Replace regex with rego to implement authorization #42

@phillebaba

Currently the authorization is implemented with the help of regex. A set of regex rules is constructed for each possible org, project, and repo. They are then run for each request to validate that the token is allowed for the requested path. Relevant code can be found here.

https://github.com/XenitAB/git-auth-proxy/blob/main/pkg/auth/auth.go

Regex is not a great tool for path validation; a better option may instead be to use Rego, as it is a purpose-built tool. All of the regex would be replaced by a single Rego policy which should be executed for each request.

Here is an example of how the Rego could be written to validate the HTTP requests.
https://www.openpolicyagent.org/docs/latest/http-api-authorization/

Here is the documentation for how to execute Rego from Go.
https://www.openpolicyagent.org/docs/latest/integration/#integrating-with-the-go-api
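
One way the single policy proposed above could look, as an added example that is not from the issue author or the git-auth-proxy code base. The package name, the `input` shape (`path`, `token.grants`) and the `/<org>/<project>/_git/<repo>` path layout are assumptions made for illustration.

```rego
# Added example: hypothetical package name and input document.
package gitauthproxy.authz

import rego.v1

# Constructed sample input the proxy would pass for each request:
# {
#   "path": "/acme/platform/_git/infra/info/refs",
#   "token": {"grants": [{"org": "acme", "project": "platform", "repo": "infra"}]}
# }

# Deny unless the rule below explicitly allows the request.
default allow := false

# Compare whole path segments instead of pattern-matching the raw string.
# Assumes the caller passes the path after URL-decoding it exactly once.
segments := split(trim_prefix(input.path, "/"), "/")

# Reject empty, "." and ".." segments so a path cannot resolve to a
# different repository after normalisation further down the chain.
# This also rejects a doubled or trailing slash.
path_is_clean if {
	every s in segments {
		s != ""
		s != "."
		s != ".."
	}
}

# Assumed layout: /<org>/<project>/_git/<repo>/<git sub-path...>
allow if {
	path_is_clean
	count(segments) >= 4
	segments[2] == "_git"

	# The token must carry a grant that matches all three segments exactly.
	some grant in input.token.grants
	grant.org == segments[0]
	grant.project == segments[1]
	grant.repo == segments[3]
}
```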

Labels: enhancement (New feature or request)