Documentation
Overview
Package evaluator contains Rego evaluators for evaluating authorize policy.
Index
- Variables
- type Evaluator
- type HeadersEvaluator
- type HeadersRequest
- type HeadersResponse
- type Option
- func WithAuthenticateURL(authenticateURL string) Option
- func WithClientCA(clientCA []byte) Option
- func WithGoogleCloudServerlessAuthenticationServiceAccount(serviceAccount string) Option
- func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option
- func WithPolicies(policies []config.Policy) Option
- func WithSigningKey(signingKey string) Option
- type PolicyEvaluator
- type PolicyRequest
- type PolicyResponse
- type Request
- type RequestHTTP
- type RequestSession
- type Result
- type RuleResult
- type Store
- func (s *Store) ClearRecords()
- func (s *Store) GetDataBrokerRecordOption() func(*rego.Rego)
- func (s *Store) GetDataBrokerVersions() (serverVersion, recordVersion uint64)
- func (s *Store) GetRecordData(typeURL, id string) proto.Message
- func (s *Store) UpdateGoogleCloudServerlessAuthenticationServiceAccount(serviceAccount string)
- func (s *Store) UpdateIssuer(issuer string)
- func (s *Store) UpdateJWTClaimHeaders(jwtClaimHeaders map[string]string)
- func (s *Store) UpdateRecord(serverVersion uint64, record *databroker.Record)
- func (s *Store) UpdateRoutePolicies(routePolicies []config.Policy)
- func (s *Store) UpdateSigningKey(signingKey *jose.JSONWebKey)
Constants
This section is empty.
Variables
var (
	GCPIdentityTokenExpiration = time.Minute * 45 // treat tokens as expired after 45 minutes, a margin below the one-hour lifetime stated in the GCP docs
	GCPIdentityDocURL = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
	GCPIdentityNow = time.Now
	GCPIdentityMaxBodySize int64 = 1024 * 1024 * 10
)
GCP pre-defined values.
Functions
This section is empty.
Types
type Evaluator
type Evaluator struct {
// contains filtered or unexported fields
}
An Evaluator evaluates policies.
type HeadersEvaluator (added in v0.15.0)
type HeadersEvaluator struct {
// contains filtered or unexported fields
}
A HeadersEvaluator evaluates the headers.rego script.
func NewHeadersEvaluator (added in v0.15.0)
func NewHeadersEvaluator(ctx context.Context, store *Store) (*HeadersEvaluator, error)
NewHeadersEvaluator creates a new HeadersEvaluator.
func (*HeadersEvaluator) Evaluate (added in v0.15.0)
func (e *HeadersEvaluator) Evaluate(ctx context.Context, req *HeadersRequest) (*HeadersResponse, error)
Evaluate evaluates the headers.rego script.
type HeadersRequest (added in v0.15.0)
type HeadersRequest struct {
	EnableGoogleCloudServerlessAuthentication bool `json:"enable_google_cloud_serverless_authentication"`
	EnableRoutingKey bool `json:"enable_routing_key"`
	FromAudience string `json:"from_audience"`
	KubernetesServiceAccountToken string `json:"kubernetes_service_account_token"`
	ToAudience string `json:"to_audience"`
	Session RequestSession `json:"session"`
	PassAccessToken bool `json:"pass_access_token"`
	PassIDToken bool `json:"pass_id_token"`
}
HeadersRequest is the input to the headers.rego script.
func NewHeadersRequestFromPolicy (added in v0.15.0)
func NewHeadersRequestFromPolicy(policy *config.Policy) *HeadersRequest
NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
type HeadersResponse (added in v0.15.0)
HeadersResponse is the output from the headers.rego script.
type Option (added in v0.15.0)
type Option func(*evaluatorConfig)
An Option customizes the evaluator config.
func WithAuthenticateURL (added in v0.15.0)
WithAuthenticateURL sets the authenticate URL in the config.
func WithClientCA (added in v0.15.0)
WithClientCA sets the client CA in the config.
func WithGoogleCloudServerlessAuthenticationServiceAccount (added in v0.15.0)
WithGoogleCloudServerlessAuthenticationServiceAccount sets the Google Cloud serverless authentication service account in the config.
func WithJWTClaimsHeaders (added in v0.15.0)
func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option
WithJWTClaimsHeaders sets the JWT claims headers in the config.
func WithPolicies (added in v0.15.0)
WithPolicies sets the policies in the config.
func WithSigningKey (added in v0.15.0)
WithSigningKey sets the signing key and algorithm in the config.
type PolicyEvaluator (added in v0.15.0)
type PolicyEvaluator struct {
// contains filtered or unexported fields
}
A PolicyEvaluator evaluates policies.
