authorize: add authorization (#59)

* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
2025-08-02 16:30:17 +02:00 · 2019-03-07 12:47:07 -08:00 · 2019-03-07 12:47:07 -08:00 · c13459bb88
commit c13459bb88
parent 1187be2bf3
65 changed files with 1683 additions and 879 deletions
--- a/authorize/identity_test.go
+++ b/authorize/identity_test.go
@ -0,0 +1,62 @@
+package authorize
+
+import (
+	"testing"
+
+	"github.com/pomerium/pomerium/internal/policy"
+)
+
+func TestIdentity_EmailDomain(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name  string
+		Email string
+		want  string
+	}{
+		{"simple", "user@pomerium.io", "pomerium.io"},
+		{"period malformed", "user@.io", ".io"},
+		{"empty", "", ""},
+		{"empty first part", "@uhoh.com", ""},
+		{"empty second part", "uhoh@", ""},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			i := &Identity{Email: tt.Email}
+			if got := i.EmailDomain(); got != tt.want {
+				t.Errorf("Identity.EmailDomain() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_IdentityWhitelistMap(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name     string
+		policies []policy.Policy
+		route    string
+		Identity *Identity
+		want     bool
+	}{
+		{"valid domain", []policy.Policy{{From: "example.com", AllowedDomains: []string{"example.com"}}}, "example.com", &Identity{Email: "user@example.com"}, true},
+		{"invalid domain prepend", []policy.Policy{{From: "example.com", AllowedDomains: []string{"example.com"}}}, "example.com", &Identity{Email: "a@1example.com"}, false},
+		{"invalid domain postpend", []policy.Policy{{From: "example.com", AllowedDomains: []string{"example.com"}}}, "example.com", &Identity{Email: "user@example.com2"}, false},
+		{"valid group", []policy.Policy{{From: "example.com", AllowedGroups: []string{"admin"}}}, "example.com", &Identity{Email: "user@example.com", Groups: []string{"admin"}}, true},
+		{"invalid group", []policy.Policy{{From: "example.com", AllowedGroups: []string{"admin"}}}, "example.com", &Identity{Email: "user@example.com", Groups: []string{"everyone"}}, false},
+		{"invalid empty", []policy.Policy{{From: "example.com", AllowedGroups: []string{"admin"}}}, "example.com", &Identity{Email: "user@example.com", Groups: []string{""}}, false},
+		{"valid group multiple", []policy.Policy{{From: "example.com", AllowedGroups: []string{"admin"}}}, "example.com", &Identity{Email: "user@example.com", Groups: []string{"everyone", "admin"}}, true},
+		{"invalid group multiple", []policy.Policy{{From: "example.com", AllowedGroups: []string{"admin"}}}, "example.com", &Identity{Email: "user@example.com", Groups: []string{"everyones", "sadmin"}}, false},
+		{"valid user email", []policy.Policy{{From: "example.com", AllowedEmails: []string{"user@example.com"}}}, "example.com", &Identity{Email: "user@example.com"}, true},
+		{"invalid user email", []policy.Policy{{From: "example.com", AllowedEmails: []string{"user@example.com"}}}, "example.com", &Identity{Email: "user2@example.com"}, false},
+		{"empty everything", []policy.Policy{{From: "example.com"}}, "example.com", &Identity{Email: "user2@example.com"}, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			wl := NewIdentityWhitelist(tt.policies)
+			if got := wl.Valid(tt.route, tt.Identity); got != tt.want {
+				t.Errorf("IdentityACLMap.Allowed() = %v, want %v", got, tt.want)
+			}
+
+		})
+	}
+}