authorize: add support for webauthn device policy enforcement (#2700)

* authorize: add support for webauthn device policy enforcement * update docs * group statuses
2025-08-03 00:40:25 +02:00 · 2021-10-25 09:41:03 -06:00 · 2021-10-25 09:41:03 -06:00 · 3497c39b9b
commit 3497c39b9b
parent 9d4ebcf871
8 changed files with 456 additions and 27 deletions
--- a/pkg/policy/criteria/device_test.go
+++ b/pkg/policy/criteria/device_test.go
@ -0,0 +1,168 @@
+package criteria
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/pomerium/pomerium/pkg/grpc/device"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+)
+
+func TestDevice(t *testing.T) {
+	mkDeviceSession := func(sessionID, deviceType, deviceCredentialID string) *session.Session {
+		return &session.Session{
+			Id: sessionID,
+			DeviceCredentials: []*session.Session_DeviceCredential{
+				{TypeId: deviceType, Credential: &session.Session_DeviceCredential_Id{Id: deviceCredentialID}},
+			},
+		}
+	}
+
+	t.Run("no session", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        is: dc1
+`, []dataBrokerRecord{}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{false, A{ReasonUserUnauthenticated}, M{"device_type": "default"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("no device credential", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        is: dc1
+`, []dataBrokerRecord{
+			mkDeviceSession("s1", "default", "dc1"),
+		}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{false, A{ReasonDeviceUnauthenticated}, M{"device_type": "default"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("allowed by is", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        is: dc1
+`, []dataBrokerRecord{
+			mkDeviceSession("s1", "default", "dc1"),
+			&device.Credential{Id: "dc1", EnrollmentId: "de1"},
+			&device.Enrollment{Id: "de1"},
+		}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{true, A{ReasonDeviceOK}, M{"device_type": "default"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("not allowed by is", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        is: dc2
+`, []dataBrokerRecord{
+			mkDeviceSession("s1", "default", "dc1"),
+			&device.Credential{Id: "dc1", EnrollmentId: "de1"},
+			&device.Enrollment{Id: "de1"},
+			&device.Credential{Id: "dc2", EnrollmentId: "de2"},
+			&device.Enrollment{Id: "de2"},
+		}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{false, A{ReasonDeviceUnauthorized}, M{"device_type": "default"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("allowed by approved", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        approved: true
+`, []dataBrokerRecord{
+			mkDeviceSession("s1", "default", "dc1"),
+			&device.Credential{Id: "dc1", EnrollmentId: "de1"},
+			&device.Enrollment{Id: "de1", ApprovedBy: "u1"},
+		}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{true, A{ReasonDeviceOK}, M{"device_type": "default"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("not allowed by approved", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        approved: true
+`, []dataBrokerRecord{
+			mkDeviceSession("s1", "default", "dc1"),
+			&device.Credential{Id: "dc1", EnrollmentId: "de1"},
+			&device.Enrollment{Id: "de1"},
+		}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{false, A{ReasonDeviceUnauthorized}, M{"device_type": "default"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("allowed by not approved", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        approved: false
+`, []dataBrokerRecord{
+			mkDeviceSession("s1", "default", "dc1"),
+			&device.Credential{Id: "dc1", EnrollmentId: "de1"},
+			&device.Enrollment{Id: "de1"},
+		}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{true, A{ReasonDeviceOK}, M{"device_type": "default"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("not allowed by not approved", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        approved: false
+`, []dataBrokerRecord{
+			mkDeviceSession("s1", "default", "dc1"),
+			&device.Credential{Id: "dc1", EnrollmentId: "de1"},
+			&device.Enrollment{Id: "de1", ApprovedBy: "u1"},
+		}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{false, A{ReasonDeviceUnauthorized}, M{"device_type": "default"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("allowed by type", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        type: t1
+`, []dataBrokerRecord{
+			mkDeviceSession("s1", "t1", "dc1"),
+			&device.Credential{Id: "dc1", EnrollmentId: "de1", TypeId: "t1"},
+			&device.Enrollment{Id: "de1", ApprovedBy: "u1"},
+		}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{true, A{ReasonDeviceOK}, M{"device_type": "t1"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("not allowed by type", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - device:
+        type: t2
+`, []dataBrokerRecord{
+			mkDeviceSession("s1", "t1", "dc1"),
+			&device.Credential{Id: "dc1", EnrollmentId: "de1", TypeId: "t1"},
+			&device.Enrollment{Id: "de1", ApprovedBy: "u1"},
+		}, Input{Session: InputSession{ID: "s1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{false, A{ReasonDeviceUnauthenticated}, M{"device_type": "t2"}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+}