authorize: add support for passing access or id token upstream (#3047)
* authorize: add support for passing the access token or ID token upstream
* use an enum
This commit is contained in:
parent
7140562a82
commit
99b9a3ee12
9 changed files with 726 additions and 538 deletions
@ -12,6 +12,7 @@ import (
|
|||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/telemetry/trace"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
configpb "github.com/pomerium/pomerium/pkg/grpc/config"
|
||||
)
|
||||
|
||||
// HeadersRequest is the input to the headers.rego script.
|
||||
|
@ -22,6 +23,8 @@ type HeadersRequest struct {
|
|||
KubernetesServiceAccountToken string `json:"kubernetes_service_account_token"`
|
||||
ToAudience string `json:"to_audience"`
|
||||
Session RequestSession `json:"session"`
|
||||
PassAccessToken bool `json:"pass_access_token"`
|
||||
PassIDToken bool `json:"pass_id_token"`
|
||||
}
|
||||
|
||||
// NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
|
||||
|
@ -37,6 +40,8 @@ func NewHeadersRequestFromPolicy(policy *config.Policy) *HeadersRequest {
|
|||
for _, wu := range policy.To {
|
||||
input.ToAudience = "https://" + wu.URL.Hostname()
|
||||
}
|
||||
input.PassAccessToken = policy.GetSetAuthorizationHeader() == configpb.Route_ACCESS_TOKEN
|
||||
input.PassIDToken = policy.GetSetAuthorizationHeader() == configpb.Route_ID_TOKEN
|
||||
return input
|
||||
}
|
||||
|
||||
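Review bot: The two new `HeadersRequest` fields carry no doc comment, yet they are what makes the policy emit a bearer `Authorization` header toward the upstream, so a reader of the struct alone cannot tell that setting one of them forwards a session credential or that the two are meant to be mutually exclusive. I would add `// PassAccessToken forwards the session's OAuth access token upstream as a Bearer Authorization header.` and `// PassIDToken forwards the session's raw ID token upstream as a Bearer Authorization header. At most one of PassAccessToken/PassIDToken is set; both derive from the route's set_authorization_header enum.` above the fields. In `NewHeadersRequestFromPolicy`, `policy.GetSetAuthorizationHeader()` is evaluated twice; hoisting it into `mode := policy.GetSetAuthorizationHeader()` and comparing `mode == configpb.Route_ACCESS_TOKEN` / `mode == configpb.Route_ID_TOKEN` makes the exclusivity visible at a glance. The enclosing function starts before the hunk.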
@ -106,4 +106,40 @@ func TestHeadersEvaluator(t *testing.T) {
|
|||
assert.Equal(t, "u2", claims["sub"], "should set subject to user id")
|
||||
assert.Equal(t, "u2", claims["user"], "should set user to user id")
|
||||
})
|
||||
|
||||
t.Run("access token", func(t *testing.T) {
|
||||
output, err := eval(t,
|
||||
[]proto.Message{
|
||||
&session.Session{Id: "s1", OauthToken: &session.OAuthToken{
|
||||
AccessToken: "ACCESS_TOKEN",
|
||||
}},
|
||||
},
|
||||
&HeadersRequest{
|
||||
FromAudience: "from.example.com",
|
||||
ToAudience: "to.example.com",
|
||||
Session: RequestSession{ID: "s1"},
|
||||
PassAccessToken: true,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.Equal(t, "Bearer ACCESS_TOKEN", output.Headers.Get("Authorization"))
|
||||
})
|
||||
|
||||
t.Run("id token", func(t *testing.T) {
|
||||
output, err := eval(t,
|
||||
[]proto.Message{
|
||||
&session.Session{Id: "s1", IdToken: &session.IDToken{
|
||||
Raw: "ID_TOKEN",
|
||||
}},
|
||||
},
|
||||
&HeadersRequest{
|
||||
FromAudience: "from.example.com",
|
||||
ToAudience: "to.example.com",
|
||||
Session: RequestSession{ID: "s1"},
|
||||
PassIDToken: true,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.Equal(t, "Bearer ID_TOKEN", output.Headers.Get("Authorization"))
|
||||
})
|
||||
}
|
||||
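Review bot: The two new subtests only exercise the happy path; there is no case where `PassAccessToken` or `PassIDToken` is set but the session carries no `OauthToken`/`IdToken`, and none where a token is present but neither flag is set, so the property that matters most here (no bearer credential leaves the proxy unless the route asked for it) is never asserted. If I read the rego correctly the header rule falls back to an empty list when the token is missing, so a subtest such as `Session: RequestSession{ID: "s1"}, PassAccessToken: true` with a token-less session should assert `assert.Empty(t, output.Headers.Get("Authorization"))`, and a mirror case with a token but both flags false should assert the same. `TestHeadersEvaluator` starts outside the hunk.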
@ -8,6 +8,8 @@ package pomerium.headers
|
|||
# session:
|
||||
# id: string
|
||||
# to_audience: string
|
||||
# pass_access_token: boolean
|
||||
# pass_id_token: boolean
|
||||
#
|
||||
# data:
|
||||
# issuer: string
|
||||
|
@ -153,7 +155,7 @@ base_jwt_claims := [
|
|||
["user", jwt_payload_user],
|
||||
["email", jwt_payload_email],
|
||||
["groups", jwt_payload_groups],
|
||||
["sid", jwt_payload_sid]
|
||||
["sid", jwt_payload_sid],
|
||||
]
|
||||
|
||||
additional_jwt_claims := [[k, v] |
|
||||
|
@ -208,12 +210,24 @@ google_cloud_serverless_headers = h {
|
|||
}
|
||||
|
||||
routing_key_headers = h {
|
||||
input.enable_routing_key
|
||||
h := [
|
||||
["x-pomerium-routing-key", crypto.sha256(input.session.id)]
|
||||
]
|
||||
input.enable_routing_key
|
||||
h := [["x-pomerium-routing-key", crypto.sha256(input.session.id)]]
|
||||
} else = [] {
|
||||
true
|
||||
true
|
||||
}
|
||||
|
||||
pass_access_token_headers = h {
|
||||
input.pass_access_token
|
||||
h := [["Authorization", concat(" ", ["Bearer", session.oauth_token.access_token])]]
|
||||
} else = [] {
|
||||
true
|
||||
}
|
||||
|
||||
pass_id_token_headers = h {
|
||||
input.pass_id_token
|
||||
h := [["Authorization", concat(" ", ["Bearer", session.id_token.raw])]]
|
||||
} else = [] {
|
||||
true
|
||||
}
|
||||
|
||||
identity_headers := {key: values |
|
||||
|
@ -226,16 +240,19 @@ identity_headers := {key: values |
|
|||
[ck, cv] := jwt_claims[_]
|
||||
ck == k
|
||||
],
|
||||
[""]
|
||||
[""],
|
||||
)[0]
|
||||
|
||||
header_value := get_header_string_value(raw_header_value)
|
||||
]
|
||||
|
||||
h3 := kubernetes_headers
|
||||
h4 := [[k, v] | v := google_cloud_serverless_headers[k]]
|
||||
h5 := routing_key_headers
|
||||
h6 := pass_access_token_headers
|
||||
h7 := pass_id_token_headers
|
||||
|
||||
h := array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5)
|
||||
h := array.concat(array.concat(array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5), h6), h7)
|
||||
|
||||
some i
|
||||
[key, v1] := h[i]
|
||||
|