mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-06 02:09:15 +02:00
Caleb Doxsey
GitHub
parent
b7f0242090
commit
655951cfa1
3 changed files with 241 additions and 309 deletions
|
|
@ -2,16 +2,22 @@ package pomerium.authz
|
||||||
|
|
||||||
default allow = false
|
default allow = false
|
||||||
|
|
||||||
|
|
||||||
route_policy_idx := first_allowed_route_policy_idx(input.http.url)
|
route_policy_idx := first_allowed_route_policy_idx(input.http.url)
|
||||||
|
|
||||||
route_policy := data.route_policies[route_policy_idx]
|
route_policy := data.route_policies[route_policy_idx]
|
||||||
|
|
||||||
session := input.databroker_data.session
|
session := input.databroker_data.session
|
||||||
|
|
||||||
user := input.databroker_data.user
|
user := input.databroker_data.user
|
||||||
|
|
||||||
groups := input.databroker_data.groups
|
groups := input.databroker_data.groups
|
||||||
|
|
||||||
all_allowed_domains := get_allowed_domains(route_policy)
|
all_allowed_domains := get_allowed_domains(route_policy)
|
||||||
|
|
||||||
all_allowed_groups := get_allowed_groups(route_policy)
|
all_allowed_groups := get_allowed_groups(route_policy)
|
||||||
|
|
||||||
all_allowed_users := get_allowed_users(route_policy)
|
all_allowed_users := get_allowed_users(route_policy)
|
||||||
|
|
||||||
all_allowed_idp_claims := get_allowed_idp_claims(route_policy)
|
all_allowed_idp_claims := get_allowed_idp_claims(route_policy)
|
||||||
|
|
||||||
is_impersonating := count(session.impersonate_email) > 0
|
is_impersonating := count(session.impersonate_email) > 0
|
||||||
|
|
@ -31,8 +37,8 @@ allow {
|
||||||
|
|
||||||
# allow any authenticated user
|
# allow any authenticated user
|
||||||
allow {
|
allow {
|
||||||
route_policy.AllowAnyAuthenticatedUser == true
|
route_policy.AllowAnyAuthenticatedUser == true
|
||||||
session.user_id != ""
|
session.user_id != ""
|
||||||
}
|
}
|
||||||
|
|
||||||
# allow by email
|
# allow by email
|
||||||
|
|
@ -79,10 +85,11 @@ allow {
|
||||||
|
|
||||||
# allow by arbitrary idp claims
|
# allow by arbitrary idp claims
|
||||||
allow {
|
allow {
|
||||||
are_claims_allowed(all_allowed_idp_claims[_], session.claims)
|
are_claims_allowed(all_allowed_idp_claims[_], session.claims)
|
||||||
}
|
}
|
||||||
|
|
||||||
allow {
|
allow {
|
||||||
are_claims_allowed(all_allowed_idp_claims[_], user.claims)
|
are_claims_allowed(all_allowed_idp_claims[_], user.claims)
|
||||||
}
|
}
|
||||||
|
|
||||||
# allow pomerium urls
|
# allow pomerium urls
|
||||||
|
|
@ -101,7 +108,7 @@ first_allowed_route_policy_idx(input_url) = first_policy_idx {
|
||||||
first_policy_idx := [idx | some idx, policy; policy = data.route_policies[idx]; allowed_route(input.http.url, policy)][0]
|
first_policy_idx := [idx | some idx, policy; policy = data.route_policies[idx]; allowed_route(input.http.url, policy)][0]
|
||||||
}
|
}
|
||||||
|
|
||||||
allowed_route(input_url, policy){
|
allowed_route(input_url, policy) {
|
||||||
input_url_obj := parse_url(input_url)
|
input_url_obj := parse_url(input_url)
|
||||||
allowed_route_source(input_url_obj, policy)
|
allowed_route_source(input_url_obj, policy)
|
||||||
allowed_route_prefix(input_url_obj, policy)
|
allowed_route_prefix(input_url_obj, policy)
|
||||||
|
|
@ -112,6 +119,7 @@ allowed_route(input_url, policy){
|
||||||
allowed_route_source(input_url_obj, policy) {
|
allowed_route_source(input_url_obj, policy) {
|
||||||
object.get(policy, "source", "") == ""
|
object.get(policy, "source", "") == ""
|
||||||
}
|
}
|
||||||
|
|
||||||
allowed_route_source(input_url_obj, policy) {
|
allowed_route_source(input_url_obj, policy) {
|
||||||
object.get(policy, "source", "") != ""
|
object.get(policy, "source", "") != ""
|
||||||
