Documentation
Index
- type Evaluator
- func New(ctx context.Context, cfg *policyserver.PolicyRulesConfig, ...) (*Evaluator, *oidc.Validator, error)
- func NewForTesting(cfg *policyserver.PolicyRulesConfig) *Evaluator
- func NewForTestingWithProvider(provider policyserver.PolicyProvider) *Evaluator
- func NewWithProvider(ctx context.Context, serverCfg *policyserver.ServerConfig, ...) (*Evaluator, *oidc.Validator, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types

type Evaluator

```go
type Evaluator struct {
	// contains filtered or unexported fields
}
```
Evaluator implements policyserver.PolicyEvaluator using tag-based authorization. It can load policy either from a static config or dynamically via PolicyProvider.
Example

Example showing how the evaluator would be used:

```go
package main

import (
	"context"
	"log"

	"github.com/epithet-ssh/epithet/pkg/policy"
	"github.com/epithet-ssh/epithet/pkg/policyserver"
	"github.com/epithet-ssh/epithet/pkg/policyserver/evaluator"
	"github.com/epithet-ssh/epithet/pkg/tlsconfig"
)

func main() {
	cfg := &policyserver.PolicyRulesConfig{
		CAPublicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbCdE...",
		OIDC: policyserver.OIDCConfig{
			Issuer:   "https://accounts.google.com",
			ClientID: "test-client-id",
		},
		Users: map[string][]string{
			"alice@example.com": {"admin"},
		},
		Defaults: &policyserver.DefaultPolicy{
			Allow: map[string][]string{
				"alice": {"admin"},
			},
		},
		// Host patterns are required - defaults.Allow is merged into these
		Hosts: map[string]*policyserver.HostPolicy{
			"*.example.com": {},
		},
	}

	ctx := context.Background()
	// New also returns the OIDC validator; the handler, not Evaluate, uses it
	eval, _, err := evaluator.New(ctx, cfg, tlsconfig.Config{})
	if err != nil {
		log.Fatal(err)
	}

	// Evaluate would be called with a real OIDC token
	conn := policy.Connection{
		RemoteHost: "server.example.com",
		RemoteUser: "alice",
		Port:       22,
	}
	_, _ = eval.Evaluate(ctx, "oidc-token-from-auth-command", conn)
}
```
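As an added illustration, not the project's code, here is a self-contained Go model of the tag-based check the example above implies: identities carry tags, a host policy says which tags may log in as each remote user, and Defaults.Allow is merged into every matching host pattern. The matching rules it uses (glob host patterns via path.Match, a host-level entry overriding the default for the same remote user, deny on any miss) are assumptions inferred from the example config, not epithet's documented behaviour.

```go
package main
import (
	"fmt"
	"path"
)
// Constructed model of the evaluator's tag-based check, not epithet's code.
// Users: OIDC identity -> tags. HostPolicy.Allow: remote user -> allowed tags.
type HostPolicy struct{ Allow map[string][]string }
type Connection struct{ RemoteHost, RemoteUser string }
type Policy struct {
	Users    map[string][]string
	Defaults *HostPolicy
	Hosts    map[string]*HostPolicy
}
// Evaluate allows the connection only if a host pattern matches RemoteHost and
// the identity holds a tag allowed for RemoteUser there. Defaults.Allow is merged
// into each host policy, a host-level entry winning (assumed). Otherwise deny.
func (p Policy) Evaluate(identity string, conn Connection) bool {
	var allowed []string
	for pattern, hp := range p.Hosts {
		if ok, _ := path.Match(pattern, conn.RemoteHost); !ok {
			continue
		}
		if tags, ok := hp.Allow[conn.RemoteUser]; ok {
			allowed = append(allowed, tags...)
		} else if p.Defaults != nil {
			allowed = append(allowed, p.Defaults.Allow[conn.RemoteUser]...)
		}
	}
	for _, have := range p.Users[identity] {
		for _, want := range allowed {
			if have == want {
				return true
			}
		}
	}
	return false
}
// SamplePolicy mirrors the config in the package example above.
func SamplePolicy() Policy {
	return Policy{
		Users:    map[string][]string{"alice@example.com": {"admin"}},
		Defaults: &HostPolicy{Allow: map[string][]string{"alice": {"admin"}}},
		Hosts:    map[string]*HostPolicy{"*.example.com": {}},
	}
}
func main() {
	p, conn := SamplePolicy(), Connection{"server.example.com", "alice"}
	fmt.Println(p.Evaluate("alice@example.com", conn), p.Evaluate("bob@example.com", conn)) // true false
}
```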
func New

```go
func New(ctx context.Context, cfg *policyserver.PolicyRulesConfig, tlsCfg tlsconfig.Config) (*Evaluator, *oidc.Validator, error)
```

New creates a new policy evaluator together with a new OIDC validator. This constructor uses static policy from PolicyRulesConfig for backward compatibility.
func NewForTesting (added in v0.3.3)

```go
func NewForTesting(cfg *policyserver.PolicyRulesConfig) *Evaluator
```
NewForTesting creates an evaluator without OIDC validation for unit testing. The Evaluate method doesn't use the validator (validation happens in the handler), so this is safe for testing policy logic.
func NewForTestingWithProvider (added in v0.8.0)

```go
func NewForTestingWithProvider(provider policyserver.PolicyProvider) *Evaluator
```
NewForTestingWithProvider creates an evaluator with a policy provider for testing.
func NewWithProvider (added in v0.8.0)

```go
func NewWithProvider(ctx context.Context, serverCfg *policyserver.ServerConfig, provider policyserver.PolicyProvider, tlsCfg tlsconfig.Config) (*Evaluator, *oidc.Validator, error)
```

NewWithProvider creates a new policy evaluator that loads policy dynamically from the given PolicyProvider.