@@ -33,7 +33,8 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, sub
33
33
34
34
// RegoAuthorizer will use a prepared rego query for performing authorize()
35
35
type RegoAuthorizer struct {
36
- query rego.PreparedEvalQuery
36
+ query rego.PreparedEvalQuery
37
+ partial rego.PreparedPartialQuery
37
38
}
38
39
39
40
// Load the policy from policy.rego in this directory.
@@ -49,10 +50,19 @@ func NewAuthorizer() (*RegoAuthorizer, error) {
49
50
rego .Module ("policy.rego" , policy ),
50
51
).PrepareForEval (ctx )
51
52
53
+ partial , err := rego .New (
54
+ rego .Query ("allowed = data.authz.allow" ),
55
+ rego .Module ("policy.rego" , policy ),
56
+ rego .Unknowns ([]string {
57
+ "input.object.owner" ,
58
+ "input.object.org_owner" ,
59
+ }),
60
+ ).PrepareForPartial (ctx )
61
+
52
62
if err != nil {
53
63
return nil , xerrors .Errorf ("prepare query: %w" , err )
54
64
}
55
- return & RegoAuthorizer {query : query }, nil
65
+ return & RegoAuthorizer {query : query , partial : partial }, nil
56
66
}
57
67
58
68
type authSubject struct {
@@ -107,3 +117,23 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles [
107
117
108
118
return nil
109
119
}
120
+
121
+ // CheckPartial will not authorize the request. This function is to be used for unit testing to verify the rego policy
122
+ // can be converted into ONLY queries. This ensures we can convert the queries into SQL WHERE clauses in the future.
123
+ // If this function returns an error, then there is a set of inputs that also returns support rules, which cannot
124
+ // be converted.
125
+ // This function will not be used to actually perform authorization on partial queries.
126
+ func (a RegoAuthorizer ) CheckPartial (ctx context.Context , subjectID string , roles []Role , action Action , objectType string ) (* rego.PartialQueries , interface {}, error ) {
127
+ input := map [string ]interface {}{
128
+ "subject" : authSubject {
129
+ ID : subjectID ,
130
+ Roles : roles ,
131
+ },
132
+ "object" : map [string ]string {
133
+ "type" : objectType ,
134
+ },
135
+ "action" : action ,
136
+ }
137
+ result , err := a .partial .Partial (ctx , rego .EvalInput (input ))
138
+ return result , input , err
139
+ }
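Review bot: In the NewAuthorizer hunk, the error from `PrepareForEval(ctx)` is lost: the new `partial, err := rego.New(...).PrepareForPartial(ctx)` reuses the existing `err` in the same scope and overwrites it before the only `if err != nil` check runs, so a policy that fails to prepare for evaluation still yields a RegoAuthorizer with a zero-valued `query` and a nil error — the constructor no longer fails closed for the query that actually performs authorization. The assignment `query, err :=` sits just above the hunk's first line, so this is inferred from the context lines rather than visible here; if it does feed the same `err`, add a check immediately after the `PrepareForEval(ctx)` call: `if err != nil { return nil, xerrors.Errorf("prepare query: %w", err) }`, and give the remaining check a distinguishable message such as `xerrors.Errorf("prepare partial query: %w", err)`. Separately, the CheckPartial comment says an error means "there is a set of inputs that also returns support rules"; per the rego API, support rules are returned in `PartialQueries.Support` rather than as an error, so the unit test that drives CheckPartial should also assert `len(result.Support) == 0`, and the comment should say so, e.g. `// Callers must also check that result.Support is empty; Partial does not return an error for support rules.`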