mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-06 03:18:03 +02:00
b0c2e2dede
Bumps the go group with 24 updates: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) | `1.53.0` | `1.55.0` | | [github.com/VictoriaMetrics/fastcache](https://github.com/VictoriaMetrics/fastcache) | `1.12.2` | `1.12.4` | | [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.79.3` | `1.80.0` | | [github.com/docker/docker](https://github.com/docker/docker) | `28.1.1+incompatible` | `28.2.2+incompatible` | | [github.com/exaring/otelpgx](https://github.com/exaring/otelpgx) | `0.9.1` | `0.9.3` | | [github.com/google/go-jsonnet](https://github.com/google/go-jsonnet) | `0.20.0` | `0.21.0` | | [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.7.4` | `5.7.5` | | [github.com/miekg/dns](https://github.com/miekg/dns) | `1.1.65` | `1.1.66` | | [github.com/minio/minio-go/v7](https://github.com/minio/minio-go) | `7.0.91` | `7.0.92` | | [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `1.4.2` | `1.5.0` | | [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto) | `0.8.0` | `0.8.1` | | [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) | `0.51.0` | `0.52.0` | | [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` | | [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` | | [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` | | [go.opentelemetry.io/otel/bridge/opencensus](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/proto/otlp](https://github.com/open-telemetry/opentelemetry-proto-go) | `1.6.0` | `1.7.0` | | [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.230.0` | `0.235.0` | | [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto) | `0.0.0-20250428153025-10db94c68c34` | `0.0.0-20250528174236-200df99c418a` | | [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `1.72.0` | `1.72.2` | Updates `cloud.google.com/go/storage` from 1.53.0 to 1.55.0 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@spanner/v1.53.0...spanner/v1.55.0) Updates `github.com/VictoriaMetrics/fastcache` from 1.12.2 to 1.12.4 - [Release notes](https://github.com/VictoriaMetrics/fastcache/releases) - [Commits](VictoriaMetrics/fastcache@v1.12.2...v1.12.4) Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.79.3 to 1.80.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.79.3...service/s3/v1.80.0) Updates `github.com/docker/docker` from 28.1.1+incompatible to 28.2.2+incompatible - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v28.1.1...v28.2.2) Updates `github.com/exaring/otelpgx` from 0.9.1 to 0.9.3 - [Release notes](https://github.com/exaring/otelpgx/releases) - [Commits](exaring/otelpgx@v0.9.1...v0.9.3) Updates `github.com/google/go-jsonnet` from 0.20.0 to 0.21.0 - [Release notes](https://github.com/google/go-jsonnet/releases) - [Changelog](https://github.com/google/go-jsonnet/blob/master/.goreleaser.yml) - [Commits](google/go-jsonnet@v0.20.0...v0.21.0) Updates `github.com/jackc/pgx/v5` from 5.7.4 to 5.7.5 - [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md) - [Commits](jackc/pgx@v5.7.4...v5.7.5) Updates `github.com/miekg/dns` from 1.1.65 to 1.1.66 - [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release) - [Commits](miekg/dns@v1.1.65...v1.1.66) Updates `github.com/minio/minio-go/v7` from 7.0.91 to 7.0.92 - [Release notes](https://github.com/minio/minio-go/releases) - [Commits](minio/minio-go@v7.0.91...v7.0.92) Updates `github.com/open-policy-agent/opa` from 1.4.2 to 1.5.0 - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.4.2...v1.5.0) Updates `github.com/pires/go-proxyproto` from 0.8.0 to 0.8.1 - [Release notes](https://github.com/pires/go-proxyproto/releases) - [Commits](pires/go-proxyproto@v0.8.0...v0.8.1) Updates `github.com/quic-go/quic-go` from 0.51.0 to 0.52.0 - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.51.0...v0.52.0) Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0) Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0) Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0) Updates `go.opentelemetry.io/otel/bridge/opencensus` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/proto/otlp` from 1.6.0 to 1.7.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-proto-go/releases) - [Commits](open-telemetry/opentelemetry-proto-go@v1.6.0...v1.7.0) Updates `google.golang.org/api` from 0.230.0 to 0.235.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.230.0...v0.235.0) Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20250428153025-10db94c68c34 to 0.0.0-20250528174236-200df99c418a - [Commits](https://github.com/googleapis/go-genproto/commits) Updates `google.golang.org/grpc` from 1.72.0 to 1.72.2 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.72.0...v1.72.