policy

package
Published: Nov 9, 2024 License: MIT Imports: 15 Imported by: 0


Constants

// PackageForwardAuth is the rego package name under which every policy that
// handles forward-authentication for a supported reverse proxy is grouped.
// Keep this in sync with the `package` clause of those policies; a policy
// written under a different package name is simply not consulted.
const PackageForwardAuth = "cisidm.forward_auth"

A list of common package names.

Variables

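// Sentinel errors returned by policy queries. Compare them with errors.Is;
// never match on the message text, which is free to change.
var (
	// ErrNoResults signals that a query produced no result at all.
	ErrNoResults = errors.New("query returned no results")

	// ErrToManyResults signals that a query produced more than one result.
	// The identifier keeps its historical spelling so existing callers keep
	// compiling; only the message text was corrected ("to" -> "too").
	ErrToManyResults = errors.New("query returned too many results")

	// ErrInvalidResultType signals that a query result could not be used as
	// the type the caller asked for.
	ErrInvalidResultType = errors.New("query returned an invalid result type")
)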

Functions

This section is empty.

Types

type Engine

// Engine evaluates rego policies. Policies come from the paths given to
// NewEngine and from any WithRawPolicy options; queries are run through
// Query and QueryOne. All fields are unexported, so an Engine can only be
// obtained from NewEngine — the zero value is not usable.
type Engine struct {
	// contains filtered or unexported fields
}

func NewEngine

// NewEngine builds an Engine from the policies found at paths and applies
// opts. An error is returned when the policies cannot be loaded or compiled.
//
// NOTE(review): paths are presumably files or directories on disk — confirm.
// Whatever they are, their content *is* the authorization logic, so the
// locations must not be writable by anything other than the deployment
// itself (same care as for the service's private keys).
func NewEngine(ctx context.Context, paths []string, opts ...EngineOption) (*Engine, error)

func (*Engine) Query

// Query evaluates query against the loaded policies and returns the raw
// rego.ResultSet. input is presumably bound to the rego `input` document
// (see SubjectInput for the input.subject part) — confirm.
//
// The caller must inspect the result set itself; an empty set means the
// policy produced no decision and should be treated as a deny by callers
// making access decisions. QueryOne is the single-result convenience form.
func (engine *Engine) Query(
	ctx context.Context,
	query string,
	input any,
) (rego.ResultSet, error)

func (*Engine) QueryOne

// QueryOne evaluates query like Query but expects exactly one result and
// decodes it into target.
//
// NOTE(review): the package sentinels ErrNoResults, ErrToManyResults and
// ErrInvalidResultType look like this method's failure modes — confirm. Check
// them with errors.Is, and treat every non-nil error (not just the sentinels)
// as "no decision", i.e. deny; never fall through to an allow on error.
func (engine *Engine) QueryOne(
	ctx context.Context,
	query string,
	input any,
	target any,
) error

type EngineOption

// EngineOption configures an Engine at construction time (see NewEngine).
// The option struct it mutates is unexported, so options can only be created
// with the With* helpers of this package.
type EngineOption func(*option)

func WithDebug

// WithDebug enables the engine's debug mode.
//
// NOTE(review): what debug mode emits is not visible here. If it logs policy
// input, that includes the full SubjectInput (user IDs, email, custom fields)
// and query results — confirm before enabling it outside development.
func WithDebug() EngineOption

func WithRawPolicy

// WithRawPolicy registers an in-memory policy in addition to those loaded
// from NewEngine's paths. content is the rego source and path is the name the
// policy is registered under (presumably used for error messages and to
// distinguish it from on-disk policies — confirm).
//
// NOTE(review): content becomes part of the authorization logic. It must come
// from the deployment (embedded defaults, trusted configuration), never from
// request data or other untrusted input.
func WithRawPolicy(path, content string) EngineOption

type Store

// Store is the read-only persistence view NewSubjectInput uses to assemble a
// SubjectInput. Every lookup takes a single identifier string; which kind of
// identifier is meant (user, token or role ID) is stated on each method.
type Store interface {
	// GetUserByID loads the user record for the given user ID.
	GetUserByID(context.Context, string) (repo.User, error)

	// GetRolesForUser lists the roles assigned to the given user ID.
	GetRolesForUser(context.Context, string) ([]repo.Role, error)

	// GetRolesForToken lists the roles attached to the given token ID.
	// NOTE(review): this implies an access token can carry a role set of its
	// own; how (or whether) it is merged with the user's roles is not visible
	// here — confirm before relying on either set alone in a policy.
	GetRolesForToken(context.Context, string) ([]repo.Role, error)

	// GetRolePermissions lists the permission strings granted by the given
	// role ID.
	GetRolePermissions(context.Context, string) ([]string, error)

	// GetPrimaryEmailForUserByID returns the primary email record of the
	// given user ID.
	GetPrimaryEmailForUserByID(context.Context, string) (repo.UserEmail, error)
}

type SubjectInput

// SubjectInput is the document rego policies see as input.subject. It
// describes the user (and the access token) performing the request and is
// assembled by NewSubjectInput. The struct tags are the exact key names a
// policy must use (e.g. input.subject.token_kind, input.subject.display_name).
type SubjectInput struct {
	// ID is the unique identifier of the user. This is the stable handle a
	// policy should use when it needs to refer to a particular user.
	ID string `mapstructure:"id" json:"id"`

	// Username is the name of the user.
	// SECURITY: if cisidm is configured to allow username changes, matching
	// on the username in rego policies is a huge security risk — presumably
	// because a name a policy grants access to can later be taken by a
	// different account. Match on ID instead.
	Username string `mapstructure:"username" json:"username"`

	// Roles is a list of roles assigned to the user. Note that the permissions
	// assigned to each role are not exposed to rego policies. Use the Permissions
	// field below which contains a set of resolved permissions from all user roles.
	Roles []repo.Role `mapstructure:"roles" json:"roles"`

	// Permissions holds the resolved set of permissions this user has based on all
	// assigned roles. Prefer checking a permission here over checking role
	// membership in Roles, so that role changes do not require policy changes.
	Permissions []string `mapstructure:"permissions" json:"permissions"`

	// Fields hold the additional user fields as specified in the configuration.
	// Values are untyped (any); a policy must check the type before comparing.
	// NOTE(review): which of these fields a user may edit themselves is not
	// visible here — treat them with the same caution as Username unless
	// confirmed otherwise.
	Fields map[string]any `mapstructure:"fields" json:"fields"`

	// Email holds the primary email address of the user (presumably the value
	// of Store.GetPrimaryEmailForUserByID — confirm).
	Email string `mapstructure:"email" json:"email"`

	// DisplayName holds the display name of the user. Like Username this is
	// presentation data, not an identity; do not make access decisions on it.
	DisplayName string `mapstructure:"display_name" json:"display_name"`

	// TokenKind reports how the access token used to perform the request was
	// obtained. Valid values are "password", "mfa" and "webauthn". Policies
	// guarding sensitive operations can use it to require a second factor,
	// e.g. by allowing only "mfa" or "webauthn".
	TokenKind jwt.LoginKind `mapstructure:"token_kind" json:"token_kind"`
}

SubjectInput defines the input for rego policies under the `input.subject` path. It is populated from the user — and the access token — performing the operation (see NewSubjectInput).

func NewSubjectInput

// NewSubjectInput assembles the input.subject document for the user userID.
// ds supplies the user, role, permission and email lookups (see Store) and
// permissionResolver presumably flattens the user's roles into
// SubjectInput.Permissions — confirm. tokenKind and tokenID describe the
// access token that authenticated the request; tokenKind presumably ends up
// in SubjectInput.TokenKind and tokenID is presumably passed to
// Store.GetRolesForToken — confirm against the implementation.
//
// Any error must be treated as "subject unknown": callers should deny rather
// than evaluate a policy against a partially populated SubjectInput.
func NewSubjectInput(ctx context.Context, ds Store, permissionResolver permission.Resolver, userID string, tokenKind jwt.LoginKind, tokenID string) (*SubjectInput, error)
