3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-23 11:39:32 +02:00
Code Issues Projects Releases Packages Wiki Activity

hpke: fix hpke key fetcher when using self-signed certificates

Browse source
This commit is contained in:
Caleb Doxsey 2023-01-06 09:54:17 -07:00
parent 488bcd6f72
commit 0c70fd3a1f
3 changed files with 23 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

7
authorize/state.go
View file

@ -10,6 +10,7 @@ import (
"github.com/pomerium/pomerium/authorize/evaluator"
"github.com/pomerium/pomerium/authorize/internal/store"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/pkg/grpc"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
"github.com/pomerium/pomerium/pkg/hpke"
@ -88,11 +89,7 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho
jwksURL := authenticateURL.ResolveReference(&url.URL{
Path: "/.well-known/pomerium/jwks.json",
}).String()
transport, err := config.GetTLSClientTransport(cfg)
if err != nil {
return nil, fmt.Errorf("authorize: get tls client config: %w", err)
}
state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, httputil.GetInsecureTransport())
return state, nil
}

19
internal/httputil/transport.go Normal file
View file

@ -0,0 +1,19 @@
package httputil
import (
"crypto/tls"
"net/http"
)
// GetInsecureTransport returns an HTTP transport which skips TLS verification.
func GetInsecureTransport() *http.Transport {
transport := http.DefaultTransport.(*http.Transport).Clone()
transport.Dial = nil
transport.DialContext = nil
transport.DialTLS = nil
transport.DialTLSContext = nil
transport.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
}
return transport
}

8
proxy/state.go
View file

@ -3,12 +3,12 @@ package proxy
import (
"context"
"crypto/cipher"
"fmt"
"net/url"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/encoding"
"github.com/pomerium/pomerium/internal/encoding/jws"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/sessions"
"github.com/pomerium/pomerium/internal/sessions/cookie"
"github.com/pomerium/pomerium/pkg/cryptutil"
@ -66,11 +66,7 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
jwksURL := authenticateURL.ResolveReference(&url.URL{
Path: "/.well-known/pomerium/jwks.json",
}).String()
transport, err := config.GetTLSClientTransport(cfg)
if err != nil {
return nil, fmt.Errorf("authorize: get tls client config: %w", err)
}
state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, httputil.GetInsecureTransport())
state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
if err != nil {