opa

package
v1.27.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 3, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package opa contains code for performing authorization checks using opa/rego.

Index

Constants

View Source 
const (
	// SansshellRegoPackage is the rego package used by all Sansshell policy files.
	// Any policy not using this package will be rejected.
	SansshellRegoPackage = "sansshell.authz"

	// DefaultAuthzQuery is the default query used for policy evaluation.
	DefaultAuthzQuery = "data.sansshell.authz.allow"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthzPolicy 

type AuthzPolicy struct {
	// contains filtered or unexported fields
}

An AuthzPolicy performs policy checking by evaluating input against a sansshell rego policy file.

func NewAuthzPolicy 

func NewAuthzPolicy(ctx context.Context, policy string, opts ...Option) (*AuthzPolicy, error)

NewAuthzPolicy creates a new AuthzPolicy by parsing the policy given in the string `policy`. It returns an error if the policy cannot be parsed, or does not use SansshellRegoPackage in its package declaration.

func (*AuthzPolicy) DenialHints added in v1.19.2 

func (q *AuthzPolicy) DenialHints(ctx context.Context, input interface{}) ([]string, error)

DenialHints evaluates this policy using the provided input, returning an array of strings with reasons for the denial. This is typically used after getting a rejection from Eval to give more hints on why the rejection happened. It is a no-op if opa.WithDenialHintsQuery was not used.

func (*AuthzPolicy) Eval 

func (q *AuthzPolicy) Eval(ctx context.Context, input interface{}) (bool, error)

Eval evaluates this policy using the provided input, returning 'true' iff the evaulation was successful, and the operation represented by `input` is permitted by the policy.

type Option 

type Option interface {
	// contains filtered or unexported methods
}

An Option controls the behavior of an AuthzPolicy

func WithAllowQuery 

func WithAllowQuery(query string) Option

WithAllowQuery returns an option to use `query` to evaluate the policy, instead of DefaultAuthzQuery. The supplied query should be simple evaluation expressions that creates no binding, and evaluates to 'true' iff the input satisfies the conditions of the policy.

func WithDenialHintsQuery added in v1.19.2 

func WithDenialHintsQuery(query string) Option

WithDenialHintsQuery returns an option to use `query` to evaluate the policy when the AllowPolicy fails. The supplied query must be a simple evaluation expression that creates no binding and evaluates to an array of strings.

This can be used to give better error messages when Eval returns false. With a value like data.sansshell.authz.denial_hints, you can use a policy with rules like 

denial_hints [msg] {
  not allow
  msg :="you need to be allowed"
}

Source Files

View all Source files

Directories

Path Synopsis
Package proxiedidentity provides a way to pass the identity of an end user through the SansShell proxy
 Package proxiedidentity provides a way to pass the identity of an end user through the SansShell proxy
Package rpcauth provides OPA policy authorization for Sansshell RPCs.
 Package rpcauth provides OPA policy authorization for Sansshell RPCs.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.