sessions: add impersonate_session_id, remove legacy impersonation (#2407)

* sessions: add impersonate_session_id, remove legacy impersonation * show impersonated user details * fix headers * address feedback * only check impersonate id on non-nil pbSession * Revert "only check impersonate id on non-nil pbSession" This reverts commit a6f7ca5abd.
2025-06-02 19:04:14 +02:00 · 2021-07-30 08:42:36 -06:00 · 2021-07-30 08:42:36 -06:00 · 1a95036b8c
commit 1a95036b8c
parent 2b6813dc95
11 changed files with 116 additions and 216 deletions
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@ -116,9 +116,8 @@ func TestEvaluator(t *testing.T) {
 		t.Run("kubernetes", func(t *testing.T) {
 			res, err := eval(t, options, []proto.Message{
 				&session.Session{
-					Id:                "session1",
-					UserId:            "user1",
-					ImpersonateGroups: []string{"i1", "i2"},
+					Id:     "session1",
+					UserId: "user1",
 				},
 				&user.User{
 					Id:    "user1",
@ -137,15 +136,13 @@ func TestEvaluator(t *testing.T) {
 			})
 			require.NoError(t, err)
 			assert.Equal(t, "a@example.com", res.Headers.Get("Impersonate-User"))
-			assert.Equal(t, "i1,i2", res.Headers.Get("Impersonate-Group"))
 		})
 		t.Run("google_cloud_serverless", func(t *testing.T) {
 			withMockGCP(t, func() {
 				res, err := eval(t, options, []proto.Message{
 					&session.Session{
-						Id:                "session1",
-						UserId:            "user1",
-						ImpersonateGroups: []string{"i1", "i2"},
+						Id:     "session1",
+						UserId: "user1",
 					},
 					&user.User{
 						Id:    "user1",
@ -245,18 +242,22 @@ func TestEvaluator(t *testing.T) {
 		t.Run("allowed", func(t *testing.T) {
 			res, err := eval(t, options, []proto.Message{
 				&session.Session{
-					Id:               "session1",
-					UserId:           "user1",
-					ImpersonateEmail: proto.String("a@example.com"),
+					Id:     "session1",
+					UserId: "user1",
+				},
+				&session.Session{
+					Id:                   "session2",
+					UserId:               "user2",
+					ImpersonateSessionId: proto.String("session1"),
 				},
 				&user.User{
 					Id:    "user1",
-					Email: "b@example.com",
+					Email: "a@example.com",
 				},
 			}, &Request{
 				Policy: &policies[3],
 				Session: RequestSession{
-					ID: "session1",
+					ID: "session2",
 				},
 				HTTP: RequestHTTP{
 					Method:            "GET",
@ -267,31 +268,6 @@ func TestEvaluator(t *testing.T) {
 			require.NoError(t, err)
 			assert.True(t, res.Allow)
 		})
-		t.Run("denied", func(t *testing.T) {
-			res, err := eval(t, options, []proto.Message{
-				&session.Session{
-					Id:               "session1",
-					UserId:           "user1",
-					ImpersonateEmail: proto.String("b@example.com"),
-				},
-				&user.User{
-					Id:    "user1",
-					Email: "a@example.com",
-				},
-			}, &Request{
-				Policy: &policies[3],
-				Session: RequestSession{
-					ID: "session1",
-				},
-				HTTP: RequestHTTP{
-					Method:            "GET",
-					URL:               "https://from.example.com",
-					ClientCertificate: testValidCert,
-				},
-			})
-			require.NoError(t, err)
-			assert.False(t, res.Allow)
-		})
 	})
 	t.Run("user_id", func(t *testing.T) {
 		res, err := eval(t, options, []proto.Message{
@ -344,13 +320,17 @@ func TestEvaluator(t *testing.T) {
 	t.Run("impersonate domain", func(t *testing.T) {
 		res, err := eval(t, options, []proto.Message{
 			&session.Session{
-				Id:               "session1",
-				UserId:           "user1",
-				ImpersonateEmail: proto.String("a@example.com"),
+				Id:     "session1",
+				UserId: "user1",
+			},
+			&session.Session{
+				Id:                   "session2",
+				UserId:               "user2",
+				ImpersonateSessionId: proto.String("session1"),
 			},
 			&user.User{
 				Id:    "user1",
-				Email: "a@notexample.com",
+				Email: "a@example.com",
 			},
 		}, &Request{
 			Policy: &policies[6],
@ -399,39 +379,6 @@ func TestEvaluator(t *testing.T) {
 		require.NoError(t, err)
 		assert.True(t, res.Allow)
 	})
-	t.Run("impersonate groups", func(t *testing.T) {
-		res, err := eval(t, options, []proto.Message{
-			&session.Session{
-				Id:                "session1",
-				UserId:            "user1",
-				ImpersonateGroups: []string{"group1"},
-			},
-			&user.User{
-				Id:    "user1",
-				Email: "a@example.com",
-			},
-			&directory.User{
-				Id: "user1",
-			},
-			&directory.Group{
-				Id:    "group1",
-				Name:  "group1name",
-				Email: "group1@example.com",
-			},
-		}, &Request{
-			Policy: &policies[7],
-			Session: RequestSession{
-				ID: "session1",
-			},
-			HTTP: RequestHTTP{
-				Method:            "GET",
-				URL:               "https://from.example.com",
-				ClientCertificate: testValidCert,
-			},
-		})
-		require.NoError(t, err)
-		assert.True(t, res.Allow)
-	})
 	t.Run("any authenticated user", func(t *testing.T) {
 		res, err := eval(t, options, []proto.Message{
 			&session.Session{