mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-03 00:40:25 +02:00
proxy: fix forward auth, request signing
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
parent
ec9607d1d5
commit
0f6a9d7f1d
32 changed files with 928 additions and 522 deletions
|
@ -24,10 +24,10 @@ import (
|
|||
// CSPHeaders are the content security headers added to the service's handlers
|
||||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
|
||||
var CSPHeaders = map[string]string{
|
||||
"Content-Security-Policy": "default-src 'none'; style-src 'self'" +
|
||||
" 'sha256-z9MsgkMbQjRSLxzAfN55jB3a9pP0PQ4OHFH8b4iDP6s=' " +
|
||||
" 'sha256-qnVkQSG7pWu17hBhIw0kCpfEB3XGvt0mNRa6+uM6OUU=' " +
|
||||
" 'sha256-qOdRsNZhtR+htazbcy7guQl3Cn1cqOw1FcE4d3llae0='; " +
|
||||
"Content-Security-Policy": "default-src 'none'; style-src " +
|
||||
"'sha256-spMkVDoBBY86p0RC1fBYwdnGyMypJM8eG57+p3VASyk=' " +
|
||||
"'sha256-qnVkQSG7pWu17hBhIw0kCpfEB3XGvt0mNRa6+uM6OUU=' " +
|
||||
"'sha256-qOdRsNZhtR+htazbcy7guQl3Cn1cqOw1FcE4d3llae0=';" +
|
||||
"img-src 'self';",
|
||||
"Referrer-Policy": "Same-origin",
|
||||
}
|
||||
|
@ -54,7 +54,8 @@ func (a *Authenticate) Handler() http.Handler {
|
|||
v := r.PathPrefix("/.pomerium").Subrouter()
|
||||
c := cors.New(cors.Options{
|
||||
AllowOriginRequestFunc: func(r *http.Request, _ string) bool {
|
||||
return middleware.ValidateRedirectURI(r, a.sharedKey)
|
||||
err := middleware.ValidateRequestURL(r, a.sharedKey)
|
||||
return err == nil
|
||||
},
|
||||
AllowCredentials: true,
|
||||
AllowedHeaders: []string{"*"},
|
||||
|
@ -111,71 +112,84 @@ func (a *Authenticate) refresh(w http.ResponseWriter, r *http.Request, s *sessio
|
|||
// RobotsTxt handles the /robots.txt route.
|
||||
func (a *Authenticate) RobotsTxt(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
fmt.Fprintf(w, "User-agent: *\nDisallow: /")
|
||||
}
|
||||
|
||||
// SignIn handles to authenticating a user.
|
||||
func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) {
|
||||
// grab and parse our redirect_uri
|
||||
redirectURL, err := urlutil.ParseAndValidateURL(r.FormValue("redirect_uri"))
|
||||
redirectURL, err := urlutil.ParseAndValidateURL(r.FormValue(urlutil.QueryRedirectURI))
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("malformed redirect_uri", http.StatusBadRequest, err))
|
||||
return
|
||||
}
|
||||
// create a clone of the redirect URI, unless this is a programmatic request
|
||||
// in which case we will redirect back to proxy's callback endpoint
|
||||
callbackURL, _ := urlutil.DeepCopy(redirectURL)
|
||||
|
||||
q := redirectURL.Query()
|
||||
jwtAudience := []string{a.RedirectURL.Hostname(), redirectURL.Hostname()}
|
||||
|
||||
if q.Get("pomerium_programmatic_destination_url") != "" {
|
||||
callbackURL, err = urlutil.ParseAndValidateURL(q.Get("pomerium_programmatic_destination_url"))
|
||||
var callbackURL *url.URL
|
||||
// if the callback is explicitly set, set it and add an additional audience
|
||||
if callbackStr := r.FormValue(urlutil.QueryCallbackURI); callbackStr != "" {
|
||||
callbackURL, err = urlutil.ParseAndValidateURL(callbackStr)
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusBadRequest, err))
|
||||
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
|
||||
return
|
||||
}
|
||||
jwtAudience = append(jwtAudience, callbackURL.Hostname())
|
||||
} else {
|
||||
// otherwise, assume callback is the same host as redirect
|
||||
callbackURL, _ = urlutil.DeepCopy(redirectURL)
|
||||
