authorize: add support for passing access or id token upstream (#3047)

* authorize: add support for passing access or id token upstream

* use an enum
This commit is contained in:
Caleb Doxsey 2022-02-17 09:28:31 -07:00 committed by GitHub
parent 7140562a82
commit 99b9a3ee12
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 726 additions and 538 deletions

View file

@ -12,6 +12,7 @@ import (
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/telemetry/trace"
"github.com/pomerium/pomerium/internal/urlutil"
configpb "github.com/pomerium/pomerium/pkg/grpc/config"
)
// HeadersRequest is the input to the headers.rego script.
@ -22,6 +23,8 @@ type HeadersRequest struct {
KubernetesServiceAccountToken string `json:"kubernetes_service_account_token"`
ToAudience string `json:"to_audience"`
Session RequestSession `json:"session"`
PassAccessToken bool `json:"pass_access_token"`
PassIDToken bool `json:"pass_id_token"`
}
// NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
@ -37,6 +40,8 @@ func NewHeadersRequestFromPolicy(policy *config.Policy) *HeadersRequest {
for _, wu := range policy.To {
input.ToAudience = "https://" + wu.URL.Hostname()
}
input.PassAccessToken = policy.GetSetAuthorizationHeader() == configpb.Route_ACCESS_TOKEN
input.PassIDToken = policy.GetSetAuthorizationHeader() == configpb.Route_ID_TOKEN
return input
}

View file

@ -106,4 +106,40 @@ func TestHeadersEvaluator(t *testing.T) {
assert.Equal(t, "u2", claims["sub"], "should set subject to user id")
assert.Equal(t, "u2", claims["user"], "should set user to user id")
})
t.Run("access token", func(t *testing.T) {
output, err := eval(t,
[]proto.Message{
&session.Session{Id: "s1", OauthToken: &session.OAuthToken{
AccessToken: "ACCESS_TOKEN",
}},
},
&HeadersRequest{
FromAudience: "from.example.com",
ToAudience: "to.example.com",
Session: RequestSession{ID: "s1"},
PassAccessToken: true,
})
require.NoError(t, err)
assert.Equal(t, "Bearer ACCESS_TOKEN", output.Headers.Get("Authorization"))
})
t.Run("id token", func(t *testing.T) {
output, err := eval(t,
[]proto.Message{
&session.Session{Id: "s1", IdToken: &session.IDToken{
Raw: "ID_TOKEN",
}},
},
&HeadersRequest{
FromAudience: "from.example.com",
ToAudience: "to.example.com",
Session: RequestSession{ID: "s1"},
PassIDToken: true,
})
require.NoError(t, err)
assert.Equal(t, "Bearer ID_TOKEN", output.Headers.Get("Authorization"))
})
}

View file

@ -8,6 +8,8 @@ package pomerium.headers
# session:
# id: string
# to_audience: string
# pass_access_token: boolean
# pass_id_token: boolean
#
# data:
# issuer: string
@ -153,7 +155,7 @@ base_jwt_claims := [
["user", jwt_payload_user],
["email", jwt_payload_email],
["groups", jwt_payload_groups],
["sid", jwt_payload_sid]
["sid", jwt_payload_sid],
]
additional_jwt_claims := [[k, v] |
@ -208,12 +210,24 @@ google_cloud_serverless_headers = h {
}
routing_key_headers = h {
input.enable_routing_key
h := [
["x-pomerium-routing-key", crypto.sha256(input.session.id)]
]
input.enable_routing_key
h := [["x-pomerium-routing-key", crypto.sha256(input.session.id)]]
} else = [] {
true
true
}
pass_access_token_headers = h {
input.pass_access_token
h := [["Authorization", concat(" ", ["Bearer", session.oauth_token.access_token])]]
} else = [] {
true
}
pass_id_token_headers = h {
input.pass_id_token
h := [["Authorization", concat(" ", ["Bearer", session.id_token.raw])]]
} else = [] {
true
}
identity_headers := {key: values |
@ -226,16 +240,19 @@ identity_headers := {key: values |
[ck, cv] := jwt_claims[_]
ck == k
],
[""]
[""],
)[0]
header_value := get_header_string_value(raw_header_value)
]
h3 := kubernetes_headers
h4 := [[k, v] | v := google_cloud_serverless_headers[k]]
h5 := routing_key_headers
h6 := pass_access_token_headers
h7 := pass_id_token_headers
h := array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5)
h := array.concat(array.concat(array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5), h6), h7)
some i
[key, v1] := h[i]