authorize: add authorization (#59)

* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
2025-06-05 12:23:03 +02:00 · 2019-03-07 12:47:07 -08:00 · 2019-03-07 12:47:07 -08:00 · c13459bb88
commit c13459bb88
parent 1187be2bf3
65 changed files with 1683 additions and 879 deletions
--- a/proto/authenticate/mock_authenticate/authenticate_mock_test.go
+++ b/proto/authenticate/mock_authenticate/authenticate_mock_test.go
@ -1,142 +0,0 @@
-package mock_authenticate_test
-
-import (
-	"context"
-	"fmt"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/golang/protobuf/proto"
-	"github.com/golang/protobuf/ptypes"
-	pb "github.com/pomerium/pomerium/proto/authenticate"
-
-	mock "github.com/pomerium/pomerium/proto/authenticate/mock_authenticate"
-)
-
-var fixedDate = time.Date(2009, 11, 17, 20, 34, 58, 651387237, time.UTC)
-
-// rpcMsg implements the gomock.Matcher interface
-type rpcMsg struct {
-	msg proto.Message
-}
-
-func (r *rpcMsg) Matches(msg interface{}) bool {
-	m, ok := msg.(proto.Message)
-	if !ok {
-		return false
-	}
-	return proto.Equal(m, r.msg)
-}
-
-func (r *rpcMsg) String() string {
-	return fmt.Sprintf("is %s", r.msg)
-}
-func TestValidate(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-	mockAuthenticateClient := mock.NewMockAuthenticatorClient(ctrl)
-	req := &pb.ValidateRequest{IdToken: "unit_test"}
-	mockAuthenticateClient.EXPECT().Validate(
-		gomock.Any(),
-		&rpcMsg{msg: req},
-	).Return(&pb.ValidateReply{IsValid: false}, nil)
-	testValidate(t, mockAuthenticateClient)
-}
-
-func testValidate(t *testing.T, client pb.AuthenticatorClient) {
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	r, err := client.Validate(ctx, &pb.ValidateRequest{IdToken: "unit_test"})
-	if err != nil || r.IsValid != false {
-		t.Errorf("mocking failed")
-	}
-	t.Log("Reply : ", r.IsValid)
-}
-
-func TestAuthenticate(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-	mockAuthenticateClient := mock.NewMockAuthenticatorClient(ctrl)
-	mockExpire, err := ptypes.TimestampProto(fixedDate)
-	if err != nil {
-		t.Fatalf("%v failed converting timestamp", err)
-	}
-	req := &pb.AuthenticateRequest{Code: "unit_test"}
-	mockAuthenticateClient.EXPECT().Authenticate(
-		gomock.Any(),
-		&rpcMsg{msg: req},
-	).Return(&pb.Session{
-		AccessToken:      "mocked access token",
-		RefreshToken:     "mocked refresh token",
-		IdToken:          "mocked id token",
-		User:             "user1",
-		Email:            "test@email.com",
-		LifetimeDeadline: mockExpire,
-	}, nil)
-	testAuthenticate(t, mockAuthenticateClient)
-}
-
-func testAuthenticate(t *testing.T, client pb.AuthenticatorClient) {
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	r, err := client.Authenticate(ctx, &pb.AuthenticateRequest{Code: "unit_test"})
-	if err != nil {
-		t.Errorf("mocking failed %v", err)
-	}
-	if r.AccessToken != "mocked access token" {
-		t.Errorf("authenticate: invalid access token")
-	}
-	if r.RefreshToken != "mocked refresh token" {
-		t.Errorf("authenticate: invalid refresh token")
-	}
-	if r.IdToken != "mocked id token" {
-		t.Errorf("authenticate: invalid id token")
-	}
-	if r.User != "user1" {
-		t.Errorf("authenticate: invalid user")
-	}
-	if r.Email != "test@email.com" {
-		t.Errorf("authenticate: invalid email")
-	}
-}
-
-func TestRefresh(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-	mockRefreshClient := mock.NewMockAuthenticatorClient(ctrl)
-	mockExpire, err := ptypes.TimestampProto(fixedDate)
-	if err != nil {
-		t.Fatalf("%v failed converting timestamp", err)
-	}
-	req := &pb.Session{RefreshToken: "unit_test"}
-	mockRefreshClient.EXPECT().Refresh(
-		gomock.Any(),
-		&rpcMsg{msg: req},
-	).Return(&pb.Session{
-		AccessToken:      "mocked access token",
-		LifetimeDeadline: mockExpire,
-	}, nil)
-	testRefresh(t, mockRefreshClient)
-}
-
-func testRefresh(t *testing.T, client pb.AuthenticatorClient) {
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	r, err := client.Refresh(ctx, &pb.Session{RefreshToken: "unit_test"})
-	if err != nil {
-		t.Errorf("mocking failed %v", err)
-	}
-	if r.AccessToken != "mocked access token" {
-		t.Errorf("Refresh: invalid access token")
-	}
-	respExpire, err := ptypes.Timestamp(r.LifetimeDeadline)
-	if err != nil {
-		t.Fatalf("%v failed converting timestamp", err)
-	}
-
-	if respExpire != fixedDate {
-		t.Errorf("Refresh: bad expiry got:%v want:%v", respExpire, fixedDate)
-	}
-
-}