authorize: add filter options for JWT groups (#5417)

Add a new option for filtering to a subset of directory groups in the
Pomerium JWT and Impersonate-Group headers. Add a JWTGroupsFilter field
to both the Options struct (for a global filter) and to the Policy
struct (for per-route filter). These will be populated only from the
config protos, and not from a config file.

If either filter is set, then for each of a user's groups, the group
name or group ID will be added to the JWT groups claim only if it is an
exact string match with one of the elements of either filter.
Kenneth Jenkins 2025-01-08 13:57:57 -08:00 committed by GitHub
parent 95d4a24271
commit 21b9e7890c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 834 additions and 620 deletions


@ -165,6 +165,10 @@ type Policy struct {
// - "uri": Issuer strings will be a complete URI, including the scheme and ending with a trailing slash.
JWTIssuerFormat string `mapstructure:"jwt_issuer_format" yaml:"jwt_issuer_format,omitempty"`
// Allowlist of group names/IDs to include in the Pomerium JWT.
// This expands on any global allowlist set in the main Options.
JWTGroupsFilter JWTGroupsFilter
SubPolicies []SubPolicy `mapstructure:"sub_policies" yaml:"sub_policies,omitempty" json:"sub_policies,omitempty"`
EnvoyOpts *envoy_config_cluster_v3.Cluster `mapstructure:"_envoy_opts" yaml:"-" json:"-"`
@ -290,6 +294,7 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
IdleTimeout: idleTimeout,
IDPClientID: pb.GetIdpClientId(),
IDPClientSecret: pb.GetIdpClientSecret(),
JWTGroupsFilter: NewJWTGroupsFilter(pb.JwtGroupsFilter),
KubernetesServiceAccountToken: pb.GetKubernetesServiceAccountToken(),
KubernetesServiceAccountTokenFile: pb.GetKubernetesServiceAccountTokenFile(),
PassIdentityHeaders: pb.PassIdentityHeaders,
@ -432,6 +437,7 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
From: p.From,
Id: p.ID,
IdleTimeout: idleTimeout,
JwtGroupsFilter: p.JWTGroupsFilter.ToSlice(),
KubernetesServiceAccountToken: p.KubernetesServiceAccountToken,
KubernetesServiceAccountTokenFile: p.KubernetesServiceAccountTokenFile,
Name: fmt.Sprint(p.RouteID()),
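Review bot: The new `JWTGroupsFilter` field on `Policy` (the first hunk, `@ -165,6 +165,10`) carries no struct tags, unlike every sibling field, even though the description says it is populated only from the config protos and never from a config file. With no tag, mapstructure falls back to case-insensitive field-name matching, so a `jwtgroupsfilter` key in a config file may still be decoded into it (depending on how the decoder is configured), and yaml/json encoders will emit it under the bare field name, which matters if a Policy is ever hashed or printed for diagnostics. Making the intent explicit would be `JWTGroupsFilter JWTGroupsFilter \`mapstructure:"-" yaml:"-" json:"-"\`` plus a line in the doc comment such as `// This field is only set from the config protos; it is not read from a config file.` The `Policy` struct begins outside the hunk, and it is worth checking that the order of `p.JWTGroupsFilter.ToSlice()` in the third hunk is deterministic, since `ToProto` output that varies between calls would make checksum-based change detection unstable; `ToSlice` is not visible here.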