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/storage dependency-version: 1.55.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/VictoriaMetrics/fastcache dependency-version: 1.12.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/s3 dependency-version: 1.80.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/docker/docker dependency-version: 28.2.2+incompatible dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/exaring/otelpgx dependency-version: 0.9.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/google/go-jsonnet dependency-version: 0.21.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/jackc/pgx/v5 dependency-version: 5.7.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/miekg/dns dependency-version: 1.1.66 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/minio/minio-go/v7 dependency-version: 7.0.92 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/pires/go-proxyproto dependency-version: 0.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/quic-go/quic-go dependency-version: 0.52.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/contrib/propagators/autoprop dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/bridge/opencensus dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/proto/otlp dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: google.golang.org/api dependency-version: 0.235.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: google.golang.org/genproto/googleapis/rpc dependency-version: 0.0.0-20250528174236-200df99c418a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: google.golang.org/grpc dependency-version: 1.72.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] <support@github.com>
354 lines
11 KiB
Go
354 lines
11 KiB
Go
package evaluator
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/protobuf/proto"
|
|
"google.golang.org/protobuf/types/known/structpb"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
"github.com/pomerium/pomerium/authorize/internal/store"
|
|
"github.com/pomerium/pomerium/config"
|
|
"github.com/pomerium/pomerium/pkg/contextutil"
|
|
"github.com/pomerium/pomerium/pkg/cryptutil"
|
|
"github.com/pomerium/pomerium/pkg/grpc/session"
|
|
"github.com/pomerium/pomerium/pkg/grpc/user"
|
|
"github.com/pomerium/pomerium/pkg/policy"
|
|
"github.com/pomerium/pomerium/pkg/policy/criteria"
|
|
"github.com/pomerium/pomerium/pkg/storage"
|
|
)
|
|
|
|
func TestPolicyEvaluator(t *testing.T) {
|
|
signingKey, err := cryptutil.NewSigningKey()
|
|
require.NoError(t, err)
|
|
encodedSigningKey, err := cryptutil.EncodePrivateKey(signingKey)
|
|
require.NoError(t, err)
|
|
privateJWK, err := cryptutil.PrivateJWKFromBytes(encodedSigningKey)
|
|
require.NoError(t, err)
|
|
|
|
var addDefaultClientCertificateRule bool
|
|
|
|
eval := func(t *testing.T, policy *config.Policy, data []proto.Message, input *PolicyRequest) (*PolicyResponse, error) {
|
|
ctx := t.Context()
|
|
ctx = storage.WithQuerier(ctx, storage.NewStaticQuerier(data...))
|
|
store := store.New()
|
|
store.UpdateJWTClaimHeaders(config.NewJWTClaimHeaders("email", "groups", "user", "CUSTOM_KEY"))
|
|
store.UpdateSigningKey(privateJWK)
|
|
e, err := NewPolicyEvaluator(ctx, store, policy, addDefaultClientCertificateRule)
|
|
require.NoError(t, err)
|
|
return e.Evaluate(ctx, input)
|
|
}
|
|
|
|
p1 := &config.Policy{
|
|
From: "https://from.example.com",
|
|
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
|
|
AllowedUsers: []string{"u1@example.com"},
|
|
}
|
|
s1 := &session.Session{
|
|
Id: "s1",
|
|
UserId: "u1",
|
|
}
|
|
s2 := &session.Session{
|
|
Id: "s2",
|
|
UserId: "u2",
|
|
}
|
|
u1 := &user.User{
|
|
Id: "u1",
|
|
Email: "u1@example.com",
|
|
}
|
|
u2 := &user.User{
|
|
Id: "u2",
|
|
Email: "u2@example.com",
|
|
}
|
|
|
|
t.Run("allowed", func(t *testing.T) {
|
|
output, err := eval(t,
|
|
p1,
|
|
[]proto.Message{s1, u1, s2, u2},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "s1"},
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
|
|
Deny: NewRuleResult(false),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
|
|
}, output)
|
|
})
|
|
t.Run("forbidden", func(t *testing.T) {
|
|
output, err := eval(t,
|
|
p1,
|
|
[]proto.Message{s1, u1, s2, u2},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "s2"},
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(false, criteria.ReasonEmailUnauthorized, criteria.ReasonUserUnauthorized),
|
|
Deny: NewRuleResult(false),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{}},
|
|
}, output)
|
|
})
|
|
|
|
// Enable client certificate validation.
