opa

package
v1.40.1
Published: Jan 15, 2025 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package opa contains code for performing authorization checks using opa/rego.

Constants

const (
	// SansshellRegoPackage is the rego package used by all Sansshell policy files.
	// Any policy not using this package will be rejected.
	SansshellRegoPackage = "sansshell.authz"

	// DefaultAuthzQuery is the default query used for policy evaluation.
	DefaultAuthzQuery = "data.sansshell.authz.allow"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthzPolicy

type AuthzPolicy struct {
	// contains filtered or unexported fields
}

An AuthzPolicy performs policy checking by evaluating input against a sansshell rego policy file.

func NewAuthzPolicy

func NewAuthzPolicy(ctx context.Context, policy string, opts ...Option) (*AuthzPolicy, error)

NewAuthzPolicy creates a new AuthzPolicy by parsing the policy given in the string `policy`. It returns an error if the policy cannot be parsed, or does not use SansshellRegoPackage in its package declaration.

func (*AuthzPolicy) DenialHints added in v1.19.2

func (q *AuthzPolicy) DenialHints(ctx context.Context, input interface{}) ([]string, error)

DenialHints evaluates this policy using the provided input, returning an array of strings with reasons for the denial. This is typically used after getting a rejection from Eval to give more hints on why the rejection happened. It is a no-op if opa.WithDenialHintsQuery was not used.

func (*AuthzPolicy) Eval

func (q *AuthzPolicy) Eval(ctx context.Context, input interface{}) (bool, error)

Eval evaluates this policy using the provided input, returning 'true' iff the evaluation was successful and the operation represented by `input` is permitted by the policy.

type Option

type Option interface {
	// contains filtered or unexported methods
}

An Option controls the behavior of an AuthzPolicy.

func WithAllowQuery

func WithAllowQuery(query string) Option

WithAllowQuery returns an option to use `query` to evaluate the policy, instead of DefaultAuthzQuery. The supplied query should be a simple evaluation expression that creates no bindings and evaluates to 'true' iff the input satisfies the conditions of the policy.

func WithDenialHintsQuery added in v1.19.2

func WithDenialHintsQuery(query string) Option

WithDenialHintsQuery returns an option to use `query` to evaluate the policy when the AllowPolicy fails. The supplied query must be a simple evaluation expression that creates no binding and evaluates to an array of strings.

This can be used to give better error messages when Eval returns false. With a value like data.sansshell.authz.denial_hints, you can use a policy with rules like

denial_hints[msg] {
  not allow
  msg := "you need to be allowed"
}
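NewAuthzPolicy's documentation says a policy whose package declaration is not SansshellRegoPackage is rejected, and the denial_hints rule above shows the shape of a policy a caller passes in. The following is an added, self-contained illustration of that package check, written for this page and not code from the sansshell opa package itself: it embeds a constructed policy using the rule above, extracts the `package` clause the way a caller might pre-validate policy text before handing it to NewAuthzPolicy, and rejects any other package. The helper names (regoPackage, checkPackage) and the two error values are assumptions introduced here.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// SansshellRegoPackage mirrors the constant documented by the opa package:
// every policy must declare this package or it is rejected.
const SansshellRegoPackage = "sansshell.authz"

// Hypothetical error values for this illustration (not part of the library).
var (
	ErrNoPackage    = errors.New("policy has no package declaration")
	ErrWrongPackage = errors.New("policy does not declare package " + SansshellRegoPackage)
)

// Constructed sample policies for the illustration.
const goodPolicy = `# constructed example policy
package sansshell.authz

default allow = false

denial_hints[msg] {
  not allow
  msg := "you need to be allowed"
}
`

const wrongPackagePolicy = `package example.authz

default allow = true
`

// regoPackage returns the package named by the first non-blank, non-comment
// line of a rego source. Rego requires the package clause to come first, so
// anything else in that position means the declaration is missing.
func regoPackage(policy string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(policy))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		// Strip a trailing `# comment`; a package line carries no string literals.
		if i := strings.Index(line, "#"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || fields[0] != "package" {
			return "", ErrNoPackage
		}
		return fields[1], nil
	}
	return "", ErrNoPackage
}

// checkPackage accepts policy text only when it declares SansshellRegoPackage,
// the precondition NewAuthzPolicy's documentation describes.
func checkPackage(policy string) error {
	pkg, err := regoPackage(policy)
	if err != nil {
		return err
	}
	if pkg != SansshellRegoPackage {
		return fmt.Errorf("%w: got %q", ErrWrongPackage, pkg)
	}
	return nil
}

func main() {
	for name, p := range map[string]string{"good": goodPolicy, "wrong": wrongPackagePolicy} {
		fmt.Printf("%s: %v\n", name, checkPackage(p))
	}
}
```

Rejecting mis-scoped policies up front matters because DefaultAuthzQuery is `data.sansshell.authz.allow`: a policy in another package would never be consulted by that query, so a misconfiguration would surface as a silent deny rather than a clear load-time error.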

Directories

Path	Synopsis
proxiedidentity	Package proxiedidentity provides a way to pass the identity of an end user through the SansShell proxy.
rpcauth	Package rpcauth provides OPA policy authorization for Sansshell RPCs.
