core/opa: update for rego 1.0 (#4895)
* core/opa: update headers rego script * core/opa: update ppl * further updates
This commit is contained in:
parent
5e0079c649
commit
24b04bed35
9 changed files with 289 additions and 319 deletions
|
@ -53,104 +53,106 @@ func TestPolicy_ToPPL(t *testing.T) {
|
|||
require.NoError(t, err)
|
||||
assert.Equal(t, `package pomerium.policy
|
||||
|
||||
default allow = [false, set()]
|
||||
import rego.v1
|
||||
|
||||
default deny = [false, set()]
|
||||
default allow := [false, set()]
|
||||
|
||||
accept_0 = [true, {"accept"}]
|
||||
default deny := [false, set()]
|
||||
|
||||
cors_preflight_0 = [true, {"cors-request"}] {
|
||||
accept_0 := [true, {"accept"}]
|
||||
|
||||
cors_preflight_0 := [true, {"cors-request"}] if {
|
||||
input.http.method == "OPTIONS"
|
||||
count(object.get(input.http.headers, "Access-Control-Request-Method", [])) > 0
|
||||
count(object.get(input.http.headers, "Origin", [])) > 0
|
||||
}
|
||||
|
||||
else = [false, {"non-cors-request"}]
|
||||
else := [false, {"non-cors-request"}]
|
||||
|
||||
authenticated_user_0 = [true, {"user-ok"}] {
|
||||
authenticated_user_0 := [true, {"user-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.user_id != null
|
||||
session.user_id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthorized"}] {
|
||||
else := [false, {"user-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
domain_0 = [true, {"domain-ok"}] {
|
||||
domain_0 := [true, {"domain-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
domain := split(get_user_email(session, user), "@")[1]
|
||||
domain == "a.example.com"
|
||||
}
|
||||
|
||||
else = [false, {"domain-unauthorized"}] {
|
||||
else := [false, {"domain-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
domain_1 = [true, {"domain-ok"}] {
|
||||
domain_1 := [true, {"domain-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
domain := split(get_user_email(session, user), "@")[1]
|
||||
domain == "b.example.com"
|
||||
}
|
||||
|
||||
else = [false, {"domain-unauthorized"}] {
|
||||
else := [false, {"domain-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
domain_2 = [true, {"domain-ok"}] {
|
||||
domain_2 := [true, {"domain-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
domain := split(get_user_email(session, user), "@")[1]
|
||||
domain == "c.example.com"
|
||||
}
|
||||
|
||||
else = [false, {"domain-unauthorized"}] {
|
||||
else := [false, {"domain-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
domain_3 = [true, {"domain-ok"}] {
|
||||
domain_3 := [true, {"domain-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
domain := split(get_user_email(session, user), "@")[1]
|
||||
domain == "d.example.com"
|
||||
}
|
||||
|
||||
else = [false, {"domain-unauthorized"}] {
|
||||
else := [false, {"domain-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
domain_4 = [true, {"domain-ok"}] {
|
||||
domain_4 := [true, {"domain-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
domain := split(get_user_email(session, user), "@")[1]
|
||||
domain == "e.example.com"
|
||||
}
|
||||
|
||||
else = [false, {"domain-unauthorized"}] {
|
||||
else := [false, {"domain-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
claim_0 = [true, {"claim-ok"}] {
|
||||
claim_0 := [true, {"claim-ok"}] if {
|
||||
rule_data := "Smith"
|
||||
rule_path := "family_name"
|
||||
session := get_session(input.session.id)
|
||||
|
@ -162,14 +164,14 @@ claim_0 = [true, {"claim-ok"}] {
|
|||
rule_data == values[_0]
|
||||
}
|
||||
|
||||
else = [false, {"claim-unauthorized"}] {
|
||||
