Documentation
Overview
Package policy provides authorization evaluation for OIDC subjects. It determines whether a subject is allowed to receive a bridge certificate and what capabilities they should get.
See ADR-011 for design context: the authority needs a composable policy layer between OIDC token verification and certificate issuance.
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CapabilityMapper
CapabilityMapper converts provider-specific claims into Signet capability URIs. This allows the policy evaluator to delegate capability mapping to provider-specific logic.
type EvaluationRequest
type EvaluationRequest struct {
	// Provider identifies the OIDC provider (e.g., "github-actions").
	Provider string
	// Subject is the OIDC sub claim.
	Subject string
	// Claims contains provider-specific claims (e.g., "repository", "workflow").
	Claims map[string]any
	// RequestedCaps lists capabilities the subject is requesting (optional).
	RequestedCaps []string
}
EvaluationRequest contains the information needed to evaluate a policy decision.
type EvaluationResult
type EvaluationResult struct {
	// Allowed indicates whether the subject is authorized.
	Allowed bool
	// Capabilities lists granted capability URIs.
	Capabilities []string
	// Validity overrides the default certificate validity (zero = use default).
	Validity time.Duration
	// Reason explains why the subject was denied (for logging, not for the subject).
	Reason string
}
EvaluationResult contains the policy decision.
type PolicyEvaluator
type PolicyEvaluator interface {
	// Evaluate checks if a subject is allowed and returns granted capabilities.
	Evaluate(ctx context.Context, req *EvaluationRequest) (*EvaluationResult, error)
}
PolicyEvaluator determines authorization for OIDC subjects.
type StaticPolicyEvaluator
type StaticPolicyEvaluator struct {
	// AllowedRepositories restricts which repositories can get bridge certificates.
	// Empty = allow all.
	AllowedRepositories []string
	// AllowedWorkflows restricts which workflow files can get bridge certificates.
	// Empty = allow all.
	AllowedWorkflows []string
	// DefaultValidity overrides cert validity when set (zero = use provider default).
	DefaultValidity time.Duration
	// MapCaps maps claims to capability URIs. If nil, no capabilities are granted.
	MapCaps CapabilityMapper
}
StaticPolicyEvaluator implements PolicyEvaluator using static allowlists. This wraps the existing AllowedRepositories/AllowedWorkflows config pattern from pkg/oidc/github.go into a composable interface.
func (*StaticPolicyEvaluator) Evaluate
func (s *StaticPolicyEvaluator) Evaluate(_ context.Context, req *EvaluationRequest) (*EvaluationResult, error)
Evaluate checks the subject against static allowlists and maps capabilities.
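The evaluator described on this page, as an added example that is not the package's own code: the types are reconstructed locally from the definitions above so the block runs stand-alone, and the CapabilityMapper signature (a func from claims to URIs) and the exact-match, empty-means-allow-all allowlist semantics are assumptions. It fails closed when a claim is missing or not a string.

```go
package main

import (
	"context"
	"time"
)
// CapabilityMapper's definition is not shown on the page; this signature is assumed.
type CapabilityMapper func(claims map[string]any) []string
type EvaluationRequest struct {
	Provider, Subject string
	Claims            map[string]any
	RequestedCaps     []string
}
type EvaluationResult struct {
	Allowed      bool
	Capabilities []string
	Validity     time.Duration
	Reason       string // for the authority's logs, never echoed to the subject
}
type StaticPolicyEvaluator struct {
	AllowedRepositories, AllowedWorkflows []string
	DefaultValidity                       time.Duration
	MapCaps                               CapabilityMapper
}
// inAllowlist is exact-match only; an empty list means "allow all".
func inAllowlist(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return len(list) == 0
}

// Evaluate fails closed: a missing or non-string claim matches nothing, so a
// non-empty allowlist denies it; a nil MapCaps grants no capabilities.
func (s *StaticPolicyEvaluator) Evaluate(_ context.Context, req *EvaluationRequest) (*EvaluationResult, error) {
	if repo, _ := req.Claims["repository"].(string); !inAllowlist(s.AllowedRepositories, repo) {
		return &EvaluationResult{Reason: "repository not allowed: " + repo}, nil
	}
	if wf, _ := req.Claims["workflow"].(string); !inAllowlist(s.AllowedWorkflows, wf) {
		return &EvaluationResult{Reason: "workflow not allowed: " + wf}, nil
	}
	res := &EvaluationResult{Allowed: true, Validity: s.DefaultValidity}
	if s.MapCaps != nil {
		res.Capabilities = s.MapCaps(req.Claims)
	}
	return res, nil
}
```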