Pomerium Policy Language (#2202)

* policy: add parser and generator for Pomerium Policy Language * add criteria * add additional criteria
2025-08-04 01:09:36 +02:00 · 2021-05-17 15:30:51 -06:00 · 2021-05-17 15:30:51 -06:00 · e138054cb9
commit e138054cb9
parent 9fe941ccee
33 changed files with 2758 additions and 0 deletions
--- a/pkg/policy/criteria/claims.go
+++ b/pkg/policy/criteria/claims.go
@ -0,0 +1,64 @@
+package criteria
+
+import (
+	"github.com/open-policy-agent/opa/ast"
+
+	"github.com/pomerium/pomerium/pkg/policy/parser"
+	"github.com/pomerium/pomerium/pkg/policy/rules"
+)
+
+var claimsBody = ast.Body{
+	ast.MustParseExpr(`
+		session := get_session(input.session.id)
+	`),
+	ast.MustParseExpr(`
+		session_claims := object.get(session, "claims", {})
+	`),
+	ast.MustParseExpr(`
+		user := get_user(session)
+	`),
+	ast.MustParseExpr(`
+		user_claims := object.get(user, "claims", {})
+	`),
+	ast.MustParseExpr(`
+		all_claims := object.union(session_claims, user_claims)
+	`),
+	ast.MustParseExpr(`
+		values := object_get(all_claims, rule_path, [])
+	`),
+	ast.MustParseExpr(`
+		rule_data == values[_]
+	`),
+}
+
+type claimsCriterion struct {
+	g *Generator
+}
+
+func (claimsCriterion) Names() []string {
+	return []string{"claim", "claims"}
+}
+
+func (c claimsCriterion) GenerateRule(subPath string, data parser.Value) (*ast.Rule, []*ast.Rule, error) {
+	r := c.g.NewRule("claims")
+	r.Body = append(r.Body,
+		ast.Assign.Expr(ast.VarTerm("rule_data"), ast.NewTerm(data.RegoValue())),
+		ast.Assign.Expr(ast.VarTerm("rule_path"), ast.NewTerm(ast.MustInterfaceToValue(subPath))),
+	)
+	r.Body = append(r.Body, claimsBody...)
+
+	return r, []*ast.Rule{
+		rules.GetSession(),
+		rules.GetUser(),
+		rules.ObjectGet(),
+	}, nil
+}
+
+// Claims returns a Criterion on allowed IDP claims.
+func Claims(generator *Generator) Criterion {
+	return claimsCriterion{g: generator}
+}
+
+func init() {
+	Register(Claims)
+}