3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-28 18:06:34 +02:00
Code Issues Projects Releases Packages Wiki Activity

sessions: add impersonate_session_id, remove legacy impersonation (#2407)

Browse source 
* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.
This commit is contained in:
Caleb Doxsey 2021-07-30 08:42:36 -06:00 committed by GitHub
parent 2b6813dc95
commit 1a95036b8c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 116 additions and 216 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
authenticate/handlers.go
View file

@ -451,12 +451,18 @@ func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error {
s.ID = uuid.New().String() s.ID = uuid.New().String()
} }
isImpersonated := false
pbSession, err := session.Get(ctx, state.dataBrokerClient, s.ID) pbSession, err := session.Get(ctx, state.dataBrokerClient, s.ID)
if pbSession.GetImpersonateSessionId() != "" {
pbSession, err = session.Get(ctx, state.dataBrokerClient, pbSession.GetImpersonateSessionId())
isImpersonated = true
}
if err != nil { if err != nil {
pbSession = &session.Session{ pbSession = &session.Session{
Id: s.ID, Id: s.ID,
} }
} }
pbUser, err := user.Get(ctx, state.dataBrokerClient, pbSession.GetUserId()) pbUser, err := user.Get(ctx, state.dataBrokerClient, pbSession.GetUserId())
if err != nil { if err != nil {
pbUser = &user.User{ pbUser = &user.User{
@ -488,8 +494,9 @@ func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error {
} }
input := map[string]interface{}{ input := map[string]interface{}{
"IsImpersonated": isImpersonated,
"State": s, // local session state (cookie, header, etc) "State": s, // local session state (cookie, header, etc)
"Session": pbSession, // current access, refresh, id token, & impersonation state "Session": pbSession, // current access, refresh, id token
"User": pbUser, // user details inferred from oidc id_token "User": pbUser, // user details inferred from oidc id_token
"DirectoryUser": pbDirectoryUser, // user details inferred from idp directory "DirectoryUser": pbDirectoryUser, // user details inferred from idp directory
"DirectoryGroups": groups, // user's groups inferred from idp directory "DirectoryGroups": groups, // user's groups inferred from idp directory

95
authorize/evaluator/evaluator_test.go
View file

@ -116,9 +116,8 @@ func TestEvaluator(t *testing.T) {
t.Run("kubernetes", func(t *testing.T) { t.Run("kubernetes", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{ res, err := eval(t, options, []proto.Message{
&session.Session{ &session.Session{
Id: "session1", Id: "session1",
UserId: "user1", UserId: "user1",
ImpersonateGroups: []string{"i1", "i2"},
}, },
&user.User{ &user.User{
Id: "user1", Id: "user1",
@ -137,15 +136,13 @@ func TestEvaluator(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
assert.Equal(t, "a@example.com", res.Headers.Get("Impersonate-User")) assert.Equal(t, "a@example.com", res.Headers.Get("Impersonate-User"))
assert.Equal(t, "i1,i2", res.Headers.Get("Impersonate-Group"))
}) })
t.Run("google_cloud_serverless", func(t *testing.T) { t.Run("google_cloud_serverless", func(t *testing.T) {
withMockGCP(t, func() { withMockGCP(t, func() {
res, err := eval(t, options, []proto.Message{ res, err := eval(t, options, []proto.Message{
&session.Session{ &session.Session{
Id: "session1", Id: "session1",
UserId: "user1", UserId: "user1",
ImpersonateGroups: []string{"i1", "i2"},
}, },
&user.User{ &user.User{
Id: "user1", Id: "user1",
@ -245,18 +242,22 @@ func TestEvaluator(t *testing.T) {
t.Run("allowed", func(t *testing.T) { t.Run("allowed", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{ res, err := eval(t, options, []proto.Message{
&session.Session{ &session.Session{
Id: "session1", Id: "session1",
UserId: "user1", UserId: "user1",
ImpersonateEmail: proto.String("a@example.com"), },
&session.Session{
Id: "session2",
UserId: "user2",
ImpersonateSessionId: proto.String("session1"),
}, },
&user.User{ &user.User{
Id: "user1", Id: "user1",
Email: "b@example.com", Email: "a@example.com",
}, },
}, &Request{ }, &Request{
Policy: &policies[3], Policy: &policies[3],
Session: RequestSession{ Session: RequestSession{
ID: "session1", ID: "session2",
}, },
HTTP: RequestHTTP{ HTTP: RequestHTTP{
Method: "GET", Method: "GET",
@ -267,31 +268,6 @@ func TestEvaluator(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
assert.True(t, res.Allow) assert.True(t, res.Allow)
}) })
t.Run("denied", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateEmail: proto.String("b@example.com"),
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
}, &Request{
Policy: &policies[3],
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
})
require.NoError(t, err)
assert.False(t, res.Allow)
})
}) })
t.Run("user_id", func(t *testing.T) { t.Run("user_id", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{ res, err := eval(t, options, []proto.Message{
@ -344,13 +320,17 @@ func TestEvaluator(t *testing.T) {
t.Run("impersonate domain", func(t *testing.T) { t.Run("impersonate domain", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{ res, err := eval(t, options, []proto.Message{
&session.Session{ &session.Session{
Id: "session1", Id: "session1",
UserId: "user1", UserId: "user1",
ImpersonateEmail: proto.String("a@example.com"), },
&session.Session{
Id: "session2",
UserId: "user2",
ImpersonateSessionId: proto.String("session1"),
}, },
&user.User{ &user.User{
Id: "user1", Id: "user1",
Email: "a@notexample.com", Email: "a@example.com",
}, },
}, &Request{ }, &Request{
Policy: &policies[6], Policy: &policies[6],
@ -399,39 +379,6 @@ func TestEvaluator(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
assert.True(t, res.Allow) assert.True(t, res.Allow)
}) })
t.Run("impersonate groups", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateGroups: []string{"group1"},
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
&directory.User{
Id: "user1",
},
&directory.Group{
Id: "group1",
Name: "group1name",
Email: "group1@example.com",
},
}, &Request{
Policy: &policies[7],
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
})
require.NoError(t, err)
assert.True(t, res.Allow)
})
t.Run("any authenticated user", func(t *testing.T) { t.Run("any authenticated user", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{ res, err := eval(t, options, []proto.Message{
&session.Session{ &session.Session{

