authorize: move impersonation into session/service account (#1765)

* move impersonation into session/service account * replace frontend statik * fix data race * move JWT filling to separate function, break up functions * maybe fix data race * fix code climate issue
2025-05-31 01:47:33 +02:00 · 2021-01-11 15:40:08 -07:00 · 2021-01-11 15:40:08 -07:00 · a6bc9f492f
commit a6bc9f492f
parent 1466f4e5a0
16 changed files with 328 additions and 162 deletions
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@ -12,6 +12,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
 	"gopkg.in/square/go-jose.v2/jwt"

 	"github.com/pomerium/pomerium/config"
@ -58,9 +59,7 @@ func TestJSONMarshal(t *testing.T) {
 			ClientCertificate: "CLIENT_CERTIFICATE",
 		},
 		Session: RequestSession{
-			ID:                "SESSION_ID",
-			ImpersonateEmail:  "y@example.com",
-			ImpersonateGroups: []string{"group1"},
+			ID: "SESSION_ID",
 		},
 	}, true))
 	assert.JSONEq(t, `{
@ -79,9 +78,7 @@ func TestJSONMarshal(t *testing.T) {
 			"url": "https://example.com"
 		},
 		"session": {
-			"id": "SESSION_ID",
-			"impersonate_email": "y@example.com",
-			"impersonate_groups": ["group1"]
+			"id": "SESSION_ID"
 		},
 		"is_valid_client_certificate": true
 	}`, string(bs))
@ -158,6 +155,7 @@ func TestEvaluator_JWTPayload(t *testing.T) {
 								ExpiresAt: nowPb,
 								IssuedAt:  nowPb,
 							},
+							ExpiresAt: nowPb,
 						},
 					},
 				},
@ -174,6 +172,31 @@ func TestEvaluator_JWTPayload(t *testing.T) {
 				"iat": now.Unix(),
 			},
 		},
+		{
+			"with service account",
+			&Request{
+				DataBrokerData: DataBrokerData{
+					"type.googleapis.com/user.ServiceAccount": map[string]interface{}{
+						"SERVICE_ACCOUNT_ID": &user.ServiceAccount{
+							Id:        "SERVICE_ACCOUNT_ID",
+							IssuedAt:  nowPb,
+							ExpiresAt: nowPb,
+						},
+					},
+				},
+				HTTP: RequestHTTP{URL: "https://example.com"},
+				Session: RequestSession{
+					ID: "SERVICE_ACCOUNT_ID",
+				},
+			},
+			map[string]interface{}{
+				"iss": "authn.example.com",
+				"jti": "SERVICE_ACCOUNT_ID",
+				"aud": "example.com",
+				"exp": now.Unix(),
+				"iat": now.Unix(),
+			},
+		},
 		{
 			"with user",
 			&Request{
@ -252,12 +275,22 @@ func TestEvaluator_JWTPayload(t *testing.T) {
 			&Request{
 				HTTP: RequestHTTP{URL: "https://example.com"},
 				Session: RequestSession{
-					ImpersonateEmail:  "user@example.com",
-					ImpersonateGroups: []string{"admin", "test"},
+					ID: "SESSION_ID",
+				},
+				DataBrokerData: DataBrokerData{
+					"type.googleapis.com/session.Session": map[string]interface{}{
+						"SESSION_ID": &session.Session{
+							Id:                "SESSION_ID",
+							UserId:            "USER_ID",
+							ImpersonateEmail:  proto.String("user@example.com"),
+							ImpersonateGroups: []string{"admin", "test"},
+						},
+					},
 				},
 			},
 			map[string]interface{}{
 				"iss":    "authn.example.com",
+				"jti":    "SESSION_ID",
 				"aud":    "example.com",
 				"email":  "user@example.com",
 				"groups": []string{"admin", "test"},