authorize: add filter options for JWT groups (#5417)
Add a new option for filtering to a subset of directory groups in the Pomerium JWT and Impersonate-Group headers. Add a JWTGroupsFilter field to both the Options struct (for a global filter) and to the Policy struct (for per-route filter). These will be populated only from the config protos, and not from a config file. If either filter is set, then for each of a user's groups, the group name or group ID will be added to the JWT groups claim only if it is an exact string match with one of the elements of either filter.
This commit is contained in:
parent
95d4a24271
commit
21b9e7890c
13 changed files with 834 additions and 620 deletions
|
@ -7,17 +7,20 @@ import (
|
|||
"fmt"
|
||||
"net/url"
|
||||
"reflect"
|
||||
"slices"
|
||||
"strconv"
|
||||
"strings"
|
||||
"unicode"
|
||||
|
||||
envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
|
||||
goset "github.com/hashicorp/go-set/v3"
|
||||
"github.com/mitchellh/mapstructure"
|
||||
"github.com/volatiletech/null/v9"
|
||||
"google.golang.org/protobuf/encoding/protojson"
|
||||
"google.golang.org/protobuf/proto"
|
||||
"gopkg.in/yaml.v3"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/hashutil"
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/policy/parser"
|
||||
|
@ -574,3 +577,43 @@ func serializable(in any) (any, error) {
|
|||
return in, nil
|
||||
}
|
||||
}
|
||||
|
||||
type JWTGroupsFilter struct {
|
||||
set *goset.Set[string]
|
||||
}
|
||||
|
||||
func NewJWTGroupsFilter(groups []string) JWTGroupsFilter {
|
||||
var s *goset.Set[string]
|
||||
if len(groups) > 0 {
|
||||
s = goset.From(groups)
|
||||
}
|
||||
return JWTGroupsFilter{s}
|
||||
}
|
||||
|
||||
func (f JWTGroupsFilter) Enabled() bool {
|
||||
return f.set != nil
|
||||
}
|
||||
|
||||
func (f JWTGroupsFilter) IsAllowed(group string) bool {
|
||||
return f.set == nil || f.set.Contains(group)
|
||||
}
|
||||
|
||||
func (f JWTGroupsFilter) ToSlice() []string {
|
||||
if f.set == nil {
|
||||
return nil
|
||||
}
|
||||
return slices.Sorted(f.set.Items())
|
||||
}
|
||||
|
||||
func (f JWTGroupsFilter) Hash() (uint64, error) {
|
||||
return hashutil.Hash(f.ToSlice())
|
||||
}
|
||||
|
||||
func (f JWTGroupsFilter) Equal(other JWTGroupsFilter) bool {
|
||||
if f.set == nil && other.set == nil {
|
||||
return true
|
||||
} else if f.set == nil || other.set == nil {
|
||||
return false
|
||||
}
|
||||
return f.set.Equal(other.set)
|
||||
}
|
||||
|
|
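Review bot: NewJWTGroupsFilter leaves the set nil for an empty or nil groups slice, so a filter that is configured but empty is indistinguishable from no filter at all: Enabled reports false and IsAllowed returns true for every group, which means "allow no groups" cannot be expressed through this type. If that is deliberate (proto3 repeated fields cannot separate unset from empty, so it may be unavoidable at the config boundary), the constructor should say so, e.g. `// NewJWTGroupsFilter returns a filter that allows exactly the given groups; an empty slice yields a disabled filter that allows all groups.`, and the type should carry `// JWTGroupsFilter restricts which directory groups appear in the JWT groups claim; the zero value is disabled and allows every group.` since none of the new exported identifiers have doc comments. IsAllowed matches by exact, case-sensitive set membership, which is worth stating in its comment because group names and IDs originate from the identity provider rather than the operator. Hash hashing ToSlice's sorted output and Equal delegating to the set's Equal both look consistent with the nil-is-disabled convention, with a disabled and a non-empty filter never comparing equal.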