opa: format rego files (#1845)

* opa: format rego files

* statik
This commit is contained in:
Caleb Doxsey 2021-02-01 15:43:08 -07:00 committed by GitHub
parent b7f0242090
commit 655951cfa1
3 changed files with 241 additions and 309 deletions


@ -2,16 +2,22 @@ package pomerium.authz
default allow = false
route_policy_idx := first_allowed_route_policy_idx(input.http.url)
route_policy := data.route_policies[route_policy_idx]
session := input.databroker_data.session
user := input.databroker_data.user
groups := input.databroker_data.groups
all_allowed_domains := get_allowed_domains(route_policy)
all_allowed_groups := get_allowed_groups(route_policy)
all_allowed_users := get_allowed_users(route_policy)
all_allowed_idp_claims := get_allowed_idp_claims(route_policy)
is_impersonating := count(session.impersonate_email) > 0
@ -31,8 +37,8 @@ allow {
# allow any authenticated user
allow {
route_policy.AllowAnyAuthenticatedUser == true
session.user_id != ""
route_policy.AllowAnyAuthenticatedUser == true
session.user_id != ""
}
# allow by email
@ -79,10 +85,11 @@ allow {
# allow by arbitrary idp claims
allow {
are_claims_allowed(all_allowed_idp_claims[_], session.claims)
are_claims_allowed(all_allowed_idp_claims[_], session.claims)
}
allow {
are_claims_allowed(all_allowed_idp_claims[_], user.claims)
are_claims_allowed(all_allowed_idp_claims[_], user.claims)
}
# allow pomerium urls
@ -101,7 +108,7 @@ first_allowed_route_policy_idx(input_url) = first_policy_idx {
first_policy_idx := [idx | some idx, policy; policy = data.route_policies[idx]; allowed_route(input.http.url, policy)][0]
}
allowed_route(input_url, policy){
allowed_route(input_url, policy) {
input_url_obj := parse_url(input_url)
allowed_route_source(input_url_obj, policy)
allowed_route_prefix(input_url_obj, policy)
@ -112,6 +119,7 @@ allowed_route(input_url, policy){
allowed_route_source(input_url_obj, policy) {
object.get(policy, "source", "") == ""
}
allowed_route_source(input_url_obj, policy) {
object.get(policy, "source", "") != ""
source_url_obj := parse_url(policy.source)
@ -121,6 +129,7 @@ allowed_route_source(input_url_obj, policy) {
allowed_route_prefix(input_url_obj, policy) {
object.get(policy, "prefix", "") == ""
}
allowed_route_prefix(input_url_obj, policy) {
object.get(policy, "prefix", "") != ""
startswith(input_url_obj.path, policy.prefix)
@ -129,6 +138,7 @@ allowed_route_prefix(input_url_obj, policy) {
allowed_route_path(input_url_obj, policy) {
object.get(policy, "path", "") == ""
}
allowed_route_path(input_url_obj, policy) {
object.get(policy, "path", "") != ""
policy.path == input_url_obj.path
@ -137,21 +147,22 @@ allowed_route_path(input_url_obj, policy) {
allowed_route_regex(input_url_obj, policy) {
object.get(policy, "regex", "") == ""
}
allowed_route_regex(input_url_obj, policy) {
object.get(policy, "regex", "") != ""
re_match(policy.regex, input_url_obj.path)
}
parse_url(str) = { "scheme": scheme, "host": host, "path": path } {
[_, scheme, host, rawpath] = regex.find_all_string_submatch_n(
`(?:((?:tcp[+])?http[s]?)://)?([^/]+)([^?#]*)`,
str, 1)[0]
parse_url(str) = {"scheme": scheme, "host": host, "path": path} {
[_, scheme, host, rawpath] = regex.find_all_string_submatch_n(`(?:((?:tcp[+])?http[s]?)://)?([^/]+)([^?#]*)`, str, 1)[0]
path = normalize_url_path(rawpath)
}
normalize_url_path(str) = "/" {
str == ""
}
normalize_url_path(str) = str {
str != ""
}
@ -163,45 +174,33 @@ email_in_domain(email, domain) {
}
element_in_list(list, elem) {
list[_] = elem
list[_] = elem
}
get_allowed_users(policy) = v {
sub_allowed_users = [sp.allowed_users | sp := policy.sub_policies[_]]
v := { x | x = array.concat(
policy.allowed_users,
[u | u := policy.sub_policies[_].allowed_users[_]]
)[_] }
sub_allowed_users = [sp.allowed_users | sp := policy.sub_policies[_]]
v := {x | x = array.concat(policy.allowed_users, [u | u := policy.sub_policies[_].allowed_users[_]])[_]}
}
get_allowed_domains(policy) = v {
v := { x | x = array.concat(
policy.allowed_domains,
[u | u := policy.sub_policies[_].allowed_domains[_]]
)[_] }
v := {x | x = array.concat(policy.allowed_domains, [u | u := policy.sub_policies[_].allowed_domains[_]])[_]}
}
get_allowed_groups(policy) = v {
v := { x | x = array.concat(
policy.allowed_groups,
[u | u := policy.sub_policies[_].allowed_groups[_]]
)[_] }
v := {x | x = array.concat(policy.allowed_groups, [u | u := policy.sub_policies[_].allowed_groups[_]])[_]}
}
get_allowed_idp_claims(policy) = v {
v := array.concat(
[policy.allowed_idp_claims],
[u | u := policy.sub_policies[_].allowed_idp_claims]
)
v := array.concat([policy.allowed_idp_claims], [u | u := policy.sub_policies[_].allowed_idp_claims])
}
are_claims_allowed(a, b) {
is_object(a)
is_object(b)
avs := a[ak]
bvs := object.get(b, ak, null)
is_object(a)
is_object(b)
avs := a[ak]
bvs := object.get(b, ak, null)
is_array(avs)
is_array(bvs)
avs[_] == bvs[_]
is_array(avs)
is_array(bvs)
avs[_] == bvs[_]
}
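Review bot: `first_allowed_route_policy_idx(input_url)` in the `@ -101,7 +108,7 @@` hunk declares an `input_url` parameter but the comprehension calls `allowed_route(input.http.url, policy)`, so the argument is ignored and route selection silently depends on the global `input`; the reformat leaves that in place. Passing the parameter through, `allowed_route(input_url, policy)`, keeps the function pure and lets it be unit-tested with arbitrary URLs, which matters for the check that picks which policy applies. Separately, `allowed_route_regex` in the `@ -137,21 +147,22 @@` hunk relies on `re_match(policy.regex, input_url_obj.path)`, which is unanchored, so a comment such as `# re_match is unanchored: the pattern matches if it occurs anywhere in the path; use ^...$ in the policy for a full-path match` would prevent a maintainer from assuming a whole-path comparison. The bodies of several rules here start or end outside the hunks shown.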


@ -1,283 +1,220 @@
package pomerium.authz
test_email_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"allowed_users": ["x@example.com"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1"
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
allow with data.route_policies as [{
"source": "example.com",
"allowed_users": ["x@example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1"},
"user": {"email": "x@example.com"},
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_impersonate_email_not_allowed {
not allow with
data.route_policies as [{
"source": "example.com",
"allowed_users": ["x@example.com"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1", "impersonate_email": "y@example.com"
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
not allow with data.route_policies as [{
"source": "example.com",
"allowed_users": ["x@example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
"user": {"email": "x@example.com"},
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_impersonate_email_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"allowed_users": ["y@example.com"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1", "impersonate_email": "y@example.com"
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
allow with data.route_policies as [{
"source": "example.com",
"allowed_users": ["y@example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
"user": {"email": "x@example.com"},
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_group_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"allowed_groups": ["1"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1"
},
"user": {
"email": "x@example.com",
},
"groups": ["1"]
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
allow with data.route_policies as [{
"source": "example.com",
"allowed_groups": ["1"],
}]
with input.databroker_data as {
"session": {"user_id": "user1"},
"user": {"email": "x@example.com"},
"groups": ["1"],
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_impersonate_groups_not_allowed {
not allow with
data.route_policies as [{
"source": "example.com",
"allowed_groups": ["1"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]
},
"user": {
"email": "x@example.com"
},
"groups": ["1"]
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
not allow with data.route_policies as [{
"source": "example.com",
"allowed_groups": ["1"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
"user": {"email": "x@example.com"},
"groups": ["1"],
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_impersonate_groups_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"allowed_groups": ["2"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]
},
"user": {
"email": "x@example.com"
},
"directory_user": {
"groups": ["1"]
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
allow with data.route_policies as [{
"source": "example.com",
"allowed_groups": ["2"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
"user": {"email": "x@example.com"},
"directory_user": {"groups": ["1"]},
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_domain_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"allowed_domains": ["example.com"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1", "impersonate_email": ""
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
allow with data.route_policies as [{
"source": "example.com",
"allowed_domains": ["example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": ""},
"user": {"email": "x@example.com"},
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_impersonate_domain_not_allowed {
not allow with
data.route_policies as [{
"source": "example.com",
"allowed_domains": ["example.com"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1", "impersonate_email": "y@example1.com"
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
not allow with data.route_policies as [{
"source": "example.com",
"allowed_domains": ["example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
"user": {"email": "x@example.com"},
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_impersonate_domain_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"allowed_domains": ["example1.com"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1", "impersonate_email": "y@example1.com"
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
allow with data.route_policies as [{
"source": "example.com",
"allowed_domains": ["example1.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
"user": {"email": "x@example.com"},
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_idp_claims_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"allowed_idp_claims": {
"some.claim": ["a", "b"]
}
}] with
input.databroker_data as {
"session": {
"claims": {
"some.claim": ["b"]
}
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
allow with data.route_policies as [{
"source": "example.com",
"allowed_idp_claims": {"some.claim": ["a", "b"]},
}]
with input.databroker_data as {"session": {"claims": {"some.claim": ["b"]}}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_example {
not allow with
data.route_policies as [
{
"source": "http://example.com",
"path": "/a",
"allowed_domains": ["example.com"]
},
{
"source": "http://example.com",
"path": "/b",
"allowed_users": ["noone@pomerium.com"]
},
] with
input.http as { "url": "http://example.com/b" } with
input.user as { "id": "1", "email": "joe@example.com" }
not allow with data.route_policies as [
{
"source": "http://example.com",
"path": "/a",
"allowed_domains": ["example.com"],
},
{
"source": "http://example.com",
"path": "/b",
"allowed_users": ["noone@pomerium.com"],
},
]
with input.http as {"url": "http://example.com/b"}
with input.user as {"id": "1", "email": "joe@example.com"}
}
test_email_denied {
not allow with
data.route_policies as [{
"source": "example.com",
"allowed_users": ["bob@example.com"]
}] with
input.http as { "url": "http://example.com" } with
input.user as { "id": "1", "email": "joe@example.com" }
not allow with data.route_policies as [{
"source": "example.com",
"allowed_users": ["bob@example.com"],
}]
with input.http as {"url": "http://example.com"}
with input.user as {"id": "1", "email": "joe@example.com"}
}
test_public_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"AllowPublicUnauthenticatedAccess": true
}] with
input.http as { "url": "http://example.com" }
allow with data.route_policies as [{
"source": "example.com",
"AllowPublicUnauthenticatedAccess": true,
}]
with input.http as {"url": "http://example.com"}
}
test_public_denied {
not allow with
data.route_policies as [
{
"source": "example.com",
"prefix": "/by-user",
"allowed_users": ["bob@example.com"]
},
{
"source": "example.com",
"AllowPublicUnauthenticatedAccess": true
}
] with
input.http as {
"url": "http://example.com/by-user"
}
not allow with data.route_policies as [
{
"source": "example.com",
"prefix": "/by-user",
"allowed_users": ["bob@example.com"],
},
{
"source": "example.com",
"AllowPublicUnauthenticatedAccess": true,
},
]
with input.http as {"url": "http://example.com/by-user"}
}
test_pomerium_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"allowed_users": ["bob@example.com"]
}] with
input.http as { "url": "http://example.com/.pomerium/" }
allow with data.route_policies as [{
"source": "example.com",
"allowed_users": ["bob@example.com"],
}]
with input.http as {"url": "http://example.com/.pomerium/"}
}
test_cors_preflight_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"allowed_users": ["bob@example.com"],
"CORSAllowPreflight": true
}] with
input.http as {
allow with data.route_policies as [{
"source": "example.com",
"allowed_users": ["bob@example.com"],
"CORSAllowPreflight": true,
}]
with input.http as {
"method": "OPTIONS",
"url": "http://example.com/",
"headers": {
"Origin": ["someorigin"],
"Access-Control-Request-Method": ["GET"]
}
"Access-Control-Request-Method": ["GET"],
},
}
}
test_cors_preflight_denied {
not allow with
data.route_policies as [{
"source": "example.com",
"allowed_users": ["bob@example.com"]
}] with
input.http as {
not allow with data.route_policies as [{
"source": "example.com",
"allowed_users": ["bob@example.com"],
}]
with input.http as {
"method": "OPTIONS",
"url": "http://example.com/",
"headers": {
"Origin": ["someorigin"],
"Access-Control-Request-Method": ["GET"]
}
"Access-Control-Request-Method": ["GET"],
},
}
}
@ -326,72 +263,68 @@ test_allowed_route_regex {
test_sub_policy {
x := get_allowed_users({
"source": "example.com",
"allowed_users": ["u1", "u2"],
"sub_policies": [
{ "allowed_users": ["u1", "u3"] },
{ "allowed_users": ["u2", "u4"] }
]
})
"source": "example.com",
"allowed_users": ["u1", "u2"],
"sub_policies": [
{"allowed_users": ["u1", "u3"]},
{"allowed_users": ["u2", "u4"]},
],
})
x == {"u1", "u2", "u3", "u4"}
y := get_allowed_domains({
"source": "example.com",
"allowed_domains": ["d1", "d2"],
"sub_policies": [
{ "allowed_domains": ["d1", "d3"] },
{ "allowed_domains": ["d2", "d4"] }
]
})
"source": "example.com",
"allowed_domains": ["d1", "d2"],
"sub_policies": [
{"allowed_domains": ["d1", "d3"]},
{"allowed_domains": ["d2", "d4"]},
],
})
y == {"d1", "d2", "d3", "d4"}
z := get_allowed_groups({
"source": "example.com",
"allowed_groups": ["g1", "g2"],
"sub_policies": [
{ "allowed_groups": ["g1", "g3"] },
{ "allowed_groups": ["g2", "g4"] }
]
})
"source": "example.com",
"allowed_groups": ["g1", "g2"],
"sub_policies": [
{"allowed_groups": ["g1", "g3"]},
{"allowed_groups": ["g2", "g4"]},
],
})
z == {"g1", "g2", "g3", "g4"}
}
test_are_claims_allowed {
are_claims_allowed({"a": ["1"]}, {"a": ["1"]})
not are_claims_allowed({"a": ["2"]}, {"a": ["1"]})
are_claims_allowed({"a": ["1"]}, {"a": ["1"]})
not are_claims_allowed({"a": ["2"]}, {"a": ["1"]})
are_claims_allowed({"a": ["1", "2", "3"]}, {"a": ["1"]})
are_claims_allowed({"a": ["1"]}, {"a": ["1", "2", "3"]})
not are_claims_allowed({"a": ["4", "5", "6"]}, {"a": ["1"]})
are_claims_allowed({"a": ["1", "2", "3"]}, {"a": ["1"]})
are_claims_allowed({"a": ["1"]}, {"a": ["1", "2", "3"]})
not are_claims_allowed({"a": ["4", "5", "6"]}, {"a": ["1"]})
are_claims_allowed({"a.b.c": ["1"], "d.e.f": ["2"]}, {"d.e.f": ["2"]})
are_claims_allowed({"a.b.c": ["1"], "d.e.f": ["2"]}, {"d.e.f": ["2"]})
}
test_any_authenticated_user_allowed {
allow with
data.route_policies as [{
"source": "example.com",
"AllowAnyAuthenticatedUser": true
}] with
input.databroker_data as {
"session": {
"user_id": "user1"
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
allow with data.route_policies as [{
"source": "example.com",
"AllowAnyAuthenticatedUser": true,
}]
with input.databroker_data as {
"session": {"user_id": "user1"},
"user": {"email": "x@example.com"},
}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
test_any_authenticated_user_denied {
not allow with
data.route_policies as [{
"source": "example.com",
"AllowAnyAuthenticatedUser": true
}] with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1" }
not allow with data.route_policies as [{
"source": "example.com",
"AllowAnyAuthenticatedUser": true,
}]
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
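Review bot: `test_email_denied` and `test_example` supply the identity via `input.user`, while the policy file in this same commit reads `user := input.databroker_data.user` and `session := input.databroker_data.session`, so these negative tests appear to deny for lack of any recognized identity rather than because the email is absent from `allowed_users`, and would still pass if the email check were removed. The positive tests already use the `databroker_data` shape, so rewriting the two negative cases as `with input.databroker_data as {"session": {"user_id": "user1"}, "user": {"email": "joe@example.com"}}` would make them exercise the check their names describe. Whether the policy also honors `input.user` somewhere outside the hunks shown is not visible here, so confirm against the full authz.rego before changing them.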
