ppl: support special characters in claim keys (#3640)

ppl: support special characters in claim keys (#3639)

* ppl: support special characters in claim keys

* fix test

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>

config/policy_ppl_test.go

@@ -751,6 +751,12 @@ else = [] {
 }
 
 object_get(obj, key, def) = value {
+	undefined := "10a0fd35-0f1a-4e5b-97ce-631e89e1bafa"
+	value = object.get(obj, key, undefined)
+	value != undefined
+}
+
+else = value {
 	segments := split(replace(key, ".", "/"), "/")
 	count(segments) == 2
 	o1 := object.get(obj, segments[0], {})

pkg/policy/criteria/claims_test.go

@@ -86,4 +86,28 @@ allow:
 		require.Equal(t, A{true, A{ReasonClaimOK}, M{}}, res["allow"])
 		require.Equal(t, A{false, A{}}, res["deny"])
 	})
+	t.Run("special keys", func(t *testing.T) {
+		res, err := evaluate(t, `
+allow:
+  and:
+    - claim/example.com/key: value
+`,
+			[]dataBrokerRecord{
+				&session.Session{
+					Id:     "SESSION_ID",
+					UserId: "USER_ID",
+					Claims: map[string]*structpb.ListValue{
+						"example.com/key": {Values: []*structpb.Value{structpb.NewStringValue("value")}},
+					},
+				},
+				&user.User{
+					Id:    "USER_ID",
+					Email: "test@example.com",
+				},
+			},
+			Input{Session: InputSession{ID: "SESSION_ID"}})
+		require.NoError(t, err)
+		require.Equal(t, A{true, A{ReasonClaimOK}, M{}}, res["allow"])
+		require.Equal(t, A{false, A{}}, res["deny"])
+	})
 }

pkg/policy/rules/rules.go

@@ -176,7 +176,12 @@ func ObjectGet() *ast.Rule {
 	return ast.MustParseRule(`
 # object_get is like object.get, but supports converting "/" in keys to separate lookups
 # rego doesn't support recursion, so we hard code a limited number of /'s
+
 object_get(obj, key, def) = value {
+	undefined := "10a0fd35-0f1a-4e5b-97ce-631e89e1bafa"
+	value = object.get(obj, key, undefined)
+	value != undefined
+} else = value {
 	segments := split(replace(key, ".", "/"), "/")
 	count(segments) == 2
 	o1 := object.get(obj, segments[0], {})