sessions: check idp id to detect provider changes to force session invalidation (#3707)

* sessions: check idp id to detect provider changes to force session invalidation

* remove dead code

* fix test

config/identity.go

@@ -1,14 +1,16 @@
 package config
 
 import (
+	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/grpc/identity"
 )
 
 // GetIdentityProviderForID returns the identity provider associated with the given IDP id.
 // If none is found the default provider is returned.
 func (o *Options) GetIdentityProviderForID(idpID string) (*identity.Provider, error) {
-	for _, policy := range o.GetAllPolicies() {
-		idp, err := o.GetIdentityProviderForPolicy(&policy) //nolint
+	for _, p := range o.GetAllPolicies() {
+		p := p
+		idp, err := o.GetIdentityProviderForPolicy(&p)
 		if err != nil {
 			return nil, err
 		}
@@ -48,3 +50,19 @@ func (o *Options) GetIdentityProviderForPolicy(policy *Policy) (*identity.Provid
 	idp.Id = idp.Hash()
 	return idp, nil
 }
+
+// GetIdentityProviderForRequestURL gets the identity provider associated with the given request URL.
+func (o *Options) GetIdentityProviderForRequestURL(requestURL string) (*identity.Provider, error) {
+	u, err := urlutil.ParseAndValidateURL(requestURL)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, p := range o.GetAllPolicies() {
+		p := p
+		if p.Matches(*u) {
+			return o.GetIdentityProviderForPolicy(&p)
+		}
+	}
+	return o.GetIdentityProviderForPolicy(nil)
+}

config/session.go

@@ -0,0 +1,83 @@
+package config
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/pomerium/pomerium/internal/encoding"
+	"github.com/pomerium/pomerium/internal/encoding/jws"
+	"github.com/pomerium/pomerium/internal/sessions"
+	"github.com/pomerium/pomerium/internal/sessions/cookie"
+	"github.com/pomerium/pomerium/internal/sessions/header"
+	"github.com/pomerium/pomerium/internal/sessions/queryparam"
+	"github.com/pomerium/pomerium/internal/urlutil"
+)
+
+// A SessionStore saves and loads sessions based on the options.
+type SessionStore struct {
+	options *Options
+	encoder encoding.MarshalUnmarshaler
+	loader  sessions.SessionLoader
+}
+
+// NewSessionStore creates a new SessionStore from the Options.
+func NewSessionStore(options *Options) (*SessionStore, error) {
+	store := &SessionStore{
+		options: options,
+	}
+
+	sharedKey, err := options.GetSharedKey()
+	if err != nil {
+		return nil, fmt.Errorf("config/sessions: shared_key is required: %w", err)
+	}
+
+	store.encoder, err = jws.NewHS256Signer(sharedKey)
+	if err != nil {
+		return nil, fmt.Errorf("config/sessions: invalid session encoder: %w", err)
+	}
+
+	cookieStore, err := cookie.NewStore(func() cookie.Options {
+		return cookie.Options{
+			Name:     options.CookieName,
+			Domain:   options.CookieDomain,
+			Secure:   options.CookieSecure,
+			HTTPOnly: options.CookieHTTPOnly,
+			Expire:   options.CookieExpire,
+		}
+	}, store.encoder)
+	if err != nil {
+		return nil, err
+	}
+	headerStore := header.NewStore(store.encoder)
+	queryParamStore := queryparam.NewStore(store.encoder, urlutil.QuerySession)
+	store.loader = sessions.MultiSessionLoader(cookieStore, headerStore, queryParamStore)
+
+	return store, nil
+}
+
+// LoadSessionState loads the session state from a request.
+func (store *SessionStore) LoadSessionState(r *http.Request) (*sessions.State, error) {
+	rawJWT, err := store.loader.LoadSession(r)
+	if err != nil {
+		return nil, err
+	}
+
+	var state sessions.State
+	err = store.encoder.Unmarshal([]byte(rawJWT), &state)
+	if err != nil {
+		return nil, err
+	}
+
+	// confirm that the identity provider id matches the state
+	idp, err := store.options.GetIdentityProviderForRequestURL(urlutil.GetAbsoluteURL(r).String())
+	if err != nil {
+		return nil, err
+	}
+
+	if idp.GetId() != state.IdentityProviderID {
+		return nil, fmt.Errorf("unexpected session state identity provider id: %s != %s",
+			idp.GetId(), state.IdentityProviderID)
+	}
+
+	return &state, nil
+}

