored with new duration"
)
// Notification type identifiers.
const (
	NotificationTypeExpirationReminder       = "ExpirationReminder"
	NotificationTypeAppealApproved           = "AppealApproved"
	NotificationTypeOnBehalfAppealApproved   = "OnBehalfAppealApproved"
	NotificationTypeAppealRejected           = "AppealRejected"
	NotificationTypeAccessRevoked            = "AccessRevoked"
	NotificationTypeApproverNotification     = "ApproverNotification"
	NotificationTypeGrantOwnerChanged        = "GrantOwnerChanged"
	NotificationTypeUnusedGrant              = "UnusedGrant"
	NotificationTypeNewComment               = "NewComment"
	NotificationTypePendingApprovalsReminder = "PendingApprovalsReminder"
)
// Provider type identifiers (ProviderConfig.Type values).
const (
	ProviderTypeAliCloudRAM = "alicloud_ram"
	ProviderTypeAliCloudSSO = "alicloud_sso"
	ProviderTypeBigQuery    = "bigquery"
	ProviderTypeMetabase    = "metabase"
	ProviderTypeGrafana     = "grafana"
	ProviderTypeTableau     = "tableau"
	ProviderTypeGCloudIAM   = "gcloud_iam"
	ProviderTypeNoOp        = "noop"
	ProviderTypeGCS         = "gcs"
	// ProviderTypePolicyTag keeps its historical "dataplex" value.
	ProviderTypePolicyTag   = "dataplex"
	ProviderTypeShield      = "shield"
	ProviderTypeGitlab      = "gitlab"
	ProviderTypeGate        = "gate"
	ProviderTypeMaxCompute  = "maxcompute"
	ProviderTypeOss         = "oss"
	ProviderTypeGoogleGroup = "google_group"
	ProviderTypeGuardian    = "guardian"
)
// ApproversKeyResource is the placeholder that, when used as an approvers
// entry, resolves approvers from the requested resource (the exact lookup
// is implemented outside this file).
const ApproversKeyResource = "$resource"
// TraceIDKey is the key under which a request trace id is carried (the
// carrier — context, log fields or metadata — is not visible here).
const TraceIDKey = "trace_id"
Variables ¶
// Sentinel errors raised while resolving approvers for an approval step.
// Compare with errors.Is.
var (
	ErrFailedToGetApprovers   = errors.New("failed to get approvers")
	ErrApproversNotFound      = errors.New("approvers not found")
	ErrUnexpectedApproverType = errors.New("unexpected approver type")
	// ErrInvalidApproverValue: approver entries are expected to be email addresses.
	ErrInvalidApproverValue = errors.New("approver value is not a valid email")
)
// Sentinel errors for grant creation, restore and update. Compare with errors.Is.
var (
	ErrDuplicateActiveGrant      = errors.New("grant already exists")
	ErrInvalidGrantRestoreParams = errors.New("invalid grant restore parameters")
	ErrInvalidGrantUpdateRequest = errors.New("invalid grant update request")
)
// Sentinel errors for parsing the "summary_uniques" / "summary_group_bys"
// filter inputs. Both inputs use the "table_name.column_name" form, and only
// supported table names are accepted — NOTE(review): these names presumably
// end up in a query, so the "not supported" checks are the allowlist; keep them.
var (
	ErrInvalidUniqueInput          = errors.New(`invalid unique input. valid format: "table_name.column_name"`)
	ErrEmptyUniqueTableName        = errors.New("empty unique table name")
	ErrEmptyUniqueColumnName       = errors.New("empty unique column name")
	ErrNotSupportedUniqueTableName = errors.New("not supported unique table name")

	ErrInvalidGroupInput          = errors.New(`invalid group input. valid format: "table_name.column_name"`)
	ErrEmptyGroupTableName        = errors.New("empty group table name")
	ErrEmptyGroupColumnName       = errors.New("empty group column name")
	ErrNotSupportedGroupTableName = errors.New("not supported group table name")
)
// ErrInvalidConditionField is returned when a Condition.Field expression
// cannot be parsed.
var ErrInvalidConditionField = errors.New("unable to parse condition's field")
Functions ¶
This section is empty.
Types ¶
type AccessEntry ¶
func (AccessEntry) ToGrant ¶
func (ae AccessEntry) ToGrant(resource Resource) Grant
type Activity ¶
// Activity is one recorded use of access on a resource, as reported by a
// provider. Activities are attached to grants (Grant.Activities) and are the
// input for dormancy checks (DormancyCheckCriteria).
type Activity struct {
ID string `json:"id" yaml:"id"`
ProviderID string `json:"provider_id" yaml:"provider_id"`
ResourceID string `json:"resource_id" yaml:"resource_id"`
// ProviderActivityID is the provider-side identifier of the event.
ProviderActivityID string `json:"provider_activity_id" yaml:"provider_activity_id"`
// AccountType / AccountID identify the principal that performed the activity.
AccountType string `json:"account_type" yaml:"account_type"`
AccountID string `json:"account_id" yaml:"account_id"`
// Timestamp is when the activity happened at the provider; CreatedAt is when
// this record was stored.
Timestamp time.Time `json:"timestamp" yaml:"timestamp"`
// Authorizations and RelatedPermissions are provider-reported strings; their
// exact vocabulary is provider-specific and not defined here.
Authorizations []string `json:"authorizations" yaml:"authorizations"`
RelatedPermissions []string `json:"related_permissions" yaml:"related_permissions"`
Type string `json:"type" yaml:"type"`
// Metadata is free-form provider payload; treat it as untrusted data.
Metadata map[string]interface{} `json:"metadata" yaml:"metadata"`
CreatedAt time.Time `json:"created_at" yaml:"created_at"`
// Provider and Resource are optional expansions of ProviderID / ResourceID.
Provider *Provider `json:"provider,omitempty" yaml:"provider,omitempty"`
Resource *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
}
type ActivityConfig ¶ added in v0.7.5
type AdditionalAppeal ¶
// AdditionalAppeal describes an appeal that a Requirement creates
// automatically alongside the original one (see Requirement.Appeals).
type AdditionalAppeal struct {
// Resource identifies the target resource; required.
Resource *ResourceIdentifier `json:"resource" yaml:"resource" validate:"required"`
// Role is the role requested on that resource; required.
Role string `json:"role" yaml:"role" validate:"required"`
// Options optionally sets the duration/expiration of the additional appeal.
Options *AppealOptions `json:"options" yaml:"options"`
// Policy optionally pins which policy (id + version) evaluates the appeal.
Policy *PolicyConfig `json:"policy" yaml:"policy"`
// AccountType overrides the account type of the additional appeal when set.
AccountType string `json:"account_type" yaml:"account_type"`
}
type Appeal ¶
// Appeal is an access request: an account asks for Role on ResourceID, the
// request is evaluated against Policy (PolicyID/PolicyVersion), walks through
// Approvals, and on approval produces a Grant.
type Appeal struct {
ID string `json:"id" yaml:"id"`
ResourceID string `json:"resource_id" yaml:"resource_id"`
// PolicyID / PolicyVersion pin the exact policy version the appeal was
// evaluated with, so later policy edits do not retroactively change it.
PolicyID string `json:"policy_id" yaml:"policy_id"`
PolicyVersion uint `json:"policy_version" yaml:"policy_version"`
// Status is one of the AppealStatus* constants.
Status string `json:"status" yaml:"status"`
// AccountID / AccountType identify the principal that will receive access.
// AccountType defaults to "user" (DefaultAppealAccountType).
AccountID string `json:"account_id" yaml:"account_id"`
AccountType string `json:"account_type" yaml:"account_type" default:"user"`
GroupID string `json:"group_id,omitempty" yaml:"group_id,omitempty"`
GroupType string `json:"group_type,omitempty" yaml:"group_type,omitempty"`
// CreatedBy is the requester. It can differ from AccountID when the policy
// allows on-behalf appeals (PolicyAppealConfig.AllowOnBehalf).
