XenitAB / git-auth-proxy

Proxy to allow multi-tenant sharing of Git credentials.
MIT License

Replace regex with rego to implement authorization #42

Open phillebaba opened 2 years ago

phillebaba commented 2 years ago

Currently the authorization is implemented with the help of regex. A set of regex rules is constructed for each possible org, project, and repo. They are then run for each request to validate that the token is allowed for the requested path. Relevant code can be found here.

https://github.com/XenitAB/git-auth-proxy/blob/main/pkg/auth/auth.go

Regex is not a great tool for path validation; a better option may instead be to use Rego, as it is a purpose-built tool. All of the regex would be replaced by a single Rego policy, which should be executed for each request.

Here is an example of how the Rego could be written to validate the HTTP requests. https://www.openpolicyagent.org/docs/latest/http-api-authorization/

Here is the documentation for how to execute Rego from Go. https://www.openpolicyagent.org/docs/latest/integration/#integrating-with-the-go-api
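
An added example (not code from the repository or from either commenter) of a single Rego policy of the kind proposed above, with its own unit tests. The package name, the input shape (`input.path`, `input.token.*`) and the `/<organization>/<project>/<repository>/...` path layout are assumptions made for illustration.

```rego
package gitauthproxy.authz

import rego.v1

# Deny by default; only the allow rule below can grant access.
default allow := false

# Request path split into non-empty segments,
# e.g. "/a/b/c/info/refs" -> ["a", "b", "c", "info", "refs"].
segments := [s | some s in split(input.path, "/"); s != ""]

# True when the path contains "." or ".." segments. Such paths are
# rejected outright instead of being normalised inside the policy.
has_dot_segment if {
	some s in segments
	s in {".", ".."}
}

# Allow when the token's scope equals the first three path segments.
# Whole-segment equality means "repo" never matches "repo-other".
allow if {
	not has_dot_segment
	count(segments) >= 3
	segments[0] == input.token.organization
	segments[1] == input.token.project
	segments[2] == input.token.repository
}

# Unit tests over constructed inputs (hypothetical names and paths).
scope := {"organization": "org", "project": "proj", "repository": "repo"}

test_allow_matching_repository if {
	allow with input as {"path": "/org/proj/repo/info/refs", "token": scope}
}

test_deny_repository_with_shared_prefix if {
	not allow with input as {"path": "/org/proj/repo-other/info/refs", "token": scope}
}

test_deny_dot_segments if {
	not allow with input as {"path": "/org/proj/repo/../other/info/refs", "token": scope}
}

test_deny_short_path if {
	not allow with input as {"path": "/org/proj", "token": scope}
}
```

Saved as a `.rego` file, the tests run with `opa test`; the proxy would evaluate `data.gitauthproxy.authz.allow` once per request with the token's scope and the request path as input.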

simongottschlag commented 2 years ago

I was testing this (OPA as a Go library) a while ago together with nginx; you can find that code here: https://github.com/simongottschlag/opa-nginx-authz/tree/main/opa-nginx-external-auth