51 lines
1.6 KiB
Go
51 lines
1.6 KiB
Go
|
package trustgraph
|
||
|
|
||
|
import "github.com/docker/libtrust"
|
||
|
|
||
|
// TrustGraph represents a graph of authorization mapping
|
||
|
// public keys to nodes and grants between nodes.
|
||
|
type TrustGraph interface {
|
||
|
// Verifies that the given public key is allowed to perform
|
||
|
// the given action on the given node according to the trust
|
||
|
// graph.
|
||
|
Verify(libtrust.PublicKey, string, uint16) (bool, error)
|
||
|
|
||
|
// GetGrants returns an array of all grant chains which are used to
|
||
|
// allow the requested permission.
|
||
|
GetGrants(libtrust.PublicKey, string, uint16) ([][]*Grant, error)
|
||
|
}
|
||
|
|
||
|
// Grant represents a transfer of permission from one part of the
|
||
|
// trust graph to another. This is the only way to delegate
|
||
|
// permission between two different sub trees in the graph.
|
||
|
type Grant struct {
|
||
|
// Subject is the namespace being granted
|
||
|
Subject string
|
||
|
|
||
|
// Permissions is a bit map of permissions
|
||
|
Permission uint16
|
||
|
|
||
|
// Grantee represents the node being granted
|
||
|
// a permission scope. The grantee can be
|
||
|
// either a namespace item or a key id where namespace
|
||
|
// items will always start with a '/'.
|
||
|
Grantee string
|
||
|
|
||
|
// statement represents the statement used to create
|
||
|
// this object.
|
||
|
statement *Statement
|
||
|
}
|
||
|
|
||
|
// Permissions
|
||
|
// Read node 0x01 (can read node, no sub nodes)
|
||
|
// Write node 0x02 (can write to node object, cannot create subnodes)
|
||
|
// Read subtree 0x04 (delegates read to each sub node)
|
||
|
// Write subtree 0x08 (delegates write to each sub node, included create on the subject)
|
||
|
//
|
||
|
// Permission shortcuts
|
||
|
// ReadItem = 0x01
|
||
|
// WriteItem = 0x03
|
||
|
// ReadAccess = 0x07
|
||
|
// WriteAccess = 0x0F
|
||
|
// Delegate = 0x0F
|