CreatedBy string `json:"created_by" yaml:"created_by"`
// Creator holds the requester's identity-provider record (Policy.IAM); it is
// nil when that lookup failed and AllowCreatorDetailsFailure is set.
Creator interface{} `json:"creator" yaml:"creator"`
Role string `json:"role" yaml:"role"`
Permissions []string `json:"permissions" yaml:"permissions"`
Options *AppealOptions `json:"options" yaml:"options"`
// Details is free-form data. Keys starting with "__" (the
// ReservedDetailsKey* constants) are written by the service.
Details map[string]interface{} `json:"details" yaml:"details"`
Labels map[string]string `json:"labels" yaml:"labels"`
Description string `json:"description" yaml:"description"`
// Policy is the resolved policy object; it is deliberately excluded from
// JSON/YAML output (`json:"-"`) so policy internals are not exposed.
Policy *Policy `json:"-" yaml:"-"`
Resource *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
// Approvals are the policy steps instantiated for this appeal; entries from
// an earlier Revision are marked Approval.IsStale.
Approvals []*Approval `json:"approvals,omitempty" yaml:"approvals,omitempty"`
Grant *Grant `json:"grant,omitempty" yaml:"grant,omitempty"`
// Revision is bumped when the appeal is re-evaluated; approvals record the
// revision they belong to in Approval.AppealRevision.
Revision uint `json:"revision,omitempty" yaml:"revision,omitempty"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
Appeal is the access-request model: a request for a role on a resource that is evaluated against a policy, tracked through its approval steps, and — once approved — backed by a Grant.
func (*Appeal) AdvanceApproval ¶
func (*Appeal) ApplyPolicy ¶
func (*Appeal) GetApproval ¶
GetApproval returns an approval within the appeal. If an ID is provided, it returns the approval with that ID. If a name is provided, it returns the approval with that name whose IsStale flag is false (stale approvals are ignored).
func (*Appeal) GetApprovalByIndex ¶ added in v0.11.2
func (*Appeal) GetNextPendingApproval ¶
func (*Appeal) IsDurationEmpty ¶
func (*Appeal) SetDefaults ¶
func (a *Appeal) SetDefaults()
type AppealConfig ¶
// AppealConfig is the appeal configuration declared on a provider
// (ProviderConfig.Appeal). The policy-level counterpart is PolicyAppealConfig.
type AppealConfig struct {
// AllowPermanentAccess permits appeals with no expiration for this provider.
AllowPermanentAccess bool `json:"allow_permanent_access" yaml:"allow_permanent_access"`
// AllowActiveAccessExtensionIn is a duration string: how long before expiry
// an active grant may be extended (see Grant.IsEligibleForExtension). Required.
AllowActiveAccessExtensionIn string `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in" validate:"required"`
}
AppealConfig is the provider-level appeal configuration (ProviderConfig.Appeal); the policy-level equivalent is PolicyAppealConfig.
type AppealDurationOption ¶
// AppealDurationOption is one selectable access duration offered by a policy
// (PolicyAppealConfig.DurationOptions).
type AppealDurationOption struct {
// Name of the duration
// Ex: 1 Day, 3 Days, Permanent
Name string `json:"name" yaml:"name" validate:"required"`
// Value of the actual duration
// Ex: 24h, 72h, 0h
// `0h` is reserved for permanent access
// NOTE(review): a "0h" option presumably must also be gated by
// AllowPermanentAccess — confirm where duration options are validated.
Value string `json:"value" yaml:"value" validate:"required"`
}
type AppealMetadataSource ¶ added in v0.10.0
// AppealMetadataSource describes an external source whose result is attached
// to an appeal as metadata (PolicyAppealConfig.MetadataSources).
type AppealMetadataSource struct {
Name string `json:"name" yaml:"name"`
Description string `json:"description,omitempty" yaml:"description,omitempty"`
// Type selects the source implementation.
Type string `json:"type" yaml:"type"`
// Config is type-specific and may hold secrets: it is encrypted/decrypted
// via EncryptConfig/DecryptConfig before storage and use.
Config interface{} `json:"config,omitempty" yaml:"config,omitempty"`
// Value is the expression/template evaluated by EvaluateValue.
Value interface{} `json:"value" yaml:"value"`
}
func (*AppealMetadataSource) DecryptConfig ¶ added in v0.10.0
func (c *AppealMetadataSource) DecryptConfig(dec Decryptor) error
func (*AppealMetadataSource) EncryptConfig ¶ added in v0.10.0
func (c *AppealMetadataSource) EncryptConfig(enc Encryptor) error
func (*AppealMetadataSource) EvaluateValue ¶ added in v0.10.0
func (c *AppealMetadataSource) EvaluateValue(params map[string]interface{}) (interface{}, error)
type AppealOptions ¶
// AppealOptions carries the requested access lifetime of an appeal.
type AppealOptions struct {
// ExpirationDate is the absolute expiry; nil when not requested.
ExpirationDate *time.Time `json:"expiration_date,omitempty" yaml:"expiration_date,omitempty"`
// Duration is the requested duration string (see AppealDurationOption.Value).
Duration string `json:"duration" yaml:"duration"`
}
AppealOptions holds the requested access lifetime of an appeal, as a duration string and/or an absolute expiration date.
type Approval ¶
// Approval is one instantiated approval step of an appeal.
type Approval struct {
ID string `json:"id" yaml:"id"`
// Name is the step name from the policy (Step); see Policy.GetStepByName.
Name string `json:"name" yaml:"name"`
// Index is the step's position; not serialized.
Index int `json:"-" yaml:"-"`
AppealID string `json:"appeal_id" yaml:"appeal_id"`
// Status is one of the ApprovalStatus* constants.
Status string `json:"status" yaml:"status"`
// Actor is the identity that resolved the step; nil while unresolved
// (inferred from the pointer type — confirm against the approval service).
Actor *string `json:"actor" yaml:"actor"`
Reason string `json:"reason,omitempty" yaml:"reason,omitempty"`
PolicyID string `json:"policy_id" yaml:"policy_id"`
PolicyVersion uint `json:"policy_version" yaml:"policy_version"`
// AllowFailed lets the appeal continue when this step fails.
AllowFailed bool `json:"allow_failed" yaml:"allow_failed"`
// DontAllowSelfApproval enforces separation of duties: the requester must
// not be able to approve their own appeal when this is set.
DontAllowSelfApproval bool `json:"dont_allow_self_approval" yaml:"dont_allow_self_approval"`
Details map[string]interface{} `json:"details" yaml:"details"`
// Approvers is the resolved list of approver identities for this step
// (see IsExistingApprover).
Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty"`
Appeal *Appeal `json:"appeal,omitempty" yaml:"appeal,omitempty"`
// IsStale marks an approval that belongs to an earlier appeal revision
// (AppealRevision < Appeal.Revision) and is ignored by Appeal.GetApproval.
IsStale bool `json:"is_stale,omitempty" yaml:"is_stale,omitempty"`
AppealRevision uint `json:"appeal_revision" yaml:"appeal_revision"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
func (*Approval) IsExistingApprover ¶ added in v0.12.0
func (*Approval) IsManualApproval ¶
type ApprovalAction ¶
// ApprovalAction is the request payload for approving or rejecting one
// approval step of an appeal. Validate() applies the struct tags.
type ApprovalAction struct {
AppealID string `validate:"required" json:"appeal_id"`
ApprovalName string `validate:"required" json:"approval_name"`
// Actor is the identity performing the action. The tag is `email` without
// `required` — NOTE(review): confirm Validate rejects an empty actor, since
// the actor is what DontAllowSelfApproval and the approver check are
// compared against.
