Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Evaluator ¶
type Evaluator struct {
// contains filtered or unexported fields
}
Evaluator implements policyserver.PolicyEvaluator using tag-based authorization
Example ¶
Example showing how the evaluator would be used
package main
import (
	"context"
	"log"

	"github.com/epithet-ssh/epithet/pkg/policy"
	"github.com/epithet-ssh/epithet/pkg/policyserver"
	"github.com/epithet-ssh/epithet/pkg/policyserver/evaluator"
	"github.com/epithet-ssh/epithet/pkg/tlsconfig"
)
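// main shows how the evaluator is constructed and queried. Every value in
// the configuration below is a placeholder.
func main() {
	// Users appears to map an OIDC identity to its tags (the Evaluator doc
	// describes "tag-based authorization"), and Defaults.Allow appears to map
	// a remote user name to the tags allowed to log in as it — confirm both
	// against the policyserver package documentation.
	cfg := &policyserver.PolicyRulesConfig{
		CAPublicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbCdE...",
		OIDC: policyserver.OIDCConfig{
			Issuer:   "https://accounts.google.com",
			Audience: "test-client-id",
		},
		Users: map[string][]string{
			"alice@example.com": {"admin"},
		},
		Defaults: &policyserver.DefaultPolicy{
			Allow: map[string][]string{
				"alice": {"admin"},
			},
		},
	}

	ctx := context.Background()

	// New also builds the OIDC validator (its second result, unused here).
	// The error must not be discarded: on failure eval is nil and the
	// Evaluate call below would dereference it.
	eval, _, err := evaluator.New(ctx, cfg, tlsconfig.Config{})
	if err != nil {
		log.Fatalf("creating evaluator: %v", err)
	}

	conn := policy.Connection{
		RemoteHost: "server.example.com",
		RemoteUser: "alice",
		Port:       22,
	}

	// Evaluate would be called with a real OIDC token.
	// NOTE(review): Evaluate's doc says its first argument is an identity
	// already extracted from a validated token by the handler, not the raw
	// token — confirm which value a caller is expected to pass here.
	// The returned *policyserver.Response carries the decision; a real
	// caller would inspect it instead of discarding it.
	if _, err := eval.Evaluate("oidc-token-from-auth-command", conn); err != nil {
		log.Fatalf("evaluating policy: %v", err)
	}
}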
func New ¶
func New(ctx context.Context, cfg *policyserver.PolicyRulesConfig, tlsCfg tlsconfig.Config) (*Evaluator, *oidc.Validator, error)
New creates a new policy evaluator with a new OIDC validator
func (*Evaluator) Evaluate ¶
func (e *Evaluator) Evaluate(identity string, conn policy.Connection) (*policyserver.Response, error)
Evaluate implements policyserver.PolicyEvaluator. The identity has already been extracted from a validated token by the handler.