(ctx context.Context, subject Subject, action policy.Action, objectType string)
| 629 | } |
| 630 | |
| 631 | func (a RegoAuthorizer) newPartialAuthorizer(ctx context.Context, subject Subject, action policy.Action, objectType string) (*PartialAuthorizer, error) { |
| 632 | if subject.Roles == nil { |
| 633 | return nil, xerrors.Errorf("subject must have roles") |
| 634 | } |
| 635 | if subject.Scope == nil { |
| 636 | return nil, xerrors.Errorf("subject must have a scope") |
| 637 | } |
| 638 | |
| 639 | input, err := regoPartialInputValue(subject, action, objectType) |
| 640 | if err != nil { |
| 641 | return nil, xerrors.Errorf("prepare input: %w", err) |
| 642 | } |
| 643 | |
| 644 | partialQueries, err := a.partialQuery.Partial(ctx, rego.EvalParsedInput(input)) |
| 645 | if err != nil { |
| 646 | return nil, xerrors.Errorf("prepare: %w", err) |
| 647 | } |
| 648 | |
| 649 | pAuth := &PartialAuthorizer{ |
| 650 | partialQueries: partialQueries, |
| 651 | preparedQueries: []rego.PreparedEvalQuery{}, |
| 652 | subjectInput: subject, |
| 653 | subjectResourceType: Object{ |
| 654 | Type: objectType, |
| 655 | ID: "prepared-object", |
| 656 | }, |
| 657 | subjectAction: action, |
| 658 | } |
| 659 | |
| 660 | // Prepare each query to optimize the runtime when we iterate over the objects. |
| 661 | preparedQueries := make([]rego.PreparedEvalQuery, 0, len(partialQueries.Queries)) |
| 662 | for _, q := range partialQueries.Queries { |
| 663 | if q.String() == "" { |
| 664 | // No more work needed. An empty query is the same as |
| 665 | // 'WHERE true' |
| 666 | // This is likely an admin. We don't even need to use rego going |
| 667 | // forward. |
| 668 | pAuth.alwaysTrue = true |
| 669 | preparedQueries = []rego.PreparedEvalQuery{} |
| 670 | break |
| 671 | } |
| 672 | results, err := rego.New( |
| 673 | rego.ParsedQuery(q), |
| 674 | ).PrepareForEval(ctx) |
| 675 | if err != nil { |
| 676 | return nil, xerrors.Errorf("prepare query %s: %w", q.String(), err) |
| 677 | } |
| 678 | preparedQueries = append(preparedQueries, results) |
| 679 | } |
| 680 | pAuth.preparedQueries = preparedQueries |
| 681 | |
| 682 | return pAuth, nil |
| 683 | } |
| 684 | |
| 685 | // AuthorizeFilter is a compiled partial query that can be converted to SQL. |
| 686 | // This allows enforcing the policy on the database side in a WHERE clause. |
no test coverage detected