authorize: add authorization (#59)

* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
2025-06-01 02:12:50 +02:00 · 2019-03-07 12:47:07 -08:00 · 2019-03-07 12:47:07 -08:00 · c13459bb88
commit c13459bb88
parent 1187be2bf3
65 changed files with 1683 additions and 879 deletions
--- a/proxy/clients/mock_clients_test.go
+++ b/proxy/clients/mock_clients_test.go
@ -0,0 +1,61 @@
+package clients
+
+import (
+	"context"
+	"errors"
+	"reflect"
+	"testing"
+	"time"
+
+	"github.com/pomerium/pomerium/internal/sessions"
+)
+
+func TestMockAuthenticate(t *testing.T) {
+	// Absurd, but I caught a typo this way.
+	fixedDate := time.Date(2009, 11, 17, 20, 34, 58, 651387237, time.UTC)
+	redeemResponse := &sessions.SessionState{
+		AccessToken:      "AccessToken",
+		RefreshToken:     "RefreshToken",
+		LifetimeDeadline: fixedDate,
+	}
+	ma := &MockAuthenticate{
+		RedeemError:    errors.New("RedeemError"),
+		RedeemResponse: redeemResponse,
+		RefreshResponse: &sessions.SessionState{
+			AccessToken:      "AccessToken",
+			RefreshToken:     "RefreshToken",
+			LifetimeDeadline: fixedDate,
+		},
+		RefreshError:     errors.New("RefreshError"),
+		ValidateResponse: true,
+		ValidateError:    errors.New("ValidateError"),
+		CloseError:       errors.New("CloseError"),
+	}
+	got, gotErr := ma.Redeem(context.Background(), "a")
+	if gotErr.Error() != "RedeemError" {
+		t.Errorf("unexpected value for gotErr %s", gotErr)
+	}
+	if !reflect.DeepEqual(redeemResponse, got) {
+		t.Errorf("unexpected value for redeemResponse %s", got)
+	}
+	newSession, gotErr := ma.Refresh(context.Background(), nil)
+	if gotErr.Error() != "RefreshError" {
+		t.Errorf("unexpected value for gotErr %s", gotErr)
+	}
+	if !reflect.DeepEqual(newSession, redeemResponse) {
+		t.Errorf("unexpected value for newSession %s", newSession)
+	}
+
+	ok, gotErr := ma.Validate(context.Background(), "a")
+	if !ok {
+		t.Errorf("unexpected value for ok : %t", ok)
+	}
+	if gotErr.Error() != "ValidateError" {
+		t.Errorf("unexpected value for gotErr %s", gotErr)
+	}
+	gotErr = ma.Close()
+	if gotErr.Error() != "CloseError" {
+		t.Errorf("unexpected value for ma.CloseError %s", gotErr)
+	}
+
+}