|
|
addDefaultClientCertificateRule = true
|
|
|
|
t.Run("allowed with cert", func(t *testing.T) {
|
|
output, err := eval(t,
|
|
p1,
|
|
[]proto.Message{s1, u1, s2, u2},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "s1"},
|
|
|
|
IsValidClientCertificate: true,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
|
|
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
|
|
}, output)
|
|
})
|
|
t.Run("no cert", func(t *testing.T) {
|
|
output, err := eval(t,
|
|
p1,
|
|
[]proto.Message{s1, u1, s2, u2},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "s1"},
|
|
|
|
IsValidClientCertificate: false,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
|
|
Deny: NewRuleResult(true, criteria.ReasonClientCertificateRequired),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true, Deny: true}},
|
|
}, output)
|
|
})
|
|
t.Run("invalid cert", func(t *testing.T) {
|
|
output, err := eval(t,
|
|
p1,
|
|
[]proto.Message{s1, u1, s2, u2},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{
|
|
Method: http.MethodGet,
|
|
URL: "https://from.example.com/path",
|
|
ClientCertificate: ClientCertificateInfo{Presented: true},
|
|
},
|
|
Session: RequestSession{ID: "s1"},
|
|
|
|
IsValidClientCertificate: false,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
|
|
Deny: NewRuleResult(true, criteria.ReasonInvalidClientCertificate),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true, Deny: true}},
|
|
}, output)
|
|
})
|
|
t.Run("forbidden with cert", func(t *testing.T) {
|
|
output, err := eval(t,
|
|
p1,
|
|
[]proto.Message{s1, u1, s2, u2},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "s2"},
|
|
|
|
IsValidClientCertificate: true,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(false, criteria.ReasonEmailUnauthorized, criteria.ReasonUserUnauthorized),
|
|
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{}},
|
|
}, output)
|
|
})
|
|
|
|
t.Run("ppl", func(t *testing.T) {
|
|
t.Run("allow", func(t *testing.T) {
|
|
rego, err := policy.GenerateRegoFromReader(strings.NewReader(`
|
|
- allow:
|
|
and:
|
|
- accept: 1
|
|
`))
|
|
require.NoError(t, err)
|
|
p := &config.Policy{
|
|
From: "https://from.example.com",
|
|
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
|
|
SubPolicies: []config.SubPolicy{
|
|
{ID: "p1", Rego: []string{rego}},
|
|
},
|
|
}
|
|
output, err := eval(t,
|
|
p,
|
|
[]proto.Message{s1, u1, s2, u2},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "s1"},
|
|
|
|
IsValidClientCertificate: true,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(true, criteria.ReasonAccept),
|
|
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{}, {ID: "p1", Allow: true}},
|
|
}, output)
|
|
})
|
|
t.Run("deny", func(t *testing.T) {
|
|
rego, err := policy.GenerateRegoFromReader(strings.NewReader(`
|
|
- deny:
|
|
and:
|
|
- accept: 1
|
|
`))
|
|
require.NoError(t, err)
|
|
p := &config.Policy{
|
|
From: "https://from.example.com",
|
|
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
|
|
SubPolicies: []config.SubPolicy{
|
|
{ID: "p1", Rego: []string{rego}},
|
|
},
|
|
}
|
|
output, err := eval(t,
|
|
p,
|
|
[]proto.Message{s1, u1, s2, u2},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "s1"},
|
|
|
|
