authorize: add authorization (#59)

* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
2025-05-29 17:07:24 +02:00 · 2019-03-07 12:47:07 -08:00 · 2019-03-07 12:47:07 -08:00 · c13459bb88
commit c13459bb88
parent 1187be2bf3
65 changed files with 1683 additions and 879 deletions
--- a/proxy/clients/authorize_client_test.go
+++ b/proxy/clients/authorize_client_test.go
@ -0,0 +1,47 @@
+package clients
+
+import (
+	"context"
+	"testing"
+
+	"github.com/pomerium/pomerium/internal/sessions"
+	pb "github.com/pomerium/pomerium/proto/authorize"
+	"google.golang.org/grpc"
+)
+
+func TestAuthorizeGRPC_Authorize(t *testing.T) {
+	type fields struct {
+		Conn   *grpc.ClientConn
+		client pb.AuthorizerClient
+	}
+	type args struct {
+		ctx   context.Context
+		route string
+		s     *sessions.SessionState
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    bool
+		wantErr bool
+	}{
+		// TODO: Add test cases.
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := &AuthorizeGRPC{
+				Conn:   tt.fields.Conn,
+				client: tt.fields.client,
+			}
+			got, err := a.Authorize(tt.args.ctx, tt.args.route, tt.args.s)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("AuthorizeGRPC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("AuthorizeGRPC.Authorize() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}