Documentation

Pipeline Directives

Control flow for pipeline execution

Pipeline directives control how a pipeline block executes. The directive can be explicitly requested using the standalone actions:

Or they can be used as parameters in these actions:

first

Stops on first accept or reject and returns that. If no accept or reject is encountered, ignore is returned.

Example

When you want the first non-ignoring action to provide a result to make the decision

first {
    backend "PRIMARY_AUTH"; # ignores if does not find user
    backend "FALLBACK_AUTH";
}

any

Stop on first accept. If no accept is encountered, return the last reject or ignore.

Example

When calling multiple backends or methods where any success is sufficient

any {
    pap;
    chap;
}

while - Default

Stop on reject. Return the last accept or ignore.

NOTE: This is not a loop.

This is the default behavior for pipelines. There is really no need to use the standalone while action, but it can be used for clarity in the with action.

It should be noted that if a policy handler returns ignore as the last action, it will still reject the request.

Example

All must accept or ignore

while {
    backend "USER_EXISTS";
    script "CHECK_BUSINESS_HOURS";
}

or since this is the default behavior, you can simply write:

backend "USER_EXISTS";
script "CHECK_BUSINESS_HOURS";

all

All actions must accept. If any action returns ignore or reject, that is returned immediately.

Example

All verifications must succeed

all {
    backend "VALIDATE_USER";
    backend "CHECK_PERMISSIONS";
    backend "VERIFY_LICENSE";
}

none

🚨 None is known to be buggy. Do not use for now.

All actions must return reject, then returns accept. If any action returns accept or ignore then reject is returned immediately.

none {
    backend "BLACKLIST_CHECK";
    backend "BANNED_USERS";
    backend "SUSPICIOUS_PATTERNS";
}

each

Return the result of the last action.

Note that this does not capture errors. If you need to catch errors, use the try action.

Example

each {
    # does not matter if these reject or ignore
    backend "STORE_ANALYTICS";
    backend "LOG_ACCESS";

    # this result is returned
    backend "PRIMARY_AUTH";
}
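
To compare the directives side by side, the following added example (a Python model of the semantics as documented above, not code from the product) evaluates each directive over a sequence of per-action results. It leaves out none, reads "the last reject or ignore" as the last action's result, and treats an empty pipeline as undocumented; the names run, handler_outcome and compare are assumptions.

```python
# Illustrative model of the documented directive semantics (not product code).
ACCEPT, REJECT, IGNORE = "accept", "reject", "ignore"
DIRECTIVES = ("first", "any", "while", "all", "each")

def run(directive, results):
    """Return the pipeline result for a list of per-action results."""
    if directive not in DIRECTIVES:
        raise ValueError(f"unmodelled directive: {directive}")
    if not results:
        raise ValueError("empty pipeline: behaviour is not documented")
    if directive == "each":
        return results[-1]                      # only the last action counts
    for r in results:
        if directive == "first" and r in (ACCEPT, REJECT):
            return r                            # first non-ignore result decides
        if directive == "any" and r == ACCEPT:
            return r                            # one success is sufficient
        if directive == "while" and r == REJECT:
            return r                            # default: stop on reject
        if directive == "all" and r != ACCEPT:
            return r                            # ignore or reject returned at once
    if directive == "first":
        return IGNORE                           # nothing accepted or rejected
    # any: no accept seen; while: no reject seen; all: everything accepted.
    return results[-1]

def handler_outcome(result):
    """Policy handler level: a final ignore still rejects the request."""
    return ACCEPT if result == ACCEPT else REJECT

# Constructed sample sequences of action results, in execution order.
SAMPLES = [
    [IGNORE, ACCEPT],
    [IGNORE, REJECT, ACCEPT],
    [ACCEPT, IGNORE],
    [IGNORE, IGNORE],
]

def compare(samples=SAMPLES):
    """Map each sample to the result every modelled directive returns."""
    return {tuple(s): {d: run(d, s) for d in DIRECTIVES} for s in samples}

if __name__ == "__main__":
    for seq, outcome in compare().items():
        print(seq, outcome)
```

The [accept, ignore] row shows why directive choice matters for authorization: while returns ignore, which the handler turns into a reject, and all returns that same ignore at the second action.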