Documentation
Overview
Package parser contains a parser for Pomerium Policy Language.
The Pomerium Policy Language is a JSON or YAML document containing rules, actions, logical operators and criteria.
The document contains zero or more rules.
A rule has an action and zero or more logical operators.
An action is either "allow" or "deny".
The logical operators are "and", "or" and "not" and contain zero or more criteria.
A criterion has a name and arbitrary JSON data.
An example policy:
allow:
  and:
    - domain: example.com
    - group: admin
deny:
  or:
    - user: user1@example.com
    - user: user2@example.com
The JSON Schema for the language:
{
  "$ref": "#/definitions/policy",
  "definitions": {
    "policy": {
      "anyOf": [
        { "$ref": "#/definitions/rules" },
        { "type": "array", "items": { "$ref": "#/definitions/rules" } }
      ]
    },
    "rules": {
      "type": "object",
      "properties": {
        "allow": { "$ref": "#/definitions/rule_body" },
        "deny": { "$ref": "#/definitions/rule_body" }
      }
    },
    "rule_body": {
      "type": "object",
      "properties": {
        "and": { "type": "array", "items": { "$ref": "#/definitions/criteria" } },
        "not": { "type": "array", "items": { "$ref": "#/definitions/criteria" } },
        "or": { "type": "array", "items": { "$ref": "#/definitions/criteria" } }
      },
      "additionalProperties": false
    },
    "criteria": {
      "type": "object",
      "additionalProperties": true,
      "minProperties": 1,
      "maxProperties": 1
    }
  }
}
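To make the document shape concrete, here is an added standalone Go example (not the parser package's own code, and using none of its types) that decodes a JSON policy of this form and enforces the constraints the schema states: the top level is a rules object or an array of them, actions are "allow" or "deny", a rule body may only contain "and", "or" and "not", and every criterion object has exactly one key. The type names ParsedRule and ParsedCriterion and the sample document are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ParsedCriterion is one named check ("domain", "group", "user", ...) with the
// arbitrary JSON data attached to it, kept raw because the language does not
// constrain it.
type ParsedCriterion struct {
	Name string
	Data json.RawMessage
}

// ParsedRule pairs an action with its logical operators; each operator holds
// zero or more criteria.
type ParsedRule struct {
	Action string
	Ops    map[string][]ParsedCriterion
}

// rawRules mirrors the schema's "rules" definition:
// action -> rule_body (operator -> list of single-key criterion objects).
type rawRules map[string]map[string][]map[string]json.RawMessage

var validActions = map[string]bool{"allow": true, "deny": true}
var validOps = map[string]bool{"and": true, "or": true, "not": true}

// ParsePolicy decodes a JSON policy document that is either one rules object
// or an array of rules objects and validates it against the schema rules.
func ParsePolicy(doc []byte) ([]ParsedRule, error) {
	var list []rawRules
	if err := json.Unmarshal(doc, &list); err != nil {
		// Not an array: try the single rules-object form.
		var single rawRules
		if err := json.Unmarshal(doc, &single); err != nil {
			return nil, fmt.Errorf("policy must be a rules object or an array of rules objects: %w", err)
		}
		list = []rawRules{single}
	}
	var rules []ParsedRule
	for _, rr := range list {
		// Sort action keys so the resulting rule order is deterministic.
		actions := make([]string, 0, len(rr))
		for a := range rr {
			actions = append(actions, a)
		}
		sort.Strings(actions)
		for _, action := range actions {
			if !validActions[action] {
				return nil, fmt.Errorf("unknown action %q (want allow or deny)", action)
			}
			rule := ParsedRule{Action: action, Ops: map[string][]ParsedCriterion{}}
			for op, crits := range rr[action] {
				if !validOps[op] {
					// rule_body has additionalProperties: false
					return nil, fmt.Errorf("%s: unknown operator %q (want and, or, not)", action, op)
				}
				for _, c := range crits {
					// criteria: minProperties 1, maxProperties 1
					if len(c) != 1 {
						return nil, fmt.Errorf("%s.%s: criterion must have exactly one key, got %d", action, op, len(c))
					}
					for name, data := range c {
						rule.Ops[op] = append(rule.Ops[op], ParsedCriterion{Name: name, Data: data})
					}
				}
			}
			rules = append(rules, rule)
		}
	}
	return rules, nil
}

// examplePolicy is the page's YAML example expressed as JSON (constructed here).
const examplePolicy = `{
  "allow": {"and": [{"domain": "example.com"}, {"group": "admin"}]},
  "deny":  {"or":  [{"user": "user1@example.com"}, {"user": "user2@example.com"}]}
}`

func main() {
	rules, err := ParsePolicy([]byte(examplePolicy))
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		for op, cs := range r.Ops {
			for _, c := range cs {
				fmt.Printf("%s %s %s=%s\n", r.Action, op, c.Name, c.Data)
			}
		}
	}
}
```

Rejecting unknown operators and multi-key criteria at parse time matters for a policy language: a misspelled operator or a criterion object carrying two keys would otherwise be silently dropped or half-applied, and an allow rule that loses a condition becomes more permissive than its author intended.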
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Action
type Action string
An Action describes what to do when a rule matches, either "allow" or "deny".
func ActionFromValue
ActionFromValue converts a Value into an Action.
type Array
type Array []Value
An Array is a slice of values.
type Boolean
type Boolean bool
A Boolean is either true or false.
type Criterion
A Criterion is used by a rule to determine whether the rule matches.
Criteria RegoRulesGenerators are registered under the criterion's name; Data is the arbitrary JSON data passed to the generator.
func CriteriaFromArray
CriteriaFromArray converts an Array into Criteria. Each element of the Array is converted using CriterionFromObject.
func CriteriaFromValue
CriteriaFromValue converts a Value into Criteria. Only Arrays are supported.
func CriterionFromObject
CriterionFromObject converts an Object into a Criterion.
One form is supported:
- An object where the keys are the criterion names (optionally with a sub path) and the values are the corresponding data for each Criterion: `{ "groups": "group1" }`
func (*Criterion) MarshalJSON
MarshalJSON marshals the criterion as JSON.
type Null
type Null struct{}
A Null is the nil value.
type Number
type Number string
A Number is an integer or a floating point value stored in string representation.
func (Number) MarshalJSON
MarshalJSON marshals the number as JSON.
type Object
An Object is a map of strings to values.
func (Object) Falsy added in v0.15.6
Falsy returns true if the value is considered JavaScript falsy:
https://developer.mozilla.org/en-US/docs/Glossary/Falsy.
If the field is not found in the object it is *not* falsy.
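As an added illustration of that rule (example code, not the package's own Falsy implementation), the following standalone Go function applies the JavaScript falsy set from the linked glossary to a decoded JSON object. It works on map[string]any rather than the package's Object type (an assumption made for the example), and, like the documented method, treats a missing field as not falsy; the sample object is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// Falsy reports whether obj[field] would be falsy in JavaScript:
// false, 0 (including -0 and NaN), "" and null. A field that is absent is
// deliberately *not* falsy, matching the caveat in the Falsy documentation.
func Falsy(obj map[string]any, field string) bool {
	v, ok := obj[field]
	if !ok {
		return false
	}
	switch x := v.(type) {
	case nil: // JSON null
		return true
	case bool:
		return !x
	case float64: // encoding/json decodes every JSON number as float64
		return x == 0 || math.IsNaN(x)
	case string:
		return x == ""
	default:
		// Arrays and objects are always truthy in JavaScript, even when empty.
		return false
	}
}

// sampleObject is a constructed input covering each falsy kind plus the
// truthy-but-empty array and object cases.
const sampleObject = `{"active": false, "count": 0, "name": "", "role": null, "tags": [], "meta": {}}`

// decode parses a JSON object document into a generic map.
func decode(doc string) map[string]any {
	var m map[string]any
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		panic(err)
	}
	return m
}

func main() {
	obj := decode(sampleObject)
	for _, f := range []string{"active", "count", "name", "role", "tags", "meta", "missing"} {
		fmt.Printf("%-8s falsy=%v\n", f, Falsy(obj, f))
	}
}
```

The "missing is not falsy" rule is the part worth keeping in mind when writing criteria: a check that relies on an absent field being treated as false will not behave the way a JavaScript `!obj.field` test would.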
type Parser
type Parser struct{}
A Parser parses raw policy definitions into a Policy.
type Policy
type Policy struct {
Rules []Rule
}
A Policy is a policy made up of multiple allow or deny rules.
func PolicyFromValue
PolicyFromValue converts a value into a Policy.
func (*Policy) AddDefaultClientCertificateRule added in v0.23.0
func (p *Policy) AddDefaultClientCertificateRule()
AddDefaultClientCertificateRule adds a deny rule to the policy with the criterion invalid_client_certificate.
func (*Policy) MarshalJSON
MarshalJSON marshals the policy as JSON.
type Rule
A Rule is a policy rule with a corresponding action ("allow" or "deny"), and conditionals to determine if the rule matches or not.
func RulesFromArray
RulesFromArray converts an Array into a slice of Rules. Each element of the Array is converted using RulesFromObject and merged together.
func RulesFromObject
RulesFromObject converts an Object into a slice of Rules.
One form is supported:
- An object where the keys are the actions and the values are an object with "and", "or", or "not" fields: `{ "allow": { "and": [ {"groups": "group1"} ] } }`
func RulesFromValue
RulesFromValue converts a Value into a slice of Rules. Only Arrays or Objects are supported.
func (*Rule) MarshalJSON
MarshalJSON marshals the rule as JSON.