3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 10:56:28 +02:00
Code Issues Projects Releases Packages Wiki Activity

make the session id per-idp

Browse source
This commit is contained in:
Caleb Doxsey 2025-02-18 08:24:11 -07:00
parent 1908ca2697
commit 244d8a9260
2 changed files with 24 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
config/session.go
View file

@ -2,7 +2,6 @@ package config
import ( import (
"context" "context"
"encoding/binary"
"fmt" "fmt"
"net/http" "net/http"
"strings" "strings"
@ -22,6 +21,7 @@ import (
"github.com/pomerium/pomerium/internal/urlutil" "github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/authenticateapi" "github.com/pomerium/pomerium/pkg/authenticateapi"
"github.com/pomerium/pomerium/pkg/grpc/databroker" "github.com/pomerium/pomerium/pkg/grpc/databroker"
identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
"github.com/pomerium/pomerium/pkg/grpc/session" "github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user" "github.com/pomerium/pomerium/pkg/grpc/user"
"github.com/pomerium/pomerium/pkg/grpcutil" "github.com/pomerium/pomerium/pkg/grpcutil"
@ -173,7 +173,12 @@ func (c *incomingIDPTokenSessionCreator) createSessionAccessToken(
policy *Policy, policy *Policy,
rawAccessToken string, rawAccessToken string,
) (*session.Session, error) { ) (*session.Session, error) {
sessionID := getAccessTokenSessionID(policy, rawAccessToken) idp, err := cfg.Options.GetIdentityProviderForPolicy(policy)
if err != nil {
return nil, fmt.Errorf("error getting identity provider to verify access token: %w", err)
}
sessionID := getAccessTokenSessionID(idp, rawAccessToken)
s, err := c.getSession(ctx, sessionID) s, err := c.getSession(ctx, sessionID)
if err == nil { if err == nil {
return s, nil return s, nil
@ -181,11 +186,6 @@ func (c *incomingIDPTokenSessionCreator) createSessionAccessToken(
return nil, err return nil, err
} }
idp, err := cfg.Options.GetIdentityProviderForPolicy(policy)
if err != nil {
return nil, fmt.Errorf("error getting identity provider to verify access token: %w", err)
}
authenticateURL, transport, err := cfg.resolveAuthenticateURL() authenticateURL, transport, err := cfg.resolveAuthenticateURL()
if err != nil { if err != nil {
return nil, fmt.Errorf("error resolving authenticate url to verify access token: %w", err) return nil, fmt.Errorf("error resolving authenticate url to verify access token: %w", err)
@ -222,7 +222,12 @@ func (c *incomingIDPTokenSessionCreator) createSessionForIdentityToken(
policy *Policy, policy *Policy,
rawIdentityToken string, rawIdentityToken string,
) (*session.Session, error) { ) (*session.Session, error) {
sessionID := getIdentityTokenSessionID(policy, rawIdentityToken) idp, err := cfg.Options.GetIdentityProviderForPolicy(policy)
if err != nil {
return nil, fmt.Errorf("error getting identity provider to verify identity token: %w", err)
}
sessionID := getIdentityTokenSessionID(idp, rawIdentityToken)
s, err := c.getSession(ctx, sessionID) s, err := c.getSession(ctx, sessionID)
if err == nil { if err == nil {
return s, nil return s, nil
@ -230,11 +235,6 @@ func (c *incomingIDPTokenSessionCreator) createSessionForIdentityToken(
return nil, err return nil, err
} }
idp, err := cfg.Options.GetIdentityProviderForPolicy(policy)
if err != nil {
return nil, fmt.Errorf("error getting identity provider to verify identity token: %w", err)
}
authenticateURL, transport, err := cfg.resolveAuthenticateURL() authenticateURL, transport, err := cfg.resolveAuthenticateURL()
if err != nil { if err != nil {
return nil, fmt.Errorf("error resolving authenticate url to verify identity token: %w", err) return nil, fmt.Errorf("error resolving authenticate url to verify identity token: %w", err)
@ -417,26 +417,22 @@ func (cfg *Config) GetIncomingIDPIdentityTokenForPolicy(policy *Policy, r *http.
var accessTokenUUIDNamespace = uuid.MustParse("0194f6f8-e760-76a0-8917-e28ac927a34d") var accessTokenUUIDNamespace = uuid.MustParse("0194f6f8-e760-76a0-8917-e28ac927a34d")
func getAccessTokenSessionID(policy *Policy, rawAccessToken string) string { func getAccessTokenSessionID(idp *identitypb.Provider, rawAccessToken string) string {
namespace := accessTokenUUIDNamespace namespace := accessTokenUUIDNamespace
// make the session ID per-route // make the session ID per-idp settings
if policy != nil { if idp != nil {
var data [8]byte namespace = uuid.NewSHA1(namespace, []byte(idp.GetId()))
binary.BigEndian.PutUint64(data[:], policy.MustRouteID())
namespace = uuid.NewSHA1(namespace, data[:])
} }
return uuid.NewSHA1(namespace, []byte(rawAccessToken)).String() return uuid.NewSHA1(namespace, []byte(rawAccessToken)).String()
} }
var identityTokenUUIDNamespace = uuid.MustParse("0194f6f9-aec0-704e-bb4a-51054f17ad17") var identityTokenUUIDNamespace = uuid.MustParse("0194f6f9-aec0-704e-bb4a-51054f17ad17")
func getIdentityTokenSessionID(policy *Policy, rawIdentityToken string) string { func getIdentityTokenSessionID(idp *identitypb.Provider, rawIdentityToken string) string {
namespace := identityTokenUUIDNamespace namespace := identityTokenUUIDNamespace
// make the session ID per-route // make the session ID per-idp settings
if policy != nil { if idp != nil {
var data [8]byte namespace = uuid.NewSHA1(namespace, []byte(idp.GetId()))
binary.BigEndian.PutUint64(data[:], policy.MustRouteID())
namespace = uuid.NewSHA1(namespace, data[:])
} }
return uuid.NewSHA1(namespace, []byte(rawIdentityToken)).String() return uuid.NewSHA1(namespace, []byte(rawIdentityToken)).String()
} }

