The following recursive protos allow for arbitrary nesting of logical operators when constructing an EnclaveIdentityExpectation-based ACL. Such ACLs can be evaluated against a set of identities belonging to an enclave to make authorization decisions.
An ACL is represented by a top-level IdentityAclPredicate. A predicate can either be a singular EnclaveIdentityExpectation, or a nested IdentityAclGroup, which contains a list of predicates as well as a logical
An OR-group is satisfied if any of the embedded predicates are satisfied.
An AND-group is satisfied if all of the embedded predicates are satisfied.
A NOT-group is required to have only a single embedded predicate and is satisfied if the embedded predicate is not satisfied.
An EnclaveIdentityExpectation predicate is satisfied if it is matched by any of a given set of enclave identities.
IdentityAclPredicate: Represents either a group of predicates or a single expectation.
IdentityAclGroup: Represents a group of ACL predicates.
Possible logical operators to use when evaluating the results of matching |predicates| against a set of identities:
OR: Evaluates to true iff any predicates match.
AND: Evaluates to true iff all predicates match.
NOT: Evaluates to true iff no predicates match. |predicates| must have exactly one element.
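The recursive evaluation described above, as an added example that is not code from Asylo: it uses simplified stand-in types rather than the generated proto classes, and assumes an expectation is a plain string matched by an identical identity string. The Decision enum, the Expect/Group/SampleAcl helpers and the identity strings are hypothetical; a NOT-group without exactly one predicate is reported as malformed instead of being evaluated.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Simplified stand-ins for the protos above, not Asylo's generated classes.
// Assumption: an expectation is a string matched by an identical identity.
enum class GroupType { OR, AND, NOT };
enum class Decision { kDeny, kAllow, kMalformed };

struct Predicate {
  bool is_group;                      // false: single expectation
  std::string expectation;            // used when !is_group
  GroupType type;                     // used when is_group
  std::vector<Predicate> predicates;  // used when is_group
};
using Ids = std::set<std::string>;

Predicate Expect(const std::string& e) { return Predicate{false, e, GroupType::OR, {}}; }
Predicate Group(GroupType t, const std::vector<Predicate>& p) { return Predicate{true, "", t, p}; }

// Children are evaluated without short-circuiting on a match, so a malformed
// NOT-group is reported even beside a matching branch and is never negated
// into kAllow by an enclosing NOT.
Decision Evaluate(const Predicate& acl, const Ids& ids) {
  if (!acl.is_group)
    return ids.count(acl.expectation) ? Decision::kAllow : Decision::kDeny;
  if (acl.type == GroupType::NOT && acl.predicates.size() != 1)
    return Decision::kMalformed;
  bool any = false, all = true;
  for (const Predicate& p : acl.predicates) {
    Decision d = Evaluate(p, ids);
    if (d == Decision::kMalformed) return d;
    any = any || d == Decision::kAllow;
    all = all && d == Decision::kAllow;
  }
  bool ok = acl.type == GroupType::OR ? any : acl.type == GroupType::AND ? all : !any;
  return ok ? Decision::kAllow : Decision::kDeny;
}

// Constructed sample: AND(OR(signer-A, signer-B), NOT(debug)).
Predicate SampleAcl() {
  return Group(GroupType::AND,
               {Group(GroupType::OR, {Expect("signer-A"), Expect("signer-B")}),
                Group(GroupType::NOT, {Expect("debug")})});
}

int main() {
  std::cout << (Evaluate(SampleAcl(), Ids{"signer-A"}) == Decision::kAllow) << "\n";           // 1
  std::cout << (Evaluate(SampleAcl(), Ids{"signer-B", "debug"}) == Decision::kAllow) << "\n";  // 0
}
```

A caller making an authorization decision should treat kMalformed the same as kDeny and surface the ACL error separately.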