UnionAllowLists merges multiple allow lists, returning the set of resources permitted by any input. A global wildcard short-circuits the merge. When no entries are present across all inputs, the result is an empty allow list.
(lists ...[]AllowListElement)
// UnionAllowLists merges any number of allow lists into one that permits every
// resource permitted by at least one input. Elements are de-duplicated by their
// String() form, in first-seen order, and the merged slice is then handed to
// NormalizeAllowList, whose result and error are returned unchanged.
//
// A single element whose Type and ID are both policy.WildcardSymbol makes the
// function return the one-element list built from AllowListAll() immediately.
// That path returns before NormalizeAllowList is called, so the remaining
// elements of the inputs are never passed through it.
//
// When no entries are present across all inputs, the result is an empty allow
// list (an empty, non-nil slice is what NormalizeAllowList receives).
// NOTE(review): confirm that the enforcement side treats an empty allow list as
// "permit nothing" rather than "unrestricted"; that is not visible here.
func UnionAllowLists(lists ...[]AllowListElement) ([]AllowListElement, error) {
	merged := []AllowListElement{}
	dedupe := map[string]struct{}{}

	for i := range lists {
		for _, entry := range lists[i] {
			// Only the fully global wildcard (type AND id) widens the result to
			// "everything"; an element with a wildcard in just one field is
			// merged like any other element.
			isGlobal := entry.Type == policy.WildcardSymbol && entry.ID == policy.WildcardSymbol
			if isGlobal {
				return []AllowListElement{AllowListAll()}, nil
			}

			// The String() form is the identity used for de-duplication.
			id := entry.String()
			if _, dup := dedupe[id]; !dup {
				dedupe[id] = struct{}{}
				merged = append(merged, entry)
			}
		}
	}

	return NormalizeAllowList(merged)
}
| 151 | |
| 152 | // IntersectAllowLists combines the allow list produced by RBAC expansion with the |
| 153 | // API key's stored allow list. The result enforces both constraints: any |