Actor string `validate:"email" json:"actor"`
// Action must be "approve" or "reject" (ApprovalActionType).
Action string `validate:"required,oneof=approve reject" json:"action"`
Reason string `json:"reason"`
}
func (ApprovalAction) Validate ¶ added in v0.8.0
func (a ApprovalAction) Validate() error
type ApprovalActionType ¶
// ApprovalActionType is the action applied to an approval step; see
// ApprovalActionApprove and ApprovalActionReject.
type ApprovalActionType string
// Valid ApprovalActionType values; they mirror AppealActionNameApprove/Reject.
const (
	ApprovalActionApprove ApprovalActionType = "approve"
	ApprovalActionReject  ApprovalActionType = "reject"
)
type ApprovalStepStrategy ¶
// ApprovalStepStrategy selects how a policy step is resolved: automatically
// (by evaluating conditions) or manually (by listed approvers).
type ApprovalStepStrategy string
// Valid ApprovalStepStrategy values.
const (
	ApprovalStepStrategyAuto   ApprovalStepStrategy = "auto"
	ApprovalStepStrategyManual ApprovalStepStrategy = "manual"
)
type Approver ¶
// Approver is a persisted (approval, approver email) pair: one row per
// identity allowed to resolve the given approval step.
type Approver struct {
ID string `json:"id" yaml:"id"`
ApprovalID string `json:"approval_id" yaml:"approval_id"`
AppealID string `json:"appeal_id" yaml:"appeal_id"`
// Email is the approver identity (approver values are validated as emails,
// see ErrInvalidApproverValue).
Email string `json:"email" yaml:"email"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
type Comment ¶ added in v0.10.0
// Comment is a free-text note attached to a parent object (ParentType/ParentID).
type Comment struct {
ID string `json:"id" yaml:"id"`
// ParentType / ParentID identify the object commented on (e.g. an appeal);
// the set of valid parent types is not defined here.
ParentType string `json:"parent_type" yaml:"parent_type"`
ParentID string `json:"parent_id" yaml:"parent_id"`
CreatedBy string `json:"created_by" yaml:"created_by"`
// Body is user-supplied text; escape it when rendering in notifications/UI.
Body string `json:"body" yaml:"body"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
type Condition ¶
// Condition is a single predicate evaluated for an approval step: the value
// at Field is compared using Match. Both are required.
type Condition struct {
// Field is an expression naming the value to test; parsing failures yield
// ErrInvalidConditionField.
Field string `json:"field" yaml:"field" validate:"required"`
Match *MatchCondition `json:"match" yaml:"match" validate:"required"`
}
Condition is evaluated to decide whether an approval step resolves as success or failure.
type CustomSteps ¶ added in v0.12.16
// CustomSteps configures an external source of approval steps for a policy
// (Policy.CustomSteps); the source answers with a CustomStepsResponse.
type CustomSteps struct {
// Type selects the implementation; Validate checks it.
Type string `json:"type" yaml:"type"`
// Config is type-specific and may hold credentials: it is
// encrypted/decrypted with EncryptConfig/DecryptConfig.
Config interface{} `json:"config,omitempty" yaml:"config,omitempty"`
}
func (*CustomSteps) DecryptConfig ¶ added in v0.12.16
func (c *CustomSteps) DecryptConfig(dec Decryptor) error
func (*CustomSteps) EncryptConfig ¶ added in v0.12.16
func (c *CustomSteps) EncryptConfig(enc Encryptor) error
func (*CustomSteps) Validate ¶ added in v0.12.16
func (c *CustomSteps) Validate() error
type CustomStepsResponse ¶ added in v0.12.16
// CustomStepsResponse is the payload returned by a CustomSteps source.
// NOTE(review): these steps come from an external system and define who may
// approve; confirm they are validated like policy-declared Steps before use.
type CustomStepsResponse struct {
ApprovalSteps []*Step `json:"approval_steps"`
}
type DormancyCheckCriteria ¶ added in v0.7.5
// DormancyCheckCriteria parameterizes the job that expires grants which have
// not been used (see GrantExpirationReasonDormant). Validate checks the fields.
type DormancyCheckCriteria struct {
// ProviderID scopes the check to one provider.
ProviderID string
// Period is the look-back window over Activities.
Period time.Duration
// RetainDuration is how long a dormant grant is kept before it expires
// (inferred from the name — confirm against the job implementation).
RetainDuration time.Duration
// DryRun reports what would be expired without changing any grant.
DryRun bool
}
func (DormancyCheckCriteria) Validate ¶ added in v0.7.5
func (c DormancyCheckCriteria) Validate() error
type Event ¶ added in v0.11.0
type Grant ¶
// Grant is an access entitlement that exists (or existed) on a resource:
// AccountID holds Role/Permissions on ResourceID until ExpirationDate, or
// permanently when IsPermanent is set.
type Grant struct {
ID string `json:"id" yaml:"id"`
// Status is Guardian's view of the grant; StatusInProvider is the last
// observed state on the provider side. They can disagree after an import or
// a failed revoke — compare both before trusting a grant is gone.
Status GrantStatus `json:"status" yaml:"status"`
StatusInProvider GrantStatus `json:"status_in_provider" yaml:"status_in_provider"`
AccountID string `json:"account_id" yaml:"account_id"`
AccountType string `json:"account_type" yaml:"account_type"`
GroupID string `json:"group_id,omitempty" yaml:"group_id,omitempty"`
GroupType string `json:"group_type,omitempty" yaml:"group_type,omitempty"`
ResourceID string `json:"resource_id" yaml:"resource_id"`
Role string `json:"role" yaml:"role"`
Permissions []string `json:"permissions" yaml:"permissions"`
// IsPermanent means no expiry; ExpirationDate is nil in that case.
IsPermanent bool `json:"is_permanent" yaml:"is_permanent"`
ExpirationDate *time.Time `json:"expiration_date" yaml:"expiration_date"`
// RequestedExpirationDate keeps what the appeal asked for, when the
// effective ExpirationDate was adjusted; ExpirationDateReason says why
// (e.g. ExpirationDateReasonFromAppeal, GrantExpirationReason*).
RequestedExpirationDate *time.Time `json:"requested_expiration_date,omitempty" yaml:"requested_expiration_date,omitempty"`
ExpirationDateReason string `json:"expiration_date_reason,omitempty" yaml:"expiration_date_reason,omitempty"`
// AppealID links to the originating appeal (empty for imported grants).
AppealID string `json:"appeal_id" yaml:"appeal_id"`
// PendingAppealID is computed at read time and not persisted (gorm:"-").
PendingAppealID string `json:"pending_appeal_id" yaml:"pending_appeal_id,omitempty" gorm:"-"`
// Source records whether the grant came from an appeal or a provider import.
Source GrantSource `json:"source" yaml:"source"`
// Revoke*/Restore* are the audit trail written by Revoke and Restore.
RevokedBy string `json:"revoked_by,omitempty" yaml:"revoked_by,omitempty"`
RevokedAt *time.Time `json:"revoked_at,omitempty" yaml:"revoked_at,omitempty"`
RevokeReason string `json:"revoke_reason,omitempty" yaml:"revoke_reason,omitempty"`
RestoredBy string `json:"restored_by,omitempty" yaml:"restored_by,omitempty"`
RestoredAt *time.Time `json:"restored_at,omitempty" yaml:"restored_at,omitempty"`
RestoreReason string `json:"restore_reason,omitempty" yaml:"restore_reason,omitempty"`
CreatedBy string `json:"created_by" yaml:"created_by"` // Deprecated: use Owner instead
// Owner is the accountable person for the grant; it can be changed via
// GrantUpdate (NotificationTypeGrantOwnerChanged is sent when it is).
