mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-04 04:46:01 +02:00
efffe57bf0
* ppl: pass contextual information through policy * maybe fix nginx * fix nginx * pr comments * go mod tidy
42 lines
1.1 KiB
Go
42 lines
1.1 KiB
Go
package criteria
|
|
|
|
import (
|
|
"github.com/open-policy-agent/opa/ast"
|
|
|
|
"github.com/pomerium/pomerium/pkg/policy/generator"
|
|
"github.com/pomerium/pomerium/pkg/policy/parser"
|
|
)
|
|
|
|
var corsPreflightBody = ast.Body{
|
|
ast.MustParseExpr(`input.http.method == "OPTIONS"`),
|
|
ast.MustParseExpr(`count(object.get(input.http.headers, "Access-Control-Request-Method", [])) > 0`),
|
|
ast.MustParseExpr(`count(object.get(input.http.headers, "Origin", [])) > 0`),
|
|
}
|
|
|
|
type corsPreflightCriterion struct {
|
|
g *Generator
|
|
}
|
|
|
|
func (corsPreflightCriterion) DataType() CriterionDataType {
|
|
return generator.CriterionDataTypeUnused
|
|
}
|
|
|
|
func (corsPreflightCriterion) Name() string {
|
|
return "cors_preflight"
|
|
}
|
|
|
|
func (c corsPreflightCriterion) GenerateRule(_ string, _ parser.Value) (*ast.Rule, []*ast.Rule, error) {
|
|
rule := NewCriterionRule(c.g, c.Name(),
|
|
ReasonCORSRequest, ReasonNonCORSRequest,
|
|
corsPreflightBody)
|
|
return rule, nil, nil
|
|
}
|
|
|
|
// CORSPreflight returns a Criterion which returns true if the input request is a CORS preflight request.
|
|
func CORSPreflight(generator *Generator) Criterion {
|
|
return corsPreflightCriterion{g: generator}
|
|
}
|
|
|
|
func init() {
|
|
Register(CORSPreflight)
|
|
}
|