authorize: bypass data in rego for databroker data (#2041)

pomerium · Mar 30, 2021 · 4218f49 · 4218f49
1 parent 76bc7a7
commit 4218f49
Show file tree

Hide file tree

Showing 7 changed files with 140 additions and 138 deletions.
diff --git a/authorize/evaluator/evaluator.go b/authorize/evaluator/evaluator.go
@@ -59,6 +59,7 @@ func New(options *config.Options, store *Store) (*Evaluator, error) {
 		rego.Module("pomerium.authz", string(authzPolicy)),
 		rego.Query("result = data.pomerium.authz"),
 		getGoogleCloudServerlessHeadersRegoOption,
+		store.GetDataBrokerRecordOption(),
 	)
 
 	e.query, err = e.rego.PrepareForEval(context.Background())

diff --git a/authorize/evaluator/evaluator_test.go b/authorize/evaluator/evaluator_test.go
@@ -12,6 +12,8 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/anypb"
+	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
@@ -168,18 +170,18 @@ func BenchmarkEvaluator_Evaluate(b *testing.B) {
 
 	lastSessionID := ""
 
-	for i := 0; i < 100; i++ {
+	for i := 0; i < 100000; i++ {
 		sessionID := uuid.New().String()
 		lastSessionID = sessionID
 		userID := uuid.New().String()
-		data, _ := ptypes.MarshalAny(&session.Session{
+		data, _ := anypb.New(&session.Session{
 			Version: fmt.Sprint(i),
 			Id:      sessionID,
 			UserId:  userID,
 			IdToken: &session.IDToken{
 				Issuer:   "benchmark",
 				Subject:  userID,
-				IssuedAt: ptypes.TimestampNow(),
+				IssuedAt: timestamppb.Now(),
 			},
 			OauthToken: &session.OAuthToken{
 				AccessToken:  "ACCESS TOKEN",
@@ -193,7 +195,7 @@ func BenchmarkEvaluator_Evaluate(b *testing.B) {
 			Id:      sessionID,
 			Data:    data,
 		})
-		data, _ = ptypes.MarshalAny(&user.User{
+		data, _ = anypb.New(&user.User{
 			Version: fmt.Sprint(i),
 			Id:      userID,
 		})
@@ -203,6 +205,29 @@ func BenchmarkEvaluator_Evaluate(b *testing.B) {
 			Id:      userID,
 			Data:    data,
 		})
+
+		data, _ = anypb.New(&directory.User{
+			Version:  fmt.Sprint(i),
+			Id:       userID,
+			GroupIds: []string{"1", "2", "3", "4"},
+		})
+		store.UpdateRecord(&databroker.Record{
+			Version: uint64(i),
+			Type:    data.TypeUrl,
+			Id:      userID,
+			Data:    data,
+		})
+
+		data, _ = anypb.New(&directory.Group{
+			Version: fmt.Sprint(i),
+			Id:      fmt.Sprint(i),
+		})
+		store.UpdateRecord(&databroker.Record{
+			Version: uint64(i),
+			Type:    data.TypeUrl,
+			Id:      fmt.Sprint(i),
+			Data:    data,
+		})
 	}
 
 	b.ResetTimer()

diff --git a/authorize/evaluator/opa/policy/authz.rego b/authorize/evaluator/opa/policy/authz.rego
@@ -10,30 +10,30 @@ route_policy_idx := first_allowed_route_policy_idx(input.http.url)
 route_policy := data.route_policies[route_policy_idx]
 
 session = s {
-	s = object_get(data.databroker_data["type.googleapis.com"]["user.ServiceAccount"], input.session.id, null)
+	s = get_databroker_record("type.googleapis.com/user.ServiceAccount", input.session.id)
 	s != null
 } else = s {
-	s = object_get(data.databroker_data["type.googleapis.com"]["session.Session"], input.session.id, null)
+	s = get_databroker_record("type.googleapis.com/session.Session", input.session.id)
 	s != null
 } else = {} {
 	true
 }
 
 user = u {
-	u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.impersonate_user_id, null)
+	u = get_databroker_record("type.googleapis.com/user.User", session.impersonate_user_id)
 	u != null
 } else = u {
-	u = object_get(data.databroker_data["type.googleapis.com"]["user.User"], session.user_id, null)
+	u = get_databroker_record("type.googleapis.com/user.User", session.user_id)
 	u != null
 } else = {} {
 	true
 }
 