func NewPolicyEvaluator (added in v0.15.0)
func NewPolicyEvaluator(ctx context.Context, store *Store, configPolicy *config.Policy) (*PolicyEvaluator, error)
NewPolicyEvaluator creates a new PolicyEvaluator.
func (*PolicyEvaluator) Evaluate (added in v0.15.0)
func (e *PolicyEvaluator) Evaluate(ctx context.Context, req *PolicyRequest) (*PolicyResponse, error)
Evaluate evaluates the policy rego scripts.
type PolicyRequest (added in v0.15.0)
type PolicyRequest struct {
	HTTP RequestHTTP `json:"http"`
	Session RequestSession `json:"session"`
	IsValidClientCertificate bool `json:"is_valid_client_certificate"`
}
PolicyRequest is the input to policy evaluation.
type PolicyResponse (added in v0.15.0)
type PolicyResponse struct {
Allow, Deny RuleResult
}
PolicyResponse is the result of evaluating a policy.
func NewPolicyResponse (added in v0.15.6)
func NewPolicyResponse() *PolicyResponse
NewPolicyResponse creates a new PolicyResponse.
type Request
type Request struct {
	Policy *config.Policy
	HTTP RequestHTTP
	Session RequestSession
}
Request contains the inputs needed for evaluation.
type RequestHTTP (added in v0.10.0)
type RequestHTTP struct {
	Method string `json:"method"`
	Path string `json:"path"`
	URL string `json:"url"`
	Headers map[string]string `json:"headers"`
	ClientCertificate string `json:"client_certificate"`
}
RequestHTTP is the HTTP field in the request.
func NewRequestHTTP (added in v0.16.0)
func NewRequestHTTP(method string, requestURL url.URL, headers map[string]string, rawClientCertificate string) RequestHTTP
NewRequestHTTP creates a new RequestHTTP.
type RequestSession (added in v0.10.0)
type RequestSession struct {
ID string `json:"id"`
}
RequestSession is the session field in the request.
type Result (added in v0.10.0)
type Result struct {
	Allow RuleResult
	Deny RuleResult
	Headers http.Header
	DataBrokerServerVersion, DataBrokerRecordVersion uint64
}
Result is the result of evaluation.
type RuleResult (added in v0.15.6)
type RuleResult struct {
	Value bool
	Reasons criteria.Reasons
	AdditionalData map[string]interface{}
}
A RuleResult is the result of evaluating a rule.
func MergeRuleResultsWithOr (added in v0.15.6)
func MergeRuleResultsWithOr(results ...RuleResult) RuleResult
MergeRuleResultsWithOr merges all the results using `or`.
func NewRuleResult (added in v0.15.6)
func NewRuleResult(value bool, reasons ...criteria.Reason) RuleResult
NewRuleResult creates a new RuleResult.
type Store (added in v0.10.0)
A Store stores data for the OPA rego policy evaluation.
func NewStoreFromProtos (added in v0.12.2)
NewStoreFromProtos creates a new Store from an existing set of protobuf messages.
func (*Store) ClearRecords (added in v0.10.0)
func (s *Store) ClearRecords()
ClearRecords removes all the records from the store.
func (*Store) GetDataBrokerRecordOption (added in v0.14.0)
GetDataBrokerRecordOption returns a function option that can retrieve databroker data.
func (*Store) GetDataBrokerVersions (added in v0.15.0)
GetDataBrokerVersions gets the databroker versions.
func (*Store) GetRecordData (added in v0.12.2)
GetRecordData gets a record's data from the store. `nil` is returned if no record exists for the given type and id.
func (*Store) UpdateGoogleCloudServerlessAuthenticationServiceAccount (added in v0.12.2)
UpdateGoogleCloudServerlessAuthenticationServiceAccount updates the Google Cloud serverless authentication service account in the store.
func (*Store) UpdateIssuer (added in v0.12.2)
UpdateIssuer updates the issuer in the store. The issuer is used as part of JWT construction.
func (*Store) UpdateJWTClaimHeaders (added in v0.12.2)
UpdateJWTClaimHeaders updates the JWT claim headers in the store.
func (*Store) UpdateRecord (added in v0.10.0)
func (s *Store) UpdateRecord(serverVersion uint64, record *databroker.Record)
UpdateRecord updates a record in the store.
func (*Store) UpdateRoutePolicies (added in v0.10.0)
UpdateRoutePolicies updates the route policies in the store.
func (*Store) UpdateSigningKey (added in v0.12.2)
func (s *Store) UpdateSigningKey(signingKey *jose.JSONWebKey)
UpdateSigningKey updates the signing key stored in the database. Signing operations in rego use JWKs, so we take in that format.