package styx
import input.client as client
import input.request as http_request
# Upgrade plain-HTTP requests to HTTPS. As written, the rule fires only for
# hosts on the "social" domain list (via _social), not for every allowed host.
# NOTE(review): host and path are copied from the request as-is and nothing
# else is appended, so a query string is lost unless http_request.path already
# carries it; confirm the proxy validates the host before policy evaluation.
# NOTE(review): on a "kids" network a social host also yields reject = 403, so
# redirect and reject can both be defined; which one the caller honours is not
# visible in this file.
redirect = target if {
    _social
    http_request.scheme == "http"
    target := concat("", ["https://", http_request.host, http_request.path])
}
# Answer 403 when a client on the child-safe network requests a host that is
# on the "social" domain list. Both conditions must hold.
reject = 403 if {
    _childsafe_network
    _social
}
# Answer 403 when a client on the child-safe network requests a host that is
# on the "toxic" domain list. The value matches the social-host reject rule,
# so the two definitions of reject never conflict.
reject = 403 if {
    _childsafe_network
    _toxic
}
# Hosts on the "sensitive" domain list are permitted unconditionally.
# NOTE(review): nothing here excludes a host that is also on the "social" or
# "toxic" list, so permit and reject can both be defined for one request from
# a "kids" network; confirm which of the two the caller gives precedence.
permit if _sensitive
# Also defines permit whenever reject is defined with a non-zero value.
# NOTE(review): reject is only ever 403 in this file, so permit becomes true
# for exactly the requests that are being rejected. Presumably the caller
# reads permit as "the policy produced a decision" - confirm; if permit means
# "allow", this condition would undo the kids-network block.
permit if reject != 0
# True when the request host is on the "sensitive" domain list.
# styx.in_domains is not defined in this file; presumably a function supplied
# by the host application - its matching rules (exact host vs. subdomain,
# case, port suffix) should be checked there.
_sensitive if styx.in_domains("sensitive", http_request.host)
# True when the request host is on the "social" domain list.
# The print call is debug output and runs only after the list lookup matched.
# NOTE(review): it writes the client-supplied host value to the log; confirm
# the log sink escapes it, or drop the call outside of debugging.
_social if {
    styx.in_domains("social", http_request.host)
    print("Domain in social", http_request.host)
}
# Adds the social-networking message to the errors set when a rejection has
# been issued (reject is defined and non-zero) and the host is on the
# "social" list.
errors contains "Social networking domain not allowed" if {
    reject != 0
    _social
}
# True when the request host is on the "toxic" domain list.
_toxic if styx.in_domains("toxic", http_request.host)
# Adds the toxic-domain message to the errors set when a rejection has been
# issued (reject is defined and non-zero) and the host is on the "toxic" list.
errors contains "Toxic domain not allowed" if {
    reject != 0
    _toxic
}
# True when the client address falls inside the "kids" network set.
# NOTE(review): client.ip is taken from input; presumably the proxy fills it
# from the connection peer rather than from a client-controlled forwarding
# header - confirm, since the child-safe rules depend on this value.
_childsafe_network if styx.in_networks("kids", client.ip)