mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-03 16:59:22 +02:00
authorize: remove DataBrokerData input (#1847)
* authorize: remove DataBrokerData * add opa test * domain, group tests * more tests * remove databroker data input * update authz tests * update dead code * fix method name * handle / in keys
This commit is contained in:
parent
14a637570f
commit
74ac23c980
6 changed files with 566 additions and 104 deletions
|
@ -15,19 +15,10 @@ import (
|
|||
"gopkg.in/square/go-jose.v2"
|
||||
|
||||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/directory"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||
)
|
||||
|
||||
const (
|
||||
directoryGroupTypeURL = "type.googleapis.com/directory.Group"
|
||||
directoryUserTypeURL = "type.googleapis.com/directory.User"
|
||||
serviceAccountTypeURL = "type.googleapis.com/user.ServiceAccount"
|
||||
sessionTypeURL = "type.googleapis.com/session.Session"
|
||||
userTypeURL = "type.googleapis.com/user.User"
|
||||
)
|
||||
|
||||
// Evaluator specifies the interface for a policy engine.
|
||||
type Evaluator struct {
|
||||
custom *CustomEvaluator
|
||||
|
@ -230,52 +221,13 @@ func (e *Evaluator) SignedJWT(payload map[string]interface{}) (string, error) {
|
|||
}
|
||||
|
||||
type input struct {
|
||||
DataBrokerData dataBrokerDataInput `json:"databroker_data"`
|
||||
HTTP RequestHTTP `json:"http"`
|
||||
Session RequestSession `json:"session"`
|
||||
IsValidClientCertificate bool `json:"is_valid_client_certificate"`
|
||||
}
|
||||
|
||||
type dataBrokerDataInput struct {
|
||||
Session interface{} `json:"session,omitempty"`
|
||||
User interface{} `json:"user,omitempty"`
|
||||
Groups interface{} `json:"groups,omitempty"`
|
||||
HTTP RequestHTTP `json:"http"`
|
||||
Session RequestSession `json:"session"`
|
||||
IsValidClientCertificate bool `json:"is_valid_client_certificate"`
|
||||
}
|
||||
|
||||
func (e *Evaluator) newInput(req *Request, isValidClientCertificate bool) *input {
|
||||
i := new(input)
|
||||
i.DataBrokerData.Session = e.store.GetRecordData(sessionTypeURL, req.Session.ID)
|
||||
if i.DataBrokerData.Session == nil {
|
||||
i.DataBrokerData.Session = e.store.GetRecordData(serviceAccountTypeURL, req.Session.ID)
|
||||
}
|
||||
var userIDs []string
|
||||
if obj, ok := i.DataBrokerData.Session.(interface{ GetUserId() string }); ok && obj.GetUserId() != "" {
|
||||
userIDs = append(userIDs, obj.GetUserId())
|
||||
}
|
||||
if obj, ok := i.DataBrokerData.Session.(interface{ GetImpersonateUserId() string }); ok && obj.GetImpersonateUserId() != "" {
|
||||
userIDs = append(userIDs, obj.GetImpersonateUserId())
|
||||
}
|
||||
|
||||
for _, userID := range userIDs {
|
||||
i.DataBrokerData.User = e.store.GetRecordData(userTypeURL, userID)
|
||||
|
||||
user, ok := e.store.GetRecordData(directoryUserTypeURL, userID).(*directory.User)
|
||||
if ok {
|
||||
var groups []string
|
||||
for _, groupID := range user.GetGroupIds() {
|
||||
if dg, ok := e.store.GetRecordData(directoryGroupTypeURL, groupID).(*directory.Group); ok {
|
||||
if dg.Name != "" {
|
||||
groups = append(groups, dg.Name)
|
||||
}
|
||||
if dg.Email != "" {
|
||||
groups = append(groups, dg.Email)
|
||||
}
|
||||
}
|
||||
}
|
||||
groups = append(groups, user.GetGroupIds()...)
