Expirement with rego to evaluate email domain
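--- a/pkg/authorization/authorization_suite_test.go
+++ b/pkg/authorization/authorization_suite_test.go
@@ -0,0 +1,17 @@
+package authorization
+
+import (
+"testing"
+
+"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
+. "github.com/onsi/ginkgo"
+. "github.com/onsi/gomega"
+)
+
+func TestAuthorizationSuite(t *testing.T) {
+logger.SetOutput(GinkgoWriter)
+logger.SetErrOutput(GinkgoWriter)
+
+RegisterFailHandler(Fail)
+RunSpecs(t, "Authorization")
+}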
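--- a/pkg/authorization/rego.go
+++ b/pkg/authorization/rego.go
@@ -0,0 +1,52 @@
+package authorization
+
+import (
+"net/http"
+
+sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
+"github.com/open-policy-agent/opa/rego"
+)
+
+type authInput struct {
+request *http.Request
+session *sessionsapi.SessionState
+}
+
+func authorize(req *http.Request, session *sessionsapi.SessionState) (bool, error) {
+r := rego.New(
+rego.Query("auth = data.oauth2proxy.allow"),
+rego.Module("oauth2proxy.rego", `
+package oauth2proxy
+
+default allow = false
+
+allow {
+endswith(input.session.email, "@bar.com")
+}
+`),
+)
+
+query, err := r.PrepareForEval(req.Context())
+if err != nil {
+return false, err
+}
+
+input := rego.EvalInput(authInput{
+request: req,
+session: session,
+})
+
+result, err := query.Eval(req.Context(), input)
+if err != nil {
+return false, err
+}
+if len(result) == 0 {
+return false, nil
+}
+
+if auth, ok := result[0].Bindings["auth"].(bool); ok {
+return auth, nil
+}
+
+return false, nil
+}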
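Review bot: The policy cannot observe `input.session.email` because `authInput`'s fields `request` and `session` are unexported; rego converts struct inputs through JSON-style reflection, so the struct reaches the policy as an empty object and `allow` always falls through to `default allow = false`, which would make the accompanying spec fail for the wrong reason. Exporting the fields with tags, `Session *sessionsapi.SessionState `json:"session"``, fixes the session part, but `*http.Request` carries func and reader fields that do not serialize, so it is safer to pass a reduced view (method, path, the specific headers a policy needs) than the raw request, which would otherwise also expose cookies and Authorization headers wholesale to policy input. Building and preparing the policy with `rego.New(...).PrepareForEval` on every call is costly for a per-request hook and the `@bar.com` domain is hard-coded; prepare the query once and take the allowed domains from configuration. When the `auth` binding is present but not a bool the function returns `false, nil`; that indicates a malformed policy and should surface as an error so misconfiguration is observable rather than a silent deny.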
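--- a/pkg/authorization/rego_test.go
+++ b/pkg/authorization/rego_test.go
@@ -0,0 +1,24 @@
+package authorization
+
+import (
+"net/http"
+
+sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
+. "github.com/onsi/ginkgo"
+. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Authorization Suite", func() {
+It("works", func() {
+req, err := http.NewRequest("GET", "/", nil)
+Expect(err).ToNot(HaveOccurred())
+
+session := &sessionsapi.SessionState{
+Email: "foo@bar.com",
+}
+
+authorized, err := authorize(req, session)
+Expect(err).ToNot(HaveOccurred())
+Expect(authorized).To(BeTrue())
+})
+})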
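Review bot: The spec only exercises the allow path; an authorization check should also pin the deny path so the `default allow = false` fallback is actually tested. Add an `It` with `Email: "foo@baz.com"` expecting `authorized` to be false and `err` to be nil, and another with an empty `Email` so a missing attribute is shown to deny rather than error. As written, a policy broken into always-allow would still pass this suite, and the `It("works", ...)` description should name the behaviour, e.g. `It("allows a user from the permitted email domain", ...)`.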