Replace regex with rego to implement authorization #42
Assignees
Labels
enhancement
New feature or request
Comments
|
I've was testing this (OPA as a Go library) a while ago together with nginx, you can find that code here: https://github.com/simongottschlag/opa-nginx-authz/tree/main/opa-nginx-external-auth |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently the authorization is implemented with the help of regex. A set of regex rules are constructed for each possible org, project, and repo. They are then run for each request to validate that the token is allowed for the requested path. Relevant code can be found here.
https://github.com/XenitAB/git-auth-proxy/blob/main/pkg/auth/auth.go
Regex is not a great tool for path validation, a better option may instead be to use Rego as it is a purpose built tool. All of the regex would be replaced by a single Rego policy which should be executed for each request.
Here is an example how the Rego could be written to validate the HTTP requests.
https://www.openpolicyagent.org/docs/latest/http-api-authorization/
Here is the documentation for how to execute Rego from Go.
https://www.openpolicyagent.org/docs/latest/integration/#integrating-with-the-go-api
The text was updated successfully, but these errors were encountered: