diff --git a/authenticate/handlers.go b/authenticate/handlers.go index d73ee9325..a04310fdc 100644 --- a/authenticate/handlers.go +++ b/authenticate/handlers.go @@ -451,12 +451,18 @@ func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error { s.ID = uuid.New().String() } + isImpersonated := false pbSession, err := session.Get(ctx, state.dataBrokerClient, s.ID) + if pbSession.GetImpersonateSessionId() != "" { + pbSession, err = session.Get(ctx, state.dataBrokerClient, pbSession.GetImpersonateSessionId()) + isImpersonated = true + } if err != nil { pbSession = &session.Session{ Id: s.ID, } } + pbUser, err := user.Get(ctx, state.dataBrokerClient, pbSession.GetUserId()) if err != nil { pbUser = &user.User{ @@ -488,8 +494,9 @@ func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error { } input := map[string]interface{}{ + "IsImpersonated": isImpersonated, "State": s, // local session state (cookie, header, etc) - "Session": pbSession, // current access, refresh, id token, & impersonation state + "Session": pbSession, // current access, refresh, id token "User": pbUser, // user details inferred from oidc id_token "DirectoryUser": pbDirectoryUser, // user details inferred from idp directory "DirectoryGroups": groups, // user's groups inferred from idp directory diff --git a/authorize/evaluator/evaluator_test.go b/authorize/evaluator/evaluator_test.go index 55cbde617..d83e5e9e7 100644 --- a/authorize/evaluator/evaluator_test.go +++ b/authorize/evaluator/evaluator_test.go @@ -116,9 +116,8 @@ func TestEvaluator(t *testing.T) { t.Run("kubernetes", func(t *testing.T) { res, err := eval(t, options, []proto.Message{ &session.Session{ - Id: "session1", - UserId: "user1", - ImpersonateGroups: []string{"i1", "i2"}, + Id: "session1", + UserId: "user1", }, &user.User{ Id: "user1", 
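Review bot: `isImpersonated = true` is set before the second `session.Get` is known to have succeeded; when that lookup fails, the `err != nil` fallback replaces pbSession with `&session.Session{Id: s.ID}`, so the page reports Impersonated: true for a session that is no longer being impersonated. Set the flag only on success, e.g. `isImpersonated = err == nil` inside the if block, or clear it in the fallback branch. The `GetImpersonateSessionId()` call on a possibly-nil pbSession is safe only because the generated getter is nil-checked; checking `err` before following the link would make that explicit rather than incidental. userInfo starts and ends outside the hunk.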
@@ -137,15 +136,13 @@ func TestEvaluator(t *testing.T) { }) require.NoError(t, err) assert.Equal(t, "a@example.com", res.Headers.Get("Impersonate-User")) - assert.Equal(t, "i1,i2", res.Headers.Get("Impersonate-Group")) }) t.Run("google_cloud_serverless", func(t *testing.T) { withMockGCP(t, func() { res, err := eval(t, options, []proto.Message{ &session.Session{ - Id: "session1", - UserId: "user1", - ImpersonateGroups: []string{"i1", "i2"}, + Id: "session1", + UserId: "user1", }, &user.User{ Id: "user1", @@ -245,18 +242,22 @@ func TestEvaluator(t *testing.T) { t.Run("allowed", func(t *testing.T) { res, err := eval(t, options, []proto.Message{ &session.Session{ - Id: "session1", - UserId: "user1", - ImpersonateEmail: proto.String("a@example.com"), + Id: "session1", + UserId: "user1", + }, + &session.Session{ + Id: "session2", + UserId: "user2", + ImpersonateSessionId: proto.String("session1"), }, &user.User{ Id: "user1", - Email: "b@example.com", + Email: "a@example.com", }, }, &Request{ Policy: &policies[3], Session: RequestSession{ - ID: "session1", + ID: "session2", }, HTTP: RequestHTTP{ Method: "GET", @@ -267,31 +268,6 @@ func TestEvaluator(t *testing.T) { require.NoError(t, err) assert.True(t, res.Allow) }) - t.Run("denied", func(t *testing.T) { - res, err := eval(t, options, []proto.Message{ - &session.Session{ - Id: "session1", - UserId: "user1", - ImpersonateEmail: proto.String("b@example.com"), - }, - &user.User{ - Id: "user1", - Email: "a@example.com", - }, - }, &Request{ - Policy: &policies[3], - Session: RequestSession{ - ID: "session1", - }, - HTTP: RequestHTTP{ - Method: "GET", - URL: "https://from.example.com", - ClientCertificate: testValidCert, - }, - }) - require.NoError(t, err) - assert.False(t, res.Allow) - }) }) t.Run("user_id", func(t *testing.T) { res, err := eval(t, options, []proto.Message{ 
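Review bot: The `denied` impersonation case is removed in the -267 hunk but no negative case replaces it, so the new `ImpersonateSessionId` path is exercised only on the happy path in the `allowed` and `impersonate domain` cases. The fail-closed behaviours that matter — a session whose `ImpersonateSessionId` points at a session record that does not exist, and a target session whose user does not satisfy the policy — are untested here and likewise in pkg/policy/criteria/emails_test.go. A case with `ImpersonateSessionId: proto.String("missing")` asserting `assert.False(t, res.Allow)` would cover the first, and the removed `denied` case can be adapted for the second by giving the target user a non-matching email.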
@@ -344,13 +320,17 @@ func TestEvaluator(t *testing.T) { t.Run("impersonate domain", func(t *testing.T) { res, err := eval(t, options, []proto.Message{ &session.Session{ - Id: "session1", - UserId: "user1", - ImpersonateEmail: proto.String("a@example.com"), + Id: "session1", + UserId: "user1", + }, + &session.Session{ + Id: "session2", + UserId: "user2", + ImpersonateSessionId: proto.String("session1"), }, &user.User{ Id: "user1", - Email: "a@notexample.com", + Email: "a@example.com", }, }, &Request{ Policy: &policies[6], @@ -399,39 +379,6 @@ func TestEvaluator(t *testing.T) { require.NoError(t, err) assert.True(t, res.Allow) }) - t.Run("impersonate groups", func(t *testing.T) { - res, err := eval(t, options, []proto.Message{ - &session.Session{ - Id: "session1", - UserId: "user1", - ImpersonateGroups: []string{"group1"}, - }, - &user.User{ - Id: "user1", - Email: "a@example.com", - }, - &directory.User{ - Id: "user1", - }, - &directory.Group{ - Id: "group1", - Name: "group1name", - Email: "group1@example.com", - }, - }, &Request{ - Policy: &policies[7], - Session: RequestSession{ - ID: "session1", - }, - HTTP: RequestHTTP{ - Method: "GET", - URL: "https://from.example.com", - ClientCertificate: testValidCert, - }, - }) - require.NoError(t, err) - assert.True(t, res.Allow) - }) t.Run("any authenticated user", func(t *testing.T) { res, err := eval(t, options, []proto.Message{ &session.Session{ diff --git a/authorize/evaluator/opa/policy/headers.rego b/authorize/evaluator/opa/policy/headers.rego index f09e695a9..d567c91d2 100644 --- a/authorize/evaluator/opa/policy/headers.rego +++ b/authorize/evaluator/opa/policy/headers.rego 
@@ -26,20 +26,29 @@ package pomerium.headers # 5 minutes from now in seconds five_minutes := round((time.now_ns() / 1e9) + (60 * 5)) -session = s { - s = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id) - s != null -} else = s { - s = get_databroker_record("type.googleapis.com/session.Session", input.session.id) - s != null +# get the session +session = v { + # try a service account + v = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id) + v != null +} else = iv { + # try an impersonated session + v = get_databroker_record("type.googleapis.com/session.Session", input.session.id) + v != null + object.get(v, "impersonate_session_id", "") != "" + + iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id) + iv != null +} else = v { + # try a normal session + v = get_databroker_record("type.googleapis.com/session.Session", input.session.id) + v != null + object.get(v, "impersonate_session_id", "") == "" } else = {} { true } user = u { - u = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id) - u != null -} else = u { u = get_databroker_record("type.googleapis.com/user.User", session.user_id) u != null } else = {} { @@ -47,9 +56,6 @@ user = u { } directory_user = du { - du = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id) - du != null -} else = du { du = get_databroker_record("type.googleapis.com/directory.User", session.user_id) du != null } else = {} { @@ -57,9 +63,6 @@ directory_user = du { } group_ids = gs { - gs = session.impersonate_groups - gs != null -} else = gs { gs = directory_user.group_ids gs != null } else = [] { @@ -119,8 +122,6 @@ jwt_payload_user = v { } jwt_payload_email = v { - v = session.impersonate_email -} else = v { v = directory_user.email } else = v { v = user.email diff --git a/authorize/log.go b/authorize/log.go index 4db30df51..3d0b26f29 100644 --- a/authorize/log.go 
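Review bot: The `else = iv` branch of `session` substitutes the target session on nothing more than its existence (`iv != null`): the target's `expires_at` is not consulted here, and any expiry or revocation check that runs elsewhere against `input.session.id` now covers only the impersonating session, so a stale target could still supply `user`, `directory_user`, `group_ids` and the JWT email. Worth confirming where session validity is enforced and making sure it applies to the resolved session rather than the requested one; the same branch appears in pkg/policy/rules/rules.go (GetSession) and in the config/policy_ppl_test.go golden. The dangling case itself is handled safely: an unresolvable target fails `iv != null`, the normal branch requires the field to be empty, and the rule falls through to `{}`.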
+++ b/authorize/log.go @@ -38,14 +38,8 @@ func (a *Authorize) logAuthorizeCheck( // session information if s, ok := s.(*session.Session); ok { evt = evt.Str("session-id", s.GetId()) - if s.GetImpersonateEmail() != "" { - evt = evt.Str("impersonate-email", s.GetImpersonateEmail()) - } - if len(s.GetImpersonateGroups()) > 0 { - evt = evt.Strs("impersonate-groups", s.GetImpersonateGroups()) - } - if s.GetImpersonateUserId() != "" { - evt = evt.Str("impersonate-user-id", s.GetImpersonateUserId()) + if s.GetImpersonateSessionId() != "" { + evt = evt.Str("impersonate-session-id", s.GetImpersonateSessionId()) } } if sa, ok := s.(*user.ServiceAccount); ok { diff --git a/config/policy_ppl_test.go b/config/policy_ppl_test.go index 915254aaa..57102f27a 100644 --- a/config/policy_ppl_test.go +++ b/config/policy_ppl_test.go @@ -526,9 +526,19 @@ get_session(id) = v { v != null } +else = iv { + v = get_databroker_record("type.googleapis.com/session.Session", id) + v != null + object.get(v, "impersonate_session_id", "") != "" + + iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id) + iv != null +} + else = v { v = get_databroker_record("type.googleapis.com/session.Session", id) v != null + object.get(v, "impersonate_session_id", "") == "" } else = {} { @@ -536,11 +546,6 @@ else = {} { } get_user(session) = v { - v = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id) - v != null -} - -else = v { v = get_databroker_record("type.googleapis.com/user.User", session.user_id) v != null } @@ -550,11 +555,6 @@ else = {} { } get_directory_user(session) = v { - v = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id) - v != null -} - -else = v { v = get_databroker_record("type.googleapis.com/directory.User", session.user_id) v != null } @@ -573,10 +573,6 @@ else = {} { } get_user_email(session, user) = v { - v = session.impersonate_email -} - -else = v { v = user.email } 
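Review bot: The audit event now carries only `impersonate-session-id` where it previously recorded the impersonated email, user id and groups; an auditor reading the log can no longer tell who was impersonated without looking up a session record that may have expired or been deleted by then. If the resolved target user is not already logged further down in logAuthorizeCheck (the function starts and ends outside the hunk), consider also emitting the target session's user id next to the session id so the record is self-contained.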
@@ -585,11 +581,6 @@ else = "" { } get_group_ids(session, directory_user) = v { - v = session.impersonate_groups - v != null -} - -else = v { v = directory_user.group_ids v != null } diff --git a/internal/frontend/assets/html/userInfo.html b/internal/frontend/assets/html/userInfo.html index 17a4d84b2..ad558b91c 100644 --- a/internal/frontend/assets/html/userInfo.html +++ b/internal/frontend/assets/html/userInfo.html @@ -82,28 +82,10 @@ {{.AsTime | formatTime}} {{end}} - {{with .Session.ImpersonateUserId}} - Impersonate ID - {{.}} + Impersonated + {{.IsImpersonated}} - {{end}} - {{with .Session.ImpersonateEmail}} - - Impersonate Email - {{.}} - - {{end}} - {{with $groups := .Session.ImpersonateGroups}} - - Impersonate Groups - - {{range $groups}} -

{{.}}

- {{end}} - - - {{end}} {{else}} diff --git a/pkg/grpc/session/session.pb.go b/pkg/grpc/session/session.pb.go index 0be3b5e23..dda972d3c 100644 --- a/pkg/grpc/session/session.pb.go +++ b/pkg/grpc/session/session.pb.go 
@@ -177,18 +177,16 @@ type Session struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` - Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"` - UserId string `protobuf:"bytes,3,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"` - IssuedAt *timestamppb.Timestamp `protobuf:"bytes,14,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"` - ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` - IdToken *IDToken `protobuf:"bytes,6,opt,name=id_token,json=idToken,proto3" json:"id_token,omitempty"` - OauthToken *OAuthToken `protobuf:"bytes,7,opt,name=oauth_token,json=oauthToken,proto3" json:"oauth_token,omitempty"` - Claims map[string]*structpb.ListValue `protobuf:"bytes,9,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - Audience []string `protobuf:"bytes,10,rep,name=audience,proto3" json:"audience,omitempty"` - ImpersonateUserId *string `protobuf:"bytes,11,opt,name=impersonate_user_id,json=impersonateUserId,proto3,oneof" json:"impersonate_user_id,omitempty"` - ImpersonateEmail *string `protobuf:"bytes,12,opt,name=impersonate_email,json=impersonateEmail,proto3,oneof" json:"impersonate_email,omitempty"` - ImpersonateGroups []string `protobuf:"bytes,13,rep,name=impersonate_groups,json=impersonateGroups,proto3" json:"impersonate_groups,omitempty"` + Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` + Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"` + UserId string `protobuf:"bytes,3,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"` + IssuedAt *timestamppb.Timestamp `protobuf:"bytes,14,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"` + ExpiresAt *timestamppb.Timestamp 
`protobuf:"bytes,4,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + IdToken *IDToken `protobuf:"bytes,6,opt,name=id_token,json=idToken,proto3" json:"id_token,omitempty"` + OauthToken *OAuthToken `protobuf:"bytes,7,opt,name=oauth_token,json=oauthToken,proto3" json:"oauth_token,omitempty"` + Claims map[string]*structpb.ListValue `protobuf:"bytes,9,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + Audience []string `protobuf:"bytes,10,rep,name=audience,proto3" json:"audience,omitempty"` + ImpersonateSessionId *string `protobuf:"bytes,15,opt,name=impersonate_session_id,json=impersonateSessionId,proto3,oneof" json:"impersonate_session_id,omitempty"` } func (x *Session) Reset() { @@ -286,27 +284,13 @@ func (x *Session) GetAudience() []string { return nil } -func (x *Session) GetImpersonateUserId() string { - if x != nil && x.ImpersonateUserId != nil { - return *x.ImpersonateUserId +func (x *Session) GetImpersonateSessionId() string { + if x != nil && x.ImpersonateSessionId != nil { + return *x.ImpersonateSessionId } return "" } -func (x *Session) GetImpersonateEmail() string { - if x != nil && x.ImpersonateEmail != nil { - return *x.ImpersonateEmail - } - return "" -} - -func (x *Session) GetImpersonateGroups() []string { - if x != nil { - return x.ImpersonateGroups - } - return nil -} - var File_session_proto protoreflect.FileDescriptor var file_session_proto_rawDesc = []byte{ 
@@ -338,7 +322,7 @@ var file_session_proto_rawDesc = []byte{ 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, - 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x90, 0x05, 0x0a, + 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xa2, 0x04, 0x0a, 0x07, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 
@@ -362,28 +346,21 @@ var file_session_proto_rawDesc = []byte{ 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, - 0x65, 0x6e, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x13, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, - 0x61, 0x74, 0x65, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x0b, 0x20, 0x01, 0x28, - 0x09, 0x48, 0x00, 0x52, 0x11, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, - 0x55, 0x73, 0x65, 0x72, 0x49, 0x64, 0x88, 0x01, 0x01, 0x12, 0x30, 0x0a, 0x11, 0x69, 0x6d, 0x70, - 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x0c, - 0x20, 0x01, 0x28, 0x09, 0x48, 0x01, 0x52, 0x10, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, - 0x61, 0x74, 0x65, 0x45, 0x6d, 0x61, 0x69, 0x6c, 0x88, 0x01, 0x01, 0x12, 0x2d, 0x0a, 0x12, 0x69, - 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, - 0x73, 0x18, 0x0d, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, - 0x6e, 0x61, 0x74, 0x65, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x1a, 0x55, 0x0a, 0x0b, 0x43, 0x6c, - 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, - 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, - 0x01, 0x42, 0x16, 0x0a, 0x14, 0x5f, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, - 0x65, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x42, 0x14, 0x0a, 0x12, 
0x5f, 0x69, 0x6d, - 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x42, - 0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, - 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, - 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x65, 0x6e, 0x63, 0x65, 0x12, 0x39, 0x0a, 0x16, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, + 0x61, 0x74, 0x65, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x0f, + 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x14, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, + 0x61, 0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x88, 0x01, 0x01, 0x1a, + 0x55, 0x0a, 0x0b, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, + 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, + 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x19, 0x0a, 0x17, 0x5f, 0x69, 0x6d, 0x70, 0x65, 0x72, + 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, + 0x64, 0x42, 0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, + 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73, 0x69, + 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
diff --git a/pkg/grpc/session/session.proto b/pkg/grpc/session/session.proto index 1f243fbd8..ad94f4eaa 100644 --- a/pkg/grpc/session/session.proto +++ b/pkg/grpc/session/session.proto @@ -32,7 +32,5 @@ message Session { map claims = 9; repeated string audience = 10; - optional string impersonate_user_id = 11; - optional string impersonate_email = 12; - repeated string impersonate_groups = 13; + optional string impersonate_session_id = 15; } diff --git a/pkg/policy/criteria/domains_test.go b/pkg/policy/criteria/domains_test.go index a816b6827..0b225123c 100644 --- a/pkg/policy/criteria/domains_test.go +++ b/pkg/policy/criteria/domains_test.go @@ -4,7 +4,6 @@ import ( "testing" "github.com/stretchr/testify/require" - "google.golang.org/protobuf/proto" "github.com/pomerium/pomerium/pkg/grpc/session" "github.com/pomerium/pomerium/pkg/grpc/user" @@ -53,9 +52,8 @@ allow: `, []dataBrokerRecord{ &session.Session{ - Id: "SESSION_ID", - UserId: "USER_ID", - ImpersonateEmail: proto.String("test2@example.com"), + Id: "SESSION_ID", + UserId: "USER_ID", }, &user.User{ Id: "USER_ID", diff --git a/pkg/policy/criteria/emails_test.go b/pkg/policy/criteria/emails_test.go index c8981d56e..b4b03f510 100644 --- a/pkg/policy/criteria/emails_test.go +++ b/pkg/policy/criteria/emails_test.go @@ -44,7 +44,7 @@ allow: require.Equal(t, true, res["allow"]) require.Equal(t, false, res["deny"]) }) - t.Run("by impersonate email", func(t *testing.T) { + t.Run("by impersonate session id", func(t *testing.T) { res, err := evaluate(t, ` allow: and: 
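Review bot: Field numbers 11, 12 and 13 are dropped from `Session` without being reserved; persisted databroker session records may still carry the old `impersonate_*` values, and a future field reusing one of those numbers with a wire-compatible type would silently decode that stale impersonation data as the new field. Add `reserved 11, 12, 13;` and `reserved "impersonate_user_id", "impersonate_email", "impersonate_groups";` to the message so the compiler rejects reuse. Picking 15 for the new field is correct given 14 is already `issued_at`.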
@@ -53,16 +53,24 @@ allow: `, []dataBrokerRecord{ &session.Session{ - Id: "SESSION_ID", - UserId: "USER_ID", - ImpersonateEmail: proto.String("test2@example.com"), + Id: "SESSION1", + UserId: "USER1", + ImpersonateSessionId: proto.String("SESSION2"), + }, + &session.Session{ + Id: "SESSION2", + UserId: "USER2", }, &user.User{ - Id: "USER_ID", + Id: "USER1", Email: "test1@example.com", }, + &user.User{ + Id: "USER2", + Email: "test2@example.com", + }, }, - Input{Session: InputSession{ID: "SESSION_ID"}}) + Input{Session: InputSession{ID: "SESSION1"}}) require.NoError(t, err) require.Equal(t, true, res["allow"]) require.Equal(t, false, res["deny"]) diff --git a/pkg/policy/rules/rules.go b/pkg/policy/rules/rules.go index c3e6a8d0d..67670bd09 100644 --- a/pkg/policy/rules/rules.go +++ b/pkg/policy/rules/rules.go @@ -3,15 +3,23 @@ package rules import "github.com/open-policy-agent/opa/ast" -// GetSession the session for the given id. +// GetSession gets the session for the given id. func GetSession() *ast.Rule { return ast.MustParseRule(` get_session(id) = v { v = get_databroker_record("type.googleapis.com/user.ServiceAccount", id) v != null +} else = iv { + v = get_databroker_record("type.googleapis.com/session.Session", id) + v != null + object.get(v, "impersonate_session_id", "") != "" + + iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id) + iv != null } else = v { v = get_databroker_record("type.googleapis.com/session.Session", id) v != null + object.get(v, "impersonate_session_id", "") == "" } else = {} { true } @@ -22,9 +30,6 @@ get_session(id) = v { func GetUser() *ast.Rule { return ast.MustParseRule(` get_user(session) = v { - v = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id) - v != null -} else = v { v = get_databroker_record("type.googleapis.com/user.User", session.user_id) v != null } else = {} { 
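Review bot: The new `else = iv` branch in GetSession is undocumented as to why a session whose `impersonate_session_id` cannot be resolved ends up as `{}`: that branch fails on `iv != null`, the following branch requires the field to be empty, and the request falls through to the empty session rather than to the impersonating session. Add a comment above the branch such as `# an unresolvable impersonate_session_id yields no session (fail closed), not the impersonating session`. The same rule body is now hand-maintained here and in authorize/evaluator/opa/policy/headers.rego; drift between the two would change who a policy evaluates versus whose identity is forwarded, so a comment pointing at the twin is the minimum. Only one hop is resolved, which matches the Go handler in authenticate/handlers.go and is worth stating in the same comment.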
@@ -37,8 +42,6 @@ get_user(session) = v { func GetUserEmail() *ast.Rule { return ast.MustParseRule(` get_user_email(session, user) = v { - v = session.impersonate_email -} else = v { v = user.email } else = "" { true @@ -50,9 +53,6 @@ get_user_email(session, user) = v { func GetDirectoryUser() *ast.Rule { return ast.MustParseRule(` get_directory_user(session) = v { - v = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id) - v != null -} else = v { v = get_databroker_record("type.googleapis.com/directory.User", session.user_id) v != null } else = "" { @@ -77,9 +77,6 @@ get_directory_group(id) = v { func GetGroupIDs() *ast.Rule { return ast.MustParseRule(` get_group_ids(session, directory_user) = v { - v = session.impersonate_groups - v != null -} else = v { v = directory_user.group_ids v != null } else = [] {