evaluator

package
v0.25.1
Published: Mar 13, 2024 License: Apache-2.0 Imports: 38 Imported by: 1

Documentation

Overview

Package evaluator contains rego evaluators for evaluating authorize policy.

Index

Constants

This section is empty.

Variables

var (
	GCPIdentityTokenExpiration       = time.Minute * 45 // treated as expired after 45 minutes; tokens expire after one hour according to the GCP docs
	GCPIdentityDocURL                = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
	GCPIdentityNow                   = time.Now          // clock source, replaceable in tests
	GCPIdentityMaxBodySize     int64 = 1024 * 1024 * 10  // 10 MiB cap on the metadata response body
)

GCP pre-defined values.

Functions

This section is empty.

Types

type ClientCertConstraints added in v0.23.0

type ClientCertConstraints struct {
	// MaxVerifyDepth is the maximum allowed certificate chain depth (not
	// counting the leaf certificate). A value of 0 indicates no maximum.
	MaxVerifyDepth uint32

	// SANMatchers is a map of SAN type to regex match expression. When
	// non-empty, a client certificate must contain at least one Subject
	// Alternative Name that matches one of the expressions.
	SANMatchers SANMatchers
}

ClientCertConstraints contains additional constraints to validate when verifying a client certificate.

func ClientCertConstraintsFromConfig added in v0.23.0

func ClientCertConstraintsFromConfig(
	cfg *config.DownstreamMTLSSettings,
) (*ClientCertConstraints, error)

ClientCertConstraintsFromConfig populates a new ClientCertConstraints struct based on the provided configuration.

type ClientCertificateInfo added in v0.23.0

type ClientCertificateInfo struct {
	// Presented is true if the client presented a certificate.
	Presented bool `json:"presented"`

	// Leaf contains the leaf client certificate (unvalidated).
	Leaf string `json:"leaf,omitempty"`

	// Intermediates contains the remainder of the client certificate chain as
	// it was originally presented by the client (unvalidated).
	Intermediates string `json:"intermediates,omitempty"`
}

ClientCertificateInfo contains information about the certificate presented by the client (if any).

type Evaluator

type Evaluator struct {
	// contains filtered or unexported fields
}

An Evaluator evaluates policies.

func New added in v0.10.0

func New(
	ctx context.Context, store *store.Store, previous *Evaluator, options ...Option,
) (*Evaluator, error)

New creates a new Evaluator.

func (*Evaluator) Evaluate added in v0.10.0

func (e *Evaluator) Evaluate(ctx context.Context, req *Request) (*Result, error)

Evaluate evaluates the rego for the given policy and generates the identity headers.

type HeadersEvaluator added in v0.15.0

type HeadersEvaluator struct {
	// contains filtered or unexported fields
}

A HeadersEvaluator evaluates the headers.rego script.

func NewHeadersEvaluator added in v0.15.0

func NewHeadersEvaluator(ctx context.Context, store *store.Store) (*HeadersEvaluator, error)

NewHeadersEvaluator creates a new HeadersEvaluator.

func (*HeadersEvaluator) Evaluate added in v0.15.0

Evaluate evaluates the headers.rego script.

type HeadersRequest added in v0.15.0

type HeadersRequest struct {
	EnableGoogleCloudServerlessAuthentication bool                  `json:"enable_google_cloud_serverless_authentication"`
	EnableRoutingKey                          bool                  `json:"enable_routing_key"`
	Issuer                                    string                `json:"issuer"`
	KubernetesServiceAccountToken             string                `json:"kubernetes_service_account_token"`
	ToAudience                                string                `json:"to_audience"`
	Session                                   RequestSession        `json:"session"`
	ClientCertificate                         ClientCertificateInfo `json:"client_certificate"`
	SetRequestHeaders                         map[string]string     `json:"set_request_headers"`
}

HeadersRequest is the input to the headers.rego script.

func NewHeadersRequestFromPolicy added in v0.15.0

func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) *HeadersRequest

NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.

type HeadersResponse added in v0.15.0

type HeadersResponse struct {
	Headers http.Header
}

HeadersResponse is the output from the headers.rego script.

type Option added in v0.15.0

type Option func(*evaluatorConfig)

An Option customizes the evaluator config.

func WithAddDefaultClientCertificateRule added in v0.23.0

func WithAddDefaultClientCertificateRule(addDefaultClientCertificateRule bool) Option

WithAddDefaultClientCertificateRule sets whether to add a default invalid_client_certificate deny rule to all policies.

func WithAuthenticateURL added in v0.15.0

func WithAuthenticateURL(authenticateURL string) Option

WithAuthenticateURL sets the authenticate URL in the config.

