3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-19 09:38:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request from GHSA-pvrc-wvj2-f59p

Browse source 
* authorize: normalize URL query params

* config: enable envoy normalize_path option

* authorize: use route id from envoy for policy evaluation
This commit is contained in:
Kenneth Jenkins 2023-05-26 13:34:21 -07:00 committed by GitHub
parent 32985aabe6
commit 2bc2be793f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 255 additions and 208 deletions
Download patch file Download diff file Expand all files Collapse all files

1
config/envoyconfig/listeners.go
View file

@ -386,6 +386,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
SkipXffAppend: options.SkipXffAppend,
XffNumTrustedHops: options.XffNumTrustedHops,
LocalReplyConfig: b.buildLocalReplyConfig(options, requireStrictTransportSecurity),
NormalizePath: wrapperspb.Bool(true),
}), nil
}

103
config/envoyconfig/listeners_test.go
View file

@ -215,6 +215,7 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
}
}
],
"normalizePath": true,
"requestTimeout": "30s",
"routeConfig": {
"name": "main",
@ -244,15 +245,6 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
}
}],
"routes": [
{
"name": "pomerium-path-/.pomerium/jwt",
"match": {
"path": "/.pomerium/jwt"
},
"route": {
"cluster": "pomerium-control-plane-http"
}
},
{
"name": "pomerium-path-/ping",
"match": {
@ -264,7 +256,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -279,7 +275,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -294,7 +294,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -309,7 +313,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -324,7 +332,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -339,7 +351,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -354,7 +370,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
}
@ -385,15 +405,6 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
}
}],
"routes": [
{
"name": "pomerium-path-/.pomerium/jwt",
"match": {
"path": "/.pomerium/jwt"
},
"route": {
"cluster": "pomerium-control-plane-http"
}
},
{
"name": "pomerium-path-/ping",
"match": {
@ -405,7 +416,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -420,7 +435,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -435,7 +454,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -450,7 +473,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -465,7 +492,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -480,7 +511,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
},
@ -495,7 +530,11 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
}

43
config/envoyconfig/per_filter_config.go Normal file
View file

@ -0,0 +1,43 @@
package envoyconfig
import (
"strconv"
envoy_extensions_filters_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
"github.com/golang/protobuf/ptypes/any"
)
// PerFilterConfigExtAuthzName is the name of the ext authz filter to apply config to
const PerFilterConfigExtAuthzName = "envoy.filters.http.ext_authz"
// PerFilterConfigExtAuthzContextExtensions returns a per-filter config for ext authz that disables ext-authz.
func PerFilterConfigExtAuthzContextExtensions(authzContextExtensions map[string]string) *any.Any {
return marshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthzPerRoute{
Override: &envoy_extensions_filters_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
CheckSettings: &envoy_extensions_filters_http_ext_authz_v3.CheckSettings{
ContextExtensions: authzContextExtensions,
},
},
})
}
// PerFilterConfigExtAuthzDisabled returns a per-filter config for ext authz that disables ext-authz.
func PerFilterConfigExtAuthzDisabled() *any.Any {
return marshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthzPerRoute{
Override: &envoy_extensions_filters_http_ext_authz_v3.ExtAuthzPerRoute_Disabled{
Disabled: true,
},
})
}
// MakeExtAuthzContextExtensions makes the ext authz context extensions.
func MakeExtAuthzContextExtensions(internal bool, routeID uint64) map[string]string {
return map[string]string{
"internal": strconv.FormatBool(internal),
}
}
// ExtAuthzContextExtensionsIsInternal returns true if the context extensions indicates the route is internal.
func ExtAuthzContextExtensionsIsInternal(extAuthzContextExtensions map[string]string) bool {
return extAuthzContextExtensions != nil && extAuthzContextExtensions["internal"] == "true"
}

41
config/envoyconfig/routes.go
View file

@ -58,19 +58,16 @@ func (b *Builder) buildPomeriumHTTPRoutes(options *config.Options, domain string
}
if !isFrontingAuthenticate {
routes = append(routes,
// enable ext_authz
b.buildControlPlanePathRoute("/.pomerium/jwt", true),
// disable ext_authz and passthrough to proxy handlers
b.buildControlPlanePathRoute("/ping", false),
b.buildControlPlanePathRoute("/healthz", false),
b.buildControlPlanePathRoute("/.pomerium", false),
b.buildControlPlanePrefixRoute("/.pomerium/", false),
b.buildControlPlanePathRoute("/.well-known/pomerium", false),
b.buildControlPlanePrefixRoute("/.well-known/pomerium/", false),
b.buildControlPlanePathRoute("/ping"),
b.buildControlPlanePathRoute("/healthz"),
b.buildControlPlanePathRoute("/.pomerium"),
b.buildControlPlanePrefixRoute("/.pomerium/"),
b.buildControlPlanePathRoute("/.well-known/pomerium"),
b.buildControlPlanePrefixRoute("/.well-known/pomerium/"),
)
// per #837, only add robots.txt if there are no unauthenticated routes
if !hasPublicPolicyMatchingURL(options, url.URL{Scheme: "https", Host: domain, Path: "/robots.txt"}) {
routes = append(routes, b.buildControlPlanePathRoute("/robots.txt", false))
routes = append(routes, b.buildControlPlanePathRoute("/robots.txt"))
}
}
// if we're handling authentication, add the oauth2 callback url
@ -80,8 +77,8 @@ func (b *Builder) buildPomeriumHTTPRoutes(options *config.Options, domain string
}
if config.IsAuthenticate(options.Services) && hostMatchesDomain(authenticateURL, domain) {
routes = append(routes,
b.buildControlPlanePathRoute(options.AuthenticateCallbackPath, false),
b.buildControlPlanePathRoute("/", false),
b.buildControlPlanePathRoute(options.AuthenticateCallbackPath),
b.buildControlPlanePathRoute("/"),
)
}
// if we're the proxy and this is the forward-auth url
@ -164,7 +161,7 @@ func (b *Builder) buildControlPlanePathAndQueryRoute(path string, queryparams []
}, nil
}
func (b *Builder) buildControlPlanePathRoute(path string, protected bool) *envoy_config_route_v3.Route {
func (b *Builder) buildControlPlanePathRoute(path string) *envoy_config_route_v3.Route {
r := &envoy_config_route_v3.Route{
Name: "pomerium-path-" + path,
Match: &envoy_config_route_v3.RouteMatch{
@ -177,16 +174,14 @@ func (b *Builder) buildControlPlanePathRoute(path string, protected bool) *envoy
},
},
},
}
if !protected {
r.TypedPerFilterConfig = map[string]*any.Any{
"envoy.filters.http.ext_authz": disableExtAuthz,
}
TypedPerFilterConfig: map[string]*any.Any{
PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzContextExtensions(MakeExtAuthzContextExtensions(true, 0)),
},
}
return r
}
func (b *Builder) buildControlPlanePrefixRoute(prefix string, protected bool) *envoy_config_route_v3.Route {
func (b *Builder) buildControlPlanePrefixRoute(prefix string) *envoy_config_route_v3.Route {
r := &envoy_config_route_v3.Route{
Name: "pomerium-prefix-" + prefix,
Match: &envoy_config_route_v3.RouteMatch{
@ -199,11 +194,9 @@ func (b *Builder) buildControlPlanePrefixRoute(prefix string, protected bool) *e
},
},
},
}
if !protected {
r.TypedPerFilterConfig = map[string]*any.Any{
"envoy.filters.http.ext_authz": disableExtAuthz,
}
TypedPerFilterConfig: map[string]*any.Any{
PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzContextExtensions(MakeExtAuthzContextExtensions(true, 0)),
},
}
return r
}

