pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 10:56:28 +02:00

History

Cuong Manh Le 408f201d16 authorize/evaluator/opa/policy: fix allow rules with impersonate (#1094 ) Currently, with impersonated request, the real user email/group still has effects. Example: data.route_policies as [{ "source": "example.com", "allowed_users": ["x@example.com"] }] with input.databroker_data as { "session": { "user_id": "user1" }, "user": { "email": "x@example.com" } } with input.http as { "url": "http://example.com" } with input.session as { "id": "session1", "impersonate_email": "y@example.com" } Here user "x@example.com" is allowed, but was impersonated as "y@example.com". As the rules indicated, the request must be denied, because it only allows "x@example.com", not "y@example.com". The current bug causes the request is still allowed. To fix it, when evaluates rules for allowed email/group/domain, we must checking that the impersonate email/groups is not set/empty. Fixes #1091		2020-07-17 22:07:11 +07:00
..
clean-upstream.lua	envoy: fix lua warning (#731 )	2020-05-19 10:21:50 -06:00
ext-authz-set-cookie.lua	proxy: remove pomerium cookie and authorization from upstream requests (#687 )	2020-05-18 17:10:10 -04:00
statik.go	authorize/evaluator/opa/policy: fix allow rules with impersonate (#1094 )	2020-07-17 22:07:11 +07:00