callbackURL.Path = "/.pomerium/callback/"
|
||||
callbackURL.RawQuery = ""
|
||||
}
|
||||
|
||||
// add an additional claim for the forward-auth host, if set
|
||||
if fwdAuth := r.FormValue(urlutil.QueryForwardAuth); fwdAuth != "" {
|
||||
jwtAudience = append(jwtAudience, fwdAuth)
|
||||
}
|
||||
|
||||
s, err := sessions.FromContext(r.Context())
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusBadRequest, err))
|
||||
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
|
||||
return
|
||||
}
|
||||
s.SetImpersonation(q.Get("impersonate_email"), q.Get("impersonate_group"))
|
||||
|
||||
newSession := s.NewSession(a.RedirectURL.Host, []string{a.RedirectURL.Host, callbackURL.Host})
|
||||
if q.Get("pomerium_programmatic_destination_url") != "" {
|
||||
s.SetImpersonation(r.FormValue(urlutil.QueryImpersonateEmail), r.FormValue(urlutil.QueryImpersonateGroups))
|
||||
|
||||
newSession := s.NewSession(a.RedirectURL.Host, jwtAudience)
|
||||
|
||||
callbackParams := callbackURL.Query()
|
||||
|
||||
if r.FormValue(urlutil.QueryIsProgrammatic) == "true" {
|
||||
newSession.Programmatic = true
|
||||
encSession, err := a.encryptedEncoder.Marshal(newSession)
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusBadRequest, err))
|
||||
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
|
||||
return
|
||||
}
|
||||
q.Set("pomerium_refresh_token", string(encSession))
|
||||
callbackParams.Set(urlutil.QueryRefreshToken, string(encSession))
|
||||
callbackParams.Set(urlutil.QueryIsProgrammatic, "true")
|
||||
}
|
||||
|
||||
// sign the route session, as a JWT
|
||||
signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession(DefaultSessionDuration))
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusBadRequest, err))
|
||||
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
|
||||
return
|
||||
}
|
||||
|
||||
// encrypt our route-based token JWT avoiding any accidental logging
|
||||
encryptedJWT := cryptutil.Encrypt(a.sharedCipher, signedJWT, nil)
|
||||
// base64 our encrypted payload for URL-friendlyness
|
||||
encodedJWT := base64.URLEncoding.EncodeToString(encryptedJWT)
|
||||
|
||||
// add our encoded and encrypted route-session JWT to a query param
|
||||
q.Set("pomerium_jwt", encodedJWT)
|
||||
|
||||
redirectURL.RawQuery = q.Encode()
|
||||
|
||||
callbackURL.Path = "/.pomerium/callback"
|
||||
callbackParams.Set(urlutil.QuerySessionEncrypted, encodedJWT)
|
||||
callbackParams.Set(urlutil.QueryRedirectURI, redirectURL.String())
|
||||
callbackURL.RawQuery = callbackParams.Encode()
|
||||
|
||||
// build our hmac-d redirect URL with our session, pointing back to the
|
||||
// proxy's callback URL which is responsible for setting our new route-session
|
||||
uri := urlutil.SignedRedirectURL(a.sharedKey, callbackURL, redirectURL)
|
||||
uri := urlutil.NewSignedURL(a.sharedKey, callbackURL)
|
||||
httputil.Redirect(w, r, uri.String(), http.StatusFound)
|
||||
}
|
||||
|
||||
|
@ -193,7 +207,7 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) {
|
|||
httputil.ErrorResponse(w, r, httputil.Error("could not revoke user session", http.StatusBadRequest, err))
|
||||
return
|
||||
}
|
||||
redirectURL, err := urlutil.ParseAndValidateURL(r.FormValue("redirect_uri"))
|
||||
redirectURL, err := urlutil.ParseAndValidateURL(r.FormValue(urlutil.QueryRedirectURI))
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("malformed redirect_uri", http.StatusBadRequest, err))
|
||||
return
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue