Diffstat (limited to 'includes/oathkeeper.jsonnet')
-rw-r--r--includes/oathkeeper.jsonnet55
1 files changed, 55 insertions, 0 deletions
diff --git a/includes/oathkeeper.jsonnet b/includes/oathkeeper.jsonnet
new file mode 100644
index 0000000..02db2b8
--- /dev/null
+++ b/includes/oathkeeper.jsonnet
@@ -0,0 +1,55 @@
+local main = import "main.jsonnet";
+
+local cookieSessionAuthenticator = {
+ handler: "cookie_session"
+};
+local oauth2ClientCredentialsAuthenticator = {
+ handler: "oauth2_client_credentials"
+};
+
+local allowAuthorizer = {
+ handler: "allow"
+};
+local ketoAuthorizer(object) = {
+ handler: "remote_json", config: {
+ remote: "https://keto.sso.internal.random.sh/check",
+ payload: |||
+ {
+ "namespace": "websites",
+ "subject": "{{ print .Subject }}",
+ "object": object,
+ "relation": "access"
+ }
+ |||}
+};
+
+local errorRedirectHandler = {
+ handler: "redirect",
+ config: {
+ to: main.sso.login_url,
+ return_to_query_param: "return_to"
+ }
+};
+
+local idTokenMutator = {handler: "id_token"};
+
+local headerMutator = {handler: "header"};
+
+{
+ authenticators: {
+ cookieSession: cookieSessionAuthenticator,
+ oauth2ClientCredentials: oauth2ClientCredentialsAuthenticator,
+ },
+ authorizers: {
+ keto: ketoAuthorizer,
+ allow: allowAuthorizer,
+ },
+ errors: {
+ redirect: errorRedirectHandler,
+ },
+ mutators: {
+ idToken: idTokenMutator,
+ header: headerMutator
+ },
+ allHttpMethods: ["OPTIONS", "GET", "POST", "PUT", "PATCH", "DELETE"],
+}
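Review bot: `ketoAuthorizer(object)` never interpolates its parameter: the `object` on the `"object": object,` line sits inside a `|||` text block, so every rule using this authorizer sends the literal, non-JSON token `object` to Keto's `/check` endpoint and the per-site object is silently dropped; depending on how Keto handles the malformed body this either fails every request closed or (worse, if it tolerates it) authorizes against the wrong tuple. Render the value into the template instead, e.g. `payload: std.format(|||`, `"object": %s,` and `|||, [std.escapeStringJson(object)])` (the body contains no `%`, so `std.format` is safe, and `escapeStringJson` keeps a quote or backslash in a site name from breaking the JSON). Separately, `{{ print .Subject }}` is spliced into a JSON string with no escaping; with the `cookie_session` and `oauth2_client_credentials` authenticators the subject is presumably an identity UUID or client id, but that assumption should be confirmed or the same escaping applied. The authenticators also carry no `config` block here, so `check_session_url`/`token_url` must come from the global Oathkeeper config — worth a one-line comment on `cookieSessionAuthenticator` stating that.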