authorize: move headers and jwt signing to rego (#1856)

* wip * wip * wip * remove SignedJWT field * set google_cloud_serverless_authentication_service_account * update jwt claim headers * add mock get_google_cloud_serverless_headers for opa test * swap issuer and audience * add comment * change default port in authz
2025-06-03 11:22:45 +02:00 · 2021-02-08 10:53:21 -07:00 · 2021-02-08 10:53:21 -07:00 · 7d236ca1af
commit 7d236ca1af
parent 2dc0be2ec9
17 changed files with 492 additions and 675 deletions
--- a/authorize/session.go
+++ b/authorize/session.go
@ -1,12 +1,10 @@
 package authorize

 import (
-	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
-	"strings"

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
@ -85,41 +83,3 @@ func getJWTSetCookieHeaders(cookieStore sessions.SessionStore, rawjwt []byte) (m
 	}
 	return hdrs, nil
 }
-
-func (a *Authorize) getJWTClaimHeaders(options *config.Options, signedJWT string) (map[string]string, error) {
-	if len(signedJWT) == 0 {
-		return make(map[string]string), nil
-	}
-
-	state := a.state.Load()
-
-	var claims map[string]interface{}
-	payload, err := state.evaluator.ParseSignedJWT(signedJWT)
-	if err != nil {
-		return nil, err
-	}
-	if err := json.Unmarshal(payload, &claims); err != nil {
-		return nil, err
-	}
-
-	hdrs := make(map[string]string)
-	for _, name := range options.JWTClaimsHeaders {
-		if claim, ok := claims[name]; ok {
-			switch value := claim.(type) {
-			case string:
-				hdrs["x-pomerium-claim-"+name] = value
-			case []interface{}:
-				hdrs["x-pomerium-claim-"+name] = strings.Join(toSliceStrings(value), ",")
-			}
-		}
-	}
-	return hdrs, nil
-}
-
-func toSliceStrings(sliceIfaces []interface{}) []string {
-	sliceStrings := make([]string, 0, len(sliceIfaces))
-	for _, e := range sliceIfaces {
-		sliceStrings = append(sliceStrings, fmt.Sprint(e))
-	}
-	return sliceStrings
-}