Owner string `json:"owner" yaml:"owner"`
CreatedAt time.Time `json:"created_at" yaml:"created_at"`
UpdatedAt time.Time `json:"updated_at" yaml:"updated_at"`
Resource *Resource `json:"resource,omitempty" yaml:"resource,omitempty"`
Appeal *Appeal `json:"appeal,omitempty" yaml:"appeal,omitempty"`
Activities []*Activity `json:"activities,omitempty" yaml:"activities,omitempty"`
}
func (*Grant) GetPermissions ¶
func (Grant) IsEligibleForExtension ¶
func (Grant) PermissionsKey ¶
type GrantSource ¶
// GrantSource records how a grant entered the system; see GrantSourceAppeal
// and GrantSourceImport.
type GrantSource string
type GrantStatus ¶
// GrantStatus is the lifecycle state of a grant; see GrantStatusActive and
// GrantStatusInactive.
type GrantStatus string
type GrantUpdate ¶ added in v0.12.2
// GrantUpdate is a partial update of a grant: nil pointer fields are left
// untouched. Validate(current) checks the request against the current grant.
type GrantUpdate struct {
ID string `json:"id" yaml:"id"`
// Owner reassigns accountability for the grant.
Owner *string `json:"owner,omitempty" yaml:"owner,omitempty"`
// IsPermanent / ExpirationDate / ExpirationDateReason change the lifetime;
// see IsUpdatingExpirationDate. Extending access this way bypasses the
// appeal workflow, so callers must authorize it as carefully as an approval.
IsPermanent *bool `json:"is_permanent,omitempty" yaml:"is_permanent,omitempty"`
ExpirationDate *time.Time `json:"expiration_date,omitempty" yaml:"expiration_date,omitempty"`
ExpirationDateReason *string `json:"expiration_date_reason,omitempty" yaml:"expiration_date_reason,omitempty"`
// Actor is the identity performing the update (recorded for audit).
Actor string `json:"actor" yaml:"actor"`
}
func (*GrantUpdate) IsUpdatingExpirationDate ¶ added in v0.12.2
func (gu *GrantUpdate) IsUpdatingExpirationDate() bool
func (*GrantUpdate) Validate ¶ added in v0.12.2
func (gu *GrantUpdate) Validate(current Grant) error
type IAMConfig ¶
// IAMConfig tells a policy how to look up requester identities
// (Policy.IAM); the resolved record lands in Appeal.Creator.
type IAMConfig struct {
// Provider is the client implementation: "http" or "shield".
Provider IAMProviderType `json:"provider" yaml:"provider" validate:"required,oneof=http shield"`
// Config is provider-specific and is where client auth material would live.
// NOTE(review): unlike AppealMetadataSource/CustomSteps/PostAppealHook there
// is no Encrypt/DecryptConfig here; confirm Policy.RemoveSensitiveValues
// strips it before the policy is returned or logged.
Config interface{} `json:"config" yaml:"config" validate:"required"`
// Schema maps identity fields returned by the provider to the names used in
// policy expressions.
Schema map[string]string `json:"schema" yaml:"schema"`
}
type IAMManager ¶
// IAMManager builds identity-provider clients from an IAMConfig.
// ParseConfig turns the raw config into a SensitiveConfig (so secrets are
// typed as sensitive); GetClient opens a client from it.
type IAMManager interface {
ParseConfig(*IAMConfig) (SensitiveConfig, error)
GetClient(SensitiveConfig) (IAMClient, error)
}
type IAMProviderType ¶
// IAMProviderType names an identity-provider client implementation; see
// IAMProviderTypeShield and IAMProviderTypeHTTP.
type IAMProviderType string
// Valid IAMProviderType values (must match the `oneof` on IAMConfig.Provider).
const (
	IAMProviderTypeShield IAMProviderType = "shield"
	IAMProviderTypeHTTP   IAMProviderType = "http"
)
type ListActivitiesFilter ¶ added in v0.7.5
// ListActivitiesFilter selects activities by provider, resource, account and
// time window. Resource identifiers are resolved to resources via
// PopulateResources and read back with GetResources.
type ListActivitiesFilter struct {
ProviderID string
ResourceIDs []string
// ResourceIdentifiers are resolved into the unexported resource cache by
// PopulateResources; an unresolvable identifier makes it return an error.
ResourceIdentifiers []ResourceIdentifier
AccountIDs []string
// TimestampGte / TimestampLte bound Activity.Timestamp (inclusive, per the names).
TimestampGte *time.Time
TimestampLte *time.Time
// contains filtered or unexported fields
}
func (*ListActivitiesFilter) GetResources ¶ added in v0.7.5
func (f *ListActivitiesFilter) GetResources() []*Resource
func (*ListActivitiesFilter) PopulateResources ¶ added in v0.7.5
func (f *ListActivitiesFilter) PopulateResources(resources map[string]*Resource) error
type ListAppealsFilter ¶
// ListAppealsFilter is the query for listing appeals; it is decoded from
// request parameters via the mapstructure tags and then validated.
type ListAppealsFilter struct {
// Q is a free-text search term.
Q string `mapstructure:"q" validate:"omitempty"`
AccountTypes []string `mapstructure:"account_types" validate:"omitempty,min=1"`
CreatedBy string `mapstructure:"created_by" validate:"omitempty,required"`
AccountID string `mapstructure:"account_id" validate:"omitempty,required"`
AccountIDs []string `mapstructure:"account_ids" validate:"omitempty,required"`
GroupIDs []string `mapstructure:"group_ids" validate:"omitempty,required"`
GroupTypes []string `mapstructure:"group_types" validate:"omitempty,min=1"`
ResourceID string `mapstructure:"resource_id" validate:"omitempty,required"`
// NOTE(review): Role and Roles both carry mapstructure:"role", so one input
// key feeds a string and a []string field. ListApprovalsFilter uses "roles"
// for the slice; this looks like a typo and should probably be "roles" here
// too. Confirm which key clients send before changing it.
Role string `mapstructure:"role" validate:"omitempty,required"`
Roles []string `mapstructure:"role" validate:"omitempty,required"`
// Statuses filters on AppealStatus* values.
Statuses []string `mapstructure:"statuses" validate:"omitempty,min=1"`
ExpirationDateLessThan time.Time `mapstructure:"expiration_date_lt" validate:"omitempty,required"`
ExpirationDateGreaterThan time.Time `mapstructure:"expiration_date_gt" validate:"omitempty,required"`
ProviderTypes []string `mapstructure:"provider_types" validate:"omitempty,min=1"`
ProviderURNs []string `mapstructure:"provider_urns" validate:"omitempty,min=1"`
ResourceTypes []string `mapstructure:"resource_types" validate:"omitempty,min=1"`
ResourceURNs []string `mapstructure:"resource_urns" validate:"omitempty,min=1"`
// OrderBy is caller-supplied; NOTE(review): confirm the repository maps these
// to an allowlist of columns rather than interpolating them into ORDER BY.
OrderBy []string `mapstructure:"order_by" validate:"omitempty,min=1"`
Size int `mapstructure:"size" validate:"omitempty"`
Offset int `mapstructure:"offset" validate:"omitempty"`
ResourceIDs []string `mapstructure:"resource_ids" validate:"omitempty,min=1"`
// SummaryGroupBys / SummaryUniques use the "table_name.column_name" form and
// are checked against the supported table names (ErrNotSupported*TableName).
SummaryGroupBys []string `mapstructure:"summary_group_bys" validate:"omitempty"`
SummaryUniques []string `mapstructure:"summary_uniques" validate:"omitempty"`
// FieldMasks restricts which fields are returned (see WithAppeals/WithSummary/WithTotal).
