Documentation
Overview
Package celtransformer is an implementation of upstream-to-downstream identity transformations and policies using CEL scripts.
The CEL language is documented in https://github.com/google/cel-spec/blob/master/doc/langdef.md with optional extensions documented in https://github.com/google/cel-go/tree/master/ext.
Constants
const (
	DefaultPolicyRejectedAuthMessage = "authentication was rejected by a configured policy"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type AllowAuthenticationPolicy
AllowAuthenticationPolicy is a CEL expression that can allow the authentication to proceed by returning true. It implements CELTransformation. When the CEL expression returns false, the authentication is rejected and the RejectedAuthenticationMessage is used. When RejectedAuthenticationMessage is empty, a default message will be used for rejected authentications.
type CELTransformation
type CELTransformation interface {
	// contains filtered or unexported methods
}
CELTransformation can be compiled into an IdentityTransformation.
type CELTransformationSource
type CELTransformationSource struct {
	Expr   CELTransformation
	Consts *TransformationConstants
}
type CELTransformer
type CELTransformer struct {
	// contains filtered or unexported fields
}
CELTransformer can compile any number of transformation expression pipelines. Each compiled pipeline can be cached in memory for later thread-safe evaluation.
func NewCELTransformer
func NewCELTransformer(maxExpressionRuntime time.Duration) (*CELTransformer, error)
NewCELTransformer returns a CELTransformer. A running process should only need one instance of a CELTransformer.
func (*CELTransformer) CompileTransformation
func (c *CELTransformer) CompileTransformation(t CELTransformation, consts *TransformationConstants) (idtransform.IdentityTransformation, error)
CompileTransformation compiles a CEL-based identity transformation expression. The compiled transform can be cached in memory and executed repeatedly and in a thread-safe way. The caller must not modify the consts param struct after calling this function to allow the returned IdentityTransformation to use it as a thread-safe read-only structure.
type GroupsTransformation
type GroupsTransformation struct {
	Expression string
}
GroupsTransformation is a CEL expression that can transform a list of group names (or leave it unchanged). It implements CELTransformation.
type TransformationConstants
type TransformationConstants struct {
	// A map of variable names to their string values. If a key "x" has value "123", then it will be available
	// to CEL expressions as the variable `strConst.x` with value `"123"`.
	StringConstants map[string]string

	// A map of variable names to their string list values. If a key "x" has value []string{"123","456"},
	// then it will be available to CEL expressions as the variable `strListConst.x` with value `["123","456"]`.
	StringListConstants map[string][]string
}
TransformationConstants can be used to make more variables available to compiled CEL expressions for convenience.
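CompileTransformation requires that the caller not modify consts after the call, because the returned transformation keeps reading that struct. The following added example (not this package's own code) shows what goes wrong when a policy's allow-list is edited after compilation, next to a deep-copy guard. Assumptions: the struct is a local mirror of the documented one, a Go closure stands in for a compiled CEL policy, and `snapshot`, `compileAllowPolicy`, `decisions` and the key `allowedGroups` are hypothetical names.

```go
package main

import "fmt"

// Local mirror of the documented struct; the real type is not imported here.
type TransformationConstants struct {
	StringConstants     map[string]string
	StringListConstants map[string][]string
}

// snapshot (hypothetical helper) deep-copies both maps and every list.
func snapshot(c *TransformationConstants) *TransformationConstants {
	out := &TransformationConstants{
		StringConstants:     make(map[string]string, len(c.StringConstants)),
		StringListConstants: make(map[string][]string, len(c.StringListConstants)),
	}
	for k, v := range c.StringConstants {
		out.StringConstants[k] = v
	}
	for k, v := range c.StringListConstants {
		out.StringListConstants[k] = append([]string(nil), v...)
	}
	return out
}

// compileAllowPolicy (hypothetical stand-in, not CompileTransformation) keeps the
// consts pointer and allows a login when any group is in strListConst.allowedGroups.
func compileAllowPolicy(consts *TransformationConstants) func(groups []string) bool {
	return func(groups []string) bool {
		for _, g := range groups {
			for _, allowed := range consts.StringListConstants["allowedGroups"] {
				if g == allowed {
					return true
				}
			}
		}
		return false
	}
}

// decisions edits the caller's struct after "compiling" both policies (constructed data).
func decisions() (shared, isolated bool) {
	cfg := &TransformationConstants{StringListConstants: map[string][]string{"allowedGroups": {"admins"}}}
	sharedPolicy, isolatedPolicy := compileAllowPolicy(cfg), compileAllowPolicy(snapshot(cfg))
	cfg.StringListConstants["allowedGroups"] = []string{"admins", "contractors"}
	return sharedPolicy([]string{"contractors"}), isolatedPolicy([]string{"contractors"})
}

func main() { fmt.Println(decisions()) }
```

The example is single-goroutine; with concurrent evaluation the same post-compile edit is also an unsynchronized map write racing with reads.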
type UsernameTransformation
type UsernameTransformation struct {
	Expression string
}
UsernameTransformation is a CEL expression that can transform a username (or leave it unchanged). It implements CELTransformation.