Initial import

This commit is contained in:
2025-10-10 10:05:13 +02:00
parent 3effc1597b
commit b96b6e7f8f
164 changed files with 5473 additions and 0 deletions

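--- /dev/null
+++ b/testdata/policy/auth.rego
@@ -0,0 +1,62 @@
+package conduit
+import rego.v1
+default permit_certificate := false
+# Accept user certificate if no principals have been offered.
+permit_certificate if {
+count(input.principals) == 0
+}
+permit_certificate if {
+_token_is_valid
+}
+default permit_password := false
+# Accept user password if no principals have been offered.
+permit_password if {
+count(input.principals) == 0
+}
+permit_password if {
+_token_is_valid
+}
+# Accept user token as second factor if a valid certificate was offered.
+permit_token if {
+_certificate_is_valid
+}
+# Accept user password as second factor if a valid certificate was offered.
+permit_token if {
+_password_is_valid
+}
+default permit := false
+# Accept certificate + token
+permit if {
+_certificate_is_valid
+_token_is_valid
+}
+# Accept token + password
+permit if {
+_password_is_valid
+_token_is_valid
+}
+_certificate_is_valid if {
+some principal in input.principals
+principal.type == "certificate"
+}
+_password_is_valid if {
+input.principals[_].type == "password"
+}
+_token_is_valid if {
+input.principals[_].type == "token"
+}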
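Review bot: `permit_token` is the only decision in this file without a `default` — `permit_certificate`, `permit_password` and `permit` each declare `default … := false`, so when neither `permit_token` body matches the result is undefined rather than false, and a caller that distinguishes undefined from false gets a different answer for this one decision. Add `default permit_token := false` next to the other defaults. The comment above the second `permit_token` rule ("Accept user password as second factor if a valid certificate was offered") does not match its body, which tests `_password_is_valid`; given that `permit` pairs password with token, the rule looks right and the comment should read `# Accept user token as second factor if a valid password was offered.`. Note also that `_password_is_valid` and `_token_is_valid` only check a principal's `type`; whether those principals were already verified by the caller before being placed in `input.principals` is not visible here and should be stated in a file comment.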

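--- /dev/null
+++ b/testdata/policy/conduit/auth/mfa.rego
@@ -0,0 +1,76 @@
+package conduit.auth.mfa
+import rego.v1
+default permit_certificate := false
+default permit_publickey := false
+default permit_password := false
+default permit_token := false
+default permit := false
+certificate_valid_for_user(name) if {
+some principal in input.principals
+principal.type == "certificate"
+principal.identity == name
+}
+certificate_valid_for_user(name) if {
+some principal in input.principals
+principal.type == "certificate"
+name in principal.attr.principals
+}
+# Accept user certificate if no principals have been offered.
+permit_certificate if {
+count(input.principals) == 0
+}
+permit_certificate if {
+_token_is_valid
+not _certificate_is_valid
+}
+# Accept user token if no principals have been offered.
+permit_token if {
+count(input.principals) == 0
+}
+# Accept user password as second factor if a valid certificate was offered.
+permit_token if {
+_certificate_is_valid
+not _token_is_valid
+}
+# Accept if user passed multiple factors: certificate and token.
+permit if {
+_certificate_is_valid
+_token_is_valid
+}
+# Certificate is valid if we have a valid certificate principal and the key-id matches the target user.
+_certificate_is_valid if {
+certificate_valid_for_user(input.conn.user)
+}
+# Password is valid if we have a valid password principal
+_password_is_valid if {
+some principal in input.principals
+principal.type == "password"
+}
+# Token is valid if we have a valid token principal
+_token_is_valid if {
+some principal in input.principals
+principal.type == "token"
+}
+# Skip token validation if we have a valid certificate with the "permit-skip-mfa" extension.
+_token_is_valid if {
+certificate_valid_for_user(input.conn.user)
+some principal in input.principals
+principal.attr.extensions["permit-skip-mfa"] == ""
+}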
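Review bot: The skip-MFA rule at the end of the file binds `some principal in input.principals` independently of the certificate that `certificate_valid_for_user(input.conn.user)` matched, so the `permit-skip-mfa` extension is accepted from any principal in the list rather than from a certificate issued for the target user. Whether a non-certificate principal can ever carry `attr.extensions` depends on how the caller assembles `input.principals`, which is outside this file, but an MFA bypass should not rest on that assumption. Tie the extension check to the same certificate principal that satisfies the identity match by inlining the identity conditions into the rule, as below, and say so in the comment. Separately, the comment above the second `permit_token` rule says "Accept user password as second factor" while the body checks `_certificate_is_valid`; it should read `# Accept user token as second factor if a valid certificate was offered.`.
```rego
# Skip token validation only when the certificate that matches the target user itself carries the "permit-skip-mfa" extension.
_token_is_valid if {
	some principal in input.principals
	principal.type == "certificate"
	_certificate_matches_user(principal, input.conn.user)
	principal.attr.extensions["permit-skip-mfa"] == ""
}

_certificate_matches_user(principal, name) if principal.identity == name

_certificate_matches_user(principal, name) if name in principal.attr.principals
```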


@@ -0,0 +1,11 @@
package conduit.auth.user_certificate
default permit := false
permit if {
input.principal.identity == input.conn.user
}
permit if {
input.conn.user in input.principal.attr.principals
}


@@ -0,0 +1,11 @@
package conduit.session.env
default permit := false
permit if {
input.key == "LANG"
}
permit if {
startswith(input.key, "LC_")
}