cmd/pomerium: add check for service validity

proxy: update key check error message to check 32 bytes authenticate: update key check error message to check 32 bytes docs: update readme for clarity
2025-06-14 08:42:51 +02:00 · 2019-01-19 11:29:22 -08:00 · 2019-01-19 11:29:22 -08:00 · 2c7a7f2e02
commit 2c7a7f2e02
parent 9404dafcf4
6 changed files with 24 additions and 40 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-<img  height="175" src="./docs/.vuepress/public/logo.svg" alt="logo" align="right" >
+<img  height="100" src="./docs/.vuepress/public/logo.svg" alt="logo" align="right" >
 # Pomerium
@ -11,8 +11,8 @@ Pomerium is a tool for managing secure access to internal applications and resou
 Use Pomerium to:
- provide a unified gateway to internal corporate applications.
+- provide a unified gateway (reverse-proxy) to internal corporate applications.
- enforce dynamic access policies based on context, identity, and device state.
+- enforce dynamic access policy based on context, identity, and device state.
 - deploy mutual authenticated encryption (mTLS).
 - aggregate logging and telemetry data.
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -94,20 +94,10 @@ func (o *Options) Validate() error {
 	}
 	decodedCookieSecret, err := base64.StdEncoding.DecodeString(o.CookieSecret)
 	if err != nil {
-		return fmt.Errorf("authenticate options: cookie secret invalid"+
+		return fmt.Errorf("cookie secret is invalid base64: %v", err)
 			"must be a base64-encoded, 256 bit key e.g. `head -c32 /dev/urandom | base64`"+
 			"got %q", err)
 	}
-	validCookieSecretLength := false
+	if len(decodedCookieSecret) != 32 {
-	for _, i := range []int{32, 64} {
+		return fmt.Errorf("cookie secret expects 32 bytes but got %d", len(decodedCookieSecret))
 		if len(decodedCookieSecret) == i {
 			validCookieSecretLength = true
 		}
 	}
 	if !validCookieSecretLength {
 		return fmt.Errorf("authenticate options: invalid cookie secret strength want"+
 			" 32 to 64 bytes, got %d bytes", len(decodedCookieSecret))
 	}
 	return nil
@ -127,9 +117,7 @@ type Authenticator struct {
 	SessionLifetimeTTL time.Duration
 	decodedCookieSecret []byte
 	templates    *template.Template
 	// sesion related
 	csrfStore    sessions.CSRFStore
 	sessionStore sessions.SessionStore
 	cipher       cryptutil.Cipher
--- a/cmd/pomerium/main.go
+++ b/cmd/pomerium/main.go
@ -1,4 +1,4 @@
-package main
+package main // import "github.com/pomerium/pomerium/cmd/pomerium"
 import (
 	"flag"
@ -18,13 +18,12 @@ import (
 var (
 	debugFlag   = flag.Bool("debug", false, "run server in debug mode, changes log output to STDOUT and level to info")
 	versionFlag = flag.Bool("version", false, "prints the version")
 	// validServics = []string{"all", "proxy", "authenticate"}
 )
 func main() {
 	mainOpts, err := optionsFromEnvConfig()
 	if err != nil {
-		log.Fatal().Err(err).Msg("cmd/pomerium : failed to parse authenticator settings")
+		log.Fatal().Err(err).Msg("cmd/pomerium: failed to parse authenticator settings")
 	}
 	flag.Parse()
 	if *debugFlag || mainOpts.Debug {
@ -41,7 +40,7 @@ func main() {
 	if mainOpts.Services == "all" || mainOpts.Services == "authenticator" {
 		authOpts, err := authenticate.OptionsFromEnvConfig()
 		if err != nil {
-			log.Fatal().Err(err).Msg("cmd/pomerium : failed to parse authenticator settings")
+			log.Fatal().Err(err).Msg("cmd/pomerium: failed to parse authenticator settings")
 		}
 		emailValidator := func(p *authenticate.Authenticator) error {
 			p.Validator = options.NewEmailValidator(authOpts.AllowedDomains)
@ -50,7 +49,7 @@ func main() {
 		authenticator, err = authenticate.NewAuthenticator(authOpts, emailValidator)
 		if err != nil {
-			log.Fatal().Err(err).Msg("cmd/pomerium : failed to create authenticator")
+			log.Fatal().Err(err).Msg("cmd/pomerium: failed to create authenticator")
 		}
 		authHost = authOpts.RedirectURL.Host
 	}
@ -59,12 +58,12 @@ func main() {
 	if mainOpts.Services == "all" || mainOpts.Services == "proxy" {
 		proxyOpts, err := proxy.OptionsFromEnvConfig()
 		if err != nil {
-			log.Fatal().Err(err).Msg("cmd/pomerium : failed to parse proxy settings")
+			log.Fatal().Err(err).Msg("cmd/pomerium: failed to parse proxy settings")
 		}
 		p, err = proxy.NewProxy(proxyOpts)
 		if err != nil {
-			log.Fatal().Err(err).Msg("cmd/pomerium : failed to create proxy")
+			log.Fatal().Err(err).Msg("cmd/pomerium: failed to create proxy")
 		}
 	}
@ -87,7 +86,7 @@ func main() {
 		CertFile: mainOpts.CertFile,
 		KeyFile:  mainOpts.KeyFile,
 	}
-	log.Fatal().Err(https.ListenAndServeTLS(httpOpts, topMux)).Msg("cmd/pomerium : fatal")
+	log.Fatal().Err(https.ListenAndServeTLS(httpOpts, topMux)).Msg("cmd/pomerium: fatal")
 }
 // Options are the global environmental flags used to set up pomerium's services.
@ -124,6 +123,9 @@ func optionsFromEnvConfig() (*Options, error) {
 	if err := envconfig.Process("", o); err != nil {
 		return nil, err
 	}
 	if !isValidService(o.Services) {
 		return nil, fmt.Errorf("%s is an invalid service type",o.Services)
 	}
 	return o, nil
 }
--- a/cmd/pomerium/main_test.go
+++ b/cmd/pomerium/main_test.go
@ -1,4 +1,4 @@
-package main
+package main // import "github.com/pomerium/pomerium/cmd/pomerium"
 import (
 	"os"
@ -19,6 +19,7 @@ func Test_optionsFromEnvConfig(t *testing.T) {
 	}{
 		{"good default with no env settings", defaultOptions, "", "", false},
 		{"good service", defaultOptions, "SERVICES", "all", false},
 		{"invalid service type", nil, "SERVICES", "invalid", true},
 		{"bad debug boolean", nil, "POMERIUM_DEBUG", "yes", true},
 	}
 	for _, tt := range tests {
--- a/docs/guide/readme.md
+++ b/docs/guide/readme.md
@ -7,9 +7,8 @@
 * Grab Pomerium's included example [`docker-compose.yml`](https://raw.githubusercontent.com/pomerium/pomerium/master/docker-compose.yml) directly or by cloning the repository.
 * Update `docker-compose.yml` to match your [identity provider] settings. 
 * Copy your subdomain's wild-card TLS certificate next to the compose file. If you don't have one handy, the included [script] generates one from [LetsEncrypt].
-* Run docker compose by runnig the command `$ docker-compose up`. 
+* Run docker-compose by runnig the command `$ docker-compose up`. 
-* Included with Pomerium is two test apps [helloworld] and [httpbin]. Pomerium is configured to delegate access to both.
+* Pomerium is configured to delegate access to two test apps [helloworld] and [httpbin]. Navigate to `hello.corp.example.com` or `httpbin.corp.example.com`. You should see something like the following in your browser and in your terminal. 
 * Navigate to `hello.corp.example.com` or `httpbin.corp.example.com`. You should see something like the following in your browser and in your terminal. 
 ![Getting started](./get-started.gif)
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@ -96,16 +96,10 @@ func (o *Options) Validate() error {
 	}
 	decodedCookieSecret, err := base64.StdEncoding.DecodeString(o.CookieSecret)
 	if err != nil {
-		return errors.New("cookie secret is invalid (e.g. `head -c32 /dev/urandom | base64`) ")
+		return fmt.Errorf("cookie secret is invalid base64: %v", err)
 	}
-	validCookieSecretLength := false
+	if len(decodedCookieSecret) != 32 {
-	for _, i := range []int{32, 64} {
+		return fmt.Errorf("cookie secret expects 32 bytes but got %d", len(decodedCookieSecret))
 		if len(decodedCookieSecret) == i {
 			validCookieSecretLength = true
 		}
 	}
 	if !validCookieSecretLength {
 		return fmt.Errorf("cookie secret is invalid, must be 32 or 64 bytes but got %d bytes (e.g. `head -c33 /dev/urandom | base64`) ", len(decodedCookieSecret))
 	}
 	return nil
 }