ppl: refactor authorize to evaluate PPL (#2224)

* ppl: refactor authorize to evaluate PPL * remove opa test step * add log statement * simplify assignment * deny with forbidden if logged in * add safeEval function * create evaluator-specific config and options * embed the headers rego file directly
2025-07-19 09:38:03 +02:00 · 2021-05-21 09:50:18 -06:00 · 2021-05-21 09:50:18 -06:00 · dad35bcfb0
commit dad35bcfb0
parent 8c56d64f31
26 changed files with 1451 additions and 2211 deletions
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -0,0 +1,62 @@
+package evaluator
+
+import (
+	"context"
+	"math"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+	"gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2/jwt"
+
+	"github.com/pomerium/pomerium/config"
+
+	"github.com/pomerium/pomerium/pkg/cryptutil"
+)
+
+func TestHeadersEvaluator(t *testing.T) {
+	type A = []interface{}
+	type M = map[string]interface{}
+
+	signingKey, err := cryptutil.NewSigningKey()
+	require.NoError(t, err)
+	encodedSigningKey, err := cryptutil.EncodePrivateKey(signingKey)
+	require.NoError(t, err)
+	privateJWK, err := cryptutil.PrivateJWKFromBytes(encodedSigningKey, jose.ES256)
+	require.NoError(t, err)
+	publicJWK, err := cryptutil.PublicJWKFromBytes(encodedSigningKey, jose.ES256)
+	require.NoError(t, err)
+
+	eval := func(t *testing.T, data []proto.Message, input *HeadersRequest) (*HeadersResponse, error) {
+		store := NewStoreFromProtos(math.MaxUint64, data...)
+		store.UpdateIssuer("authenticate.example.com")
+		store.UpdateJWTClaimHeaders(config.NewJWTClaimHeaders("email", "groups", "user", "CUSTOM_KEY"))
+		store.UpdateSigningKey(privateJWK)
+		e, err := NewHeadersEvaluator(context.Background(), store)
+		require.NoError(t, err)
+		return e.Evaluate(context.Background(), input)
+	}
+
+	t.Run("jwt", func(t *testing.T) {
+		output, err := eval(t,
+			[]proto.Message{},
+			&HeadersRequest{
+				FromAudience: "from.example.com",
+				ToAudience:   "to.example.com",
+			})
+		require.NoError(t, err)
+
+		rawJWT, err := jwt.ParseSigned(output.Headers.Get("X-Pomerium-Jwt-Assertion"))
+		require.NoError(t, err)
+
+		var claims M
+		err = rawJWT.Claims(publicJWK, &claims)
+		require.NoError(t, err)
+
+		assert.LessOrEqual(t, claims["exp"], float64(time.Now().Add(time.Minute*6).Unix()),
+			"JWT should expire within 5 minutes, but got: %v", claims["exp"])
+	})
+}