package authorizer

v1.0.4 Latest
Published: May 26, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package authorizer implements two-layer authorization for token exchange requests.

Layer 1 (Central): Validates against organization-wide policies — issuer allowlist, required/forbidden claims, time restrictions.

Layer 2 (Repository): Validates against per-repo trust policies — rule matching, permission resolution, TTL enforcement.

Index

Constants

This section is empty.

Variables

var (
	// ErrPolicyFileNotFound is returned when the trust policy file
	// does not exist at the expected path.
	ErrPolicyFileNotFound = errors.New("trust policy file not found")
	// ErrRepositoryNotAccessible is returned when the repository is not
	// found or not accessible to the app.
	ErrRepositoryNotAccessible = errors.New("repository not found or not accessible")
)

Functions

This section is empty.

Types

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer performs two-layer authorization for token exchange requests.

func NewAuthorizer

func NewAuthorizer(
	cfg *config.PolicyConfig,
	sel *selector.Selector,
	clients map[string]github.ClientIface,
) (*Authorizer, error)

NewAuthorizer creates an authorizer. Claim patterns from provider configs are compiled once; an error is returned if any pattern is invalid.

func (*Authorizer) Authorize

func (a *Authorizer) Authorize(ctx context.Context, req *Request) *Result

Authorize performs two-layer authorization. Denials are returned in Result.DenyReason, never as Go errors.

type Condition

type Condition struct {
	Field   string `yaml:"field"`
	Pattern string `yaml:"pattern"`
	// contains filtered or unexported fields
}

Condition checks an OIDC token claim against a regex pattern.

func (*Condition) Matches

func (c *Condition) Matches(value string) bool

Matches tests if the given value matches the condition's compiled pattern.

func (*Condition) Validate

func (c *Condition) Validate() error

Validate validates the condition structure and compiles its regex pattern.

type DenialError

type DenialError struct {
	Code    ErrorCode
	Message string
	Details string
}

DenialError represents an authorization failure with a structured code.

func (*DenialError) Error

func (e *DenialError) Error() string

Error returns the formatted error message including the error code and details.

type ErrorCode

type ErrorCode string

ErrorCode represents specific authorization failure reasons.

const (
	ErrIssuerNotAllowed             ErrorCode = "ISSUER_NOT_ALLOWED"
	ErrRequiredClaimMismatch        ErrorCode = "REQUIRED_CLAIM_MISMATCH"
	ErrForbiddenClaimMatched        ErrorCode = "FORBIDDEN_CLAIM_MATCHED"
	ErrTimeRestriction              ErrorCode = "TIME_RESTRICTION"
	ErrPolicyLoadFailed             ErrorCode = "POLICY_LOAD_FAILED"
	ErrTrustPolicyNotFound          ErrorCode = "TRUST_POLICY_NOT_FOUND"
	ErrRepositoryNotFound           ErrorCode = "REPOSITORY_NOT_FOUND"
	ErrPolicyNotFound               ErrorCode = "POLICY_NOT_FOUND"
	ErrNoRulesMatched               ErrorCode = "NO_RULES_MATCHED"
	ErrPermissionNotInPolicy        ErrorCode = "PERMISSION_NOT_IN_POLICY"
	ErrPermissionExceedsPolicy      ErrorCode = "PERMISSION_EXCEEDS_POLICY"
	ErrPermissionExceedsMax         ErrorCode = "PERMISSION_EXCEEDS_ORG_MAX"
	ErrPermissionDenied             ErrorCode = "PERMISSION_DENIED"
	ErrPermissionNotInMaxPermission ErrorCode = "PERMISSION_NOT_IN_MAX_PERMISSIONS"
	ErrNonRepoPermission            ErrorCode = "NON_REPOSITORY_PERMISSION"
	ErrPolicyNameRequired           ErrorCode = "POLICY_NAME_REQUIRED"
)

Authorization denial codes returned in Result.DenyReason.

type PolicyFile

type PolicyFile struct {
	Version       string        `yaml:"version"`
	TrustPolicies []TrustPolicy `yaml:"trust_policies"`
}

PolicyFile represents the trust policy YAML stored in a repository.

func (*PolicyFile) Validate

func (f *PolicyFile) Validate() error

Validate validates the policy file structure, version, and ensures all trust policies are valid.
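The file shape implied by the `yaml` struct tags on this page, as an added example rather than a file from the package's repository. The `version` value, the path the package reads the file from, the issuer URL and the permission level names are assumptions. The first policy is the weak setting, a `ref` condition whose pattern accepts any value; the second is the corrected one with both patterns anchored. The page does not say whether `Condition` treats an unanchored pattern as a full match, so anchoring explicitly is the safe choice either way.

```yaml
version: "1"            # assumed value; PolicyFile.Validate checks the version
trust_policies:
  # Weak: '.*' on ref matches any value, so every workflow run in the
  # repository, including pull-request merge refs, can exchange for contents:write.
  - name: ci-any-ref
    description: too broad
    issuer: https://token.actions.githubusercontent.com
    rules:
      - name: any-ref
        conditions:
          - field: repository
            pattern: '^example-org/app$'
          - field: ref
            pattern: '.*'
    permissions:
      contents: write
    token_ttl: 600

  # Corrected: the same grant limited to the default branch, with both
  # patterns anchored so "refs/heads/main-evil" cannot satisfy the ref condition.
  - name: deploy-from-main
    description: main-branch workflows may push contents and read issues
    issuer: https://token.actions.githubusercontent.com
    rules:
      - name: main-branch-push
        logic: AND
        conditions:
          - field: repository
            pattern: '^example-org/app$'
          - field: ref
            pattern: '^refs/heads/main$'
    permissions:
      contents: write
      issues: read
    token_ttl: 600
```

Since `Condition.Pattern` is a regular expression, a literal `.` in a repository name also matches any character; that is harmless for `example-org/app` but worth escaping for names like `example.org/app`.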

type PolicyRule

type PolicyRule struct {
	Name       string      `yaml:"name"`
	Logic      string      `yaml:"logic"`
	Conditions []Condition `yaml:"conditions"`
}

PolicyRule defines conditions that must be met for a policy to match. Logic is "AND" (all conditions must match) or "OR" (at least one). Defaults to "AND".

func (*PolicyRule) Validate

func (r *PolicyRule) Validate() error

Validate validates the policy rule structure, ensuring it has a name, valid logic, and conditions.

type Request

type Request struct {
	Claims               map[string]any
	Issuer               string
	TargetRepository     string
	PolicyName           string
	RequestedPermissions map[string]string
	RequestedTTL         int
}

Request represents a token exchange request submitted for authorization.

type Result

type Result struct {
	Allowed              bool
	MatchedPolicy        string
	EffectivePermissions map[string]string
	EffectiveTTL         int
	DenyReason           *DenialError
}

Result represents the authorization decision.

type TrustPolicy

type TrustPolicy struct {
	Name        string            `yaml:"name"`
	Description string            `yaml:"description"`
	Issuer      string            `yaml:"issuer"`
	Rules       []PolicyRule      `yaml:"rules"`
	Permissions map[string]string `yaml:"permissions"`
	TokenTTL    int               `yaml:"token_ttl,omitempty"`
}

TrustPolicy defines authorization rules for token exchange requests.

func (*TrustPolicy) Validate

func (p *TrustPolicy) Validate() error

Validate validates the trust policy structure, ensuring required fields are present and rules are valid.
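The two-layer flow from the Overview and the types above, as an added example in Go that is not the package's code: a stand-alone re-implementation of layer 1 (issuer allowlist) and layer 2 (policy lookup by name, AND/OR rule matching, permission subset check, TTL clamp), with denials reported as codes in DenyReason rather than Go errors, as the package documents. Everything not stated on this page is an assumption made here: the permission ordering read < write < admin, clamping an over-long TTL instead of denying it (the page lists no TTL denial code), treating a policy whose issuer differs from the request's as not found, and anchoring every pattern as `^(?:...)$` (the page does not say whether the package anchors). The policy, claims and issuer URL are constructed sample data.

```go
package main

import (
	"regexp"
	"strings"
)

// Stand-alone re-implementation for this example; the package's own evaluation logic is unexported.
type Condition struct {
	Field string
	re    *regexp.Regexp // compiled once at load time, never per request
}
type PolicyRule struct {
	Logic      string // "AND" (default) or "OR"
	Conditions []Condition
}
type TrustPolicy struct {
	Name, Issuer string
	Rules        []PolicyRule
	Permissions  map[string]string // permission -> highest level the policy allows
	TokenTTL     int               // seconds; 0 means the policy sets no cap
}
type Request struct {
	Claims               map[string]any
	Issuer, PolicyName   string
	RequestedPermissions map[string]string
	RequestedTTL         int
}
type Result struct {
	Allowed              bool
	EffectivePermissions map[string]string
	EffectiveTTL         int
	DenyReason           string // denial code; a denial is never a Go error
}

var level = map[string]int{"read": 1, "write": 2, "admin": 3} // assumed ordering; the page defines none

// cond anchors the pattern as ^(?:...)$ because the page does not say whether the
// package does; unanchored, "refs/heads/main" would also match "refs/heads/main-evil".
func cond(field, pattern string) Condition {
	return Condition{Field: field, re: regexp.MustCompile("^(?:" + pattern + ")$")}
}

// matches applies AND/OR logic; a missing or non-string claim never matches, nor does an empty rule.
func (r PolicyRule) matches(claims map[string]any) bool {
	n := 0
	for _, c := range r.Conditions {
		if v, _ := claims[c.Field].(string); c.re != nil && c.re.MatchString(v) {
			n++
		}
	}
	if strings.EqualFold(r.Logic, "OR") {
		return n > 0
	}
	return n > 0 && n == len(r.Conditions)
}

// Authorize runs layer 1 (issuer allowlist) then layer 2; denials are reported in DenyReason.
func Authorize(allowedIssuers map[string]bool, policies []TrustPolicy, req Request) Result {
	if !allowedIssuers[req.Issuer] {
		return Result{DenyReason: "ISSUER_NOT_ALLOWED"}
	}
	var pol *TrustPolicy
	for i := range policies {
		if policies[i].Name == req.PolicyName && policies[i].Issuer == req.Issuer {
			pol = &policies[i]
		}
	}
	if pol == nil {
		return Result{DenyReason: "POLICY_NOT_FOUND"}
	}
	matched := false
	for _, rule := range pol.Rules {
		matched = matched || rule.matches(req.Claims)
	}
	if !matched {
		return Result{DenyReason: "NO_RULES_MATCHED"}
	}
	eff := map[string]string{}
	for perm, want := range req.RequestedPermissions {
		have, ok := pol.Permissions[perm]
		if !ok {
			return Result{DenyReason: "PERMISSION_NOT_IN_POLICY"}
		}
		if w, known := level[want]; !known || w > level[have] { // unknown levels fail closed
			return Result{DenyReason: "PERMISSION_EXCEEDS_POLICY"}
		}
		eff[perm] = want // grant what was asked, never the policy's whole ceiling
	}
	ttl := req.RequestedTTL
	if pol.TokenTTL > 0 && (ttl <= 0 || ttl > pol.TokenTTL) {
		ttl = pol.TokenTTL // the page lists no TTL denial code, so clamp rather than deny
	}
	return Result{Allowed: true, EffectivePermissions: eff, EffectiveTTL: ttl}
}

// samplePolicies is a constructed fixture for this example, not a policy from the page.
func samplePolicies() []TrustPolicy {
	return []TrustPolicy{{
		Name:   "deploy-from-main",
		Issuer: "https://token.actions.githubusercontent.com",
		Rules: []PolicyRule{{Conditions: []Condition{
			cond("repository", "example-org/app"),
			cond("ref", "refs/heads/main"),
		}}},
		Permissions: map[string]string{"contents": "write", "issues": "read"},
		TokenTTL:    600,
	}}
}
```

Two details matter in practice. An unknown permission level on either side fails closed: a request for `contents: superuser` is denied rather than compared as level zero and waved through. And the effective grant is what was requested, not the policy ceiling, so a run that asks for `contents: read` against this policy gets only `read` even though the policy would allow `write`.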
