pomerium/authorize/evaluator/policy_evaluator_test.go
dependabot[bot] b0c2e2dede
chore(deps): bump the go group with 24 updates (#5638)
Bumps the go group with 24 updates:

| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) | `1.53.0` | `1.55.0` |
| [github.com/VictoriaMetrics/fastcache](https://github.com/VictoriaMetrics/fastcache) | `1.12.2` | `1.12.4` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.79.3` | `1.80.0` |
| [github.com/docker/docker](https://github.com/docker/docker) | `28.1.1+incompatible` | `28.2.2+incompatible` |
| [github.com/exaring/otelpgx](https://github.com/exaring/otelpgx) | `0.9.1` | `0.9.3` |
| [github.com/google/go-jsonnet](https://github.com/google/go-jsonnet) | `0.20.0` | `0.21.0` |
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.7.4` | `5.7.5` |
| [github.com/miekg/dns](https://github.com/miekg/dns) | `1.1.65` | `1.1.66` |
| [github.com/minio/minio-go/v7](https://github.com/minio/minio-go) | `7.0.91` | `7.0.92` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `1.4.2` | `1.5.0` |
| [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto) | `0.8.0` | `0.8.1` |
| [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) | `0.51.0` | `0.52.0` |
| [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` |
| [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` |
| [go.opentelemetry.io/otel/bridge/opencensus](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/proto/otlp](https://github.com/open-telemetry/opentelemetry-proto-go) | `1.6.0` | `1.7.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.230.0` | `0.235.0` |
| [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto) | `0.0.0-20250428153025-10db94c68c34` | `0.0.0-20250528174236-200df99c418a` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `1.72.0` | `1.72.2` |


Updates `cloud.google.com/go/storage` from 1.53.0 to 1.55.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@spanner/v1.53.0...spanner/v1.55.0)

Updates `github.com/VictoriaMetrics/fastcache` from 1.12.2 to 1.12.4
- [Release notes](https://github.com/VictoriaMetrics/fastcache/releases)
- [Commits](VictoriaMetrics/fastcache@v1.12.2...v1.12.4)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.79.3 to 1.80.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.79.3...service/s3/v1.80.0)

Updates `github.com/docker/docker` from 28.1.1+incompatible to 28.2.2+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v28.1.1...v28.2.2)

Updates `github.com/exaring/otelpgx` from 0.9.1 to 0.9.3
- [Release notes](https://github.com/exaring/otelpgx/releases)
- [Commits](exaring/otelpgx@v0.9.1...v0.9.3)

Updates `github.com/google/go-jsonnet` from 0.20.0 to 0.21.0
- [Release notes](https://github.com/google/go-jsonnet/releases)
- [Changelog](https://github.com/google/go-jsonnet/blob/master/.goreleaser.yml)
- [Commits](google/go-jsonnet@v0.20.0...v0.21.0)

Updates `github.com/jackc/pgx/v5` from 5.7.4 to 5.7.5
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.7.4...v5.7.5)

Updates `github.com/miekg/dns` from 1.1.65 to 1.1.66
- [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release)
- [Commits](miekg/dns@v1.1.65...v1.1.66)

Updates `github.com/minio/minio-go/v7` from 7.0.91 to 7.0.92
- [Release notes](https://github.com/minio/minio-go/releases)
- [Commits](minio/minio-go@v7.0.91...v7.0.92)

Updates `github.com/open-policy-agent/opa` from 1.4.2 to 1.5.0
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.4.2...v1.5.0)

Updates `github.com/pires/go-proxyproto` from 0.8.0 to 0.8.1
- [Release notes](https://github.com/pires/go-proxyproto/releases)
- [Commits](pires/go-proxyproto@v0.8.0...v0.8.1)

Updates `github.com/quic-go/quic-go` from 0.51.0 to 0.52.0
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Commits](quic-go/quic-go@v0.51.0...v0.52.0)

Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.60.0 to 0.61.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0)

Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.60.0 to 0.61.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0)

Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.60.0 to 0.61.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0)

Updates `go.opentelemetry.io/otel/bridge/opencensus` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)

Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)

Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)

Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)

Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)

Updates `go.opentelemetry.io/proto/otlp` from 1.6.0 to 1.7.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-proto-go/releases)
- [Commits](open-telemetry/opentelemetry-proto-go@v1.6.0...v1.7.0)

Updates `google.golang.org/api` from 0.230.0 to 0.235.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.230.0...v0.235.0)

Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20250428153025-10db94c68c34 to 0.0.0-20250528174236-200df99c418a
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `google.golang.org/grpc` from 1.72.0 to 1.72.2
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.72.0...v1.72.2)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-version: 1.55.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/VictoriaMetrics/fastcache
  dependency-version: 1.12.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.80.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/docker/docker
  dependency-version: 28.2.2+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/exaring/otelpgx
  dependency-version: 0.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/google/go-jsonnet
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.7.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/miekg/dns
  dependency-version: 1.1.66
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/minio/minio-go/v7
  dependency-version: 7.0.92
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/pires/go-proxyproto
  dependency-version: 0.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/quic-go/quic-go
  dependency-version: 0.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  dependency-version: 0.61.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  dependency-version: 0.61.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/propagators/autoprop
  dependency-version: 0.61.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: go.opentelemetry.io/otel/bridge/opencensus
  dependency-version: 1.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
  dependency-version: 1.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace
  dependency-version: 1.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  dependency-version: 1.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  dependency-version: 1.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: go.opentelemetry.io/proto/otlp
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: google.golang.org/api
  dependency-version: 0.235.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: google.golang.org/genproto/googleapis/rpc
  dependency-version: 0.0.0-20250528174236-200df99c418a
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: google.golang.org/grpc
  dependency-version: 1.72.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-17 09:36:50 -07:00

