authorize: add support for webauthn device policy enforcement (#2700)

* authorize: add support for webauthn device policy enforcement * update docs * group statuses
2025-05-21 21:17:13 +02:00 · 2021-10-25 09:41:03 -06:00 · 2021-10-25 09:41:03 -06:00 · 3497c39b9b
commit 3497c39b9b
parent 9d4ebcf871
8 changed files with 456 additions and 27 deletions
--- a/pkg/policy/rules/rules.go
+++ b/pkg/policy/rules/rules.go
@ -49,6 +49,31 @@ get_user_email(session, user) = v {
 `)
 }

+// GetDeviceCredential gets the device credential for the given session.
+func GetDeviceCredential() *ast.Rule {
+	return ast.MustParseRule(`
+get_device_credential(session, device_type_id) = v {
+	device_credential_id := [x.Credential.Id|x:=session.device_credentials[_];x.type_id==device_type_id][0]
+	v = get_databroker_record("type.googleapis.com/pomerium.device.Credential", device_credential_id)
+	v != null
+} else = {} {
+	true
+}
+`)
+}
+
+// GetDeviceEnrollment gets the device enrollment for the given device credential.
+func GetDeviceEnrollment() *ast.Rule {
+	return ast.MustParseRule(`
+get_device_enrollment(device_credential) = v {
+	v = get_databroker_record("type.googleapis.com/pomerium.device.Enrollment", device_credential.enrollment_id)
+	v != null
+} else = {} {
+	true
+}
+`)
+}
+
 // GetDirectoryUser returns the directory user for the given session.
 func GetDirectoryUser() *ast.Rule {
 	return ast.MustParseRule(`