ppl: add support for http_path and http_method (#2813)

* ppl: add support for http_path and http_method * fix import ordering
2025-06-24 21:48:23 +02:00 · 2021-12-10 07:28:51 -07:00 · 2021-12-10 07:28:51 -07:00 · 2d04106e6d
commit 2d04106e6d
parent 54ec88fb93
13 changed files with 257 additions and 18 deletions
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@ -22,6 +22,7 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 	"github.com/pomerium/pomerium/pkg/policy/criteria"
+	"github.com/pomerium/pomerium/pkg/policy/parser"
 	"github.com/pomerium/pomerium/pkg/protoutil"
 )

@ -86,6 +87,36 @@ func TestEvaluator(t *testing.T) {
 			To:                        config.WeightedURLs{{URL: *mustParseURL("https://to9.example.com")}},
 			AllowAnyAuthenticatedUser: true,
 		},
+		{
+			To: config.WeightedURLs{{URL: *mustParseURL("https://to10.example.com")}},
+			Policy: &config.PPLPolicy{
+				Policy: &parser.Policy{
+					Rules: []parser.Rule{{
+						Action: parser.ActionAllow,
+						Or: []parser.Criterion{{
+							Name: "http_method", Data: parser.Object{
+								"is": parser.String("GET"),
+							},
+						}},
+					}},
+				},
+			},
+		},
+		{
+			To: config.WeightedURLs{{URL: *mustParseURL("https://to11.example.com")}},
+			Policy: &config.PPLPolicy{
+				Policy: &parser.Policy{
+					Rules: []parser.Rule{{
+						Action: parser.ActionAllow,
+						Or: []parser.Criterion{{
+							Name: "http_path", Data: parser.Object{
+								"is": parser.String("/test"),
+							},
+						}},
+					}},
+				},
+			},
+		},
 	}
 	options := []Option{
 		WithAuthenticateURL("https://authn.example.com"),
@ -442,6 +473,32 @@ func TestEvaluator(t *testing.T) {
 			}
 		}
 	})
+	t.Run("http method", func(t *testing.T) {
+		res, err := eval(t, options, []proto.Message{}, &Request{
+			Policy: &policies[9],
+			HTTP: NewRequestHTTP(
+				"GET",
+				*mustParseURL("https://from.example.com/"),
+				nil,
+				testValidCert,
+			),
+		})
+		require.NoError(t, err)
+		assert.True(t, res.Allow.Value)
+	})
+	t.Run("http path", func(t *testing.T) {
+		res, err := eval(t, options, []proto.Message{}, &Request{
+			Policy: &policies[10],
+			HTTP: NewRequestHTTP(
+				"POST",
+				*mustParseURL("https://from.example.com/test"),
+				nil,
+				testValidCert,
+			),
+		})
+		require.NoError(t, err)
+		assert.True(t, res.Allow.Value)
+	})
 }

 func mustParseURL(str string) *url.URL {