- Constants
- Variables
- func NewContextWithCallID(ctx context.Context, id ID) context.Context
- func NewUnaryInterceptor(log Log, store storage.Store, exclude ExcludeMethod) (grpc.UnaryServerInterceptor, error)
- func PeerFromContext(ctx context.Context) *auditv1.Peer
- func RegisterBackend(name string, cons Constructor)
- type AccessLogEntryMaker
- type AccessLogIterator
- type CheckResourcesFilter
- type Conf
- type Constructor
- type DecisionLogEntryFilter
- type DecisionLogEntryMaker
- type DecisionLogFilters
- type DecisionLogIterator
- type ExcludeMethod
- type ID
- type IDBytes
- type IDGen
- type IncludeKeysMethod
- type Info
- type Log
- type MetadataExtractor
- type PlanResourcesFilter
- type QueryableLog
Constants
// Metadata keys that appear to carry HTTP peer information from the gRPC
// gateway into the request context.
// NOTE(review): this page does not show how these keys are populated or
// checked; confirm that their values are only trusted when set by the gateway
// itself (see SetByGRPCGatewayVal and PeerFromContext) and not when supplied
// by an arbitrary client.
const ( SetByGRPCGatewayKey = "x-cerbos-set-by-grpc-gateway" HTTPRemoteAddrKey = "x-cerbos-http-remote-addr" )
// Kinds of audit log entry handled by this package: access log entries and
// decision log entries (see AccessLogEntryMaker and DecisionLogEntryMaker).
const ( KindAccess = "access" KindDecision = "decision" )
// ConfKey is the configuration section key for the audit subsystem
// (presumably the key under which Conf is read — confirm against the loader).
const (
ConfKey = "audit"
)
Variables
// ErrIteratorClosed is the sentinel error for a closed iterator.
// NOTE(review): presumably returned by AccessLogIterator/DecisionLogIterator
// Next once the iterator is exhausted or closed; compare with errors.Is.
var (
ErrIteratorClosed = errors.New("iterator closed")
)
// SetByGRPCGatewayVal is a package-level variable, presumably the value stored
// under SetByGRPCGatewayKey to mark metadata as set by the gateway — confirm.
// NOTE(review): being mutable package state, anything that relies on it for a
// trust decision should ensure it is fixed before requests are served.
var SetByGRPCGatewayVal string
Functions
func NewUnaryInterceptor
func NewUnaryInterceptor(log Log, store storage.Store, exclude ExcludeMethod) (grpc.UnaryServerInterceptor, error)
func RegisterBackend
func RegisterBackend(name string, cons Constructor)
RegisterBackend registers an audit log backend.
Types
type AccessLogEntryMaker
// AccessLogEntryMaker is a lazy constructor for access log entries: the entry
// is only built when the maker is invoked, and the maker may return an error.
type AccessLogEntryMaker func() (*auditv1.AccessLogEntry, error)
AccessLogEntryMaker is a lazy constructor for access log entries.
type AccessLogIterator
// AccessLogIterator yields access log entries one at a time via Next.
// NOTE(review): the end-of-iteration signal (a sentinel error such as
// ErrIteratorClosed, or a nil entry) is not shown on this page — confirm
// before relying on it.
type AccessLogIterator interface {
// Next returns the next entry, or an error.
Next() (*auditv1.AccessLogEntry, error)
}
type CheckResourcesFilter (added in v0.24.0)
// CheckResourcesFilter controls which CheckResources decisions are recorded in
// the decision log (see DecisionLogFilters.CheckResources).
type CheckResourcesFilter struct {
// IgnoreAllowAll ignores responses that don't contain an EFFECT_DENY.
IgnoreAllowAll bool `yaml:"ignoreAllowAll" conf:",example=false"`
}
type Conf
// Conf is optional configuration for Audit. Its fields are unexported (not
// shown on this page); SetDefaults fills in default values.
type Conf struct {
// contains filtered or unexported fields
}
Conf is optional configuration for Audit.
func (*Conf) SetDefaults
func (c *Conf) SetDefaults()
type Constructor
Constructor builds an audit log backend; see RegisterBackend and GetBackend.
func GetBackend (added in v0.49.0)
func GetBackend(name string) (Constructor, error)
GetBackend returns the constructor for the given driver.
type DecisionLogEntryFilter (added in v0.24.0)
// DecisionLogEntryFilter maps a decision log entry to the entry that should be
// logged; presumably a nil result means "do not log" — confirm with the
// implementation behind NewDecisionLogEntryFilterFromConf.
type DecisionLogEntryFilter func(*auditv1.DecisionLogEntry) *auditv1.DecisionLogEntry
func NewDecisionLogEntryFilter (added in v0.24.0)
func NewDecisionLogEntryFilter() (DecisionLogEntryFilter, error)
func NewDecisionLogEntryFilterFromConf (added in v0.24.0)
func NewDecisionLogEntryFilterFromConf(conf *Conf) DecisionLogEntryFilter
type DecisionLogEntryMaker
// DecisionLogEntryMaker is a lazy constructor for decision log entries: the
// entry is only built when the maker is invoked, and the maker may return an
// error.
type DecisionLogEntryMaker func() (*auditv1.DecisionLogEntry, error)
DecisionLogEntryMaker is a lazy constructor for decision log entries.
type DecisionLogFilters (added in v0.24.0)
// DecisionLogFilters groups the per-API filters that decide which decisions
// are recorded in the decision log (see NewDecisionLogEntryFilterFromConf).
type DecisionLogFilters struct {
// CheckResources defines the filters that apply to CheckResources calls.
