3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-28 18:06:34 +02:00
Code Issues Projects Releases Packages Wiki Activity

sessions: add impersonate_session_id, remove legacy impersonation (#2407)

Browse source 
* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.
This commit is contained in:
Caleb Doxsey 2021-07-30 08:42:36 -06:00 committed by GitHub
parent 2b6813dc95
commit 1a95036b8c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 116 additions and 216 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
authenticate/handlers.go
View file

@ -451,12 +451,18 @@ func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error {
s.ID = uuid.New().String()
}
isImpersonated := false
pbSession, err := session.Get(ctx, state.dataBrokerClient, s.ID)
if pbSession.GetImpersonateSessionId() != "" {
pbSession, err = session.Get(ctx, state.dataBrokerClient, pbSession.GetImpersonateSessionId())
isImpersonated = true
}
if err != nil {
pbSession = &session.Session{
Id: s.ID,
}
}
pbUser, err := user.Get(ctx, state.dataBrokerClient, pbSession.GetUserId())
if err != nil {
pbUser = &user.User{
@ -488,8 +494,9 @@ func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error {
}
input := map[string]interface{}{
"IsImpersonated": isImpersonated,
"State": s, // local session state (cookie, header, etc)
"Session": pbSession, // current access, refresh, id token, & impersonation state
"Session": pbSession, // current access, refresh, id token
"User": pbUser, // user details inferred from oidc id_token
"DirectoryUser": pbDirectoryUser, // user details inferred from idp directory
"DirectoryGroups": groups, // user's groups inferred from idp directory

79
authorize/evaluator/evaluator_test.go
View file

@ -118,7 +118,6 @@ func TestEvaluator(t *testing.T) {
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateGroups: []string{"i1", "i2"},
},
&user.User{
Id: "user1",
@ -137,7 +136,6 @@ func TestEvaluator(t *testing.T) {
})
require.NoError(t, err)
assert.Equal(t, "a@example.com", res.Headers.Get("Impersonate-User"))
assert.Equal(t, "i1,i2", res.Headers.Get("Impersonate-Group"))
})
t.Run("google_cloud_serverless", func(t *testing.T) {
withMockGCP(t, func() {
@ -145,7 +143,6 @@ func TestEvaluator(t *testing.T) {
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateGroups: []string{"i1", "i2"},
},
&user.User{
Id: "user1",
@ -247,16 +244,20 @@ func TestEvaluator(t *testing.T) {
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateEmail: proto.String("a@example.com"),
},
&session.Session{
Id: "session2",
UserId: "user2",
ImpersonateSessionId: proto.String("session1"),
},
&user.User{
Id: "user1",
Email: "b@example.com",
Email: "a@example.com",
},
}, &Request{
Policy: &policies[3],
Session: RequestSession{
ID: "session1",
ID: "session2",
},
HTTP: RequestHTTP{
Method: "GET",
@ -267,31 +268,6 @@ func TestEvaluator(t *testing.T) {
require.NoError(t, err)
assert.True(t, res.Allow)
})
t.Run("denied", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateEmail: proto.String("b@example.com"),
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
}, &Request{
Policy: &policies[3],
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
})
require.NoError(t, err)
assert.False(t, res.Allow)
})
})
t.Run("user_id", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{
@ -346,11 +322,15 @@ func TestEvaluator(t *testing.T) {
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateEmail: proto.String("a@example.com"),
},
&session.Session{
Id: "session2",
UserId: "user2",
ImpersonateSessionId: proto.String("session1"),
},
&user.User{
Id: "user1",
Email: "a@notexample.com",
Email: "a@example.com",
},
}, &Request{
Policy: &policies[6],
@ -399,39 +379,6 @@ func TestEvaluator(t *testing.T) {
require.NoError(t, err)
assert.True(t, res.Allow)
})
t.Run("impersonate groups", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateGroups: []string{"group1"},
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
&directory.User{
Id: "user1",
},
&directory.Group{
Id: "group1",
Name: "group1name",
Email: "group1@example.com",
},
}, &Request{
Policy: &policies[7],
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
})
require.NoError(t, err)
assert.True(t, res.Allow)
})
t.Run("any authenticated user", func(t *testing.T) {
res, err := eval(t, options, []proto.Message{
&session.Session{

