3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 02:09:15 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: filter only by group ID

Browse source 
Rework the JWT groups filtering option to filter only by ID (before
looking up group names).
This commit is contained in:
Kenneth Jenkins 2025-01-21 13:15:47 -08:00
parent 0bd6d8cc83
commit ed6d5247c1
1 changed files with 11 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

30
authorize/evaluator/headers_evaluator_evaluation.go
View file

@ -312,8 +312,17 @@ func (e *headersEvaluatorEvaluation) getJWTPayloadEmail(ctx context.Context) str
} }
func (e *headersEvaluatorEvaluation) getJWTPayloadGroups(ctx context.Context) []string { func (e *headersEvaluatorEvaluation) getJWTPayloadGroups(ctx context.Context) []string {
groups := e.getFilteredGroups(ctx) groupIDs := e.getGroupIDs(ctx)
if len(groupIDs) > 0 {
groupIDs = e.filterGroups(groupIDs)
groups := make([]string, 0, len(groupIDs)*2)
groups = append(groups, groupIDs...)
groups = append(groups, e.getDataBrokerGroupNames(ctx, groupIDs)...)
return groups
}
s, _ := e.getSessionOrServiceAccount(ctx)
groups, _ := getClaimStringSlice(s, "groups")
if groups == nil { if groups == nil {
// If there are no groups, marshal this claim as an empty list rather than a JSON null, // If there are no groups, marshal this claim as an empty list rather than a JSON null,
// for better compatibility with third-party libraries. // for better compatibility with third-party libraries.
@ -323,9 +332,7 @@ func (e *headersEvaluatorEvaluation) getJWTPayloadGroups(ctx context.Context) []
return groups return groups
} }
func (e *headersEvaluatorEvaluation) getFilteredGroups(ctx context.Context) []string { func (e *headersEvaluatorEvaluation) filterGroups(groups []string) []string {
groups := e.getAllGroups(ctx)
// Apply the global groups filter or the per-route groups filter, if either is enabled. // Apply the global groups filter or the per-route groups filter, if either is enabled.
filters := make([]config.JWTGroupsFilter, 0, 2) filters := make([]config.JWTGroupsFilter, 0, 2)
if f := e.evaluator.store.GetJWTGroupsFilter(); f.Enabled() { if f := e.evaluator.store.GetJWTGroupsFilter(); f.Enabled() {
@ -348,21 +355,6 @@ func (e *headersEvaluatorEvaluation) getFilteredGroups(ctx context.Context) []st
}) })
} }
// getAllGroups returns the full group names/IDs list (without any filtering).
func (e *headersEvaluatorEvaluation) getAllGroups(ctx context.Context) []string {
groupIDs := e.getGroupIDs(ctx)
if len(groupIDs) > 0 {
groups := make([]string, 0, len(groupIDs)*2)
groups = append(groups, groupIDs...)
groups = append(groups, e.getDataBrokerGroupNames(ctx, groupIDs)...)
return groups
}
s, _ := e.getSessionOrServiceAccount(ctx)
groups, _ := getClaimStringSlice(s, "groups")
return groups
}
func (e *headersEvaluatorEvaluation) getJWTPayloadSID() string { func (e *headersEvaluatorEvaluation) getJWTPayloadSID() string {
return e.request.Session.ID return e.request.Session.ID
} }