evaluator

package
v0.5.2
Published: Jan 3, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Evaluator

type Evaluator struct {
	// contains filtered or unexported fields
}

Evaluator implements policyserver.PolicyEvaluator using tag-based authorization.

Example

Example showing how the evaluator would be used

package main

import (
	"context"

	"github.com/epithet-ssh/epithet/pkg/policy"
	"github.com/epithet-ssh/epithet/pkg/policyserver"
	"github.com/epithet-ssh/epithet/pkg/policyserver/evaluator"
	"github.com/epithet-ssh/epithet/pkg/tlsconfig"
)

func main() {
	cfg := &policyserver.PolicyRulesConfig{
		CAPublicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbCdE...",
		OIDC: policyserver.OIDCConfig{
			Issuer:   "https://accounts.google.com",
			ClientID: "test-client-id",
		},
		Users: map[string][]string{
			"alice@example.com": {"admin"},
		},
		Defaults: &policyserver.DefaultPolicy{
			Allow: map[string][]string{
				"alice": {"admin"},
			},
		},
		// Host patterns are required - defaults.Allow is merged into these
		Hosts: map[string]*policyserver.HostPolicy{
			"*.example.com": {},
		},
	}

	ctx := context.Background()
	eval, _, _ := evaluator.New(ctx, cfg, tlsconfig.Config{})

	// Evaluate would be called with a real OIDC token
	conn := policy.Connection{
		RemoteHost: "server.example.com",
		RemoteUser: "alice",
		Port:       22,
	}

	_, _ = eval.Evaluate("oidc-token-from-auth-command", conn)
}

func New

New creates a new policy evaluator with a new OIDC validator.

func NewForTesting added in v0.3.3

func NewForTesting(cfg *policyserver.PolicyRulesConfig) *Evaluator

NewForTesting creates an evaluator without OIDC validation for unit testing. The Evaluate method doesn't use the validator (validation happens in the handler), so this is safe for testing policy logic.

func (*Evaluator) Evaluate

func (e *Evaluator) Evaluate(identity string, conn policy.Connection) (*policyserver.Response, error)

Evaluate implements policyserver.PolicyEvaluator. The identity has already been extracted from a validated token by the handler.
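As an added example, not code from the epithet project: a simplified, self-contained model of the tag-based check that the configuration in the example above describes. It assumes that an identity is granted when one of its tags (from Users) appears in the Allow list for the requested remote user on a host whose pattern matches, with Defaults.Allow merged into every host policy, and that everything else is denied; the types Rules and Conn and the function Allowed are hypothetical names.

```go
package main

import (
	"fmt"
	"path"
)

// Rules is a simplified mirror of the PolicyRulesConfig shape shown above; the
// check in Allowed is an assumption about tag-based authorization, not the
// evaluator package's own code.
type Rules struct {
	Users    map[string][]string            // identity -> tags it holds
	Defaults map[string][]string            // remote user -> tags allowed on any host
	Hosts    map[string]map[string][]string // host glob -> remote user -> tags
}

type Conn struct {
	RemoteHost string
	RemoteUser string
	Port       int
}

// Allowed grants access only when some host pattern matches and the identity
// holds a tag listed for the remote user there (Defaults merged in).
// Everything else is a deny, with a reason suitable for an audit log.
func Allowed(r Rules, identity string, c Conn) (bool, string) {
	tags := map[string]bool{}
	for _, t := range r.Users[identity] {
		tags[t] = true
	}
	matched := false
	for pattern, hostPolicy := range r.Hosts {
		if ok, err := path.Match(pattern, c.RemoteHost); err != nil || !ok {
			continue
		}
		matched = true
		// Defaults.Allow is merged into every matching host policy.
		required := append(append([]string{}, r.Defaults[c.RemoteUser]...), hostPolicy[c.RemoteUser]...)
		for _, t := range required {
			if tags[t] {
				return true, fmt.Sprintf("tag %q permits %s on %s", t, c.RemoteUser, pattern)
			}
		}
	}
	if !matched {
		return false, "no host pattern matches " + c.RemoteHost
	}
	return false, fmt.Sprintf("no tag of %s permits remote user %s", identity, c.RemoteUser)
}
```

The deny reasons are returned rather than only logged so that a caller can record why a request was refused without re-deriving the decision.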
