feat(authz): introduce conditional access control via CEL (#4040)

This commit is contained in:
Matheus Pimenta
2026-05-09 20:43:00 +01:00
committed by GitHub
parent ddb6279a25
commit 8a6674f198
15 changed files with 1636 additions and 85 deletions
+27 -5
@@ -22,8 +22,14 @@ func GetContextKey() *Key {
}
type UserAccessControl struct {
authzInfo *UserAuthzInfo
authnInfo *UserAuthnInfo
authzInfo *UserAuthzInfo
authnInfo *UserAuthnInfo
// claims is a free-form bag of authentication-time attributes surfaced to
// authorization-time CEL conditions as `req.claims`. It is populated by
// whichever authn flow has structured attributes to expose: OIDC bearer
// today (the ID token's claim set), and optionally other flows (browser
// OpenID, mTLS cert attributes, ...) as they grow that capability.
claims map[string]any
methodActions []string
behaviourActions []string
}
@@ -92,6 +98,20 @@ func (uac *UserAccessControl) GetGroups() []string {
return uac.authnInfo.groups
}
// SetClaims stores authentication-time attributes (OIDC token claims, mTLS
// cert attributes, etc.) that should be exposed to authz-time CEL conditions
// as `req.claims`. Authn flows are free to populate whichever subset they
// have available; everything else is left nil.
func (uac *UserAccessControl) SetClaims(claims map[string]any) {
uac.claims = claims
}
// GetClaims returns the authentication-time attribute bag, or nil if the
// active authn flow did not populate one.
func (uac *UserAccessControl) GetClaims() map[string]any {
return uac.claims
}
func (uac *UserAccessControl) IsAnonymous() bool {
if uac.authnInfo == nil {
return true
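Review bot: `GetClaims` returns the live `uac.claims` map and `SetClaims` stores the caller's map by reference, so any consumer of the bag — presumably including whatever evaluates `req.claims`, which is not in this hunk — can mutate the claim set that later authorization checks read, and the doc comment does not state that the map is shared. Either document the contract on both methods (`// The map is retained/returned by reference and must be treated as read-only by callers.`) or store and return a copy, e.g. `return maps.Clone(uac.claims)` with `maps` imported and a nil-safe `SetClaims`. Separately, nothing in `SetClaims` validates what it is given, so its comment should make the security invariant explicit: `// Callers must pass only claims already verified by the authn flow (signature, issuer, audience, expiry); this type does not re-validate them.` That caveat matters because a CEL condition on `req.claims` is only as trustworthy as the verification that populated the bag.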
@@ -137,9 +157,11 @@ func UserAcFromContext(ctx context.Context) (*UserAccessControl, error) {
func (uac *UserAccessControl) SetGlobPatterns(action string, patterns map[string]bool) {
if uac.authzInfo == nil {
uac.authzInfo = &UserAuthzInfo{
globPatterns: make(map[string]map[string]bool),
}
uac.authzInfo = &UserAuthzInfo{}
}
if uac.authzInfo.globPatterns == nil {
uac.authzInfo.globPatterns = make(map[string]map[string]bool)
}
uac.authzInfo.globPatterns[action] = patterns