11
config/session_test.go
View file

@ -19,6 +19,7 @@ import (
"github.com/pomerium/pomerium/internal/testutil" "github.com/pomerium/pomerium/internal/testutil"
"github.com/pomerium/pomerium/internal/urlutil" "github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/cryptutil" "github.com/pomerium/pomerium/pkg/cryptutil"
identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
"github.com/pomerium/pomerium/pkg/grpc/session" "github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user" "github.com/pomerium/pomerium/pkg/grpc/user"
"github.com/pomerium/pomerium/pkg/identity" "github.com/pomerium/pomerium/pkg/identity"
@ -177,14 +178,8 @@ func Test_getTokenSessionID(t *testing.T) {
assert.Equal(t, "532b0a3d-b413-50a0-8c9f-e6eb340a05d3", getAccessTokenSessionID(nil, "TOKEN")) assert.Equal(t, "532b0a3d-b413-50a0-8c9f-e6eb340a05d3", getAccessTokenSessionID(nil, "TOKEN"))
assert.Equal(t, "e0b8096c-54dd-5623-8098-5488f9c302db", getIdentityTokenSessionID(nil, "TOKEN")) assert.Equal(t, "e0b8096c-54dd-5623-8098-5488f9c302db", getIdentityTokenSessionID(nil, "TOKEN"))
assert.Equal(t, "c58990ec-85d4-5054-b27f-e7c5d9c602c5", getAccessTokenSessionID(&Policy{ assert.Equal(t, "9c99d1d0-805e-51cb-b808-772ab654268b", getAccessTokenSessionID(&identitypb.Provider{Id: "IDP1"}, "TOKEN"))
From: "https://from.example.com", assert.Equal(t, "0fe0e289-40bb-5ffe-b328-e290e043a652", getIdentityTokenSessionID(&identitypb.Provider{Id: "IDP1"}, "TOKEN"))
Response: &DirectResponse{Status: 204},
}, "TOKEN"))
assert.Equal(t, "4dff4540-493b-502a-bdec-2f346e6e480d", getIdentityTokenSessionID(&Policy{
From: "https://from.example.com",
Response: &DirectResponse{Status: 204},
}, "TOKEN"))
} }
func TestGetIncomingIDPAccessTokenForPolicy(t *testing.T) { func TestGetIncomingIDPAccessTokenForPolicy(t *testing.T) {