source_url_obj := parse_url(policy.source)
|
source_url_obj := parse_url(policy.source)
|
||||||
|
|
@ -121,6 +129,7 @@ allowed_route_source(input_url_obj, policy) {
|
||||||
allowed_route_prefix(input_url_obj, policy) {
|
allowed_route_prefix(input_url_obj, policy) {
|
||||||
object.get(policy, "prefix", "") == ""
|
object.get(policy, "prefix", "") == ""
|
||||||
}
|
}
|
||||||
|
|
||||||
allowed_route_prefix(input_url_obj, policy) {
|
allowed_route_prefix(input_url_obj, policy) {
|
||||||
object.get(policy, "prefix", "") != ""
|
object.get(policy, "prefix", "") != ""
|
||||||
startswith(input_url_obj.path, policy.prefix)
|
startswith(input_url_obj.path, policy.prefix)
|
||||||
|
|
@ -129,6 +138,7 @@ allowed_route_prefix(input_url_obj, policy) {
|
||||||
allowed_route_path(input_url_obj, policy) {
|
allowed_route_path(input_url_obj, policy) {
|
||||||
object.get(policy, "path", "") == ""
|
object.get(policy, "path", "") == ""
|
||||||
}
|
}
|
||||||
|
|
||||||
allowed_route_path(input_url_obj, policy) {
|
allowed_route_path(input_url_obj, policy) {
|
||||||
object.get(policy, "path", "") != ""
|
object.get(policy, "path", "") != ""
|
||||||
policy.path == input_url_obj.path
|
policy.path == input_url_obj.path
|
||||||
|
|
@ -137,21 +147,22 @@ allowed_route_path(input_url_obj, policy) {
|
||||||
allowed_route_regex(input_url_obj, policy) {
|
allowed_route_regex(input_url_obj, policy) {
|
||||||
object.get(policy, "regex", "") == ""
|
object.get(policy, "regex", "") == ""
|
||||||
}
|
}
|
||||||
|
|
||||||
allowed_route_regex(input_url_obj, policy) {
|
allowed_route_regex(input_url_obj, policy) {
|
||||||
object.get(policy, "regex", "") != ""
|
object.get(policy, "regex", "") != ""
|
||||||
re_match(policy.regex, input_url_obj.path)
|
re_match(policy.regex, input_url_obj.path)
|
||||||
}
|
}
|
||||||
|
|
||||||
parse_url(str) = { "scheme": scheme, "host": host, "path": path } {
|
parse_url(str) = {"scheme": scheme, "host": host, "path": path} {
|
||||||
[_, scheme, host, rawpath] = regex.find_all_string_submatch_n(
|
[_, scheme, host, rawpath] = regex.find_all_string_submatch_n(`(?:((?:tcp[+])?http[s]?)://)?([^/]+)([^?#]*)`, str, 1)[0]
|
||||||
`(?:((?:tcp[+])?http[s]?)://)?([^/]+)([^?#]*)`,
|
|
||||||
str, 1)[0]
|
|
||||||
path = normalize_url_path(rawpath)
|
path = normalize_url_path(rawpath)
|
||||||
}
|
}
|
||||||
|
|
||||||
normalize_url_path(str) = "/" {
|
normalize_url_path(str) = "/" {
|
||||||
str == ""
|
str == ""
|
||||||
}
|
}
|
||||||
|
|
||||||
normalize_url_path(str) = str {
|
normalize_url_path(str) = str {
|
||||||
str != ""
|
str != ""
|
||||||
}
|
}
|
||||||
|
|
@ -163,45 +174,33 @@ email_in_domain(email, domain) {
|
||||||
}
|
}
|
||||||
|
|
||||||
element_in_list(list, elem) {
|
element_in_list(list, elem) {
|
||||||
list[_] = elem
|
list[_] = elem
|
||||||
}
|
}
|
||||||
|
|
||||||
get_allowed_users(policy) = v {
|
get_allowed_users(policy) = v {
|
||||||
sub_allowed_users = [sp.allowed_users | sp := policy.sub_policies[_]]
|
sub_allowed_users = [sp.allowed_users | sp := policy.sub_policies[_]]
|
||||||
v := { x | x = array.concat(
|
v := {x | x = array.concat(policy.allowed_users, [u | u := policy.sub_policies[_].allowed_users[_]])[_]}
|
||||||
policy.allowed_users,
|
|
||||||
[u | u := policy.sub_policies[_].allowed_users[_]]
|
|
||||||
)[_] }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
get_allowed_domains(policy) = v {
|
get_allowed_domains(policy) = v {
|
||||||
v := { x | x = array.concat(
|
v := {x | x = array.concat(policy.allowed_domains, [u | u := policy.sub_policies[_].allowed_domains[_]])[_]}
|
||||||
policy.allowed_domains,
|
|
||||||
[u | u := policy.sub_policies[_].allowed_domains[_]]
|
|
||||||
)[_] }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
