authorize/evaluator/opa/policy: fix allow rules with impersonate (#1094)

Currently, with impersonated request, the real user email/group still has effects. Example: data.route_policies as [{ "source": "example.com", "allowed_users": ["x@example.com"] }] with input.databroker_data as { "session": { "user_id": "user1" }, "user": { "email": "x@example.com" } } with input.http as { "url": "http://example.com" } with input.session as { "id": "session1", "impersonate_email": "y@example.com" } Here user "x@example.com" is allowed, but was impersonated as "y@example.com". As the rules indicated, the request must be denied, because it only allows "x@example.com", not "y@example.com". The current bug causes the request is still allowed. To fix it, when evaluates rules for allowed email/group/domain, we must checking that the impersonate email/groups is not set/empty. Fixes #1091
2025-08-02 16:30:17 +02:00 · 2020-07-17 22:07:11 +07:00 · 2020-07-17 22:07:11 +07:00 · 408f201d16
commit 408f201d16
parent 59c17fb497
5 changed files with 163 additions and 6 deletions
--- a/authorize/evaluator/opa/policy/authz.rego
+++ b/authorize/evaluator/opa/policy/authz.rego
@ -26,6 +26,7 @@ allow {
 # allow by email
 allow {
 	user.email == route_policy.allowed_users[_]
+	input.session.impersonate_email == ""
 }

 # allow group
@ -33,6 +34,7 @@ allow {
 	some group
 	directory_user.groups[_] = group
 	route_policy.allowed_groups[_] = group
+	input.session.impersonate_groups == null
 }

 # allow by impersonate email
@ -51,6 +53,7 @@ allow {
 allow {
 	some domain
 	email_in_domain(user.email, route_policy.allowed_domains[domain])
+	input.session.impersonate_email == ""
 }

 # allow by impersonate domain
--- a/authorize/evaluator/opa/policy/authz_test.rego
+++ b/authorize/evaluator/opa/policy/authz_test.rego
@ -8,14 +8,167 @@ test_email_allowed {
 		}] with
 		input.databroker_data as {
 			"session": {
-                "user_id": "user1"
-            },
+				"user_id": "user1"
+			},
 			"user": {
 				"email": "x@example.com"
 			}
 		} with
 		input.http as { "url": "http://example.com" } with
-		input.session as { "id": "session1" }
+		input.session as { "id": "session1", "impersonate_email": "" }
+}
+
+test_impersonate_email_not_allowed {
+	not allow with
+		data.route_policies as [{
+			"source": "example.com",
+			"allowed_users": ["x@example.com"]
+		}] with
+		input.databroker_data as {
+			"session": {
+				"user_id": "user1"
+			},
+			"user": {
+				"email": "x@example.com"
+			}
+		} with
+		input.http as { "url": "http://example.com" } with
+		input.session as { "id": "session1", "impersonate_email": "y@example.com" }
+}
+
+test_impersonate_email_allowed {
+	allow with
+		data.route_policies as [{
+			"source": "example.com",
+			"allowed_users": ["y@example.com"]
+		}] with
+		input.databroker_data as {
+			"session": {
+				"user_id": "user1"
+			},
+			"user": {
+				"email": "x@example.com"
+			}
+		} with
+		input.http as { "url": "http://example.com" } with
+		input.session as { "id": "session1", "impersonate_email": "y@example.com" }
+}
+
+test_group_allowed {
+	allow with
+		data.route_policies as [{
+			"source": "example.com",
+			"allowed_groups": ["1"]
+		}] with
+		input.databroker_data as {
+			"session": {
+				"user_id": "user1"
+			},
+			"user": {
+				"email": "x@example.com",
+			},
+			"directory_user": {
+			    "groups": ["1"]
+			}
+		} with
+		input.http as { "url": "http://example.com" } with
+		input.session as { "id": "session1", "impersonate_groups": null }
+}
+
+test_impersonate_groups_not_allowed {
+	not allow with
+		data.route_policies as [{
+			"source": "example.com",
+			"allowed_groups": ["1"]
+		}] with
+		input.databroker_data as {
+			"session": {
+				"user_id": "user1"
+			},
+			"user": {
+				"email": "x@example.com"
+			},
+			"directory_user": {
+			    "groups": ["1"]
+			}
+		} with
+		input.http as { "url": "http://example.com" } with
+		input.session as { "id": "session1", "impersonate_groups": ["2"] }
+}
+
+test_impersonate_groups_allowed {
+	allow with
+		data.route_policies as [{
+			"source": "example.com",
+			"allowed_groups": ["2"]
+		}] with
+		input.databroker_data as {
+			"session": {
+				"user_id": "user1"
+			},
+			"user": {
+				"email": "x@example.com"
+			},
+			"directory_user": {
+			    "groups": ["1"]
+			}
+		} with
+		input.http as { "url": "http://example.com" } with
+		input.session as { "id": "session1", "impersonate_groups": ["2"] }
+}
+
+test_domain_allowed {
+	allow with
+		data.route_policies as [{
+			"source": "example.com",
+			"allowed_domains": ["example.com"]
+		}] with
+		input.databroker_data as {
+			"session": {
+				"user_id": "user1"
+			},
+			"user": {
+				"email": "x@example.com"
+			}
+		} with
+		input.http as { "url": "http://example.com" } with
+		input.session as { "id": "session1", "impersonate_email": "" }
+}
+
+test_impersonate_domain_not_allowed {
+	not allow with
+		data.route_policies as [{
+			"source": "example.com",
+			"allowed_domains": ["example.com"]
+		}] with
+		input.databroker_data as {
+			"session": {
+				"user_id": "user1"
+			},
+			"user": {
+				"email": "x@example.com"
+			}
+		} with
+		input.http as { "url": "http://example.com" } with
+		input.session as { "id": "session1", "impersonate_email": "y@example1.com" }
+}
+
+test_impersonate_domain_allowed {
+	allow with
+		data.route_policies as [{
+			"source": "example.com",
+			"allowed_domains": ["example1.com"]
+		}] with
+		input.databroker_data as {
+			"session": {
+				"user_id": "user1"
+			},
+			"user": {
+				"email": "x@example.com"
+			}
+		} with
+		input.http as { "url": "http://example.com" } with
+		input.session as { "id": "session1", "impersonate_email": "y@example1.com" }
 }

 test_example {
--- a/authorize/evaluator/opa/policy/statik.go
+++ b/authorize/evaluator/opa/policy/statik.go