config/session_test.go

@@ -0,0 +1,128 @@
+package config
+
+import (
+	"encoding/base64"
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pomerium/pomerium/internal/encoding/jws"
+	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/sessions"
+	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/cryptutil"
+)
+
+func TestSessionStore_LoadSessionState(t *testing.T) {
+	t.Parallel()
+
+	sharedKey := cryptutil.NewKey()
+	options := NewDefaultOptions()
+	options.SharedKey = base64.StdEncoding.EncodeToString(sharedKey)
+	options.Provider = "oidc"
+	options.ProviderURL = "https://oidc.example.com"
+	options.ClientID = "client_id"
+	options.ClientSecret = "client_secret"
+	options.Policies = append(options.Policies,
+		Policy{
+			From:            "https://p1.example.com",
+			To:              mustParseWeightedURLs(t, "https://p1"),
+			IDPClientID:     "client_id_1",
+			IDPClientSecret: "client_secret_1",
+		},
+		Policy{
+			From:            "https://p2.example.com",
+			To:              mustParseWeightedURLs(t, "https://p2"),
+			IDPClientID:     "client_id_2",
+			IDPClientSecret: "client_secret_2",
+		})
+	require.NoError(t, options.Validate())
+
+	store, err := NewSessionStore(options)
+	require.NoError(t, err)
+
+	idp1, err := options.GetIdentityProviderForPolicy(nil)
+	require.NoError(t, err)
+	require.NotNil(t, idp1)
+
+	idp2, err := options.GetIdentityProviderForPolicy(&options.Policies[0])
+	require.NoError(t, err)
+	require.NotNil(t, idp2)
+
+	idp3, err := options.GetIdentityProviderForPolicy(&options.Policies[1])
+	require.NoError(t, err)
+	require.NotNil(t, idp3)
+
+	makeJWS := func(t *testing.T, state *sessions.State) string {
+		e, err := jws.NewHS256Signer(sharedKey)
+		require.NoError(t, err)
+
+		rawJWS, err := e.Marshal(state)
+		require.NoError(t, err)
+
+		return string(rawJWS)
+	}
+
+	t.Run("mssing", func(t *testing.T) {
+		r, err := http.NewRequest(http.MethodGet, "https://p1.example.com", nil)
+		require.NoError(t, err)
+		s, err := store.LoadSessionState(r)
+		assert.ErrorIs(t, err, sessions.ErrNoSessionFound)
+		assert.Nil(t, s)
+	})
+	t.Run("query", func(t *testing.T) {
+		rawJWS := makeJWS(t, &sessions.State{
+			Issuer:             "authenticate.example.com",
+			ID:                 "example",
+			IdentityProviderID: idp2.GetId(),
+		})
+
+		r, err := http.NewRequest(http.MethodGet, "https://p1.example.com?"+url.Values{
+			urlutil.QuerySession: {rawJWS},
+		}.Encode(), nil)
+		require.NoError(t, err)
+		s, err := store.LoadSessionState(r)
+		assert.NoError(t, err)
+		assert.Empty(t, cmp.Diff(&sessions.State{
+			Issuer:             "authenticate.example.com",
+			ID:                 "example",
+			IdentityProviderID: idp2.GetId(),
+		}, s))
+	})
+	t.Run("header", func(t *testing.T) {
+		rawJWS := makeJWS(t, &sessions.State{
+			Issuer:             "authenticate.example.com",
+			ID:                 "example",
+			IdentityProviderID: idp3.GetId(),
+		})
+
+		r, err := http.NewRequest(http.MethodGet, "https://p2.example.com", nil)
+		require.NoError(t, err)
+		r.Header.Set(httputil.HeaderPomeriumAuthorization, rawJWS)
+		s, err := store.LoadSessionState(r)
+		assert.NoError(t, err)
+		assert.Empty(t, cmp.Diff(&sessions.State{
+			Issuer:             "authenticate.example.com",
+			ID:                 "example",
+			IdentityProviderID: idp3.GetId(),
+		}, s))
+	})
+	t.Run("wrong idp", func(t *testing.T) {
+		rawJWS := makeJWS(t, &sessions.State{
+			Issuer:             "authenticate.example.com",
+			ID:                 "example",
+			IdentityProviderID: idp1.GetId(),
+		})
+
+		r, err := http.NewRequest(http.MethodGet, "https://p2.example.com", nil)
+		require.NoError(t, err)
+		r.Header.Set(httputil.HeaderPomeriumAuthorization, rawJWS)
+		s, err := store.LoadSessionState(r)
+		assert.Error(t, err)
+		assert.Nil(t, s)
+	})
+}