3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-03 11:22:45 +02:00
Code Issues Projects Releases Packages Wiki Activity

config: preserve existing user when creating sessions from idp token (#5502)

Browse source 
* config: preserve existing user when creating sessions from idp token

* fix
This commit is contained in:
Caleb Doxsey 2025-02-27 09:05:31 -07:00 committed by GitHub
parent 932db70d96
commit cb5ee48323
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 77 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

45
config/session_test.go
View file

@ -13,6 +13,7 @@ import (
"github.com/google/go-cmp/cmp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/pomerium/pomerium/internal/encoding/jws"
@ -416,19 +417,41 @@ func Test_newSessionFromIDPClaims(t *testing.T) {
}
}
func Test_newUserFromIDPClaims(t *testing.T) {
func Test_fillUserFromIDPClaims(t *testing.T) {
t.Parallel()
for _, tc := range []struct {
name string
claims jwtutil.Claims
expect *user.User
name string
claims jwtutil.Claims
current *user.User
expect *user.User
}{
{"empty claims", nil, &user.User{}},
{"empty claims", nil, nil, &user.User{}},
{"full claims", jwtutil.Claims{
"sub": "USER_ID",
"name": "NAME",
"email": "EMAIL",
}, nil, &user.User{
Id: "USER_ID",
Name: "NAME",
Email: "EMAIL",
Claims: identity.FlattenedClaims{
"sub": {"USER_ID"},
"name": {"NAME"},
"email": {"EMAIL"},
}.ToPB(),
}},
{"existing claims", jwtutil.Claims{
"sub": "USER_ID",
}, &user.User{
Id: "USER_ID",
Name: "NAME",
Email: "EMAIL",
Claims: identity.FlattenedClaims{
"sub": {"USER_ID"},
"name": {"NAME"},
"email": {"EMAIL"},
}.ToPB(),
}, &user.User{
Id: "USER_ID",
Name: "NAME",
@ -443,7 +466,11 @@ func Test_newUserFromIDPClaims(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
actual := new(incomingIDPTokenSessionCreator).newUserFromIDPClaims(tc.claims)
actual := new(user.User)
if tc.current != nil {
actual = proto.Clone(tc.current).(*user.User)
}
new(incomingIDPTokenSessionCreator).fillUserFromIDPClaims(actual, tc.claims)
testutil.AssertProtoEqual(t, tc.expect, actual)
})
}
@ -476,8 +503,7 @@ func TestIncomingIDPTokenSessionCreator_CreateSession(t *testing.T) {
require.NoError(t, err)
req.Header.Set(httputil.HeaderPomeriumIDPAccessToken, "ACCESS_TOKEN")
c := NewIncomingIDPTokenSessionCreator(
func(_ context.Context, recordType, _ string) (*databroker.Record, error) {
assert.Equal(t, "type.googleapis.com/session.Session", recordType)
func(_ context.Context, _, _ string) (*databroker.Record, error) {
return nil, storage.ErrNotFound
},
func(_ context.Context, records []*databroker.Record) error {
@ -518,8 +544,7 @@ func TestIncomingIDPTokenSessionCreator_CreateSession(t *testing.T) {
require.NoError(t, err)
req.Header.Set(httputil.HeaderPomeriumIDPIdentityToken, "IDENTITY_TOKEN")
c := NewIncomingIDPTokenSessionCreator(
func(_ context.Context, recordType, _ string) (*databroker.Record, error) {
assert.Equal(t, "type.googleapis.com/session.Session", recordType)
func(_ context.Context, _, _ string) (*databroker.Record, error) {
return nil, storage.ErrNotFound
},
func(_ context.Context, records []*databroker.Record) error {