authorize: remove DataBrokerData input (#1847)

* authorize: remove DataBrokerData * add opa test * domain, group tests * more tests * remove databroker data input * update authz tests * update dead code * fix method name * handle / in keys
2025-08-03 16:59:22 +02:00 · 2021-02-02 14:27:35 -07:00 · 2021-02-02 14:27:35 -07:00 · 74ac23c980
commit 74ac23c980
parent 14a637570f
6 changed files with 566 additions and 104 deletions
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@ -15,19 +15,10 @@ import (
 	"gopkg.in/square/go-jose.v2"

 	"github.com/pomerium/pomerium/config"
-	"github.com/pomerium/pomerium/internal/directory"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 )

-const (
-	directoryGroupTypeURL = "type.googleapis.com/directory.Group"
-	directoryUserTypeURL  = "type.googleapis.com/directory.User"
-	serviceAccountTypeURL = "type.googleapis.com/user.ServiceAccount"
-	sessionTypeURL        = "type.googleapis.com/session.Session"
-	userTypeURL           = "type.googleapis.com/user.User"
-)
-
 // Evaluator specifies the interface for a policy engine.
 type Evaluator struct {
 	custom   *CustomEvaluator
@ -230,52 +221,13 @@ func (e *Evaluator) SignedJWT(payload map[string]interface{}) (string, error) {
 }

 type input struct {
-	DataBrokerData           dataBrokerDataInput `json:"databroker_data"`
-	HTTP                     RequestHTTP         `json:"http"`
-	Session                  RequestSession      `json:"session"`
-	IsValidClientCertificate bool                `json:"is_valid_client_certificate"`
-}
-
-type dataBrokerDataInput struct {
-	Session interface{} `json:"session,omitempty"`
-	User    interface{} `json:"user,omitempty"`
-	Groups  interface{} `json:"groups,omitempty"`
+	HTTP                     RequestHTTP    `json:"http"`
+	Session                  RequestSession `json:"session"`
+	IsValidClientCertificate bool           `json:"is_valid_client_certificate"`
 }

 func (e *Evaluator) newInput(req *Request, isValidClientCertificate bool) *input {
 	i := new(input)
-	i.DataBrokerData.Session = e.store.GetRecordData(sessionTypeURL, req.Session.ID)
-	if i.DataBrokerData.Session == nil {
-		i.DataBrokerData.Session = e.store.GetRecordData(serviceAccountTypeURL, req.Session.ID)
-	}
-	var userIDs []string
-	if obj, ok := i.DataBrokerData.Session.(interface{ GetUserId() string }); ok && obj.GetUserId() != "" {
-		userIDs = append(userIDs, obj.GetUserId())
-	}
-	if obj, ok := i.DataBrokerData.Session.(interface{ GetImpersonateUserId() string }); ok && obj.GetImpersonateUserId() != "" {
-		userIDs = append(userIDs, obj.GetImpersonateUserId())
-	}
-
-	for _, userID := range userIDs {
-		i.DataBrokerData.User = e.store.GetRecordData(userTypeURL, userID)
-
-		user, ok := e.store.GetRecordData(directoryUserTypeURL, userID).(*directory.User)
-		if ok {
-			var groups []string
-			for _, groupID := range user.GetGroupIds() {
-				if dg, ok := e.store.GetRecordData(directoryGroupTypeURL, groupID).(*directory.Group); ok {
-					if dg.Name != "" {
-						groups = append(groups, dg.Name)
-					}
-					if dg.Email != "" {
-						groups = append(groups, dg.Email)
-					}
-				}
-			}
-			groups = append(groups, user.GetGroupIds()...)
-			i.DataBrokerData.Groups = groups
-		}
-	}
 	i.HTTP = req.HTTP
 	i.Session = req.Session
 	i.IsValidClientCertificate = isValidClientCertificate
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@ -58,7 +58,6 @@ func TestJSONMarshal(t *testing.T) {
 		},
 	}, true))
 	assert.JSONEq(t, `{
-		"databroker_data": {},
 		"http": {
 			"client_certificate": "CLIENT_CERTIFICATE",
 			"headers": {
--- a/authorize/evaluator/opa/policy/authz.rego
+++ b/authorize/evaluator/opa/policy/authz.rego
@ -6,11 +6,39 @@ route_policy_idx := first_allowed_route_policy_idx(input.http.url)

 route_policy := data.route_policies[route_policy_idx]