FieldMasks []string `mapstructure:"field_masks" validate:"omitempty"`
RoleStartsWith string `mapstructure:"role_starts_with" validate:"omitempty"`
RoleEndsWith string `mapstructure:"role_ends_with" validate:"omitempty"`
RoleContains string `mapstructure:"role_contains" validate:"omitempty"`
StartTime time.Time `mapstructure:"start_time" validate:"omitempty"`
EndTime time.Time `mapstructure:"end_time" validate:"omitempty"`
// WithApprovals expands each appeal's Approvals in the result.
WithApprovals bool `mapstructure:"with_approvals" validate:"omitempty"`
}
func (ListAppealsFilter) WithAppeals ¶ added in v0.12.16
func (af ListAppealsFilter) WithAppeals() bool
func (ListAppealsFilter) WithSummary ¶ added in v0.12.16
func (af ListAppealsFilter) WithSummary() bool
func (ListAppealsFilter) WithTotal ¶ added in v0.12.16
func (af ListAppealsFilter) WithTotal() bool
type ListApprovalsFilter ¶
// ListApprovalsFilter is the query for listing approval steps, typically
// "approvals waiting on me" (Actors) or "approvals on my appeals" (CreatedBy).
type ListApprovalsFilter struct {
Q string `mapstructure:"q" json:"q,omitempty" validate:"omitempty"`
AccountID string `mapstructure:"account_id" json:"account_id,omitempty" validate:"omitempty,required"`
AccountTypes []string `mapstructure:"account_types" json:"account_types,omitempty" validate:"omitempty,min=1"`
ResourceTypes []string `mapstructure:"resource_types" json:"resource_types,omitempty" validate:"omitempty,min=1"`
// CreatedBy filters on the appeal requester.
CreatedBy string `mapstructure:"created_by" json:"created_by,omitempty" validate:"omitempty,required"`
// Statuses filters on ApprovalStatus* values; AppealStatuses on AppealStatus* values.
Statuses []string `mapstructure:"statuses" json:"statuses,omitempty" validate:"omitempty,min=1"`
// OrderBy is caller-supplied; NOTE(review): confirm it is allowlisted before
// reaching the query.
OrderBy []string `mapstructure:"order_by" json:"order_by,omitempty" validate:"omitempty,min=1"`
Size int `mapstructure:"size" json:"size,omitempty" validate:"omitempty"`
Offset int `mapstructure:"offset" json:"offset,omitempty" validate:"omitempty"`
AppealStatuses []string `mapstructure:"appeal_statuses" json:"appeal_statuses,omitempty" validate:"omitempty,min=1"`
// Stale includes/selects approvals flagged Approval.IsStale.
Stale bool `mapstructure:"stale" json:"stale,omitempty" validate:"omitempty"`
RoleStartsWith string `mapstructure:"role_starts_with" json:"role_starts_with,omitempty" validate:"omitempty"`
RoleEndsWith string `mapstructure:"role_ends_with" json:"role_ends_with,omitempty" validate:"omitempty"`
RoleContains string `mapstructure:"role_contains" json:"role_contains,omitempty" validate:"omitempty"`
// StepNames filters on Approval.Name.
StepNames []string `mapstructure:"step_names" json:"step_names,omitempty" validate:"omitempty,min=1"`
ProviderTypes []string `mapstructure:"provider_types" json:"provider_types,omitempty" validate:"omitempty,min=1"`
ProviderURNs []string `mapstructure:"provider_urns" json:"provider_urns,omitempty" validate:"omitempty,min=1"`
// Actors filters on the approver identities of a step.
Actors []string `mapstructure:"actors" json:"actors,omitempty" validate:"omitempty,min=1"`
StartTime time.Time `mapstructure:"start_time" json:"start_time,omitempty"`
EndTime time.Time `mapstructure:"end_time" json:"end_time,omitempty"`
// FieldMasks restricts the returned fields (see WithApprovals/WithSummary/WithTotal).
FieldMasks []string `mapstructure:"field_masks" json:"field_masks,omitempty"`
// SummaryGroupBys / SummaryUniques use the "table_name.column_name" form.
SummaryGroupBys []string `mapstructure:"summary_group_bys" json:"summary_group_bys,omitempty"`
SummaryUniques []string `mapstructure:"summary_uniques" json:"summary_uniques,omitempty"`
// Note the mixed casing: ResourceUrns here vs ResourceURNs in the sibling filters.
ResourceUrns []string `mapstructure:"resource_urns" json:"resource_urns,omitempty"`
Roles []string `mapstructure:"roles" json:"roles,omitempty"`
Requestors []string `mapstructure:"requestors" json:"requestors,omitempty"`
AccountIDs []string `mapstructure:"account_ids" json:"account_ids,omitempty"`
}
func (ListApprovalsFilter) WithApprovals ¶ added in v0.12.15
func (af ListApprovalsFilter) WithApprovals() bool
func (ListApprovalsFilter) WithSummary ¶ added in v0.12.15
func (af ListApprovalsFilter) WithSummary() bool
func (ListApprovalsFilter) WithTotal ¶ added in v0.12.15
func (af ListApprovalsFilter) WithTotal() bool
type ListAuditLogFilter ¶ added in v0.11.0
type ListCommentsFilter ¶ added in v0.10.0
type ListEventsFilter ¶ added in v0.11.0
type ListGrantsFilter ¶
// ListGrantsFilter is the query for listing grants. Unlike the appeal and
// approval filters most fields carry no mapstructure/validate tags here, so
// any request decoding and validation happens in the caller.
type ListGrantsFilter struct {
// NotIDs excludes the given grant IDs.
NotIDs []string
// Statuses filters on GrantStatus values.
Statuses []string
AccountIDs []string
AccountTypes []string
GroupIDs []string
GroupTypes []string
ResourceIDs []string
Roles []string
Permissions []string
ProviderTypes []string
ProviderURNs []string
ResourceTypes []string
ResourceURNs []string
// CreatedBy is the deprecated creator field; prefer Owner (see Grant.CreatedBy).
CreatedBy string
Owner string
// OrderBy is caller-supplied; NOTE(review): confirm it is allowlisted before
// reaching the query.
OrderBy []string
ExpirationDateLessThan time.Time
ExpirationDateGreaterThan time.Time
// IsPermanent is a tri-state: nil means "don't filter".
IsPermanent *bool
CreatedAtLte time.Time
WithApprovals bool
Size int `mapstructure:"size" validate:"omitempty"`
Offset int `mapstructure:"offset" validate:"omitempty"`
Q string `mapstructure:"q" validate:"omitempty"`
StartTime time.Time
EndTime time.Time
// Summary* use the "table_name.column_name" form (see ErrInvalid*Input).
SummaryGroupBys []string
SummaryUniques []string
SummaryDistinctCounts []string
// ExpiringInDays selects grants whose ExpirationDate falls within N days.
ExpiringInDays int
FieldMasks []string
// WithPendingAppeal populates Grant.PendingAppealID.
WithPendingAppeal bool
RoleStartsWith string
RoleEndsWith string
RoleContains string
// UserInactiveGrantPolicy controls how inactive grants are treated in
// per-user listings; values come from the guardianv1beta1 proto.
UserInactiveGrantPolicy guardianv1beta1.ListUserGrantsRequest_InactiveGrantPolicy
}
func (ListGrantsFilter) WithGrants ¶ added in v0.12.15
func (gf ListGrantsFilter) WithGrants() bool
func (ListGrantsFilter) WithSummary ¶ added in v0.12.15
func (gf ListGrantsFilter) WithSummary() bool
func (ListGrantsFilter) WithTotal ¶ added in v0.12.15
func (gf ListGrantsFilter) WithTotal() bool
type ListResourcesFilter ¶
// ListResourcesFilter is the query for listing resources, decoded from
// request parameters via the mapstructure tags.
type ListResourcesFilter struct {
IDs []string `mapstructure:"ids" validate:"omitempty,min=1"`
// IsDeleted selects soft-deleted resources.
