authorize: fix domain check bug, rewrite url for forward auth, add dev script

2025-05-31 18:07:17 +02:00 · 2020-04-20 13:42:03 -06:00 · 2020-04-20 13:42:03 -06:00 · ea1c6efc24
commit ea1c6efc24
parent 170f7f07d3
5 changed files with 90 additions and 10 deletions
--- a/authorize/evaluator/opa/policy/authz.rego
+++ b/authorize/evaluator/opa/policy/authz.rego
@ -12,15 +12,18 @@ allow {
 	token.payload.email = route_policies[route].allowed_users[_]
 	token.valid
 	count(deny)==0
+	trace(sprintf("allow by email (route=%v email=%v)", [route, token.payload.email]))
 }

 # allow group
 allow {
 	some route
 	allowed_route(input.url, route_policies[route])
-	token.payload.groups[_] = route_policies[route].allowed_groups[_]
+	some group
+	token.payload.groups[group] == route_policies[route].allowed_groups[_]
 	token.valid
 	count(deny)==0
+	trace(sprintf("allow by group (route=%v group=%v)", [route, group]))
 }

 # allow by impersonate email
@ -30,33 +33,40 @@ allow {
 	token.payload.impersonate_email = route_policies[route].allowed_users[_]
 	token.valid
 	count(deny)==0
+	trace(sprintf("allow by impersonate email (route=%v email=%v)", [route, token.payload.impersonate_email]))
 }

 # allow by impersonate group
 allow {
 	some route
 	allowed_route(input.url, route_policies[route])
-	token.payload.impersonate_groups[_] = route_policies[route].allowed_groups[_]
+	some group
+	token.payload.impersonate_groups[group] == route_policies[route].allowed_groups[_]
 	token.valid
 	count(deny)==0
+	trace(sprintf("allow by impersonate group (route=%v group=%v)", [route, group]))
 }

 # allow by domain
 allow {
 	some route
 	allowed_route(input.url, route_policies[route])
-	allowed_user_domain(token.payload.email)
+	some domain
+	email_in_domain(token.payload.email, route_policies[route].allowed_domains[domain])
 	token.valid
 	count(deny)==0
+	trace(sprintf("allow by domain (route=%v email=%v domain=%v)", [route, token.payload.email, domain]))
 }

 # allow by impersonate domain
 allow {
 	some route
 	allowed_route(input.url, route_policies[route])
-	allowed_user_domain(token.payload.impersonate_email)
+	some domain
+	email_in_domain(token.payload.impersonate_email, route_policies[route].allowed_domains[domain])
 	token.valid
 	count(deny)==0
+	trace(sprintf("allow by impersonate domain (route=%v email=%v domain=%v)", [route, token.payload.impersonate_email, domain]))
 }

 allowed_route(input_url, policy){
@ -114,7 +124,7 @@ normalize_url_path(str) = str {
 	str != ""
 }

-allowed_user_domain(email){
+email_in_domain(email, domain) {
 	x := split(email, "@")
 	count(x) == 2
 	x[1] == domain
--- a/authorize/evaluator/opa/policy/authz_test.rego
+++ b/authorize/evaluator/opa/policy/authz_test.rego
@ -26,6 +26,29 @@ test_email_allowed {
 	}
 }

+test_example {
+	user := io.jwt.encode_sign(jwt_header, {
+		"aud": ["example.com"],
+		"email": "joe@example.com"
+	}, signing_key)
+	not allow with data.route_policies as [
+		{
+			"source": "http://example.com",
+			"path": "/a",
+			"allowed_domains": ["example.com"]
+		},
+		{
+			"source": "http://example.com",
+			"path": "/b",
+			"allowed_users": ["noone@pomerium.com"]
+		},
+	] with data.signing_key as signing_key with data.shared_key as shared_key with input as {
+		"url": "http://example.com/b",
+		"host": "example.com",
+		"user": user
+	}
+}
+
 test_email_denied {
 	user := io.jwt.encode_sign(jwt_header, {
 		"aud": ["example.com"],
--- a/authorize/evaluator/opa/policy/statik.go
+++ b/authorize/evaluator/opa/policy/statik.go
--- a/proxy/forward_auth.go
+++ b/proxy/forward_auth.go
@ -115,6 +115,7 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
 		if err != nil {
 			return httputil.NewError(http.StatusBadRequest, err)
 		}
+		originalRequest := p.getOriginalRequest(r, uri)

 		if _, err := sessions.FromContext(r.Context()); err != nil {
 			if verifyOnly {
@ -130,10 +131,7 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
 			return nil
 		}

-		r.Host = uri.Host
-		r.URL = uri
-		r.RequestURI = uri.String()
-		if err := p.authorize(w, r); err != nil {
+		if err := p.authorize(w, originalRequest); err != nil {
 			return err
 		}

@ -143,3 +141,10 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
 		return nil
 	})
 }
+
+func (p *Proxy) getOriginalRequest(r *http.Request, originalURL *url.URL) *http.Request {
+	originalRequest := r.Clone(r.Context())
+	originalRequest.Host = originalURL.Host
+	originalRequest.URL = originalURL
+	return originalRequest
+}
--- a/scripts/build-dev-docker.bash
+++ b/scripts/build-dev-docker.bash
@ -0,0 +1,42 @@
+#!/bin/bash
+set -euxo pipefail
+
+_dir=/tmp/pomerium-dev-docker
+mkdir -p "$_dir"
+
+# build linux binary
+env GOOS=linux \
+    GOARCH=amd64 \
+    CGO_ENABLED=0 \
+    GO111MODULE=on \
+    go build \
+    -ldflags "-s -w" \
+    -o "$_dir/pomerium" \
+    ./cmd/pomerium
+
+# build docker image
+(
+
+
+cd $_dir
+cat <<EOF >config.yaml
+
+EOF
+cat <<EOF >Dockerfile
+FROM gcr.io/distroless/base:debug
+WORKDIR /pomerium
+COPY pomerium /bin/pomerium
+COPY config.yaml /pomerium/config.yaml
+ENTRYPOINT [ "/bin/pomerium" ]
+CMD ["-config","/pomerium/config.yaml"]
+EOF
+docker build --tag=pomerium/pomerium:dev .
+
+# build for minikube
+if command -v minikube >/dev/null 2>&1 ; then
+  eval "$(minikube docker-env --shell=bash)"
+  docker build --tag=pomerium/pomerium:dev .
+fi
+
+
+)