package conduit
import rego.v1
# First-factor step: a certificate is acceptable when nothing has been offered yet.
# Deny unless a rule below matches.
# NOTE(review): if input.principals is absent entirely, count() is undefined and
# this rule does not fire, so the default applies — confirm that is the intent.
default permit_certificate := false

permit_certificate if count(input.principals) == 0
# Second-factor step: a token has already been offered, so a certificate may
# complete the certificate + token pair required by `permit`.
permit_certificate if _token_is_valid
# First-factor step: a password is acceptable when nothing has been offered yet.
# Deny unless a rule below matches.
# NOTE(review): if input.principals is absent entirely, count() is undefined and
# this rule does not fire, so the default applies — confirm that is the intent.
default permit_password := false

permit_password if count(input.principals) == 0
# Second-factor step: a token has already been offered, so a password may
# complete the password + token pair required by `permit`.
permit_password if _token_is_valid
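# Second-factor step: a token is acceptable once a principal typed "certificate"
# has been offered.
# A default is declared so that querying permit_token yields `false` instead of
# undefined when no rule matches, matching permit_certificate / permit_password;
# some callers treat an undefined result as "no decision" rather than "deny".
default permit_token := false

permit_token if _certificate_is_valid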
# Second-factor step: a token is acceptable once a principal typed "password"
# has been offered (this body concerns permit_token, not permit_password).
permit_token if _password_is_valid
# Final decision: deny unless one of the two-factor pairs below is present.
default permit := false

# Pair 1: certificate + token. A token is required in every accepted pair;
# certificate + password on its own is not a permitted combination.
permit if {
    _token_is_valid
    _certificate_is_valid
}
# Pair 2: password + token. As with pair 1, the token is mandatory.
permit if {
    _token_is_valid
    _password_is_valid
}
# True when at least one offered principal is typed "certificate".
# NOTE(review): only the declared `type` field is inspected here; nothing in this
# policy verifies the certificate itself. It assumes the caller lists only
# principals it has already authenticated — confirm against the caller.
_certificate_is_valid if input.principals[_].type == "certificate"
# True when at least one offered principal is typed "password".
# NOTE(review): only the declared `type` field is inspected; the password itself
# is not checked here. Assumes the caller lists only principals it has already
# authenticated — confirm against the caller.
_password_is_valid if {
    some offered in input.principals
    offered.type == "password"
}
# True when at least one offered principal is typed "token".
# NOTE(review): only the declared `type` field is inspected; the token itself is
# not checked here. Assumes the caller lists only principals it has already
# authenticated — confirm against the caller.
_token_is_valid if {
    some offered in input.principals
    offered.type == "token"
}