-session := input.databroker_data.session
+session = s {
+	s = object_get(data.databroker_data["type.googleapis.com"]["user.ServiceAccount"], input.session.id, null)
+} else = s {
+	s = object_get(data.databroker_data["type.googleapis.com"]["session.Session"], input.session.id, null)
+} else = {} {
+	true
+}

-user := input.databroker_data.user
+user = u {
+	u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.impersonate_user_id, null)
+} else = u {
+	u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.user_id, null)
+} else = {} {
+	true
+}

-groups := input.databroker_data.groups
+directory_user = du {
+	du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.impersonate_user_id, null)
+} else = du {
+	du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.user_id, null)
+} else = {} {
+	true
+}
+
+group_ids = gs {
+	gs = session.impersonate_group_ids
+} else = gs {
+	gs = directory_user.group_ids
+} else = [] {
+	true
+}
+
+groups := array.concat(group_ids, array.concat(get_databroker_group_names(group_ids), get_databroker_group_emails(group_ids)))

 all_allowed_domains := get_allowed_domains(route_policy)

@ -204,3 +232,43 @@ are_claims_allowed(a, b) {
 	is_array(bvs)
 	avs[_] == bvs[_]
 }
+
+get_databroker_group_names(ids) = gs {
+	gs := [name | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; name := group.name]
+}
+
+get_databroker_group_emails(ids) = gs {
+	gs := [email | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; email := group.email]
+}
+
+# object_get is like object.get, but supports converting "/" in keys to separate lookups
+# rego doesn't support recursion, so we hard code a limited number of /'s
+object_get(obj, key, def) = value {
+	segments := split(key, "/")
+	count(segments) == 2
+	o1 := object.get(obj, segments[0], {})
+	value = object.get(o1, segments[1], def)
+} else = value {
+	segments := split(key, "/")
+	count(segments) == 3
+	o1 := object.get(obj, segments[0], {})
+	o2 := object.get(o1, segments[1], {})
+	value = object.get(o2, segments[2], def)
+} else = value {
+	segments := split(key, "/")
+	count(segments) == 4
+	o1 := object.get(obj, segments[0], {})
+	o2 := object.get(o1, segments[1], {})
+	o3 := object.get(o2, segments[2], {})
+	value = object.get(o3, segments[3], def)
+} else = value {
+	segments := split(key, "/")
+	count(segments) == 5
+	o1 := object.get(obj, segments[0], {})
+	o2 := object.get(o1, segments[1], {})
+	o3 := object.get(o2, segments[2], {})
+	o4 := object.get(o3, segments[3], {})
+	value = object.get(o4, segments[4], def)
+} else = value {
+	value = object.get(obj, key, def)
+}
--- a/authorize/evaluator/opa/policy/authz_test.rego
+++ b/authorize/evaluator/opa/policy/authz_test.rego
@ -5,10 +5,10 @@ test_email_allowed {
 		"source": "example.com",
 		"allowed_users": ["x@example.com"],
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1"},
-			"user": {"email": "x@example.com"},
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -18,10 +18,10 @@ test_impersonate_email_not_allowed {
 		"source": "example.com",
 		"allowed_users": ["x@example.com"],
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
-			"user": {"email": "x@example.com"},
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com"}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -31,10 +31,10 @@ test_impersonate_email_allowed {
 		"source": "example.com",
 		"allowed_users": ["y@example.com"],
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
-			"user": {"email": "x@example.com"},
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com"}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -42,13 +42,14 @@ test_impersonate_email_allowed {
 test_group_allowed {
 	allow with data.route_policies as [{
 		"source": "example.com",
-		"allowed_groups": ["1"],
+		"allowed_groups": ["group1"],
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1"},
-			"user": {"email": "x@example.com"},
-			"groups": ["1"],
