Mirror of https://github.com/pomerium/pomerium.git, synced 2025-07-22 19:18:01 +02:00
authorize/evaluator/opa/policy: fix allow rules with impersonate (#1094)
Currently, with an impersonated request, the real user email/group still has effect. Example:

    data.route_policies as [{ "source": "example.com", "allowed_users": ["x@example.com"] }]
    with input.databroker_data as { "session": { "user_id": "user1" }, "user": { "email": "x@example.com" } }
    with input.http as { "url": "http://example.com" }
    with input.session as { "id": "session1", "impersonate_email": "y@example.com" }

Here user "x@example.com" is allowed, but was impersonated as "y@example.com". As the rules indicate, the request must be denied, because it only allows "x@example.com", not "y@example.com". The current bug causes the request to still be allowed. To fix it, when evaluating rules for allowed email/group/domain, we must check that the impersonate email/groups are not set/empty.

Fixes #1091
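The bug and the fix described above, modelled in Python as an added example (this is not Pomerium's Rego policy or project code). It assumes a simplified host-only route match and a companion rule that allows the impersonated email only when that email is itself listed in allowed_users; both are assumptions, not taken from the commit.

```python
from urllib.parse import urlparse

# Constructed inputs, copied from the example in the commit message.
ROUTE_POLICIES = [{"source": "example.com", "allowed_users": ["x@example.com"]}]
DATABROKER_DATA = {"session": {"user_id": "user1"}, "user": {"email": "x@example.com"}}
HTTP = {"url": "http://example.com"}
SESSION = {"id": "session1", "impersonate_email": "y@example.com"}


def route_matches(url: str, source: str) -> bool:
    # Assumption: host-only match; Pomerium's real route matching is richer.
    return urlparse(url).hostname == source


def allowed_by_user_rule(policy: dict, databroker_data: dict, session: dict, fixed: bool) -> bool:
    """The allowed_users rule for the real (authenticated) user.

    fixed=False reproduces the bug: the real user's email grants access even
    while an impersonation is active.  fixed=True applies the commit's fix:
    the rule only fires when impersonate_email is unset or empty.
    """
    real_email = databroker_data.get("user", {}).get("email", "")
    impersonating = bool(session.get("impersonate_email"))
    if fixed and impersonating:
        return False
    return real_email in policy.get("allowed_users", [])


def allowed_by_impersonate_rule(policy: dict, session: dict) -> bool:
    """Assumed companion rule: the impersonated identity must itself be allowed."""
    impersonated = session.get("impersonate_email", "")
    return bool(impersonated) and impersonated in policy.get("allowed_users", [])


def allow(route_policies: list, databroker_data: dict, http: dict, session: dict, fixed: bool) -> bool:
    """Overall decision: any matching route policy with a satisfied rule allows."""
    for policy in route_policies:
        if not route_matches(http["url"], policy["source"]):
            continue
        if allowed_by_user_rule(policy, databroker_data, session, fixed):
            return True
        if allowed_by_impersonate_rule(policy, session):
            return True
    return False
```

With the commit's own input, `allow(..., fixed=False)` returns True (the bug) and `allow(..., fixed=True)` returns False, while a session with no impersonation is still allowed for x@example.com.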
parent 59c17fb497
commit 408f201d16
5 changed files with 163 additions and 6 deletions