87
config/envoyconfig/routes_test.go
View file

@ -54,28 +54,26 @@ func Test_buildGRPCRoutes(t *testing.T) {
func Test_buildPomeriumHTTPRoutes(t *testing.T) {
b := &Builder{filemgr: filemgr.NewManager()}
routeString := func(typ, name string, protected bool) string {
str := `{
routeString := func(typ, name string) string {
return `{
"name": "pomerium-` + typ + `-` + name + `",
"match": {
"` + typ + `": "` + name + `"
},
"route": {
"cluster": "pomerium-control-plane-http"
}
`
if !protected {
str += `,
},
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
`
}
str += "}"
return str
}
}`
}
t.Run("authenticate", func(t *testing.T) {
options := &config.Options{
@ -88,16 +86,15 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
require.NoError(t, err)
testutil.AssertProtoJSONEqual(t, `[
`+routeString("path", "/.pomerium/jwt", true)+`,
`+routeString("path", "/ping", false)+`,
`+routeString("path", "/healthz", false)+`,
`+routeString("path", "/.pomerium", false)+`,
`+routeString("prefix", "/.pomerium/", false)+`,
`+routeString("path", "/.well-known/pomerium", false)+`,
`+routeString("prefix", "/.well-known/pomerium/", false)+`,
`+routeString("path", "/robots.txt", false)+`,
`+routeString("path", "/oauth2/callback", false)+`,
`+routeString("path", "/", false)+`
`+routeString("path", "/ping")+`,
`+routeString("path", "/healthz")+`,
`+routeString("path", "/.pomerium")+`,
`+routeString("prefix", "/.pomerium/")+`,
`+routeString("path", "/.well-known/pomerium")+`,
`+routeString("prefix", "/.well-known/pomerium/")+`,
`+routeString("path", "/robots.txt")+`,
`+routeString("path", "/oauth2/callback")+`,
`+routeString("path", "/")+`
]`, routes)
})
t.Run("proxy fronting authenticate", func(t *testing.T) {
@ -127,14 +124,13 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
require.NoError(t, err)
testutil.AssertProtoJSONEqual(t, `[
`+routeString("path", "/.pomerium/jwt", true)+`,
`+routeString("path", "/ping", false)+`,
`+routeString("path", "/healthz", false)+`,
`+routeString("path", "/.pomerium", false)+`,
`+routeString("prefix", "/.pomerium/", false)+`,
`+routeString("path", "/.well-known/pomerium", false)+`,
`+routeString("prefix", "/.well-known/pomerium/", false)+`,
`+routeString("path", "/robots.txt", false)+`
`+routeString("path", "/ping")+`,
`+routeString("path", "/healthz")+`,
`+routeString("path", "/.pomerium")+`,
`+routeString("prefix", "/.pomerium/")+`,
`+routeString("path", "/.well-known/pomerium")+`,
`+routeString("prefix", "/.well-known/pomerium/")+`,
`+routeString("path", "/robots.txt")+`
]`, routes)
})
@ -155,20 +151,19 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
require.NoError(t, err)
testutil.AssertProtoJSONEqual(t, `[
`+routeString("path", "/.pomerium/jwt", true)+`,
`+routeString("path", "/ping", false)+`,
`+routeString("path", "/healthz", false)+`,
`+routeString("path", "/.pomerium", false)+`,
`+routeString("prefix", "/.pomerium/", false)+`,
`+routeString("path", "/.well-known/pomerium", false)+`,
`+routeString("prefix", "/.well-known/pomerium/", false)+`
`+routeString("path", "/ping")+`,
`+routeString("path", "/healthz")+`,
`+routeString("path", "/.pomerium")+`,
`+routeString("prefix", "/.pomerium/")+`,
`+routeString("path", "/.well-known/pomerium")+`,
`+routeString("prefix", "/.well-known/pomerium/")+`
]`, routes)
})
}
func Test_buildControlPlanePathRoute(t *testing.T) {
b := &Builder{filemgr: filemgr.NewManager()}
route := b.buildControlPlanePathRoute("/hello/world", false)
route := b.buildControlPlanePathRoute("/hello/world")
testutil.AssertProtoJSONEqual(t, `
{
"name": "pomerium-path-/hello/world",
@ -181,7 +176,11 @@ func Test_buildControlPlanePathRoute(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
}
@ -190,7 +189,7 @@ func Test_buildControlPlanePathRoute(t *testing.T) {
func Test_buildControlPlanePrefixRoute(t *testing.T) {
b := &Builder{filemgr: filemgr.NewManager()}
route := b.buildControlPlanePrefixRoute("/hello/world/", false)
route := b.buildControlPlanePrefixRoute("/hello/world/")
testutil.AssertProtoJSONEqual(t, `
{
"name": "pomerium-prefix-/hello/world/",
@ -203,7 +202,11 @@ func Test_buildControlPlanePrefixRoute(t *testing.T) {
"typedPerFilterConfig": {
"envoy.filters.http.ext_authz": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
"disabled": true
"checkSettings": {
"contextExtensions": {
"internal": "true"
}
}
}
}
}

4
config/policy_ppl.go
View file

@ -13,10 +13,6 @@ func (p *Policy) ToPPL() *parser.Policy {
ppl := &parser.Policy{}
allowRule := parser.Rule{Action: parser.ActionAllow}
allowRule.Or = append(allowRule.Or,
parser.Criterion{
Name: "pomerium_routes",
})
if p.AllowPublicUnauthenticatedAccess {
allowRule.Or = append(allowRule.Or,
parser.Criterion{

11
config/policy_ppl_test.go
View file

@ -57,15 +57,6 @@ default allow = [false, set()]
default deny = [false, set()]
pomerium_routes_0 = [true, {"pomerium-route"}] {
contains(input.http.url, "/.pomerium/")
not contains(input.http.url, "/.pomerium/jwt")
}
else = [false, {"non-pomerium-route"}] {
true
}
accept_0 = [true, {"accept"}]
cors_preflight_0 = [true, {"cors-request"}] {
@ -413,7 +404,7 @@ else = [false, {"user-unauthenticated"}] {
}
or_0 = v {
results := [pomerium_routes_0, accept_0, cors_preflight_0, authenticated_user_0, domain_0, domain_1, domain_2, domain_3, domain_4, claim_0, claim_1, claim_2, claim_3, user_0, email_0, user_1, email_1, user_2, email_2, user_3, email_3, user_4, email_4]
results := [accept_0, cors_preflight_0, authenticated_user_0, domain_0, domain_1, domain_2, domain_3, domain_4, claim_0, claim_1, claim_2, claim_3, user_0, email_0, user_1, email_1, user_2, email_2, user_3, email_3, user_4, email_4]
normalized := [normalize_criterion_result(x) | x := results[i]]
v := merge_with_or(normalized)
}