diff --git a/authorize/evaluator/evaluator.go b/authorize/evaluator/evaluator.go
index 03ce65243..89d157985 100644
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@@ -97,6 +97,11 @@ func (e *Evaluator) Evaluate(ctx context.Context, req *Request) (*Result, error)
 )
 allow := getAllowVar(res[0].Bindings.WithoutWildcards())
+ log.Info(ctx).
+ Bool("ALLOW", allow).
+ Interface("SESSION", req.Session).
+ Interface("RESULT", res[0].Bindings.WithoutWildcards()).
+ Send()
 // evaluate any custom policies
 if allow {
 for _, src := range req.CustomPolicies {
diff --git a/authorize/evaluator/opa/policy/authz.rego b/authorize/evaluator/opa/policy/authz.rego
index 0c8d1c8be..1c25c0686 100644
--- a/authorize/evaluator/opa/policy/authz.rego
+++ b/authorize/evaluator/opa/policy/authz.rego
@@ -394,16 +394,21 @@ element_in_list(list, elem) {
 }
 get_allowed_users(policy) = v {
- sub_allowed_users = [sp.allowed_users | sp := policy.sub_policies[_]]
- v := {x | x = array.concat(policy.allowed_users, [u | u := policy.sub_policies[_].allowed_users[_]])[_]}
+ sub_array := [x | x = policy.sub_policies[_].allowed_users[_]]
+ main_array := [x | x = policy.allowed_users[_]]
+ v := {x | x = array.concat(main_array, sub_array)[_]}
 }
 get_allowed_domains(policy) = v {
- v := {x | x = array.concat(policy.allowed_domains, [u | u := policy.sub_policies[_].allowed_domains[_]])[_]}
+ sub_array := [x | x = policy.sub_policies[_].allowed_domains[_]]
+ main_array := [x | x = policy.allowed_domains[_]]
+ v := {x | x = array.concat(main_array, sub_array)[_]}
 }
 get_allowed_groups(policy) = v {
- v := {x | x = array.concat(policy.allowed_groups, [u | u := policy.sub_policies[_].allowed_groups[_]])[_]}
+ sub_array := [x | x = policy.sub_policies[_].allowed_groups[_]]
+ main_array := [x | x = policy.allowed_groups[_]]
+ v := {x | x = array.concat(main_array, sub_array)[_]}
 }
 get_allowed_idp_claims(policy) = v {
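Review bot: The added log call dumps the whole `req.Session` and every OPA result binding at Info level on every authorization evaluation, which reads as temporary debug instrumentation (upper-case field names, `Interface(...)` of entire structs) rather than something meant to ship — identity data lands in the log output per request, and at Info it cannot be switched off by level. If a trace of the decision is wanted, lower it and log only what identifies the decision, e.g. `log.Debug(ctx).Bool("allow", allow).Str("session-id", req.Session.ID).Send()`, assuming the logger offers a `Str` field method alongside the `Bool`/`Interface` ones used here. `Evaluate` begins before and continues after this hunk.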
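Review bot: The comprehension form of `main_array` is doing real work that nothing in the hunk explains: in Rego a reference to an absent `policy.allowed_users` key is undefined, so the old `array.concat(policy.allowed_users, ...)` made `v` — and with it the allow decision for a route whose allow lists live only in sub-policies — undefined, whereas `[x | x = policy.allowed_users[_]]` evaluates to `[]` in that case. A comment above the three functions would stop the next refactor folding this back, e.g. `# comprehensions, not direct refs: a missing allowed_* key must yield [] (so sub_policies still count), not make the rule undefined`. `get_allowed_idp_claims` starts on the last line of the hunk and is cut off; if it still passes the top-level field straight into `array.concat` it presumably has the same gap. The three bodies differ only in the field name and could share one helper indexed by field (`policy[field][_]`), but that is a style choice.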
diff --git a/authorize/evaluator/opa_test.go b/authorize/evaluator/opa_test.go
index 1136a160e..f7f4433b2 100644
--- a/authorize/evaluator/opa_test.go
+++ b/authorize/evaluator/opa_test.go
@@ -278,6 +278,39 @@ func TestOPA(t *testing.T) {
 }, true)
 assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
 })
+ t.Run("allowed sub", func(t *testing.T) {
+ res := eval(t, []config.Policy{
+ {
+ Source: &config.StringURL{URL: mustParseURL("https://from.example.com:8000")},
+ To: config.WeightedURLs{
+ {URL: *mustParseURL("https://to.example.com")},
+ },
+ SubPolicies: []config.SubPolicy{
+ {
+ AllowedUsers: []string{"a@example.com"},
+ },
+ },
+ },
+ }, []proto.Message{
+ &session.Session{
+ Id: "session1",
+ UserId: "user1",
+ },
+ &user.User{
+ Id: "user1",
+ Email: "a@example.com",
+ },
+ }, &Request{
+ Session: RequestSession{
+ ID: "session1",
+ },
+ HTTP: RequestHTTP{
+ Method: "GET",
+ URL: "https://from.example.com:8000",
+ },
+ }, true)
+ assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+ })
 t.Run("denied", func(t *testing.T) {
 res := eval(t, []config.Policy{
 {
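Review bot: The new case only proves that the listed user is let in; nothing checks that a sub-policy allow list does not also admit everyone else once the top-level `allowed_users` is absent, which is exactly the shape the policy change introduces (an empty `main_array` concatenated with the sub-policy list). A sibling `t.Run("denied sub", ...)` that is this fixture with `Email: "b@example.com"` and `assert.False(t, res.Bindings["result"].(M)["allow"].(bool))` would pin that down. The enclosing `TestOPA` starts before and continues after this hunk.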
@@ -430,6 +463,40 @@ func TestOPA(t *testing.T) {
 }, true)
 assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
 })
+ t.Run("allowed sub", func(t *testing.T) {
+ res := eval(t, []config.Policy{
+ {
+ Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+ To: config.WeightedURLs{
+ {URL: *mustParseURL("https://to.example.com")},
+ },
+ SubPolicies: []config.SubPolicy{
+ {
+ AllowedDomains: []string{"example.com"},
+ },
+ },
+ },
+ }, []proto.Message{
+ &user.ServiceAccount{Id: "serviceaccount1"},
+ &session.Session{
+ Id: "session1",
+ UserId: "example/user1",
+ },
+ &user.User{
+ Id: "example/user1",
+ Email: "a@example.com",
+ },
+ }, &Request{
+ Session: RequestSession{
+ ID: "session1",
+ },
+ HTTP: RequestHTTP{
+ Method: "GET",
+ URL: "https://from.example.com",
+ },
+ }, true)
+ assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+ })
 t.Run("denied", func(t *testing.T) {
 res := eval(t, []config.Policy{
 {
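Review bot: `&user.ServiceAccount{Id: "serviceaccount1"}` in the fixture is not referenced by the session (`UserId: "example/user1"` resolves to the `user.User` record) or by the request, so it looks copied from a neighbouring case; either drop it or say what it is for, e.g. `// unrelated service account record: must not influence a user session`. As with the users case, there is no negative sibling showing that a `@other.com` user is denied when `example.com` is allowed only through a sub-policy. `TestOPA` begins before and continues after this hunk.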