 directory_user = du {
-	du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.impersonate_user_id, null)
+	du = get_databroker_record("type.googleapis.com/directory.User", session.impersonate_user_id)
 	du != null
 } else = du {
-	du = object_get(data.databroker_data["type.googleapis.com"]["directory.User"], session.user_id, null)
+	du = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
 	du != null
 } else = {} {
 	true
@@ -212,7 +212,7 @@ jwt_payload_groups = v {
 	v = array.concat(group_ids, get_databroker_group_names(group_ids))
 	v != []
 } else = v {
-	v = session.claims["groups"]
+	v = session.claims.groups
 	v != null
 } else = [] {
 	true
@@ -398,11 +398,11 @@ are_claims_allowed(a, b) {
 }
 
 get_databroker_group_names(ids) = gs {
-	gs := [name | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; name := group.name]
+	gs := [name | id := ids[i]; group := get_databroker_record("type.googleapis.com/directory.Group", id); name := group.name]
 }
 
 get_databroker_group_emails(ids) = gs {
-	gs := [email | id := ids[i]; group := data.databroker_data["type.googleapis.com"]["directory.Group"][id]; email := group.email]
+	gs := [email | id := ids[i]; group := get_databroker_record("type.googleapis.com/directory.Group", id); email := group.email]
 }
 
 get_header_string_value(obj) = s {

diff --git a/authorize/evaluator/opa/policy/authz_test.rego b/authorize/evaluator/opa/policy/authz_test.rego
@@ -1,9 +1,11 @@
 package pomerium.authz
 
 get_google_cloud_serverless_headers(serviceAccount, audience) = h {
-    h := {
-        "Authorization": "Bearer xxx"
-    }
+	h := {"Authorization": "Bearer xxx"}
+}
+
+get_databroker_record(typeURL, id) = v {
+	v := object_get(data.databroker_data, typeURL, null)[id]
 }
 
 test_email_allowed {

diff --git a/authorize/evaluator/opa_test.go b/authorize/evaluator/opa_test.go
@@ -34,7 +34,7 @@ func TestOPA(t *testing.T) {
 	publicJWK, err := cryptutil.PublicJWKFromBytes(encodedSigningKey, jose.ES256)
 	require.NoError(t, err)
 
-	eval := func(policies []config.Policy, data []proto.Message, req *Request, isValidClientCertificate bool) rego.Result {
+	eval := func(t *testing.T, policies []config.Policy, data []proto.Message, req *Request, isValidClientCertificate bool) rego.Result {
 		authzPolicy, err := readPolicy()
 		require.NoError(t, err)
 		store := NewStoreFromProtos(data...)
@@ -47,6 +47,7 @@ func TestOPA(t *testing.T) {
 			rego.Module("pomerium.authz", string(authzPolicy)),
 			rego.Query("result = data.pomerium.authz"),
 			getGoogleCloudServerlessHeadersRegoOption,
+			store.GetDataBrokerRecordOption(),
 		)
 		q, err := r.PrepareForEval(context.Background())
 		require.NoError(t, err)
@@ -59,14 +60,14 @@ func TestOPA(t *testing.T) {
 	}
 
