authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
//go:generate mockgen -destination mock_evaluator/mock.go github.com/pomerium/pomerium/authorize/evaluator Evaluator
// Package evaluator defines an Evaluator interface that can be implemented by
// a policy evaluator framework.
package evaluator
import (
"context"
pb "github.com/pomerium/pomerium/internal/grpc/authorize"
)
// Evaluator specifies the interface for a policy engine.
//
// An implementation answers authorization questions for the authorize
// service and accepts the data a policy needs to make those decisions. The
// concrete shape of the input and data values is not fixed by this interface;
// see the implementing package.
type Evaluator interface {
	// IsAuthorized evaluates input against the loaded policy and returns the
	// decision as a pb.IsAuthorizedReply. input is an opaque interface{};
	// the Request type in this package is presumably the intended shape —
	// confirm against callers. NOTE(review): callers should treat a non-nil
	// error (or a nil reply) as "not authorized" rather than falling open.
	IsAuthorized(ctx context.Context, input interface{}) (*pb.IsAuthorizedReply, error)
	// PutData supplies data that the policy can read at evaluation time.
	// The key layout, and whether existing entries are replaced or merged,
	// are implementation-defined.
	PutData(ctx context.Context, data map[string]interface{}) error
}
// A Request represents an evaluable request with an associated user, device,
// and request context.
//
// Every field other than User appears to be copied from the incoming HTTP
// request and is therefore client-controlled (the code that populates a
// Request is not in this file — confirm there). Policy should not treat any
// of those fields as proof of identity; identity comes only from the User
// token once it has been verified.
type Request struct {
	// User context
	//
	// User contains the associated user's JWT created by the authenticate
	// service, carried as a string. The evaluator is expected to verify the
	// token's signature and expiry before trusting any claim in it; where
	// that verification happens is outside this file — confirm in the
	// implementing evaluator.
	User string `json:"user,omitempty"`

	// Request context
	//
	// Method specifies the HTTP method (GET, POST, PUT, etc.).
	Method string `json:"method,omitempty"`
	// URL specifies the URI being requested.
	URL string `json:"url,omitempty"`
	// Proto is the protocol version of the incoming server request,
	// e.g. "HTTP/1.0".
	Proto string `json:"proto,omitempty"`
	// Header contains the request header fields as received by the server.
	// Note the JSON key is "headers" (plural) while the Go field is Header.
	// Header values are supplied by the client; a policy that reads identity
	// or role information from a header should presumably only do so for
	// headers the proxy is known to strip and re-set — verify with the proxy.
	Header map[string][]string `json:"headers,omitempty"`
	// Host specifies the host on which the URL is sought.
	Host string `json:"host,omitempty"`
	// RemoteAddr is the network address that sent the request. Behind a
	// load balancer or the proxy this is presumably the immediate peer, not
	// necessarily the end client — confirm with the caller that fills it.
	RemoteAddr string `json:"remote_addr,omitempty"`
	// RequestURI is the unmodified request-target of the
	// Request-Line (RFC 7230, Section 3.1.1) as sent by the client
	// to a server. Usually the URL field should be used instead.
	RequestURI string `json:"request_uri,omitempty"`

	// Device context
	//
	// todo(bdd): Use the peer TLS certificate to bind device state with a request
}