mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-22 21:47:16 +02:00
42 lines
1.2 KiB
Go
42 lines
1.2 KiB
Go
package criteria
|
|
|
|
import (
|
|
"github.com/open-policy-agent/opa/ast"
|
|
|
|
"github.com/pomerium/pomerium/pkg/policy/generator"
|
|
"github.com/pomerium/pomerium/pkg/policy/parser"
|
|
)
|
|
|
|
var invalidClientCertificateBody = ast.Body{
|
|
ast.MustParseExpr(`reason = [495, "invalid client certificate"]`),
|
|
ast.MustParseExpr(`is_boolean(input.is_valid_client_certificate)`),
|
|
ast.MustParseExpr(`not input.is_valid_client_certificate`),
|
|
}
|
|
|
|
type invalidClientCertificateCriterion struct {
|
|
g *Generator
|
|
}
|
|
|
|
func (invalidClientCertificateCriterion) DataType() CriterionDataType {
|
|
return generator.CriterionDataTypeUnused
|
|
}
|
|
|
|
func (invalidClientCertificateCriterion) Name() string {
|
|
return "invalid_client_certificate"
|
|
}
|
|
|
|
func (c invalidClientCertificateCriterion) GenerateRule(_ string, _ parser.Value) (*ast.Rule, []*ast.Rule, error) {
|
|
rule := c.g.NewRule("invalid_client_certificate")
|
|
rule.Head.Value = ast.VarTerm("reason")
|
|
rule.Body = invalidClientCertificateBody
|
|
return rule, nil, nil
|
|
}
|
|
|
|
// InvalidClientCertificate returns a Criterion which returns true if the client certificate is valid.
|
|
func InvalidClientCertificate(generator *Generator) Criterion {
|
|
return invalidClientCertificateCriterion{g: generator}
|
|
}
|
|
|
|
func init() {
|
|
Register(InvalidClientCertificate)
|
|
}
|