Documentation
Overview
Package authorizer implements two-layer authorization for token exchange requests.
Layer 1 (Central): Validates against organization-wide policies — issuer allowlist, required/forbidden claims, time restrictions.
Layer 2 (Repository): Validates against per-repo trust policies — rule matching, permission resolution, TTL enforcement.
Constants
This section is empty.
Variables
var (
	// ErrPolicyFileNotFound is returned when the trust policy file
	// does not exist at the expected path.
	ErrPolicyFileNotFound = errors.New("trust policy file not found")
	// ErrRepositoryNotAccessible is returned when the repository is not
	// found or not accessible to the app.
	ErrRepositoryNotAccessible = errors.New("repository not found or not accessible")
)
Functions
This section is empty.
Types
type Authorizer
type Authorizer struct {
	// contains filtered or unexported fields
}
Authorizer performs two-layer authorization for token exchange requests.
func NewAuthorizer
func NewAuthorizer(
	cfg *config.PolicyConfig,
	sel *selector.Selector,
	clients map[string]github.ClientIface,
) (*Authorizer, error)
NewAuthorizer creates an authorizer. Claim patterns from provider configs are compiled once; an error is returned if any pattern is invalid.
type Condition
type Condition struct {
	Field   string `yaml:"field"`
	Pattern string `yaml:"pattern"`
	// contains filtered or unexported fields
}
Condition checks an OIDC token claim against a regex pattern.
type DenialError
DenialError represents an authorization failure with a structured code.
func (*DenialError) Error
func (e *DenialError) Error() string
Error returns the formatted error message including the error code and details.
type ErrorCode
type ErrorCode string
ErrorCode represents specific authorization failure reasons.
const (
	ErrIssuerNotAllowed             ErrorCode = "ISSUER_NOT_ALLOWED"
	ErrRequiredClaimMismatch        ErrorCode = "REQUIRED_CLAIM_MISMATCH"
	ErrForbiddenClaimMatched        ErrorCode = "FORBIDDEN_CLAIM_MATCHED"
	ErrTimeRestriction              ErrorCode = "TIME_RESTRICTION"
	ErrPolicyLoadFailed             ErrorCode = "POLICY_LOAD_FAILED"
	ErrTrustPolicyNotFound          ErrorCode = "TRUST_POLICY_NOT_FOUND"
	ErrRepositoryNotFound           ErrorCode = "REPOSITORY_NOT_FOUND"
	ErrPolicyNotFound               ErrorCode = "POLICY_NOT_FOUND"
	ErrNoRulesMatched               ErrorCode = "NO_RULES_MATCHED"
	ErrPermissionNotInPolicy        ErrorCode = "PERMISSION_NOT_IN_POLICY"
	ErrPermissionExceedsPolicy      ErrorCode = "PERMISSION_EXCEEDS_POLICY"
	ErrPermissionExceedsMax         ErrorCode = "PERMISSION_EXCEEDS_ORG_MAX"
	ErrPermissionDenied             ErrorCode = "PERMISSION_DENIED"
	ErrPermissionNotInMaxPermission ErrorCode = "PERMISSION_NOT_IN_MAX_PERMISSIONS"
	ErrNonRepoPermission            ErrorCode = "NON_REPOSITORY_PERMISSION"
	ErrPolicyNameRequired           ErrorCode = "POLICY_NAME_REQUIRED"
)
Authorization denial codes returned in Result.DenyReason.
type PolicyFile
type PolicyFile struct {
	Version       string        `yaml:"version"`
	TrustPolicies []TrustPolicy `yaml:"trust_policies"`
}
PolicyFile represents the trust policy YAML stored in a repository.
func (*PolicyFile) Validate
func (f *PolicyFile) Validate() error
Validate checks the policy file structure and version, and ensures that every trust policy it contains is valid.
type PolicyRule
type PolicyRule struct {
	Name       string      `yaml:"name"`
	Logic      string      `yaml:"logic"`
	Conditions []Condition `yaml:"conditions"`
}
PolicyRule defines conditions that must be met for a policy to match. Logic is "AND" (all conditions must match) or "OR" (at least one). Defaults to "AND".
func (*PolicyRule) Validate
func (r *PolicyRule) Validate() error
Validate validates the policy rule structure, ensuring it has a name, valid logic, and conditions.
type Request
type Request struct {
	Claims               map[string]any
	Issuer               string
	TargetRepository     string
	PolicyName           string
	RequestedPermissions map[string]string
	RequestedTTL         int
}
Request represents a token exchange request submitted for authorization.
type Result
type Result struct {
	Allowed              bool
	MatchedPolicy        string
	EffectivePermissions map[string]string
	EffectiveTTL         int
	DenyReason           *DenialError
}
Result represents the authorization decision.
type TrustPolicy
type TrustPolicy struct {
	Name        string            `yaml:"name"`
	Description string            `yaml:"description"`
	Issuer      string            `yaml:"issuer"`
	Rules       []PolicyRule      `yaml:"rules"`
	Permissions map[string]string `yaml:"permissions"`
	TokenTTL    int               `yaml:"token_ttl,omitempty"`
}
TrustPolicy defines authorization rules for token exchange requests.
func (*TrustPolicy) Validate
func (p *TrustPolicy) Validate() error
Validate validates the trust policy structure, ensuring required fields are present and rules are valid.
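The following Go program is an added example of the repository-layer logic described for PolicyRule (AND/OR matching of regex conditions against token claims) and TrustPolicy (permission resolution and TTL enforcement). It is not the authorizer package's own code: it mirrors the documented Condition, PolicyRule and TrustPolicy types without YAML tags, returns the ErrorCode string directly instead of a Result with a DenialError, and does not reproduce the Validate methods. Several choices are assumptions of this example rather than documented behaviour: patterns are anchored so a claim must match the whole pattern; a policy is selected when any one of its rules matches; permission levels are ordered read < write < admin; an absent or non-string claim never satisfies a condition. The sample policy and claims are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

type (
	Condition struct { // mirrors the documented Condition; re is its unexported compiled pattern
		Field, Pattern string
		re             *regexp.Regexp
	}
	PolicyRule struct {
		Name, Logic string // "AND" (the default, also for "") or "OR"
		Conditions  []Condition
	}
	TrustPolicy struct {
		Name, Issuer string
		Rules        []PolicyRule
		Permissions  map[string]string
		TokenTTL     int
	}
)

// levelRank orders permission levels (an assumed ordering); unknown levels rank 0 and are denied.
var levelRank = map[string]int{"read": 1, "write": 2, "admin": 3}

// Compile compiles every pattern once, as NewAuthorizer does; anchoring is an assumption here.
func Compile(p *TrustPolicy) error {
	for _, r := range p.Rules {
		for ci, c := range r.Conditions {
			re, err := regexp.Compile("^(?:" + c.Pattern + ")$") // so "octo-org/.*" cannot match "evil/octo-org/x"
			if err != nil {
				return fmt.Errorf("rule %q, field %q: %w", r.Name, c.Field, err)
			}
			r.Conditions[ci].re = re // r is a copy, but its slice shares the backing array
		}
	}
	return nil
}

// Matches applies the rule's logic; a missing or non-string claim never matches,
// so under AND an absent claim fails closed.
func (r *PolicyRule) Matches(claims map[string]any) bool {
	for _, c := range r.Conditions {
		v, ok := claims[c.Field].(string)
		if m := ok && c.re.MatchString(v); m == (r.Logic == "OR") {
			return m // OR: first match wins; AND: first miss loses
		}
	}
	return r.Logic != "OR"
}

// Evaluate is the repository layer: any matching rule selects the policy (an assumption), each requested
// permission must be named in it at no higher level than granted, and the TTL is capped at token_ttl when set.
func Evaluate(p *TrustPolicy, issuer string, claims map[string]any, req map[string]string, reqTTL int) (map[string]string, int, string) {
	if issuer != p.Issuer {
		return nil, 0, "ISSUER_NOT_ALLOWED"
	}
	matched := false
	for i := range p.Rules {
		matched = matched || p.Rules[i].Matches(claims)
	}
	if !matched {
		return nil, 0, "NO_RULES_MATCHED"
	}
	eff := make(map[string]string, len(req))
	for perm, level := range req {
		granted, ok := p.Permissions[perm]
		if !ok {
			return nil, 0, "PERMISSION_NOT_IN_POLICY"
		}
		if want := levelRank[level]; want == 0 || want > levelRank[granted] {
			return nil, 0, "PERMISSION_EXCEEDS_POLICY"
		}
		eff[perm] = level
	}
	if p.TokenTTL > 0 && (reqTTL <= 0 || reqTTL > p.TokenTTL) {
		reqTTL = p.TokenTTL
	}
	return eff, reqTTL, "" // empty code means allowed
}

func main() {
	p := &TrustPolicy{ // constructed sample: a deploy workflow on main of octo-org/app
		Name:   "deploy-from-main",
		Issuer: "https://token.actions.githubusercontent.com",
		Rules: []PolicyRule{{Name: "main-of-app", Conditions: []Condition{
			{Field: "repository", Pattern: `octo-org/app`},
			{Field: "ref", Pattern: `refs/heads/main`},
		}}},
		Permissions: map[string]string{"contents": "read", "pull_requests": "write"},
		TokenTTL:    900,
	}
	if err := Compile(p); err != nil {
		panic(err)
	}
	fmt.Println(Evaluate(p, p.Issuer, map[string]any{"repository": "octo-org/app", "ref": "refs/heads/main"}, map[string]string{"contents": "read"}, 3600))
}
```

Run with `go run .`: the request for `contents: read` on `refs/heads/main` is allowed with the TTL capped from 3600 to the policy's 900 seconds. Asking for `contents: write` is refused with PERMISSION_EXCEEDS_POLICY, a permission the policy never names with PERMISSION_NOT_IN_POLICY, and a token for `refs/heads/feature` or for a repository such as `evil/octo-org/app` with NO_RULES_MATCHED, the latter only because the patterns are anchored.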