get_allowed_groups(policy) = v {
|
get_allowed_groups(policy) = v {
|
||||||
v := { x | x = array.concat(
|
v := {x | x = array.concat(policy.allowed_groups, [u | u := policy.sub_policies[_].allowed_groups[_]])[_]}
|
||||||
policy.allowed_groups,
|
|
||||||
[u | u := policy.sub_policies[_].allowed_groups[_]]
|
|
||||||
)[_] }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
get_allowed_idp_claims(policy) = v {
|
get_allowed_idp_claims(policy) = v {
|
||||||
v := array.concat(
|
v := array.concat([policy.allowed_idp_claims], [u | u := policy.sub_policies[_].allowed_idp_claims])
|
||||||
[policy.allowed_idp_claims],
|
|
||||||
[u | u := policy.sub_policies[_].allowed_idp_claims]
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
are_claims_allowed(a, b) {
|
are_claims_allowed(a, b) {
|
||||||
is_object(a)
|
is_object(a)
|
||||||
is_object(b)
|
is_object(b)
|
||||||
avs := a[ak]
|
avs := a[ak]
|
||||||
bvs := object.get(b, ak, null)
|
bvs := object.get(b, ak, null)
|
||||||
|
|
||||||
is_array(avs)
|
is_array(avs)
|
||||||
is_array(bvs)
|
is_array(bvs)
|
||||||
avs[_] == bvs[_]
|
avs[_] == bvs[_]
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,283 +1,220 @@
|
||||||
package pomerium.authz
|
package pomerium.authz
|
||||||
|
|
||||||
test_email_allowed {
|
test_email_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_users": ["x@example.com"],
|
||||||
"allowed_users": ["x@example.com"]
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1"},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1"
|
}
|
||||||
},
|
with input.http as {"url": "http://example.com"}
|
||||||
"user": {
|
with input.session as {"id": "session1"}
|
||||||
"email": "x@example.com"
|
|
||||||
}
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_impersonate_email_not_allowed {
|
test_impersonate_email_not_allowed {
|
||||||
not allow with
|
not allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_users": ["x@example.com"],
|
||||||
"allowed_users": ["x@example.com"]
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1", "impersonate_email": "y@example.com"
|
}
|
||||||
},
|
with input.http as {"url": "http://example.com"}
|
||||||
"user": {
|
with input.session as {"id": "session1"}
|
||||||
"email": "x@example.com"
|
|
||||||
}
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_impersonate_email_allowed {
|
test_impersonate_email_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_users": ["y@example.com"],
|
||||||
"allowed_users": ["y@example.com"]
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1", "impersonate_email": "y@example.com"
|
}
|
||||||
},
|
with input.http as {"url": "http://example.com"}
|
||||||
"user": {
|
with input.session as {"id": "session1"}
|
||||||
"email": "x@example.com"
|
|
||||||
}
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_group_allowed {
|
test_group_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_groups": ["1"],
|
||||||
"allowed_groups": ["1"]
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1"},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1"
|
"groups": ["1"],
|
||||||
},
|
}
|
||||||
"user": {
|
with input.http as {"url": "http://example.com"}
|
||||||
"email": "x@example.com",
|
with input.session as {"id": "session1"}
|
||||||
},
|
|
||||||
"groups": ["1"]
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_impersonate_groups_not_allowed {
|
test_impersonate_groups_not_allowed {
|
||||||
not allow with
|
not allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_groups": ["1"],
|
||||||
"allowed_groups": ["1"]
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]
|
"groups": ["1"],
|
||||||
},
|
}
|
||||||
"user": {
|
with input.http as {"url": "http://example.com"}
|
||||||
"email": "x@example.com"
