3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-02 20:06:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

core/kubernetes: fix impersonate group header (#5090)

Browse source 
* core/kubernetes: fix impersonate group header

* formatting
This commit is contained in:
Caleb Doxsey 2024-04-26 15:26:41 -06:00 committed by GitHub
parent 99a5dbd65b
commit 8b3a79152b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 34 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
authorize/evaluator/headers_evaluator_test.go
View file

@ -15,6 +15,7 @@ import (
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto" "google.golang.org/protobuf/proto"
"google.golang.org/protobuf/reflect/protoreflect"
"google.golang.org/protobuf/types/known/structpb" "google.golang.org/protobuf/types/known/structpb"
"google.golang.org/protobuf/types/known/timestamppb" "google.golang.org/protobuf/types/known/timestamppb"
@ -22,6 +23,7 @@ import (
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/pkg/cryptutil" "github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc/session" "github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user"
"github.com/pomerium/pomerium/pkg/storage" "github.com/pomerium/pomerium/pkg/storage"
) )
@ -58,6 +60,8 @@ func TestNewHeadersRequestFromPolicy_nil(t *testing.T) {
} }
func TestHeadersEvaluator(t *testing.T) { func TestHeadersEvaluator(t *testing.T) {
t.Parallel()
type A = []interface{} type A = []interface{}
type M = map[string]interface{} type M = map[string]interface{}
@ -231,6 +235,26 @@ func TestHeadersEvaluator(t *testing.T) {
assert.Equal(t, "", output.Headers.Get("fingerprint")) assert.Equal(t, "", output.Headers.Get("fingerprint"))
}) })
t.Run("kubernetes", func(t *testing.T) {
t.Parallel()
output, err := eval(t,
[]protoreflect.ProtoMessage{
&session.Session{Id: "s1", UserId: "u1"},
&user.User{Id: "u1", Email: "u1@example.com"},
},
&HeadersRequest{
Issuer: "from.example.com",
ToAudience: "to.example.com",
KubernetesServiceAccountToken: "TOKEN",
Session: RequestSession{ID: "s1"},
})
require.NoError(t, err)
assert.Equal(t, "Bearer TOKEN", output.Headers.Get("Authorization"))
assert.Equal(t, "u1@example.com", output.Headers.Get("Impersonate-User"))
assert.Empty(t, output.Headers["Impersonate-Group"])
})
} }
func decodeJWSPayload(t *testing.T, jws string) []byte { func decodeJWSPayload(t *testing.T, jws string) []byte {

12
authorize/evaluator/opa/policy/headers.rego
View file

@ -174,11 +174,12 @@ signed_jwt := io.jwt.encode_sign(jwt_headers, jwt_payload, data.signing_key)
kubernetes_headers := h if { kubernetes_headers := h if {
input.kubernetes_service_account_token != "" input.kubernetes_service_account_token != ""
h := [
h := remove_empty_header_values([
["Authorization", concat(" ", ["Bearer", input.kubernetes_service_account_token])], ["Authorization", concat(" ", ["Bearer", input.kubernetes_service_account_token])],
["Impersonate-User", jwt_payload_email], ["Impersonate-User", jwt_payload_email],
["Impersonate-Group", get_header_string_value(jwt_payload_groups)], ["Impersonate-Group", get_header_string_value(jwt_payload_groups)],
] ])
} else := [] } else := []
google_cloud_serverless_authentication_service_account := s if { google_cloud_serverless_authentication_service_account := s if {
@ -267,3 +268,10 @@ get_header_string_value(obj) := s if {
} else := s if { } else := s if {
s := concat(",", [obj]) s := concat(",", [obj])
} }
remove_empty_header_values(arr) := [[k, v] |
some idx
k := arr[idx][0]
v := arr[idx][1]
v != ""
]