func WithClientCA added in v0.15.0

func WithClientCA(clientCA []byte) Option

WithClientCA sets the client CA in the config.

func WithClientCRL added in v0.23.0

func WithClientCRL(clientCRL []byte) Option

WithClientCRL sets the client CRL in the config.

func WithClientCertConstraints added in v0.23.0

func WithClientCertConstraints(constraints *ClientCertConstraints) Option

WithClientCertConstraints sets additional client certificate constraints.

func WithGoogleCloudServerlessAuthenticationServiceAccount added in v0.15.0

func WithGoogleCloudServerlessAuthenticationServiceAccount(serviceAccount string) Option

WithGoogleCloudServerlessAuthenticationServiceAccount sets the Google Cloud serverless authentication service account in the config.

func WithJWTClaimsHeaders added in v0.15.0

func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option

WithJWTClaimsHeaders sets the JWT claims headers in the config.

func WithPolicies added in v0.15.0

func WithPolicies(policies []config.Policy) Option

WithPolicies sets the policies in the config.

func WithSigningKey added in v0.15.0

func WithSigningKey(signingKey []byte) Option

WithSigningKey sets the signing key and algorithm in the config.

type PolicyEvaluator added in v0.15.0

type PolicyEvaluator struct {
	// contains filtered or unexported fields
}

A PolicyEvaluator evaluates policies.

func NewPolicyEvaluator added in v0.15.0

func NewPolicyEvaluator(
	ctx context.Context, store *store.Store, configPolicy *config.Policy,
	addDefaultClientCertificateRule bool,
) (*PolicyEvaluator, error)

NewPolicyEvaluator creates a new PolicyEvaluator.

func (*PolicyEvaluator) Evaluate added in v0.15.0

func (e *PolicyEvaluator) Evaluate(ctx context.Context, req *PolicyRequest) (*PolicyResponse, error)

Evaluate evaluates the policy rego scripts.

type PolicyRequest added in v0.15.0

type PolicyRequest struct {
	HTTP                     RequestHTTP    `json:"http"`
	Session                  RequestSession `json:"session"`
	IsValidClientCertificate bool           `json:"is_valid_client_certificate"`
}

PolicyRequest is the input to policy evaluation.

type PolicyResponse added in v0.15.0

type PolicyResponse struct {
	Allow, Deny RuleResult
	Traces      []contextutil.PolicyEvaluationTrace
}

PolicyResponse is the result of evaluating a policy.

func NewPolicyResponse added in v0.15.6

func NewPolicyResponse() *PolicyResponse

NewPolicyResponse creates a new PolicyResponse.

type Request

type Request struct {
	IsInternal bool
	Policy     *config.Policy
	HTTP       RequestHTTP
	Session    RequestSession
}

Request contains the inputs needed for evaluation.

type RequestHTTP added in v0.10.0

type RequestHTTP struct {
	Method            string                `json:"method"`
	Hostname          string                `json:"hostname"`
	Path              string                `json:"path"`
	URL               string                `json:"url"`
	Headers           map[string]string     `json:"headers"`
	ClientCertificate ClientCertificateInfo `json:"client_certificate"`
	IP                string                `json:"ip"`
}

RequestHTTP is the HTTP field in the request.

func NewRequestHTTP added in v0.16.0

func NewRequestHTTP(
	method string,
	requestURL url.URL,
	headers map[string]string,
	clientCertificate ClientCertificateInfo,
	ip string,
) RequestHTTP

NewRequestHTTP creates a new RequestHTTP.

type RequestSession added in v0.10.0

type RequestSession struct {
	ID string `json:"id"`
}

RequestSession is the session field in the request.

type Result added in v0.10.0

type Result struct {
	Allow   RuleResult
	Deny    RuleResult
	Headers http.Header
	Traces  []contextutil.PolicyEvaluationTrace
}

Result is the result of evaluation.

type RuleResult added in v0.15.6

type RuleResult struct {
	Value          bool
	Reasons        criteria.Reasons
	AdditionalData map[string]interface{}
}

A RuleResult is the result of evaluating a rule.

func MergeRuleResultsWithOr added in v0.15.6

func MergeRuleResultsWithOr(results ...RuleResult) RuleResult

MergeRuleResultsWithOr merges all the results using `or`.

func NewRuleResult added in v0.15.6

func NewRuleResult(value bool, reasons ...criteria.Reason) RuleResult

NewRuleResult creates a new RuleResult.

type SANMatchers added in v0.23.0

type SANMatchers = map[config.SANType]*regexp.Regexp

SANMatchers is a map of SAN type to regex match expression.

Directories

Path Synopsis
Package opa implements the policy evaluator interface to make authorization decisions.