|
with input.session as {"id": "session1"}
|
||||||
},
|
|
||||||
"groups": ["1"]
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_impersonate_groups_allowed {
|
test_impersonate_groups_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_groups": ["2"],
|
||||||
"allowed_groups": ["2"]
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]
|
"directory_user": {"groups": ["1"]},
|
||||||
},
|
}
|
||||||
"user": {
|
with input.http as {"url": "http://example.com"}
|
||||||
"email": "x@example.com"
|
with input.session as {"id": "session1"}
|
||||||
},
|
|
||||||
"directory_user": {
|
|
||||||
"groups": ["1"]
|
|
||||||
}
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_domain_allowed {
|
test_domain_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_domains": ["example.com"],
|
||||||
"allowed_domains": ["example.com"]
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1", "impersonate_email": ""},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1", "impersonate_email": ""
|
}
|
||||||
},
|
with input.http as {"url": "http://example.com"}
|
||||||
"user": {
|
with input.session as {"id": "session1"}
|
||||||
"email": "x@example.com"
|
|
||||||
}
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_impersonate_domain_not_allowed {
|
test_impersonate_domain_not_allowed {
|
||||||
not allow with
|
not allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_domains": ["example.com"],
|
||||||
"allowed_domains": ["example.com"]
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1", "impersonate_email": "y@example1.com"
|
}
|
||||||
},
|
with input.http as {"url": "http://example.com"}
|
||||||
"user": {
|
with input.session as {"id": "session1"}
|
||||||
"email": "x@example.com"
|
|
||||||
}
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_impersonate_domain_allowed {
|
test_impersonate_domain_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_domains": ["example1.com"],
|
||||||
"allowed_domains": ["example1.com"]
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1", "impersonate_email": "y@example1.com"
|
}
|
||||||
},
|
with input.http as {"url": "http://example.com"}
|
||||||
"user": {
|
with input.session as {"id": "session1"}
|
||||||
"email": "x@example.com"
|
|
||||||
}
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_idp_claims_allowed {
|
test_idp_claims_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_idp_claims": {"some.claim": ["a", "b"]},
|
||||||
"allowed_idp_claims": {
|
}]
|
||||||
"some.claim": ["a", "b"]
|
with input.databroker_data as {"session": {"claims": {"some.claim": ["b"]}}}
|
||||||
}
|
with input.http as {"url": "http://example.com"}
|
||||||
}] with
|
with input.session as {"id": "session1"}
|
||||||
input.databroker_data as {
|
|
||||||
"session": {
|
|
||||||
"claims": {
|
|
||||||
"some.claim": ["b"]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_example {
|
test_example {
|
||||||
not allow with
|
not allow with data.route_policies as [
|
||||||
data.route_policies as [
|
{
|
||||||
{
|
"source": "http://example.com",
|
||||||
"source": "http://example.com",
|
"path": "/a",
|
||||||
"path": "/a",
|
"allowed_domains": ["example.com"],
|
||||||
"allowed_domains": ["example.com"]
|
},
|
||||||
},
|
{
|
||||||
{
|
"source": "http://example.com",
|
||||||
"source": "http://example.com",
|
"path": "/b",
|
||||||
"path": "/b",
|
"allowed_users": ["noone@pomerium.com"],
|
||||||
"allowed_users": ["noone@pomerium.com"]
|
},
|
||||||
},
|
]
|
||||||
] with
|
with input.http as {"url": "http://example.com/b"}
|
||||||
input.http as { "url": "http://example.com/b" } with
|
with input.user as {"id": "1", "email": "joe@example.com"}
|
||||||