IsDeleted bool `mapstructure:"is_deleted" validate:"omitempty"`
// Singular and plural provider/resource selectors coexist; the singular ones
// are the older form.
ProviderType string `mapstructure:"provider_type" validate:"omitempty"`
ProviderURN string `mapstructure:"provider_urn" validate:"omitempty"`
ProviderTypes []string `mapstructure:"provider_types" validate:"omitempty"`
ProviderURNs []string `mapstructure:"provider_urns" validate:"omitempty"`
Name string `mapstructure:"name" validate:"omitempty"`
ResourceURN string `mapstructure:"urn" validate:"omitempty"`
ResourceType string `mapstructure:"type" validate:"omitempty"`
ResourceURNs []string `mapstructure:"urns" validate:"omitempty"`
ResourceTypes []string `mapstructure:"types" validate:"omitempty"`
// Details matches arbitrary caller-chosen keys against resource details;
// NOTE(review): both keys and values are untrusted input here.
Details map[string]string `mapstructure:"details"`
Size uint32 `mapstructure:"size" validate:"omitempty"`
Offset uint32 `mapstructure:"offset" validate:"omitempty"`
// OrderBy is caller-supplied; NOTE(review): confirm it is allowlisted.
OrderBy []string `mapstructure:"order_by" validate:"omitempty"`
Q string `mapstructure:"q" validate:"omitempty"`
GroupIDs []string `mapstructure:"group_ids" validate:"omitempty"`
GroupTypes []string `mapstructure:"group_types" validate:"omitempty"`
}
type MapResourceAccess ¶
// MapResourceAccess maps a resource URN to the access entries found on that
// resource (each convertible to a Grant via AccessEntry.ToGrant).
type MapResourceAccess map[string][]AccessEntry
MapResourceAccess maps a resource URN to the list of AccessEntry values present on that resource.
type MatchCondition ¶
// MatchCondition is the comparison half of a Condition. Only equality is
// expressible: the field value must equal Eq.
type MatchCondition struct {
Eq interface{} `json:"eq" yaml:"eq"`
}
MatchCondition specifies the comparison a Condition must satisfy; currently only an equality check (Eq) is supported.
type Notification ¶
// Notification is one outbound message addressed to User.
type Notification struct {
// User is the recipient identity.
User string
Message NotificationMessage
// Labels are free-form key/values forwarded with the notification.
Labels map[string]string
}
type NotificationMessage ¶
type NotificationMessages ¶
// NotificationMessages holds the configurable message templates, one per
// NotificationType* constant, loaded via the mapstructure tags.
// NOTE(review): these are templates that receive appeal/grant data; if they
// are rendered into HTML or Slack markup, confirm user-controlled values
// (descriptions, comments) are escaped by the renderer.
type NotificationMessages struct {
ExpirationReminder string `mapstructure:"expiration_reminder"`
AppealApproved string `mapstructure:"appeal_approved"`
AppealRejected string `mapstructure:"appeal_rejected"`
AccessRevoked string `mapstructure:"access_revoked"`
ApproverNotification string `mapstructure:"approver_notification"`
// OthersAppealApproved backs NotificationTypeOnBehalfAppealApproved.
OthersAppealApproved string `mapstructure:"others_appeal_approved"`
GrantOwnerChanged string `mapstructure:"grant_owner_changed"`
UnusedGrant string `mapstructure:"unused_grant"`
NewComment string `mapstructure:"new_comment"`
PendingApprovalsReminder string `mapstructure:"pending_approvals_reminder"`
}
type Policy ¶
// Policy is a versioned approval policy: the ordered Steps an appeal must
// pass, plus appeal options, follow-up requirements and identity lookup.
// Appeals pin the (ID, Version) they were evaluated with.
type Policy struct {
ID string `json:"id" yaml:"id" validate:"required"`
// Version is required and therefore must be non-zero.
Version uint `json:"version" yaml:"version" validate:"required"`
Description string `json:"description" yaml:"description"`
// Steps must contain at least one step; each step is validated (dive).
Steps []*Step `json:"steps" yaml:"steps" validate:"required,min=1,dive"`
// CustomSteps optionally sources steps from an external system; see HasCustomSteps.
CustomSteps *CustomSteps `json:"custom_steps" yaml:"custom_steps"`
AppealConfig *PolicyAppealConfig `json:"appeal" yaml:"appeal" validate:"omitempty,dive"`
Requirements []*Requirement `json:"requirements,omitempty" yaml:"requirements,omitempty" validate:"omitempty,min=1,dive"`
Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
// IAM configures requester identity lookup; see HasIAMConfig. Its Config may
// hold secrets — RemoveSensitiveValues exists to strip them before output.
IAM *IAMConfig `json:"iam,omitempty" yaml:"iam,omitempty" validate:"omitempty,dive"`
CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
Policy is the approval policy configuration
func (*Policy) GetStepByName ¶ added in v0.12.2
func (*Policy) HasAppealMetadataSources ¶ added in v0.10.0
func (*Policy) HasCustomSteps ¶ added in v0.12.16
func (*Policy) HasIAMConfig ¶
func (*Policy) RemoveSensitiveValues ¶ added in v0.10.0
func (p *Policy) RemoveSensitiveValues()
type PolicyAppealConfig ¶
// PolicyAppealConfig is the policy-level appeal configuration (Policy.AppealConfig).
type PolicyAppealConfig struct {
// DurationOptions are the durations a requester may choose from; when set,
// at least one is required and each option is validated.
DurationOptions []AppealDurationOption `json:"duration_options" yaml:"duration_options" validate:"omitempty,min=1,dive"`
// AllowOnBehalf lets a requester create an appeal whose AccountID is not
// their own (Appeal.CreatedBy != Appeal.AccountID).
AllowOnBehalf bool `json:"allow_on_behalf" yaml:"allow_on_behalf"`
// AllowPermanentAccess permits appeals without an expiration.
AllowPermanentAccess bool `json:"allow_permanent_access" yaml:"allow_permanent_access"`
// AllowActiveAccessExtensionIn is a duration string controlling when an
// active grant may be extended.
AllowActiveAccessExtensionIn string `json:"allow_active_access_extension_in" yaml:"allow_active_access_extension_in"`
// Questions are asked at appeal time; answers land under
// ReservedDetailsKeyPolicyQuestions in Appeal.Details.
Questions []Question `json:"questions" yaml:"questions"`
// AllowCreatorDetailsFailure is a flag that lets the appeal creation continue when the request to the identity
// provider (Policy.IAM) fails. If this is set to true and the request to the identity provider fails (4xx or 5xx), the
// value of the `creator` field in the appeal will be nil.
// Note: any expression that tries to access `$appeal.creator.*` is still evaluated as usual, so it needs
// proper nil checking to avoid accessing a nil value.
// Security note: with this flag on, approval conditions that rely on creator
// attributes (e.g. team or manager) cannot be enforced for that appeal.
AllowCreatorDetailsFailure bool `json:"allow_creator_details_failure" yaml:"allow_creator_details_failure"`
// MetadataSources are evaluated per appeal and stored under
// ReservedDetailsKeyPolicyMetadata; see HasAppealMetadataSources.
MetadataSources map[string]*AppealMetadataSource `json:"metadata_sources,omitempty" yaml:"metadata_sources,omitempty"`
TermsAndConditions string `json:"terms_and_conditions,omitempty" yaml:"terms_and_conditions,omitempty"`
}
type PolicyConfig ¶
// PolicyConfig references a specific policy version from a provider or an
// AdditionalAppeal.
type PolicyConfig struct {
ID string `json:"id" yaml:"id" validate:"required"`
// Version is required (non-zero). Note the type differs from Policy.Version
// (int here, uint there); callers converting between them should check sign.