else := [false, {"claim-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
claim_1 = [true, {"claim-ok"}] {
|
||||
claim_1 := [true, {"claim-ok"}] if {
|
||||
rule_data := "Jones"
|
||||
rule_path := "family_name"
|
||||
session := get_session(input.session.id)
|
||||
|
@ -181,14 +183,14 @@ claim_1 = [true, {"claim-ok"}] {
|
|||
rule_data == values[_0]
|
||||
}
|
||||
|
||||
else = [false, {"claim-unauthorized"}] {
|
||||
else := [false, {"claim-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
claim_2 = [true, {"claim-ok"}] {
|
||||
claim_2 := [true, {"claim-ok"}] if {
|
||||
rule_data := "John"
|
||||
rule_path := "given_name"
|
||||
session := get_session(input.session.id)
|
||||
|
@ -200,14 +202,14 @@ claim_2 = [true, {"claim-ok"}] {
|
|||
rule_data == values[_0]
|
||||
}
|
||||
|
||||
else = [false, {"claim-unauthorized"}] {
|
||||
else := [false, {"claim-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
claim_3 = [true, {"claim-ok"}] {
|
||||
claim_3 := [true, {"claim-ok"}] if {
|
||||
rule_data := "EST"
|
||||
rule_path := "timezone"
|
||||
session := get_session(input.session.id)
|
||||
|
@ -219,204 +221,204 @@ claim_3 = [true, {"claim-ok"}] {
|
|||
rule_data == values[_0]
|
||||
}
|
||||
|
||||
else = [false, {"claim-unauthorized"}] {
|
||||
else := [false, {"claim-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
user_0 = [true, {"user-ok"}] {
|
||||
user_0 := [true, {"user-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user_id := session.user_id
|
||||
user_id == "user1"
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthorized"}] {
|
||||
else := [false, {"user-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
email_0 = [true, {"email-ok"}] {
|
||||
email_0 := [true, {"email-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
email := get_user_email(session, user)
|
||||
email == "user1"
|
||||
}
|
||||
|
||||
else = [false, {"email-unauthorized"}] {
|
||||
else := [false, {"email-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
user_1 = [true, {"user-ok"}] {
|
||||
user_1 := [true, {"user-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user_id := session.user_id
|
||||
user_id == "user2"
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthorized"}] {
|
||||
else := [false, {"user-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
email_1 = [true, {"email-ok"}] {
|
||||
email_1 := [true, {"email-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
email := get_user_email(session, user)
|
||||
email == "user2"
|
||||
}
|
||||
|
||||
else = [false, {"email-unauthorized"}] {
|
||||
else := [false, {"email-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
user_2 = [true, {"user-ok"}] {
|
||||
user_2 := [true, {"user-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user_id := session.user_id
|
||||
user_id == "user3"
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthorized"}] {
|
||||
else := [false, {"user-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
email_2 = [true, {"email-ok"}] {
|
||||
email_2 := [true, {"email-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
email := get_user_email(session, user)
|
||||
email == "user3"
|
||||
}
|
||||
|
||||
else = [false, {"email-unauthorized"}] {
|
||||
else := [false, {"email-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
user_3 = [true, {"user-ok"}] {
|
||||
user_3 := [true, {"user-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user_id := session.user_id
|
||||
user_id == "user4"
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthorized"}] {
|
||||
else := [false, {"user-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
