move directory providers (#3633)

* remove directory providers and support for groups * idp: remove directory providers * better error messages * fix errors * restore postgres * fix test
2025-06-11 07:12:59 +02:00 · 2022-11-03 11:33:56 -06:00 · 2022-11-03 11:33:56 -06:00 · c178819875
commit c178819875
parent bb5c80bae9
78 changed files with 723 additions and 8703 deletions
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@ -14,7 +14,6 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
-	"github.com/pomerium/pomerium/pkg/grpc/directory"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 	"github.com/pomerium/pomerium/pkg/policy/criteria"
@ -77,10 +76,6 @@ func TestEvaluator(t *testing.T) {
 			To:             config.WeightedURLs{{URL: *mustParseURL("https://to7.example.com")}},
 			AllowedDomains: []string{"example.com"},
 		},
-		{
-			To:            config.WeightedURLs{{URL: *mustParseURL("https://to8.example.com")}},
-			AllowedGroups: []string{"group1@example.com"},
-		},
 		{
 			To:                        config.WeightedURLs{{URL: *mustParseURL("https://to9.example.com")}},
 			AllowAnyAuthenticatedUser: true,
@ -375,39 +370,6 @@ func TestEvaluator(t *testing.T) {
 		require.NoError(t, err)
 		assert.True(t, res.Allow.Value)
 	})
-	t.Run("groups", func(t *testing.T) {
-		res, err := eval(t, options, []proto.Message{
-			&session.Session{
-				Id:     "session1",
-				UserId: "user1",
-			},
-			&user.User{
-				Id:    "user1",
-				Email: "a@example.com",
-			},
-			&directory.User{
-				Id:       "user1",
-				GroupIds: []string{"group1"},
-			},
-			&directory.Group{
-				Id:    "group1",
-				Name:  "group1name",
-				Email: "group1@example.com",
-			},
-		}, &Request{
-			Policy: &policies[7],
-			Session: RequestSession{
-				ID: "session1",
-			},
-			HTTP: RequestHTTP{
-				Method:            "GET",
-				URL:               "https://from.example.com",
-				ClientCertificate: testValidCert,
-			},
-		})
-		require.NoError(t, err)
-		assert.True(t, res.Allow.Value)
-	})
 	t.Run("any authenticated user", func(t *testing.T) {
 		res, err := eval(t, options, []proto.Message{
 			&session.Session{
@ -473,7 +435,7 @@ func TestEvaluator(t *testing.T) {
 	})
 	t.Run("http method", func(t *testing.T) {
 		res, err := eval(t, options, []proto.Message{}, &Request{
-			Policy: &policies[9],
+			Policy: &policies[8],
 			HTTP: NewRequestHTTP(
 				"GET",
 				*mustParseURL("https://from.example.com/"),
@ -487,7 +449,7 @@ func TestEvaluator(t *testing.T) {
 	})
 	t.Run("http path", func(t *testing.T) {
 		res, err := eval(t, options, []proto.Message{}, &Request{
-			Policy: &policies[10],
+			Policy: &policies[9],
 			HTTP: NewRequestHTTP(
 				"POST",
 				*mustParseURL("https://from.example.com/test"),
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -15,9 +15,7 @@ import (
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
-	"github.com/pomerium/pomerium/pkg/grpc/directory"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
-	"github.com/pomerium/pomerium/pkg/grpc/user"
 	"github.com/pomerium/pomerium/pkg/storage"
 )

@ -63,25 +61,6 @@ func TestHeadersEvaluator(t *testing.T) {
 		return e.Evaluate(ctx, input)
 	}

-	t.Run("groups", func(t *testing.T) {
-		output, err := eval(t,
-			[]proto.Message{
-				&session.Session{Id: "s1", UserId: "u1"},
-				&user.User{Id: "u1"},
-				&directory.User{Id: "u1", GroupIds: []string{"g1", "g2", "g3"}},
-			},
-			&HeadersRequest{
-				FromAudience: "from.example.com",
-				ToAudience:   "to.example.com",
-				Session: RequestSession{
-					ID: "s1",
-				},
-			})
-		require.NoError(t, err)
-
-		assert.Equal(t, "g1,g2,g3", output.Headers.Get("X-Pomerium-Claim-Groups"))
-	})
-
 	t.Run("jwt", func(t *testing.T) {
 		output, err := eval(t,
 			[]proto.Message{
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@ -59,7 +59,7 @@ user = u {
 }

 directory_user = du {
-	du = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
+	du = get_databroker_record("pomerium.io/DirectoryUser", session.user_id)
 	du != null
 } else = {} {
 	true
@ -273,11 +273,11 @@ identity_headers := {key: values |
 }

 get_databroker_group_names(ids) = gs {
-	gs := [name | id := ids[i]; group := get_databroker_record("type.googleapis.com/directory.Group", id); name := group.name]
+	gs := [name | id := ids[i]; group := get_databroker_record("pomerium.io/DirectoryGroup", id); name := group.name]
 }

 get_databroker_group_emails(ids) = gs {
-	gs := [email | id := ids[i]; group := get_databroker_record("type.googleapis.com/directory.Group", id); email := group.email]
+	gs := [email | id := ids[i]; group := get_databroker_record("pomerium.io/DirectoryGroup", id); email := group.email]
 }

 get_header_string_value(obj) = s {