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+			"directory.User": {"user1": {"id": "user1", "group_ids": ["group1"]}},
+			"directory.Group": {"group1": {"id": "group1"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -56,13 +57,14 @@ test_group_allowed {
 test_impersonate_groups_not_allowed {
 	not allow with data.route_policies as [{
 		"source": "example.com",
-		"allowed_groups": ["1"],
+		"allowed_groups": ["group1"],
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
-			"user": {"email": "x@example.com"},
-			"groups": ["1"],
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["group2"]}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+			"directory.User": {"user1": {"id": "user1", "group_ids": ["group1"]}},
+			"directory.Group": {"group1": {"id": "group1"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -70,13 +72,14 @@ test_impersonate_groups_not_allowed {
 test_impersonate_groups_allowed {
 	allow with data.route_policies as [{
 		"source": "example.com",
-		"allowed_groups": ["2"],
+		"allowed_groups": ["group2"],
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
-			"user": {"email": "x@example.com"},
-			"directory_user": {"groups": ["1"]},
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["group2"]}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+			"directory.User": {"user1": {"id": "user1", "group_ids": ["group1"]}},
+			"directory.Group": {"group1": {"id": "group1"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -86,10 +89,10 @@ test_domain_allowed {
 		"source": "example.com",
 		"allowed_domains": ["example.com"],
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1", "impersonate_email": ""},
-			"user": {"email": "x@example.com"},
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -99,10 +102,10 @@ test_impersonate_domain_not_allowed {
 		"source": "example.com",
 		"allowed_domains": ["example.com"],
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
-			"user": {"email": "x@example.com"},
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@notexample.com"}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -110,12 +113,12 @@ test_impersonate_domain_not_allowed {
 test_impersonate_domain_allowed {
 	allow with data.route_policies as [{
 		"source": "example.com",
-		"allowed_domains": ["example1.com"],
+		"allowed_domains": ["notexample.com"],
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
-			"user": {"email": "x@example.com"},
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@notexample.com"}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -125,7 +128,7 @@ test_idp_claims_allowed {
 		"source": "example.com",
 		"allowed_idp_claims": {"some.claim": ["a", "b"]},
 	}]
-		 with input.databroker_data as {"session": {"claims": {"some.claim": ["b"]}}}
+		 with data.databroker_data as {"type.googleapis.com": {"session.Session": {"session1": {"id": "session1", "claims": {"some.claim": ["b"]}}}}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
@ -312,10 +315,10 @@ test_any_authenticated_user_allowed {
 		"source": "example.com",
 		"AllowAnyAuthenticatedUser": true,
 	}]
-		 with input.databroker_data as {
-			"session": {"user_id": "user1"},
-			"user": {"email": "x@example.com"},
-		}
+		 with data.databroker_data as {"type.googleapis.com": {
+			"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
+			"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
+		}}
 		 with input.http as {"url": "http://example.com"}
 		 with input.session as {"id": "session1"}
 }
--- a/authorize/evaluator/opa/policy/statik.go
+++ b/authorize/evaluator/opa/policy/statik.go
--- a/authorize/evaluator/opa_test.go
+++ b/authorize/evaluator/opa_test.go
@ -0,0 +1,440 @@
+package evaluator
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/open-policy-agent/opa/rego"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+
+	"github.com/pomerium/pomerium/config"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
+)
+
+func TestOPA(t *testing.T) {
+	type A = []interface{}
