Types ¶
type Evaluator ¶
// Evaluator implements policyserver.PolicyEvaluator using tag-based authorization.
// Build it with New (production; returns a paired OIDC validator) or NewForTesting
// (unit tests only; no validator). Evaluate expects an identity the handler has
// already extracted from a validated token — it does not validate tokens itself.
type Evaluator struct {
	// contains filtered or unexported fields
}
Evaluator implements policyserver.PolicyEvaluator using tag-based authorization
Example ¶
Example showing how the evaluator would be used
package main
import (
	"context"
	"log"

	"github.com/epithet-ssh/epithet/pkg/policy"
	"github.com/epithet-ssh/epithet/pkg/policyserver"
	"github.com/epithet-ssh/epithet/pkg/policyserver/evaluator"
	"github.com/epithet-ssh/epithet/pkg/tlsconfig"
)
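// main shows how the evaluator is wired up. Note two things the original example
// got wrong: the errors from New and Evaluate were discarded, and a raw OIDC token
// string was passed to Evaluate, which takes an ALREADY-VALIDATED identity (token
// validation is the handler's job, using the validator returned by New).
func main() {
	cfg := &policyserver.PolicyRulesConfig{
		// Placeholder CA public key; a real deployment uses the CA's actual key.
		CAPublicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbCdE...",
		OIDC: policyserver.OIDCConfig{
			Issuer:   "https://accounts.google.com",
			Audience: "test-client-id",
		},
		// Identity -> tags. The identity is what the handler extracts from a validated token.
		Users: map[string][]string{
			"alice@example.com": {"admin"},
		},
		// Remote user -> tags allowed to log in as that user.
		Defaults: &policyserver.DefaultPolicy{
			Allow: map[string][]string{
				"alice": {"admin"},
			},
		},
		// Host patterns are required - defaults.Allow is merged into these
		Hosts: map[string]*policyserver.HostPolicy{
			"*.example.com": {},
		},
	}

	ctx := context.Background()
	eval, validator, err := evaluator.New(ctx, cfg, tlsconfig.Config{})
	if err != nil {
		// Never run with a half-initialised evaluator; fail closed.
		log.Fatal(err)
	}
	// The validator is for the policy server handler, which validates the bearer
	// token and extracts the identity BEFORE calling Evaluate. Not used in this example.
	_ = validator

	conn := policy.Connection{
		RemoteHost: "server.example.com",
		RemoteUser: "alice",
		Port:       22,
	}
	// Evaluate performs no token validation. Pass only an identity that the handler
	// obtained from a validated token — never a raw token or a client-supplied string.
	resp, err := eval.Evaluate("alice@example.com", conn)
	if err != nil {
		log.Fatal(err)
	}
	_ = resp
}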
func New ¶
func New(ctx context.Context, cfg *policyserver.PolicyRulesConfig, tlsCfg tlsconfig.Config) (*Evaluator, *oidc.Validator, error)
New creates a new policy evaluator together with a new OIDC validator. The returned validator is intended for the handler, which validates incoming tokens and extracts the identity before calling Evaluate.
func NewForTesting ¶ added in v0.3.3
func NewForTesting(cfg *policyserver.PolicyRulesConfig) *Evaluator
NewForTesting creates an evaluator without an OIDC validator, for unit tests only. Evaluate never consults the validator (token validation happens in the handler before Evaluate is called), so this is safe for exercising policy logic in tests. It must not be used to build a production server, since such a server would have no token validation at all.
func (*Evaluator) Evaluate ¶
func (e *Evaluator) Evaluate(identity string, conn policy.Connection) (*policyserver.Response, error)
Evaluate implements policyserver.PolicyEvaluator. The identity argument must already have been extracted from a validated token by the handler; Evaluate performs no token validation itself, so callers must never pass it a raw, unverified token or a client-supplied identity string.