|
||||
i.DataBrokerData.Groups = groups
|
||||
}
|
||||
}
|
||||
i.HTTP = req.HTTP
|
||||
i.Session = req.Session
|
||||
i.IsValidClientCertificate = isValidClientCertificate
|
||||
|
|
|
@ -58,7 +58,6 @@ func TestJSONMarshal(t *testing.T) {
|
|||
},
|
||||
}, true))
|
||||
assert.JSONEq(t, `{
|
||||
"databroker_data": {},
|
||||
"http": {
|
||||
"client_certificate": "CLIENT_CERTIFICATE",
|
||||
"headers": {
|
||||
|
|
|
@ -6,11 +6,39 @@ route_policy_idx := first_allowed_route_policy_idx(input.http.url)
|
|||
|
||||
route_policy := data.route_policies[route_policy_idx]
|
||||
|
||||
session := input.databroker_data.session
|
||||
session = s {
|
||||
s = object_get(data.databroker_data["type.googleapis.com"]["user.ServiceAccount"], input.session.id, null)
|
||||
} else = s {
|
||||
s = object_get(data.databroker_data["type.googleapis.com"]["session.Session"], input.session.id, null)
|
||||
} else = {} {
|
||||
true
|
||||
}
|
||||
|
||||
user := input.databroker_data.user
|
||||
user = u {
|
||||
u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.impersonate_user_id, null)
|
||||
} else = u {
|
||||
u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.user_id, null)
|
||||
} else = {} {
|
||||
true
|
||||
}
|
||||
|
||||
groups := input.databroker_data.groups
|
||||
directory_user = du {
|
||||
du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.impersonate_user_id, null)
|
||||
} else = du {
|
||||
du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.user_id, null)
|
||||
} else = {} {
|
||||
true
|
||||
}
|
||||
|
||||
group_ids = gs {
|
||||
gs = session.impersonate_group_ids
|
||||
} else = gs {
|
||||
gs = directory_user.group_ids
|
||||
} else = [] {
|
||||
true
|
||||
}
|
||||
|
||||
groups := array.concat(group_ids, array.concat(get_databroker_group_names(group_ids), get_databroker_group_emails(group_ids)))
|
||||
|
||||
all_allowed_domains := get_allowed_domains(route_policy)
|
||||
|
||||
|
@ -204,3 +232,43 @@ are_claims_allowed(a, b) {
|
|||
is_array(bvs)
|
||||
avs[_] == bvs[_]
|
||||
}
|
||||
|
||||
get_databroker_group_names(ids) = gs {
|
||||
gs := [name | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; name := group.name]
|
||||
}
|
||||
|
||||
get_databroker_group_emails(ids) = gs {
|
||||
gs := [email | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; email := group.email]
|
||||
}
|
||||
|
||||
# object_get is like object.get, but supports converting "/" in keys to separate lookups
|
||||
# rego doesn't support recursion, so we hard code a limited number of /'s
|
||||
object_get(obj, key, def) = value {
|
||||
segments := split(key, "/")
|
||||
count(segments) == 2
|
||||
o1 := object.get(obj, segments[0], {})
|
||||
value = object.get(o1, segments[1], def)
|
||||
} else = value {
|
||||
segments := split(key, "/")
|
||||
count(segments) == 3
|
||||
o1 := object.get(obj, segments[0], {})
|
||||
o2 := object.get(o1, segments[1], {})
|
||||
value = object.get(o2, segments[2], def)
|
||||
} else = value {
|
||||
segments := split(key, "/")
|
||||
count(segments) == 4
|
||||
o1 := object.get(obj, segments[0], {})
|
||||
o2 := object.get(o1, segments[1], {})
|
||||
o3 := object.get(o2, segments[2], {})
|
||||
value = object.get(o3, segments[3], def)
|
||||
} else = value {
|
||||
segments := split(key, "/")
|
||||
count(segments) == 5
|
||||
o1 := object.get(obj, segments[0], {})
|
||||
o2 := object.get(o1, segments[1], {})
|
||||
o3 := object.get(o2, segments[2], {})
|
||||
o4 := object.get(o3, segments[3], {})
|
||||
value = object.get(o4, segments[4], def)
|
||||
} else = value {
|
||||
value = object.get(obj, key, def)
|
||||
}
|
||||
|
|
|
@ -5,10 +5,10 @@ test_email_allowed {
|
|||
"source": "example.com",
|
||||
"allowed_users": ["x@example.com"],
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1"},
|
||||
"user": {"email": "x@example.com"},
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -18,10 +18,10 @@ test_impersonate_email_not_allowed {
|
|||
"source": "example.com",
|
||||
"allowed_users": ["x@example.com"],
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
|
||||
"user": {"email": "x@example.com"},
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com"}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -31,10 +31,10 @@ test_impersonate_email_allowed {
|
|||
"source": "example.com",
|
||||
"allowed_users": ["y@example.com"],
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
|
||||
"user": {"email": "x@example.com"},
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com"}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -42,13 +42,14 @@ test_impersonate_email_allowed {
|
|||
test_group_allowed {
|
||||
allow with data.route_policies as [{
|
||||
"source": "example.com",
|
||||
"allowed_groups": ["1"],
