sessions: add impersonate_session_id, remove legacy impersonation (#2407)

* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.

pkg/policy/criteria/domains_test.go

@@ -4,7 +4,6 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	"google.golang.org/protobuf/proto"
 
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
@@ -53,9 +52,8 @@ allow:
 `,
 			[]dataBrokerRecord{
 				&session.Session{
-					Id:               "SESSION_ID",
-					UserId:           "USER_ID",
-					ImpersonateEmail: proto.String("test2@example.com"),
+					Id:     "SESSION_ID",
+					UserId: "USER_ID",
 				},
 				&user.User{
 					Id:    "USER_ID",

pkg/policy/criteria/emails_test.go

@@ -44,7 +44,7 @@ allow:
 		require.Equal(t, true, res["allow"])
 		require.Equal(t, false, res["deny"])
 	})
-	t.Run("by impersonate email", func(t *testing.T) {
+	t.Run("by impersonate session id", func(t *testing.T) {
 		res, err := evaluate(t, `
 allow:
   and:
@@ -53,16 +53,24 @@ allow:
 `,
 			[]dataBrokerRecord{
 				&session.Session{
-					Id:               "SESSION_ID",
-					UserId:           "USER_ID",
-					ImpersonateEmail: proto.String("test2@example.com"),
+					Id:                   "SESSION1",
+					UserId:               "USER1",
+					ImpersonateSessionId: proto.String("SESSION2"),
+				},
+				&session.Session{
+					Id:     "SESSION2",
+					UserId: "USER2",
 				},
 				&user.User{
-					Id:    "USER_ID",
+					Id:    "USER1",
 					Email: "test1@example.com",
 				},
+				&user.User{
+					Id:    "USER2",
+					Email: "test2@example.com",
+				},
 			},
-			Input{Session: InputSession{ID: "SESSION_ID"}})
+			Input{Session: InputSession{ID: "SESSION1"}})
 		require.NoError(t, err)
 		require.Equal(t, true, res["allow"])
 		require.Equal(t, false, res["deny"])

pkg/policy/rules/rules.go

@@ -3,15 +3,23 @@ package rules
 
 import "github.com/open-policy-agent/opa/ast"
 
-// GetSession the session for the given id.
+// GetSession gets the session for the given id.
 func GetSession() *ast.Rule {
 	return ast.MustParseRule(`
 get_session(id) = v {
 	v = get_databroker_record("type.googleapis.com/user.ServiceAccount", id)
 	v != null
+} else = iv {
+	v = get_databroker_record("type.googleapis.com/session.Session", id)
+	v != null
+	object.get(v, "impersonate_session_id", "") != ""
+
+	iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id)
+	iv != null
 } else = v {
 	v = get_databroker_record("type.googleapis.com/session.Session", id)
 	v != null
+	object.get(v, "impersonate_session_id", "") == ""
 } else = {} {
 	true
 }
@@ -22,9 +30,6 @@ get_session(id) = v {
 func GetUser() *ast.Rule {
 	return ast.MustParseRule(`
 get_user(session) = v {
-	v = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
-	v != null
-} else = v {
 	v = get_databroker_record("type.googleapis.com/user.User", session.user_id)
 	v != null
 } else = {} {
@@ -37,8 +42,6 @@ get_user(session) = v {
 func GetUserEmail() *ast.Rule {
 	return ast.MustParseRule(`
 get_user_email(session, user) = v {
-	v = session.impersonate_email
-} else = v {
 	v = user.email
 } else = "" {
 	true
@@ -50,9 +53,6 @@ get_user_email(session, user) = v {
 func GetDirectoryUser() *ast.Rule {
 	return ast.MustParseRule(`
 get_directory_user(session) = v {
-	v = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
-	v != null
-} else = v {
 	v = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
 	v != null
 } else = "" {
@@ -77,9 +77,6 @@ get_directory_group(id) = v {
 func GetGroupIDs() *ast.Rule {
 	return ast.MustParseRule(`
 get_group_ids(session, directory_user) = v {
-	v = session.impersonate_groups
-	v != null
-} else = v {
 	v = directory_user.group_ids
 	v != null
 } else = [] {