authorize: use opa for policy engine (#474)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Bobby DeSimone 2020-02-02 11:18:22 -08:00 committed by GitHub
parent 111aa8f4d5
commit 2f13488598
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
45 changed files with 1022 additions and 872 deletions


@ -176,7 +176,8 @@ func New(opts config.Options) (*Proxy, error) {
return p, err
}
// UpdateOptions updates internal structures based on config.Options
// UpdateOptions implements the OptionsUpdater interface and updates internal
// structures based on config.Options
func (p *Proxy) UpdateOptions(o config.Options) error {
if p == nil {
return nil
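Review bot: The rewritten doc comment on UpdateOptions does not mention the nil-receiver branch directly beneath it, where a nil *Proxy returns nil without applying the options, so a caller of the OptionsUpdater interface cannot distinguish a dropped update from an applied one. Since this is the path that applies new policy configuration, the silent no-op belongs in the contract; I would append `// A nil receiver is a no-op and returns nil.` to the comment, or, if that behavior is unintended, return an error there instead. The body of UpdateOptions continues outside the hunk.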
@ -273,12 +274,13 @@ func (p *Proxy) reverseProxyHandler(r *mux.Router, policy config.Policy) (*mux.R
// 4. Retrieve the user session and add it to the request context
rp.Use(sessions.RetrieveSession(p.sessionLoaders...))
// 5. Strip the user session cookie from the downstream request
rp.Use(middleware.StripCookie(p.cookieOptions.Name))
// 6. AuthN - Verify the user is authenticated. Set email, group, & id headers
// 5. AuthN - Verify the user is authenticated. Set email, group, & id headers
rp.Use(p.AuthenticateSession)
// 7. AuthZ - Verify the user is authorized for route
// 6. AuthZ - Verify the user is authorized for route
rp.Use(p.AuthorizeSession)
// 7. Strip the user session cookie from the downstream request
rp.Use(middleware.StripCookie(p.cookieOptions.Name))
// Optional: Add a signed JWT attesting to the user's id, email, and group
if len(p.signingKey) != 0 {
signer, err := jws.NewES256Signer(p.signingKey, policy.Destination.Host)