authorize: implement allowed_idp_claims (#1542)

* add arbitrary claims to session

* add support for maps

* update flattened claims

* fix eol

* fix trailing whitespace

* fix tests

authorize/evaluator/opa/policy/authz.rego

@@ -12,6 +12,7 @@ groups := input.databroker_data.groups
 all_allowed_domains := get_allowed_domains(route_policy)
 all_allowed_groups := get_allowed_groups(route_policy)
 all_allowed_users := get_allowed_users(route_policy)
+all_allowed_idp_claims := get_allowed_idp_claims(route_policy)
 
 # allow public
 allow {
@@ -65,6 +66,14 @@ allow {
 	email_in_domain(input.session.impersonate_email, all_allowed_domains[domain])
 }
 
+# allow by arbitrary idp claims
+allow {
+    are_claims_allowed(all_allowed_idp_claims[_], session.claims)
+}
+allow {
+    are_claims_allowed(all_allowed_idp_claims[_], user.claims)
+}
+
 # allow pomerium urls
 allow {
 	contains(input.http.url, "/.pomerium/")
@@ -181,3 +190,21 @@ get_allowed_groups(policy) = v {
         [u | u := policy.sub_policies[_].allowed_groups[_]]
     )[_] }
 }
+
+get_allowed_idp_claims(policy) = v {
+    v := array.concat(
+        [policy.allowed_idp_claims],
+        [u | u := policy.sub_policies[_].allowed_idp_claims]
+     )
+}
+
+are_claims_allowed(a, b) {
+    is_object(a)
+    is_object(b)
+    avs := a[ak]
+    bvs := object.get(b, ak, null)
+
+    is_array(avs)
+    is_array(bvs)
+    avs[_] == bvs[_]
+}

authorize/evaluator/opa/policy/authz_test.rego

@@ -169,6 +169,25 @@ test_impersonate_domain_allowed {
 		input.session as { "id": "session1", "impersonate_email": "y@example1.com" }
 }
 
+test_idp_claims_allowed {
+    allow with
+        data.route_policies as [{
+            "source": "example.com",
+            "allowed_idp_claims": {
+                "some.claim": ["a", "b"]
+            }
+        }] with
+        input.databroker_data as {
+            "session": {
+                "claims": {
+                    "some.claim": ["b"]
+                }
+            }
+        } with
+		input.http as { "url": "http://example.com" } with
+        input.session as { "id": "session1", "impersonate_email": "" }
+}
+
 test_example {
 	not allow with
 		data.route_policies as [
@@ -344,3 +363,14 @@ test_sub_policy {
     })
 	z == {"g1", "g2", "g3", "g4"}
 }
+
+test_are_claims_allowed {
+    are_claims_allowed({"a": ["1"]}, {"a": ["1"]})
+    not are_claims_allowed({"a": ["2"]}, {"a": ["1"]})
+
+    are_claims_allowed({"a": ["1", "2", "3"]}, {"a": ["1"]})
+    are_claims_allowed({"a": ["1"]}, {"a": ["1", "2", "3"]})
+    not are_claims_allowed({"a": ["4", "5", "6"]}, {"a": ["1"]})
+
+    are_claims_allowed({"a.b.c": ["1"], "d.e.f": ["2"]}, {"d.e.f": ["2"]})
+}