3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-02 08:19:23 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request from GHSA-pvrc-wvj2-f59p

Browse source 
* authorize: use route id from envoy for policy evaluation

* authorize: normalize URL query params

* config: enable envoy normalize_path option

* fix tests

---------

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
This commit is contained in:
Caleb Doxsey 2023-05-26 14:34:21 -06:00 committed by GitHub
parent 37c8dcc9db
commit d315e68335
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 503 additions and 289 deletions
Download patch file Download diff file Expand all files Collapse all files

65
pkg/policy/criteria/pomerium_routes.go
View file

@ -1,65 +0,0 @@
package criteria
import (
"github.com/open-policy-agent/opa/ast"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/policy/generator"
"github.com/pomerium/pomerium/pkg/policy/parser"
"github.com/pomerium/pomerium/pkg/policy/rules"
)
type pomeriumRoutesCriterion struct {
g *Generator
}
func (pomeriumRoutesCriterion) DataType() generator.CriterionDataType {
return generator.CriterionDataTypeUnused
}
func (pomeriumRoutesCriterion) Name() string {
return "pomerium_routes"
}
func (c pomeriumRoutesCriterion) GenerateRule(_ string, _ parser.Value) (*ast.Rule, []*ast.Rule, error) {
r1 := c.g.NewRule(c.Name())
r1.Head.Value = NewCriterionTerm(true, ReasonPomeriumRoute)
r1.Body = ast.Body{
ast.MustParseExpr(`session := get_session(input.session.id)`),
ast.MustParseExpr(`session.id != ""`),
ast.MustParseExpr(`contains(input.http.url, "/.pomerium/")`),
}
r2 := c.g.NewRule(c.Name())
r2.Head.Value = NewCriterionTerm(true, ReasonPomeriumRoute)
r2.Body = ast.Body{
ast.MustParseExpr(`contains(input.http.url, "/.pomerium/")`),
ast.MustParseExpr(`not contains(input.http.url, "/.pomerium/jwt")`),
ast.MustParseExpr(`not contains(input.http.url, "` + urlutil.WebAuthnURLPath + `")`),
}
r1.Else = r2
r3 := c.g.NewRule(c.Name())
r3.Head.Value = NewCriterionTerm(false, ReasonUserUnauthenticated)
r3.Body = ast.Body{
ast.MustParseExpr(`contains(input.http.url, "/.pomerium/")`),
}
r2.Else = r3
r4 := c.g.NewRule(c.Name())
r4.Head.Value = NewCriterionTerm(false, ReasonNonPomeriumRoute)
r3.Else = r4
return r1, []*ast.Rule{
rules.GetSession(),
}, nil
}
// PomeriumRoutes returns a Criterion on that allows access to pomerium routes.
func PomeriumRoutes(generator *Generator) Criterion {
return pomeriumRoutesCriterion{g: generator}
}
func init() {
Register(PomeriumRoutes)
}