authorize: remove JWT timestamp format workaround (#4321)

Update OPA to v0.54.0, which changes the JSON serialization behavior for
large integers. Remove the formatting workaround and the unit test that
verified that the workaround was still needed.
Kenneth Jenkins 2023-06-30 11:54:46 -07:00 committed by GitHub
parent cd056e89db
commit 74e648630f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 14 additions and 39 deletions


@ -5,7 +5,6 @@ import (
"context"
"encoding/base64"
"encoding/json"
"fmt"
"math"
"strconv"
"strings"
@ -13,7 +12,6 @@ import (
"time"
"github.com/go-jose/go-jose/v3/jwt"
"github.com/open-policy-agent/opa/rego"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto"
@ -233,18 +231,3 @@ func decodeJWSPayload(t *testing.T, jws string) []byte {
require.NoError(t, err)
return payload
}
// If this test fails with the message "workaround no longer needed", then the
// upstream serialization issue in Rego has been fixed, and we should be able
// to remove the to_number / format_int workaround from headers.rego (and
// delete this test).
func TestTimestampWorkaroundStillNeeded(t *testing.T) {
now := strconv.FormatInt(time.Now().Unix(), 10)
r := rego.New(rego.Query(fmt.Sprintf("json.marshal(%s + 0)", now)))
rs, err := r.Eval(context.Background())
require.NoError(t, err, "rego evaluation error")
require.Equal(t, 1, len(rs))
e := rs[0].Expressions
require.Equal(t, 1, len(e))
assert.NotEqual(t, now, e[0].Value, "workaround no longer needed")
}


@ -90,10 +90,6 @@ jwt_payload_exp = v {
v = five_minutes
} else = null
jwt_payload_exp_int = v {
v = to_number(format_int(jwt_payload_exp, 10))
} else = null
jwt_payload_iat = v {
# sessions store the issued_at on the id_token
v = round(session.id_token.issued_at.seconds)
@ -102,10 +98,6 @@ jwt_payload_iat = v {
v = round(session.issued_at.seconds)
} else = null
jwt_payload_iat_int = v {
v = to_number(format_int(jwt_payload_iat, 10))
} else = null
jwt_payload_sub = v {
v = session.user_id
} else = ""
@ -141,8 +133,8 @@ base_jwt_claims := [
["iss", jwt_payload_iss],
["aud", jwt_payload_aud],
["jti", jwt_payload_jti],
["exp", jwt_payload_exp_int],
["iat", jwt_payload_iat_int],
["exp", jwt_payload_exp],
["iat", jwt_payload_iat],
["sub", jwt_payload_sub],
["user", jwt_payload_user],
["email", jwt_payload_email],
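Review bot: The `exp` and `iat` entries of `base_jwt_claims` now depend on OPA's JSON encoder emitting the `round(...)` results as plain integers, but nothing in the hunk records that dependency, and the canary test that caught a float-formatted timestamp is deleted in the same commit. A timestamp serialized as something like `1.688e+09` is not a valid RFC 7519 NumericDate, and many JWT verifiers reject or mis-parse it, so a silent regression (an OPA downgrade, or an upstream encoder change) would only show up as authorization failures downstream. Suggest a comment above the two entries, e.g. `# exp/iat must serialize as integer NumericDate values; relies on OPA >= v0.54.0 integer JSON encoding`, and a replacement test in the authorize package that decodes an issued JWT payload and asserts the raw `exp` and `iat` values contain neither `.` nor `e`. The `base_jwt_claims` list starts at the hunk header and continues past the hunk.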