policy: fix allowed idp claims PPL generation (#2243)

2025-08-03 00:40:25 +02:00 · 2021-05-27 15:12:12 -06:00 · 2021-05-27 15:12:12 -06:00 · 91dd937468
commit 91dd937468
parent ef62d9bb31
2 changed files with 53 additions and 25 deletions
--- a/config/policy_ppl.go
+++ b/config/policy_ppl.go
@ -1,7 +1,9 @@
 package config

 import (
+	"bytes"
 	"encoding/json"
+	"sort"

 	"github.com/pomerium/pomerium/pkg/policy/parser"
 )
@ -55,14 +57,23 @@ func (p *Policy) ToPPL() *parser.Policy {
 			})
 	}
 	for _, aic := range p.AllAllowedIDPClaims() {
-		o := parser.Object{}
-		bs, _ := json.Marshal(aic)
-		_ = json.Unmarshal(bs, &o)
-		allowRule.Or = append(allowRule.Or,
-			parser.Criterion{
-				Name: "claims",
-				Data: o,
-			})
+		var ks []string
+		for k := range aic {
+			ks = append(ks, k)
+		}
+		sort.Strings(ks)
+		for _, k := range ks {
+			for _, v := range aic[k] {
+				bs, _ := json.Marshal(v)
+				data, _ := parser.ParseValue(bytes.NewReader(bs))
+				allowRule.Or = append(allowRule.Or,
+					parser.Criterion{
+						Name:    "claims",
+						SubPath: k,
+						Data:    data,
+					})
+			}
+		}
 	}
 	for _, au := range p.AllAllowedUsers() {
 		allowRule.Or = append(allowRule.Or,
--- a/config/policy_ppl_test.go
+++ b/config/policy_ppl_test.go
@ -18,7 +18,7 @@ func TestPolicy_ToPPL(t *testing.T) {
 		AllowedGroups:                    []string{"group1", "group2"},
 		AllowedUsers:                     []string{"user1", "user2"},
 		AllowedIDPClaims: map[string][]interface{}{
-			"family_name": {"Smith"},
+			"family_name": {"Smith", "Jones"},
 		},
 		SubPolicies: []SubPolicy{
 			{
@ -212,8 +212,8 @@ groups_4 {
 }

 claims_0 {
-	rule_data := {"family_name": null}
-	rule_path := ""
+	rule_data := "Smith"
+	rule_path := "family_name"
 	session := get_session(input.session.id)
 	session_claims := object.get(session, "claims", {})
 	user := get_user(session)
@ -224,8 +224,8 @@ claims_0 {
 }

 claims_1 {
-	rule_data := {"given_name": null}
-	rule_path := ""
+	rule_data := "Jones"
+	rule_path := "family_name"
 	session := get_session(input.session.id)
 	session_claims := object.get(session, "claims", {})
 	user := get_user(session)
@ -236,8 +236,20 @@ claims_1 {
 }

 claims_2 {
-	rule_data := {"timezone": null}
-	rule_path := ""
+	rule_data := "John"
+	rule_path := "given_name"
+	session := get_session(input.session.id)
+	session_claims := object.get(session, "claims", {})
+	user := get_user(session)
+	user_claims := object.get(user, "claims", {})
+	all_claims := object.union(session_claims, user_claims)
+	values := object_get(all_claims, rule_path, [])
+	rule_data == values[_0]
+}
+
+claims_3 {
+	rule_data := "EST"
+	rule_path := "timezone"
 	session := get_session(input.session.id)
 	session_claims := object.get(session, "claims", {})
 	user := get_user(session)
@ -403,55 +415,60 @@ else = v17 {
 }

 else = v18 {
-	v18 := users_0
+	v18 := claims_3
 	v18
 }

 else = v19 {
-	v19 := emails_0
+	v19 := users_0
 	v19
 }

 else = v20 {
-	v20 := users_1
+	v20 := emails_0
 	v20
 }

 else = v21 {
-	v21 := emails_1
+	v21 := users_1
 	v21
 }

 else = v22 {
-	v22 := users_2
+	v22 := emails_1
 	v22
 }

 else = v23 {
-	v23 := emails_2
+	v23 := users_2
 	v23
 }

 else = v24 {
-	v24 := users_3
+	v24 := emails_2
 	v24
 }

 else = v25 {
-	v25 := emails_3
+	v25 := users_3
 	v25
 }

 else = v26 {
-	v26 := users_4
+	v26 := emails_3
 	v26
 }

 else = v27 {
-	v27 := emails_4
+	v27 := users_4
 	v27
 }

+else = v28 {
+	v28 := emails_4
+	v28
+}
+
 allow = v1 {
 	v1 := or_0
 	v1