cmd/pomerium: add check for service validity

proxy: update key check error message to check 32 bytes
authenticate: update key check error message to check 32 bytes
docs: update readme for clarity
Bobby DeSimone 2019-01-19 11:29:22 -08:00
parent 9404dafcf4
commit 2c7a7f2e02
No known key found for this signature in database
GPG key ID: AEE4CF12FE86D07E
6 changed files with 24 additions and 40 deletions


@ -1,4 +1,4 @@
<img height="175" src="./docs/.vuepress/public/logo.svg" alt="logo" align="right" >
<img height="100" src="./docs/.vuepress/public/logo.svg" alt="logo" align="right" >
# Pomerium
@ -11,8 +11,8 @@ Pomerium is a tool for managing secure access to internal applications and resou
Use Pomerium to:
- provide a unified gateway to internal corporate applications.
- enforce dynamic access policies based on context, identity, and device state.
- provide a unified gateway (reverse-proxy) to internal corporate applications.
- enforce dynamic access policy based on context, identity, and device state.
- deploy mutual authenticated encryption (mTLS).
- aggregate logging and telemetry data.


@ -94,20 +94,10 @@ func (o *Options) Validate() error {
}
decodedCookieSecret, err := base64.StdEncoding.DecodeString(o.CookieSecret)
if err != nil {
return fmt.Errorf("authenticate options: cookie secret invalid"+
"must be a base64-encoded, 256 bit key e.g. `head -c32 /dev/urandom | base64`"+
"got %q", err)
return fmt.Errorf("cookie secret is invalid base64: %v", err)
}
validCookieSecretLength := false
for _, i := range []int{32, 64} {
if len(decodedCookieSecret) == i {
validCookieSecretLength = true
}
}
if !validCookieSecretLength {
return fmt.Errorf("authenticate options: invalid cookie secret strength want"+
" 32 to 64 bytes, got %d bytes", len(decodedCookieSecret))
if len(decodedCookieSecret) != 32 {
return fmt.Errorf("cookie secret expects 32 bytes but got %d", len(decodedCookieSecret))
}
return nil
@ -127,9 +117,7 @@ type Authenticator struct {
SessionLifetimeTTL time.Duration
decodedCookieSecret []byte
templates *template.Template
// sesion related
csrfStore sessions.CSRFStore
sessionStore sessions.SessionStore
cipher cryptutil.Cipher
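Review bot: The decode-and-length check introduced at `if len(decodedCookieSecret) != 32 {` and the two error strings around it are duplicated word for word in the proxy Validate hunk (the last file section of this commit); the two copies had already drifted in the old code (different messages, one mentioning `head -c33`), and keeping them as two literal copies invites the same drift again. Consider moving the base64 decode plus the 32-byte check into a single helper, plausibly in the cryptutil package this file already imports, that both Validate methods call. The replaced message also dropped the one operator-facing hint the old text carried, how to produce a valid value; keeping it in the new length error costs one clause: `return fmt.Errorf("cookie secret expects 32 bytes but got %d; generate one with head -c32 /dev/urandom | base64", len(decodedCookieSecret))`. Validate begins before this hunk.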


@ -1,4 +1,4 @@
package main
package main // import "github.com/pomerium/pomerium/cmd/pomerium"
import (
"flag"
@ -18,7 +18,6 @@ import (
var (
debugFlag = flag.Bool("debug", false, "run server in debug mode, changes log output to STDOUT and level to info")
versionFlag = flag.Bool("version", false, "prints the version")
// validServics = []string{"all", "proxy", "authenticate"}
)
func main() {
@ -124,6 +123,9 @@ func optionsFromEnvConfig() (*Options, error) {
if err := envconfig.Process("", o); err != nil {
return nil, err
}
if !isValidService(o.Services) {
return nil, fmt.Errorf("%s is an invalid service type",o.Services)
}
return o, nil
}
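Review bot: The new check at `if !isValidService(o.Services) {` reports the rejected value with `%s`, so an empty or whitespace-only SERVICES value yields an error that starts with nothing visible; `%q` makes that case readable and keeps the check's output unambiguous in logs: `return nil, fmt.Errorf("%q is an invalid service type", o.Services)`. The same line is not gofmt-clean (no space after the comma in the argument list), which suggests the formatter was not run on this file before committing. isValidService is not defined in any hunk shown here, so it presumably lives elsewhere in the package; the values it accepts should match the ones the removed `validServics` comment listed (`all`, `proxy`, `authenticate`). optionsFromEnvConfig begins before this hunk.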


@ -1,4 +1,4 @@
package main
package main // import "github.com/pomerium/pomerium/cmd/pomerium"
import (
"os"
@ -19,6 +19,7 @@ func Test_optionsFromEnvConfig(t *testing.T) {
}{
{"good default with no env settings", defaultOptions, "", "", false},
{"good service", defaultOptions, "SERVICES", "all", false},
{"invalid service type", nil, "SERVICES", "invalid", true},
{"bad debug boolean", nil, "POMERIUM_DEBUG", "yes", true},
}
for _, tt := range tests {
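Review bot: The table gains only the rejecting case `{"invalid service type", nil, "SERVICES", "invalid", true}` next to `all`; the other values the removed comment in main.go listed as valid (`proxy`, `authenticate`) and an empty SERVICES string are not exercised, so a regression in isValidService for any of them would still pass. Two accepting rows for `proxy` and `authenticate` (with `wantErr` false and the expected options adjusted for the non-default Services value) plus one row for the empty string would pin the whole accepted set. The table-driven loop continues past this hunk.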


@ -7,9 +7,8 @@
* Grab Pomerium's included example [`docker-compose.yml`](https://raw.githubusercontent.com/pomerium/pomerium/master/docker-compose.yml) directly or by cloning the repository.
* Update `docker-compose.yml` to match your [identity provider] settings.
* Copy your subdomain's wild-card TLS certificate next to the compose file. If you don't have one handy, the included [script] generates one from [LetsEncrypt].
* Run docker compose by runnig the command `$ docker-compose up`.
* Included with Pomerium is two test apps [helloworld] and [httpbin]. Pomerium is configured to delegate access to both.
* Navigate to `hello.corp.example.com` or `httpbin.corp.example.com`. You should see something like the following in your browser and in your terminal.
* Run docker-compose by runnig the command `$ docker-compose up`.
* Pomerium is configured to delegate access to two test apps [helloworld] and [httpbin]. Navigate to `hello.corp.example.com` or `httpbin.corp.example.com`. You should see something like the following in your browser and in your terminal.
![Getting started](./get-started.gif)


@ -96,16 +96,10 @@ func (o *Options) Validate() error {
}
decodedCookieSecret, err := base64.StdEncoding.DecodeString(o.CookieSecret)
if err != nil {
return errors.New("cookie secret is invalid (e.g. `head -c32 /dev/urandom | base64`) ")
return fmt.Errorf("cookie secret is invalid base64: %v", err)
}
validCookieSecretLength := false
for _, i := range []int{32, 64} {
if len(decodedCookieSecret) == i {
validCookieSecretLength = true
}
}
if !validCookieSecretLength {
return fmt.Errorf("cookie secret is invalid, must be 32 or 64 bytes but got %d bytes (e.g. `head -c33 /dev/urandom | base64`) ", len(decodedCookieSecret))
if len(decodedCookieSecret) != 32 {
return fmt.Errorf("cookie secret expects 32 bytes but got %d", len(decodedCookieSecret))
}
return nil
}