authorize: remove DataBrokerData input (#1847)

* authorize: remove DataBrokerData

* add opa test

* domain, group tests

* more tests

* remove databroker data input

* update authz tests

* update dead code

* fix method name

* handle / in keys
This commit is contained in:
Caleb Doxsey 2021-02-02 14:27:35 -07:00 committed by GitHub
parent 14a637570f
commit 74ac23c980
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 566 additions and 104 deletions

View file

@ -15,19 +15,10 @@ import (
"gopkg.in/square/go-jose.v2"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/directory"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/pkg/cryptutil"
)
const (
directoryGroupTypeURL = "type.googleapis.com/directory.Group"
directoryUserTypeURL = "type.googleapis.com/directory.User"
serviceAccountTypeURL = "type.googleapis.com/user.ServiceAccount"
sessionTypeURL = "type.googleapis.com/session.Session"
userTypeURL = "type.googleapis.com/user.User"
)
// Evaluator specifies the interface for a policy engine.
type Evaluator struct {
custom *CustomEvaluator
@ -230,52 +221,13 @@ func (e *Evaluator) SignedJWT(payload map[string]interface{}) (string, error) {
}
type input struct {
DataBrokerData dataBrokerDataInput `json:"databroker_data"`
HTTP RequestHTTP `json:"http"`
Session RequestSession `json:"session"`
IsValidClientCertificate bool `json:"is_valid_client_certificate"`
}
type dataBrokerDataInput struct {
Session interface{} `json:"session,omitempty"`
User interface{} `json:"user,omitempty"`
Groups interface{} `json:"groups,omitempty"`
HTTP RequestHTTP `json:"http"`
Session RequestSession `json:"session"`
IsValidClientCertificate bool `json:"is_valid_client_certificate"`
}
func (e *Evaluator) newInput(req *Request, isValidClientCertificate bool) *input {
i := new(input)
i.DataBrokerData.Session = e.store.GetRecordData(sessionTypeURL, req.Session.ID)
if i.DataBrokerData.Session == nil {
i.DataBrokerData.Session = e.store.GetRecordData(serviceAccountTypeURL, req.Session.ID)
}
var userIDs []string
if obj, ok := i.DataBrokerData.Session.(interface{ GetUserId() string }); ok && obj.GetUserId() != "" {
userIDs = append(userIDs, obj.GetUserId())
}
if obj, ok := i.DataBrokerData.Session.(interface{ GetImpersonateUserId() string }); ok && obj.GetImpersonateUserId() != "" {
userIDs = append(userIDs, obj.GetImpersonateUserId())
}
for _, userID := range userIDs {
i.DataBrokerData.User = e.store.GetRecordData(userTypeURL, userID)
user, ok := e.store.GetRecordData(directoryUserTypeURL, userID).(*directory.User)
if ok {
var groups []string
for _, groupID := range user.GetGroupIds() {
if dg, ok := e.store.GetRecordData(directoryGroupTypeURL, groupID).(*directory.Group); ok {
if dg.Name != "" {
groups = append(groups, dg.Name)
}
if dg.Email != "" {
groups = append(groups, dg.Email)
}
}
}
groups = append(groups, user.GetGroupIds()...)
i.DataBrokerData.Groups = groups
}
}
i.HTTP = req.HTTP
i.Session = req.Session
i.IsValidClientCertificate = isValidClientCertificate

View file

@ -58,7 +58,6 @@ func TestJSONMarshal(t *testing.T) {
},
}, true))
assert.JSONEq(t, `{
"databroker_data": {},
"http": {
"client_certificate": "CLIENT_CERTIFICATE",
"headers": {

