* ppl: refactor authorize to evaluate PPL * remove opa test step * add log statement * simplify assignment * deny with forbidden if logged in * add safeEval function * create evaluator-specific config and options * embed the headers rego file directly
package evaluator
import (
"github.com/pomerium/pomerium/config"
)
// evaluatorConfig holds the settings an evaluator is built from.
// It is populated only through the Option functions in this file; the zero
// value is what getConfig starts from before any Option is applied.
type evaluatorConfig struct {
	// policies is the set of routes/policies the evaluator decides over.
	policies []config.Policy
	// clientCA is the client CA material used for mTLS checks
	// (stored as given by WithClientCA; encoding not determined here).
	clientCA []byte
	// signingKey and signingKeyAlgorithm are set together by WithSigningKey.
	signingKey          string
	signingKeyAlgorithm string
	// authenticateURL is the authenticate service URL, stored as a plain
	// string; it is not parsed or validated at this layer.
	authenticateURL string
	// googleCloudServerlessAuthenticationServiceAccount is the service
	// account used for Google Cloud serverless authentication.
	googleCloudServerlessAuthenticationServiceAccount string
	// jwtClaimsHeaders maps JWT claims to headers (see config.JWTClaimHeaders).
	jwtClaimsHeaders config.JWTClaimHeaders
}
// An Option customizes the evaluator config. Options are applied in order by
// getConfig, so a later Option overrides an earlier one that sets the same field.
type Option func(*evaluatorConfig)
// getConfig builds an evaluatorConfig by applying each Option in the order
// given. With no options the zero-value config is returned; a later Option
// overrides an earlier one that sets the same field.
func getConfig(options ...Option) *evaluatorConfig {
	var cfg evaluatorConfig
	for _, apply := range options {
		apply(&cfg)
	}
	return &cfg
}
// WithPolicies returns an Option that installs policies on the config.
// The slice is stored as passed (no copy), so callers share its backing array.
func WithPolicies(policies []config.Policy) Option {
	set := func(cfg *evaluatorConfig) {
		cfg.policies = policies
	}
	return set
}
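// WithClientCA returns an Option that sets the client CA material on the config.
//
// The bytes are copied when the Option is applied, so a caller that reuses or
// mutates its buffer afterwards cannot alter the CA material the config holds.
// A nil input stays nil; an empty non-nil input becomes an empty non-nil slice,
// preserving the nil/empty distinction of the original assignment.
func WithClientCA(clientCA []byte) Option {
	return func(cfg *evaluatorConfig) {
		if clientCA == nil {
			cfg.clientCA = nil
			return
		}
		cp := make([]byte, len(clientCA))
		copy(cp, clientCA)
		cfg.clientCA = cp
	}
}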
// WithSigningKey returns an Option that sets both the signing key algorithm and
// the signing key on the config. Note the parameter order: algorithm first,
// then key. Neither value is validated here.
func WithSigningKey(signingKeyAlgorithm, signingKey string) Option {
	return Option(func(cfg *evaluatorConfig) {
		cfg.signingKey = signingKey
		cfg.signingKeyAlgorithm = signingKeyAlgorithm
	})
}
// WithAuthenticateURL returns an Option that records the authenticate URL on
// the config. The string is stored verbatim; it is not parsed or validated here.
func WithAuthenticateURL(authenticateURL string) Option {
	set := func(cfg *evaluatorConfig) {
		cfg.authenticateURL = authenticateURL
	}
	return set
}
// WithGoogleCloudServerlessAuthenticationServiceAccount returns an Option that
// records the Google Cloud serverless authentication service account on the
// config. The value is stored verbatim.
func WithGoogleCloudServerlessAuthenticationServiceAccount(serviceAccount string) Option {
	return Option(func(cfg *evaluatorConfig) {
		cfg.googleCloudServerlessAuthenticationServiceAccount = serviceAccount
	})
}
// WithJWTClaimsHeaders returns an Option that sets the JWT claims headers on
// the config. The value is stored as passed; config.JWTClaimHeaders is a
// project type, so any aliasing semantics follow that type.
func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option {
	set := func(cfg *evaluatorConfig) {
		cfg.jwtClaimsHeaders = headers
	}
	return set
}