puppetlabs.trapperkeeper.authorization.acl

Liking cljdoc? Tell your friends :D

Clojure only.

ACE^clj

An authorization entry matching a network or a domain

An authorization entry matching a network or a domain

source raw docstring

ace-compare^clj

(ace-compare a b)

Inputs: [a :- ACE b :- ACE] Returns: schema/Int

Compare two ACEs. Deny ACEs always come before allow ACEs.

For two ACEs of the same type - deny or allow - the 'b' entry always comes before the 'a' entry. When used as a comparator for a sorted set, this ensures that entries of the same type are ordered first-in, first-out.

Inputs: [a :- ACE b :- ACE]
Returns: schema/Int

Compare two ACEs.  Deny ACEs always come before allow ACEs.

For two ACEs of the same type - deny or allow - the 'b' entry always comes
before the 'a' entry.  When used as a comparator for a sorted set, this
ensures that entries of the same type are ordered first-in, first-out.

source raw docstring

ACEChallenge^clj

Pertinent authorization information extracted from a request used during authz rule enforcement.

Pertinent authorization information extracted from a request used during
authz rule enforcement.

source raw docstring

ACEConfig^clj

Schema for representing the configuration of an ACE.

Schema for representing the configuration of an ACE.

source raw docstring

ACEValue^clj

source

ACL^clj

An ordered list of authorization Entry

An ordered list of authorization Entry

source raw docstring

add-ace^clj

(add-ace auth-type value)

(add-ace acl auth-type value)

Inputs: ([auth-type :- AuthType value :- ACEConfig] [acl :- ACL auth-type :- AuthType value :- ACEConfig]) Returns: ACL

Add a new host ACE to this acl

Inputs: ([auth-type :- AuthType value :- ACEConfig] [acl :- ACL auth-type :- AuthType value :- ACEConfig])
Returns: ACL

Add a new host ACE to this acl

source raw docstring

allow^clj

(allow value)

(allow acl value)

Inputs: ([value :- ACEConfig] [acl :- ACL value :- ACEConfig]) Returns: ACL

Allow a new value to an ACL

Inputs: ([value :- ACEConfig] [acl :- ACL value :- ACEConfig])
Returns: ACL

Allow a new value to an ACL

source raw docstring

allow?^clj

(allow? ace)

Inputs: [ace :- ACE] Returns: schema/Bool

Inputs: [ace :- ACE]
Returns: schema/Bool

source raw docstring

allowed?^clj

(allowed? acl incoming-ace)

(allowed? acl incoming-ace options)

Inputs: ([acl :- ACL incoming-ace :- ACEChallenge] [acl :- ACL incoming-ace :- ACEChallenge options :- {(schema/optional-key :captures) [schema/Str], (schema/optional-key :oid-map) OIDMap}]) Returns: schema/Bool

Returns true if the name is allowed by acl, otherwise returns false

Inputs: ([acl :- ACL incoming-ace :- ACEChallenge] [acl :- ACL incoming-ace :- ACEChallenge options :- {(schema/optional-key :captures) [schema/Str], (schema/optional-key :oid-map) OIDMap}])
Returns: schema/Bool

Returns true if the name is allowed by acl, otherwise returns false

source raw docstring

AuthType^clj

source

default-oid-map^clj

A default map of string OIDs to keyword names. These should be standard OIDs that any user of tk-auth might be interested in using. This map should be respected anywhere oid-maps are consulted.

A default map of string OIDs to keyword names. These should be standard OIDs
that any user of tk-auth might be interested in using. This map should be
respected anywhere oid-maps are consulted.

source raw docstring

deny^clj

(deny value)

(deny acl value)

Inputs: ([value :- ACEConfig] [acl :- ACL value :- ACEConfig]) Returns: ACL

Deny a new value to an ACL

Inputs: ([value :- ACEConfig] [acl :- ACL value :- ACEConfig])
Returns: ACL

Deny a new value to an ACL

source raw docstring

deny?^clj

(deny? ace)

Inputs: [ace :- ACE] Returns: schema/Bool

Inputs: [ace :- ACE]
Returns: schema/Bool

source raw docstring

empty-acl^clj

source

ExtensionRule^clj

Schema for defining an SSL Extension auth rule.

Schema for defining an SSL Extension auth rule.

source raw docstring

Extensions^clj

Schema for representing SSL Extensions as they come in on a request's certificate. Maps from a keyword shortname to a string value by default with special casing for more complex keys. The only special key supported now is :subject-alt-name which contains a map of keyword to lists of strings (if present at all).

Schema for representing SSL Extensions as they come in on a request's
certificate. Maps from a keyword shortname to a string value by default with
special casing for more complex keys. The only special key supported now is
:subject-alt-name which contains a map of keyword to lists of strings (if
present at all).

source raw docstring

interpolate-backreference^clj

(interpolate-backreference {:keys [match auth-type] :as ace} captures)

Inputs: [{:keys [match auth-type], :as ace} :- ACE captures :- [schema/Str]] Returns: ACE

change all possible backreferences in ace patterns to values from the capture groups

Inputs: [{:keys [match auth-type], :as ace} :- ACE captures :- [schema/Str]]
Returns: ACE

change all possible backreferences in ace patterns to values from the
capture groups

source raw docstring

match-extensions?^clj

(match-extensions? oid-map ace extensions)

Inputs: [oid-map :- OIDMap ace :- ACE extensions :- Extensions] Returns: schema/Bool

Returns true if the provided SSL extension map matches the configured ACE. All of the keys in the ACE must appear in the extensions map and, if the value for a key in the ACE is a list, at least one of the listed values must be set in the incoming extensions map.