IsValidClientCertificate: true,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(false),
|
|
Deny: NewRuleResult(true, criteria.ReasonAccept),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{}, {ID: "p1", Deny: true}},
|
|
}, output)
|
|
})
|
|
t.Run("client certificate", func(t *testing.T) {
|
|
rego, err := policy.GenerateRegoFromReader(strings.NewReader(`
|
|
- deny:
|
|
and:
|
|
- invalid_client_certificate: 1
|
|
- accept: 1
|
|
`))
|
|
require.NoError(t, err)
|
|
p := &config.Policy{
|
|
From: "https://from.example.com",
|
|
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
|
|
SubPolicies: []config.SubPolicy{
|
|
{ID: "p1", Rego: []string{rego}},
|
|
},
|
|
}
|
|
output, err := eval(t,
|
|
p,
|
|
[]proto.Message{s1, u1, s2, u2},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "s1"},
|
|
|
|
IsValidClientCertificate: false,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(false),
|
|
Deny: NewRuleResult(true, criteria.ReasonAccept, criteria.ReasonClientCertificateRequired),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{Deny: true}, {ID: "p1", Deny: true}},
|
|
}, output)
|
|
})
|
|
})
|
|
t.Run("cidr", func(t *testing.T) {
|
|
r1 := &structpb.Struct{Fields: map[string]*structpb.Value{
|
|
"$index": structpb.NewStructValue(&structpb.Struct{Fields: map[string]*structpb.Value{
|
|
"cidr": structpb.NewStringValue("192.168.0.0/16"),
|
|
}}),
|
|
"country": structpb.NewStringValue("US"),
|
|
}}
|
|
|
|
p := &config.Policy{
|
|
From: "https://from.example.com",
|
|
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
|
|
SubPolicies: []config.SubPolicy{
|
|
{ID: "p1", Rego: []string{`
|
|
package pomerium.policy
|
|
|
|
allow {
|
|
record := get_databroker_record("type.googleapis.com/google.protobuf.Struct", "192.168.0.7")
|
|
record.country == "US"
|
|
}
|
|
`}},
|
|
},
|
|
}
|
|
output, err := eval(t,
|
|
p,
|
|
[]proto.Message{s1, u1, s2, u2, r1},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "s1"},
|
|
|
|
IsValidClientCertificate: true,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(true),
|
|
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{}, {ID: "p1", Allow: true}},
|
|
}, output)
|
|
})
|
|
t.Run("service account", func(t *testing.T) {
|
|
output, err := eval(t,
|
|
p1,
|
|
[]proto.Message{
|
|
u1,
|
|
&user.ServiceAccount{
|
|
Id: "sa1",
|
|
UserId: "u1",
|
|
},
|
|
},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "sa1"},
|
|
|
|
IsValidClientCertificate: true,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
|
|
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
|
|
}, output)
|
|
})
|
|
t.Run("expired service account", func(t *testing.T) {
|
|
output, err := eval(t,
|
|
p1,
|
|
[]proto.Message{
|
|
u1,
|
|
&user.ServiceAccount{
|
|
Id: "sa1",
|
|
UserId: "u1",
|
|
ExpiresAt: timestamppb.New(time.Now().Add(-time.Second)),
|
|
},
|
|
},
|
|
&PolicyRequest{
|
|
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
|
|
Session: RequestSession{ID: "sa1"},
|
|
|
|
IsValidClientCertificate: true,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, &PolicyResponse{
|
|
Allow: NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
|
|
Traces: []contextutil.PolicyEvaluationTrace{{Allow: false}},
|
|
}, output)
|
|
})
|
|
}
|