opa

Documentation

Overview

Package opa contains code for performing authorization checks using opa/rego.

Index

• Constants
• type AuthzPolicy
  • func NewAuthzPolicy(ctx context.Context, policy string, opts ...Option) (*AuthzPolicy, error)
  • func (q *AuthzPolicy) Eval(ctx context.Context, input interface{}) (bool, error)
• type Option
  • func WithAllowQuery(query string) Option

Constants

const (
	// SansshellRegoPackage is the rego package used by all Sansshell policy files.
	// Any policy not using this package will be rejected.
	SansshellRegoPackage = "sansshell.authz"

	// DefaultAuthzQuery is the default query used for policy evaluation.
	DefaultAuthzQuery = "data.sansshell.authz.allow"
)

Types

type AuthzPolicy

type AuthzPolicy struct {
	// contains filtered or unexported fields
}

An AuthzPolicy performs policy checking by evaluating input against a sansshell rego policy file.

func NewAuthzPolicy

func NewAuthzPolicy(ctx context.Context, policy string, opts ...Option) (*AuthzPolicy, error)

NewAuthzPolicy creates a new AuthzPolicy by parsing the policy given in the string `policy`. It returns an error if the policy cannot be parsed, or does not use SansshellRegoPackage in its package declaration.

func (*AuthzPolicy) Eval

func (q *AuthzPolicy) Eval(ctx context.Context, input interface{}) (bool, error)

Eval evaluates this policy using the provided input, returning 'true' iff the evaulation was successful, and the operation represented by `input` is permitted by the policy.

type Option

type Option interface {
	// contains filtered or unexported methods
}

An Option controls the behavior of an AuthzPolicy

func WithAllowQuery

func WithAllowQuery(query string) Option

WithAllowQuery returns an option to use `query` to evaulate the policy, instead of DefaultAuthzQuery. The supplied query should be simple evaluation expressions that creates no binding, and evaluates to 'true' iff the input satisfies the conditions of the policy.