@@ -155,13 +155,9 @@ silo) and `duration` (the number of seconds the token will be valid for).
155155### Polar scheme for ` request ` of type ` GitHub `
156156
157157The ` request ` argument in Polar policies can be of type ` GitHub ` when the user
158- requested a GitHub token. There are three fields available:
159-
160- * ` permission ` : the name of one of the requested permissions.
161- * ` repository ` : the name of one of the repositories being requested.
162- * ` repository_visibility ` : the visibility of the repository in the ` repository `
163- field. Can be one of ` public ` , ` internal ` or ` private ` . The repository
164- visibility is fetched by oidc-exchange and cached for an hour.
158+ requested a GitHub token. The two fields available are ` repository ` (the name of
159+ one of the repositories being requested) and ` permission ` (the name of one of
160+ the requested permissions).
165161
166162To simplify how policies are written, when authorizing GitHub token requests
167163oidcx will individually test whether all permutations of repositories
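Review bot: the removed `repository_visibility` field (lines 162-164 of the old text) was the only documented way for a policy to distinguish `public`, `internal` and `private` repositories, and the hunk gives no replacement or migration note; any existing Polar policy that references `request.repository_visibility` will stop evaluating as intended once the field is gone. Suggest adding a short note under this section stating that the field was removed (and why, e.g. that the cached GitHub visibility lookup was dropped) so that operators know to revisit policies that used it, and confirming that `repository` and `permission` remain the full set of fields the permutation logic described at line 166 iterates over.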
@@ -172,20 +168,6 @@ a time.
172168[ polar ] : https://www.osohq.com/docs/oss/learn/polar-foundations.html
173169[ gha-claims ] : https://docs.github.com/en/actions/reference/security/oidc
174170
175- ### Polar utility functions
176-
177- Some custom utility functions are provided for use within the Oso policy:
178-
179- * ** ` utils.concat(a, b) ` ** : concatenate two strings together:
180-
181- ``` polar
182- allow_request(claims, request: Oxide) if
183- request.silo == utils.concat(
184- utils.concat("https://", claims.environment),
185- ".sys.rack2.eng.oxide.computer"
186- );
187- ```
188-
189171## Configuration
190172
191173The main configuration of the service is defined into a TOML file. Multiple
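Review bot: deleting the entire "Polar utility functions" section (old lines 175-188) leaves no documentation for `utils.concat`, yet the surrounding text still links to the Polar docs via `[ polar ]` and the example being removed is the one that showed how to pin `request.silo` to a per-environment URL; a policy that still calls `utils.concat(...)` will either fail to load or silently stop matching depending on how the engine treats unknown functions. If the helper was removed from the code, add a one-line migration note here pointing at the replacement idiom for constraining `request.silo`; if the helper still exists, the section should be kept rather than dropped.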
@@ -217,18 +199,10 @@ log_directory = "path/to/logs"
217199[[providers ]]
218200url = " https://token.actions.githubusercontent.com/.well-known/openid-configuration"
219201
220- # The [oxide] blcok defines the configuration for issuing Oxide silo tokens. The
221- # block is optional, and if omitted no Oxide silo tokens will be issued.
222- [oxide ]
223- # Whether to allow issuing tokens without an expiration. Optional, the default
224- # is to forbid issuing them.
225- allow_tokens_without_expiry = false
226- # Maximum duration tokens can have. Optional, the default is 3600 seconds.
227- max_duration = 3600
228- # List of silos a token can be requested for, and the credential used to
229- # generate those tokens. The tokens will have the same permissions as the user
230- # the credential is from.
231- [oxide .silos ]
202+ # The [oxide_silos] block defines the list of Oxide silos a token can be
203+ # requested for, and the credential used to generate those tokens. The block is
204+ # optional, and if omitted no Oxide silo tokens will be issued.
205+ [oxide_silos ]
232206"https://oxide.sys.rack2.eng.oxide.computer" = " oxide-token-helloworld"
233207"https://example.sys.rack2.eng.oxide.computer" = " oxide-token-helloworld"
234208
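Review bot: replacing `[oxide]` with `[oxide_silos]` (old lines 220-231 vs new lines 202-205) also drops the two documented safety limits, `allow_tokens_without_expiry = false` and `max_duration = 3600`, without saying whether the service still enforces them. The hunk header still describes a `duration` request field ("the number of seconds the token will be valid for"), so the reader can no longer tell what bounds that value or whether a request can omit it and obtain a non-expiring silo token. Suggest either documenting the new hard-coded limits next to the `[oxide_silos]` block or, if the limits were removed from the code, calling that out explicitly in the commit so operators can compensate in policy.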