35
authorize/evaluator/opa/policy/headers.rego
View file

@ -26,20 +26,29 @@ package pomerium.headers
# 5 minutes from now in seconds # 5 minutes from now in seconds
five_minutes := round((time.now_ns() / 1e9) + (60 * 5)) five_minutes := round((time.now_ns() / 1e9) + (60 * 5))
session = s { # get the session
s = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id) session = v {
s != null # try a service account
} else = s { v = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id)
s = get_databroker_record("type.googleapis.com/session.Session", input.session.id) v != null
s != null } else = iv {
# try an impersonated session
v = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
v != null
object.get(v, "impersonate_session_id", "") != ""
iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id)
iv != null
} else = v {
# try a normal session
v = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
v != null
object.get(v, "impersonate_session_id", "") == ""
} else = {} { } else = {} {
true true
} }
user = u { user = u {
u = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
u != null
} else = u {
u = get_databroker_record("type.googleapis.com/user.User", session.user_id) u = get_databroker_record("type.googleapis.com/user.User", session.user_id)
u != null u != null
} else = {} { } else = {} {
@ -47,9 +56,6 @@ user = u {
} }
directory_user = du { directory_user = du {
du = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
du != null
} else = du {
du = get_databroker_record("type.googleapis.com/directory.User", session.user_id) du = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
du != null du != null
} else = {} { } else = {} {
@ -57,9 +63,6 @@ directory_user = du {
} }
group_ids = gs { group_ids = gs {
gs = session.impersonate_groups
gs != null
} else = gs {
gs = directory_user.group_ids gs = directory_user.group_ids
gs != null gs != null
} else = [] { } else = [] {
@ -119,8 +122,6 @@ jwt_payload_user = v {
} }
jwt_payload_email = v { jwt_payload_email = v {
v = session.impersonate_email
} else = v {
v = directory_user.email v = directory_user.email
} else = v { } else = v {
v = user.email v = user.email

10
authorize/log.go
View file

@ -38,14 +38,8 @@ func (a *Authorize) logAuthorizeCheck(
// session information // session information
if s, ok := s.(*session.Session); ok { if s, ok := s.(*session.Session); ok {
evt = evt.Str("session-id", s.GetId()) evt = evt.Str("session-id", s.GetId())
if s.GetImpersonateEmail() != "" { if s.GetImpersonateSessionId() != "" {
evt = evt.Str("impersonate-email", s.GetImpersonateEmail()) evt = evt.Str("impersonate-session-id", s.GetImpersonateSessionId())
}
if len(s.GetImpersonateGroups()) > 0 {
evt = evt.Strs("impersonate-groups", s.GetImpersonateGroups())
}
if s.GetImpersonateUserId() != "" {
evt = evt.Str("impersonate-user-id", s.GetImpersonateUserId())
} }
} }
if sa, ok := s.(*user.ServiceAccount); ok { if sa, ok := s.(*user.ServiceAccount); ok {

