policy

package
v0.3.0
Published: Jun 11, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package policy provides VORTEX's authorization policy engine (build plan M3.4): it embeds the Open Policy Agent (OPA) Rego evaluator so operators can express request-authorization rules as .rego policies, hot-reloaded without a restart. When no policy is supplied the engine falls back to a built-in allow-all policy, so policy enforcement is opt-in and never blocks a fresh install.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewMiddleware

func NewMiddleware(engine *Engine) func(http.Handler) http.Handler

NewMiddleware returns an HTTP middleware that evaluates engine's policy on every request. On allow it calls the next handler; on deny it returns 403; on an evaluation error it returns 500. Both error responses carry a JSON body.

func RouteNameFromContext

func RouteNameFromContext(ctx context.Context) string

RouteNameFromContext returns the route name stored by SetRouteName, or "" if none was set.

func SetRouteName

func SetRouteName(ctx context.Context, name string) context.Context

SetRouteName returns a copy of ctx carrying the matched route name, so the policy middleware can expose it to Rego policies as input.route.
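The request flow NewMiddleware describes (allow passes to the next handler, deny answers 403, an evaluation error answers 500, both with a JSON body) together with the route-name context helpers, as an added stand-alone example; this is not code from the VORTEX policy package. It assumes an Evaluator interface with the same signature as Engine.Eval, so a constructed stand-in policy can replace the compiled Rego query and the example runs without OPA. Only input.route is documented by the package; the method and path fields of the input document, the JSON error texts and demoPolicy's behaviour are assumptions made here.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Evaluator is the one method the middleware needs from the policy engine; the
// package's *Engine.Eval has this signature. Using an interface here (an
// assumption for the stand-alone example) lets the demo run without OPA.
type Evaluator interface {
	Eval(ctx context.Context, input map[string]any) (bool, error)
}

// EvalFunc adapts a plain function to Evaluator for the demo.
type EvalFunc func(ctx context.Context, input map[string]any) (bool, error)

func (f EvalFunc) Eval(ctx context.Context, in map[string]any) (bool, error) { return f(ctx, in) }

// routeKey is an unexported context key, so code outside this package cannot
// overwrite the route name the router stored.
type routeKey struct{}

func SetRouteName(ctx context.Context, name string) context.Context {
	return context.WithValue(ctx, routeKey{}, name)
}

func RouteNameFromContext(ctx context.Context) string {
	name, _ := ctx.Value(routeKey{}).(string)
	return name
}

// buildInput assembles the document a Rego policy sees as `input`. Only
// input.route is documented by the package; method and path are assumptions.
func buildInput(r *http.Request) map[string]any {
	return map[string]any{
		"method": r.Method,
		"path":   r.URL.Path,
		"route":  RouteNameFromContext(r.Context()),
	}
}

// NewMiddleware evaluates the policy on every request: allow -> next handler,
// deny -> 403, evaluation error -> 500. Both error responses carry a JSON body.
func NewMiddleware(engine Evaluator) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			allowed, err := engine.Eval(r.Context(), buildInput(r))
			if err != nil {
				writeJSONError(w, http.StatusInternalServerError, "policy evaluation failed")
				return
			}
			if !allowed {
				writeJSONError(w, http.StatusForbidden, "forbidden by policy")
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

func writeJSONError(w http.ResponseWriter, status int, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]string{"error": msg})
}

// demoPolicy is a constructed stand-in for a compiled Rego query: it allows the
// health route, denies every other named route, and fails evaluation (fail
// closed) when the router never tagged the request with a route name.
func demoPolicy(_ context.Context, in map[string]any) (bool, error) {
	switch in["route"] {
	case "":
		return false, fmt.Errorf("request reached policy without a route name")
	case "health":
		return true, nil
	}
	return false, nil
}

// serve sends one request through the middleware, tagging it with route the way
// a router would (an empty route means the router did not), and returns the status.
func serve(route, path string) int {
	handler := NewMiddleware(EvalFunc(demoPolicy))(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if route != "" {
		req = req.WithContext(SetRouteName(req.Context(), route))
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(serve("health", "/healthz"), serve("admin", "/admin"), serve("", "/x"))
}
```

Running main prints `200 403 500`. Two points the ordering makes visible: the router must call SetRouteName before the policy middleware runs, or every policy that keys on input.route sees an empty string; and an evaluation error is reported as 500 rather than being treated as allow, so a misconfigured policy fails closed. With the package's default QueryPath of "data.vortex.allow", the Rego side of this exchange is an `allow` rule in `package vortex` that inspects `input.route`.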

Types

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

Engine evaluates Rego authorization policies. It is safe for concurrent use: Eval takes a read lock and Reload swaps the compiled query under a write lock, so evaluations never observe a half-built policy.

func NewEngine

func NewEngine(cfg EngineConfig) (*Engine, error)

NewEngine builds an Engine, loading every .rego file under cfg.PolicyDir (and any JSON data under cfg.DataDir). If no policy files are found it compiles the built-in allow-all policy. A policy that fails to compile is a fatal error.

func (*Engine) DefaultPolicy

func (e *Engine) DefaultPolicy() string

DefaultPolicy returns the built-in allow-all policy text, useful for scaffolding a starter policy file.

func (*Engine) Eval

func (e *Engine) Eval(ctx context.Context, input map[string]any) (allowed bool, err error)

Eval evaluates the policy query against input and reports whether the request is allowed. The decision is truthy: an explicit boolean true (or any non-false defined result) allows; false or an undefined/empty result denies. It returns an error only when evaluation itself fails, and never panics.

func (*Engine) Reload

func (e *Engine) Reload(ctx context.Context) error

Reload re-reads the policy directory and recompiles. On success it atomically swaps in the new query; on failure it returns the error and leaves the previously compiled policy in place, so a bad edit cannot take down enforcement.

func (*Engine) UsingDefault

func (e *Engine) UsingDefault() bool

UsingDefault reports whether the built-in allow-all policy is currently in effect (i.e. no operator .rego files were loaded).
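A stand-alone model of the Engine semantics documented above, added here as an example and not the package's own code: Eval holds a read lock, Reload compiles first and then swaps the query under a write lock, the decision follows the truthy rule (any defined non-false value allows, false or undefined denies), a reload that fails leaves the previous policy in force, and UsingDefault tells an operator whether the allow-all fallback is what is actually enforcing. The `compiled` function type stands in for an OPA-compiled Rego query and the `load` function for reading EngineConfig.PolicyDir; both are assumptions of this model, and the policies in scenario are constructed, so it runs without OPA.

```go
package main

import (
	"context"
	"errors"
	"sync"
)

// compiled stands in for a compiled Rego query: it yields the query's value and
// whether that value is defined (OPA distinguishes an undefined result from an
// explicit false). The type and the loader below are assumptions of this model.
type compiled func(input map[string]any) (value any, defined bool)

// allowAll models the built-in fallback used when no .rego files are found.
func allowAll(map[string]any) (any, bool) { return true, true }

// Engine models the documented locking: Eval holds a read lock while Reload swaps
// the query under a write lock, so no evaluation observes a half-built policy.
type Engine struct {
	mu        sync.RWMutex
	query     compiled
	isDefault bool
	load      func() (compiled, error) // stands in for PolicyDir: (nil, nil) = no files
}

func NewEngine(load func() (compiled, error)) (*Engine, error) {
	e := &Engine{load: load}
	if err := e.Reload(context.Background()); err != nil {
		return nil, err // a policy that fails to compile at startup is fatal
	}
	return e, nil
}

// decide applies the truthy rule: any defined, non-false value allows;
// false or an undefined result denies.
func decide(value any, defined bool) bool {
	b, isBool := value.(bool)
	return defined && (!isBool || b)
}

// Eval decides under a read lock; in this model the query itself cannot fail.
func (e *Engine) Eval(ctx context.Context, input map[string]any) (allowed bool, err error) {
	e.mu.RLock()
	defer e.mu.RUnlock()
	return decide(e.query(input)), nil
}

// Reload compiles outside the lock so in-flight evaluations are never stalled;
// on failure it returns the error and the previous policy stays in force.
func (e *Engine) Reload(ctx context.Context) error {
	q, err := e.load()
	if err != nil {
		return err
	}
	e.mu.Lock()
	defer e.mu.Unlock()
	e.query, e.isDefault = q, false
	if q == nil {
		e.query, e.isDefault = allowAll, true
	}
	return nil
}

func (e *Engine) UsingDefault() bool {
	e.mu.RLock()
	defer e.mu.RUnlock()
	return e.isDefault
}

// scenario drives the engine through its documented states with constructed
// policies (allow-all, an operator policy, a failed reload) and returns the
// "admin" decision after each step, the final "health" decision, whether the
// default was in effect at start, and the error from the failed reload.
func scenario() (admin [3]bool, health, defaultAtStart bool, reloadErr error) {
	var current compiled // nil: no .rego files present
	var compileErr error // non-nil: the current policy fails to compile
	e, err := NewEngine(func() (compiled, error) { return current, compileErr })
	if err != nil {
		panic(err)
	}
	ctx, adminIn := context.Background(), map[string]any{"route": "admin"}
	defaultAtStart = e.UsingDefault()
	admin[0], _ = e.Eval(ctx, adminIn) // allow-all: true
	// Operator policy: allow only the health route; anything else is undefined.
	current = func(in map[string]any) (any, bool) { return true, in["route"] == "health" }
	if err := e.Reload(ctx); err != nil {
		panic(err)
	}
	admin[1], _ = e.Eval(ctx, adminIn) // undefined: denied
	// A bad edit fails to compile: Reload reports it and health-only stays in force.
	compileErr = errors.New("rego compile error (constructed)")
	reloadErr = e.Reload(ctx)
	admin[2], _ = e.Eval(ctx, adminIn)
	health, _ = e.Eval(ctx, map[string]any{"route": "health"})
	return admin, health, defaultAtStart, reloadErr
}
```

Calling scenario() from a main or a test yields admin decisions of true, false, false, health still true after the failed reload, defaultAtStart true and a non-nil reload error. The point for an operator is the last two: a reload failure must be surfaced (logged or alerted on) because enforcement silently continues on the old policy, and UsingDefault is the check to run at startup in production, since an empty or mistyped PolicyDir leaves the allow-all fallback in effect without any error.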

type EngineConfig

type EngineConfig struct {
	PolicyDir string // directory of .rego files; empty → built-in allow-all
	DataDir   string // optional directory of JSON data files
	QueryPath string // query to evaluate; default "data.vortex.allow"
}

EngineConfig configures an Engine.
