package criteria
import (
"fmt"
"github.com/open-policy-agent/opa/ast"
"github.com/pomerium/pomerium/pkg/policy/generator"
"github.com/pomerium/pomerium/pkg/policy/parser"
"github.com/pomerium/pomerium/pkg/policy/rules"
"github.com/pomerium/pomerium/pkg/webauthnutil"
)
// Operator keys accepted inside a `device` criterion object. Any other key
// is rejected by deviceCriterion.GenerateRule before a rule is built.
const (
	deviceOperatorApproved = "approved" // enrollment must (truthy) or must not (falsy) be approved
	deviceOperatorIs       = "is"       // credential id must equal the given string
	deviceOperatorType     = "type"     // device type handed to NewCriterionDeviceRule
)

// deviceOperatorLookup is the set form of the operator keys above, used for
// membership tests while validating criterion input.
var deviceOperatorLookup = map[string]struct{}{
	deviceOperatorApproved: {},
	deviceOperatorIs:       {},
	deviceOperatorType:     {},
}
// deviceCriterion implements Criterion for the `device` policy criterion.
type deviceCriterion struct {
	g *Generator // passed through to NewCriterionDeviceRule when building the rule
}
// DataType reports the input data type of the device criterion. The
// criterion takes a free-form object, so it is reported as unknown.
func (deviceCriterion) DataType() CriterionDataType {
	var dt CriterionDataType = generator.CriterionDataTypeUnknown
	return dt
}
// Name returns the criterion's policy keyword, "device".
func (deviceCriterion) Name() string {
	const criterionName = "device"
	return criterionName
}
// GenerateRule builds the rego rule for a `device` criterion.
//
// data must be a parser.Object whose keys are limited to the operators in
// deviceOperatorLookup:
//
//   - approved: when truthy the enrollment must have at least one entry in
//     approved_by; when falsy it must have none; otherwise no approval
//     constraint is added.
//   - is: a string the credential id must equal exactly.
//   - type: a string naming the device type passed to NewCriterionDeviceRule
//     (default webauthnutil.DefaultDeviceType); it also requires a non-empty
//     credential id.
//
// It returns the criterion rule plus the helper rules it depends on (device
// credential, device enrollment, session and object lookup), or an error when
// data is not an object, contains an unknown key, or gives a non-string value
// to `is` or `type`.
func (c deviceCriterion) GenerateRule(_ string, data parser.Value) (*ast.Rule, []*ast.Rule, error) {
	obj, isObject := data.(parser.Object)
	if !isObject {
		return nil, nil, fmt.Errorf("expected object for device criterion, got: %T", data)
	}

	// Reject unknown keys before building anything, so a misspelled operator
	// fails loudly instead of silently yielding a weaker rule.
	for key := range obj {
		if _, known := deviceOperatorLookup[key]; !known {
			return nil, nil, fmt.Errorf("unexpected field in device criterion: %s", key)
		}
	}

	var body ast.Body

	// approved: constrain the number of approvers on the enrollment.
	if obj.Truthy(deviceOperatorApproved) {
		body = append(body, ast.MustParseExpr(`count([x|x:=device_enrollment.approved_by]) > 0`))
	} else if obj.Falsy(deviceOperatorApproved) {
		body = append(body, ast.MustParseExpr(`count([x|x:=device_enrollment.approved_by]) == 0`))
	}

	// is: the credential id must match exactly. The expected value becomes an
	// AST string term rather than being interpolated into rego source.
	if raw, present := obj[deviceOperatorIs]; present {
		expected, isString := raw.(parser.String)
		if !isString {
			return nil, nil, fmt.Errorf("expected string for device criterion is operator, got %T", raw)
		}
		body = append(body,
			ast.Assign.Expr(ast.VarTerm("is_expect"), ast.StringTerm(string(expected))),
			ast.MustParseExpr(`is_expect == device_credential.id`),
		)
	}

	// type: choose the device type and require that a credential is present.
	deviceType := webauthnutil.DefaultDeviceType
	if raw, present := obj[deviceOperatorType]; present {
		typ, isString := raw.(parser.String)
		if !isString {
			return nil, nil, fmt.Errorf("expected string for device criterion type operator, got %T", raw)
		}
		deviceType = string(typ)
		body = append(body, ast.MustParseExpr(`device_credential.id != ""`))
	}

	rule := NewCriterionDeviceRule(c.g, c.Name(),
		ReasonDeviceOK, ReasonDeviceUnauthorized,
		body, deviceType)

	deps := []*ast.Rule{
		rules.GetDeviceCredential(),
		rules.GetDeviceEnrollment(),
		rules.GetSession(),
		rules.ObjectGet(),
	}
	return rule, deps, nil
}
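// Device returns a Criterion based on the User's device state.
//
// g is the Generator the criterion hands to NewCriterionDeviceRule when its
// rule is built.
func Device(g *Generator) Criterion {
	// Named g rather than generator so the parameter does not shadow the
	// imported generator package inside this function.
	return deviceCriterion{g: g}
}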
// init makes the device criterion available by passing its constructor to
// Register at package load time.
func init() {
	Register(Device)
}