29
config/policy_ppl_test.go
View file

@ -526,9 +526,19 @@ get_session(id) = v {
v != null v != null
} }
else = iv {
v = get_databroker_record("type.googleapis.com/session.Session", id)
v != null
object.get(v, "impersonate_session_id", "") != ""
iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id)
iv != null
}
else = v { else = v {
v = get_databroker_record("type.googleapis.com/session.Session", id) v = get_databroker_record("type.googleapis.com/session.Session", id)
v != null v != null
object.get(v, "impersonate_session_id", "") == ""
} }
else = {} { else = {} {
@ -536,11 +546,6 @@ else = {} {
} }
get_user(session) = v { get_user(session) = v {
v = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
v != null
}
else = v {
v = get_databroker_record("type.googleapis.com/user.User", session.user_id) v = get_databroker_record("type.googleapis.com/user.User", session.user_id)
v != null v != null
} }
@ -550,11 +555,6 @@ else = {} {
} }
get_directory_user(session) = v { get_directory_user(session) = v {
v = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
v != null
}
else = v {
v = get_databroker_record("type.googleapis.com/directory.User", session.user_id) v = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
v != null v != null
} }
@ -573,10 +573,6 @@ else = {} {
} }
get_user_email(session, user) = v { get_user_email(session, user) = v {
v = session.impersonate_email
}
else = v {
v = user.email v = user.email
} }
@ -585,11 +581,6 @@ else = "" {
} }
get_group_ids(session, directory_user) = v { get_group_ids(session, directory_user) = v {
v = session.impersonate_groups
v != null
}
else = v {
v = directory_user.group_ids v = directory_user.group_ids
v != null v != null
} }

22
internal/frontend/assets/html/userInfo.html
View file

@ -82,28 +82,10 @@
<td>{{.AsTime | formatTime}}</td> <td>{{.AsTime | formatTime}}</td>
</tr> </tr>
{{end}} {{end}}
{{with .Session.ImpersonateUserId}}
<tr> <tr>
<td>Impersonate ID</td> <td>Impersonated</td>
<td>{{.}}</td> <td>{{.IsImpersonated}}</td>
</tr> </tr>
{{end}}
{{with .Session.ImpersonateEmail}}
<tr>
<td>Impersonate Email</td>
<td>{{.}}</td>
</tr>
{{end}}
{{with $groups := .Session.ImpersonateGroups}}
<tr>
<td>Impersonate Groups</td>
<td>
{{range $groups}}
<p>{{.}}</p>
{{end}}
</td>
</tr>
{{end}}
</tbody> </tbody>
</table> </table>
{{else}} {{else}}