email_3 = [true, {"email-ok"}] {
|
||||
email_3 := [true, {"email-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
email := get_user_email(session, user)
|
||||
email == "user4"
|
||||
}
|
||||
|
||||
else = [false, {"email-unauthorized"}] {
|
||||
else := [false, {"email-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
user_4 = [true, {"user-ok"}] {
|
||||
user_4 := [true, {"user-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user_id := session.user_id
|
||||
user_id == "user5"
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthorized"}] {
|
||||
else := [false, {"user-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
email_4 = [true, {"email-ok"}] {
|
||||
email_4 := [true, {"email-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user := get_user(session)
|
||||
email := get_user_email(session, user)
|
||||
email == "user5"
|
||||
}
|
||||
|
||||
else = [false, {"email-unauthorized"}] {
|
||||
else := [false, {"email-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
or_0 = v {
|
||||
or_0 := v if {
|
||||
results := [accept_0, cors_preflight_0, authenticated_user_0, domain_0, domain_1, domain_2, domain_3, domain_4, claim_0, claim_1, claim_2, claim_3, user_0, email_0, user_1, email_1, user_2, email_2, user_3, email_3, user_4, email_4]
|
||||
normalized := [normalize_criterion_result(x) | x := results[i]]
|
||||
v := merge_with_or(normalized)
|
||||
}
|
||||
|
||||
user_5 = [true, {"user-ok"}] {
|
||||
user_5 := [true, {"user-ok"}] if {
|
||||
session := get_session(input.session.id)
|
||||
user_id := session.user_id
|
||||
user_id == "user6"
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthorized"}] {
|
||||
else := [false, {"user-unauthorized"}] if {
|
||||
session := get_session(input.session.id)
|
||||
session.id != ""
|
||||
}
|
||||
|
||||
else = [false, {"user-unauthenticated"}]
|
||||
else := [false, {"user-unauthenticated"}]
|
||||
|
||||
or_1 = v {
|
||||
or_1 := v if {
|
||||
results := [user_5]
|
||||
normalized := [normalize_criterion_result(x) | x := results[i]]
|
||||
v := merge_with_or(normalized)
|
||||
}
|
||||
|
||||
allow = v {
|
||||
allow := v if {
|
||||
results := [or_0, or_1]
|
||||
normalized := [normalize_criterion_result(x) | x := results[i]]
|
||||
v := merge_with_or(normalized)
|
||||
}
|
||||
|
||||
invert_criterion_result(in) = out {
|
||||
in[0]
|
||||
out = array.concat([false], array.slice(in, 1, count(in)))
|
||||
invert_criterion_result(v) := out if {
|
||||
v[0]
|
||||
out = array.concat([false], array.slice(v, 1, count(v)))
|
||||
}
|
||||
|
||||
else = out {
|
||||
not in[0]
|
||||
out = array.concat([true], array.slice(in, 1, count(in)))
|
||||
else := out if {
|
||||
not v[0]
|
||||
out = array.concat([true], array.slice(v, 1, count(v)))
|
||||
}
|
||||
|
||||
normalize_criterion_result(result) = v {
|
||||
normalize_criterion_result(result) := v if {
|
||||
is_boolean(result)
|
||||
v = [result, set()]
|
||||
}
|
||||
|
||||
else = v {
|
||||
else := v if {
|
||||
is_array(result)
|
||||
v = result
|
||||
}
|
||||
|
||||
else = v {
|
||||
else := v if {
|
||||
v = [false, set()]
|
||||
}
|
||||
|
||||
object_union(xs) = merged {
|
||||
object_union(xs) := merged if {
|
||||
merged = {k: v |
|
||||
some k
|
||||
xs[_0][k]
|
||||
|
@ -425,38 +427,38 @@ object_union(xs) = merged {
|
|||
}
|
||||
}
|
||||
|
||||
merge_with_and(results) = [true, reasons, additional_data] {
|
||||
merge_with_and(results) := [true, reasons, additional_data] if {
|
||||
true_results := [x | x := results[i]; x[0]]
|
||||
count(true_results) == count(results)
|
||||
reasons := union({x | x := true_results[i][1]})
