Add automatic configuration reloading and

policy handling
2025-08-03 00:40:25 +02:00 · 2019-05-30 08:48:56 -04:00 · 2019-05-30 08:48:56 -04:00 · 8c2beac6f1
commit 8c2beac6f1
parent 77f3933560
12 changed files with 287 additions and 34 deletions
--- a/authorize/authorize.go
+++ b/authorize/authorize.go
@ -5,6 +5,8 @@ import (
 	"errors"
 	"fmt"

+	"github.com/pomerium/pomerium/internal/log"
+
 	"github.com/pomerium/pomerium/internal/config"

 	"github.com/pomerium/pomerium/internal/policy"
@ -63,3 +65,10 @@ func NewIdentityWhitelist(policies []policy.Policy, admins []string) IdentityVal
 func (a *Authorize) ValidIdentity(route string, identity *Identity) bool {
 	return a.identityAccess.Valid(route, identity)
 }
+
+// UpdateOptions updates internal structres based on config.Options
+func (a *Authorize) UpdateOptions(o *config.Options) error {
+	log.Info().Msg("authorize: updating options")
+	a.identityAccess = NewIdentityWhitelist(o.Policies, o.Administrators)
+	return nil
+}
--- a/authorize/authorize_test.go
+++ b/authorize/authorize_test.go
@ -10,11 +10,7 @@ import (
 func TestNew(t *testing.T) {
 	t.Parallel()

-	goodPolicy := policy.Policy{From: "pomerium.io", To: "httpbin.org"}
-	goodPolicy.Validate()
-	policies := []policy.Policy{
-		goodPolicy,
-	}
+	policies := testPolicies()

 	tests := []struct {
 		name      string
@ -46,3 +42,50 @@ func TestNew(t *testing.T) {
 		})
 	}
 }
+
+func testPolicies() []policy.Policy {
+	testPolicy := policy.Policy{From: "pomerium.io", To: "httpbin.org", AllowedEmails: []string{"test@gmail.com"}}
+	testPolicy.Validate()
+	policies := []policy.Policy{
+		testPolicy,
+	}
+
+	return policies
+}
+
+func Test_UpdateOptions(t *testing.T) {
+	t.Parallel()
+	policies := testPolicies()
+	newPolicy := policy.Policy{From: "foo.notatld", To: "bar.notatld", AllowedEmails: []string{"test@gmail.com"}}
+	newPolicy.Validate()
+	newPolicies := []policy.Policy{
+		newPolicy,
+	}
+	identity := &Identity{Email: "test@gmail.com"}
+	tests := []struct {
+		name        string
+		SharedKey   string
+		Policies    []policy.Policy
+		newPolices  []policy.Policy
+		route       string
+		wantAllowed bool
+	}{
+		{"good", "gXK6ggrlIW2HyKyUF9rUO4azrDgxhDPWqw9y+lJU7B8=", policies, policies, "pomerium.io", true},
+		{"changed", "gXK6ggrlIW2HyKyUF9rUO4azrDgxhDPWqw9y+lJU7B8=", policies, newPolicies, "foo.notatld", true},
+		{"changed and missing", "gXK6ggrlIW2HyKyUF9rUO4azrDgxhDPWqw9y+lJU7B8=", policies, newPolicies, "pomerium.io", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			o := &config.Options{SharedKey: tt.SharedKey, Policies: tt.Policies}
+			authorize, _ := New(o)
+			o.Policies = tt.newPolices
+			authorize.UpdateOptions(o)
+
+			allowed := authorize.ValidIdentity(tt.route, identity)
+			if allowed != tt.wantAllowed {
+				t.Errorf("New() allowed = %v, wantAllowed %v", allowed, tt.wantAllowed)
+				return
+			}
+		})
+	}
+}