-
Notifications
You must be signed in to change notification settings - Fork 279
/
claims.go
68 lines (59 loc) · 1.59 KB
/
claims.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
package criteria
import (
"github.com/open-policy-agent/opa/ast"
"github.com/pomerium/pomerium/pkg/policy/generator"
"github.com/pomerium/pomerium/pkg/policy/parser"
"github.com/pomerium/pomerium/pkg/policy/rules"
)
var claimsBody = ast.Body{
ast.MustParseExpr(`
session := get_session(input.session.id)
`),
ast.MustParseExpr(`
session_claims := object.get(session, "claims", {})
`),
ast.MustParseExpr(`
user := get_user(session)
`),
ast.MustParseExpr(`
user_claims := object.get(user, "claims", {})
`),
ast.MustParseExpr(`
all_claims := object.union(session_claims, user_claims)
`),
ast.MustParseExpr(`
values := object_get(all_claims, rule_path, [])
`),
ast.MustParseExpr(`
rule_data == values[_]
`),
}
type claimsCriterion struct {
g *Generator
}
func (claimsCriterion) DataType() CriterionDataType {
return generator.CriterionDataTypeUnknown
}
func (claimsCriterion) Name() string {
return "claim"
}
func (c claimsCriterion) GenerateRule(subPath string, data parser.Value) (*ast.Rule, []*ast.Rule, error) {
rule := NewCriterionSessionRule(c.g, c.Name(),
ReasonClaimOK, ReasonClaimUnauthorized,
append(ast.Body{
ast.Assign.Expr(ast.VarTerm("rule_data"), ast.NewTerm(data.RegoValue())),
ast.Assign.Expr(ast.VarTerm("rule_path"), ast.NewTerm(ast.MustInterfaceToValue(subPath))),
}, claimsBody...))
return rule, []*ast.Rule{
rules.GetSession(),
rules.GetUser(),
rules.ObjectGet(),
}, nil
}
// Claims returns a Criterion on allowed IDP claims.
func Claims(generator *Generator) Criterion {
return claimsCriterion{g: generator}
}
func init() {
Register(Claims)
}