proxy: fix forward auth, request signing

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone 2019-11-25 14:29:52 -08:00
parent ec9607d1d5
commit 0f6a9d7f1d
No known key found for this signature in database
GPG key ID: AEE4CF12FE86D07E
32 changed files with 928 additions and 522 deletions

View file

@ -24,10 +24,10 @@ import (
// CSPHeaders are the content security headers added to the service's handlers
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
var CSPHeaders = map[string]string{
"Content-Security-Policy": "default-src 'none'; style-src 'self'" +
" 'sha256-z9MsgkMbQjRSLxzAfN55jB3a9pP0PQ4OHFH8b4iDP6s=' " +
" 'sha256-qnVkQSG7pWu17hBhIw0kCpfEB3XGvt0mNRa6+uM6OUU=' " +
" 'sha256-qOdRsNZhtR+htazbcy7guQl3Cn1cqOw1FcE4d3llae0='; " +
"Content-Security-Policy": "default-src 'none'; style-src " +
"'sha256-spMkVDoBBY86p0RC1fBYwdnGyMypJM8eG57+p3VASyk=' " +
"'sha256-qnVkQSG7pWu17hBhIw0kCpfEB3XGvt0mNRa6+uM6OUU=' " +
"'sha256-qOdRsNZhtR+htazbcy7guQl3Cn1cqOw1FcE4d3llae0=';" +
"img-src 'self';",
"Referrer-Policy": "Same-origin",
}
@ -54,7 +54,8 @@ func (a *Authenticate) Handler() http.Handler {
v := r.PathPrefix("/.pomerium").Subrouter()
c := cors.New(cors.Options{
AllowOriginRequestFunc: func(r *http.Request, _ string) bool {
return middleware.ValidateRedirectURI(r, a.sharedKey)
err := middleware.ValidateRequestURL(r, a.sharedKey)
return err == nil
},
AllowCredentials: true,
AllowedHeaders: []string{"*"},
@ -111,71 +112,84 @@ func (a *Authenticate) refresh(w http.ResponseWriter, r *http.Request, s *sessio
// RobotsTxt handles the /robots.txt route.
func (a *Authenticate) RobotsTxt(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, "User-agent: *\nDisallow: /")
}
// SignIn handles to authenticating a user.
func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) {
// grab and parse our redirect_uri
redirectURL, err := urlutil.ParseAndValidateURL(r.FormValue("redirect_uri"))
redirectURL, err := urlutil.ParseAndValidateURL(r.FormValue(urlutil.QueryRedirectURI))
if err != nil {
httputil.ErrorResponse(w, r, httputil.Error("malformed redirect_uri", http.StatusBadRequest, err))
return
}
// create a clone of the redirect URI, unless this is a programmatic request
// in which case we will redirect back to proxy's callback endpoint
callbackURL, _ := urlutil.DeepCopy(redirectURL)
q := redirectURL.Query()
jwtAudience := []string{a.RedirectURL.Hostname(), redirectURL.Hostname()}
if q.Get("pomerium_programmatic_destination_url") != "" {
callbackURL, err = urlutil.ParseAndValidateURL(q.Get("pomerium_programmatic_destination_url"))
var callbackURL *url.URL
// if the callback is explicitly set, set it and add an additional audience
if callbackStr := r.FormValue(urlutil.QueryCallbackURI); callbackStr != "" {
callbackURL, err = urlutil.ParseAndValidateURL(callbackStr)
if err != nil {
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusBadRequest, err))
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
return
}
jwtAudience = append(jwtAudience, callbackURL.Hostname())
} else {
// otherwise, assume callback is the same host as redirect
callbackURL, _ = urlutil.DeepCopy(redirectURL)
callbackURL.Path = "/.pomerium/callback/"
callbackURL.RawQuery = ""
}
// add an additional claim for the forward-auth host, if set
if fwdAuth := r.FormValue(urlutil.QueryForwardAuth); fwdAuth != "" {
jwtAudience = append(jwtAudience, fwdAuth)
}
s, err := sessions.FromContext(r.Context())
if err != nil {
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusBadRequest, err))
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
return
}
s.SetImpersonation(q.Get("impersonate_email"), q.Get("impersonate_group"))
newSession := s.NewSession(a.RedirectURL.Host, []string{a.RedirectURL.Host, callbackURL.Host})
if q.Get("pomerium_programmatic_destination_url") != "" {
s.SetImpersonation(r.FormValue(urlutil.QueryImpersonateEmail), r.FormValue(urlutil.QueryImpersonateGroups))
newSession := s.NewSession(a.RedirectURL.Host, jwtAudience)
callbackParams := callbackURL.Query()
if r.FormValue(urlutil.QueryIsProgrammatic) == "true" {
newSession.Programmatic = true
encSession, err := a.encryptedEncoder.Marshal(newSession)
if err != nil {
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusBadRequest, err))
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
return
}
q.Set("pomerium_refresh_token", string(encSession))
callbackParams.Set(urlutil.QueryRefreshToken, string(encSession))
callbackParams.Set(urlutil.QueryIsProgrammatic, "true")
}
// sign the route session, as a JWT
signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession(DefaultSessionDuration))
if err != nil {
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusBadRequest, err))
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
return
}
// encrypt our route-based token JWT avoiding any accidental logging
encryptedJWT := cryptutil.Encrypt(a.sharedCipher, signedJWT, nil)
// base64 our encrypted payload for URL-friendlyness
encodedJWT := base64.URLEncoding.EncodeToString(encryptedJWT)
// add our encoded and encrypted route-session JWT to a query param
q.Set("pomerium_jwt", encodedJWT)
redirectURL.RawQuery = q.Encode()
callbackURL.Path = "/.pomerium/callback"
callbackParams.Set(urlutil.QuerySessionEncrypted, encodedJWT)
callbackParams.Set(urlutil.QueryRedirectURI, redirectURL.String())
callbackURL.RawQuery = callbackParams.Encode()
// build our hmac-d redirect URL with our session, pointing back to the
// proxy's callback URL which is responsible for setting our new route-session
uri := urlutil.SignedRedirectURL(a.sharedKey, callbackURL, redirectURL)
uri := urlutil.NewSignedURL(a.sharedKey, callbackURL)
httputil.Redirect(w, r, uri.String(), http.StatusFound)
}
@ -193,7 +207,7 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) {
httputil.ErrorResponse(w, r, httputil.Error("could not revoke user session", http.StatusBadRequest, err))
return
}
redirectURL, err := urlutil.ParseAndValidateURL(r.FormValue("redirect_uri"))
redirectURL, err := urlutil.ParseAndValidateURL(r.FormValue(urlutil.QueryRedirectURI))
if err != nil {
httputil.ErrorResponse(w, r, httputil.Error("malformed redirect_uri", http.StatusBadRequest, err))
return