35
authorize/evaluator/opa/policy/headers.rego
View file

@ -26,20 +26,29 @@ package pomerium.headers
# 5 minutes from now in seconds
five_minutes := round((time.now_ns() / 1e9) + (60 * 5))
session = s {
s = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id)
s != null
} else = s {
s = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
s != null
# get the session
session = v {
# try a service account
v = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id)
v != null
} else = iv {
# try an impersonated session
v = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
v != null
object.get(v, "impersonate_session_id", "") != ""
iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id)
iv != null
} else = v {
# try a normal session
v = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
v != null
object.get(v, "impersonate_session_id", "") == ""
} else = {} {
true
}
user = u {
u = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
u != null
} else = u {
u = get_databroker_record("type.googleapis.com/user.User", session.user_id)
u != null
} else = {} {
@ -47,9 +56,6 @@ user = u {
}
directory_user = du {
du = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
du != null
} else = du {
du = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
du != null
} else = {} {
@ -57,9 +63,6 @@ directory_user = du {
}
group_ids = gs {
gs = session.impersonate_groups
gs != null
} else = gs {
gs = directory_user.group_ids
gs != null
} else = [] {
@ -119,8 +122,6 @@ jwt_payload_user = v {
}
jwt_payload_email = v {
v = session.impersonate_email
} else = v {
v = directory_user.email
} else = v {
v = user.email

10
authorize/log.go
View file

@ -38,14 +38,8 @@ func (a *Authorize) logAuthorizeCheck(
// session information
if s, ok := s.(*session.Session); ok {
evt = evt.Str("session-id", s.GetId())
if s.GetImpersonateEmail() != "" {
evt = evt.Str("impersonate-email", s.GetImpersonateEmail())
}
if len(s.GetImpersonateGroups()) > 0 {
evt = evt.Strs("impersonate-groups", s.GetImpersonateGroups())
}
if s.GetImpersonateUserId() != "" {
evt = evt.Str("impersonate-user-id", s.GetImpersonateUserId())
if s.GetImpersonateSessionId() != "" {
evt = evt.Str("impersonate-session-id", s.GetImpersonateSessionId())
}
}
if sa, ok := s.(*user.ServiceAccount); ok {

29
config/policy_ppl_test.go
View file

@ -526,9 +526,19 @@ get_session(id) = v {
v != null
}
else = iv {
v = get_databroker_record("type.googleapis.com/session.Session", id)
v != null
object.get(v, "impersonate_session_id", "") != ""
iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id)
iv != null
}
else = v {
v = get_databroker_record("type.googleapis.com/session.Session", id)
v != null
object.get(v, "impersonate_session_id", "") == ""
}
else = {} {
@ -536,11 +546,6 @@ else = {} {
}
get_user(session) = v {
v = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
v != null
}
else = v {
v = get_databroker_record("type.googleapis.com/user.User", session.user_id)
v != null
}
@ -550,11 +555,6 @@ else = {} {
}
get_directory_user(session) = v {
v = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
v != null
}
else = v {
v = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
v != null
}
@ -573,10 +573,6 @@ else = {} {
}
get_user_email(session, user) = v {
v = session.impersonate_email
}
else = v {
v = user.email
}
@ -585,11 +581,6 @@ else = "" {
}
get_group_ids(session, directory_user) = v {
v = session.impersonate_groups
v != null
}
else = v {
v = directory_user.group_ids
v != null
}

22
internal/frontend/assets/html/userInfo.html
View file

@ -82,28 +82,10 @@
<td>{{.AsTime | formatTime}}</td>
</tr>
{{end}}
{{with .Session.ImpersonateUserId}}
<tr>
<td>Impersonate ID</td>
<td>{{.}}</td>
<td>Impersonated</td>
<td>{{.IsImpersonated}}</td>
</tr>
{{end}}
{{with .Session.ImpersonateEmail}}
<tr>
<td>Impersonate Email</td>
<td>{{.}}</td>
</tr>
{{end}}
{{with $groups := .Session.ImpersonateGroups}}
<tr>
<td>Impersonate Groups</td>
<td>
{{range $groups}}
<p>{{.}}</p>
{{end}}
</td>
</tr>
{{end}}
</tbody>
</table>
{{else}}