|
||||
"allowed_groups": ["group1"],
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1"},
|
||||
"user": {"email": "x@example.com"},
|
||||
"groups": ["1"],
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
"directory.User": {"user1": {"id": "user1", "group_ids": ["group1"]}},
|
||||
"directory.Group": {"group1": {"id": "group1"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -56,13 +57,14 @@ test_group_allowed {
|
|||
test_impersonate_groups_not_allowed {
|
||||
not allow with data.route_policies as [{
|
||||
"source": "example.com",
|
||||
"allowed_groups": ["1"],
|
||||
"allowed_groups": ["group1"],
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
|
||||
"user": {"email": "x@example.com"},
|
||||
"groups": ["1"],
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["group2"]}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
"directory.User": {"user1": {"id": "user1", "group_ids": ["group1"]}},
|
||||
"directory.Group": {"group1": {"id": "group1"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -70,13 +72,14 @@ test_impersonate_groups_not_allowed {
|
|||
test_impersonate_groups_allowed {
|
||||
allow with data.route_policies as [{
|
||||
"source": "example.com",
|
||||
"allowed_groups": ["2"],
|
||||
"allowed_groups": ["group2"],
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
|
||||
"user": {"email": "x@example.com"},
|
||||
"directory_user": {"groups": ["1"]},
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["group2"]}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
"directory.User": {"user1": {"id": "user1", "group_ids": ["group1"]}},
|
||||
"directory.Group": {"group1": {"id": "group1"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -86,10 +89,10 @@ test_domain_allowed {
|
|||
"source": "example.com",
|
||||
"allowed_domains": ["example.com"],
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1", "impersonate_email": ""},
|
||||
"user": {"email": "x@example.com"},
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -99,10 +102,10 @@ test_impersonate_domain_not_allowed {
|
|||
"source": "example.com",
|
||||
"allowed_domains": ["example.com"],
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
|
||||
"user": {"email": "x@example.com"},
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@notexample.com"}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -110,12 +113,12 @@ test_impersonate_domain_not_allowed {
|
|||
test_impersonate_domain_allowed {
|
||||
allow with data.route_policies as [{
|
||||
"source": "example.com",
|
||||
"allowed_domains": ["example1.com"],
|
||||
"allowed_domains": ["notexample.com"],
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
|
||||
"user": {"email": "x@example.com"},
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@notexample.com"}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -125,7 +128,7 @@ test_idp_claims_allowed {
|
|||
"source": "example.com",
|
||||
"allowed_idp_claims": {"some.claim": ["a", "b"]},
|
||||
}]
|
||||
with input.databroker_data as {"session": {"claims": {"some.claim": ["b"]}}}
|
||||
with data.databroker_data as {"type.googleapis.com": {"session.Session": {"session1": {"id": "session1", "claims": {"some.claim": ["b"]}}}}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
@ -312,10 +315,10 @@ test_any_authenticated_user_allowed {
|
|||
"source": "example.com",
|
||||
"AllowAnyAuthenticatedUser": true,
|
||||
}]
|
||||
with input.databroker_data as {
|
||||
"session": {"user_id": "user1"},
|
||||
"user": {"email": "x@example.com"},
|
||||
}
|
||||
with data.databroker_data as {"type.googleapis.com": {
|
||||
"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
|
||||
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
|
||||
}}
|
||||
with input.http as {"url": "http://example.com"}
|
||||
with input.session as {"id": "session1"}
|
||||
}
|
||||
|
|
File diff suppressed because one or more lines are too long
440
authorize/evaluator/opa_test.go
Normal file
440
authorize/evaluator/opa_test.go
Normal file
|
@ -0,0 +1,440 @@
|
|||
package evaluator
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"testing"
|
||||
|
||||
"github.com/open-policy-agent/opa/rego"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"google.golang.org/protobuf/proto"
|
||||
|
||||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/directory"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
)
|
||||
|
||||
func TestOPA(t *testing.T) {
|
||||
type A = []interface{}
|
||||
type M = map[string]interface{}
|
||||
|
||||
eval := func(policies []config.Policy, data []proto.Message, req *Request, isValidClientCertificate bool) rego.Result {
|
||||
authzPolicy, err := readPolicy("/authz.rego")
|
||||
require.NoError(t, err)
|
||||
store := NewStoreFromProtos(data...)
|
||||
store.UpdateRoutePolicies(policies)
|
||||
r := rego.New(
|
||||
rego.Store(store.opaStore),
|
||||
rego.Module("pomerium.authz", string(authzPolicy)),
|
||||
rego.Query("result = data.pomerium.authz"),
|
||||
)
|
||||
q, err := r.PrepareForEval(context.Background())
|
||||
require.NoError(t, err)
|
||||
rs, err := q.Eval(context.Background(),
|
||||
rego.EvalInput((&Evaluator{store: store}).newInput(req, isValidClientCertificate)),
|
||||
)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, rs, 1)
|
||||
return rs[0]
|
||||
}
|
||||
|
||||
t.Run("client certificate", func(t *testing.T) {
|
||||
res := eval(nil, nil, &Request{}, false)
|
||||
assert.Equal(t,
|
||||
A{A{json.Number("495"), "invalid client certificate"}},
|
||||
res.Bindings["result"].(M)["deny"])
|
||||
})
|
||||
t.Run("email", func(t *testing.T) {
|
||||
t.Run("allowed", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedUsers: []string{"a@example.com"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
t.Run("denied", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedUsers: []string{"a@example.com"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "b@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
})
|
||||
t.Run("impersonate email", func(t *testing.T) {
|
||||
t.Run("allowed", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedUsers: []string{"b@example.com"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&user.ServiceAccount{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateEmail: proto.String("b@example.com"),
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
t.Run("denied", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedUsers: []string{"a@example.com"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateEmail: proto.String("b@example.com"),
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
})
|
||||
t.Run("domain", func(t *testing.T) {
|
||||
t.Run("allowed", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedDomains: []string{"example.com"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "example/user1",
|
||||
},
|
||||
&user.User{
|
||||
Id: "example/user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
t.Run("denied", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedDomains: []string{"notexample.com"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
})
|
||||
t.Run("impersonate domain", func(t *testing.T) {
|
||||
t.Run("allowed", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedDomains: []string{"example.com"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateEmail: proto.String("a@example.com"),
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@notexample.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
t.Run("denied", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedDomains: []string{"example.com"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateEmail: proto.String("a@notexample.com"),
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
})
|
||||
t.Run("groups", func(t *testing.T) {
|
||||
t.Run("allowed", func(t *testing.T) {
|
||||
for _, nm := range []string{"group1", "group1name", "group1@example.com"} {
|
||||
t.Run(nm, func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedGroups: []string{nm},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
&directory.User{
|
||||
Id: "user1",
|
||||
GroupIds: []string{"group1"},
|
||||
},
|
||||
&directory.Group{
|
||||
Id: "group1",
|
||||
Name: "group1name",
|
||||
Email: "group1@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
}
|
||||
})
|
||||
t.Run("denied", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedGroups: []string{"group1"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
&directory.User{
|
||||
Id: "user1",
|
||||
GroupIds: []string{"group2"},
|
||||
},
|
||||
&directory.Group{
|
||||
Id: "group1",
|
||||
Name: "group-1",
|
||||
Email: "group1@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
})
|
||||
t.Run("impersonate groups", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowedGroups: []string{"group1"},
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
ImpersonateEmail: proto.String("a@example.com"),
|
||||
ImpersonateGroups: []string{"group1"},
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
&directory.Group{
|
||||
Id: "group1",
|
||||
Name: "group-1",
|
||||
Email: "group1@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
t.Run("any authenticated user", func(t *testing.T) {
|
||||
res := eval([]config.Policy{
|
||||
{
|
||||
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
|
||||
To: config.WeightedURLs{
|
||||
{URL: *mustParseURL("https://to.example.com")},
|
||||
},
|
||||
AllowAnyAuthenticatedUser: true,
|
||||
},
|
||||
}, []proto.Message{
|
||||
&session.Session{
|
||||
Id: "session1",
|
||||
UserId: "user1",
|
||||
},
|
||||
&user.User{
|
||||
Id: "user1",
|
||||
Email: "a@example.com",
|
||||
},
|
||||
}, &Request{
|
||||
Session: RequestSession{
|
||||
ID: "session1",
|
||||
},
|
||||
HTTP: RequestHTTP{
|
||||
Method: "GET",
|
||||
URL: "https://from.example.com",
|
||||
},
|
||||
}, true)
|
||||
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
|
||||
})
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue