Documentation
Overview
Package opa contains code for performing authorization checks using opa/rego.
Constants
const (
	// SansshellRegoPackage is the rego package used by all Sansshell policy files.
	// Any policy not using this package will be rejected.
	SansshellRegoPackage = "sansshell.authz"
	// DefaultAuthzQuery is the default query used for policy evaluation.
	DefaultAuthzQuery = "data.sansshell.authz.allow"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type AuthzPolicy
type AuthzPolicy struct {
// contains filtered or unexported fields
}
An AuthzPolicy performs policy checking by evaluating input against a sansshell rego policy file.
func NewAuthzPolicy
NewAuthzPolicy creates a new AuthzPolicy by parsing the policy given in the string `policy`. It returns an error if the policy cannot be parsed, or does not use SansshellRegoPackage in its package declaration.
func (*AuthzPolicy) DenialHints added in v1.19.2
func (q *AuthzPolicy) DenialHints(ctx context.Context, input interface{}) ([]string, error)
DenialHints evaluates this policy using the provided input, returning an array of strings with reasons for the denial. This is typically used after getting a rejection from Eval to give more hints on why the rejection happened. It is a no-op if opa.WithDenialHintsQuery was not used.
type Option
type Option interface {
// contains filtered or unexported methods
}
An Option controls the behavior of an AuthzPolicy.
func WithAllowQuery
WithAllowQuery returns an option to use `query` to evaluate the policy, instead of DefaultAuthzQuery. The supplied query should be a simple evaluation expression that creates no binding and evaluates to 'true' iff the input satisfies the conditions of the policy.
func WithDenialHintsQuery added in v1.19.2
WithDenialHintsQuery returns an option to use `query` to evaluate the policy when the AllowPolicy fails. The supplied query must be a simple evaluation expression that creates no binding and evaluates to an array of strings.
This can be used to give better error messages when Eval returns false. With a value like data.sansshell.authz.denial_hints, you can use a policy with rules like
denial_hints[msg] {
	not allow
	msg := "you need to be allowed"
}
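A complete policy that pairs the default allow query with a denial_hints query, as an added example and not a policy shipped with the package; the input field names (input.method, input.peer.principal.id), the method strings and the admin identity are assumptions made for illustration:

```rego
# The package must be sansshell.authz or NewAuthzPolicy rejects the policy.
package sansshell.authz

# Deny by default so a request matching no rule yields false, not undefined.
default allow = false

# Constructed set of RPC methods any authenticated peer may call.
read_only_methods := {
	"/HealthCheck.HealthCheck/Ok",
	"/LocalFile.LocalFile/Read",
}

# Assumed input shape: input.method is the full RPC name and
# input.peer.principal.id is the authenticated caller identity.
allow {
	read_only_methods[input.method]
	input.peer.principal.id != ""
}

# Everything else is limited to one explicitly named administrator.
allow {
	input.peer.principal.id == "admin@example.com"
}

# Each matching body adds one string; queried as
# data.sansshell.authz.denial_hints the set is returned as an array of strings,
# which is the shape WithDenialHintsQuery requires.
denial_hints[msg] {
	not allow
	input.peer.principal.id == ""
	msg := "the request carries no authenticated principal"
}

denial_hints[msg] {
	not allow
	input.peer.principal.id != ""
	not read_only_methods[input.method]
	msg := sprintf("method %q is not read-only and the caller is not an administrator", [input.method])
}
```

Because every denial_hints body starts with `not allow`, the hints query stays empty whenever the allow query is true, so DenialHints only reports reasons for an actual rejection.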