package authorization
import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"sync"

	sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
	"github.com/open-policy-agent/opa/rego"
)
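// AuthInput is the document the Rego policy receives as `input`.
//
// OPA hands this Go value to the policy through its JSON encoding, so the
// paths the policy dereferences (`input.Session.Email`) are the JSON keys
// below. The tags pin those keys to their current (default) names so that a
// Go-side field rename cannot silently change what the policy sees and turn
// every request into a default deny. The keys inside Session come from
// sessionsapi.SessionState's own encoding — TODO confirm `Email` is still the
// serialized name for the pinned oauth2-proxy version.
type AuthInput struct {
	// Request is the incoming HTTP request. authorize currently always passes
	// nil here — presumably because *http.Request carries func/chan/io fields
	// that encoding/json cannot marshal — so policies must not depend on it.
	Request *http.Request `json:"Request"`

	// Session is the oauth2-proxy session for the caller; it may be nil, in
	// which case the policy sees `null` and input.Session.Email is undefined.
	// NOTE(review): the whole session state is exposed to the policy, which
	// may include provider tokens — keep policies from echoing or logging it.
	Session *sessionsapi.SessionState `json:"Session"`
}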
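// policyModule is the Rego policy that authorize evaluates for every request.
//
// It allows a request only when the session email ends with "@bar.com" (a
// placeholder domain); everything else falls through to the default deny,
// including a missing session, because input.Session.Email is then undefined
// and the rule body does not evaluate. The check is a case-sensitive suffix
// match on the full email — the "@" is part of the suffix, so "x@notbar.com"
// is rejected, and an upper-cased domain from the provider is denied rather
// than allowed. The module uses Rego v0 syntax, which the non-v1 opa import
// path parses; moving to github.com/open-policy-agent/opa/v1 would require
// `if`/`:=` or an explicit v0 rego version — confirm against the pinned opa.
const policyModule = `
package oauth2proxy

# Fail closed: anything the allow rule does not prove is denied.
default allow = false

# NOTE(review): only the email suffix is checked here; whether the provider
# actually verified that email address is outside this policy's knowledge.
allow {
  endswith(input.Session.Email, "@bar.com")
}
`

// policyQueryText binds the policy's decision to the "auth" variable that
// authorize reads back from the result set.
const policyQueryText = "auth = data.oauth2proxy.allow"

// errNilRequest is returned when authorize is called without a request.
var errNilRequest = errors.New("authorize: nil request")

// The prepared query is built lazily and exactly once. The policy is a
// compile-time constant, so parsing and compiling it on every request (as the
// previous version did) only added latency and allocation to the auth hot
// path. A preparation failure is cached and surfaced as an error on every
// call, preserving the fail-closed behavior of a per-request compile.
var (
	policyOnce  sync.Once
	policyQuery rego.PreparedEvalQuery
	policyErr   error
)

// preparedPolicy returns the compiled policy query, preparing it on first use.
// Sharing one instance across requests relies on OPA's documented guarantee
// that a PreparedEvalQuery is safe for concurrent use — confirm for the
// pinned opa version.
func preparedPolicy() (rego.PreparedEvalQuery, error) {
	policyOnce.Do(func() {
		policyQuery, policyErr = rego.New(
			rego.Query(policyQueryText),
			rego.Module("oauth2proxy.rego", policyModule),
		).PrepareForEval(context.Background())
	})
	return policyQuery, policyErr
}

// authorize evaluates the embedded policy against the caller's session and
// reports whether the request is allowed.
//
// The decision is fail-closed: a nil request, a policy preparation or
// evaluation error, an empty result set, or an "auth" binding that is not a
// bool all yield false. Errors are returned wrapped so callers can tell a
// policy failure apart from a plain deny; callers must still treat a non-nil
// error as a deny, never as "undecided". The policy sees an AuthInput whose
// Request is deliberately nil — only the session is exposed to it.
func authorize(req *http.Request, session *sessionsapi.SessionState) (bool, error) {
	if req == nil {
		return false, errNilRequest
	}

	query, err := preparedPolicy()
	if err != nil {
		return false, fmt.Errorf("preparing authorization policy: %w", err)
	}

	// Request is left nil on purpose; the policy only consults input.Session
	// (see AuthInput for why the request is not marshaled).
	input := rego.EvalInput(AuthInput{
		Request: nil,
		Session: session,
	})

	results, err := query.Eval(req.Context(), input)
	if err != nil {
		return false, fmt.Errorf("evaluating authorization policy: %w", err)
	}
	if len(results) == 0 {
		// The default rule always binds "auth", so an empty result set means
		// something unexpected happened — deny rather than guess.
		return false, nil
	}

	// Only a bool binding is trusted as a decision; anything else is a deny.
	allowed, ok := results[0].Bindings["auth"].(bool)
	if !ok {
		return false, nil
	}
	return allowed, nil
}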