mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 18:36:30 +02:00
408f201d16
Currently, with impersonated request, the real user email/group still
has effects.
Example:
data.route_policies as [{
"source": "example.com",
"allowed_users": ["x@example.com"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1"
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1", "impersonate_email": "y@example.com" }
Here user "x@example.com" is allowed, but was impersonated as
"y@example.com". As the rules indicated, the request must be denied,
because it only allows "x@example.com", not "y@example.com". The current
bug causes the request is still allowed.
To fix it, when evaluates rules for allowed email/group/domain, we must checking
that the impersonate email/groups is not set/empty.
Fixes #1091
|
||
|---|---|---|
| .. | ||
| autocert | ||
| cmd/pomerium | ||
| controlplane | ||
| databroker | ||
| directory | ||
| encoding | ||
| envoy | ||
| fileutil | ||
| frontend | ||
| hashutil | ||
| httputil | ||
| identity | ||
| log | ||
| middleware | ||
| protoutil | ||
| scheduler | ||
| sessions | ||
| telemetry | ||
| testutil | ||
| tripper | ||
| urlutil | ||
| version | ||