Documentation

Pipeline Directives

Control flow for pipeline execution

Pipeline directives control how a pipeline block executes. The directive can be explicitly requested using the standalone actions:

Or they can be used as parameters in these actions:

first

  • Behavior: Stops execution when any action returns a definitive result: accept or reject and returns that, if action returns ignore, continues to next action.
  • Use case: When you want the first action to provide a result to make the decision
  • Example: Testing multiple conditions where any one can determine the outcome
first {
    backend "PRIMARY_AUTH";
    backend "FALLBACK_AUTH";
}

any

  • Behavior: Continues until an action returns accept, then returns accept
  • Use case: When any successful action should trigger the do block
  • Example: Multiple authentication methods where any success is sufficient
any {
    pap;
    chap;
}

while - Default

  • Behavior: Continues until an action returns reject, then returns reject, otherwise returns accept
  • Use case: When all conditions must pass for success
  • Example: Multiple validation checks that all must succeed
while {
    backend "USER_EXISTS";
    script "CHECK_BUSINESS_HOURS";
}

This the default behavior for pipelines. There is really no need to use the standalone while action but it can be used for clarity in the with action.

It should noted that if a policy handler returns ignore as the last action it will still reject the request.

all

  • Behavior: Continues until an action returns ignore or reject and then rejects. If all actions return accept, then returns accept
  • Use case: When all actions must explicitly succeed
  • Example: Comprehensive validation requiring all checks to pass
all {
    backend "VALIDATE_USER";
    backend "CHECK_PERMISSIONS";
    backend "VERIFY_LICENSE";
}

none

  • Behavior: Continues until an action returns accept, then returns reject, otherwise returns accept
  • Use case: When success means no action should succeed (negative logic)
  • Example: Blacklist checking where any match means rejection

There is a standalone none action but it is most useful in the with action:

with none {
    backend "BLACKLIST_CHECK";
    backend "BANNED_USERS";
    backend "SUSPICIOUS_PATTERNS";
} do {
    # No matches found in blacklists - proceed
    accept;
} else {
    # Found in at least one blacklist
    reject "Access denied - blacklisted";
}

each

  • Behavior: Executes all actions regardless of results, returns result of last action
  • Use case: When all actions should execute for side effects
  • Example: Logging and metrics collection
each {
    backend "STORE_ANALYTICS";
    backend "PRIMARY_AUTH";
}

Error handling

Any error in an action is treated as an immediate reject result for that action. If you need to catch errors, use the try action.