63
pkg/grpc/session/session.pb.go
View file

@ -186,9 +186,7 @@ type Session struct {
OauthToken *OAuthToken `protobuf:"bytes,7,opt,name=oauth_token,json=oauthToken,proto3" json:"oauth_token,omitempty"`
Claims map[string]*structpb.ListValue `protobuf:"bytes,9,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Audience []string `protobuf:"bytes,10,rep,name=audience,proto3" json:"audience,omitempty"`
ImpersonateUserId *string `protobuf:"bytes,11,opt,name=impersonate_user_id,json=impersonateUserId,proto3,oneof" json:"impersonate_user_id,omitempty"`
ImpersonateEmail *string `protobuf:"bytes,12,opt,name=impersonate_email,json=impersonateEmail,proto3,oneof" json:"impersonate_email,omitempty"`
ImpersonateGroups []string `protobuf:"bytes,13,rep,name=impersonate_groups,json=impersonateGroups,proto3" json:"impersonate_groups,omitempty"`
ImpersonateSessionId *string `protobuf:"bytes,15,opt,name=impersonate_session_id,json=impersonateSessionId,proto3,oneof" json:"impersonate_session_id,omitempty"`
}
func (x *Session) Reset() {
@ -286,27 +284,13 @@ func (x *Session) GetAudience() []string {
return nil
}
func (x *Session) GetImpersonateUserId() string {
if x != nil && x.ImpersonateUserId != nil {
return *x.ImpersonateUserId
func (x *Session) GetImpersonateSessionId() string {
if x != nil && x.ImpersonateSessionId != nil {
return *x.ImpersonateSessionId
}
return ""
}
func (x *Session) GetImpersonateEmail() string {
if x != nil && x.ImpersonateEmail != nil {
return *x.ImpersonateEmail
}
return ""
}
func (x *Session) GetImpersonateGroups() []string {
if x != nil {
return x.ImpersonateGroups
}
return nil
}
var File_session_proto protoreflect.FileDescriptor
var file_session_proto_rawDesc = []byte{
@ -338,7 +322,7 @@ var file_session_proto_rawDesc = []byte{
0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78,
0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x72, 0x65,
0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c,
0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x90, 0x05, 0x0a,
0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xa2, 0x04, 0x0a,
0x07, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73,
0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69,
0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02,
@ -362,28 +346,21 @@ var file_session_proto_rawDesc = []byte{
0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79,
0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69,
0x65, 0x6e, 0x63, 0x65, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69,
0x65, 0x6e, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x13, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e,
0x61, 0x74, 0x65, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x0b, 0x20, 0x01, 0x28,
0x09, 0x48, 0x00, 0x52, 0x11, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65,
0x55, 0x73, 0x65, 0x72, 0x49, 0x64, 0x88, 0x01, 0x01, 0x12, 0x30, 0x0a, 0x11, 0x69, 0x6d, 0x70,
0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x0c,
0x20, 0x01, 0x28, 0x09, 0x48, 0x01, 0x52, 0x10, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e,
0x61, 0x74, 0x65, 0x45, 0x6d, 0x61, 0x69, 0x6c, 0x88, 0x01, 0x01, 0x12, 0x2d, 0x0a, 0x12, 0x69,
0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70,
0x73, 0x18, 0x0d, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f,
0x6e, 0x61, 0x74, 0x65, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x1a, 0x55, 0x0a, 0x0b, 0x43, 0x6c,
0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76,
0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73,
0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38,
0x01, 0x42, 0x16, 0x0a, 0x14, 0x5f, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74,
0x65, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x42, 0x14, 0x0a, 0x12, 0x5f, 0x69, 0x6d,
0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x42,
0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f,
0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f,
0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e,
0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x65, 0x6e, 0x63, 0x65, 0x12, 0x39, 0x0a, 0x16, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e,
0x61, 0x74, 0x65, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x0f,
0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x14, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e,
0x61, 0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x88, 0x01, 0x01, 0x1a,
0x55, 0x0a, 0x0b, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10,
0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79,
0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c,
0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x19, 0x0a, 0x17, 0x5f, 0x69, 0x6d, 0x70, 0x65, 0x72,
0x73, 0x6f, 0x6e, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69,
0x64, 0x42, 0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75,
0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73, 0x69,
0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (

4
pkg/grpc/session/session.proto
View file

@ -32,7 +32,5 @@ message Session {
map<string, google.protobuf.ListValue> claims = 9;
repeated string audience = 10;
optional string impersonate_user_id = 11;
optional string impersonate_email = 12;
repeated string impersonate_groups = 13;
optional string impersonate_session_id = 15;
}

2
pkg/policy/criteria/domains_test.go
View file

@ -4,7 +4,6 @@ import (
"testing"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto"
"github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user"
@ -55,7 +54,6 @@ allow:
&session.Session{
Id: "SESSION_ID",
UserId: "USER_ID",
ImpersonateEmail: proto.String("test2@example.com"),
},
&user.User{
Id: "USER_ID",

20
pkg/policy/criteria/emails_test.go
View file

@ -44,7 +44,7 @@ allow:
require.Equal(t, true, res["allow"])
require.Equal(t, false, res["deny"])
})
t.Run("by impersonate email", func(t *testing.T) {
t.Run("by impersonate session id", func(t *testing.T) {
res, err := evaluate(t, `
allow:
and:
@ -53,16 +53,24 @@ allow:
`,
[]dataBrokerRecord{
&session.Session{
Id: "SESSION_ID",
UserId: "USER_ID",
ImpersonateEmail: proto.String("test2@example.com"),
Id: "SESSION1",
UserId: "USER1",
ImpersonateSessionId: proto.String("SESSION2"),
},
&session.Session{
Id: "SESSION2",
UserId: "USER2",
},
&user.User{
Id: "USER_ID",
Id: "USER1",
Email: "test1@example.com",
},
&user.User{
Id: "USER2",
Email: "test2@example.com",
},
Input{Session: InputSession{ID: "SESSION_ID"}})
},
Input{Session: InputSession{ID: "SESSION1"}})
require.NoError(t, err)
require.Equal(t, true, res["allow"])
require.Equal(t, false, res["deny"])

21
pkg/policy/rules/rules.go
View file

@ -3,15 +3,23 @@ package rules
import "github.com/open-policy-agent/opa/ast"
// GetSession the session for the given id.
// GetSession gets the session for the given id.
func GetSession() *ast.Rule {
return ast.MustParseRule(`
get_session(id) = v {
v = get_databroker_record("type.googleapis.com/user.ServiceAccount", id)
v != null
} else = iv {
v = get_databroker_record("type.googleapis.com/session.Session", id)
v != null
object.get(v, "impersonate_session_id", "") != ""
iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id)
iv != null
} else = v {
v = get_databroker_record("type.googleapis.com/session.Session", id)
v != null
object.get(v, "impersonate_session_id", "") == ""
} else = {} {
true
}
@ -22,9 +30,6 @@ get_session(id) = v {
func GetUser() *ast.Rule {
return ast.MustParseRule(`
get_user(session) = v {
v = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
v != null
} else = v {
v = get_databroker_record("type.googleapis.com/user.User", session.user_id)
v != null
} else = {} {
@ -37,8 +42,6 @@ get_user(session) = v {
func GetUserEmail() *ast.Rule {
return ast.MustParseRule(`
get_user_email(session, user) = v {
v = session.impersonate_email
} else = v {
v = user.email
} else = "" {
true
@ -50,9 +53,6 @@ get_user_email(session, user) = v {
func GetDirectoryUser() *ast.Rule {
return ast.MustParseRule(`
get_directory_user(session) = v {
v = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
v != null
} else = v {
v = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
v != null
} else = "" {
@ -77,9 +77,6 @@ get_directory_group(id) = v {
func GetGroupIDs() *ast.Rule {
return ast.MustParseRule(`
get_group_ids(session, directory_user) = v {
v = session.impersonate_groups
v != null
} else = v {
v = directory_user.group_ids
v != null
} else = [] {