Version int `json:"version" yaml:"version" validate:"required"`
}
PolicyConfig is the configuration that defines which policy is being used in the provider
type PostAppealHook ¶ added in v0.12.16
// PostAppealHook is an outbound call made after a Requirement's additional
// appeals are created (Requirement.PostHooks). Only the "http" type exists.
type PostAppealHook struct {
Name string `json:"name" yaml:"name" validate:"required"`
Description string `json:"description,omitempty" yaml:"description,omitempty"`
// Type is restricted to "http" by validation.
Type string `json:"type" yaml:"type" validate:"required,oneof=http"`
// Config is type-specific (URL, headers, auth) and is encrypted/decrypted
// via EncryptConfig/DecryptConfig. NOTE(review): the target URL is operator
// configuration; confirm it is restricted if policies can be edited by
// less-trusted admins, since the hook carries appeal data outbound.
Config interface{} `json:"config,omitempty" yaml:"config,omitempty"`
// AllowFailed makes a failing hook non-fatal for the appeal flow.
AllowFailed bool `json:"allow_failed" yaml:"allow_failed"`
}
PostAppealHook defines a hook that executes after requirement appeals are created
func (*PostAppealHook) DecryptConfig ¶ added in v0.12.16
func (h *PostAppealHook) DecryptConfig(dec Decryptor) error
func (*PostAppealHook) EncryptConfig ¶ added in v0.12.16
func (h *PostAppealHook) EncryptConfig(enc Encryptor) error
type Provider ¶
// Provider is a stored provider record: identity, type, and the full
// ProviderConfig (which includes Credentials). NOTE(review): because Config is
// serialized with ordinary json/yaml tags, marshalling a Provider emits the
// credentials too unless they were encrypted or redacted first — confirm that
// every API response and log path does so.
type Provider struct {
	// ID is the record identifier.
	ID string `json:"id" yaml:"id"`
	// Type is the provider type (see ProviderType).
	Type string `json:"type" yaml:"type"`
	// URN identifies this provider instance.
	URN string `json:"urn" yaml:"urn"`
	// Config is the provider configuration, including Credentials.
	Config *ProviderConfig `json:"config" yaml:"config"`
	// CreatedAt is the record creation time.
	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	// UpdatedAt is the last modification time.
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
}
type ProviderConfig ¶
// ProviderConfig is the configuration of a single provider instance: what it
// is, how to authenticate to it, which resource types and roles it exposes,
// and which policies apply. Helpers GetResourceTypes, GetParameterKeys and
// GetFilterForResourceType read from it.
type ProviderConfig struct {
	// Type is the provider type; its struct tag is collapsed in this rendering.
	Type string `` /* 143-byte string literal not displayed */
	// URN identifies the provider instance; required by validation.
	URN string `json:"urn" yaml:"urn" validate:"required"`
	// AllowedAccountTypes restricts which account types may request access.
	// Validation requires at least one entry when the list is present;
	// an absent list presumably means no restriction — confirm with the
	// appeal validation code.
	AllowedAccountTypes []string `json:"allowed_account_types" yaml:"allowed_account_types" validate:"omitempty,min=1"`
	// Labels are optional free-form key/value metadata.
	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
	// Credentials holds the provider's authentication material; required by
	// validation and untyped here. NOTE(review): it carries a json tag (with
	// omitempty only), so it is included whenever a ProviderConfig is marshalled —
	// confirm callers encrypt it (see SensitiveConfig) before persisting or
	// logging, and redact it in API responses.
	Credentials interface{} `json:"credentials,omitempty" yaml:"credentials" validate:"required"`
	// Appeal is the appeal configuration for this provider; required.
	Appeal *AppealConfig `json:"appeal,omitempty" yaml:"appeal,omitempty" validate:"required"`
	// Resources lists the resource types the provider manages; required.
	Resources []*ResourceConfig `json:"resources" yaml:"resources" validate:"required"`
	// Parameters are optional provider parameters (see GetParameterKeys).
	Parameters []*ProviderParameter `json:"parameters,omitempty" yaml:"parameters,omitempty"`
	// Activity is the optional activity configuration.
	Activity *ActivityConfig `json:"activity,omitempty" yaml:"activity,omitempty"`
	// Policies are optional provider-level policies.
	Policies []*ProviderPolicy `json:"policies,omitempty" yaml:"policies,omitempty"`
}
func (ProviderConfig) GetFilterForResourceType ¶ added in v0.7.8
func (pc ProviderConfig) GetFilterForResourceType(resourceType string) string
func (ProviderConfig) GetParameterKeys ¶ added in v0.12.8
func (pc ProviderConfig) GetParameterKeys() (keys []string)
func (ProviderConfig) GetResourceTypes ¶
func (pc ProviderConfig) GetResourceTypes() (resourceTypes []string)
type ProviderParameter ¶
type ProviderPolicy ¶ added in v0.12.7
type ProviderType ¶
type Requirement ¶
// Requirement couples a trigger with the additional appeals and post-appeal
// hooks that apply when the trigger matches.
type Requirement struct {
	// On is the trigger that decides whether this requirement applies; required.
	On *RequirementTrigger `json:"on" yaml:"on" validate:"required"`
	// Appeals are the additional appeals to create; each element is validated
	// (`dive`) when the list is present.
	Appeals []*AdditionalAppeal `json:"appeals,omitempty" yaml:"appeals,omitempty" validate:"omitempty,dive"`
	// PostHooks run after the additional appeals are created; each element is
	// validated (`dive`) when the list is present.
	PostHooks []*PostAppealHook `json:"post_hooks,omitempty" yaml:"post_hooks,omitempty" validate:"omitempty,dive"`
}
type RequirementTrigger ¶
// RequirementTrigger describes when a Requirement applies. The matching
// fields (provider, resource, role) presumably compare against the appeal
// being processed — confirm against the requirement evaluation code; struct
// tags are collapsed in this rendering.
type RequirementTrigger struct {
	// ProviderType to match.
	ProviderType string `` /* 137-byte string literal not displayed */
	// ProviderURN to match.
	ProviderURN string `` /* 136-byte string literal not displayed */
	// ResourceType to match.
	ResourceType string `` /* 137-byte string literal not displayed */
	// ResourceURN to match.
	ResourceURN string `` /* 136-byte string literal not displayed */
	// Role to match.
	Role string `` /* 128-byte string literal not displayed */
	// Deprecated: use Expression instead.
	Conditions []*Condition `` /* 134-byte string literal not displayed */
	// Expression is evaluated to decide whether the trigger matches; the
	// accessible parameters are not documented here — check the evaluator.
	Expression string `` /* 134-byte string literal not displayed */
}
type Resource ¶
// Resource is a stored resource record belonging to a provider. Resources
// can form a tree via ParentID and Children.
type Resource struct {
	// ID is the record identifier.
	ID string `json:"id" yaml:"id"`
	// ProviderType and ProviderURN identify the owning provider.
	ProviderType string `json:"provider_type" yaml:"provider_type"`
	ProviderURN string `json:"provider_urn" yaml:"provider_urn"`
	// Type is the resource type within the provider.
	Type string `json:"type" yaml:"type"`
	// URN identifies the resource within the provider.
	URN string `json:"urn" yaml:"urn"`
	// Name is the display name.
	Name string `json:"name" yaml:"name"`
	// Details holds provider-specific attributes; untyped.
	Details map[string]interface{} `json:"details" yaml:"details"`
	// Labels are optional free-form key/value metadata.
	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
	// CreatedAt and UpdatedAt are record timestamps.
