File: tunnel_access_control_entry.go

// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
// Generated from ../../../cs/src/Contracts/TunnelAccessControlEntry.cs

package tunnels

import (
	"time"
)

// TunnelAccessControlEntry is the data contract for a single entry (ACE) in the
// access control list of a `Tunnel` or `TunnelPort`.
//
// Each ACE either grants or denies a set of access scopes to a set of subjects.
// A tunnel port inherits the ACEs of its tunnel and may carry additional
// port-specific entries that extend or override the inherited rules.
type TunnelAccessControlEntry struct {
	// Type is the kind of access control entry (see TunnelAccessControlEntryType).
	Type TunnelAccessControlEntryType `json:"type"`

	// Provider identifies the system the subject identifiers come from, which
	// determines how they are resolved and displayed. It may be an identity provider
	// such as AAD, or a system/standard name such as "ssh" or "ipv4".
	//
	// For user, group and org ACEs this is the identity provider of the IDs: one of
	// the well-known names (the TunnelAccessControlEntryProvider* constants), or in
	// the future a custom identity provider. For public-key ACEs it is the key type,
	// e.g. "ssh". For IP address range ACEs it is the address version, "ipv4" or
	// "ipv6", or "service-tag" when the range is defined by an Azure service tag.
	// Anonymous ACEs carry no provider (empty, and therefore omitted from JSON).
	Provider string `json:"provider,omitempty"`

	// IsInherited reports whether this entry on a tunnel port was inherited from the
	// tunnel's own access control list rather than being set on the port itself.
	IsInherited bool `json:"isInherited,omitempty"`

	// IsDeny marks the entry as a deny rule that blocks access for its subjects;
	// when false the entry is an allow rule.
	//
	// Every deny rule, inherited ones included, is processed after all allow rules,
	// so a deny ACE cannot be undone by an allow ACE that appears later in the list
	// or on a more specific resource. In other words, an inherited deny is final.
	IsDeny bool `json:"isDeny,omitempty"`

	// IsInverse makes the entry apply to every subject that is NOT listed in Subjects.
	//
	// Examples: an inverse organizations ACE matches users who are not members of the
	// listed organization(s); an inverse anonymous ACE matches all authenticated
	// users; an inverse IP address ranges ACE matches clients outside every listed
	// range. Combined with IsDeny this is a common policy building block: deny users
	// who are not in the organization or are outside the address range, which no
	// tunnel can loosen because inherited deny ACEs cannot be overridden.
	IsInverse bool `json:"isInverse,omitempty"`

	// Organization is an optional organization context shared by all subjects of the
	// entry. Its meaning depends on Type and Provider: for AAD user and group ACEs it
	// is the AAD tenant ID, and it is not currently used with other ACE types.
	Organization string `json:"organization,omitempty"`

	// Subjects lists the subjects the entry applies to, such as user or group IDs.
	// The format of each value depends on Type and Provider.
	Subjects []string `json:"subjects"`

	// Scopes lists the access scopes the entry grants or denies to Subjects. Each
	// value must be one of `TunnelAccessScopes`.
	Scopes []string `json:"scopes"`

	// Expiration is the optional expiration time of the entry. A nil pointer means
	// no expiration is set, and the field is then omitted from JSON.
	Expiration *time.Time `json:"expiration,omitempty"`
}

// Well-known identity provider names used in TunnelAccessControlEntry.Provider.
type (
	// TunnelAccessControlEntryProviders is a list of well-known provider names.
	TunnelAccessControlEntryProviders []TunnelAccessControlEntryProvider

	// TunnelAccessControlEntryProvider is the name of a well-known identity provider
	// or subject system; the known values are the TunnelAccessControlEntryProvider*
	// constants.
	TunnelAccessControlEntryProvider string
)

const (
	// TunnelAccessControlEntryProviderMicrosoft is the Microsoft (AAD) identity provider.
	TunnelAccessControlEntryProviderMicrosoft TunnelAccessControlEntryProvider = "microsoft"

	// TunnelAccessControlEntryProviderGitHub is the GitHub identity provider.
	TunnelAccessControlEntryProviderGitHub TunnelAccessControlEntryProvider = "github"

	// TunnelAccessControlEntryProviderSsh denotes SSH public keys.
	TunnelAccessControlEntryProviderSsh TunnelAccessControlEntryProvider = "ssh"

	// TunnelAccessControlEntryProviderIPv4 denotes IPv4 addresses.
	TunnelAccessControlEntryProviderIPv4 TunnelAccessControlEntryProvider = "ipv4"

	// TunnelAccessControlEntryProviderIPv6 denotes IPv6 addresses.
	TunnelAccessControlEntryProviderIPv6 TunnelAccessControlEntryProvider = "ipv6"

	// TunnelAccessControlEntryProviderServiceTag denotes Azure service tags.
	TunnelAccessControlEntryProviderServiceTag TunnelAccessControlEntryProvider = "service-tag"
)