81
pkg/grpc/session/session.pb.go
View file

@ -177,18 +177,16 @@ type Session struct {
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields unknownFields protoimpl.UnknownFields
Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"` Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
UserId string `protobuf:"bytes,3,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"` UserId string `protobuf:"bytes,3,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
IssuedAt *timestamppb.Timestamp `protobuf:"bytes,14,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"` IssuedAt *timestamppb.Timestamp `protobuf:"bytes,14,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"`
IdToken *IDToken `protobuf:"bytes,6,opt,name=id_token,json=idToken,proto3" json:"id_token,omitempty"` IdToken *IDToken `protobuf:"bytes,6,opt,name=id_token,json=idToken,proto3" json:"id_token,omitempty"`
OauthToken *OAuthToken `protobuf:"bytes,7,opt,name=oauth_token,json=oauthToken,proto3" json:"oauth_token,omitempty"` OauthToken *OAuthToken `protobuf:"bytes,7,opt,name=oauth_token,json=oauthToken,proto3" json:"oauth_token,omitempty"`
Claims map[string]*structpb.ListValue `protobuf:"bytes,9,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` Claims map[string]*structpb.ListValue `protobuf:"bytes,9,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Audience []string `protobuf:"bytes,10,rep,name=audience,proto3" json:"audience,omitempty"` Audience []string `protobuf:"bytes,10,rep,name=audience,proto3" json:"audience,omitempty"`
ImpersonateUserId *string `protobuf:"bytes,11,opt,name=impersonate_user_id,json=impersonateUserId,proto3,oneof" json:"impersonate_user_id,omitempty"` ImpersonateSessionId *string `protobuf:"bytes,15,opt,name=impersonate_session_id,json=impersonateSessionId,proto3,oneof" json:"impersonate_session_id,omitempty"`
ImpersonateEmail *string `protobuf:"bytes,12,opt,name=impersonate_email,json=impersonateEmail,proto3,oneof" json:"impersonate_email,omitempty"`
ImpersonateGroups []string `protobuf:"bytes,13,rep,name=impersonate_groups,json=impersonateGroups,proto3" json:"impersonate_groups,omitempty"`
} }
func (x *Session) Reset() { func (x *Session) Reset() {
@ -286,27 +284,13 @@ func (x *Session) GetAudience() []string {
return nil return nil
} }
func (x *Session) GetImpersonateUserId() string { func (x *Session) GetImpersonateSessionId() string {
if x != nil && x.ImpersonateUserId != nil { if x != nil && x.ImpersonateSessionId != nil {
return *x.ImpersonateUserId return *x.ImpersonateSessionId
} }
return "" return ""
} }
func (x *Session) GetImpersonateEmail() string {
if x != nil && x.ImpersonateEmail != nil {
return *x.ImpersonateEmail
}
return ""
}
func (x *Session) GetImpersonateGroups() []string {
if x != nil {
return x.ImpersonateGroups
}
return nil
}
var File_session_proto protoreflect.FileDescriptor var File_session_proto protoreflect.FileDescriptor
var file_session_proto_rawDesc = []byte{ var file_session_proto_rawDesc = []byte{
@ -338,7 +322,7 @@ var file_session_proto_rawDesc = []byte{
0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78,
0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x72, 0x65, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x72, 0x65,
0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c,
0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x90, 0x05, 0x0a, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xa2, 0x04, 0x0a,
0x07, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x07, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73,
0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69,
0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02,
@ -362,28 +346,21 @@ var file_session_proto_rawDesc = []byte{
0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79,
0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69,
0x65, 0x6e, 0x63, 0x65, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69,
0x65, 0x6e, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x13, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x39, 0x0a, 0x16, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e,
0x61, 0x74, 0x65, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x0f,
0x09, 0x48, 0x00, 0x52, 0x11, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x14, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e,
0x55, 0x73, 0x65, 0x72, 0x49, 0x64, 0x88, 0x01, 0x01, 0x12, 0x30, 0x0a, 0x11, 0x69, 0x6d, 0x70, 0x61, 0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x88, 0x01, 0x01, 0x1a,
0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x0c, 0x55, 0x0a, 0x0b, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10,
0x20, 0x01, 0x28, 0x09, 0x48, 0x01, 0x52, 0x10, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79,
0x61, 0x74, 0x65, 0x45, 0x6d, 0x61, 0x69, 0x6c, 0x88, 0x01, 0x01, 0x12, 0x2d, 0x0a, 0x12, 0x69, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
0x73, 0x18, 0x0d, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c,
0x6e, 0x61, 0x74, 0x65, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x1a, 0x55, 0x0a, 0x0b, 0x43, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x19, 0x0a, 0x17, 0x5f, 0x69, 0x6d, 0x70, 0x65, 0x72,
0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69,
0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x64, 0x42, 0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75,
0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73, 0x69,
0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x01, 0x42, 0x16, 0x0a, 0x14, 0x5f, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74,
0x65, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x42, 0x14, 0x0a, 0x12, 0x5f, 0x69, 0x6d,
0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x42,
0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f,
0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f,
0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e,
0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
} }
var ( var (

4
pkg/grpc/session/session.proto
View file

@ -32,7 +32,5 @@ message Session {
map<string, google.protobuf.ListValue> claims = 9; map<string, google.protobuf.ListValue> claims = 9;
repeated string audience = 10; repeated string audience = 10;
optional string impersonate_user_id = 11; optional string impersonate_session_id = 15;
optional string impersonate_email = 12;
repeated string impersonate_groups = 13;
} }

6
pkg/policy/criteria/domains_test.go
View file

@ -4,7 +4,6 @@ import (
"testing" "testing"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto"
"github.com/pomerium/pomerium/pkg/grpc/session" "github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user" "github.com/pomerium/pomerium/pkg/grpc/user"
@ -53,9 +52,8 @@ allow:
`, `,
[]dataBrokerRecord{ []dataBrokerRecord{
&session.Session{ &session.Session{
Id: "SESSION_ID", Id: "SESSION_ID",
UserId: "USER_ID", UserId: "USER_ID",
ImpersonateEmail: proto.String("test2@example.com"),
}, },
&user.User{ &user.User{
Id: "USER_ID", Id: "USER_ID",