|
||||
additional_data := object_union({x | x := true_results[i][2]})
|
||||
}
|
||||
|
||||
else = [false, reasons, additional_data] {
|
||||
else := [false, reasons, additional_data] if {
|
||||
false_results := [x | x := results[i]; not x[0]]
|
||||
reasons := union({x | x := false_results[i][1]})
|
||||
additional_data := object_union({x | x := false_results[i][2]})
|
||||
}
|
||||
|
||||
merge_with_or(results) = [true, reasons, additional_data] {
|
||||
merge_with_or(results) := [true, reasons, additional_data] if {
|
||||
true_results := [x | x := results[i]; x[0]]
|
||||
count(true_results) > 0
|
||||
reasons := union({x | x := true_results[i][1]})
|
||||
additional_data := object_union({x | x := true_results[i][2]})
|
||||
}
|
||||
|
||||
else = [false, reasons, additional_data] {
|
||||
else := [false, reasons, additional_data] if {
|
||||
false_results := [x | x := results[i]; not x[0]]
|
||||
reasons := union({x | x := false_results[i][1]})
|
||||
additional_data := object_union({x | x := false_results[i][2]})
|
||||
}
|
||||
|
||||
get_session(id) = v {
|
||||
get_session(id) := v if {
|
||||
v = get_databroker_record("type.googleapis.com/user.ServiceAccount", id)
|
||||
v != null
|
||||
}
|
||||
|
||||
else = iv {
|
||||
else := iv if {
|
||||
v = get_databroker_record("type.googleapis.com/session.Session", id)
|
||||
v != null
|
||||
object.get(v, "impersonate_session_id", "") != ""
|
||||
|
@ -465,41 +467,41 @@ else = iv {
|
|||
iv != null
|
||||
}
|
||||
|
||||
else = v {
|
||||
else := v if {
|
||||
v = get_databroker_record("type.googleapis.com/session.Session", id)
|
||||
v != null
|
||||
object.get(v, "impersonate_session_id", "") == ""
|
||||
}
|
||||
|
||||
else = {}
|
||||
else := {}
|
||||
|
||||
get_user(session) = v {
|
||||
get_user(session) := v if {
|
||||
v = get_databroker_record("type.googleapis.com/user.User", session.user_id)
|
||||
v != null
|
||||
}
|
||||
|
||||
else = {}
|
||||
else := {}
|
||||
|
||||
get_user_email(session, user) = v {
|
||||
get_user_email(session, user) := v if {
|
||||
v = user.email
|
||||
}
|
||||
|
||||
else = ""
|
||||
else := ""
|
||||
|
||||
object_get(obj, key, def) = value {
|
||||
object_get(obj, key, def) := value if {
|
||||
undefined := "10a0fd35-0f1a-4e5b-97ce-631e89e1bafa"
|
||||
value = object.get(obj, key, undefined)
|
||||
value != undefined
|
||||
}
|
||||
|
||||
else = value {
|
||||
else := value if {
|
||||
segments := split(replace(key, ".", "/"), "/")
|
||||
count(segments) == 2
|
||||
o1 := object.get(obj, segments[0], {})
|
||||
value = object.get(o1, segments[1], def)
|
||||
}
|
||||
|
||||
else = value {
|
||||
else := value if {
|
||||
segments := split(replace(key, ".", "/"), "/")
|
||||
count(segments) == 3
|
||||
o1 := object.get(obj, segments[0], {})
|
||||
|
@ -507,7 +509,7 @@ else = value {
|
|||
value = object.get(o2, segments[2], def)
|
||||
}
|
||||
|
||||
else = value {
|
||||
else := value if {
|
||||
segments := split(replace(key, ".", "/"), "/")
|
||||
count(segments) == 4
|
||||
o1 := object.get(obj, segments[0], {})
|
||||
|
@ -516,7 +518,7 @@ else = value {
|
|||
value = object.get(o3, segments[3], def)
|
||||
}
|
||||
|
||||
else = value {
|
||||
else := value if {
|
||||
segments := split(replace(key, ".", "/"), "/")
|
||||
count(segments) == 5
|
||||
o1 := object.get(obj, segments[0], {})
|
||||
|
@ -526,7 +528,7 @@ else = value {
|
|||
value = object.get(o4, segments[4], def)
|
||||
}
|
||||
|
||||
else = value {
|
||||
else := value if {
|
||||
value = object.get(obj, key, def)
|
||||
}
|
||||
`, str)
|
||||
|
|