354 lines
11 KiB
Go

package evaluator
import (
"net/http"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/structpb"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/pomerium/pomerium/authorize/internal/store"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/pkg/contextutil"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user"
"github.com/pomerium/pomerium/pkg/policy"
"github.com/pomerium/pomerium/pkg/policy/criteria"
"github.com/pomerium/pomerium/pkg/storage"
)
func TestPolicyEvaluator(t *testing.T) {
signingKey, err := cryptutil.NewSigningKey()
require.NoError(t, err)
encodedSigningKey, err := cryptutil.EncodePrivateKey(signingKey)
require.NoError(t, err)
privateJWK, err := cryptutil.PrivateJWKFromBytes(encodedSigningKey)
require.NoError(t, err)
var addDefaultClientCertificateRule bool
eval := func(t *testing.T, policy *config.Policy, data []proto.Message, input *PolicyRequest) (*PolicyResponse, error) {
ctx := t.Context()
ctx = storage.WithQuerier(ctx, storage.NewStaticQuerier(data...))
store := store.New()
store.UpdateJWTClaimHeaders(config.NewJWTClaimHeaders("email", "groups", "user", "CUSTOM_KEY"))
store.UpdateSigningKey(privateJWK)
e, err := NewPolicyEvaluator(ctx, store, policy, addDefaultClientCertificateRule)
require.NoError(t, err)
return e.Evaluate(ctx, input)
}
p1 := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
AllowedUsers: []string{"u1@example.com"},
}
s1 := &session.Session{
Id: "s1",
UserId: "u1",
}
s2 := &session.Session{
Id: "s2",
UserId: "u2",
}
u1 := &user.User{
Id: "u1",
Email: "u1@example.com",
}
u2 := &user.User{
Id: "u2",
Email: "u2@example.com",
}
t.Run("allowed", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
Deny: NewRuleResult(false),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
}, output)
})
t.Run("forbidden", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s2"},
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(false, criteria.ReasonEmailUnauthorized, criteria.ReasonUserUnauthorized),
Deny: NewRuleResult(false),
Traces: []contextutil.PolicyEvaluationTrace{{}},
}, output)
})
// Enable client certificate validation.
addDefaultClientCertificateRule = true
t.Run("allowed with cert", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
}, output)
})
t.Run("no cert", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: false,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
Deny: NewRuleResult(true, criteria.ReasonClientCertificateRequired),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true, Deny: true}},
}, output)
})
t.Run("invalid cert", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{
Method: http.MethodGet,
URL: "https://from.example.com/path",
ClientCertificate: ClientCertificateInfo{Presented: true},
},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: false,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
Deny: NewRuleResult(true, criteria.ReasonInvalidClientCertificate),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true, Deny: true}},
}, output)
})
t.Run("forbidden with cert", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s2"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(false, criteria.ReasonEmailUnauthorized, criteria.ReasonUserUnauthorized),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
Traces: []contextutil.PolicyEvaluationTrace{{}},
}, output)
})
t.Run("ppl", func(t *testing.T) {
t.Run("allow", func(t *testing.T) {
rego, err := policy.GenerateRegoFromReader(strings.NewReader(`
- allow:
and:
- accept: 1
`))
require.NoError(t, err)
p := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
SubPolicies: []config.SubPolicy{
{ID: "p1", Rego: []string{rego}},
},
}
output, err := eval(t,
p,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonAccept),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
Traces: []contextutil.PolicyEvaluationTrace{{}, {ID: "p1", Allow: true}},
}, output)
})
t.Run("deny", func(t *testing.T) {
rego, err := policy.GenerateRegoFromReader(strings.NewReader(`
- deny:
and:
- accept: 1
`))
require.NoError(t, err)
p := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
SubPolicies: []config.SubPolicy{
{ID: "p1", Rego: []string{rego}},
},
}
output, err := eval(t,
p,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(false),
Deny: NewRuleResult(true, criteria.ReasonAccept),
Traces: []contextutil.PolicyEvaluationTrace{{}, {ID: "p1", Deny: true}},
}, output)
})
t.Run("client certificate", func(t *testing.T) {
rego, err := policy.GenerateRegoFromReader(strings.NewReader(`
- deny:
and:
- invalid_client_certificate: 1
- accept: 1
`))
require.NoError(t, err)
p := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
SubPolicies: []config.SubPolicy{
{ID: "p1", Rego: []string{rego}},
},
}
output, err := eval(t,
p,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: false,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(false),
Deny: NewRuleResult(true, criteria.ReasonAccept, criteria.ReasonClientCertificateRequired),
Traces: []contextutil.PolicyEvaluationTrace{{Deny: true}, {ID: "p1", Deny: true}},
}, output)
})
})
t.Run("cidr", func(t *testing.T) {
r1 := &structpb.Struct{Fields: map[string]*structpb.Value{
"$index": structpb.NewStructValue(&structpb.Struct{Fields: map[string]*structpb.Value{
"cidr": structpb.NewStringValue("192.168.0.0/16"),
}}),
"country": structpb.NewStringValue("US"),
}}
p := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
SubPolicies: []config.SubPolicy{
{ID: "p1", Rego: []string{`
package pomerium.policy
allow {
record := get_databroker_record("type.googleapis.com/google.protobuf.Struct", "192.168.0.7")
record.country == "US"
}
`}},
},
}
output, err := eval(t,
p,
[]proto.Message{s1, u1, s2, u2, r1},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
Traces: []contextutil.PolicyEvaluationTrace{{}, {ID: "p1", Allow: true}},
}, output)
})
t.Run("service account", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{
u1,
&user.ServiceAccount{
Id: "sa1",
UserId: "u1",
},
},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "sa1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
}, output)
})
t.Run("expired service account", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{
u1,
&user.ServiceAccount{
Id: "sa1",
UserId: "u1",
ExpiresAt: timestamppb.New(time.Now().Add(-time.Second)),
},
},
&PolicyRequest{
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "sa1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(false, criteria.ReasonUserUnauthenticated),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificate),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: false}},
}, output)
})
}