sessions: add impersonate_session_id, remove legacy impersonation (#2407)
* sessions: add impersonate_session_id, remove legacy impersonation
* show impersonated user details
* fix headers
* address feedback
* only check impersonate id on non-nil pbSession
* Revert "only check impersonate id on non-nil pbSession"
This reverts commit a6f7ca5abd.
This commit is contained in:
parent
2b6813dc95
commit
1a95036b8c
11 changed files with 116 additions and 216 deletions
|
@ -116,9 +116,8 @@ func TestEvaluator(t *testing.T) {
|
|||
t.Run("kubernetes", func(t *testing.T) {
|
||||
res, err := eval(t, options, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateGroups: []string{"i1", "i2"},
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
|
@ -137,15 +136,13 @@ func TestEvaluator(t *testing.T) {
|
|||
})
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "a@example.com", res.Headers.Get("Impersonate-User"))
|
||||
assert.Equal(t, "i1,i2", res.Headers.Get("Impersonate-Group"))
|
||||
})
|
||||
t.Run("google_cloud_serverless", func(t *testing.T) {
|
||||
withMockGCP(t, func() {
|
||||
res, err := eval(t, options, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateGroups: []string{"i1", "i2"},
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
|
@ -245,18 +242,22 @@ func TestEvaluator(t *testing.T) {
|
|||
t.Run("allowed", func(t *testing.T) {
|
||||
res, err := eval(t, options, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateEmail: proto.String("a@example.com"),
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&session.Session{
|
||||
Id: "session2",
|
||||
UserId: "user2",
|
||||
ImpersonateSessionId: proto.String("session1"),
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "b@example.com",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Policy: &policies[3],
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
ID: "session2",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
|
@ -267,31 +268,6 @@ func TestEvaluator(t *testing.T) {
|
|||
require.NoError(t, err)
|
||||
assert.True(t, res.Allow)
|
||||
})
|
||||
t.Run("denied", func(t *testing.T) {
|
||||
res, err := eval(t, options, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateEmail: proto.String("b@example.com"),
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Policy: &policies[3],
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
ClientCertificate: testValidCert,
|
||||
},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
assert.False(t, res.Allow)
|
||||
})
|
||||
})
|
||||
t.Run("user_id", func(t *testing.T) {
|
||||
res, err := eval(t, options, []proto.Message{
|
||||
|
@ -344,13 +320,17 @@ func TestEvaluator(t *testing.T) {
|
|||
t.Run("impersonate domain", func(t *testing.T) {
|
||||
res, err := eval(t, options, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateEmail: proto.String("a@example.com"),
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&session.Session{
|
||||
Id: "session2",
|
||||
UserId: "user2",
|
||||
ImpersonateSessionId: proto.String("session1"),
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@notexample.com",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Policy: &policies[6],
|
||||
|
@ -399,39 +379,6 @@ func TestEvaluator(t *testing.T) {
|
|||
require.NoError(t, err)
|
||||
assert.True(t, res.Allow)
|
||||
})
|
||||
t.Run("impersonate groups", func(t *testing.T) {
|
||||
res, err := eval(t, options, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateGroups: []string{"group1"},
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
&directory.User{
|
||||
Id: "user1",
|
||||
},
|
||||
&directory.Group{
|
||||
Id: "group1",
|
||||
Name: "group1name",
|
||||
Email: "group1@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Policy: &policies[7],
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
ClientCertificate: testValidCert,
|
||||
},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
assert.True(t, res.Allow)
|
||||
})
|
||||
t.Run("any authenticated user", func(t *testing.T) {
|
||||
res, err := eval(t, options, []proto.Message{
|
||||
&session.Session{
|
||||
|
|
|
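Review bot: The new `impersonate_session_id` path is only exercised on the allow side — the "allowed" (@ -245) and "impersonate domain" (@ -344) cases now chain session2 → session1, but the "denied" case removed in @ -267 and the "impersonate groups" case removed in @ -399 get no replacement, so nothing pins that a session whose impersonate target resolves to a user the policy does not accept is still refused. A denied case mirroring the old one (impersonated user with email `b@example.com` against `policies[3]`) would close that gap; the sketch below follows the shape of the surviving "allowed" case, with the HTTP fields elided. The enclosing `TestEvaluator` starts before and ends after these hunks, and whether `policies[3]` is still the email-based policy is inferred from the old denied case, not visible here.
```go
t.Run("denied", func(t *testing.T) {
	res, err := eval(t, options, []proto.Message{
		&session.Session{
			Id:     "session1",
			UserId: "user1",
		},
		&session.Session{
			Id:                   "session2",
			UserId:               "user2",
			ImpersonateSessionId: proto.String("session1"),
		},
		&user.User{
			Id:    "user1",
			Email: "b@example.com",
		},
	}, &Request{
		Policy:  &policies[3],
		Session: RequestSession{ID: "session2"},
		// … unchanged: HTTP fields as in the "allowed" case …
	})
	require.NoError(t, err)
	assert.False(t, res.Allow)
})
```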
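--- a/<rego file path not shown on page>
+++ b/<rego file path not shown on page>
@@ -26,20 +26,29 @@ package pomerium.headers
 # 5 minutes from now in seconds
 five_minutes := round((time.now_ns() / 1e9) + (60 * 5))
 
-session = s {
-s = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id)
-s != null
-} else = s {
-s = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
-s != null
+# get the session
+session = v {
+# try a service account
+v = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id)
+v != null
+} else = iv {
+# try an impersonated session
+v = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
+v != null
+object.get(v, "impersonate_session_id", "") != ""
+
+iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id)
+iv != null
+} else = v {
+# try a normal session
+v = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
+v != null
+object.get(v, "impersonate_session_id", "") == ""
 } else = {} {
 true
 }
 
 user = u {
-u = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
-u != null
-} else = u {
 u = get_databroker_record("type.googleapis.com/user.User", session.user_id)
 u != null
 } else = {} {
@@ -47,9 +56,6 @@ user = u {
 }
 
 directory_user = du {
-du = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
-du != null
-} else = du {
 du = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
 du != null
 } else = {} {
@@ -57,9 +63,6 @@ directory_user = du {
 }
 
 group_ids = gs {
-gs = session.impersonate_groups
-gs != null
-} else = gs {
 gs = directory_user.group_ids
 gs != null
 } else = [] {
@@ -119,8 +122,6 @@ jwt_payload_user = v {
 }
 
 jwt_payload_email = v {
-v = session.impersonate_email
-} else = v {
 v = directory_user.email
 } else = v {
 v = user.email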
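Review bot: The `else = iv` arm of the new `session` rule (@ -26) swaps the caller's session for the one named by `impersonate_session_id` without any check on the calling session's right to impersonate, and nothing in these hunks keeps `input.session.id` afterwards, so `user`, `directory_user`, `group_ids` and `jwt_payload_email` all resolve from the impersonated identity only. If that authority check lives where the field is written (inferred, not visible here), the branch should say so: `# NOTE: the right to impersonate is not checked here; it must be enforced wherever impersonate_session_id is set`. Two further behaviours are worth a one-line comment each because they look intended but are not stated: `iv` is used as-is, so an `impersonate_session_id` on the target session is not followed (`# impersonation is one level deep`), and a target that does not exist fails this arm, then fails the "normal session" arm on the non-empty id and ends at `{}`, i.e. the lookup fails closed. The rule is complete within the hunk; the rules that consume `session` continue past it.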