Documentation
¶
Overview ¶
Package opa contains code for performing authorization checks using opa/rego.
Index ¶
Constants ¶
const ( // SansshellRegoPackage is the rego package used by all Sansshell policy files. // Any policy not using this package will be rejected. SansshellRegoPackage = "sansshell.authz" // DefaultAuthzQuery is the default query used for policy evaluation. DefaultAuthzQuery = "data.sansshell.authz.allow" )
Variables ¶
This section is empty.
Functions ¶
func NewOpaAuthzPolicy ¶ added in v1.43.0
func NewOpaAuthzPolicy(ctx context.Context, policy string, opts ...Option) (rpcauth.AuthzPolicy, error)
NewOpaAuthzPolicy creates a new opaAuthzPolicy by parsing the policy given in the string `policy`. It returns an error if the policy cannot be parsed, or does not use SansshellRegoPackage in its package declaration.
func NewOpaRPCAuthorizer ¶ added in v1.43.0
func NewOpaRPCAuthorizer(ctx context.Context, opaPolicy string, authzHooks ...rpcauth.RPCAuthzHook) (rpcauth.RPCAuthorizer, error)
NewOpaRPCAuthorizer creates a new Authorizer from a policy string. Any supplied authorization hooks will be executed, in the order provided, on each policy evaluation. NOTE: The policy is used for both client and server hooks below. If you need distinct policy for client vs server, create 2 Authorizer's.
Types ¶
type Option ¶
type Option interface {
// contains filtered or unexported methods
}
An Option controls the behavior of an opaAuthzPolicy
func WithAllowQuery ¶
WithAllowQuery returns an option to use `query` to evaluate the policy, instead of DefaultAuthzQuery. The supplied query should be simple evaluation expressions that creates no binding, and evaluates to 'true' iff the input satisfies the conditions of the policy.
func WithDenialHintsQuery ¶ added in v1.19.2
WithDenialHintsQuery returns an option to use `query` to evaluate the policy when the AllowPolicy fails. The supplied query must be a simple evaluation expression that creates no binding and evaluates to an array of strings.
This can be used to give better error messages when Eval returns false. With a value like data.sansshell.authz.denial_hints, you can use a policy with rules like
denial_hints [msg] {
not allow
msg :="you need to be allowed"
}
func WithStore ¶ added in v1.62.0
WithStore returns an option that exposes the contents of `store` to the policy as the `data` document during evaluation. This allows a single policy file to be parameterized with external configuration instead of hard-coding values, for example:
store := inmem.NewFromObject(map[string]any{
"config": map[string]any{"allowed_method": "/Foo.Bar/Baz"},
})
p, _ := opa.NewOpaAuthzPolicy(ctx, policy, opa.WithStore(store))
and a policy that references data.config.allowed_method. The same store is used for both the allow query and the denial-hints query.