Documentation
Overview
Package evaluator contains rego evaluators for evaluating authorize policy.
Index
- Variables
- type Denial
- type Evaluator
- type HeadersEvaluator
- type HeadersRequest
- type HeadersResponse
- type Option
- func WithAuthenticateURL(authenticateURL string) Option
- func WithClientCA(clientCA []byte) Option
- func WithGoogleCloudServerlessAuthenticationServiceAccount(serviceAccount string) Option
- func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option
- func WithPolicies(policies []config.Policy) Option
- func WithSigningKey(signingKeyAlgorithm, signingKey string) Option
- type PolicyEvaluator
- type PolicyRequest
- type PolicyResponse
- type Request
- type RequestHTTP
- type RequestSession
- type Result
- type Store
- func (s *Store) ClearRecords()
- func (s *Store) GetDataBrokerRecordOption() func(*rego.Rego)
- func (s *Store) GetDataBrokerVersions() (serverVersion, recordVersion uint64)
- func (s *Store) GetRecordData(typeURL, id string) proto.Message
- func (s *Store) UpdateGoogleCloudServerlessAuthenticationServiceAccount(serviceAccount string)
- func (s *Store) UpdateIssuer(issuer string)
- func (s *Store) UpdateJWTClaimHeaders(jwtClaimHeaders map[string]string)
- func (s *Store) UpdateRecord(serverVersion uint64, record *databroker.Record)
- func (s *Store) UpdateRoutePolicies(routePolicies []config.Policy)
- func (s *Store) UpdateSigningKey(signingKey *jose.JSONWebKey)
Constants
This section is empty.
Variables
var (
	GCPIdentityTokenExpiration = time.Minute * 45 // tokens expire after one hour according to the GCP docs
	GCPIdentityDocURL = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
	GCPIdentityNow = time.Now
	GCPIdentityMaxBodySize int64 = 1024 * 1024 * 10
)
GCP pre-defined values.
Functions
This section is empty.
Types
type Denial (added in v0.15.0)
A Denial indicates the request should be denied (even if otherwise allowed).
type Evaluator
type Evaluator struct {
	// contains filtered or unexported fields
}
An Evaluator evaluates policies.
type HeadersEvaluator (added in v0.15.0)
type HeadersEvaluator struct {
	// contains filtered or unexported fields
}
A HeadersEvaluator evaluates the headers.rego script.
func NewHeadersEvaluator (added in v0.15.0)
func NewHeadersEvaluator(ctx context.Context, store *Store) (*HeadersEvaluator, error)
NewHeadersEvaluator creates a new HeadersEvaluator.
func (*HeadersEvaluator) Evaluate (added in v0.15.0)
func (e *HeadersEvaluator) Evaluate(ctx context.Context, req *HeadersRequest) (*HeadersResponse, error)
Evaluate evaluates the headers.rego script.
type HeadersRequest (added in v0.15.0)
type HeadersRequest struct {
	EnableGoogleCloudServerlessAuthentication bool `json:"enable_google_cloud_serverless_authentication"`
	FromAudience string `json:"from_audience"`
	KubernetesServiceAccountToken string `json:"kubernetes_service_account_token"`
	ToAudience string `json:"to_audience"`
	Session RequestSession `json:"session"`
}
HeadersRequest is the input to the headers.rego script.
func NewHeadersRequestFromPolicy (added in v0.15.0)
func NewHeadersRequestFromPolicy(policy *config.Policy) *HeadersRequest
NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
type HeadersResponse (added in v0.15.0)
HeadersResponse is the output from the headers.rego script.
type Option (added in v0.15.0)
type Option func(*evaluatorConfig)
An Option customizes the evaluator config.
func WithAuthenticateURL (added in v0.15.0)
WithAuthenticateURL sets the authenticate URL in the config.
func WithClientCA (added in v0.15.0)
WithClientCA sets the client CA in the config.
func WithGoogleCloudServerlessAuthenticationServiceAccount (added in v0.15.0)
WithGoogleCloudServerlessAuthenticationServiceAccount sets the google cloud serverless authentication service account in the config.
func WithJWTClaimsHeaders (added in v0.15.0)
func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option
WithJWTClaimsHeaders sets the JWT claims headers in the config.
func WithPolicies (added in v0.15.0)
WithPolicies sets the policies in the config.
func WithSigningKey (added in v0.15.0)
WithSigningKey sets the signing key and algorithm in the config.
type PolicyEvaluator (added in v0.15.0)
type PolicyEvaluator struct {
	// contains filtered or unexported fields
}
A PolicyEvaluator evaluates policies.
func NewPolicyEvaluator (added in v0.15.0)
func NewPolicyEvaluator(ctx context.Context, store *Store, configPolicy *config.Policy) (*PolicyEvaluator, error)
NewPolicyEvaluator creates a new PolicyEvaluator.
func (*PolicyEvaluator) Evaluate (added in v0.15.0)
func (e *PolicyEvaluator) Evaluate(ctx context.Context, req *PolicyRequest) (*PolicyResponse, error)
Evaluate evaluates the policy rego scripts.
type PolicyRequest (added in v0.15.0)
type PolicyRequest struct {
	HTTP RequestHTTP `json:"http"`
	Session RequestSession `json:"session"`
	IsValidClientCertificate bool `json:"is_valid_client_certificate"`
}
PolicyRequest is the input to policy evaluation.
type PolicyResponse (added in v0.15.0)
PolicyResponse is the result of evaluating a policy.
func (*PolicyResponse) Merge (added in v0.15.0)
func (res *PolicyResponse) Merge(other *PolicyResponse) *PolicyResponse
Merge merges another PolicyResponse into this PolicyResponse. Access is allowed if either response allows it, and denied if either response denies it; a denial takes precedence over an allow.
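An added illustration of the combining rule just described, not the package's own code: it models PolicyResponse with an assumed minimal shape (an Allow flag and a Deny pointer, since the real fields are not listed on this page) and shows why a caller must check for a denial before trusting Allow.

```go
package main

import "fmt"

// Denial is an assumed minimal shape for illustration; the real type's
// fields are not shown on this page.
type Denial struct {
	Status  int
	Message string
}

// PolicyResponse is an assumed minimal shape for illustration.
type PolicyResponse struct {
	Allow bool
	Deny  *Denial
}

// Merge applies the documented rule: allowed if either allows, denied if
// either denies, with a denial taking precedence over an allow. When both
// sides carry a denial, the receiver's denial is kept (an assumption).
func (res *PolicyResponse) Merge(other *PolicyResponse) *PolicyResponse {
	merged := &PolicyResponse{Allow: res.Allow || other.Allow}
	if res.Deny != nil {
		merged.Deny = res.Deny
	} else if other.Deny != nil {
		merged.Deny = other.Deny
	}
	return merged
}

// EffectiveAllow is the decision a caller should act on: Allow may be true
// while Deny is set, and the denial wins. No allow at all is also a deny.
func (res *PolicyResponse) EffectiveAllow() bool {
	return res.Deny == nil && res.Allow
}

func main() {
	// Constructed sample responses: one route allows, another denies.
	allowed := &PolicyResponse{Allow: true}
	denied := &PolicyResponse{Deny: &Denial{Status: 403, Message: "constructed denial"}}
	m := allowed.Merge(denied)
	fmt.Println(m.Allow, m.Deny != nil, m.EffectiveAllow()) // true true false
}
```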
type Request
type Request struct {
	Policy *config.Policy
	HTTP RequestHTTP
	Session RequestSession
}
Request contains the inputs needed for evaluation.
type RequestHTTP (added in v0.10.0)
type RequestHTTP struct {
	Method string `json:"method"`
	URL string `json:"url"`
	Headers map[string]string `json:"headers"`
	ClientCertificate string `json:"client_certificate"`
}
RequestHTTP is the HTTP field in the request.
type RequestSession (added in v0.10.0)
type RequestSession struct {
	ID string `json:"id"`
}
RequestSession is the session field in the request.
type Result (added in v0.10.0)
type Result struct {
	Allow bool
	Deny *Denial
	Headers http.Header
	DataBrokerServerVersion, DataBrokerRecordVersion uint64
}
Result is the result of evaluation.
type Store (added in v0.10.0)
A Store stores data for the OPA rego policy evaluation.
func NewStoreFromProtos (added in v0.12.2)
NewStoreFromProtos creates a new Store from an existing set of protobuf messages.
func (*Store) ClearRecords (added in v0.10.0)
func (s *Store) ClearRecords()
ClearRecords removes all the records from the store.
func (*Store) GetDataBrokerRecordOption (added in v0.14.0)
GetDataBrokerRecordOption returns a function option that can retrieve databroker data.
func (*Store) GetDataBrokerVersions (added in v0.15.0)
GetDataBrokerVersions gets the databroker versions.
func (*Store) GetRecordData (added in v0.12.2)
GetRecordData gets a record's data from the store. `nil` is returned if no record exists for the given type and id.
func (*Store) UpdateGoogleCloudServerlessAuthenticationServiceAccount (added in v0.12.2)
UpdateGoogleCloudServerlessAuthenticationServiceAccount updates the google cloud serverless authentication service account in the store.
func (*Store) UpdateIssuer (added in v0.12.2)
UpdateIssuer updates the issuer in the store. The issuer is used as part of JWT construction.
func (*Store) UpdateJWTClaimHeaders (added in v0.12.2)
UpdateJWTClaimHeaders updates the jwt claim headers in the store.
func (*Store) UpdateRecord (added in v0.10.0)
func (s *Store) UpdateRecord(serverVersion uint64, record *databroker.Record)
UpdateRecord updates a record in the store.
func (*Store) UpdateRoutePolicies (added in v0.10.0)
UpdateRoutePolicies updates the route policies in the store.
func (*Store) UpdateSigningKey (added in v0.12.2)
func (s *Store) UpdateSigningKey(signingKey *jose.JSONWebKey)
UpdateSigningKey updates the signing key stored in the database. Signing operations in rego use JWKs, so we take in that format.