input.user as { "id": "1", "email": "joe@example.com" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_email_denied {
|
test_email_denied {
|
||||||
not allow with
|
not allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_users": ["bob@example.com"],
|
||||||
"allowed_users": ["bob@example.com"]
|
}]
|
||||||
}] with
|
with input.http as {"url": "http://example.com"}
|
||||||
input.http as { "url": "http://example.com" } with
|
with input.user as {"id": "1", "email": "joe@example.com"}
|
||||||
input.user as { "id": "1", "email": "joe@example.com" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_public_allowed {
|
test_public_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"AllowPublicUnauthenticatedAccess": true,
|
||||||
"AllowPublicUnauthenticatedAccess": true
|
}]
|
||||||
}] with
|
with input.http as {"url": "http://example.com"}
|
||||||
input.http as { "url": "http://example.com" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_public_denied {
|
test_public_denied {
|
||||||
not allow with
|
not allow with data.route_policies as [
|
||||||
data.route_policies as [
|
{
|
||||||
{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"prefix": "/by-user",
|
||||||
"prefix": "/by-user",
|
"allowed_users": ["bob@example.com"],
|
||||||
"allowed_users": ["bob@example.com"]
|
},
|
||||||
},
|
{
|
||||||
{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"AllowPublicUnauthenticatedAccess": true,
|
||||||
"AllowPublicUnauthenticatedAccess": true
|
},
|
||||||
}
|
]
|
||||||
] with
|
with input.http as {"url": "http://example.com/by-user"}
|
||||||
input.http as {
|
|
||||||
"url": "http://example.com/by-user"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_pomerium_allowed {
|
test_pomerium_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_users": ["bob@example.com"],
|
||||||
"allowed_users": ["bob@example.com"]
|
}]
|
||||||
}] with
|
with input.http as {"url": "http://example.com/.pomerium/"}
|
||||||
input.http as { "url": "http://example.com/.pomerium/" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_cors_preflight_allowed {
|
test_cors_preflight_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_users": ["bob@example.com"],
|
||||||
"allowed_users": ["bob@example.com"],
|
"CORSAllowPreflight": true,
|
||||||
"CORSAllowPreflight": true
|
}]
|
||||||
}] with
|
with input.http as {
|
||||||
input.http as {
|
|
||||||
"method": "OPTIONS",
|
"method": "OPTIONS",
|
||||||
"url": "http://example.com/",
|
"url": "http://example.com/",
|
||||||
"headers": {
|
"headers": {
|
||||||
"Origin": ["someorigin"],
|
"Origin": ["someorigin"],
|
||||||
"Access-Control-Request-Method": ["GET"]
|
"Access-Control-Request-Method": ["GET"],
|
||||||
}
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
test_cors_preflight_denied {
|
test_cors_preflight_denied {
|
||||||
not allow with
|
not allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"allowed_users": ["bob@example.com"],
|
||||||
"allowed_users": ["bob@example.com"]
|
}]
|
||||||
}] with
|
with input.http as {
|
||||||
input.http as {
|
|
||||||
"method": "OPTIONS",
|
"method": "OPTIONS",
|
||||||
"url": "http://example.com/",
|
"url": "http://example.com/",
|
||||||
"headers": {
|
"headers": {
|
||||||
"Origin": ["someorigin"],
|
"Origin": ["someorigin"],
|
||||||
"Access-Control-Request-Method": ["GET"]
|
"Access-Control-Request-Method": ["GET"],
|
||||||
}
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -326,72 +263,68 @@ test_allowed_route_regex {
|
||||||
|
|
||||||
test_sub_policy {
|
test_sub_policy {
|
||||||
x := get_allowed_users({
|
x := get_allowed_users({
|
||||||
"source": "example.com",
|
"source": "example.com",
|
||||||
"allowed_users": ["u1", "u2"],
|
"allowed_users": ["u1", "u2"],
|
||||||
"sub_policies": [
|
"sub_policies": [
