authorize: allow access by user id (#1850)

Caleb Doxsey 2021-02-03 07:15:44 -07:00 committed by GitHub
parent 7a5c4fd0f6
commit 25b697a13d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 55 additions and 3 deletions


@ -77,12 +77,18 @@ allow {
session.user_id != ""
}
# allow by email
# allow by user email
allow {
not is_impersonating
user.email == all_allowed_users[_]
}
# allow by user id
allow {
not is_impersonating
user.id == all_allowed_users[_]
}
# allow group
allow {
not is_impersonating
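Review bot: The new rule `user.id == all_allowed_users[_]` matches against the same `all_allowed_users` list that the email rule above it uses, so from this hunk on a single allowlist entry is accepted as either an email or an IdP user id, with nothing recording which was intended. For an identity provider whose subject identifiers are themselves email-shaped (not visible here), an entry meant to grant one identity could match the other; that is worth stating on the rule, e.g. `# allow by user id (allowed_users entries are compared against both user.email and user.id)`, and pinning with a test where the id is absent from the list. The `allow group` rule at the end of the hunk continues outside it.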



@ -168,6 +168,35 @@ func TestOPA(t *testing.T) {
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
})
})
t.Run("user_id", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedUsers: []string{"example/1234"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "example/1234",
},
&user.User{
Id: "example/1234",
Email: "a@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
})
t.Run("domain", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
res := eval([]config.Policy{
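Review bot: The new `user_id` subtest only exercises the granting path; there is no case where the session's user id is absent from `AllowedUsers`, so the test cannot tell an allow produced by the id rule from an allow produced by some other rule. The sibling subtests end with `assert.False(...)` (the line just above the new block), so the same shape fits here: a second `eval` with `AllowedUsers: []string{"example/5678"}` for the same session and user, followed by `assert.False(t, res.Bindings["result"].(M)["allow"].(bool))`. A third case where the list holds the user's email but the id differs would pin that the email and id rules do not cross-match.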


@ -216,7 +216,7 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
PassIdentityHeaders: pb.GetPassIdentityHeaders(),
KubernetesServiceAccountToken: pb.GetKubernetesServiceAccountToken(),
}
if pb.Redirect != nil {
if pb.Redirect.IsSet() {
p.Redirect = &PolicyRedirect{
HTTPSRedirect: pb.Redirect.HttpsRedirect,
SchemeRedirect: pb.Redirect.SchemeRedirect,
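Review bot: Switching the guard from `pb.Redirect != nil` to `pb.Redirect.IsSet()` changes what a present-but-empty redirect message produces: previously `p.Redirect` became a non-nil `*PolicyRedirect` with every field nil, now it stays nil and the route is treated as having no redirect at all. That is likely the intent, but it is not visible from the hunk, and any later check that distinguishes "redirect configured" from "no redirect" by the nil-ness of `p.Redirect` will see the new behaviour; a line comment would make it explicit: `// an empty redirect block is treated as no redirect`. NewPolicyFromProto continues outside the hunk in both directions.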

17
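--- /dev/null
+++ b/pkg/grpc/config/config.go
@@ -0,0 +1,17 @@
+package config
+// IsSet returns true if one of the route redirect options has been chosen.
+func (rr *RouteRedirect) IsSet() bool {
+if rr == nil {
+return false
+}
+return rr.StripQuery != nil ||
+rr.ResponseCode != nil ||
+rr.PrefixRewrite != nil ||
+rr.PathRedirect != nil ||
+rr.PortRedirect != nil ||
+rr.HostRedirect != nil ||
+rr.SchemeRedirect != nil ||
+rr.HttpsRedirect != nil
+}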
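Review bot: `IsSet` is a hand-maintained list of the eight pointer fields of `RouteRedirect`, which appears to be a generated message; a redirect option added to the message later will not be recognised here, and because `NewPolicyFromProto` now gates on this method, a route using only that new option would silently lose its redirect instead of failing loudly. A comment on the method would at least flag the coupling: `// NOTE: keep in sync with the fields of the RouteRedirect message; a field missing here makes a redirect using only that field invisible to NewPolicyFromProto.` The nil-receiver guard is correct and lets callers pass `pb.Redirect` without checking it first.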