Documentation
¶
Overview ¶
Package evaluator contains rego evaluators for evaluating authorize policy.
Index ¶
- Variables
- type Evaluator
- type HeadersEvaluator
- type HeadersRequest
- type HeadersResponse
- type Option
- func WithAuthenticateURL(authenticateURL string) Option
- func WithClientCA(clientCA []byte) Option
- func WithGoogleCloudServerlessAuthenticationServiceAccount(serviceAccount string) Option
- func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option
- func WithPolicies(policies []config.Policy) Option
- func WithSigningKey(signingKey string) Option
- type PolicyEvaluator
- type PolicyRequest
- type PolicyResponse
- type Request
- type RequestHTTP
- type RequestSession
- type Result
- type RuleResult
Constants ¶
This section is empty.
Variables ¶
var ( GCPIdentityTokenExpiration = time.Minute * 45 // tokens expire after one hour according to the GCP docs GCPIdentityDocURL = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity" GCPIdentityNow = time.Now GCPIdentityMaxBodySize int64 = 1024 * 1024 * 10 )
GCP pre-defined values.
Functions ¶
This section is empty.
Types ¶
type Evaluator ¶
type Evaluator struct {
// contains filtered or unexported fields
}
An Evaluator evaluates policies.
type HeadersEvaluator ¶ added in v0.15.0
type HeadersEvaluator struct {
// contains filtered or unexported fields
}
A HeadersEvaluator evaluates the headers.rego script.
func NewHeadersEvaluator ¶ added in v0.15.0
NewHeadersEvaluator creates a new HeadersEvaluator.
func (*HeadersEvaluator) Evaluate ¶ added in v0.15.0
func (e *HeadersEvaluator) Evaluate(ctx context.Context, req *HeadersRequest) (*HeadersResponse, error)
Evaluate evaluates the headers.rego script.
type HeadersRequest ¶ added in v0.15.0
type HeadersRequest struct {
EnableGoogleCloudServerlessAuthentication bool `json:"enable_google_cloud_serverless_authentication"`
EnableRoutingKey bool `json:"enable_routing_key"`
FromAudience string `json:"from_audience"`
KubernetesServiceAccountToken string `json:"kubernetes_service_account_token"`
ToAudience string `json:"to_audience"`
Session RequestSession `json:"session"`
PassAccessToken bool `json:"pass_access_token"`
PassIDToken bool `json:"pass_id_token"`
}
HeadersRequest is the input to the headers.rego script.
func NewHeadersRequestFromPolicy ¶ added in v0.15.0
func NewHeadersRequestFromPolicy(policy *config.Policy) *HeadersRequest
NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
type HeadersResponse ¶ added in v0.15.0
HeadersResponse is the output from the headers.rego script.
type Option ¶ added in v0.15.0
type Option func(*evaluatorConfig)
An Option customizes the evaluator config.
func WithAuthenticateURL ¶ added in v0.15.0
WithAuthenticateURL sets the authenticate URL in the config.
func WithClientCA ¶ added in v0.15.0
WithClientCA sets the client CA in the config.
func WithGoogleCloudServerlessAuthenticationServiceAccount ¶ added in v0.15.0
WithGoogleCloudServerlessAuthenticationServiceAccount sets the google cloud serverless authentication service account in the config.
func WithJWTClaimsHeaders ¶ added in v0.15.0
func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option
WithJWTClaimsHeaders sets the JWT claims headers in the config.
func WithPolicies ¶ added in v0.15.0
WithPolicies sets the policies in the config.
func WithSigningKey ¶ added in v0.15.0
WithSigningKey sets the signing key and algorithm in the config.
type PolicyEvaluator ¶ added in v0.15.0
type PolicyEvaluator struct {
// contains filtered or unexported fields
}
A PolicyEvaluator evaluates policies.
func NewPolicyEvaluator ¶ added in v0.15.0
func NewPolicyEvaluator(ctx context.Context, store *store.Store, configPolicy *config.Policy) (*PolicyEvaluator, error)
NewPolicyEvaluator creates a new PolicyEvaluator.
func (*PolicyEvaluator) Evaluate ¶ added in v0.15.0
func (e *PolicyEvaluator) Evaluate(ctx context.Context, req *PolicyRequest) (*PolicyResponse, error)
Evaluate evaluates the policy rego scripts.
type PolicyRequest ¶ added in v0.15.0
type PolicyRequest struct {
HTTP RequestHTTP `json:"http"`
Session RequestSession `json:"session"`
IsValidClientCertificate bool `json:"is_valid_client_certificate"`
}
PolicyRequest is the input to policy evaluation.
type PolicyResponse ¶ added in v0.15.0
type PolicyResponse struct {
Allow, Deny RuleResult
Traces []contextutil.PolicyEvaluationTrace
}
PolicyResponse is the result of evaluating a policy.
func NewPolicyResponse ¶ added in v0.15.6
func NewPolicyResponse() *PolicyResponse
NewPolicyResponse creates a new PolicyResponse.
type Request ¶
type Request struct {
Policy *config.Policy
HTTP RequestHTTP
Session RequestSession
}
Request contains the inputs needed for evaluation.
type RequestHTTP ¶ added in v0.10.0
type RequestHTTP struct {
Method string `json:"method"`
Path string `json:"path"`
URL string `json:"url"`
Headers map[string]string `json:"headers"`
ClientCertificate string `json:"client_certificate"`
IP string `json:"ip"`
}
RequestHTTP is the HTTP field in the request.
func NewRequestHTTP ¶ added in v0.16.0
func NewRequestHTTP( method string, requestURL url.URL, headers map[string]string, rawClientCertificate string, ip string, ) RequestHTTP
NewRequestHTTP creates a new RequestHTTP.
type RequestSession ¶ added in v0.10.0
type RequestSession struct {
ID string `json:"id"`
}
RequestSession is the session field in the request.
type Result ¶ added in v0.10.0
type Result struct {
Allow RuleResult
Deny RuleResult
Headers http.Header
Traces []contextutil.PolicyEvaluationTrace
}
Result is the result of evaluation.
type RuleResult ¶ added in v0.15.6
type RuleResult struct {
Value bool
Reasons criteria.Reasons
AdditionalData map[string]interface{}
}
A RuleResult is the result of evaluating a rule.
func MergeRuleResultsWithOr ¶ added in v0.15.6
func MergeRuleResultsWithOr(results ...RuleResult) RuleResult
MergeRuleResultsWithOr merges all the results using `or`.
func NewRuleResult ¶ added in v0.15.6
func NewRuleResult(value bool, reasons ...criteria.Reason) RuleResult
NewRuleResult creates a new RuleResult.
Source Files
Directories