3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-29 22:48:15 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/authorize/evaluator/opa/policy/authz.rego
Caleb Doxsey 25b697a13d
authorize: allow access by user id (#1850)
2021-02-03 07:15:44 -07:00

288 lines
7.1 KiB
Rego
Raw Blame History

package pomerium.authz
default allow = false
route_policy_idx := first_allowed_route_policy_idx(input.http.url)
route_policy := data.route_policies[route_policy_idx]
session = s {
s = object_get(data.databroker_data["type.googleapis.com"]["user.ServiceAccount"], input.session.id, null)
s != null
} else = s {
s = object_get(data.databroker_data["type.googleapis.com"]["session.Session"], input.session.id, null)
s != null
} else = {} {
true
}
user = u {
u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.impersonate_user_id, null)
u != null
} else = u {
u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.user_id, null)
u != null
} else = {} {
true
}
directory_user = du {
du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.impersonate_user_id, null)
du != null
} else = du {
du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.user_id, null)
du != null
} else = {} {
true
}
group_ids = gs {
gs = session.impersonate_group_ids
gs != null
} else = gs {
gs = directory_user.group_ids
gs != null
} else = [] {
true
}
groups := array.concat(group_ids, array.concat(get_databroker_group_names(group_ids), get_databroker_group_emails(group_ids)))
all_allowed_domains := get_allowed_domains(route_policy)
all_allowed_groups := get_allowed_groups(route_policy)
all_allowed_users := get_allowed_users(route_policy)
all_allowed_idp_claims := get_allowed_idp_claims(route_policy)
is_impersonating := count(session.impersonate_email) > 0
# allow public
allow {
route_policy.AllowPublicUnauthenticatedAccess == true
}
# allow cors preflight
allow {
route_policy.CORSAllowPreflight == true
input.http.method == "OPTIONS"
count(object.get(input.http.headers, "Access-Control-Request-Method", [])) > 0
count(object.get(input.http.headers, "Origin", [])) > 0
}
# allow any authenticated user
allow {
route_policy.AllowAnyAuthenticatedUser == true
session.user_id != ""
}
# allow by user email
allow {
not is_impersonating
user.email == all_allowed_users[_]
}
# allow by user id
allow {
not is_impersonating
user.id == all_allowed_users[_]
}
# allow group
allow {
not is_impersonating
some group
groups[_] = group
all_allowed_groups[_] = group
}
# allow by impersonate email
allow {
is_impersonating
all_allowed_users[_] = session.impersonate_email
}
# allow by impersonate group
allow {
is_impersonating
some group
session.impersonate_groups[_] = group
all_allowed_groups[_] = group
}
# allow by domain
allow {
not is_impersonating
some domain
email_in_domain(user.email, all_allowed_domains[domain])
}
# allow by impersonate domain
allow {
is_impersonating
some domain
email_in_domain(session.impersonate_email, all_allowed_domains[domain])
}
# allow by arbitrary idp claims
allow {
are_claims_allowed(all_allowed_idp_claims[_], session.claims)
}
allow {
are_claims_allowed(all_allowed_idp_claims[_], user.claims)
}
# allow pomerium urls
allow {
contains(input.http.url, "/.pomerium/")
}
deny[reason] {
reason = [495, "invalid client certificate"]
is_boolean(input.is_valid_client_certificate)
not input.is_valid_client_certificate
}
# returns the first matching route
first_allowed_route_policy_idx(input_url) = first_policy_idx {
first_policy_idx := [idx | some idx, policy; policy = data.route_policies[idx]; allowed_route(input.http.url, policy)][0]
}
allowed_route(input_url, policy) {
input_url_obj := parse_url(input_url)
