mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 10:56:28 +02:00
8d1732582e
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy: move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
50 lines
1.3 KiB
Go
50 lines
1.3 KiB
Go
package authorize
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/pomerium/pomerium/config"
|
|
)
|
|
|
|
func TestNew(t *testing.T) {
|
|
t.Parallel()
|
|
policies := testPolicies(t)
|
|
tests := []struct {
|
|
name string
|
|
SharedKey string
|
|
Policies []config.Policy
|
|
wantErr bool
|
|
}{
|
|
{"good", "gXK6ggrlIW2HyKyUF9rUO4azrDgxhDPWqw9y+lJU7B8=", policies, false},
|
|
{"bad shared secret", "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==", policies, true},
|
|
{"really bad shared secret", "sup", policies, true},
|
|
{"validation error, short secret", "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==", policies, true},
|
|
{"empty options", "", []config.Policy{}, true}, // special case
|
|
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
o := config.Options{SharedKey: tt.SharedKey, Policies: tt.Policies}
|
|
if tt.name == "empty options" {
|
|
o = config.Options{}
|
|
}
|
|
_, err := New(o)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("New() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func testPolicies(t *testing.T) []config.Policy {
|
|
testPolicy := config.Policy{From: "https://pomerium.io", To: "http://httpbin.org", AllowedUsers: []string{"test@gmail.com"}}
|
|
err := testPolicy.Validate()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
policies := []config.Policy{
|
|
testPolicy,
|
|
}
|
|
return policies
|
|
}
|