coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
main
flex-auth/internal/markitect/decision.go
tegwick 3d1967cb41
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details
Add Markitect adapter contract tests
2026-05-17 06:36:52 +02:00

76 lines
3.0 KiB
Go
Raw Permalink Blame History

package markitect
import "github.com/netkingdom/flex-auth/pkg/api"
const (
GatewayEffectAllow = "allow"
GatewayEffectDeny = "deny"
GatewayEffectRedact = "redact"
GatewayEffectAuditDenied = "audit_denied"
)
// GatewayDecision is the Markitect-facing decision contract.
type GatewayDecision struct {
ID string `json:"id"`
Effect string `json:"effect"`
Reason string `json:"reason,omitempty"`
RuleID string `json:"rule_id,omitempty"`
PolicyVersion string `json:"policy_version,omitempty"`
Resource api.ResourceRef `json:"resource"`
ResourceMetadata map[string]any `json:"resource_metadata,omitempty"`
Subject api.SubjectRef `json:"subject"`
Obligations []api.Obligation `json:"obligations,omitempty"`
Diagnostics map[string]any `json:"diagnostics,omitempty"`
CaringDescriptor *api.CaringAccessDescriptor `json:"caring_descriptor,omitempty"`
ConformanceFindings []api.CaringConformanceFinding `json:"conformance_findings,omitempty"`
ExposureModes []api.ExposureMode `json:"exposure_modes,omitempty"`
}
// ToGatewayDecision projects a flex-auth decision envelope into the shape
// consumed by the Markitect policy gateway.
func ToGatewayDecision(decision api.DecisionEnvelope) GatewayDecision {
out := GatewayDecision{
ID: decision.ID,
Effect: gatewayEffect(decision),
Reason: decision.Reason,
RuleID: decision.MatchedRule,
PolicyVersion: decision.MatchedPolicyVersion,
Resource: decision.Resource,
ResourceMetadata: copyMap(decision.Resource.Attributes),
Subject: decision.Subject,
Obligations: append([]api.Obligation(nil), decision.Obligations...),
Diagnostics: copyMap(decision.Diagnostics),
}
if out.PolicyVersion == "" {
out.PolicyVersion = decision.Provenance.PolicyVersion
}
if decision.Caring != nil {
if decision.Caring.Descriptor != nil {
descriptor := *decision.Caring.Descriptor
out.CaringDescriptor = &descriptor
}
out.ConformanceFindings = append([]api.CaringConformanceFinding(nil), decision.Caring.ConformanceFindings...)
out.ExposureModes = append([]api.ExposureMode(nil), decision.Caring.ExposureModes...)
}
return out
}
func gatewayEffect(decision api.DecisionEnvelope) string {
if value, ok := decision.Diagnostics["markitect_effect"].(string); ok && value != "" {
return value
}
if auditDenied, ok := decision.Diagnostics["audit_denied"].(bool); ok && auditDenied {
return GatewayEffectAuditDenied
}
switch decision.Effect {
case api.DecisionEffectAllow:
return GatewayEffectAllow
case api.DecisionEffectRedact:
return GatewayEffectRedact
case api.DecisionEffectAuditOnly:
return GatewayEffectAuditDenied
default:
return GatewayEffectDeny
}
}
Reference in New Issue View Git Blame Copy Permalink