authorize: custom rego policies (#1123)

* add support for custom rego policies * add support for passing custom policies
2025-05-31 01:47:33 +02:00 · 2020-07-21 12:09:26 -06:00 · 2020-07-21 12:09:26 -06:00 · 858077b3b6
commit 858077b3b6
parent d5433f8431
4 changed files with 197 additions and 5 deletions
--- a/authorize/evaluator/custom_test.go
+++ b/authorize/evaluator/custom_test.go
@ -0,0 +1,57 @@
+package evaluator
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCustomEvaluator(t *testing.T) {
+	ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second*10)
+	defer clearTimeout()
+
+	store := NewStore()
+	t.Run("bool deny", func(t *testing.T) {
+		ce := NewCustomEvaluator(store.opaStore)
+		res, err := ce.Evaluate(ctx, &CustomEvaluatorRequest{
+			RegoPolicy: `
+				package pomerium.custom_policy
+
+				deny = true
+			`,
+		})
+		if !assert.NoError(t, err) {
+			return
+		}
+		assert.Equal(t, true, res.Denied)
+		assert.Empty(t, res.Reason)
+	})
+	t.Run("set deny", func(t *testing.T) {
+		ce := NewCustomEvaluator(store.opaStore)
+		res, err := ce.Evaluate(ctx, &CustomEvaluatorRequest{
+			RegoPolicy: `
+				package pomerium.custom_policy
+
+				deny["test"] = true
+			`,
+		})
+		if !assert.NoError(t, err) {
+			return
+		}
+		assert.Equal(t, true, res.Denied)
+		assert.Equal(t, "test", res.Reason)
+	})
+	t.Run("missing package", func(t *testing.T) {
+		ce := NewCustomEvaluator(store.opaStore)
+		res, err := ce.Evaluate(ctx, &CustomEvaluatorRequest{
+			RegoPolicy: `allow = true`,
+		})
+		if !assert.NoError(t, err) {
+			return
+		}
+		assert.NotNil(t, res)
+	})
+
+}