authorize: add filter options for JWT groups (#5417) (#5426)

Add a new option for filtering to a subset of directory groups in the Pomerium JWT and Impersonate-Group headers. Add a JWTGroupsFilter field to both the Options struct (for a global filter) and to the Policy struct (for per-route filter). These will be populated only from the config protos, and not from a config file. If either filter is set, then for each of a user's groups, the group name or group ID will be added to the JWT groups claim only if it is an exact string match with one of the elements of either filter.
2025-08-03 16:59:22 +02:00 · 2025-01-14 14:38:33 -08:00 · 2025-01-14 14:38:33 -08:00 · 084ad15464
commit 084ad15464
parent 1246f0f76a
14 changed files with 859 additions and 629 deletions
--- a/authorize/evaluator/config.go
+++ b/authorize/evaluator/config.go
@ -15,6 +15,7 @@ type evaluatorConfig struct {
 	AuthenticateURL                                   string
 	GoogleCloudServerlessAuthenticationServiceAccount string
 	JWTClaimsHeaders                                  config.JWTClaimHeaders
+	JWTGroupsFilter                                   config.JWTGroupsFilter
 }

 // cacheKey() returns a hash over the configuration, except for the policies.
@ -97,3 +98,10 @@ func WithJWTClaimsHeaders(headers config.JWTClaimHeaders) Option {
 		cfg.JWTClaimsHeaders = headers
 	}
 }
+
+// WithJWTGroupsFilter sets the JWT groups filter in the config.
+func WithJWTGroupsFilter(groups config.JWTGroupsFilter) Option {
+	return func(cfg *evaluatorConfig) {
+		cfg.JWTGroupsFilter = groups
+	}
+}