mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 10:56:28 +02:00
evaluator: use impersonate groups if impersonate email is set (#1701)
This commit is contained in:
Caleb Doxsey
GitHub
parent
c367498fbc
commit
4eec2ed1d5
3 changed files with 13 additions and 10 deletions
|
|
@ -14,6 +14,8 @@ all_allowed_groups := get_allowed_groups(route_policy)
|
|||
all_allowed_users := get_allowed_users(route_policy)
|
||||
all_allowed_idp_claims := get_allowed_idp_claims(route_policy)
|
||||
|
||||
is_impersonating := count(input.session.impersonate_email) > 0
|
||||
|
||||
# allow public
|
||||
allow {
|
||||
route_policy.AllowPublicUnauthenticatedAccess == true
|
||||
|
|
@ -35,25 +37,27 @@ allow {
|
|||
|
||||
# allow by email
|
||||
allow {
|
||||
not is_impersonating
|
||||
user.email == all_allowed_users[_]
|
||||
input.session.impersonate_email == ""
|
||||
}
|
||||
|
||||
# allow group
|
||||
allow {
|
||||
not is_impersonating
|
||||
some group
|
||||
groups[_] = group
|
||||
all_allowed_groups[_] = group
|
||||
input.session.impersonate_groups == null
|
||||
}
|
||||
|
||||
# allow by impersonate email
|
||||
allow {
|
||||
is_impersonating
|
||||
all_allowed_users[_] = input.session.impersonate_email
|
||||
}
|
||||
|
||||
# allow by impersonate group
|
||||
allow {
|
||||
is_impersonating
|
||||
some group
|
||||
input.session.impersonate_groups[_] = group
|
||||
all_allowed_groups[_] = group
|
||||
|
|
@ -61,13 +65,14 @@ allow {
|
|||
|
||||
# allow by domain
|
||||
allow {
|
||||
not is_impersonating
|
||||
some domain
|
||||
email_in_domain(user.email, all_allowed_domains[domain])
|
||||
input.session.impersonate_email == ""
|
||||
}
|
||||
|
||||
# allow by impersonate domain
|
||||
allow {
|
||||
is_impersonating
|
||||
some domain
|
||||
email_in_domain(input.session.impersonate_email, all_allowed_domains[domain])
|
||||
}
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ test_group_allowed {
|
|||
"groups": ["1"]
|
||||
} with
|
||||
input.http as { "url": "http://example.com" } with
|
||||
input.session as { "id": "session1", "impersonate_groups": null }
|
||||
input.session as { "id": "session1" }
|
||||
}
|
||||
|
||||
test_impersonate_groups_not_allowed {
|
||||
|
|
@ -86,12 +86,10 @@ test_impersonate_groups_not_allowed {
|
|||
"user": {
|
||||
"email": "x@example.com"
|
||||
},
|
||||
"directory_user": {
|
||||
"groups": ["1"]
|
||||
}
|
||||
"groups": ["1"]
|
||||
} with
|
||||
input.http as { "url": "http://example.com" } with
|
||||
input.session as { "id": "session1", "impersonate_groups": ["2"] }
|
||||
input.session as { "id": "session1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"] }
|
||||
}
|
||||
|
||||
test_impersonate_groups_allowed {
|
||||
|
|
@ -112,7 +110,7 @@ test_impersonate_groups_allowed {
|
|||
}
|
||||
} with
|
||||
input.http as { "url": "http://example.com" } with
|
||||
input.session as { "id": "session1", "impersonate_groups": ["2"] }
|
||||
input.session as { "id": "session1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"] }
|
||||
}
|
||||
|
||||
test_domain_allowed {
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
Loading…
Add table
Reference in a new issue