Add configurable JWT claim headers (#596)

2025-06-29 07:58:14 +02:00 · 2020-04-09 23:41:55 -04:00 · 2020-04-09 23:41:55 -04:00 · 789068e27a
commit 789068e27a
parent b08ecc624a
6 changed files with 118 additions and 17 deletions
--- a/proxy/middleware_test.go
+++ b/proxy/middleware_test.go
@ -11,6 +11,7 @@ import (

 	"github.com/google/go-cmp/cmp"
 	"github.com/pomerium/pomerium/internal/encoding"
+	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/encoding/mock"
 	"github.com/pomerium/pomerium/internal/grpc/authorize"
 	"github.com/pomerium/pomerium/internal/grpc/authorize/client"
@ -72,15 +73,72 @@ func TestProxy_AuthenticateSession(t *testing.T) {
 			r = r.WithContext(ctx)
 			r.Header.Set("Accept", "application/json")
 			w := httptest.NewRecorder()
-			got := a.userDetailsLoggerMiddleware(a.AuthenticateSession(fn))
+			got := a.jwtClaimMiddleware(a.AuthenticateSession(fn))
 			got.ServeHTTP(w, r)
 			if status := w.Code; status != tt.wantStatus {
 				t.Errorf("AuthenticateSession() error = %v, wantErr %v\n%v", w.Result().StatusCode, tt.wantStatus, w.Body.String())
 			}
+
 		})
 	}
 }

+func Test_jwtClaimMiddleware(t *testing.T) {
+	email := "test@pomerium.example"
+	groups := []string{"foo", "bar"}
+	claimHeaders := []string{"email", "groups", "missing"}
+	sharedKey := "80ldlrU2d7w+wVpKNfevk6fmb8otEx6CqOfshj2LwhQ="
+
+	session := &sessions.State{Email: email, Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Second)), Groups: groups}
+	encoder, _ := jws.NewHS256Signer([]byte(sharedKey), "https://authenticate.pomerium.example")
+	state, err := encoder.Marshal(session)
+
+	if err != nil {
+		t.Errorf("failed to marshal state: %s", err)
+	}
+
+	a := Proxy{
+		SharedKey:       sharedKey,
+		cookieSecret:    []byte("80ldlrU2d7w+wVpKNfevk6fmb8otEx6CqOfshj2LwhQ="),
+		encoder:         encoder,
+		jwtClaimHeaders: claimHeaders,
+	}
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	r := httptest.NewRequest(http.MethodGet, "/", nil)
+	ctx := r.Context()
+	ctx = sessions.NewContext(ctx, string(state), nil)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+	proxyHandler := a.jwtClaimMiddleware(handler)
+	proxyHandler.ServeHTTP(w, r)
+
+	t.Run("email claim", func(t *testing.T) {
+		emailHeader := r.Header.Get("x-pomerium-claim-email")
+		if emailHeader != email {
+			t.Errorf("did not find claim email, want=%q, got=%q", email, emailHeader)
+		}
+	})
+
+	t.Run("groups claim", func(t *testing.T) {
+		groupsHeader := r.Header.Get("x-pomerium-claim-groups")
+		if groupsHeader != strings.Join(groups, ",") {
+			t.Errorf("did not find claim groups, want=%q, got=%q", groups, groupsHeader)
+		}
+	})
+
+	t.Run("missing claim", func(t *testing.T) {
+		absentHeader := r.Header.Get("x-pomerium-claim-missing")
+		if absentHeader != "" {
+			t.Errorf("found claim that should not exist, got=%q", absentHeader)
+		}
+	})
+
+}
+
 func TestProxy_AuthorizeSession(t *testing.T) {
 	t.Parallel()
 	fn := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {