evaluator: use impersonate groups if impersonate email is set (#1701)

pomerium · Dec 21, 2020 · 4eec2ed · 4eec2ed
1 parent c367498
commit 4eec2ed
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 10 deletions.
diff --git a/authorize/evaluator/opa/policy/authz.rego b/authorize/evaluator/opa/policy/authz.rego
@@ -14,6 +14,8 @@ all_allowed_groups := get_allowed_groups(route_policy)
 all_allowed_users := get_allowed_users(route_policy)
 all_allowed_idp_claims := get_allowed_idp_claims(route_policy)
 
+is_impersonating := count(input.session.impersonate_email) > 0
+
 # allow public
 allow {
 	route_policy.AllowPublicUnauthenticatedAccess == true
@@ -35,39 +37,42 @@ allow {
 
 # allow by email
 allow {
+	not is_impersonating
 	user.email == all_allowed_users[_]
-	input.session.impersonate_email == ""
 }
 
 # allow group
 allow {
+	not is_impersonating
 	some group
 	groups[_] = group
 	all_allowed_groups[_] = group
-	input.session.impersonate_groups == null
 }
 
 # allow by impersonate email
 allow {
+	is_impersonating
 	all_allowed_users[_] = input.session.impersonate_email
 }
 
 # allow by impersonate group
 allow {
+	is_impersonating
 	some group
 	input.session.impersonate_groups[_] = group
 	all_allowed_groups[_] = group
 }
 
 # allow by domain
 allow {
+	not is_impersonating
 	some domain
 	email_in_domain(user.email, all_allowed_domains[domain])
-	input.session.impersonate_email == ""
 }
 
 # allow by impersonate domain
 allow {
+	is_impersonating
 	some domain
 	email_in_domain(input.session.impersonate_email, all_allowed_domains[domain])
 }

diff --git a/authorize/evaluator/opa/policy/authz_test.rego b/authorize/evaluator/opa/policy/authz_test.rego
@@ -70,7 +70,7 @@ test_group_allowed {
 			"groups": ["1"]
 		} with
 		input.http as { "url": "http://example.com" } with
-		input.session as { "id": "session1", "impersonate_groups": null }
+		input.session as { "id": "session1" }
 }
 
 test_impersonate_groups_not_allowed {
@@ -86,12 +86,10 @@ test_impersonate_groups_not_allowed {
 			"user": {
 				"email": "x@example.com"
 			},
-			"directory_user": {
-			    "groups": ["1"]
-			}
+			"groups": ["1"]
 		} with
 		input.http as { "url": "http://example.com" } with
-		input.session as { "id": "session1", "impersonate_groups": ["2"] }
+		input.session as { "id": "session1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"] }
 }
 
 test_impersonate_groups_allowed {
@@ -112,7 +110,7 @@ test_impersonate_groups_allowed {
 			}
 		} with
 		input.http as { "url": "http://example.com" } with
-		input.session as { "id": "session1", "impersonate_groups": ["2"] }
+		input.session as { "id": "session1", "impersonate_email": "y@example.com", "impersonate_groups": ["2"] }
 }
 
 test_domain_allowed {

diff --git a/authorize/evaluator/opa/policy/statik.go b/authorize/evaluator/opa/policy/statik.go