Note the behavior in the following scenario: If an ACE specifies {:deny {:extensions {:pp_env 'test' :pp_image 'bad image'}}}

ONLY a request with both :pp_env set to 'test' and :pp_image set to 'bad image' would be denied. If any request with :pp_env set to 'test' is to be denied, it needs a standalone deny rule.

If the :subject-alt-name key is present in the extension map, a match is done for each givenName key in the incoming request. For example, given a rule like this:

{:extensions {:subject-alt-name {:dns-name ["foobar.org" "barbaz.net"] :ip "192.168.0.1"}}}

these requests would match:

{:extensions {:subject-alt-name {:dns-name ["foobar.org" "slimjim.net"]}}}

{:extensions {:subject-alt-name {:dns-name ["snapinto.org" "slimjim.net"] :ip ["192.168.0.1"]}}}

and these would not match:

{:extensions {:subject-alt-name {:dns-name ["snapinto.org" "slimjim.net"] :ip ["192.168.0.0"]}}}

{:extensions {:subject-alt-name {:ip ["192.168.0.0"]}}}

Inputs: [oid-map :- OIDMap ace :- ACE extensions :- Extensions]
Returns: schema/Bool

Returns true if the provided SSL extension map matches the configured ACE.
All of the keys in the ACE must appear in the extensions map and, if the value
for a key in the ACE is a list, at least one of the listed values must be set
in the incoming extensions map.

Note the behavior in the following scenario: If an ACE specifies
{:deny {:extensions {:pp_env 'test'
                     :pp_image 'bad image'}}}

*ONLY* a request with both :pp_env set to 'test' and :pp_image set to 'bad
image' would be denied. If *any* request with :pp_env set to 'test' is to be
denied, it needs a standalone deny rule.

If the :subject-alt-name key is present in the extension map, a match is done
for each givenName key in the incoming request. For example, given a rule like
this:

{:extensions {:subject-alt-name {:dns-name ["foobar.org" "barbaz.net"]
                                 :ip "192.168.0.1"}}}

these requests would match:

{:extensions {:subject-alt-name {:dns-name ["foobar.org" "slimjim.net"]}}}

{:extensions {:subject-alt-name {:dns-name ["snapinto.org" "slimjim.net"]
                                 :ip       ["192.168.0.1"]}}}

and these would not match:

{:extensions {:subject-alt-name {:dns-name ["snapinto.org" "slimjim.net"]
                                 :ip       ["192.168.0.0"]}}}

{:extensions {:subject-alt-name {:ip       ["192.168.0.0"]}}}

source raw docstring

match?^clj

(match? acl-ace incoming-ace)

(match? {:keys [match] :as acl-ace} {:keys [certname extensions]} oid-map)

Inputs: ([acl-ace :- ACE incoming-ace :- ACEChallenge] [{:keys [match], :as acl-ace} :- ACE {:keys [certname extensions]} :- ACEChallenge oid-map :- OIDMap]) Returns: schema/Bool

Returns true if the given value matches the given ace

Inputs: ([acl-ace :- ACE incoming-ace :- ACEChallenge] [{:keys [match], :as acl-ace} :- ACE {:keys [certname extensions]} :- ACEChallenge oid-map :- OIDMap])
Returns: schema/Bool

Returns true if the given value matches the given ace

source raw docstring

new-domain^clj

(new-domain auth-type {:keys [certname extensions rbac]})

Inputs: [auth-type :- AuthType {:keys [certname extensions rbac]} :- ACEConfig] Returns: ACE

Creates a new ACE for a domain

Inputs: [auth-type :- AuthType {:keys [certname extensions rbac]} :- ACEConfig]
Returns: ACE

Creates a new ACE for a domain

source raw docstring

OIDMap^clj

Mapping of string OIDs to shortname keywords. Used to update an incoming request with a shortname -> value extensions map.

Mapping of string OIDs to shortname keywords. Used to update an incoming
request with a shortname -> value extensions map.

source raw docstring

rbac-allowed?^clj

(rbac-allowed? acl subject rbac-is-permitted?)

Inputs: [acl :- ACL subject rbac-is-permitted? :- (schema/maybe IFn)] Returns: schema/Bool

Returns true if the acl permits the rbac subject via rbac permissions

Inputs: [acl :- ACL subject rbac-is-permitted? :- (schema/maybe IFn)]
Returns: schema/Bool

Returns true if the acl permits the rbac subject via rbac permissions

source raw docstring

RBACRule^clj

Schema for defining an RBAC Permission

Schema for defining an RBAC Permission

source raw docstring

cljdoc is a website building & hosting documentation for Clojure/Script libraries

Keyboard shortcuts Report a problem cljdoc on GitHub

× close