move directory providers (#3633)

* remove directory providers and support for groups * idp: remove directory providers * better error messages * fix errors * restore postgres * fix test
2025-05-10 23:57:34 +02:00 · 2022-11-03 11:33:56 -06:00 · 2022-11-03 11:33:56 -06:00 · c178819875
commit c178819875
parent bb5c80bae9
78 changed files with 723 additions and 8703 deletions
--- a/config/policy_ppl_test.go
+++ b/config/policy_ppl_test.go
@ -16,7 +16,6 @@ func TestPolicy_ToPPL(t *testing.T) {
 		CORSAllowPreflight:               true,
 		AllowAnyAuthenticatedUser:        true,
 		AllowedDomains:                   []string{"a.example.com", "b.example.com"},
-		AllowedGroups:                    []string{"group1", "group2"},
 		AllowedUsers:                     []string{"user1", "user2"},
 		AllowedIDPClaims: map[string][]interface{}{
 			"family_name": {"Smith", "Jones"},
@ -24,7 +23,6 @@ func TestPolicy_ToPPL(t *testing.T) {
 		SubPolicies: []SubPolicy{
 			{
 				AllowedDomains: []string{"c.example.com", "d.example.com"},
-				AllowedGroups:  []string{"group3", "group4"},
 				AllowedUsers:   []string{"user3", "user4"},
 				AllowedIDPClaims: map[string][]interface{}{
 					"given_name": {"John"},
@ -32,7 +30,6 @@ func TestPolicy_ToPPL(t *testing.T) {
 			},
 			{
 				AllowedDomains: []string{"e.example.com"},
-				AllowedGroups:  []string{"group5"},
 				AllowedUsers:   []string{"user5"},
 				AllowedIDPClaims: map[string][]interface{}{
 					"timezone": {"EST"},
@ -175,161 +172,6 @@ else = [false, {"user-unauthenticated"}] {
 	true
 }

-groups_0 = [true, {"groups-ok"}] {
-	session := get_session(input.session.id)
-	directory_user := get_directory_user(session)
-	group_ids := get_group_ids(session, directory_user)
-	group_names := [directory_group.name |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.name != null
-	]
-	group_emails := [directory_group.email |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.email != null
-	]
-	groups = array.concat(group_ids, array.concat(group_names, group_emails))
-	count([true | some v; v = groups[_0]; v == "group1"]) > 0
-}
-
-else = [false, {"groups-unauthorized"}] {
-	session := get_session(input.session.id)
-	session.id != ""
-}
-
-else = [false, {"user-unauthenticated"}] {
-	true
-}
-
-groups_1 = [true, {"groups-ok"}] {
-	session := get_session(input.session.id)
-	directory_user := get_directory_user(session)
-	group_ids := get_group_ids(session, directory_user)
-	group_names := [directory_group.name |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.name != null
-	]
-	group_emails := [directory_group.email |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.email != null
-	]
-	groups = array.concat(group_ids, array.concat(group_names, group_emails))
-	count([true | some v; v = groups[_0]; v == "group2"]) > 0
-}
-
-else = [false, {"groups-unauthorized"}] {
-	session := get_session(input.session.id)
-	session.id != ""
-}
-
-else = [false, {"user-unauthenticated"}] {
-	true
-}
-
-groups_2 = [true, {"groups-ok"}] {
-	session := get_session(input.session.id)
-	directory_user := get_directory_user(session)
-	group_ids := get_group_ids(session, directory_user)
-	group_names := [directory_group.name |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.name != null
-	]
-	group_emails := [directory_group.email |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.email != null
-	]
-	groups = array.concat(group_ids, array.concat(group_names, group_emails))
-	count([true | some v; v = groups[_0]; v == "group3"]) > 0
-}
-
-else = [false, {"groups-unauthorized"}] {
-	session := get_session(input.session.id)
-	session.id != ""
-}
-
-else = [false, {"user-unauthenticated"}] {
-	true
-}
-
-groups_3 = [true, {"groups-ok"}] {
-	session := get_session(input.session.id)
-	directory_user := get_directory_user(session)
-	group_ids := get_group_ids(session, directory_user)
-	group_names := [directory_group.name |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.name != null
-	]
-	group_emails := [directory_group.email |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.email != null
-	]
-	groups = array.concat(group_ids, array.concat(group_names, group_emails))
-	count([true | some v; v = groups[_0]; v == "group4"]) > 0
-}
-
-else = [false, {"groups-unauthorized"}] {
-	session := get_session(input.session.id)
-	session.id != ""
-}
-
-else = [false, {"user-unauthenticated"}] {
-	true
-}
-
-groups_4 = [true, {"groups-ok"}] {
-	session := get_session(input.session.id)
-	directory_user := get_directory_user(session)
-	group_ids := get_group_ids(session, directory_user)
-	group_names := [directory_group.name |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.name != null
-	]
-	group_emails := [directory_group.email |
-		some i
-		group_id := group_ids[i]
-		directory_group := get_directory_group(group_id)
-		directory_group != null
-		directory_group.email != null
-	]
-	groups = array.concat(group_ids, array.concat(group_names, group_emails))
-	count([true | some v; v = groups[_0]; v == "group5"]) > 0
-}
-
-else = [false, {"groups-unauthorized"}] {
-	session := get_session(input.session.id)
-	session.id != ""
-}
-
-else = [false, {"user-unauthenticated"}] {
-	true
-}
-
 claim_0 = [true, {"claim-ok"}] {
 	rule_data := "Smith"
 	rule_path := "family_name"
@ -570,7 +412,7 @@ else = [false, {"user-unauthenticated"}] {
 }

 or_0 = v {
-	results := [pomerium_routes_0, accept_0, cors_preflight_0, authenticated_user_0, domain_0, domain_1, domain_2, domain_3, domain_4, groups_0, groups_1, groups_2, groups_3, groups_4, claim_0, claim_1, claim_2, claim_3, user_0, email_0, user_1, email_1, user_2, email_2, user_3, email_3, user_4, email_4]
+	results := [pomerium_routes_0, accept_0, cors_preflight_0, authenticated_user_0, domain_0, domain_1, domain_2, domain_3, domain_4, claim_0, claim_1, claim_2, claim_3, user_0, email_0, user_1, email_1, user_2, email_2, user_3, email_3, user_4, email_4]
 	normalized := [normalize_criterion_result(x) | x := results[i]]
 	v := merge_with_or(normalized)
 }
@ -715,24 +557,6 @@ else = {} {
 	true
 }

-get_directory_user(session) = v {
-	v = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
-	v != null
-}
-
-else = "" {
-	true
-}
-
-get_directory_group(id) = v {
-	v = get_databroker_record("type.googleapis.com/directory.Group", id)
-	v != null
-}
-
-else = {} {
-	true
-}
-
 get_user_email(session, user) = v {
 	v = user.email
 }
@ -741,15 +565,6 @@ else = "" {
 	true
 }

-get_group_ids(session, directory_user) = v {
-	v = directory_user.group_ids
-	v != null
-}
-
-else = [] {
-	true
-}
-
 object_get(obj, key, def) = value {
 	undefined := "10a0fd35-0f1a-4e5b-97ce-631e89e1bafa"
 	value = object.get(obj, key, undefined)