core/ppl: add groups criterion (#4916)

* core/ppl: add groups criterion * remove dead code * add additional test
2025-08-03 08:50:42 +02:00 · 2024-01-30 09:40:15 -07:00 · 2024-01-30 09:40:15 -07:00 · 6a833b365a
commit 6a833b365a
parent 3ca2f2462d
16 changed files with 268 additions and 109 deletions
--- a/pkg/policy/criteria/groups_test.go
+++ b/pkg/policy/criteria/groups_test.go
@ -0,0 +1,69 @@
+package criteria
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/pomerium/datasource/pkg/directory"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+)
+
+func TestGroups(t *testing.T) {
+	t.Run("no session", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - groups:
+        has: group1
+    - groups:
+        has: group2
+`, []*databroker.Record{}, Input{Session: InputSession{ID: "session1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{false, A{ReasonUserUnauthenticated}, M{}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("by id", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - groups:
+        has: group1
+`,
+			[]*databroker.Record{
+				makeRecord(&session.Session{
+					Id:     "session1",
+					UserId: "user1",
+				}),
+				makeStructRecord(directory.UserRecordType, "user1", map[string]any{
+					"group_ids": []any{"group1", "group2"},
+				}),
+			},
+			Input{Session: InputSession{ID: "session1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{true, A{ReasonGroupsOK}, M{}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+	t.Run("not allowed", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - groups:
+        has: group1
+`,
+			[]*databroker.Record{
+				makeRecord(&session.Session{
+					Id:     "session1",
+					UserId: "user1",
+				}),
+				makeStructRecord(directory.UserRecordType, "user1", map[string]any{
+					"group_ids": []any{"group2"},
+				}),
+			},
+			Input{Session: InputSession{ID: "session1"}})
+		require.NoError(t, err)
+		require.Equal(t, A{false, A{ReasonGroupsUnauthorized}, M{}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
+}