/
policy_evaluator_test.go
297 lines (279 loc) · 9.19 KB
/
policy_evaluator_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
package evaluator
import (
"context"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/structpb"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/pomerium/pomerium/authorize/internal/store"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/pkg/contextutil"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user"
"github.com/pomerium/pomerium/pkg/policy"
"github.com/pomerium/pomerium/pkg/policy/criteria"
"github.com/pomerium/pomerium/pkg/storage"
)
func TestPolicyEvaluator(t *testing.T) {
signingKey, err := cryptutil.NewSigningKey()
require.NoError(t, err)
encodedSigningKey, err := cryptutil.EncodePrivateKey(signingKey)
require.NoError(t, err)
privateJWK, err := cryptutil.PrivateJWKFromBytes(encodedSigningKey)
require.NoError(t, err)
eval := func(t *testing.T, policy *config.Policy, data []proto.Message, input *PolicyRequest) (*PolicyResponse, error) {
ctx := context.Background()
ctx = storage.WithQuerier(ctx, storage.NewStaticQuerier(data...))
store := store.New()
store.UpdateIssuer("authenticate.example.com")
store.UpdateJWTClaimHeaders(config.NewJWTClaimHeaders("email", "groups", "user", "CUSTOM_KEY"))
store.UpdateSigningKey(privateJWK)
e, err := NewPolicyEvaluator(ctx, store, policy)
require.NoError(t, err)
return e.Evaluate(ctx, input)
}
p1 := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
AllowedUsers: []string{"u1@example.com"},
}
s1 := &session.Session{
Id: "s1",
UserId: "u1",
}
s2 := &session.Session{
Id: "s2",
UserId: "u2",
}
u1 := &user.User{
Id: "u1",
Email: "u1@example.com",
}
u2 := &user.User{
Id: "u2",
Email: "u2@example.com",
}
t.Run("allowed", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificateOrNoneRequired),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
}, output)
})
t.Run("invalid cert", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: false,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
Deny: NewRuleResult(true, criteria.ReasonInvalidClientCertificate),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true, Deny: true}},
}, output)
})
t.Run("forbidden", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s2"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(false, criteria.ReasonEmailUnauthorized, criteria.ReasonNonPomeriumRoute, criteria.ReasonUserUnauthorized),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificateOrNoneRequired),
Traces: []contextutil.PolicyEvaluationTrace{{}},
}, output)
})
t.Run("ppl", func(t *testing.T) {
t.Run("allow", func(t *testing.T) {
rego, err := policy.GenerateRegoFromReader(strings.NewReader(`
- allow:
and:
- accept: 1
`))
require.NoError(t, err)
p := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
SubPolicies: []config.SubPolicy{
{ID: "p1", Rego: []string{rego}},
},
}
output, err := eval(t,
p,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonAccept),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificateOrNoneRequired),
Traces: []contextutil.PolicyEvaluationTrace{{}, {ID: "p1", Allow: true}},
}, output)
})
t.Run("deny", func(t *testing.T) {
rego, err := policy.GenerateRegoFromReader(strings.NewReader(`
- deny:
and:
- accept: 1
`))
require.NoError(t, err)
p := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
SubPolicies: []config.SubPolicy{
{ID: "p1", Rego: []string{rego}},
},
}
output, err := eval(t,
p,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(false, criteria.ReasonNonPomeriumRoute),
Deny: NewRuleResult(true, criteria.ReasonAccept),
Traces: []contextutil.PolicyEvaluationTrace{{}, {ID: "p1", Deny: true}},
}, output)
})
t.Run("client certificate", func(t *testing.T) {
rego, err := policy.GenerateRegoFromReader(strings.NewReader(`
- deny:
and:
- invalid_client_certificate: 1
- accept: 1
`))
require.NoError(t, err)
p := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
SubPolicies: []config.SubPolicy{
{ID: "p1", Rego: []string{rego}},
},
}
output, err := eval(t,
p,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: false,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(false, criteria.ReasonNonPomeriumRoute),
Deny: NewRuleResult(true, criteria.ReasonAccept, criteria.ReasonInvalidClientCertificate),
Traces: []contextutil.PolicyEvaluationTrace{{Deny: true}, {ID: "p1", Deny: true}},
}, output)
})
})
t.Run("cidr", func(t *testing.T) {
r1 := &structpb.Struct{Fields: map[string]*structpb.Value{
"$index": structpb.NewStructValue(&structpb.Struct{Fields: map[string]*structpb.Value{
"cidr": structpb.NewStringValue("192.168.0.0/16"),
}}),
"country": structpb.NewStringValue("US"),
}}
p := &config.Policy{
From: "https://from.example.com",
To: config.WeightedURLs{{URL: *mustParseURL("https://to.example.com")}},
SubPolicies: []config.SubPolicy{
{ID: "p1", Rego: []string{`
package pomerium.policy
allow {
record := get_databroker_record("type.googleapis.com/google.protobuf.Struct", "192.168.0.7")
record.country == "US"
}
`}},
},
}
output, err := eval(t,
p,
[]proto.Message{s1, u1, s2, u2, r1},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificateOrNoneRequired),
Traces: []contextutil.PolicyEvaluationTrace{{}, {ID: "p1", Allow: true}},
}, output)
})
t.Run("service account", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{
u1,
&user.ServiceAccount{
Id: "sa1",
UserId: "u1",
},
},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
Session: RequestSession{ID: "sa1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificateOrNoneRequired),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
}, output)
})
t.Run("expired service account", func(t *testing.T) {
output, err := eval(t,
p1,
[]proto.Message{
u1,
&user.ServiceAccount{
Id: "sa1",
UserId: "u1",
ExpiresAt: timestamppb.New(time.Now().Add(-time.Second)),
},
},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
Session: RequestSession{ID: "sa1"},
IsValidClientCertificate: true,
})
require.NoError(t, err)
assert.Equal(t, &PolicyResponse{
Allow: NewRuleResult(false, criteria.ReasonNonPomeriumRoute, criteria.ReasonUserUnauthenticated),
Deny: NewRuleResult(false, criteria.ReasonValidClientCertificateOrNoneRequired),
Traces: []contextutil.PolicyEvaluationTrace{{Allow: false}},
}, output)
})
}