package iamcel
import (
"fmt"
"github.com/google/cel-go/cel"
iamv1 "go.einride.tech/iam/proto/gen/einride/iam/v1"
"google.golang.org/protobuf/reflect/protoreflect"
)
// NewBeforeEnv builds the CEL environment for authorization checks that are
// evaluated before the request has been handled.
//
// The environment declares exactly two variables: "caller", typed as
// iamv1.Caller, and "request", typed as the input message of method. It also
// registers the IAM function declarations listed below. No other variables
// are declared here.
//
// On any failure the error is wrapped and returned together with a nil
// environment.
// NOTE(review): callers presumably need to treat that error as fatal for the
// method instead of proceeding without a check; confirm at the call sites.
func NewBeforeEnv(method protoreflect.MethodDescriptor) (*cel.Env, error) {
	const errFormat = "new IAM CEL `before` env: %w"

	callerDesc := (&iamv1.Caller{}).ProtoReflect().Descriptor()
	requestDesc := method.Input()

	// Both message types, and whatever collectDependencies gathers for them,
	// are handed to cel.TypeDescs so the object types below can be resolved.
	typeDescs, err := collectDependencies(callerDesc, requestDesc)
	if err != nil {
		return nil, fmt.Errorf(errFormat, err)
	}

	options := []cel.EnvOption{
		cel.TypeDescs(typeDescs),
		cel.Variable("caller", cel.ObjectType(string(callerDesc.FullName()))),
		cel.Variable("request", cel.ObjectType(string(requestDesc.FullName()))),
		cel.Declarations(
			// TODO: Migrate declarations to new top-level API.
			NewTestFunctionDeclaration(),
			NewTestAllFunctionDeclaration(),
			NewTestAnyFunctionDeclaration(),
			NewAncestorFunctionDeclaration(),
			NewMemberFunctionDeclaration(),
			NewJoinFunctionDeclaration(),
		),
	}

	beforeEnv, err := cel.NewEnv(options...)
	if err != nil {
		return nil, fmt.Errorf(errFormat, err)
	}
	return beforeEnv, nil
}