+	type M = map[string]interface{}
+
+	eval := func(policies []config.Policy, data []proto.Message, req *Request, isValidClientCertificate bool) rego.Result {
+		authzPolicy, err := readPolicy("/authz.rego")
+		require.NoError(t, err)
+		store := NewStoreFromProtos(data...)
+		store.UpdateRoutePolicies(policies)
+		r := rego.New(
+			rego.Store(store.opaStore),
+			rego.Module("pomerium.authz", string(authzPolicy)),
+			rego.Query("result = data.pomerium.authz"),
+		)
+		q, err := r.PrepareForEval(context.Background())
+		require.NoError(t, err)
+		rs, err := q.Eval(context.Background(),
+			rego.EvalInput((&Evaluator{store: store}).newInput(req, isValidClientCertificate)),
+		)
+		require.NoError(t, err)
+		require.Len(t, rs, 1)
+		return rs[0]
+	}
+
+	t.Run("client certificate", func(t *testing.T) {
+		res := eval(nil, nil, &Request{}, false)
+		assert.Equal(t,
+			A{A{json.Number("495"), "invalid client certificate"}},
+			res.Bindings["result"].(M)["deny"])
+	})
+	t.Run("email", func(t *testing.T) {
+		t.Run("allowed", func(t *testing.T) {
+			res := eval([]config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					AllowedUsers: []string{"a@example.com"},
+				},
+			}, []proto.Message{
+				&session.Session{
+					Id:     "session1",
+					UserId: "user1",
+				},
+				&user.User{
+					Id:    "user1",
+					Email: "a@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
+		t.Run("denied", func(t *testing.T) {
+			res := eval([]config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					AllowedUsers: []string{"a@example.com"},
+				},
+			}, []proto.Message{
+				&session.Session{
+					Id:     "session1",
+					UserId: "user1",
+				},
+				&user.User{
+					Id:    "user1",
+					Email: "b@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
+	})
+	t.Run("impersonate email", func(t *testing.T) {
+		t.Run("allowed", func(t *testing.T) {
+			res := eval([]config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					AllowedUsers: []string{"b@example.com"},
+				},
+			}, []proto.Message{
+				&user.ServiceAccount{
+					Id:               "session1",
+					UserId:           "user1",
+					ImpersonateEmail: proto.String("b@example.com"),
+				},
+				&user.User{
+					Id:    "user1",
+					Email: "a@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
+		t.Run("denied", func(t *testing.T) {
+			res := eval([]config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					AllowedUsers: []string{"a@example.com"},
+				},
+			}, []proto.Message{
+				&session.Session{
+					Id:               "session1",
+					UserId:           "user1",
+					ImpersonateEmail: proto.String("b@example.com"),
+				},
+				&user.User{
+					Id:    "user1",
+					Email: "a@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
+	})
+	t.Run("domain", func(t *testing.T) {
+		t.Run("allowed", func(t *testing.T) {
+			res := eval([]config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					AllowedDomains: []string{"example.com"},
+				},
+			}, []proto.Message{
+				&session.Session{
+					Id:     "session1",
+					UserId: "example/user1",
+				},
+				&user.User{
+					Id:    "example/user1",
+					Email: "a@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
+		t.Run("denied", func(t *testing.T) {
+			res := eval([]config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					AllowedDomains: []string{"notexample.com"},
+				},
+			}, []proto.Message{
+				&session.Session{
+					Id:     "session1",
+					UserId: "user1",
+				},
+				&user.User{
+					Id:    "user1",
+					Email: "a@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
+	})
+	t.Run("impersonate domain", func(t *testing.T) {
+		t.Run("allowed", func(t *testing.T) {
+			res := eval([]config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					AllowedDomains: []string{"example.com"},
+				},
+			}, []proto.Message{
+				&session.Session{
+					Id:               "session1",
+					UserId:           "user1",
+					ImpersonateEmail: proto.String("a@example.com"),