View file

@ -6,11 +6,39 @@ route_policy_idx := first_allowed_route_policy_idx(input.http.url)
route_policy := data.route_policies[route_policy_idx]
session := input.databroker_data.session
session = s {
s = object_get(data.databroker_data["type.googleapis.com"]["user.ServiceAccount"], input.session.id, null)
} else = s {
s = object_get(data.databroker_data["type.googleapis.com"]["session.Session"], input.session.id, null)
} else = {} {
true
}
user := input.databroker_data.user
user = u {
u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.impersonate_user_id, null)
} else = u {
u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.user_id, null)
} else = {} {
true
}
groups := input.databroker_data.groups
directory_user = du {
du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.impersonate_user_id, null)
} else = du {
du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.user_id, null)
} else = {} {
true
}
group_ids = gs {
gs = session.impersonate_group_ids
} else = gs {
gs = directory_user.group_ids
} else = [] {
true
}
groups := array.concat(group_ids, array.concat(get_databroker_group_names(group_ids), get_databroker_group_emails(group_ids)))
all_allowed_domains := get_allowed_domains(route_policy)
@ -204,3 +232,43 @@ are_claims_allowed(a, b) {
is_array(bvs)
avs[_] == bvs[_]
}
get_databroker_group_names(ids) = gs {
gs := [name | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; name := group.name]
}
get_databroker_group_emails(ids) = gs {
gs := [email | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; email := group.email]
}
# object_get is like object.get, but supports converting "/" in keys to separate lookups
# rego doesn't support recursion, so we hard code a limited number of /'s
object_get(obj, key, def) = value {
segments := split(key, "/")
count(segments) == 2
o1 := object.get(obj, segments[0], {})
value = object.get(o1, segments[1], def)
} else = value {
segments := split(key, "/")
count(segments) == 3
o1 := object.get(obj, segments[0], {})
o2 := object.get(o1, segments[1], {})
value = object.get(o2, segments[2], def)
} else = value {
segments := split(key, "/")
count(segments) == 4
o1 := object.get(obj, segments[0], {})
o2 := object.get(o1, segments[1], {})
o3 := object.get(o2, segments[2], {})
value = object.get(o3, segments[3], def)
} else = value {
segments := split(key, "/")
count(segments) == 5
o1 := object.get(obj, segments[0], {})
o2 := object.get(o1, segments[1], {})
o3 := object.get(o2, segments[2], {})
o4 := object.get(o3, segments[3], {})
value = object.get(o4, segments[4], def)
} else = value {
value = object.get(obj, key, def)
}

View file

@ -5,10 +5,10 @@ test_email_allowed {
"source": "example.com",
"allowed_users": ["x@example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1"},
"user": {"email": "x@example.com"},
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -18,10 +18,10 @@ test_impersonate_email_not_allowed {
"source": "example.com",
"allowed_users": ["x@example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
"user": {"email": "x@example.com"},
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com"}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -31,10 +31,10 @@ test_impersonate_email_allowed {
"source": "example.com",
"allowed_users": ["y@example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example.com"},
"user": {"email": "x@example.com"},
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com"}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -42,13 +42,14 @@ test_impersonate_email_allowed {
test_group_allowed {
allow with data.route_policies as [{
"source": "example.com",
"allowed_groups": ["1"],
"allowed_groups": ["group1"],
}]
with input.databroker_data as {
"session": {"user_id": "user1"},
"user": {"email": "x@example.com"},
"groups": ["1"],
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
"directory.User": {"user1": {"id": "user1", "group_ids": ["group1"]}},
"directory.Group": {"group1": {"id": "group1"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -56,13 +57,14 @@ test_group_allowed {
test_impersonate_groups_not_allowed {
not allow with data.route_policies as [{
"source": "example.com",
"allowed_groups": ["1"],
"allowed_groups": ["group1"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
"user": {"email": "x@example.com"},
"groups": ["1"],
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["group2"]}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
"directory.User": {"user1": {"id": "user1", "group_ids": ["group1"]}},
"directory.Group": {"group1": {"id": "group1"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -70,13 +72,14 @@ test_impersonate_groups_not_allowed {
test_impersonate_groups_allowed {
allow with data.route_policies as [{
"source": "example.com",
"allowed_groups": ["2"],
"allowed_groups": ["group2"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"]},
"user": {"email": "x@example.com"},
"directory_user": {"groups": ["1"]},
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@example.com", "impersonate_groups": ["group2"]}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
"directory.User": {"user1": {"id": "user1", "group_ids": ["group1"]}},
"directory.Group": {"group1": {"id": "group1"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -86,10 +89,10 @@ test_domain_allowed {
"source": "example.com",
"allowed_domains": ["example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": ""},
"user": {"email": "x@example.com"},
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -99,10 +102,10 @@ test_impersonate_domain_not_allowed {
"source": "example.com",
"allowed_domains": ["example.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
"user": {"email": "x@example.com"},
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@notexample.com"}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -110,12 +113,12 @@ test_impersonate_domain_not_allowed {
test_impersonate_domain_allowed {
allow with data.route_policies as [{
"source": "example.com",
"allowed_domains": ["example1.com"],
"allowed_domains": ["notexample.com"],
}]
with input.databroker_data as {
"session": {"user_id": "user1", "impersonate_email": "y@example1.com"},
"user": {"email": "x@example.com"},
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1", "impersonate_email": "y@notexample.com"}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -125,7 +128,7 @@ test_idp_claims_allowed {
"source": "example.com",
"allowed_idp_claims": {"some.claim": ["a", "b"]},
}]
with input.databroker_data as {"session": {"claims": {"some.claim": ["b"]}}}
with data.databroker_data as {"type.googleapis.com": {"session.Session": {"session1": {"id": "session1", "claims": {"some.claim": ["b"]}}}}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}
@ -312,10 +315,10 @@ test_any_authenticated_user_allowed {
"source": "example.com",
"AllowAnyAuthenticatedUser": true,
}]
with input.databroker_data as {
"session": {"user_id": "user1"},
"user": {"email": "x@example.com"},
}
with data.databroker_data as {"type.googleapis.com": {
"session.Session": {"session1": {"id": "session1", "user_id": "user1"}},
"user.User": {"user1": {"id": "user1", "email": "x@example.com"}},
}}
with input.http as {"url": "http://example.com"}
with input.session as {"id": "session1"}
}

