authorize: allow access by user id (#1850)

2025-08-03 16:59:22 +02:00 · 2021-02-03 07:15:44 -07:00 · 2021-02-03 07:15:44 -07:00 · 25b697a13d
commit 25b697a13d
parent 7a5c4fd0f6
5 changed files with 55 additions and 3 deletions
--- a/authorize/evaluator/opa/policy/authz.rego
+++ b/authorize/evaluator/opa/policy/authz.rego
@ -77,12 +77,18 @@ allow {
 	session.user_id != ""
 }

-# allow by email
+# allow by user email
 allow {
 	not is_impersonating
 	user.email == all_allowed_users[_]
 }

+# allow by user id
+allow {
+	not is_impersonating
+	user.id == all_allowed_users[_]
+}
+
 # allow group
 allow {
 	not is_impersonating
--- a/authorize/evaluator/opa/policy/statik.go
+++ b/authorize/evaluator/opa/policy/statik.go
--- a/authorize/evaluator/opa_test.go
+++ b/authorize/evaluator/opa_test.go
@ -168,6 +168,35 @@ func TestOPA(t *testing.T) {
 			assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
 		})
 	})
+	t.Run("user_id", func(t *testing.T) {
+		res := eval([]config.Policy{
+			{
+				Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+				To: config.WeightedURLs{
+					{URL: *mustParseURL("https://to.example.com")},
+				},
+				AllowedUsers: []string{"example/1234"},
+			},
+		}, []proto.Message{
+			&session.Session{
+				Id:     "session1",
+				UserId: "example/1234",
+			},
+			&user.User{
+				Id:    "example/1234",
+				Email: "a@example.com",
+			},
+		}, &Request{
+			Session: RequestSession{
+				ID: "session1",
+			},
+			HTTP: RequestHTTP{
+				Method: "GET",
+				URL:    "https://from.example.com",
+			},
+		}, true)
+		assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+	})
 	t.Run("domain", func(t *testing.T) {
 		t.Run("allowed", func(t *testing.T) {
 			res := eval([]config.Policy{
--- a/config/policy.go
+++ b/config/policy.go
@ -216,7 +216,7 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 		PassIdentityHeaders:              pb.GetPassIdentityHeaders(),
 		KubernetesServiceAccountToken:    pb.GetKubernetesServiceAccountToken(),
 	}
-	if pb.Redirect != nil {
+	if pb.Redirect.IsSet() {
 		p.Redirect = &PolicyRedirect{
 			HTTPSRedirect:  pb.Redirect.HttpsRedirect,
 			SchemeRedirect: pb.Redirect.SchemeRedirect,
--- a/pkg/grpc/config/config.go
+++ b/pkg/grpc/config/config.go
@ -0,0 +1,17 @@
+package config
+
+// IsSet returns true if one of the route redirect options has been chosen.
+func (rr *RouteRedirect) IsSet() bool {
+	if rr == nil {
+		return false
+	}
+
+	return rr.StripQuery != nil ||
+		rr.ResponseCode != nil ||
+		rr.PrefixRewrite != nil ||
+		rr.PathRedirect != nil ||
+		rr.PortRedirect != nil ||
+		rr.HostRedirect != nil ||
+		rr.SchemeRedirect != nil ||
+		rr.HttpsRedirect != nil
+}