+				},
+				&user.User{
+					Id:    "user1",
+					Email: "a@notexample.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
+		t.Run("denied", func(t *testing.T) {
+			res := eval([]config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					AllowedDomains: []string{"example.com"},
+				},
+			}, []proto.Message{
+				&session.Session{
+					Id:               "session1",
+					UserId:           "user1",
+					ImpersonateEmail: proto.String("a@notexample.com"),
+				},
+				&user.User{
+					Id:    "user1",
+					Email: "a@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
+	})
+	t.Run("groups", func(t *testing.T) {
+		t.Run("allowed", func(t *testing.T) {
+			for _, nm := range []string{"group1", "group1name", "group1@example.com"} {
+				t.Run(nm, func(t *testing.T) {
+					res := eval([]config.Policy{
+						{
+							Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+							To: config.WeightedURLs{
+								{URL: *mustParseURL("https://to.example.com")},
+							},
+							AllowedGroups: []string{nm},
+						},
+					}, []proto.Message{
+						&session.Session{
+							Id:     "session1",
+							UserId: "user1",
+						},
+						&user.User{
+							Id:    "user1",
+							Email: "a@example.com",
+						},
+						&directory.User{
+							Id:       "user1",
+							GroupIds: []string{"group1"},
+						},
+						&directory.Group{
+							Id:    "group1",
+							Name:  "group1name",
+							Email: "group1@example.com",
+						},
+					}, &Request{
+						Session: RequestSession{
+							ID: "session1",
+						},
+						HTTP: RequestHTTP{
+							Method: "GET",
+							URL:    "https://from.example.com",
+						},
+					}, true)
+					assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+				})
+			}
+		})
+		t.Run("denied", func(t *testing.T) {
+			res := eval([]config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					AllowedGroups: []string{"group1"},
+				},
+			}, []proto.Message{
+				&session.Session{
+					Id:     "session1",
+					UserId: "user1",
+				},
+				&user.User{
+					Id:    "user1",
+					Email: "a@example.com",
+				},
+				&directory.User{
+					Id:       "user1",
+					GroupIds: []string{"group2"},
+				},
+				&directory.Group{
+					Id:    "group1",
+					Name:  "group-1",
+					Email: "group1@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
+	})
+	t.Run("impersonate groups", func(t *testing.T) {
+		res := eval([]config.Policy{
+			{
+				Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+				To: config.WeightedURLs{
+					{URL: *mustParseURL("https://to.example.com")},
+				},
+				AllowedGroups: []string{"group1"},
+			},
+		}, []proto.Message{
+			&session.Session{
+				Id:                "session1",
+				UserId:            "user1",
+				ImpersonateEmail:  proto.String("a@example.com"),
+				ImpersonateGroups: []string{"group1"},
+			},
+			&user.User{
+				Id:    "user1",
+				Email: "a@example.com",
+			},
+			&directory.Group{
+				Id:    "group1",
+				Name:  "group-1",
+				Email: "group1@example.com",
+			},
+		}, &Request{
+			Session: RequestSession{
+				ID: "session1",
+			},
+			HTTP: RequestHTTP{
+				Method: "GET",
+				URL:    "https://from.example.com",
+			},
+		}, true)
+		assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+	})
+	t.Run("any authenticated user", func(t *testing.T) {
+		res := eval([]config.Policy{
+			{
+				Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+				To: config.WeightedURLs{
+					{URL: *mustParseURL("https://to.example.com")},
+				},
+				AllowAnyAuthenticatedUser: true,
+			},
+		}, []proto.Message{
+			&session.Session{
+				Id:     "session1",
+				UserId: "user1",
+			},
+			&user.User{
+				Id:    "user1",
+				Email: "a@example.com",
+			},
+		}, &Request{
+			Session: RequestSession{
+				ID: "session1",
+			},
+			HTTP: RequestHTTP{
+				Method: "GET",
+				URL:    "https://from.example.com",
+			},
+		}, true)
+		assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+	})
+}