authorize: allow access by user id (#1850)
This commit is contained in:
parent
7a5c4fd0f6
commit
25b697a13d
5 changed files with 55 additions and 3 deletions
|
@ -77,12 +77,18 @@ allow {
|
||||||
session.user_id != ""
|
session.user_id != ""
|
||||||
}
|
}
|
||||||
|
|
||||||
# allow by email
|
# allow by user email
|
||||||
allow {
|
allow {
|
||||||
not is_impersonating
|
not is_impersonating
|
||||||
user.email == all_allowed_users[_]
|
user.email == all_allowed_users[_]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# allow by user id
|
||||||
|
allow {
|
||||||
|
not is_impersonating
|
||||||
|
user.id == all_allowed_users[_]
|
||||||
|
}
|
||||||
|
|
||||||
# allow group
|
# allow group
|
||||||
allow {
|
allow {
|
||||||
not is_impersonating
|
not is_impersonating
|
||||||
|
|
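Review bot: The new rule `user.id == all_allowed_users[_]` compares IdP user ids against the same `allowed_users` list the email rule reads, so one list now carries two kinds of identifier and the policy gives no hint which is which. A comment on the rule would make that contract explicit, e.g. `# allow by user id: an allowed_users entry may also be the IdP user id (the test uses the form "example/1234")`. Unlike the earlier rule that requires `session.user_id != ""`, this one has no non-empty guard, so if an empty string ever reached `all_allowed_users` it would match a user record whose id is empty; whether that can happen depends on how `all_allowed_users` is built, which is outside this hunk.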
File diff suppressed because one or more lines are too long
|
@ -168,6 +168,35 @@ func TestOPA(t *testing.T) {
|
||||||
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
|
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
t.Run("user_id", func(t *testing.T) {
|
||||||
|
res := eval([]config.Policy{
|
||||||
|
{
|
||||||
|
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||||
|
To: config.WeightedURLs{
|
||||||
|
{URL: *mustParseURL("https://to.example.com")},
|
||||||
|
},
|
||||||
|
AllowedUsers: []string{"example/1234"},
|
||||||
|
},
|
||||||
|
}, []proto.Message{
|
||||||
|
&session.Session{
|
||||||
|
Id: "session1",
|
||||||
|
UserId: "example/1234",
|
||||||
|
},
|
||||||
|
&user.User{
|
||||||
|
Id: "example/1234",
|
||||||
|
Email: "a@example.com",
|
||||||
|
},
|
||||||
|
}, &Request{
|
||||||
|
Session: RequestSession{
|
||||||
|
ID: "session1",
|
||||||
|
},
|
||||||
|
HTTP: RequestHTTP{
|
||||||
|
Method: "GET",
|
||||||
|
URL: "https://from.example.com",
|
||||||
|
},
|
||||||
|
}, true)
|
||||||
|
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||||
|
})
|
||||||
t.Run("domain", func(t *testing.T) {
|
t.Run("domain", func(t *testing.T) {
|
||||||
t.Run("allowed", func(t *testing.T) {
|
t.Run("allowed", func(t *testing.T) {
|
||||||
res := eval([]config.Policy{
|
res := eval([]config.Policy{
|
||||||
|
|
|
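Review bot: The added `user_id` subtest exercises only the allowed path; the neighbouring cases (see the `assert.False` at the top of the hunk) also pin the deny path, and the id rule has none, so a regression that let any user with a non-empty id through would go unnoticed. A sibling subtest with a user whose id is not in `AllowedUsers`, asserting `assert.False(t, res.Bindings["result"].(M)["allow"].(bool))`, would close that gap. `TestOPA` begins and continues outside this hunk.
```go
// … unchanged: existing "user_id" subtest …
t.Run("user_id_not_allowed", func(t *testing.T) {
	// constructed sample: id and email deliberately absent from AllowedUsers
	res := eval([]config.Policy{
		{
			Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
			To: config.WeightedURLs{
				{URL: *mustParseURL("https://to.example.com")},
			},
			AllowedUsers: []string{"example/1234"},
		},
	}, []proto.Message{
		&session.Session{Id: "session1", UserId: "example/5678"},
		&user.User{Id: "example/5678", Email: "b@example.com"},
	}, &Request{
		Session: RequestSession{ID: "session1"},
		HTTP:    RequestHTTP{Method: "GET", URL: "https://from.example.com"},
	}, true)
	assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
})
```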
@ -216,7 +216,7 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
|
||||||
PassIdentityHeaders: pb.GetPassIdentityHeaders(),
|
PassIdentityHeaders: pb.GetPassIdentityHeaders(),
|
||||||
KubernetesServiceAccountToken: pb.GetKubernetesServiceAccountToken(),
|
KubernetesServiceAccountToken: pb.GetKubernetesServiceAccountToken(),
|
||||||
}
|
}
|
||||||
if pb.Redirect != nil {
|
if pb.Redirect.IsSet() {
|
||||||
p.Redirect = &PolicyRedirect{
|
p.Redirect = &PolicyRedirect{
|
||||||
HTTPSRedirect: pb.Redirect.HttpsRedirect,
|
HTTPSRedirect: pb.Redirect.HttpsRedirect,
|
||||||
SchemeRedirect: pb.Redirect.SchemeRedirect,
|
SchemeRedirect: pb.Redirect.SchemeRedirect,
|
||||||
|
|
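Review bot: The switch to `pb.Redirect.IsSet()` means a `RouteRedirect` message that is present but has no option set now yields a policy with `Redirect == nil`, and nothing at this call site records why; a reader who sees `pb.Redirect != nil` used elsewhere may "fix" it back. A one-line comment would prevent that, e.g. `// a RouteRedirect message may be present but empty (IsSet also handles nil); only treat it as a redirect route when an option is actually set`. Why an empty message can arrive here (presumably a proto round trip that always populates the field) is not visible in this hunk, so the comment should state only the contract. `NewPolicyFromProto` begins and ends outside this hunk.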
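--- a/pkg/grpc/config/config.go
+++ b/pkg/grpc/config/config.go
@@ -0,0 +1,17 @@
+package config
+
+// IsSet returns true if one of the route redirect options has been chosen.
+func (rr *RouteRedirect) IsSet() bool {
+	if rr == nil {
+		return false
+	}
+
+	return rr.StripQuery != nil ||
+		rr.ResponseCode != nil ||
+		rr.PrefixRewrite != nil ||
+		rr.PathRedirect != nil ||
+		rr.PortRedirect != nil ||
+		rr.HostRedirect != nil ||
+		rr.SchemeRedirect != nil ||
+		rr.HttpsRedirect != nil
+}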
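Review bot: `IsSet` enumerates the eight `RouteRedirect` fields by hand in a package whose other files are generated from the proto, so a redirect option added to the `.proto` later will not be reflected here and `NewPolicyFromProto` would silently drop such a redirect. Iterating the populated fields through protobuf reflection removes that drift, because `ProtoReflect().Range` visits only fields that are set, which matches the `!= nil` presence checks used now; the rewrite below does that, keeps the nil-receiver guard, and needs `google.golang.org/protobuf/reflect/protoreflect` imported. The doc comment should also state the nil behaviour: `// IsSet reports whether rr is non-nil and at least one redirect option is set.`
```go
// IsSet reports whether rr is non-nil and at least one redirect option is set.
func (rr *RouteRedirect) IsSet() bool {
	if rr == nil {
		return false
	}
	set := false
	// Range visits only populated fields, so any callback means an option is set.
	rr.ProtoReflect().Range(func(protoreflect.FieldDescriptor, protoreflect.Value) bool {
		set = true
		return false // stop after the first populated field
	})
	return set
}
```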