feat(authz): introduce conditional access control via CEL (#4040)

2026-06-17 21:17:58 +08:00 · 2026-05-09 20:43:00 +01:00
parent ddb6279a25
commit 8a6674f198
15 changed files with 1636 additions and 85 deletions
@@ -123,6 +123,15 @@ func NewController(appConfig *config.Config) *Controller {
 		controller.Audit = audit
 	}

+	// Pre-compile policy conditions. Errors were already surfaced by config
+	// validation; if anything still fails here it's a programmer bug.
+	programs, err := CompileAccessControl(appConfig.HTTP.AccessControl)
+	if err != nil {
+		logger.Panic().Err(err).Msg("failed to compile access control policy conditions")
+	}
+
+	appConfig.HTTP.AccessControl.StoreCompiledConditions(programs)
+
 	return &controller
 }

@@ -459,6 +468,14 @@ func (c *Controller) LoadNewConfig(newConfig *config.Config) {
 	// Update only reloadable config fields atomically
 	c.Config.UpdateReloadableConfig(newConfig)

+	// Refresh compiled policy conditions to reflect the new access-control
+	// config. Errors were caught during validation in LoadConfiguration.
+	if programs, err := CompileAccessControl(newConfig.HTTP.AccessControl); err != nil {
+		c.Log.Error().Err(err).Msg("failed to recompile access control policy conditions")
+	} else {
+		c.Config.HTTP.AccessControl.StoreCompiledConditions(programs)
+	}
+
 	// Operations that need to happen after config update
 	authConfig := c.Config.CopyAuthConfig()
 	if authConfig.IsHtpasswdAuthEnabled() {