3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-20 10:08:38 +02:00
Code Issues Projects Releases Packages Wiki Activity

ppl: bubble up values, bug fixes (#2213)

Browse source
This commit is contained in:
Caleb Doxsey 2021-05-18 14:01:36 -06:00 committed by GitHub
parent e138054cb9
commit bdccd4f785
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 218 additions and 118 deletions
Download patch file Download diff file Expand all files Collapse all files

55
pkg/policy/rules/rules.go
View file

@ -7,11 +7,13 @@ import "github.com/open-policy-agent/opa/ast"
func GetSession() *ast.Rule {
return ast.MustParseRule(`
get_session(id) = v {
v := get_databroker_record("type.googleapis.com/user.ServiceAccount", id)
v = get_databroker_record("type.googleapis.com/user.ServiceAccount", id)
v != null
} else = v {
v := get_databroker_record("type.googleapis.com/session.Session", id)
} else = v {
v := {}
v = get_databroker_record("type.googleapis.com/session.Session", id)
v != null
} else = {} {
true
}
`)
}
@ -20,11 +22,13 @@ get_session(id) = v {
func GetUser() *ast.Rule {
return ast.MustParseRule(`
get_user(session) = v {
v := get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
v = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
v != null
} else = v {
v := get_databroker_record("type.googleapis.com/user.User", session.user_id)
} else = v {
v := {}
v = get_databroker_record("type.googleapis.com/user.User", session.user_id)
v != null
} else = {} {
true
}
`)
}
@ -33,11 +37,11 @@ get_user(session) = v {
func GetUserEmail() *ast.Rule {
return ast.MustParseRule(`
get_user_email(session, user) = v {
v := session.impersonate_email
v = session.impersonate_email
} else = v {
v := user.email
} else = v {
v := ""
v = user.email
} else = "" {
true
}
`)
}
@ -46,11 +50,13 @@ get_user_email(session, user) = v {
func GetDirectoryUser() *ast.Rule {
return ast.MustParseRule(`
get_directory_user(session) = v {
v := get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
v = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
v != null
} else = v {
v := get_databroker_record("type.googleapis.com/directory.User", session.user_id)
} else = v {
v := {}
v = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
v != null
} else = "" {
true
}
`)
}
@ -59,9 +65,10 @@ get_directory_user(session) = v {
func GetDirectoryGroup() *ast.Rule {
return ast.MustParseRule(`
get_directory_group(id) = v {
v := get_databroker_record("type.googleapis.com/directory.Group", id)
} else = v {
v := {}
v = get_databroker_record("type.googleapis.com/directory.Group", id)
v != null
} else = {} {
true
}
`)
}
@ -70,11 +77,13 @@ get_directory_group(id) = v {
func GetGroupIDs() *ast.Rule {
return ast.MustParseRule(`
get_group_ids(session, directory_user) = v {
v := session.impersonate_groups
v = session.impersonate_groups
v != null
} else = v {
v := directory_user.group_ids
} else = v {
v := []
v = directory_user.group_ids
v != null
} else = [] {
true
}
`)
}