File diff suppressed because one or more lines are too long

View file

@ -0,0 +1,440 @@
package evaluator
import (
"context"
"encoding/json"
"testing"
"github.com/open-policy-agent/opa/rego"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/pkg/grpc/directory"
"github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user"
)
func TestOPA(t *testing.T) {
type A = []interface{}
type M = map[string]interface{}
eval := func(policies []config.Policy, data []proto.Message, req *Request, isValidClientCertificate bool) rego.Result {
authzPolicy, err := readPolicy("/authz.rego")
require.NoError(t, err)
store := NewStoreFromProtos(data...)
store.UpdateRoutePolicies(policies)
r := rego.New(
rego.Store(store.opaStore),
rego.Module("pomerium.authz", string(authzPolicy)),
rego.Query("result = data.pomerium.authz"),
)
q, err := r.PrepareForEval(context.Background())
require.NoError(t, err)
rs, err := q.Eval(context.Background(),
rego.EvalInput((&Evaluator{store: store}).newInput(req, isValidClientCertificate)),
)
require.NoError(t, err)
require.Len(t, rs, 1)
return rs[0]
}
t.Run("client certificate", func(t *testing.T) {
res := eval(nil, nil, &Request{}, false)
assert.Equal(t,
A{A{json.Number("495"), "invalid client certificate"}},
res.Bindings["result"].(M)["deny"])
})
t.Run("email", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedUsers: []string{"a@example.com"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
})
t.Run("denied", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedUsers: []string{"a@example.com"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
},
&user.User{
Id: "user1",
Email: "b@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
})
})
t.Run("impersonate email", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedUsers: []string{"b@example.com"},
},
}, []proto.Message{
&user.ServiceAccount{
Id: "session1",
UserId: "user1",
ImpersonateEmail: proto.String("b@example.com"),
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
})
t.Run("denied", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedUsers: []string{"a@example.com"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateEmail: proto.String("b@example.com"),
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
})
})
t.Run("domain", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedDomains: []string{"example.com"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "example/user1",
},
&user.User{
Id: "example/user1",
Email: "a@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
})
t.Run("denied", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedDomains: []string{"notexample.com"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
})
})
t.Run("impersonate domain", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedDomains: []string{"example.com"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateEmail: proto.String("a@example.com"),
},
&user.User{
Id: "user1",
Email: "a@notexample.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
})
t.Run("denied", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedDomains: []string{"example.com"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateEmail: proto.String("a@notexample.com"),
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
})
})
t.Run("groups", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
for _, nm := range []string{"group1", "group1name", "group1@example.com"} {
t.Run(nm, func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedGroups: []string{nm},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
&directory.User{
Id: "user1",
GroupIds: []string{"group1"},
},
&directory.Group{
Id: "group1",
Name: "group1name",
Email: "group1@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
})
}
})
t.Run("denied", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedGroups: []string{"group1"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
&directory.User{
Id: "user1",
GroupIds: []string{"group2"},
},
&directory.Group{
Id: "group1",
Name: "group-1",
Email: "group1@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.False(t, res.Bindings["result"].(M)["allow"].(bool))
})
})
t.Run("impersonate groups", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowedGroups: []string{"group1"},
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
ImpersonateEmail: proto.String("a@example.com"),
ImpersonateGroups: []string{"group1"},
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
&directory.Group{
Id: "group1",
Name: "group-1",
Email: "group1@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
})
t.Run("any authenticated user", func(t *testing.T) {
res := eval([]config.Policy{
{
Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
To: config.WeightedURLs{
{URL: *mustParseURL("https://to.example.com")},
},
AllowAnyAuthenticatedUser: true,
},
}, []proto.Message{
&session.Session{
Id: "session1",
UserId: "user1",
},
&user.User{
Id: "user1",
Email: "a@example.com",
},
}, &Request{
Session: RequestSession{
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
URL: "https://from.example.com",
},
}, true)
assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
})
}