Run OPA policies during registration

2025-07-29 22:01:14 +03:00 · 2022-06-02 11:07:00 +02:00
parent 9ebff410d1
commit a2b53f0395
5 changed files with 86 additions and 2 deletions
--- a/crates/handlers/src/views/register.rs
+++ b/crates/handlers/src/views/register.rs
@ -14,7 +14,7 @@

 #![allow(clippy::trait_duplication_in_bounds)]

-use std::str::FromStr;
+use std::{str::FromStr, sync::Arc};

 use argon2::Argon2;
 use axum::{
@ -29,6 +29,7 @@ use mas_axum_utils::{
 };
 use mas_config::Encrypter;
 use mas_email::Mailer;
+use mas_policy::PolicyFactory;
 use mas_router::Route;
 use mas_storage::user::{
    add_user_email, add_user_email_verification_code, register_user, start_session, username_exists,
@ -87,6 +88,7 @@ pub(crate) async fn get(

 pub(crate) async fn post(
    Extension(mailer): Extension<Mailer>,
+    Extension(policy_factory): Extension<Arc<PolicyFactory>>,
    Extension(templates): Extension<Templates>,
    Extension(pool): Extension<PgPool>,
    Query(query): Query<OptionalPostAuthAction>,
@ -129,6 +131,15 @@ pub(crate) async fn post(
            state.add_error_on_field(RegisterFormField::PasswordConfirm, FieldError::Unspecified);
        }

+        let mut policy = policy_factory.instanciate().await?;
+        let res = policy
+            .evaluate_register(&form.username, &form.email)
+            .await?;
+
+        if !res {
+            state.add_error_on_form(FormError::Policy);
+        }
+
        state
    };

--- a/crates/templates/src/forms.rs
+++ b/crates/templates/src/forms.rs
@ -52,6 +52,9 @@ pub enum FormError {

    /// There was an internal error
    Internal,
+
+    /// Denied by the policy
+    Policy,
 }

 #[derive(Debug, Default, Serialize)]