3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-24 22:47:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

ppl: refactor authorize to evaluate PPL (#2224)

Browse source 
* ppl: refactor authorize to evaluate PPL

* remove opa test step

* add log statement

* simplify assignment

* deny with forbidden if logged in

* add safeEval function

* create evaluator-specific config and options

* embed the headers rego file directly
This commit is contained in:
Caleb Doxsey 2021-05-21 09:50:18 -06:00 committed by GitHub
parent 8c56d64f31
commit dad35bcfb0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
26 changed files with 1451 additions and 2211 deletions
Download patch file Download diff file Expand all files Collapse all files

32
authorize/check_response_test.go
View file

@ -30,6 +30,7 @@ func TestAuthorize_okResponse(t *testing.T) {
AuthenticateURLString: "https://authenticate.example.com",
Policies: []config.Policy{{
Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
To: mustParseWeightedURLs(t, "https://to.example.com"),
SubPolicies: []config.SubPolicy{{
Rego: []string{"allow = true"},
}},
@ -62,45 +63,30 @@ func TestAuthorize_okResponse(t *testing.T) {
}{
{
"ok reply",
&evaluator.Result{Status: 0, Message: "ok"},
&evaluator.Result{Allow: true},
&envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"},
Status: &status.Status{Code: 0, Message: "OK"},
},
},
{
"ok reply with k8s svc",
&evaluator.Result{
Status: 0,
Message: "ok",
MatchingPolicy: &config.Policy{
KubernetesServiceAccountToken: "k8s-svc-account",
},
},
&evaluator.Result{Allow: true},
&envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"},
Status: &status.Status{Code: 0, Message: "OK"},
},
},
{
"ok reply with k8s svc impersonate",
&evaluator.Result{
Status: 0,
Message: "ok",
MatchingPolicy: &config.Policy{
KubernetesServiceAccountToken: "k8s-svc-account",
},
},
&evaluator.Result{Allow: true},
&envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"},
Status: &status.Status{Code: 0, Message: "OK"},
},
},
{
"ok reply with jwt claims header",
&evaluator.Result{
Status: 0,
Message: "ok",
},
&evaluator.Result{Allow: true},
&envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"},
Status: &status.Status{Code: 0, Message: "OK"},
},
},
}