3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-12 16:47:41 +02:00
Code Issues Projects Releases Packages Wiki Activity

Decouple audience claim value from issuer format (#5345)

Browse source
This commit is contained in:
Joe Kralicky 2024-10-25 16:21:19 -04:00 committed by GitHub
parent fe31799eb5
commit 4f0ff35b4c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 37 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

2
authorize/evaluator/headers_evaluator.go
View file

@ -22,6 +22,7 @@ type HeadersRequest struct {
EnableGoogleCloudServerlessAuthentication bool `json:"enable_google_cloud_serverless_authentication"` EnableGoogleCloudServerlessAuthentication bool `json:"enable_google_cloud_serverless_authentication"`
EnableRoutingKey bool `json:"enable_routing_key"` EnableRoutingKey bool `json:"enable_routing_key"`
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
Audience string `json:"audience"`
KubernetesServiceAccountToken string `json:"kubernetes_service_account_token"` KubernetesServiceAccountToken string `json:"kubernetes_service_account_token"`
ToAudience string `json:"to_audience"` ToAudience string `json:"to_audience"`
Session RequestSession `json:"session"` Session RequestSession `json:"session"`
@ -32,6 +33,7 @@ type HeadersRequest struct {
// NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy. // NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) (*HeadersRequest, error) { func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) (*HeadersRequest, error) {
input := new(HeadersRequest) input := new(HeadersRequest)
input.Audience = http.Hostname
var issuerFormat string var issuerFormat string
if policy != nil { if policy != nil {
issuerFormat = policy.JWTIssuerFormat issuerFormat = policy.JWTIssuerFormat