 	t.Run("client certificate", func(t *testing.T) {
-		res := eval(nil, nil, &Request{}, false)
+		res := eval(t, nil, nil, &Request{}, false)
 		assert.Equal(t,
 			A{A{json.Number("495"), "invalid client certificate"}},
 			res.Bindings["result"].(M)["deny"])
 	})
 	t.Run("identity_headers", func(t *testing.T) {
 		t.Run("kubernetes", func(t *testing.T) {
-			res := eval([]config.Policy{{
+			res := eval(t, []config.Policy{{
 				Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 				To: config.WeightedURLs{
 					{URL: *mustParseURL("https://to.example.com")},
@@ -98,7 +99,7 @@ func TestOPA(t *testing.T) {
 		})
 		t.Run("google_cloud_serverless", func(t *testing.T) {
 			withMockGCP(t, func() {
-				res := eval([]config.Policy{{
+				res := eval(t, []config.Policy{{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 					To: config.WeightedURLs{
 						{URL: *mustParseURL("https://to.example.com")},
@@ -130,7 +131,7 @@ func TestOPA(t *testing.T) {
 	})
 	t.Run("jwt", func(t *testing.T) {
 		evalJWT := func(msgs ...proto.Message) M {
-			res := eval([]config.Policy{{
+			res := eval(t, []config.Policy{{
 				Source: &config.StringURL{URL: mustParseURL("https://from.example.com:8000")},
 				To: config.WeightedURLs{
 					{URL: *mustParseURL("https://to.example.com")},
@@ -226,7 +227,7 @@ func TestOPA(t *testing.T) {
 	})
 	t.Run("email", func(t *testing.T) {
 		t.Run("allowed", func(t *testing.T) {
-			res := eval([]config.Policy{
+			res := eval(t, []config.Policy{
 				{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com:8000")},
 					To: config.WeightedURLs{
@@ -255,7 +256,7 @@ func TestOPA(t *testing.T) {
 			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
 		})
 		t.Run("denied", func(t *testing.T) {
-			res := eval([]config.Policy{
+			res := eval(t, []config.Policy{
 				{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 					To: config.WeightedURLs{
@@ -286,7 +287,7 @@ func TestOPA(t *testing.T) {
 	})
 	t.Run("impersonate email", func(t *testing.T) {
 		t.Run("allowed", func(t *testing.T) {
-			res := eval([]config.Policy{
+			res := eval(t, []config.Policy{
 				{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 					To: config.WeightedURLs{
@@ -316,7 +317,7 @@ func TestOPA(t *testing.T) {
 			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
 		})
 		t.Run("denied", func(t *testing.T) {
-			res := eval([]config.Policy{
+			res := eval(t, []config.Policy{
 				{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 					To: config.WeightedURLs{
@@ -347,7 +348,7 @@ func TestOPA(t *testing.T) {
 		})
 	})
 	t.Run("user_id", func(t *testing.T) {
-		res := eval([]config.Policy{
+		res := eval(t, []config.Policy{
 			{
 				Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 				To: config.WeightedURLs{
@@ -377,7 +378,7 @@ func TestOPA(t *testing.T) {
 	})
 	t.Run("domain", func(t *testing.T) {
 		t.Run("allowed", func(t *testing.T) {
-			res := eval([]config.Policy{
+			res := eval(t, []config.Policy{
 				{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 					To: config.WeightedURLs{
@@ -407,7 +408,7 @@ func TestOPA(t *testing.T) {
 			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
 		})
 		t.Run("denied", func(t *testing.T) {
-			res := eval([]config.Policy{
+			res := eval(t, []config.Policy{
 				{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 					To: config.WeightedURLs{
@@ -438,7 +439,7 @@ func TestOPA(t *testing.T) {
 	})
 	t.Run("impersonate domain", func(t *testing.T) {
 		t.Run("allowed", func(t *testing.T) {
-			res := eval([]config.Policy{
+			res := eval(t, []config.Policy{
 				{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 					To: config.WeightedURLs{
@@ -468,7 +469,7 @@ func TestOPA(t *testing.T) {
 			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
 		})
 		t.Run("denied", func(t *testing.T) {
-			res := eval([]config.Policy{
+			res := eval(t, []config.Policy{
 				{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 					To: config.WeightedURLs{
@@ -502,7 +503,7 @@ func TestOPA(t *testing.T) {
 		t.Run("allowed", func(t *testing.T) {
 			for _, nm := range []string{"group1", "group1name", "group1@example.com"} {
 				t.Run(nm, func(t *testing.T) {
-					res := eval([]config.Policy{
+					res := eval(t, []config.Policy{
 						{
 							Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 							To: config.WeightedURLs{
@@ -542,7 +543,7 @@ func TestOPA(t *testing.T) {
 			}
 		})
 		t.Run("denied", func(t *testing.T) {
-			res := eval([]config.Policy{
+			res := eval(t, []config.Policy{
 				{
 					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 					To: config.WeightedURLs{
@@ -581,7 +582,7 @@ func TestOPA(t *testing.T) {
 		})
 	})
 	t.Run("impersonate groups", func(t *testing.T) {
-		res := eval([]config.Policy{
+		res := eval(t, []config.Policy{
 			{
 				Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 				To: config.WeightedURLs{
@@ -617,7 +618,7 @@ func TestOPA(t *testing.T) {
 		assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
 	})
 	t.Run("any authenticated user", func(t *testing.T) {
-		res := eval([]config.Policy{
+		res := eval(t, []config.Policy{
 			{
 				Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
 				To: config.WeightedURLs{