bouncer/internal/proxy/director/layer/authn/rules.go

61 lines
1.2 KiB
Go
Raw Normal View History

package authn
import (
"context"
"net/http"
2024-06-26 13:52:49 +02:00
"forge.cadoles.com/cadoles/bouncer/internal/rule"
ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
"github.com/expr-lang/expr"
"github.com/pkg/errors"
)
type Vars struct {
2024-06-26 13:52:49 +02:00
User *User `expr:"user"`
}
func (l *Layer) applyRules(ctx context.Context, r *http.Request, options *LayerOptions, user *User) error {
2024-05-21 12:10:52 +02:00
rules := options.Rules
if len(rules) == 0 {
return nil
}
engine, err := rule.NewEngine[*Vars](
2024-06-26 13:52:49 +02:00
rule.WithRules(options.Rules...),
rule.WithExpr(getAuthnAPI()...),
ruleHTTP.WithRequestFuncs(),
2024-06-26 13:52:49 +02:00
)
if err != nil {
return errors.WithStack(err)
}
vars := &Vars{
2024-06-26 13:52:49 +02:00
User: user,
}
ctx = ruleHTTP.WithRequest(ctx, r)
if _, err := engine.Apply(ctx, vars); err != nil {
2024-06-26 13:52:49 +02:00
return errors.WithStack(err)
}
return nil
}
2024-05-21 12:10:52 +02:00
2024-06-26 13:52:49 +02:00
func getAuthnAPI() []expr.Option {
options := make([]expr.Option, 0)
// forbidden() allows the layer to hijack the current request and return a 403 Forbidden HTTP status
2024-05-21 12:10:52 +02:00
forbidden := expr.Function(
"forbidden",
func(params ...any) (any, error) {
2024-06-26 13:52:49 +02:00
return true, errors.WithStack(ErrForbidden)
2024-05-21 12:10:52 +02:00
},
new(func() bool),
)
2024-06-26 13:52:49 +02:00
options = append(options, forbidden)
2024-05-21 12:10:52 +02:00
2024-06-26 13:52:49 +02:00
return options
}