authorize: support authenticating with idp tokens (#5484)

* identity: add support for verifying access and identity tokens * allow overriding with policy option * authenticate: add verify endpoints * wip * implement session creation * add verify test * implement idp token login * fix tests * add pr permission * make session ids route-specific * rename method * add test * add access token test * test for newUserFromIDPClaims * more tests * make the session id per-idp * use type for * add test * remove nil checks
2025-05-22 21:47:16 +02:00 · 2025-02-18 13:02:06 -07:00 · 2025-02-18 13:02:06 -07:00 · b9fd926618
commit b9fd926618
parent 6e22b7a19a
36 changed files with 2791 additions and 885 deletions
--- a/authorize/grpc_test.go
+++ b/authorize/grpc_test.go
@ -18,7 +18,6 @@ import (
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
-	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/testutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/storage"
@ -49,15 +48,16 @@ yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
 -----END CERTIFICATE-----`

 func Test_getEvaluatorRequest(t *testing.T) {
-	a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))}
-	a.currentOptions.Store(&config.Options{
-		Policies: []config.Policy{{
-			From: "https://example.com",
-			SubPolicies: []config.SubPolicy{{
-				Rego: []string{"allow = true"},
+	a := &Authorize{currentConfig: atomicutil.NewValue(&config.Config{
+		Options: &config.Options{
+			Policies: []config.Policy{{
+				From: "https://example.com",
+				SubPolicies: []config.SubPolicy{{
+					Rego: []string{"allow = true"},
+				}},
 			}},
-		}},
-	})
+		},
+	}), state: atomicutil.NewValue(new(authorizeState))}

 	actual, err := a.getEvaluatorRequestFromCheckRequest(context.Background(),
 		&envoy_service_auth_v3.CheckRequest{
@ -88,16 +88,10 @@ func Test_getEvaluatorRequest(t *testing.T) {
 				},
 			},
 		},
-		&sessions.State{
-			ID: "SESSION_ID",
-		},
 	)
 	require.NoError(t, err)
 	expect := &evaluator.Request{
-		Policy: &a.currentOptions.Load().Policies[0],
-		Session: evaluator.RequestSession{
-			ID: "SESSION_ID",
-		},
+		Policy: &a.currentConfig.Load().Options.Policies[0],
 		HTTP: evaluator.NewRequestHTTP(
 			http.MethodGet,
 			mustParseURL("http://example.com/some/path?qs=1"),
@ -117,15 +111,16 @@ func Test_getEvaluatorRequest(t *testing.T) {
 }

 func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
-	a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))}
-	a.currentOptions.Store(&config.Options{
-		Policies: []config.Policy{{
-			From: "https://example.com",
-			SubPolicies: []config.SubPolicy{{
-				Rego: []string{"allow = true"},
+	a := &Authorize{currentConfig: atomicutil.NewValue(&config.Config{
+		Options: &config.Options{
+			Policies: []config.Policy{{
+				From: "https://example.com",
+				SubPolicies: []config.SubPolicy{{
+					Rego: []string{"allow = true"},
+				}},
 			}},
-		}},
-	})
+		},
+	}), state: atomicutil.NewValue(new(authorizeState))}

 	actual, err := a.getEvaluatorRequestFromCheckRequest(context.Background(),
 		&envoy_service_auth_v3.CheckRequest{
@ -145,10 +140,10 @@ func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
 					},
 				},
 			},
-		}, nil)
+		})
 	require.NoError(t, err)
 	expect := &evaluator.Request{
-		Policy:  &a.currentOptions.Load().Policies[0],
+		Policy:  &a.currentConfig.Load().Options.Policies[0],
 		Session: evaluator.RequestSession{},
 		HTTP: evaluator.NewRequestHTTP(
 			http.MethodGet,