43
authorize/evaluator/headers_evaluator_test.go
View file

@ -46,6 +46,7 @@ func TestNewHeadersRequestFromPolicy(t *testing.T) {
assert.Equal(t, &HeadersRequest{ assert.Equal(t, &HeadersRequest{
EnableGoogleCloudServerlessAuthentication: true, EnableGoogleCloudServerlessAuthentication: true,
Issuer: "from.example.com", Issuer: "from.example.com",
Audience: "from.example.com",
ToAudience: "https://to.example.com", ToAudience: "https://to.example.com",
ClientCertificate: ClientCertificateInfo{ ClientCertificate: ClientCertificateInfo{
Leaf: "--- FAKE CERTIFICATE ---", Leaf: "--- FAKE CERTIFICATE ---",
@ -64,14 +65,30 @@ func TestNewHeadersRequestFromPolicy_IssuerFormat(t *testing.T) {
}, },
} }
for _, tc := range []struct { for _, tc := range []struct {
format string format string
expected string expectedIssuer string
err string expectedAudience string
err string
}{ }{
{format: "", expected: "from.example.com"}, {
{format: "hostOnly", expected: "from.example.com"}, format: "",
{format: "uri", expected: "https://from.example.com/"}, expectedIssuer: "from.example.com",
{format: "foo", err: `invalid issuer format: "foo"`}, expectedAudience: "from.example.com",
},
{
format: "hostOnly",
expectedIssuer: "from.example.com",
expectedAudience: "from.example.com",
},
{
format: "uri",
expectedIssuer: "https://from.example.com/",
expectedAudience: "from.example.com",
},
{
format: "foo",
err: `invalid issuer format: "foo"`,
},
} { } {
policy.JWTIssuerFormat = tc.format policy.JWTIssuerFormat = tc.format
req, err := NewHeadersRequestFromPolicy(policy, RequestHTTP{ req, err := NewHeadersRequestFromPolicy(policy, RequestHTTP{
@ -85,7 +102,8 @@ func TestNewHeadersRequestFromPolicy_IssuerFormat(t *testing.T) {
} else { } else {
assert.Equal(t, &HeadersRequest{ assert.Equal(t, &HeadersRequest{
EnableGoogleCloudServerlessAuthentication: true, EnableGoogleCloudServerlessAuthentication: true,
Issuer: tc.expected, Issuer: tc.expectedIssuer,
Audience: tc.expectedAudience,
ToAudience: "https://to.example.com", ToAudience: "https://to.example.com",
ClientCertificate: ClientCertificateInfo{ ClientCertificate: ClientCertificateInfo{
Leaf: "--- FAKE CERTIFICATE ---", Leaf: "--- FAKE CERTIFICATE ---",
@ -98,7 +116,8 @@ func TestNewHeadersRequestFromPolicy_IssuerFormat(t *testing.T) {
func TestNewHeadersRequestFromPolicy_nil(t *testing.T) { func TestNewHeadersRequestFromPolicy_nil(t *testing.T) {
req, _ := NewHeadersRequestFromPolicy(nil, RequestHTTP{Hostname: "from.example.com"}) req, _ := NewHeadersRequestFromPolicy(nil, RequestHTTP{Hostname: "from.example.com"})
assert.Equal(t, &HeadersRequest{ assert.Equal(t, &HeadersRequest{
Issuer: "from.example.com", Issuer: "from.example.com",
Audience: "from.example.com",
}, req) }, req)
} }
@ -142,6 +161,7 @@ func TestHeadersEvaluator(t *testing.T) {
}, },
&HeadersRequest{ &HeadersRequest{
Issuer: "from.example.com", Issuer: "from.example.com",
Audience: "from.example.com",
ToAudience: "to.example.com", ToAudience: "to.example.com",
Session: RequestSession{ Session: RequestSession{
ID: "s1", ID: "s1",
@ -197,6 +217,7 @@ func TestHeadersEvaluator(t *testing.T) {
}, },
&HeadersRequest{ &HeadersRequest{
Issuer: "from.example.com", Issuer: "from.example.com",
Audience: "from.example.com",
ToAudience: "to.example.com", ToAudience: "to.example.com",
Session: RequestSession{ID: "s1"}, Session: RequestSession{ID: "s1"},
SetRequestHeaders: map[string]string{ SetRequestHeaders: map[string]string{
@ -239,6 +260,7 @@ func TestHeadersEvaluator(t *testing.T) {
}, },
&HeadersRequest{ &HeadersRequest{
Issuer: "from.example.com", Issuer: "from.example.com",
Audience: "from.example.com",
ToAudience: "to.example.com", ToAudience: "to.example.com",
Session: RequestSession{ID: "s1"}, Session: RequestSession{ID: "s1"},
SetRequestHeaders: map[string]string{ SetRequestHeaders: map[string]string{
@ -261,6 +283,7 @@ func TestHeadersEvaluator(t *testing.T) {
}, },
&HeadersRequest{ &HeadersRequest{
Issuer: "from.example.com", Issuer: "from.example.com",
Audience: "from.example.com",
ToAudience: "to.example.com", ToAudience: "to.example.com",
Session: RequestSession{ID: "s1"}, Session: RequestSession{ID: "s1"},
SetRequestHeaders: map[string]string{ SetRequestHeaders: map[string]string{
@ -276,6 +299,7 @@ func TestHeadersEvaluator(t *testing.T) {
output, err := eval(t, nil, output, err := eval(t, nil,
&HeadersRequest{ &HeadersRequest{
Issuer: "from.example.com", Issuer: "from.example.com",
Audience: "from.example.com",
ToAudience: "to.example.com", ToAudience: "to.example.com",
SetRequestHeaders: map[string]string{ SetRequestHeaders: map[string]string{
"fingerprint": "${pomerium.client_cert_fingerprint}", "fingerprint": "${pomerium.client_cert_fingerprint}",
@ -296,6 +320,7 @@ func TestHeadersEvaluator(t *testing.T) {
}, },
&HeadersRequest{ &HeadersRequest{
Issuer: "from.example.com", Issuer: "from.example.com",
Audience: "from.example.com",
ToAudience: "to.example.com", ToAudience: "to.example.com",
KubernetesServiceAccountToken: "TOKEN", KubernetesServiceAccountToken: "TOKEN",
Session: RequestSession{ID: "s1"}, Session: RequestSession{ID: "s1"},

2
authorize/evaluator/opa/policy/headers.rego
View file

@ -74,7 +74,7 @@ jwt_headers := {
} }
jwt_payload_aud := v if { jwt_payload_aud := v if {
v := input.issuer v := input.audience
} else := "" } else := ""
jwt_payload_iss := v if { jwt_payload_iss := v if {