
Expirement with rego to evaluate email domain

This commit is contained in:
Joel Speed
2021-04-02 20:18:25 +01:00
parent 9d20b4e0e2
commit 56a98c3fa9
5 changed files with 135 additions and 6 deletions


@@ -0,0 +1,17 @@
package authorization
import (
"testing"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
func TestAuthorizationSuite(t *testing.T) {
logger.SetOutput(GinkgoWriter)
logger.SetErrOutput(GinkgoWriter)
RegisterFailHandler(Fail)
RunSpecs(t, "Authorization")
}

52
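--- a/pkg/authorization/rego.go
+++ b/pkg/authorization/rego.go
@@ -0,0 +1,52 @@
+package authorization
+import (
+"net/http"
+sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
+"github.com/open-policy-agent/opa/rego"
+)
+type authInput struct {
+request *http.Request
+session *sessionsapi.SessionState
+}
+func authorize(req *http.Request, session *sessionsapi.SessionState) (bool, error) {
+r := rego.New(
+rego.Query("auth = data.oauth2proxy.allow"),
+rego.Module("oauth2proxy.rego", `
+package oauth2proxy
+default allow = false
+allow {
+endswith(input.session.email, "@bar.com")
+}
+`),
+)
+query, err := r.PrepareForEval(req.Context())
+if err != nil {
+return false, err
+}
+input := rego.EvalInput(authInput{
+request: req,
+session: session,
+})
+result, err := query.Eval(req.Context(), input)
+if err != nil {
+return false, err
+}
+if len(result) == 0 {
+return false, nil
+}
+if auth, ok := result[0].Bindings["auth"].(bool); ok {
+return auth, nil
+}
+return false, nil
+}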
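Review bot: The policy's `input.session.email` lookup depends on how rego exposes the Go `authInput` value, and both of its fields (`request`, `session`) are unexported and untagged; if the conversion goes through JSON, as OPA's input handling generally does, those fields are dropped, `input.session.email` is undefined, and `allow` can never be satisfied, so I would not expect the accompanying spec to pass as written. Handing the whole *http.Request to the policy is also more than the rule needs, and once those fields do become visible it would expose cookies and Authorization headers to the policy engine; building the input from plain, explicitly tagged attributes keeps the policy surface small and the field names under the caller's control, and a nil `session` should be rejected before it is read. Separately, `rego.New` followed by `PrepareForEval` recompiles the module on every call; when this leaves the experiment stage, prepare the query once and only evaluate per request, with the policy text coming from configuration rather than a literal. Both the type and `authorize` sit entirely within this hunk.

```go
// authInput is what the policy sees as `input`. Only the attributes a rule
// needs are exposed, with explicit JSON names matching the Rego paths.
type authInput struct {
	Request authRequest `json:"request"`
	Session authSession `json:"session"`
}

type authRequest struct {
	Method string `json:"method"`
	Path   string `json:"path"`
}

type authSession struct {
	Email string `json:"email"`
}

func authorize(req *http.Request, session *sessionsapi.SessionState) (bool, error) {
	// No session means nothing to authorize against; deny without evaluating.
	if session == nil {
		return false, nil
	}
	// … unchanged: rego.New / PrepareForEval …
	input := rego.EvalInput(authInput{
		Request: authRequest{Method: req.Method, Path: req.URL.Path},
		Session: authSession{Email: session.Email},
	})
	// … unchanged: Eval and result handling …
}
```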


@@ -0,0 +1,24 @@
package authorization
import (
"net/http"
sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
var _ = Describe("Authorization Suite", func() {
It("works", func() {
req, err := http.NewRequest("GET", "/", nil)
Expect(err).ToNot(HaveOccurred())
session := &sessionsapi.SessionState{
Email: "foo@bar.com",
}
authorized, err := authorize(req, session)
Expect(err).ToNot(HaveOccurred())
Expect(authorized).To(BeTrue())
})
})
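Review bot: The suite only asserts the allow case, so a policy that admitted every session (for instance `default allow = false` accidentally becoming `true`, or the `endswith` check being dropped) would still pass; a default-deny rule needs at least one spec that expects `false`. Add a case with an email outside the permitted domain (the address below is a constructed example) and one with an empty email, and name the specs after the behaviour rather than `works`, e.g. `It("allows a session whose email ends in @bar.com", …)`. The Describe block is fully contained in this hunk.

```go
It("denies a session whose email is outside the allowed domain", func() {
	req, err := http.NewRequest("GET", "/", nil)
	Expect(err).ToNot(HaveOccurred())
	authorized, err := authorize(req, &sessionsapi.SessionState{Email: "foo@example.com"})
	Expect(err).ToNot(HaveOccurred())
	Expect(authorized).To(BeFalse())
})
```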