55 lines
1.2 KiB
Go
55 lines
1.2 KiB
Go
package authn
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
|
|
ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
|
|
"forge.cadoles.com/cadoles/bouncer/internal/store"
|
|
"github.com/expr-lang/expr"
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
type Vars struct {
|
|
User *User `expr:"user"`
|
|
}
|
|
|
|
func (l *Layer) applyRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) error {
|
|
key := string(layer.Proxy) + "-" + string(layer.Name)
|
|
revisionedEngine := l.ruleEngineCache.Get(key)
|
|
|
|
engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
|
|
if err != nil {
|
|
return errors.WithStack(err)
|
|
}
|
|
|
|
vars := &Vars{
|
|
User: user,
|
|
}
|
|
|
|
ctx = ruleHTTP.WithRequest(ctx, r)
|
|
|
|
if _, err := engine.Apply(ctx, vars); err != nil {
|
|
return errors.WithStack(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func getAuthnAPI() []expr.Option {
|
|
options := make([]expr.Option, 0)
|
|
|
|
// forbidden() allows the layer to hijack the current request and return a 403 Forbidden HTTP status
|
|
forbidden := expr.Function(
|
|
"forbidden",
|
|
func(params ...any) (any, error) {
|
|
return true, errors.WithStack(ErrForbidden)
|
|
},
|
|
new(func() bool),
|
|
)
|
|
|
|
options = append(options, forbidden)
|
|
|
|
return options
|
|
}
|