authorize: fix domain check bug, rewrite url for forward auth, add dev script
This commit is contained in:
parent
170f7f07d3
commit
ea1c6efc24
5 changed files with 90 additions and 10 deletions
|
@ -12,15 +12,18 @@ allow {
|
||||||
token.payload.email = route_policies[route].allowed_users[_]
|
token.payload.email = route_policies[route].allowed_users[_]
|
||||||
token.valid
|
token.valid
|
||||||
count(deny)==0
|
count(deny)==0
|
||||||
|
trace(sprintf("allow by email (route=%v email=%v)", [route, token.payload.email]))
|
||||||
}
|
}
|
||||||
|
|
||||||
# allow group
|
# allow group
|
||||||
allow {
|
allow {
|
||||||
some route
|
some route
|
||||||
allowed_route(input.url, route_policies[route])
|
allowed_route(input.url, route_policies[route])
|
||||||
token.payload.groups[_] = route_policies[route].allowed_groups[_]
|
some group
|
||||||
|
token.payload.groups[group] == route_policies[route].allowed_groups[_]
|
||||||
token.valid
|
token.valid
|
||||||
count(deny)==0
|
count(deny)==0
|
||||||
|
trace(sprintf("allow by group (route=%v group=%v)", [route, group]))
|
||||||
}
|
}
|
||||||
|
|
||||||
# allow by impersonate email
|
# allow by impersonate email
|
||||||
|
@ -30,33 +33,40 @@ allow {
|
||||||
token.payload.impersonate_email = route_policies[route].allowed_users[_]
|
token.payload.impersonate_email = route_policies[route].allowed_users[_]
|
||||||
token.valid
|
token.valid
|
||||||
count(deny)==0
|
count(deny)==0
|
||||||
|
trace(sprintf("allow by impersonate email (route=%v email=%v)", [route, token.payload.impersonate_email]))
|
||||||
}
|
}
|
||||||
|
|
||||||
# allow by impersonate group
|
# allow by impersonate group
|
||||||
allow {
|
allow {
|
||||||
some route
|
some route
|
||||||
allowed_route(input.url, route_policies[route])
|
allowed_route(input.url, route_policies[route])
|
||||||
token.payload.impersonate_groups[_] = route_policies[route].allowed_groups[_]
|
some group
|
||||||
|
token.payload.impersonate_groups[group] == route_policies[route].allowed_groups[_]
|
||||||
token.valid
|
token.valid
|
||||||
count(deny)==0
|
count(deny)==0
|
||||||
|
trace(sprintf("allow by impersonate group (route=%v group=%v)", [route, group]))
|
||||||
}
|
}
|
||||||
|
|
||||||
# allow by domain
|
# allow by domain
|
||||||
allow {
|
allow {
|
||||||
some route
|
some route
|
||||||
allowed_route(input.url, route_policies[route])
|
allowed_route(input.url, route_policies[route])
|
||||||
allowed_user_domain(token.payload.email)
|
some domain
|
||||||
|
email_in_domain(token.payload.email, route_policies[route].allowed_domains[domain])
|
||||||
token.valid
|
token.valid
|
||||||
count(deny)==0
|
count(deny)==0
|
||||||
|
trace(sprintf("allow by domain (route=%v email=%v domain=%v)", [route, token.payload.email, domain]))
|
||||||
}
|
}
|
||||||
|
|
||||||
# allow by impersonate domain
|
# allow by impersonate domain
|
||||||
allow {
|
allow {
|
||||||
some route
|
some route
|
||||||
allowed_route(input.url, route_policies[route])
|
allowed_route(input.url, route_policies[route])
|
||||||
allowed_user_domain(token.payload.impersonate_email)
|
some domain
|
||||||
|
email_in_domain(token.payload.impersonate_email, route_policies[route].allowed_domains[domain])
|
||||||
token.valid
|
token.valid
|
||||||
count(deny)==0
|
count(deny)==0
|
||||||
|
trace(sprintf("allow by impersonate domain (route=%v email=%v domain=%v)", [route, token.payload.impersonate_email, domain]))
|
||||||
}
|
}
|
||||||
|
|
||||||
allowed_route(input_url, policy){
|
allowed_route(input_url, policy){
|
||||||
|
@ -114,7 +124,7 @@ normalize_url_path(str) = str {
|
||||||
str != ""
|
str != ""
|
||||||
}
|
}
|
||||||
|
|
||||||
allowed_user_domain(email){
|
email_in_domain(email, domain) {
|
||||||
x := split(email, "@")
|
x := split(email, "@")
|
||||||
count(x) == 2
|
count(x) == 2
|
||||||
x[1] == domain
|
x[1] == domain
|
||||||
|
|
|
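Review bot: `email_in_domain` in the last hunk compares the domain part with `x[1] == domain`, an exact, case-sensitive string match; that is the right fail-closed choice, but nothing says so, and the obvious later "fix" for subdomains, `endswith(x[1], domain)`, would let `evil-example.com` satisfy `allowed_domains: ["example.com"]`. I would add a comment above the helper: `# exact match on the part after the single "@" is intentional: no suffix/subdomain matching, so "example.com" never admits "evil-example.com"`. Whether the identity provider can return a mixed-case domain is not visible here (RFC 5321 treats it as case-insensitive); if it can, `lower(x[1]) == lower(domain)` would avoid spurious denials, but that widening should be a deliberate decision rather than a drive-by. Note that the helper's closing brace lies outside the hunk, and that the new `trace(...)` calls in the first two hunks put user e-mail addresses into trace output, which should not end up in persisted logs.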
@ -26,6 +26,29 @@ test_email_allowed {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
test_example {
|
||||||
|
user := io.jwt.encode_sign(jwt_header, {
|
||||||
|
"aud": ["example.com"],
|
||||||
|
"email": "joe@example.com"
|
||||||
|
}, signing_key)
|
||||||
|
not allow with data.route_policies as [
|
||||||
|
{
|
||||||
|
"source": "http://example.com",
|
||||||
|
"path": "/a",
|
||||||
|
"allowed_domains": ["example.com"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "http://example.com",
|
||||||
|
"path": "/b",
|
||||||
|
"allowed_users": ["noone@pomerium.com"]
|
||||||
|
},
|
||||||
|
] with data.signing_key as signing_key with data.shared_key as shared_key with input as {
|
||||||
|
"url": "http://example.com/b",
|
||||||
|
"host": "example.com",
|
||||||
|
"user": user
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
test_email_denied {
|
test_email_denied {
|
||||||
user := io.jwt.encode_sign(jwt_header, {
|
user := io.jwt.encode_sign(jwt_header, {
|
||||||
"aud": ["example.com"],
|
"aud": ["example.com"],
|
||||||
|
|
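Review bot: `test_example` in this hunk pins only the negative half of the domain fix (joe@example.com denied on `/b`, whose policy has no `allowed_domains`) and its name does not say which regression it guards; without a positive assertion, a change that breaks domain matching entirely would still pass it. I would rename it `test_domain_only_applies_to_own_route` and add a second block of the form `allow with data.route_policies as [...] with input as {...}` using the same two policies and `"url": "http://example.com/a"`, so the fix is checked in both directions. The `jwt_header`, `signing_key` and `shared_key` fixtures it relies on are defined outside the hunk.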
File diff suppressed because one or more lines are too long
|
@ -115,6 +115,7 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return httputil.NewError(http.StatusBadRequest, err)
|
return httputil.NewError(http.StatusBadRequest, err)
|
||||||
}
|
}
|
||||||
|
originalRequest := p.getOriginalRequest(r, uri)
|
||||||
|
|
||||||
if _, err := sessions.FromContext(r.Context()); err != nil {
|
if _, err := sessions.FromContext(r.Context()); err != nil {
|
||||||
if verifyOnly {
|
if verifyOnly {
|
||||||
|
@ -130,10 +131,7 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
r.Host = uri.Host
|
if err := p.authorize(w, originalRequest); err != nil {
|
||||||
r.URL = uri
|
|
||||||
r.RequestURI = uri.String()
|
|
||||||
if err := p.authorize(w, r); err != nil {
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -143,3 +141,10 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
|
||||||
return nil
|
return nil
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *Proxy) getOriginalRequest(r *http.Request, originalURL *url.URL) *http.Request {
|
||||||
|
originalRequest := r.Clone(r.Context())
|
||||||
|
originalRequest.Host = originalURL.Host
|
||||||
|
originalRequest.URL = originalURL
|
||||||
|
return originalRequest
|
||||||
|
}
|
||||||
|
|
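Review bot: `getOriginalRequest` sets `Host` and `URL` on the clone but not `RequestURI`, whereas the code it replaces (the removed lines in the second hunk) also assigned `r.RequestURI = uri.String()`; if `p.authorize` or anything it calls derives the path from `RequestURI`, policy is now evaluated against the verify endpoint's path instead of the forwarded one. Either add `originalRequest.RequestURI = originalURL.String()` to the helper or confirm that `authorize` reads only `URL`. `uri` appears to be parsed from request-supplied forward-auth data above the hunk (a parse failure maps to 400), so the clone is an untrusted view of the original request and the helper deserves a doc comment saying so, e.g. `// getOriginalRequest returns a copy of r with Host and URL replaced by the client-reported original URL, for use as policy input only.` `Verify`'s body begins before the first hunk.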
42
scripts/build-dev-docker.bash
Executable file
42
scripts/build-dev-docker.bash
Executable file
|
@ -0,0 +1,42 @@
|
||||||
|
#!/bin/bash
|
||||||
|
set -euxo pipefail
|
||||||
|
|
||||||
|
_dir=/tmp/pomerium-dev-docker
|
||||||
|
mkdir -p "$_dir"
|
||||||
|
|
||||||
|
# build linux binary
|
||||||
|
env GOOS=linux \
|
||||||
|
GOARCH=amd64 \
|
||||||
|
CGO_ENABLED=0 \
|
||||||
|
GO111MODULE=on \
|
||||||
|
go build \
|
||||||
|
-ldflags "-s -w" \
|
||||||
|
-o "$_dir/pomerium" \
|
||||||
|
./cmd/pomerium
|
||||||
|
|
||||||
|
# build docker image
|
||||||
|
(
|
||||||
|
|
||||||
|
|
||||||
|
cd $_dir
|
||||||
|
cat <<EOF >config.yaml
|
||||||
|
|
||||||
|
EOF
|
||||||
|
cat <<EOF >Dockerfile
|
||||||
|
FROM gcr.io/distroless/base:debug
|
||||||
|
WORKDIR /pomerium
|
||||||
|
COPY pomerium /bin/pomerium
|
||||||
|
COPY config.yaml /pomerium/config.yaml
|
||||||
|
ENTRYPOINT [ "/bin/pomerium" ]
|
||||||
|
CMD ["-config","/pomerium/config.yaml"]
|
||||||
|
EOF
|
||||||
|
docker build --tag=pomerium/pomerium:dev .
|
||||||
|
|
||||||
|
# build for minikube
|
||||||
|
if command -v minikube >/dev/null 2>&1 ; then
|
||||||
|
eval "$(minikube docker-env --shell=bash)"
|
||||||
|
docker build --tag=pomerium/pomerium:dev .
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
)
|
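Review bot: `_dir=/tmp/pomerium-dev-docker` is a fixed path in a world-writable directory and `mkdir -p` silently reuses it if it already exists, so another local user can pre-create it (or symlink `config.yaml`/`Dockerfile` inside it) and the `cat <<EOF >` redirections will follow the symlink with the developer's privileges; since the directory is also the `docker build` context, they can influence what goes into the image. Use a private temporary directory instead: `_dir=$(mktemp -d)` followed by `trap 'rm -rf "$_dir"' EXIT`, and quote `cd "$_dir"` once the path is no longer a literal. The `config.yaml` heredoc is empty, so the image's default `CMD` points at a zero-byte config; a comment such as `# config.yaml is intentionally empty; mount a real one for dev` would stop the next reader from assuming lines were lost.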