|
||||||
{ "allowed_users": ["u1", "u3"] },
|
{"allowed_users": ["u1", "u3"]},
|
||||||
{ "allowed_users": ["u2", "u4"] }
|
{"allowed_users": ["u2", "u4"]},
|
||||||
]
|
],
|
||||||
})
|
})
|
||||||
|
|
||||||
x == {"u1", "u2", "u3", "u4"}
|
x == {"u1", "u2", "u3", "u4"}
|
||||||
|
|
||||||
|
|
||||||
y := get_allowed_domains({
|
y := get_allowed_domains({
|
||||||
"source": "example.com",
|
"source": "example.com",
|
||||||
"allowed_domains": ["d1", "d2"],
|
"allowed_domains": ["d1", "d2"],
|
||||||
"sub_policies": [
|
"sub_policies": [
|
||||||
{ "allowed_domains": ["d1", "d3"] },
|
{"allowed_domains": ["d1", "d3"]},
|
||||||
{ "allowed_domains": ["d2", "d4"] }
|
{"allowed_domains": ["d2", "d4"]},
|
||||||
]
|
],
|
||||||
})
|
})
|
||||||
|
|
||||||
y == {"d1", "d2", "d3", "d4"}
|
y == {"d1", "d2", "d3", "d4"}
|
||||||
|
|
||||||
|
|
||||||
z := get_allowed_groups({
|
z := get_allowed_groups({
|
||||||
"source": "example.com",
|
"source": "example.com",
|
||||||
"allowed_groups": ["g1", "g2"],
|
"allowed_groups": ["g1", "g2"],
|
||||||
"sub_policies": [
|
"sub_policies": [
|
||||||
{ "allowed_groups": ["g1", "g3"] },
|
{"allowed_groups": ["g1", "g3"]},
|
||||||
{ "allowed_groups": ["g2", "g4"] }
|
{"allowed_groups": ["g2", "g4"]},
|
||||||
]
|
],
|
||||||
})
|
})
|
||||||
|
|
||||||
z == {"g1", "g2", "g3", "g4"}
|
z == {"g1", "g2", "g3", "g4"}
|
||||||
}
|
}
|
||||||
|
|
||||||
test_are_claims_allowed {
|
test_are_claims_allowed {
|
||||||
are_claims_allowed({"a": ["1"]}, {"a": ["1"]})
|
are_claims_allowed({"a": ["1"]}, {"a": ["1"]})
|
||||||
not are_claims_allowed({"a": ["2"]}, {"a": ["1"]})
|
not are_claims_allowed({"a": ["2"]}, {"a": ["1"]})
|
||||||
|
|
||||||
are_claims_allowed({"a": ["1", "2", "3"]}, {"a": ["1"]})
|
are_claims_allowed({"a": ["1", "2", "3"]}, {"a": ["1"]})
|
||||||
are_claims_allowed({"a": ["1"]}, {"a": ["1", "2", "3"]})
|
are_claims_allowed({"a": ["1"]}, {"a": ["1", "2", "3"]})
|
||||||
not are_claims_allowed({"a": ["4", "5", "6"]}, {"a": ["1"]})
|
not are_claims_allowed({"a": ["4", "5", "6"]}, {"a": ["1"]})
|
||||||
|
|
||||||
are_claims_allowed({"a.b.c": ["1"], "d.e.f": ["2"]}, {"d.e.f": ["2"]})
|
are_claims_allowed({"a.b.c": ["1"], "d.e.f": ["2"]}, {"d.e.f": ["2"]})
|
||||||
}
|
}
|
||||||
|
|
||||||
test_any_authenticated_user_allowed {
|
test_any_authenticated_user_allowed {
|
||||||
allow with
|
allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"AllowAnyAuthenticatedUser": true,
|
||||||
"AllowAnyAuthenticatedUser": true
|
}]
|
||||||
}] with
|
with input.databroker_data as {
|
||||||
input.databroker_data as {
|
"session": {"user_id": "user1"},
|
||||||
"session": {
|
"user": {"email": "x@example.com"},
|
||||||
"user_id": "user1"
|
}
|
||||||
},
|
with input.http as {"url": "http://example.com"}
|
||||||
"user": {
|
with input.session as {"id": "session1"}
|
||||||
"email": "x@example.com"
|
|
||||||
}
|
|
||||||
} with
|
|
||||||
input.http as { "url": "http://example.com" } with
|
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
test_any_authenticated_user_denied {
|
test_any_authenticated_user_denied {
|
||||||
not allow with
|
not allow with data.route_policies as [{
|
||||||
data.route_policies as [{
|
"source": "example.com",
|
||||||
"source": "example.com",
|
"AllowAnyAuthenticatedUser": true,
|
||||||
"AllowAnyAuthenticatedUser": true
|
}]
|
||||||
}] with
|
with input.http as {"url": "http://example.com"}
|
||||||
input.http as { "url": "http://example.com" } with
|
with input.session as {"id": "session1"}
|
||||||
input.session as { "id": "session1" }
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
File diff suppressed because one or more lines are too long
Loading…
Add table
Add a link
Reference in a new issue