policy: add ssh PPL criteria (#5658)

Add five new PPL criteria for use with SSH, matching username and public key. Username can be matched against a String Matcher, user's email address, or a custom claim from the IdP claims. Public key can be matched against a list of keys or a trusted CA.
2025-08-04 01:09:36 +02:00 · 2025-06-25 09:42:29 -07:00 · 2025-06-25 09:42:29 -07:00 · 93ff662e1f
commit 93ff662e1f
parent 9363457849
8 changed files with 679 additions and 1 deletions
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@ -37,8 +37,9 @@ type Request struct {
 	IsInternal         bool
 	Policy             *config.Policy
 	HTTP               RequestHTTP
-	Session            RequestSession
+	SSH                RequestSSH
 	MCP                RequestMCP
+	Session            RequestSession
 	EnvoyRouteChecksum uint64
 	EnvoyRouteID       string
 }
@ -129,6 +130,11 @@ func getClientCertificateInfo(
 	return c
 }

+type RequestSSH struct {
+	Username  string `json:"username"`
+	PublicKey []byte `json:"publickey"`
+}
+
 // RequestSession is the session field in the request.
 type RequestSession struct {
 	ID string `json:"id"`
@ -374,6 +380,7 @@ func (e *Evaluator) evaluatePolicy(ctx context.Context, req *Request) (*PolicyRe

 	return policyEvaluator.Evaluate(ctx, &PolicyRequest{
 		HTTP:                     req.HTTP,
+		SSH:                      req.SSH,
 		MCP:                      req.MCP,
 		Session:                  req.Session,
 		IsValidClientCertificate: isValidClientCertificate,
--- a/authorize/evaluator/policy_evaluator.go
+++ b/authorize/evaluator/policy_evaluator.go
@ -21,6 +21,7 @@ import (
 // PolicyRequest is the input to policy evaluation.
 type PolicyRequest struct {
 	HTTP                     RequestHTTP    `json:"http"`
+	SSH                      RequestSSH     `json:"ssh"`
 	MCP                      RequestMCP     `json:"mcp"`
 	Session                  RequestSession `json:"session"`
 	IsValidClientCertificate bool           `json:"is_valid_client_certificate"`
@ -161,6 +162,7 @@ func NewPolicyEvaluator(
 			rego.Query("result = data.pomerium.policy"),
 			rego.EnablePrintStatements(true),
 			getGoogleCloudServerlessHeadersRegoOption,
+			criteria.SSHVerifyUserCert,
 			store.GetDataBrokerRecordOption(),
 		)

@ -173,6 +175,7 @@ func NewPolicyEvaluator(
 				rego.Query("result = data.pomerium.policy"),
 				rego.EnablePrintStatements(true),
 				getGoogleCloudServerlessHeadersRegoOption,
+				criteria.SSHVerifyUserCert,
 				store.GetDataBrokerRecordOption(),
 			)
 			q, err = r.PrepareForEval(ctx)