mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-29 17:07:24 +02:00
authorize: move headers and jwt signing to rego (#1856)
* wip * wip * wip * remove SignedJWT field * set google_cloud_serverless_authentication_service_account * update jwt claim headers * add mock get_google_cloud_serverless_headers for opa test * swap issuer and audience * add comment * change default port in authz
This commit is contained in:
parent
2dc0be2ec9
commit
7d236ca1af
17 changed files with 492 additions and 675 deletions
|
@ -7,15 +7,10 @@ import (
|
|||
|
||||
envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/pomerium/pomerium/authorize/evaluator"
|
||||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/directory"
|
||||
"github.com/pomerium/pomerium/internal/encoding/jws"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
)
|
||||
|
||||
func TestLoadSession(t *testing.T) {
|
||||
|
@ -105,71 +100,3 @@ func TestLoadSession(t *testing.T) {
|
|||
assert.NotNil(t, sess)
|
||||
})
|
||||
}
|
||||
|
||||
func TestAuthorize_getJWTClaimHeaders(t *testing.T) {
|
||||
opt := &config.Options{
|
||||
AuthenticateURL: mustParseURL("https://authenticate.example.com"),
|
||||
Policies: []config.Policy{{
|
||||
Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
|
||||
SubPolicies: []config.SubPolicy{{
|
||||
Rego: []string{"allow = true"},
|
||||
}},
|
||||
}},
|
||||
}
|
||||
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
|
||||
encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
|
||||
a.state.Load().encoder = encoder
|
||||
a.currentOptions.Store(opt)
|
||||
a.store = evaluator.NewStoreFromProtos(
|
||||
&session.Session{
|
||||
Id: "SESSION_ID",
|
||||
UserId: "USER_ID",
|
||||
},
|
||||
&user.User{
|
||||
Id: "USER_ID",
|
||||
Name: "foo",
|
||||
Email: "foo@example.com",
|
||||
},
|
||||
&directory.User{
|
||||
Id: "USER_ID",
|
||||
GroupIds: []string{"admin_id", "test_id"},
|
||||
},
|
||||
&directory.Group{
|
||||
Id: "admin_id",
|
||||
Name: "admin",
|
||||
},
|
||||
&directory.Group{
|
||||
Id: "test_id",
|
||||
Name: "test",
|
||||
},
|
||||
)
|
||||
pe, err := newPolicyEvaluator(opt, a.store)
|
||||
require.NoError(t, err)
|
||||
a.state.Load().evaluator = pe
|
||||
signedJWT, _ := pe.SignedJWT(pe.JWTPayload(&evaluator.Request{
|
||||
HTTP: evaluator.RequestHTTP{URL: "https://example.com"},
|
||||
Session: evaluator.RequestSession{
|
||||
ID: "SESSION_ID",
|
||||
},
|
||||
}))
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
signedJWT string
|
||||
jwtHeaders []string
|
||||
expectedHeaders map[string]string
|
||||
}{
|
||||
{"good with email", signedJWT, []string{"email"}, map[string]string{"x-pomerium-claim-email": "foo@example.com"}},
|
||||
{"good with groups", signedJWT, []string{"groups"}, map[string]string{"x-pomerium-claim-groups": "admin_id,test_id,admin,test"}},
|
||||
{"empty signed JWT", "", nil, make(map[string]string)},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
opt.JWTClaimsHeaders = tc.jwtHeaders
|
||||
gotHeaders, err := a.getJWTClaimHeaders(opt, tc.signedJWT)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, tc.expectedHeaders, gotHeaders)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue