mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-31 18:07:17 +02:00
408f201d16
Currently, with impersonated request, the real user email/group still
has effects.
Example:
data.route_policies as [{
"source": "example.com",
"allowed_users": ["x@example.com"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1"
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1", "impersonate_email": "y@example.com" }
Here user "x@example.com" is allowed, but was impersonated as
"y@example.com". As the rules indicated, the request must be denied,
because it only allows "x@example.com", not "y@example.com". The current
bug causes the request is still allowed.
To fix it, when evaluates rules for allowed email/group/domain, we must checking
that the impersonate email/groups is not set/empty.
Fixes #1091
|
||
|---|---|---|
| .. | ||
| evaluator | ||
| authorize.go | ||
| authorize_test.go | ||
| check_response.go | ||
| google_cloud_serverless.go | ||
| google_cloud_serverless_test.go | ||
| grpc.go | ||
| grpc_test.go | ||
| run.go | ||
| session.go | ||
| session_test.go | ||