config: support map of jwt claim headers (#1906)

* config: support map of jwt claim headers

* fix array handling, add test

* update docs

* use separate hook, add tests
Caleb Doxsey 2021-02-17 13:43:18 -07:00 committed by GitHub
parent d04416a5fd
commit 1a1cc30c67
14 changed files with 482 additions and 269 deletions


@ -33,7 +33,7 @@ func TestAuthorize_okResponse(t *testing.T) {
Rego: []string{"allow = true"},
}},
}},
JWTClaimsHeaders: []string{"email"},
JWTClaimsHeaders: config.NewJWTClaimHeaders("email"),
}
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})


@ -262,11 +262,12 @@ identity_headers := {key: value |
claim_value != null
# only include those headers requested by the user
available := data.jwt_claim_headers[_]
some header_name
available := data.jwt_claim_headers[header_name]
available == claim_key
# create the header key and value
k := concat("", ["x-pomerium-claim-", claim_key])
k := header_name
v := get_header_string_value(claim_value)
]
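Review bot: `k := header_name` emits the operator-configured map key verbatim as the outgoing header name, dropping the `x-pomerium-claim-` namespace the removed `concat` line applied, so a configured key can now collide with a header pomerium itself sets or one the upstream already trusts. Unless `config.NewJWTClaimHeaders` (outside this hunk) rejects such names, a validation step at config load, or at least a line in the option docs naming the reserved headers, would close that gap. A comment above `some header_name`, `# jwt_claim_headers is keyed by outgoing header name; the value is the claim it carries`, would make the map orientation explicit for the next reader, since the old array form had the opposite shape. The enclosing `identity_headers` comprehension begins above this hunk.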



@ -39,7 +39,7 @@ func TestOPA(t *testing.T) {
require.NoError(t, err)
store := NewStoreFromProtos(data...)
store.UpdateIssuer("authenticate.example.com")
store.UpdateJWTClaimHeaders([]string{"email", "groups", "user"})
store.UpdateJWTClaimHeaders(config.NewJWTClaimHeaders("email", "groups", "user"))
store.UpdateRoutePolicies(policies)
store.UpdateSigningKey(privateJWK)
r := rego.New(


@ -102,7 +102,7 @@ func (s *Store) UpdateGoogleCloudServerlessAuthenticationServiceAccount(serviceA
}
// UpdateJWTClaimHeaders updates the jwt claim headers in the store.
func (s *Store) UpdateJWTClaimHeaders(jwtClaimHeaders []string) {
func (s *Store) UpdateJWTClaimHeaders(jwtClaimHeaders map[string]string) {
s.write("/jwt_claim_headers", jwtClaimHeaders)
}
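Review bot: The doc comment on UpdateJWTClaimHeaders is unchanged from the slice version and does not say how the new map is oriented; the rego that consumes `/jwt_claim_headers` in this commit uses the key as the outgoing header name and the value as the claim key, so `// UpdateJWTClaimHeaders updates the jwt claim headers in the store. Keys are outgoing header names; values are the JWT claim each header carries.` would tell callers which way round to build it. Whether `s.write` serializes the map or retains a reference to it is not visible here; if it retains it, a caller that keeps mutating the map after the call would race with policy evaluation, and copying the map inside the method would remove that possibility.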