authorize: allow access by user id (#1850)
This commit is contained in:
parent
7a5c4fd0f6
commit
25b697a13d
5 changed files with 55 additions and 3 deletions
|
@ -77,12 +77,18 @@ allow {
|
|||
session.user_id != ""
|
||||
}
|
||||
|
||||
# allow by email
|
||||
# allow by user email
|
||||
allow {
|
||||
not is_impersonating
|
||||
user.email == all_allowed_users[_]
|
||||
}
|
||||
|
||||
# allow by user id
|
||||
allow {
|
||||
not is_impersonating
|
||||
user.id == all_allowed_users[_]
|
||||
}
|
||||
|
||||
# allow group
|
||||
allow {
|
||||
not is_impersonating
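Review bot: The new `user.id == all_allowed_users[_]` rule matches against the same `all_allowed_users` list the email rule uses, so a single `allowed_users` entry is now accepted whichever of the two attributes it happens to equal, and nothing in the policy records that. A comment above the new block, `# allowed_users entries are matched against both user.email and user.id`, would make the shared-list semantics visible to whoever edits the policy next. Where `all_allowed_users` and `user` are built is outside this hunk, so whether ids from every provider are namespaced (the test uses `example/1234`) cannot be checked here; if any provider's ids can coincide with email strings, the two match spaces overlap and an operator should know that. The policy file continues outside the hunk.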
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -168,6 +168,35 @@ func TestOPA(t *testing.T) {
|
|||
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
})
|
||||
t.Run("user_id", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedUsers: []string{"example/1234"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "example/1234",
|
||||
},
|
||||
&user.User{
|
||||
Id: "example/1234",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
t.Run("domain", func(t *testing.T) {
|
||||
t.Run("allowed", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
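Review bot: The added `user_id` subtest asserts only the allowed case; the neighbouring subtests end with an `assert.False` denial check, and the new id rule has no equivalent negative test, so a regression that let the id rule match any user would still pass. A second nested `t.Run` with the same policy and session but a user whose `Id` is not in `AllowedUsers` (for example `"example/5678"`) asserting `assert.False(t, res.Bindings["result"].(M)["allow"].(bool))` would pin that. TestOPA starts and ends outside the hunk.

```go
t.Run("user_id", func(t *testing.T) {
	t.Run("allowed", func(t *testing.T) {
		// … unchanged: existing user_id evaluation and assert.True …
	})
	t.Run("not allowed", func(t *testing.T) {
		// … same policy and session as above, user Id "example/5678" …
		assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
	})
})
```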
|
||||
|
|
|
@ -216,7 +216,7 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
|
|||
PassIdentityHeaders: pb.GetPassIdentityHeaders(),
|
||||
KubernetesServiceAccountToken: pb.GetKubernetesServiceAccountToken(),
|
||||
}
|
||||
if pb.Redirect != nil {
|
||||
if pb.Redirect.IsSet() {
|
||||
p.Redirect = &PolicyRedirect{
|
||||
HTTPSRedirect: pb.Redirect.HttpsRedirect,
|
||||
SchemeRedirect: pb.Redirect.SchemeRedirect,
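Review bot: The replaced condition at `if pb.Redirect.IsSet() {` changes what a present-but-empty redirect message produces: before, a non-nil `pb.Redirect` with no options yielded an empty `PolicyRedirect`, now `p.Redirect` stays nil. That is presumably the intent, but nothing at the call site says so; a comment `// a redirect message with no options set is treated as no redirect` above the `if` would record it for the next reader. NewPolicyFromProto starts and ends outside the hunk.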
|
||||
|
|
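--- /dev/null
+++ b/pkg/grpc/config/config.go
@@ -0,0 +1,17 @@
+package config
+
+// IsSet returns true if one of the route redirect options has been chosen.
+func (rr *RouteRedirect) IsSet() bool {
+	if rr == nil {
+		return false
+	}
+
+	return rr.StripQuery != nil ||
+		rr.ResponseCode != nil ||
+		rr.PrefixRewrite != nil ||
+		rr.PathRedirect != nil ||
+		rr.PortRedirect != nil ||
+		rr.HostRedirect != nil ||
+		rr.SchemeRedirect != nil ||
+		rr.HttpsRedirect != nil
+}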
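Review bot: `IsSet` tests pointer presence on every field, so an option explicitly set to its zero value (for example an `https_redirect` of false, if these are optional proto fields as the `!= nil` comparisons suggest) still counts as set, and the doc comment does not say that. Extending it to `// IsSet returns true if any route redirect option is present, including one explicitly set to its default value; a nil receiver is never set.` would make the contract clear to callers that gate behaviour on it. The method has no unit test in this commit; a small table test covering a nil receiver, an empty message and one field set would be cheap and would guard the nil-receiver branch that the policy conversion now relies on.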