Checkpoint

testdata/policy/bogons.rego

@@ -0,0 +1,12 @@
+package styx
+
+default permit := true
+
+reject = 404 if {
+    #some addr in net.lookup_ip_addr(input.http_request.host)
+    styx.in_networks("bogons", input.http_request.host)
+}
+
+errors contains "Bogon destination not allowed" if {
+    reject == 404
+}

testdata/policy/childsafe.rego

@@ -0,0 +1,56 @@
+package styx
+
+import input.client as client
+import input.request as http_request
+
+# HTTP -> HTTPS redirects for allowed domains
+redirect = concat("", ["https://", http_request.host, http_request.path]) if {
+    _social
+    http_request.scheme == "http"
+}
+
+reject = 403 if {
+    _childsafe_network
+    _social
+}
+
+reject = 403 if {
+    _childsafe_network
+    _toxic
+}
+
+# Sensitive domains are always allowed
+permit if {
+    _sensitive
+}
+
+permit if {
+    reject != 0
+}
+
+_sensitive if {
+    styx.in_domains("sensitive", http_request.host)
+}
+
+_social if {
+    styx.in_domains("social", http_request.host)
+    print("Domain in social", http_request.host)
+}
+
+errors contains "Social networking domain not allowed" if {
+    reject != 0
+    _social
+}
+
+_toxic if {
+    styx.in_domains("toxic", http_request.host)
+}
+
+errors contains "Toxic domain not allowed" if {
+    reject != 0
+    _toxic
+}
+
+_childsafe_network if {
+    styx.in_networks("kids", client.ip)
+}

testdata/policy/intercept.rego

@@ -0,0 +1,21 @@
+package styx.intercept
+
+reject := 403 if {
+    _target_blocked
+}
+
+template := "template/intercepted.html" if {
+    _target_blocked
+} 
+
+errors contains "Intercepted" if {
+    _target_blocked
+}
+
+_target_blocked if {
+    styx.in_domains("bad", input.request.host)
+}
+
+_target_blocked if {
+    styx.in_networks("bogons", input.client.ip)
+}