evaluator: use impersonate groups if impersonate email is set (#1701)

authorize/evaluator/opa/policy/authz.rego

@@ -14,6 +14,8 @@ all_allowed_groups := get_allowed_groups(route_policy)
 all_allowed_users := get_allowed_users(route_policy)
 all_allowed_idp_claims := get_allowed_idp_claims(route_policy)
 
+is_impersonating := count(input.session.impersonate_email) > 0
+
 # allow public
 allow {
 	route_policy.AllowPublicUnauthenticatedAccess == true
@@ -35,25 +37,27 @@ allow {
 
 # allow by email
 allow {
+	not is_impersonating
 	user.email == all_allowed_users[_]
-	input.session.impersonate_email == ""
 }
 
 # allow group
 allow {
+	not is_impersonating
 	some group
 	groups[_] = group
 	all_allowed_groups[_] = group
-	input.session.impersonate_groups == null
 }
 
 # allow by impersonate email
 allow {
+	is_impersonating
 	all_allowed_users[_] = input.session.impersonate_email
 }
 
 # allow by impersonate group
 allow {
+	is_impersonating
 	some group
 	input.session.impersonate_groups[_] = group
 	all_allowed_groups[_] = group
@@ -61,13 +65,14 @@ allow {
 
 # allow by domain
 allow {
+	not is_impersonating
 	some domain
 	email_in_domain(user.email, all_allowed_domains[domain])
-	input.session.impersonate_email == ""
 }
 
 # allow by impersonate domain
 allow {
+	is_impersonating
 	some domain
 	email_in_domain(input.session.impersonate_email, all_allowed_domains[domain])
 }

authorize/evaluator/opa/policy/authz_test.rego

@@ -70,7 +70,7 @@ test_group_allowed {
 			"groups": ["1"]
 		} with
 		input.http as { "url": "http://example.com" } with
-		input.session as { "id": "session1", "impersonate_groups": null }
+		input.session as { "id": "session1" }
 }
 
 test_impersonate_groups_not_allowed {
@@ -86,12 +86,10 @@ test_impersonate_groups_not_allowed {
 			"user": {
 				"email": "x@example.com"
 			},
-			"directory_user": {
 			"groups": ["1"]
-			}
 		} with
 		input.http as { "url": "http://example.com" } with
-		input.session as { "id": "session1", "impersonate_groups": ["2"] }
+		input.session as { "id": "session1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"] }
 }
 
 test_impersonate_groups_allowed {
@@ -112,7 +110,7 @@ test_impersonate_groups_allowed {
 			}
 		} with
 		input.http as { "url": "http://example.com" } with
-		input.session as { "id": "session1", "impersonate_groups": ["2"] }
+		input.session as { "id": "session1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"] }
 }
 
 test_domain_allowed {