From d54a30bb20a81877af6f5323e1253854d6cb5e6b Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Thu, 29 Jul 2021 14:50:14 -0600
Subject: [PATCH] fix headers
---
 authorize/evaluator/opa/policy/headers.rego | 31 ++++++++++-----------
 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/authorize/evaluator/opa/policy/headers.rego b/authorize/evaluator/opa/policy/headers.rego
index f09e695a9..2a6b07ad5 100644
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@@ -26,20 +26,25 @@ package pomerium.headers
 # 5 minutes from now in seconds
 five_minutes := round((time.now_ns() / 1e9) + (60 * 5))
 
-session = s {
- s = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id)
- s != null
-} else = s {
- s = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
- s != null
+session = v {
+ v = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id)
+ v != null
+} else = iv {
+ v = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
+ v != null
+ object.get(v, "impersonate_session_id", "") != ""
+
+ iv = get_databroker_record("type.googleapis.com/session.Session", v.impersonate_session_id)
+ iv != null
+} else = v {
+ v = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
+ v != null
+ object.get(v, "impersonate_session_id", "") == ""
 } else = {} {
 true
 }
 
 user = u {
- u = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
- u != null
-} else = u {
 u = get_databroker_record("type.googleapis.com/user.User", session.user_id)
 u != null
 } else = {} {
@@ -47,9 +52,6 @@ user = u {
 }
 
 directory_user = du {
- du = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
- du != null
-} else = du {
 du = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
 du != null
 } else = {} {
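Review bot: The new `else = iv` branch of `session` treats an `impersonate_session_id` stored on the caller's Session record as sufficient authority to evaluate headers as the target session, and nothing in this hunk checks that the target is itself an ordinary (non-impersonating) session or that it is still current; if that guarantee is enforced where the field is written, a comment here should say so. The precedence and the fail-closed behaviour also deserve a comment above `session = v {`, because a Session whose `impersonate_session_id` points at a missing record fails both Session branches (the third requires the field to be empty) and yields `{}` instead of falling back to the caller's own session, which is the safe outcome but not obvious from the rule. Suggested: `# Resolution order: service account, then the session named by impersonate_session_id, then the caller's own session; a dangling impersonate_session_id deliberately resolves to {} (fail closed).` The `user`, `directory_user`, `group_ids` and `jwt_payload_email` hunks now derive their impersonation behaviour entirely from this rule.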
@@ -57,9 +59,6 @@ directory_user = du {
 }
 
 group_ids = gs {
- gs = session.impersonate_groups
- gs != null
-} else = gs {
 gs = directory_user.group_ids
 gs != null
 } else = [] {
@@ -119,8 +118,6 @@ jwt_payload_user = v {
 }
 
 jwt_payload_email = v {
- v = session.impersonate_email
-} else = v {
 v = directory_user.email
 } else = v {
 v = user.email
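Review bot: `group_ids` now carries no comment explaining that under impersonation the groups are those of the impersonated user's directory record (via `directory_user`, which reads `session.user_id`) rather than a list stored on the impersonating session, so a reader of this rule alone cannot tell that the removed `impersonate_groups` override has no replacement. A one-line comment above `group_ids = gs {` such as `# groups always come from the resolved session's directory record; impersonation is handled in the session rule` would record this. The same applies to `jwt_payload_email` in the last hunk, whose rule continues past the end of the hunk.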