allowed_route_source(input_url_obj, policy)
allowed_route_prefix(input_url_obj, policy)
allowed_route_path(input_url_obj, policy)
allowed_route_regex(input_url_obj, policy)
}
allowed_route_source(input_url_obj, policy) {
object.get(policy, "source", "") == ""
}
allowed_route_source(input_url_obj, policy) {
object.get(policy, "source", "") != ""
source_url_obj := parse_url(policy.source)
input_url_obj.host == source_url_obj.host
}
allowed_route_prefix(input_url_obj, policy) {
object.get(policy, "prefix", "") == ""
}
allowed_route_prefix(input_url_obj, policy) {
object.get(policy, "prefix", "") != ""
startswith(input_url_obj.path, policy.prefix)
}
allowed_route_path(input_url_obj, policy) {
object.get(policy, "path", "") == ""
}
allowed_route_path(input_url_obj, policy) {
object.get(policy, "path", "") != ""
policy.path == input_url_obj.path
}
allowed_route_regex(input_url_obj, policy) {
object.get(policy, "regex", "") == ""
}
allowed_route_regex(input_url_obj, policy) {
object.get(policy, "regex", "") != ""
re_match(policy.regex, input_url_obj.path)
}
parse_url(str) = {"scheme": scheme, "host": host, "path": path} {
[_, scheme, host, rawpath] = regex.find_all_string_submatch_n(`(?:((?:tcp[+])?http[s]?)://)?([^/]+)([^?#]*)`, str, 1)[0]
path = normalize_url_path(rawpath)
}
normalize_url_path(str) = "/" {
str == ""
}
normalize_url_path(str) = str {
str != ""
}
email_in_domain(email, domain) {
x := split(email, "@")
count(x) == 2
x[1] == domain
}
element_in_list(list, elem) {
list[_] = elem
}
get_allowed_users(policy) = v {
sub_allowed_users = [sp.allowed_users | sp := policy.sub_policies[_]]
v := {x | x = array.concat(policy.allowed_users, [u | u := policy.sub_policies[_].allowed_users[_]])[_]}
}
get_allowed_domains(policy) = v {
v := {x | x = array.concat(policy.allowed_domains, [u | u := policy.sub_policies[_].allowed_domains[_]])[_]}
}
get_allowed_groups(policy) = v {
v := {x | x = array.concat(policy.allowed_groups, [u | u := policy.sub_policies[_].allowed_groups[_]])[_]}
}
get_allowed_idp_claims(policy) = v {
v := array.concat([policy.allowed_idp_claims], [u | u := policy.sub_policies[_].allowed_idp_claims])
}
are_claims_allowed(a, b) {
is_object(a)
is_object(b)
avs := a[ak]
bvs := object.get(b, ak, null)
is_array(avs)
is_array(bvs)
avs[_] == bvs[_]
}
get_databroker_group_names(ids) = gs {
gs := [name | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; name := group.name]
}
get_databroker_group_emails(ids) = gs {
gs := [email | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; email := group.email]
}
# object_get is like object.get, but supports converting "/" in keys to separate lookups
# rego doesn't support recursion, so we hard code a limited number of /'s
object_get(obj, key, def) = value {
segments := split(key, "/")
count(segments) == 2
o1 := object.get(obj, segments[0], {})
value = object.get(o1, segments[1], def)
} else = value {
segments := split(key, "/")
count(segments) == 3
o1 := object.get(obj, segments[0], {})
o2 := object.get(o1, segments[1], {})
value = object.get(o2, segments[2], def)
} else = value {
segments := split(key, "/")
count(segments) == 4
o1 := object.get(obj, segments[0], {})
o2 := object.get(o1, segments[1], {})
o3 := object.get(o2, segments[2], {})
value = object.get(o3, segments[3], def)
} else = value {
segments := split(key, "/")
count(segments) == 5
o1 := object.get(obj, segments[0], {})
o2 := object.get(o1, segments[1], {})
o3 := object.get(o2, segments[2], {})
o4 := object.get(o3, segments[3], {})
value = object.get(o4, segments[4], def)
} else = value {
value = object.get(obj, key, def)
}
Reference in a new issue View git blame Copy permalink