authorize/evaluator/opa: use route policy object instead of array index (#1001)

Make the code more readable and slightly reduce memory allocation:

	opa test -v --bench --count 5 --format gobench

Output:

name                                       old alloc/op                     new alloc/op                     delta
DataPomeriumAuthzTestEmailAllowed                               109kB ± 0%                       108kB ± 0%  -0.89%  (p=0.008 n=5+5)
DataPomeriumAuthzTestExample                                   95.4kB ± 0%                      93.4kB ± 0%  -2.06%  (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied                               63.6kB ± 0%                      61.6kB ± 0%  -3.09%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed                              103kB ± 0%                       101kB ± 0%  -1.86%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied                               100kB ± 0%                        98kB ± 0%  -1.64%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed                           62.6kB ± 0%                      60.7kB ± 0%  -3.14%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied                            64.5kB ± 0%                      62.5kB ± 0%  -3.11%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed                      66.7kB ± 0%                      64.5kB ± 0%  -3.33%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied                       65.8kB ± 0%                      63.3kB ± 0%  -3.92%  (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl                                  13.8kB ± 0%                      13.8kB ± 0%    ~     (p=0.167 n=5+5)
DataPomeriumAuthzTestAllowedRouteSource                         243kB ± 0%                       243kB ± 0%    ~     (p=1.000 n=5+5)
DataPomeriumAuthzTestAllowedRoutePrefix                        80.9kB ± 0%                      80.9kB ± 0%    ~     (p=0.690 n=5+5)
DataPomeriumAuthzTestAllowedRoutePath                           108kB ± 0%                       108kB ± 0%    ~     (p=0.452 n=5+5)
DataPomeriumAuthzTestAllowedRouteRegex                         90.0kB ± 0%                      89.9kB ± 0%    ~     (p=0.095 n=5+5)

name                                       old allocs/op                    new allocs/op                    delta
DataPomeriumAuthzTestEmailAllowed                               1.76k ± 0%                       1.74k ± 0%  -1.24%  (p=0.008 n=5+5)
DataPomeriumAuthzTestExample                                    1.54k ± 0%                       1.51k ± 0%  -2.18%  (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied                                1.05k ± 1%                       1.01k ± 1%  -3.21%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed                              1.65k ± 0%                       1.63k ± 0%  -1.20%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied                               1.61k ± 0%                       1.58k ± 0%  -1.42%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed                            1.04k ± 1%                       1.00k ± 1%  -3.27%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied                             1.06k ± 1%                       1.03k ± 1%  -3.19%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed                       1.14k ± 1%                       1.09k ± 0%  -3.96%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied                        1.09k ± 1%                       1.05k ± 0%  -4.04%  (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl                                     222 ± 0%                         222 ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRouteSource                         3.66k ± 0%                       3.66k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRoutePrefix                         1.23k ± 0%                       1.23k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRoutePath                           1.62k ± 0%                       1.62k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRouteRegex                          1.36k ± 0%                       1.36k ± 0%    ~     (all equal)
Cuong Manh Le 2020-06-25 21:28:54 +07:00 committed by GitHub
parent 3ad8cbf4ec
commit 963e1c015a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 12 deletions


@ -3,7 +3,7 @@ package pomerium.authz
default allow = false
route := first_allowed_route(input.http.url)
route_policy := first_allowed_route_policy(input.http.url)
session := input.databroker_data.session
user := input.databroker_data.user
directory_user := input.databroker_data.directory_user
@ -11,12 +11,12 @@ directory_user := input.databroker_data.directory_user
# allow public
allow {
data.route_policies[route].AllowPublicUnauthenticatedAccess == true
route_policy.AllowPublicUnauthenticatedAccess == true
}
# allow cors preflight
allow {
data.route_policies[route].CORSAllowPreflight == true
route_policy.CORSAllowPreflight == true
input.http.method == "OPTIONS"
count(object.get(input.http.headers, "Access-Control-Request-Method", [])) > 0
count(object.get(input.http.headers, "Origin", [])) > 0
@ -24,38 +24,38 @@ allow {
# allow by email
allow {
user.email == data.route_policies[route].allowed_users[_]
user.email == route_policy.allowed_users[_]
}
# allow group
allow {
some group
directory_user.groups[_] = group
data.route_policies[route].allowed_groups[_] = group
route_policy.allowed_groups[_] = group
}
# allow by impersonate email
allow {
data.route_policies[route].allowed_users[_] = input.session.impersonate_email
route_policy.allowed_users[_] = input.session.impersonate_email
}
# allow by impersonate group
allow {
some group
input.session.impersonate_groups[_] = group
data.route_policies[route].allowed_groups[_] = group
route_policy.allowed_groups[_] = group
}
# allow by domain
allow {
some domain
email_in_domain(user.email, data.route_policies[route].allowed_domains[domain])
email_in_domain(user.email, route_policy.allowed_domains[domain])
}
# allow by impersonate domain
allow {
some domain
email_in_domain(input.session.impersonate_email, data.route_policies[route].allowed_domains[domain])
email_in_domain(input.session.impersonate_email, route_policy.allowed_domains[domain])
}
# allow pomerium urls
@ -84,8 +84,8 @@ deny[reason] {
}
# returns the first matching route
first_allowed_route(input_url) = route {
route := [route | some route ; allowed_route(input.http.url, data.route_policies[route])][0]
first_allowed_route_policy(input_url) = first_policy {
first_policy := [policy | some i, policy; policy = data.route_policies[i]; allowed_route(input.http.url, policy)][0]
}
allowed_route(input_url, policy){