117 lines
4.7 KiB
TypeScript
117 lines
4.7 KiB
TypeScript
import { TunnelAccessControlEntryType } from './tunnelAccessControlEntryType';
|
|
/**
|
|
* Data contract for an access control entry on a {@link Tunnel} or {@link TunnelPort}.
|
|
*
|
|
* An access control entry (ACE) grants or denies one or more access scopes to one or more
|
|
* subjects. Tunnel ports inherit access control entries from their tunnel, and they may
|
|
* have additional port-specific entries that augment or override those access rules.
|
|
*/
|
|
export interface TunnelAccessControlEntry {
|
|
/**
|
|
* Gets or sets the access control entry type.
|
|
*/
|
|
type: TunnelAccessControlEntryType;
|
|
/**
|
|
* Gets or sets the provider of the subjects in this access control entry. The
|
|
* provider impacts how the subject identifiers are resolved and displayed. The
|
|
* provider may be an identity provider such as AAD, or a system or standard such as
|
|
* "ssh" or "ipv4".
|
|
*
|
|
* For user, group, or org ACEs, this value is the name of the identity provider of
|
|
* the user/group/org IDs. It may be one of the well-known provider names in {@link
|
|
* TunnelAccessControlEntry.providers}, or (in the future) a custom identity provider.
|
|
* For public key ACEs, this value is the type of public key, e.g. "ssh". For IP
|
|
* address range ACEs, this value is the IP address version, "ipv4" or "ipv6", or
|
|
* "service-tag" if the range is defined by an Azure service tag. For anonymous ACEs,
|
|
* this value is null.
|
|
*/
|
|
provider?: string;
|
|
/**
|
|
* Gets or sets a value indicating whether this is an access control entry on a tunnel
|
|
* port that is inherited from the tunnel's access control list.
|
|
*/
|
|
isInherited?: boolean;
|
|
/**
|
|
* Gets or sets a value indicating whether this entry is a deny rule that blocks
|
|
* access to the specified users. Otherwise it is an allow rule.
|
|
*
|
|
* All deny rules (including inherited rules) are processed after all allow rules.
|
|
* Therefore a deny ACE cannot be overridden by an allow ACE that is later in the list
|
|
* or on a more-specific resource. In other words, inherited deny ACEs cannot be
|
|
* overridden.
|
|
*/
|
|
isDeny?: boolean;
|
|
/**
|
|
* Gets or sets a value indicating whether this entry applies to all subjects that are
|
|
* NOT in the {@link TunnelAccessControlEntry.subjects} list.
|
|
*
|
|
* Examples: an inverse organizations ACE applies to all users who are not members of
|
|
* the listed organization(s); an inverse anonymous ACE applies to all authenticated
|
|
* users; an inverse IP address ranges ACE applies to all clients that are not within
|
|
* any of the listed IP address ranges. The inverse option is often useful in policies
|
|
* in combination with {@link TunnelAccessControlEntry.isDeny}, for example a policy
|
|
* could deny access to users who are not members of an organization or are outside of
|
|
* an IP address range, effectively blocking any tunnels from allowing outside access
|
|
* (because inherited deny ACEs cannot be overridden).
|
|
*/
|
|
isInverse?: boolean;
|
|
/**
|
|
* Gets or sets an optional organization context for all subjects of this entry. The
|
|
* use and meaning of this value depends on the {@link TunnelAccessControlEntry.type}
|
|
* and {@link TunnelAccessControlEntry.provider} of this entry.
|
|
*
|
|
* For AAD users and group ACEs, this value is the AAD tenant ID. It is not currently
|
|
* used with any other types of ACEs.
|
|
*/
|
|
organization?: string;
|
|
/**
|
|
* Gets or sets the subjects for the entry, such as user or group IDs. The format of
|
|
* the values depends on the {@link TunnelAccessControlEntry.type} and {@link
|
|
* TunnelAccessControlEntry.provider} of this entry.
|
|
*/
|
|
subjects: string[];
|
|
/**
|
|
* Gets or sets the access scopes that this entry grants or denies to the subjects.
|
|
*
|
|
* These must be one or more values from {@link TunnelAccessScopes}.
|
|
*/
|
|
scopes: string[];
|
|
/**
|
|
* Gets or sets the expiration for an access control entry.
|
|
*
|
|
* If no value is set then this value is null.
|
|
*/
|
|
expiration?: Date;
|
|
}
|
|
export declare namespace TunnelAccessControlEntry {
|
|
/**
|
|
* Constants for well-known identity providers.
|
|
*/
|
|
enum Providers {
|
|
/**
|
|
* Microsoft (AAD) identity provider.
|
|
*/
|
|
Microsoft = "microsoft",
|
|
/**
|
|
* GitHub identity provider.
|
|
*/
|
|
GitHub = "github",
|
|
/**
|
|
* SSH public keys.
|
|
*/
|
|
Ssh = "ssh",
|
|
/**
|
|
* IPv4 addresses.
|
|
*/
|
|
IPv4 = "ipv4",
|
|
/**
|
|
* IPv6 addresses.
|
|
*/
|
|
IPv6 = "ipv6",
|
|
/**
|
|
* Service tags.
|
|
*/
|
|
ServiceTag = "service-tag"
|
|
}
|
|
}
|
|
//# sourceMappingURL=tunnelAccessControlEntry.d.ts.map
|