authorize: add name claim (#3238)
This commit is contained in:
parent
6914fb8abf
commit
d299b42509
2 changed files with 16 additions and 1 deletions
@ -10,6 +10,7 @@ import (
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"google.golang.org/protobuf/proto"
|
"google.golang.org/protobuf/proto"
|
||||||
|
"google.golang.org/protobuf/types/known/structpb"
|
||||||
|
|
||||||
"github.com/pomerium/pomerium/config"
|
"github.com/pomerium/pomerium/config"
|
||||||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||||
|
@ -81,7 +82,11 @@ func TestHeadersEvaluator(t *testing.T) {
|
||||||
output, err := eval(t,
|
output, err := eval(t,
|
||||||
[]proto.Message{
|
[]proto.Message{
|
||||||
&session.Session{Id: "s1", ImpersonateSessionId: proto.String("s2"), UserId: "u1"},
|
&session.Session{Id: "s1", ImpersonateSessionId: proto.String("s2"), UserId: "u1"},
|
||||||
&session.Session{Id: "s2", UserId: "u2"},
|
&session.Session{Id: "s2", UserId: "u2", Claims: map[string]*structpb.ListValue{
|
||||||
|
"name": {Values: []*structpb.Value{
|
||||||
|
structpb.NewStringValue("n1"),
|
||||||
|
}},
|
||||||
|
}},
|
||||||
},
|
},
|
||||||
&HeadersRequest{
|
&HeadersRequest{
|
||||||
FromAudience: "from.example.com",
|
FromAudience: "from.example.com",
|
||||||
|
@ -105,6 +110,7 @@ func TestHeadersEvaluator(t *testing.T) {
|
||||||
assert.Equal(t, "s1", claims["sid"], "should set session id to input session id")
|
assert.Equal(t, "s1", claims["sid"], "should set session id to input session id")
|
||||||
assert.Equal(t, "u2", claims["sub"], "should set subject to user id")
|
assert.Equal(t, "u2", claims["sub"], "should set subject to user id")
|
||||||
assert.Equal(t, "u2", claims["user"], "should set user to user id")
|
assert.Equal(t, "u2", claims["user"], "should set user to user id")
|
||||||
|
assert.Equal(t, "n1", claims["name"], "should set name")
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("access token", func(t *testing.T) {
|
t.Run("access token", func(t *testing.T) {
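Review bot: The new assertion `assert.Equal(t, "n1", claims["name"], "should set name")` only exercises the session-claims path of the new policy rule; the `user.claims.name` fallback and the empty-string default are not covered, so a regression in either would pass this test. A second case with a session carrying no `name` claim (asserting `claims["name"]` is `""`) and one where only the user record carries the claim would pin both branches. Because the claim is placed on the impersonated session `s2` rather than the input session `s1`, the test also implicitly checks that `name` follows the impersonated identity like `sub`/`user` do; that intent is worth stating in the message, e.g. `"should set name from the impersonated session's claims"`. `TestHeadersEvaluator` begins and ends outside this hunk.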
|
||||||
|
|
|
@ -142,6 +142,14 @@ jwt_payload_groups = v {
|
||||||
true
|
true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
jwt_payload_name = v {
|
||||||
|
v = get_header_string_value(session.claims.name)
|
||||||
|
} else = v {
|
||||||
|
v = get_header_string_value(user.claims.name)
|
||||||
|
} else = "" {
|
||||||
|
true
|
||||||
|
}
|
||||||
|
|
||||||
# the session id is always set to the input session id, even if impersonating
|
# the session id is always set to the input session id, even if impersonating
|
||||||
jwt_payload_sid := input.session.id
|
jwt_payload_sid := input.session.id
|
||||||
|
|
||||||
|
@ -156,6 +164,7 @@ base_jwt_claims := [
|
||||||
["email", jwt_payload_email],
|
["email", jwt_payload_email],
|
||||||
["groups", jwt_payload_groups],
|
["groups", jwt_payload_groups],
|
||||||
["sid", jwt_payload_sid],
|
["sid", jwt_payload_sid],
|
||||||
|
["name", jwt_payload_name],
|
||||||
]
|
]
|
||||||
|
|
||||||
additional_jwt_claims := [[k, v] |
|
additional_jwt_claims := [[k, v] |
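Review bot: `jwt_payload_name` ends in `else = ""`, so every assertion JWT now carries a `name` claim even when neither the session nor the user provides one; if `base_jwt_claims` is emitted as-is (its consumer is outside this hunk), upstreams receive an empty string rather than an absent claim, which is not how OIDC treats optional profile claims — consider dropping the final branch, or filtering empty values where the list is consumed, unless the other `jwt_payload_*` rules deliberately default the same way. The value is copied verbatim from IdP-supplied `session.claims.name` / `user.claims.name`, so the rule deserves a comment making its trust level explicit, e.g. `# name is an informational profile claim from the IdP; it is not unique and must not be used by upstreams for authorization — use sub/email instead.` How `get_header_string_value` collapses a multi-valued claim is not visible here, so confirm it yields a single deterministic value. For consistency, the new `["name", jwt_payload_name]` entry in `base_jwt_claims` might sit next to `email` rather than after `sid`, mirroring the rule's placement ahead of `jwt_payload_sid`.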
|
||||||
|
|