20
pkg/policy/criteria/emails_test.go
View file

@ -44,7 +44,7 @@ allow:
require.Equal(t, true, res["allow"]) require.Equal(t, true, res["allow"])
require.Equal(t, false, res["deny"]) require.Equal(t, false, res["deny"])
}) })
t.Run("by impersonate email", func(t *testing.T) { t.Run("by impersonate session id", func(t *testing.T) {
res, err := evaluate(t, ` res, err := evaluate(t, `
allow: allow:
and: and:
@ -53,16 +53,24 @@ allow:
`, `,
[]dataBrokerRecord{ []dataBrokerRecord{
&session.Session{ &session.Session{
Id: "SESSION_ID", Id: "SESSION1",
UserId: "USER_ID", UserId: "USER1",
ImpersonateEmail: proto.String("test2@example.com"), ImpersonateSessionId: proto.String("SESSION2"),
},
&session.Session{
Id: "SESSION2",
UserId: "USER2",
}, },
&user.User{ &user.User{
Id: "USER_ID", Id: "USER1",
Email: "test1@example.com", Email: "test1@example.com",
}, },
&user.User{
Id: "USER2",
Email: "test2@example.com",
},
}, },
Input{Session: InputSession{ID: "SESSION_ID"}}) Input{Session: InputSession{ID: "SESSION1"}})
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, true, res["allow"]) require.Equal(t, true, res["allow"])
require.Equal(t, false, res["deny"]) require.Equal(t, false, res["deny"])

21
pkg/policy/rules/rules.go
View file

@ -3,15 +3,23 @@ package rules
import "github.com/open-policy-agent/opa/ast" import "github.com/open-policy-agent/opa/ast"
// GetSession the session for the given id. // GetSession gets the session for the given id.
func GetSession() *ast.Rule { func GetSession() *ast.Rule {
return ast.MustParseRule(` return ast.MustParseRule(`
get_session(id) = v { get_session(id) = v {
v = get_databroker_record("type.googleapis.com/user.ServiceAccount", id) v = get_databroker_record("type.googleapis.com/user.ServiceAccount", id)
v != null v != null
} else = iv {
v = get_databroker_record("type.googleapis.com/session.Session", id)
v != null
object.get(v, "impersonate_session_id", "") != ""
iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id)
iv != null
} else = v { } else = v {
v = get_databroker_record("type.googleapis.com/session.Session", id) v = get_databroker_record("type.googleapis.com/session.Session", id)
v != null v != null
object.get(v, "impersonate_session_id", "") == ""
} else = {} { } else = {} {
true true
} }
@ -22,9 +30,6 @@ get_session(id) = v {
func GetUser() *ast.Rule { func GetUser() *ast.Rule {
return ast.MustParseRule(` return ast.MustParseRule(`
get_user(session) = v { get_user(session) = v {
v = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
v != null
} else = v {
v = get_databroker_record("type.googleapis.com/user.User", session.user_id) v = get_databroker_record("type.googleapis.com/user.User", session.user_id)
v != null v != null
} else = {} { } else = {} {
@ -37,8 +42,6 @@ get_user(session) = v {
func GetUserEmail() *ast.Rule { func GetUserEmail() *ast.Rule {
return ast.MustParseRule(` return ast.MustParseRule(`
get_user_email(session, user) = v { get_user_email(session, user) = v {
v = session.impersonate_email
} else = v {
v = user.email v = user.email
} else = "" { } else = "" {
true true
@ -50,9 +53,6 @@ get_user_email(session, user) = v {
func GetDirectoryUser() *ast.Rule { func GetDirectoryUser() *ast.Rule {
return ast.MustParseRule(` return ast.MustParseRule(`
get_directory_user(session) = v { get_directory_user(session) = v {
v = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
v != null
} else = v {
v = get_databroker_record("type.googleapis.com/directory.User", session.user_id) v = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
v != null v != null
} else = "" { } else = "" {
@ -77,9 +77,6 @@ get_directory_group(id) = v {
func GetGroupIDs() *ast.Rule { func GetGroupIDs() *ast.Rule {
return ast.MustParseRule(` return ast.MustParseRule(`
get_group_ids(session, directory_user) = v { get_group_ids(session, directory_user) = v {
v = session.impersonate_groups
v != null
} else = v {
v = directory_user.group_ids v = directory_user.group_ids
v != null v != null
} else = [] { } else = [] {