Documentation ¶
Overview ¶
Package evaluator contains rego evaluators for evaluating authorize policy.
Index ¶
- Variables
- type ClientCertConstraints
- type ClientCertificateInfo
- type Evaluator
- type HeadersEvaluator
- type HeadersRequest
- type HeadersResponse
- type Option
- func WithAddDefaultClientCertificateRule(addDefaultClientCertificateRule bool) Option
- func WithAuthenticateURL(authenticateURL string) Option
- func WithClientCA(clientCA []byte) Option
- func WithClientCRL(clientCRL []byte) Option
- func WithClientCertConstraints(constraints *ClientCertConstraints) Option
- func WithGoogleCloudServerlessAuthenticationServiceAccount(serviceAccount string) Option
- func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option
- func WithPolicies(policies []config.Policy) Option
- func WithSigningKey(signingKey []byte) Option
- type PolicyEvaluator
- type PolicyRequest
- type PolicyResponse
- type Request
- type RequestHTTP
- type RequestSession
- type Result
- type RuleResult
- type SANMatchers
Constants ¶
This section is empty.
Variables ¶
var (
	GCPIdentityTokenExpiration       = time.Minute * 45 // tokens expire after one hour according to the GCP docs
	GCPIdentityDocURL                = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
	GCPIdentityNow                   = time.Now
	GCPIdentityMaxBodySize     int64 = 1024 * 1024 * 10
)
GCP pre-defined values.
Functions ¶
This section is empty.
Types ¶
type ClientCertConstraints ¶ added in v0.23.0
type ClientCertConstraints struct {
	// MaxVerifyDepth is the maximum allowed certificate chain depth (not
	// counting the leaf certificate). A value of 0 indicates no maximum.
	MaxVerifyDepth uint32

	// SANMatchers is a map of SAN type to regex match expression. When
	// non-empty, a client certificate must contain at least one Subject
	// Alternative Name that matches one of the expressions.
	SANMatchers SANMatchers
}
ClientCertConstraints contains additional constraints to validate when verifying a client certificate.
func ClientCertConstraintsFromConfig ¶ added in v0.23.0
func ClientCertConstraintsFromConfig(
	cfg *config.DownstreamMTLSSettings,
) (*ClientCertConstraints, error)
ClientCertConstraintsFromConfig populates a new ClientCertConstraints struct based on the provided configuration.
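To make the two constraints above concrete, here is an added, self-contained Go example (not the package's own code) that applies a struct of the same shape to a presented chain: a maximum verify depth counted without the leaf, where 0 means unlimited, and a map of SAN type to regular expression of which at least one must match a Subject Alternative Name on the leaf. The names `Constraints`, `CheckDepth`, `CheckSANs`, `Evaluate` and `newTestLeaf`, the SAN type keys `dns`, `email`, `ip` and `uri`, and the assumption that every certificate after the leaf counts toward the depth are all this example's own; the certificate it checks is generated in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Constraints has the shape of ClientCertConstraints described above: a maximum
// chain depth (0 = no maximum) and a map of SAN type to a compiled regular
// expression. Type, method and key names are illustrative, not the package's own.
type Constraints struct {
	MaxVerifyDepth uint32
	SANMatchers    map[string]*regexp.Regexp // keys assumed here: "dns", "email", "ip", "uri"
}

// CheckDepth rejects a chain whose length, not counting the leaf, exceeds
// MaxVerifyDepth. Assumption: every certificate after the leaf counts, including
// a trust anchor if the verifier included it in the chain.
func (c *Constraints) CheckDepth(chain []*x509.Certificate) error {
	if c.MaxVerifyDepth == 0 || len(chain) == 0 {
		return nil
	}
	depth := uint32(len(chain) - 1)
	if depth > c.MaxVerifyDepth {
		return fmt.Errorf("certificate chain depth %d exceeds maximum %d", depth, c.MaxVerifyDepth)
	}
	return nil
}

// CheckSANs passes when no matchers are configured, or when at least one Subject
// Alternative Name of a configured type on the leaf matches that type's expression.
func (c *Constraints) CheckSANs(leaf *x509.Certificate) error {
	if len(c.SANMatchers) == 0 {
		return nil
	}
	sans := map[string][]string{"dns": leaf.DNSNames, "email": leaf.EmailAddresses}
	for _, ip := range leaf.IPAddresses {
		sans["ip"] = append(sans["ip"], ip.String())
	}
	for _, u := range leaf.URIs {
		sans["uri"] = append(sans["uri"], u.String())
	}
	for typ, re := range c.SANMatchers {
		for _, san := range sans[typ] {
			if re.MatchString(san) {
				return nil
			}
		}
	}
	return errors.New("no subject alternative name matched the configured constraints")
}

// Evaluate applies both constraints to a presented chain (leaf first).
func (c *Constraints) Evaluate(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("no client certificate presented")
	}
	if err := c.CheckDepth(chain); err != nil {
		return err
	}
	return c.CheckSANs(chain[0])
}

// newTestLeaf builds a throwaway self-signed client certificate carrying the given
// DNS and email SANs. Constructed for this example only; it is not a real identity.
func newTestLeaf(dns, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "example client"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		DNSNames:       dns,
		EmailAddresses: emails,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Two points the example makes that the field comments alone do not: `regexp.MatchString` matches substrings, so a matcher intended to pin a SAN to one domain should be anchored (`^...$`), and an empty matcher map accepts any SAN set, so the constraint only narrows the policy when it is actually configured. Chain verification against the CA and CRL is a separate step (handled by the `WithClientCA` and `WithClientCRL` options on this page) and is not reproduced here.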
type ClientCertificateInfo ¶ added in v0.23.0
type ClientCertificateInfo struct {
	// Presented is true if the client presented a certificate.
	Presented bool `json:"presented"`

	// Leaf contains the leaf client certificate (unvalidated).
	Leaf string `json:"leaf,omitempty"`

	// Intermediates contains the remainder of the client certificate chain as
	// it was originally presented by the client (unvalidated).
	Intermediates string `json:"intermediates,omitempty"`
}
ClientCertificateInfo contains information about the certificate presented by the client (if any).
type Evaluator ¶
type Evaluator struct {
// contains filtered or unexported fields
}
An Evaluator evaluates policies.
type HeadersEvaluator ¶ added in v0.15.0
type HeadersEvaluator struct {
// contains filtered or unexported fields
}
A HeadersEvaluator evaluates the headers.rego script.
func NewHeadersEvaluator ¶ added in v0.15.0
NewHeadersEvaluator creates a new HeadersEvaluator.
func (*HeadersEvaluator) Evaluate ¶ added in v0.15.0
func (e *HeadersEvaluator) Evaluate(ctx context.Context, req *HeadersRequest) (*HeadersResponse, error)
Evaluate evaluates the headers.rego script.
type HeadersRequest ¶ added in v0.15.0
type HeadersRequest struct {
	EnableGoogleCloudServerlessAuthentication bool                  `json:"enable_google_cloud_serverless_authentication"`
	EnableRoutingKey                          bool                  `json:"enable_routing_key"`
	Issuer                                    string                `json:"issuer"`
	KubernetesServiceAccountToken             string                `json:"kubernetes_service_account_token"`
	ToAudience                                string                `json:"to_audience"`
	Session                                   RequestSession        `json:"session"`
	ClientCertificate                         ClientCertificateInfo `json:"client_certificate"`
	SetRequestHeaders                         map[string]string     `json:"set_request_headers"`
}
HeadersRequest is the input to the headers.rego script.
func NewHeadersRequestFromPolicy ¶ added in v0.15.0
func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) *HeadersRequest
NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
type HeadersResponse ¶ added in v0.15.0
HeadersResponse is the output from the headers.rego script.
type Option ¶ added in v0.15.0
type Option func(*evaluatorConfig)
An Option customizes the evaluator config.
func WithAddDefaultClientCertificateRule ¶ added in v0.23.0
WithAddDefaultClientCertificateRule sets whether to add a default invalid_client_certificate deny rule to all policies.
func WithAuthenticateURL ¶ added in v0.15.0
WithAuthenticateURL sets the authenticate URL in the config.
func WithClientCA ¶ added in v0.15.0
WithClientCA sets the client CA in the config.
func WithClientCRL ¶ added in v0.23.0
WithClientCRL sets the client CRL in the config.
func WithClientCertConstraints ¶ added in v0.23.0
func WithClientCertConstraints(constraints *ClientCertConstraints) Option
WithClientCertConstraints sets additional client certificate constraints.
func WithGoogleCloudServerlessAuthenticationServiceAccount ¶ added in v0.15.0
WithGoogleCloudServerlessAuthenticationServiceAccount sets the google cloud serverless authentication service account in the config.
func WithJWTClaimsHeaders ¶ added in v0.15.0
func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option
WithJWTClaimsHeaders sets the JWT claims headers in the config.
func WithPolicies ¶ added in v0.15.0
WithPolicies sets the policies in the config.
func WithSigningKey ¶ added in v0.15.0
WithSigningKey sets the signing key and algorithm in the config.
type PolicyEvaluator ¶ added in v0.15.0
type PolicyEvaluator struct {
// contains filtered or unexported fields
}
A PolicyEvaluator evaluates policies.
func NewPolicyEvaluator ¶ added in v0.15.0
func NewPolicyEvaluator(
	ctx context.Context,
	store *store.Store,
	configPolicy *config.Policy,
	addDefaultClientCertificateRule bool,
) (*PolicyEvaluator, error)
NewPolicyEvaluator creates a new PolicyEvaluator.
func (*PolicyEvaluator) Evaluate ¶ added in v0.15.0
func (e *PolicyEvaluator) Evaluate(ctx context.Context, req *PolicyRequest) (*PolicyResponse, error)
Evaluate evaluates the policy rego scripts.
type PolicyRequest ¶ added in v0.15.0
type PolicyRequest struct {
	HTTP                     RequestHTTP    `json:"http"`
	Session                  RequestSession `json:"session"`
	IsValidClientCertificate bool           `json:"is_valid_client_certificate"`
}
PolicyRequest is the input to policy evaluation.
type PolicyResponse ¶ added in v0.15.0
type PolicyResponse struct {
Allow, Deny RuleResult
Traces []contextutil.PolicyEvaluationTrace
}
PolicyResponse is the result of evaluating a policy.
func NewPolicyResponse ¶ added in v0.15.6
func NewPolicyResponse() *PolicyResponse
NewPolicyResponse creates a new PolicyResponse.
type Request ¶
type Request struct {
	IsInternal bool
	Policy     *config.Policy
	HTTP       RequestHTTP
	Session    RequestSession
}
Request contains the inputs needed for evaluation.
type RequestHTTP ¶ added in v0.10.0
type RequestHTTP struct {
	Method            string                `json:"method"`
	Hostname          string                `json:"hostname"`
	Path              string                `json:"path"`
	URL               string                `json:"url"`
	Headers           map[string]string     `json:"headers"`
	ClientCertificate ClientCertificateInfo `json:"client_certificate"`
	IP                string                `json:"ip"`
}
RequestHTTP is the HTTP field in the request.
func NewRequestHTTP ¶ added in v0.16.0
func NewRequestHTTP(
	method string,
	requestURL url.URL,
	headers map[string]string,
	clientCertificate ClientCertificateInfo,
	ip string,
) RequestHTTP
NewRequestHTTP creates a new RequestHTTP.
type RequestSession ¶ added in v0.10.0
type RequestSession struct {
ID string `json:"id"`
}
RequestSession is the session field in the request.
type Result ¶ added in v0.10.0
type Result struct {
	Allow   RuleResult
	Deny    RuleResult
	Headers http.Header
	Traces  []contextutil.PolicyEvaluationTrace
}
Result is the result of evaluation.
type RuleResult ¶ added in v0.15.6
A RuleResult is the result of evaluating a rule.
func MergeRuleResultsWithOr ¶ added in v0.15.6
func MergeRuleResultsWithOr(results ...RuleResult) RuleResult
MergeRuleResultsWithOr merges all the results using `or`.
func NewRuleResult ¶ added in v0.15.6
func NewRuleResult(value bool, reasons ...criteria.Reason) RuleResult
NewRuleResult creates a new RuleResult.