authorize: get claims from signed jwt (#954)

authorize: get claims from signed jwt When doing databroker refactoring, all claims information were moved to signed JWT instead of raw session JWT. But we are still looking for claims info in raw session JWT, causes all X-Pomerium-Claim-* headers being gone. Fix this by looking for information from signed JWT instead. Note that even with this fix, the X-Pomerium-Claim-Groups is still not present, but it's another bug (see #941) and will be fixed later. Fixes #936
2025-06-01 02:12:50 +02:00 · 2020-06-22 09:51:32 +07:00 · 2020-06-22 09:51:32 +07:00 · 4a3fb5d44b
commit 4a3fb5d44b
parent fbce3dd359
5 changed files with 70 additions and 31 deletions
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@ -2,10 +2,14 @@ package evaluator

 import (
 	"encoding/json"
+	"net/http"
+	"net/url"
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

+	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/grpc/directory"
 )

@ -65,3 +69,31 @@ func TestJSONMarshal(t *testing.T) {
 		"is_valid_client_certificate": true
 	}`, string(bs))
 }
+
+func TestEvaluator_SignedJWT(t *testing.T) {
+	opt := config.NewDefaultOptions()
+	opt.AuthenticateURL = mustParseURL("https://authenticate.example.com")
+	e, err := New(opt)
+	require.NoError(t, err)
+	req := &Request{
+		HTTP: RequestHTTP{
+			Method: http.MethodGet,
+			URL:    "https://example.com",
+		},
+	}
+	signedJWT, err := e.SignedJWT(req)
+	require.NoError(t, err)
+	assert.NotEmpty(t, signedJWT)
+
+	payload, err := e.ParseSignedJWT(signedJWT)
+	require.NoError(t, err)
+	assert.NotEmpty(t, payload)
+}
+
+func mustParseURL(str string) *url.URL {
+	u, err := url.Parse(str)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}