CheckResources CheckResourcesFilter `yaml:"checkResources"`
// PlanResources defines the filters that apply to PlanResources calls.
PlanResources PlanResourcesFilter `yaml:"planResources"`
}
type DecisionLogIterator
// DecisionLogIterator yields decision log entries one at a time via Next.
// NOTE(review): the end-of-iteration signal (a sentinel error such as
// ErrIteratorClosed, or a nil entry) is not shown on this page — confirm
// before relying on it.
type DecisionLogIterator interface {
// Next returns the next entry, or an error.
Next() (*auditv1.DecisionLogEntry, error)
}
type ExcludeMethod
type ID
// ID identifies an audit log entry (see AccessLogEntryByID and
// DecisionLogEntryByID). IDs are ULIDs generated by NewIDForTS / NewIDForTime.
type ID string
func NewIDForTS
NewIDForTS generates a new ULID for the given timestamp.
func NewIDForTime
NewIDForTime generates a new ULID using the given time.
type IDGen
// IDGen generates ULIDs without the monotonicity guarantee: approximate
// ordering is sufficient for decision logs, so the extra cost of strict
// monotonic generation is avoided.
type IDGen struct {
// contains filtered or unexported fields
}
IDGen is a generator for ULIDs without the monotonicity guarantee. Monotonicity adds overhead that is not needed here, because approximate ordering is good enough for decision logs.
type IncludeKeysMethod (added in v0.21.0)
type Log
// Log is the interface implemented by audit log backends (see RegisterBackend
// and NewLogFromConf). It embeds Info and io.Closer, so a backend must be
// closed when no longer needed. Entries are passed as lazy makers
// (AccessLogEntryMaker / DecisionLogEntryMaker), presumably so a backend can
// skip building entries it will not write — confirm with the implementations.
type Log interface {
Info
io.Closer
// WriteAccessLogEntry records an access log entry built by the maker.
WriteAccessLogEntry(context.Context, AccessLogEntryMaker) error
// WriteDecisionLogEntry records a decision log entry built by the maker.
WriteDecisionLogEntry(context.Context, DecisionLogEntryMaker) error
}
func NewLogFromConf (added in v0.15.0)
type MetadataExtractor (added in v0.24.0)
// MetadataExtractor reads metadata from a request context and returns it keyed
// by name, presumably for inclusion in audit log entries (see
// NewMetadataExtractorFromConf).
// NOTE(review): whether the extracted values are client-controlled is not shown
// here; treat them as untrusted data when they are rendered or queried.
type MetadataExtractor func(context.Context) map[string]*auditv1.MetaValues
func NewMetadataExtractor (added in v0.24.0)
func NewMetadataExtractor() (MetadataExtractor, error)
func NewMetadataExtractorFromConf (added in v0.24.0)
func NewMetadataExtractorFromConf(conf *Conf) MetadataExtractor
type PlanResourcesFilter (added in v0.24.0)
// PlanResourcesFilter controls which PlanResources responses are recorded in
// the decision log (see DecisionLogFilters.PlanResources).
type PlanResourcesFilter struct {
// IgnoreAll prevents any plan responses from being logged. Takes precedence over other filters.
IgnoreAll bool `yaml:"ignoreAll" conf:",example=false"`
// IgnoreAlwaysAllow ignores ALWAYS_ALLOWED plans.
IgnoreAlwaysAllow bool `yaml:"ignoreAlwaysAllow" conf:",example=false"`
}
type QueryableLog (added in v0.17.0)
// QueryableLog extends Log with read access to stored entries: the most recent
// N entries, entries within a time range, and lookup by ID. Each query returns
// an iterator rather than a slice, so results can be consumed incrementally.
// NOTE(review): authorization around these read paths is not shown on this
// page; audit data is sensitive, so callers exposing them should gate access.
type QueryableLog interface {
Log
// LastNAccessLogEntries returns up to N most recent access log entries.
LastNAccessLogEntries(context.Context, uint) AccessLogIterator
// LastNDecisionLogEntries returns up to N most recent decision log entries.
LastNDecisionLogEntries(context.Context, uint) DecisionLogIterator
// AccessLogEntriesBetween returns access log entries between the two times.
AccessLogEntriesBetween(context.Context, time.Time, time.Time) AccessLogIterator
// DecisionLogEntriesBetween returns decision log entries between the two times.
DecisionLogEntriesBetween(context.Context, time.Time, time.Time) DecisionLogIterator
// AccessLogEntryByID looks up an access log entry by its ID.
AccessLogEntryByID(context.Context, ID) AccessLogIterator
// DecisionLogEntryByID looks up a decision log entry by its ID.
DecisionLogEntryByID(context.Context, ID) DecisionLogIterator
}