	CreatedAt time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
	UpdatedAt time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
	// IsDeleted marks the record as deleted; presumably a soft-delete flag,
	// so readers should filter on it — confirm with the repository layer.
	IsDeleted bool `json:"is_deleted,omitempty" yaml:"is_deleted,omitempty"`
	// ParentID references the parent resource, if any.
	ParentID *string `json:"parent_id,omitempty" yaml:"parent_id,omitempty"`
	// Children are nested resources.
	Children []*Resource `json:"children,omitempty" yaml:"children,omitempty"`
	// GlobalURN is always serialized (no omitempty).
	GlobalURN string `json:"global_urn" yaml:"global_urn"`
	// GroupID and GroupType are optional grouping attributes.
	GroupID string `json:"group_id,omitempty" yaml:"group_id,omitempty"`
	GroupType string `json:"group_type,omitempty" yaml:"group_type,omitempty"`
}
Resource struct
type ResourceConfig ¶
// ResourceConfig is the configuration for a resource type within a provider:
// an optional filter, the policy that governs appeals for it, and the roles
// that can be requested.
type ResourceConfig struct {
	// Type is the resource type this configuration applies to; required.
	Type string `json:"type" yaml:"type" validate:"required"`
	// Filter is an optional filter expression for this resource type
	// (exposed via ProviderConfig.GetFilterForResourceType).
	Filter string `json:"filter" yaml:"filter"`
	// Policy selects the policy (and version) applied to appeals for this type.
	Policy *PolicyConfig `json:"policy" yaml:"policy"`
	// Roles are the requestable roles for this type; required.
	Roles []*Role `json:"roles" yaml:"roles" validate:"required"`
}
ResourceConfig is the configuration for a resource type within a provider
type ResourceIdentifier ¶
// ResourceIdentifier selects a resource either by ID alone or by the full
// (ProviderType, ProviderURN, Type, URN) tuple. The validate tags enforce
// this: each of the four tuple fields is required as soon as any of the other
// three is set, and ID is required only when none of them is set.
type ResourceIdentifier struct {
	ProviderType string `json:"provider_type" yaml:"provider_type" validate:"required_with=ProviderURN Type URN"`
	ProviderURN string `json:"provider_urn" yaml:"provider_urn" validate:"required_with=ProviderType Type URN"`
	Type string `json:"type" yaml:"type" validate:"required_with=ProviderType ProviderURN URN"`
	URN string `json:"urn" yaml:"urn" validate:"required_with=ProviderType ProviderURN Type"`
	// ID is the record identifier; used when the tuple above is empty.
	ID string `json:"id" yaml:"id" validate:"required_without_all=ProviderType ProviderURN Type URN"`
}
type RevokeGrantsFilter ¶
type Role ¶
// Role is the configuration that defines a requestable role and maps it to
// the permissions granted in the provider.
type Role struct {
	// ID is the role identifier; required.
	ID string `json:"id" yaml:"id" validate:"required"`
	// Name is the display name; required.
	Name string `json:"name" yaml:"name" validate:"required"`
	// Description is optional free text.
	Description string `json:"description,omitempty" yaml:"description"`
	// Permissions are the provider permissions this role grants; required and
	// untyped here (GetOrderedPermissions returns them as a string slice).
	Permissions []interface{} `json:"permissions" yaml:"permissions" validate:"required"`
}
Role is the configuration that defines a role and maps it to the permissions in the provider
func (Role) GetOrderedPermissions ¶
GetOrderedPermissions returns the permissions as a string slice
type SensitiveConfig ¶
// SensitiveConfig is implemented by provider configurations that carry
// sensitive data: it combines SensitiveInformation (declared elsewhere in this
// package) with self-validation.
type SensitiveConfig interface {
	SensitiveInformation
	// Validate reports whether the configuration is well-formed.
	Validate() error
}
type SensitiveInformation ¶
type Step ¶
// Step is an individual process within an approval flow. Validation ties the
// fields together: Strategy must be "auto" or "manual", a manual step needs at
// least one entry in Approvers, and an auto step needs ApproveIf.
type Step struct {
	// Name is used as the step identifier.
	Name string `json:"name" yaml:"name" validate:"required"`
	// Description gives more detail about the step.
	Description string `json:"description" yaml:"description"`
	// AllowFailed lets the approval flow continue to the next step even when the current step is rejected.
	// If the last step has AllowFailed set to true and it gets rejected,
	// the appeal status resolves as approved (success).
	AllowFailed bool `json:"allow_failed" yaml:"allow_failed"`
	// When is an expression that determines whether the step should be evaluated or can be skipped up front.
	// If it evaluates to a falsy value, the step is skipped automatically. Otherwise the step becomes pending/blocked as usual.
	//
	// Accessible parameters:
	//   $appeal = Appeal object
	When string `json:"when,omitempty" yaml:"when,omitempty"`
	// Strategy defines whether the step requires manual approval ("manual") or is resolved automatically ("auto").
	Strategy ApprovalStepStrategy `json:"strategy" yaml:"strategy" validate:"required,oneof=auto manual"`
	// RejectionReason fills `Approval.Reason` if the approval step is rejected based on the `ApproveIf` expression.
	RejectionReason string `json:"rejection_reason" yaml:"rejection_reason"`
	// Approvers holds expressions whose evaluation returns a string or []string containing the email addresses
	// of the approvers. Use this field when human (manual) approval is required; validation requires at least
	// one entry when Strategy is manual.
	//
	// Accessible parameters:
	//   $appeal = Appeal object
	Approvers []string `json:"approvers,omitempty" yaml:"approvers,omitempty" validate:"required_if=Strategy manual,omitempty,min=1"`
	// ApproveIf is an expression that determines the resolution of the step. Use this field when the step should
	// be approved automatically; validation requires it when Strategy is auto.
	//
	// Accessible parameters:
	//   $appeal = Appeal object
	ApproveIf string `json:"approve_if,omitempty" yaml:"approve_if,omitempty" validate:"required_if=Strategy auto"`
	// DontAllowSelfApproval determines whether an approver may approve their own request.
	// The zero value (false) does not block self-approval, so a policy that needs separation of duties
	// must set it explicitly.
	DontAllowSelfApproval bool `json:"dont_allow_self_approval,omitempty" yaml:"dont_allow_self_approval,omitempty"`
	// Details stores additional details of the step.
	Details map[string]interface{} `json:"details,omitempty" yaml:"details,omitempty"`
	// TermsAndConditions is an optional field for storing custom step terms & conditions during approvals.
	TermsAndConditions string `json:"terms_and_conditions,omitempty" yaml:"terms_and_conditions,omitempty"`
}
Step is an individual process within an approval flow
type SummaryGroup ¶ added in v0.12.15
type SummaryParameters ¶ added in v0.12.15
type SummaryResult ¶ added in v0.12.15
// SummaryResult is the response shape of a summary query: the parameters that
// were applied plus grouped and unique results with their counts. Only json
// tags are declared, so yaml marshalling falls back to the default field names.
type SummaryResult struct {
	// AppliedParameters echoes the parameters used to build the summary.
	AppliedParameters *SummaryParameters `json:"applied_parameters,omitempty"`
	// SummaryGroups holds the grouped results.
	SummaryGroups []*SummaryGroup `json:"summary_groups,omitempty"`
	// SummaryUniques holds the unique-value results.
	SummaryUniques []*SummaryUnique `json:"summary_uniques,omitempty"`
	// Count, GroupsCount and UniquesCount are omitted from JSON when zero,
	// so a consumer cannot distinguish "0" from "absent".
	Count int32 `json:"count,omitempty"`
	GroupsCount int32 `json:"groups_count,omitempty"`
	UniquesCount int32 `json:"uniques_count,omitempty"`
}