package markitect
import "github.com/netkingdom/flex-auth/pkg/api"
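// Action names understood by the Markitect policy gateway. Each value is the
// wire-level string stored in ActionMapping.Action and emitted as
// api.ActionDefinition.Name; the full contract for each one (capabilities,
// planes, exposure modes, allowed effects, required context) lives in
// ActionVocabulary.
const (
	// ActionRead names the read action (data plane, view capability).
	ActionRead = "read"
	// ActionQuery names the query action (data plane, collection view/observe).
	ActionQuery = "query"
	// ActionSearch names the search action (data plane, collection view/observe).
	ActionSearch = "search"
	// ActionPackage names the package action (intent and data planes).
	ActionPackage = "package"
	// ActionActivateContext names the context-activation action (intent and policy planes).
	ActionActivateContext = "activate_context"
	// ActionExport names the export action (data and audit planes).
	ActionExport = "export"
	// ActionWorkflowRun names the workflow-run action (execution, data and audit planes).
	ActionWorkflowRun = "workflow_run"
	// ActionAdmin names the administrative action (configuration, identity, policy and audit planes).
	ActionAdmin = "admin"
)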
// ActionMapping describes the Markitect policy-gateway action contract.
//
// ActionVocabulary holds one ActionMapping per action; ActionDefinitions
// projects each one onto an api.ActionDefinition for the protected system.
type ActionMapping struct {
	// Action is the vocabulary name, one of the Action* constants.
	Action string `json:"action"`
	// Capabilities are the api.Capability values associated with the action.
	Capabilities []api.Capability `json:"capabilities"`
	// Planes are the api.Plane values the action is mapped to.
	Planes []api.Plane `json:"planes"`
	// ExposureModes are the api.ExposureMode values the action may use
	// (metadata, masked, aggregated, plaintext, exportable in ActionVocabulary).
	ExposureModes []api.ExposureMode `json:"exposure_modes"`
	// AllowedEffects are the api.DecisionEffect values permitted for the action.
	AllowedEffects []api.DecisionEffect `json:"allowed_effects"`
	// RequiredContext lists the api.Condition values attached to the action
	// (logged, purpose-bound, MFA-required in ActionVocabulary). It is the only
	// field with omitempty: a nil or empty slice is dropped from the JSON form,
	// so an action with no conditions serializes without the key.
	RequiredContext []api.Condition `json:"required_context,omitempty"`
}
// ActionVocabulary is the canonical Markitect action vocabulary.
//
// This is an exported, mutable package-level var: nothing in this file
// prevents another package from reassigning it or editing its entries at
// runtime. Treat it as read-only; ActionDefinitions copies the slices out of
// it rather than handing out the backing arrays.
//
// Reading the table: read/query/search permit the redact effect and carry no
// RequiredContext, while every other action replaces redact with audit-only
// and requires at least the logged condition. Export and admin additionally
// require MFA.
var ActionVocabulary = []ActionMapping{
	// read: view on the data plane, up to plaintext exposure, no RequiredContext.
	// NOTE(review): plaintext exposure with no conditions attached — confirm
	// this is intended rather than an omission.
	{
		Action:         ActionRead,
		Capabilities:   []api.Capability{api.CapabilityView},
		Planes:         []api.Plane{api.PlaneData},
		ExposureModes:  []api.ExposureMode{api.ExposureModeMetadata, api.ExposureModeMasked, api.ExposureModePlaintext},
		AllowedEffects: []api.DecisionEffect{api.DecisionEffectAllow, api.DecisionEffectDeny, api.DecisionEffectRedact},
	},
	// query: collection view/observe on the data plane; aggregated or masked,
	// never plaintext; no RequiredContext.
	{
		Action:         ActionQuery,
		Capabilities:   []api.Capability{api.CapabilityViewCollection, api.CapabilityObserve},
		Planes:         []api.Plane{api.PlaneData},
		ExposureModes:  []api.ExposureMode{api.ExposureModeMetadata, api.ExposureModeAggregated, api.ExposureModeMasked},
		AllowedEffects: []api.DecisionEffect{api.DecisionEffectAllow, api.DecisionEffectDeny, api.DecisionEffectRedact},
	},
	// search: identical contract to query.
	{
		Action:         ActionSearch,
		Capabilities:   []api.Capability{api.CapabilityViewCollection, api.CapabilityObserve},
		Planes:         []api.Plane{api.PlaneData},
		ExposureModes:  []api.ExposureMode{api.ExposureModeMetadata, api.ExposureModeAggregated, api.ExposureModeMasked},
		AllowedEffects: []api.DecisionEffect{api.DecisionEffectAllow, api.DecisionEffectDeny, api.DecisionEffectRedact},
	},
	// package: create/bind across the intent and data planes; masked at most;
	// audit-only replaces redact; must be logged.
	{
		Action:          ActionPackage,
		Capabilities:    []api.Capability{api.CapabilityCreate, api.CapabilityBind, api.CapabilityViewCollection},
		Planes:          []api.Plane{api.PlaneIntent, api.PlaneData},
		ExposureModes:   []api.ExposureMode{api.ExposureModeMetadata, api.ExposureModeMasked},
		AllowedEffects:  []api.DecisionEffect{api.DecisionEffectAllow, api.DecisionEffectDeny, api.DecisionEffectAuditOnly},
		RequiredContext: []api.Condition{api.ConditionLogged},
	},
	// activate_context: use/execute on the intent and policy planes; the only
	// action that requires the purpose-bound condition in addition to logging.
	{
		Action:          ActionActivateContext,
		Capabilities:    []api.Capability{api.CapabilityUse, api.CapabilityExecute},
		Planes:          []api.Plane{api.PlaneIntent, api.PlanePolicy},
		ExposureModes:   []api.ExposureMode{api.ExposureModeMetadata, api.ExposureModeMasked},
		AllowedEffects:  []api.DecisionEffect{api.DecisionEffectAllow, api.DecisionEffectDeny, api.DecisionEffectAuditOnly},
		RequiredContext: []api.Condition{api.ConditionLogged, api.ConditionPurposeBound},
	},
	// export: the only action with the exportable exposure mode; touches the
	// audit plane and requires MFA plus logging.
	{
		Action:          ActionExport,
		Capabilities:    []api.Capability{api.CapabilityExport},
		Planes:          []api.Plane{api.PlaneData, api.PlaneAudit},
		ExposureModes:   []api.ExposureMode{api.ExposureModeExportable, api.ExposureModePlaintext},
		AllowedEffects:  []api.DecisionEffect{api.DecisionEffectAllow, api.DecisionEffectDeny, api.DecisionEffectAuditOnly},
		RequiredContext: []api.Condition{api.ConditionMFARequired, api.ConditionLogged},
	},
	// workflow_run: execute/operate on execution, data and audit planes; allows
	// plaintext exposure with only the logged condition (no MFA).
	// NOTE(review): confirm plaintext-without-MFA is intended for workflow runs.
	{
		Action:          ActionWorkflowRun,
		Capabilities:    []api.Capability{api.CapabilityExecute, api.CapabilityOperate},
		Planes:          []api.Plane{api.PlaneExecution, api.PlaneData, api.PlaneAudit},
		ExposureModes:   []api.ExposureMode{api.ExposureModeMetadata, api.ExposureModeMasked, api.ExposureModePlaintext},
		AllowedEffects:  []api.DecisionEffect{api.DecisionEffectAllow, api.DecisionEffectDeny, api.DecisionEffectAuditOnly},
		RequiredContext: []api.Condition{api.ConditionLogged},
	},
	// admin: configure/grant/revoke/audit across configuration, identity,
	// policy and audit planes; requires MFA plus logging.
	{
		Action:          ActionAdmin,
		Capabilities:    []api.Capability{api.CapabilityConfigure, api.CapabilityGrant, api.CapabilityRevoke, api.CapabilityAudit},
		Planes:          []api.Plane{api.PlaneConfiguration, api.PlaneIdentity, api.PlanePolicy, api.PlaneAudit},
		ExposureModes:   []api.ExposureMode{api.ExposureModeMetadata, api.ExposureModePlaintext},
		AllowedEffects:  []api.DecisionEffect{api.DecisionEffectAllow, api.DecisionEffectDeny, api.DecisionEffectAuditOnly},
		RequiredContext: []api.Condition{api.ConditionMFARequired, api.ConditionLogged},
	},
}
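// LookupAction returns the canonical mapping for an action.
//
// The returned ActionMapping is detached from ActionVocabulary: its slice
// fields are copied so a caller that edits them cannot rewrite the shared
// policy table through the aliased backing arrays. This matches the copy
// discipline ActionDefinitions already applies. The boolean reports whether
// action is in the vocabulary; on a miss the zero ActionMapping is returned.
func LookupAction(action string) (ActionMapping, bool) {
	for i := range ActionVocabulary {
		mapping := &ActionVocabulary[i]
		if mapping.Action != action {
			continue
		}
		// append onto a nil slice copies the elements; with zero elements it
		// returns nil, so a nil RequiredContext stays nil (and omitempty still
		// drops it from JSON).
		return ActionMapping{
			Action:          mapping.Action,
			Capabilities:    append([]api.Capability(nil), mapping.Capabilities...),
			Planes:          append([]api.Plane(nil), mapping.Planes...),
			ExposureModes:   append([]api.ExposureMode(nil), mapping.ExposureModes...),
			AllowedEffects:  append([]api.DecisionEffect(nil), mapping.AllowedEffects...),
			RequiredContext: append([]api.Condition(nil), mapping.RequiredContext...),
		}, true
	}
	return ActionMapping{}, false
}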
// ActionDefinitions returns protected-system action definitions for Markitect.
//
// One api.ActionDefinition is produced per ActionVocabulary entry, in table
// order. Every slice in the result is a fresh copy, so callers may modify the
// definitions without touching the canonical vocabulary. AllowedEffects and
// RequiredContext are carried in Metadata under the keys "allowed_effects"
// and "required_context".
func ActionDefinitions() []api.ActionDefinition {
	defs := make([]api.ActionDefinition, 0, len(ActionVocabulary))
	for i := range ActionVocabulary {
		m := &ActionVocabulary[i]
		def := api.ActionDefinition{
			Name:          m.Action,
			Capabilities:  append([]api.Capability(nil), m.Capabilities...),
			Planes:        append([]api.Plane(nil), m.Planes...),
			ExposureModes: append([]api.ExposureMode(nil), m.ExposureModes...),
		}
		// Appending onto a nil slice copies the elements; an entry with no
		// RequiredContext yields a nil value under "required_context".
		def.Metadata = map[string]any{
			"allowed_effects":  append([]api.DecisionEffect(nil), m.AllowedEffects...),
			"required_context": append([]api.Condition(nil), m.RequiredContext...),
		}
		defs = append(defs, def)
	}
	return defs
}