authorize: move headers and jwt signing to rego (#1856)

* wip * wip * wip * remove SignedJWT field * set google_cloud_serverless_authentication_service_account * update jwt claim headers * add mock get_google_cloud_serverless_headers for opa test * swap issuer and audience * add comment * change default port in authz
2025-05-29 17:07:24 +02:00 · 2021-02-08 10:53:21 -07:00 · 2021-02-08 10:53:21 -07:00 · 7d236ca1af
commit 7d236ca1af
parent 2dc0be2ec9
17 changed files with 492 additions and 675 deletions
--- a/authorize/session_test.go
+++ b/authorize/session_test.go
@ -7,15 +7,10 @@ import (

 	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"

-	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/config"
-	"github.com/pomerium/pomerium/internal/directory"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/sessions"
-	"github.com/pomerium/pomerium/pkg/grpc/session"
-	"github.com/pomerium/pomerium/pkg/grpc/user"
 )

 func TestLoadSession(t *testing.T) {
@ -105,71 +100,3 @@ func TestLoadSession(t *testing.T) {
 		assert.NotNil(t, sess)
 	})
 }
-
-func TestAuthorize_getJWTClaimHeaders(t *testing.T) {
-	opt := &config.Options{
-		AuthenticateURL: mustParseURL("https://authenticate.example.com"),
-		Policies: []config.Policy{{
-			Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
-			SubPolicies: []config.SubPolicy{{
-				Rego: []string{"allow = true"},
-			}},
-		}},
-	}
-	a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
-	encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
-	a.state.Load().encoder = encoder
-	a.currentOptions.Store(opt)
-	a.store = evaluator.NewStoreFromProtos(
-		&session.Session{
-			Id:     "SESSION_ID",
-			UserId: "USER_ID",
-		},
-		&user.User{
-			Id:    "USER_ID",
-			Name:  "foo",
-			Email: "foo@example.com",
-		},
-		&directory.User{
-			Id:       "USER_ID",
-			GroupIds: []string{"admin_id", "test_id"},
-		},
-		&directory.Group{
-			Id:   "admin_id",
-			Name: "admin",
-		},
-		&directory.Group{
-			Id:   "test_id",
-			Name: "test",
-		},
-	)
-	pe, err := newPolicyEvaluator(opt, a.store)
-	require.NoError(t, err)
-	a.state.Load().evaluator = pe
-	signedJWT, _ := pe.SignedJWT(pe.JWTPayload(&evaluator.Request{
-		HTTP: evaluator.RequestHTTP{URL: "https://example.com"},
-		Session: evaluator.RequestSession{
-			ID: "SESSION_ID",
-		},
-	}))
-
-	tests := []struct {
-		name            string
-		signedJWT       string
-		jwtHeaders      []string
-		expectedHeaders map[string]string
-	}{
-		{"good with email", signedJWT, []string{"email"}, map[string]string{"x-pomerium-claim-email": "foo@example.com"}},
-		{"good with groups", signedJWT, []string{"groups"}, map[string]string{"x-pomerium-claim-groups": "admin_id,test_id,admin,test"}},
-		{"empty signed JWT", "", nil, make(map[string]string)},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			opt.JWTClaimsHeaders = tc.jwtHeaders
-			gotHeaders, err := a.getJWTClaimHeaders(opt, tc.signedJWT)
-			require.NoError(t, err)
-			assert.Equal(t, tc.expectedHeaders, gotHeaders)
-		})
-	}
-}