authenticate: make session default match IDP (#416)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone 2019-12-04 22:22:10 -08:00 committed by GitHub
parent 59f1838996
commit 487fc655d6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 10 additions and 16 deletions


@ -7,7 +7,6 @@ import (
"fmt" "fmt"
"html/template" "html/template"
"net/url" "net/url"
"time"
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/cryptutil" "github.com/pomerium/pomerium/internal/cryptutil"
@ -22,10 +21,6 @@ import (
const callbackPath = "/oauth2/callback" const callbackPath = "/oauth2/callback"
// DefaultSessionDuration is the default time a managed route session is
// valid for.
var DefaultSessionDuration = time.Minute * 10
// ValidateOptions checks that configuration are complete and valid. // ValidateOptions checks that configuration are complete and valid.
// Returns on first error found. // Returns on first error found.
func ValidateOptions(o config.Options) error { func ValidateOptions(o config.Options) error {


@ -44,6 +44,9 @@ func (a *Authenticate) Handler() http.Handler {
c := cors.New(cors.Options{ c := cors.New(cors.Options{
AllowOriginRequestFunc: func(r *http.Request, _ string) bool { AllowOriginRequestFunc: func(r *http.Request, _ string) bool {
err := middleware.ValidateRequestURL(r, a.sharedKey) err := middleware.ValidateRequestURL(r, a.sharedKey)
if err != nil {
log.FromRequest(r).Info().Err(err).Msg("authenticate: origin blocked")
}
return err == nil return err == nil
}, },
AllowCredentials: true, AllowCredentials: true,
@ -167,7 +170,7 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) {
} }
// sign the route session, as a JWT // sign the route session, as a JWT
signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession(DefaultSessionDuration)) signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession())
if err != nil { if err != nil {
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err)) httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
return return
@ -333,7 +336,7 @@ func (a *Authenticate) RefreshAPI(w http.ResponseWriter, r *http.Request) {
return return
} }
signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession(DefaultSessionDuration)) signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession())
if err != nil { if err != nil {
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusInternalServerError, err)) httputil.ErrorResponse(w, r, httputil.Error("", http.StatusInternalServerError, err))
return return
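Review bot: The new origin-rejection log in Handler's AllowOriginRequestFunc is written at Info level, which puts a blocked cross-origin request on the same footing as routine request logging and makes it easy to filter out of alerting. A rejected origin is a signal a defender wants to notice, so `log.FromRequest(r).Warn().Err(err).Msg("authenticate: origin blocked")` is the more appropriate level. Handler's body, and the cors.Options literal it builds, continue outside the hunk; the SignIn and RefreshAPI hunks in this section only drop the validity argument, and the consequence of that change is raised on the sessions/state.go hunk where RouteSession is defined.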


@ -108,10 +108,8 @@ func (s State) NewSession(issuer string, audience []string) *State {
return &s return &s
} }
// RouteSession creates a route session with access tokens stripped and a // RouteSession creates a route session with access tokens stripped.
// custom validity period. func (s State) RouteSession() *State {
func (s State) RouteSession(validity time.Duration) *State {
s.Expiry = jwt.NewNumericDate(timeNow().Add(validity))
s.AccessToken = nil s.AccessToken = nil
return &s return &s
} }
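Review bot: The new RouteSession no longer touches Expiry, so a route session is valid for whatever expiry the State already carries when it is called — presumably the IdP-derived expiry set by NewSession, whose body lies above this hunk — and the fixed caps the callers used to pass (10 minutes in authenticate SignIn and RefreshAPI, 1 minute in proxy SignRequest) are gone. Those caps bounded how long a signed route JWT stayed usable independently of the IdP session, so the new contract should be stated in the doc comment rather than left implied by the removed parameter: `// RouteSession creates a route session with access tokens stripped. It does not` / `// alter Expiry: the route session is valid for as long as the parent session.` If State.Expiry can be nil at this point, the result is now a route session with no expiry at all; either a guard here or a test pinning that case is worth adding.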


@ -99,11 +99,10 @@ func TestState_RouteSession(t *testing.T) {
issuer string issuer string
audience []string audience []string
validity time.Duration
want *State want *State
}{ }{
{"good", "authenticate.x.y.z", []string{"http.x.y.z"}, jwt.NewNumericDate(timeNow()), nil, "authenticate.a.b.c", []string{"http.a.b.c"}, 20 * time.Second, &State{Issuer: "authenticate.a.b.c", Audience: []string{"http.a.b.c"}, NotBefore: jwt.NewNumericDate(timeNow()), IssuedAt: jwt.NewNumericDate(timeNow()), Expiry: jwt.NewNumericDate(timeNow().Add(20 * time.Second))}}, {"good", "authenticate.x.y.z", []string{"http.x.y.z"}, jwt.NewNumericDate(timeNow()), nil, "authenticate.a.b.c", []string{"http.a.b.c"}, &State{Issuer: "authenticate.a.b.c", Audience: []string{"http.a.b.c"}, NotBefore: jwt.NewNumericDate(timeNow()), IssuedAt: jwt.NewNumericDate(timeNow()), Expiry: jwt.NewNumericDate(timeNow())}},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
@ -117,7 +116,7 @@ func TestState_RouteSession(t *testing.T) {
cmpopts.IgnoreUnexported(State{}), cmpopts.IgnoreUnexported(State{}),
} }
got := s.NewSession(tt.issuer, tt.audience) got := s.NewSession(tt.issuer, tt.audience)
got = got.RouteSession(tt.validity) got = got.RouteSession()
if diff := cmp.Diff(got, tt.want, cmpOpts...); diff != "" { if diff := cmp.Diff(got, tt.want, cmpOpts...); diff != "" {
t.Errorf("State.RouteSession() = %s", diff) t.Errorf("State.RouteSession() = %s", diff)
} }
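Review bot: The single remaining case in TestState_RouteSession starts from a State whose Expiry is `jwt.NewNumericDate(timeNow())` and expects that same value back, so it cannot distinguish "RouteSession preserves Expiry" from "RouteSession resets Expiry to now" — which is exactly the behavior this commit changes. Add a case whose input expiry is offset from now, e.g. `jwt.NewNumericDate(timeNow().Add(time.Hour))` expected unchanged in want (re-adding the time import if dropping the validity column left it unused), and one with a nil Expiry to pin what a route session without an expiry looks like. The table's column order is inferred from the literal; the struct definition and the loop body lie outside the hunks.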


@ -3,7 +3,6 @@ package proxy // import "github.com/pomerium/pomerium/proxy"
import ( import (
"fmt" "fmt"
"net/http" "net/http"
"time"
"github.com/pomerium/pomerium/internal/encoding" "github.com/pomerium/pomerium/internal/encoding"
"github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/httputil"
@ -108,7 +107,7 @@ func (p *Proxy) SignRequest(signer encoding.Marshaler) func(next http.Handler) h
return return
} }
newSession := s.NewSession(r.Host, []string{r.Host}) newSession := s.NewSession(r.Host, []string{r.Host})
jwt, err := signer.Marshal(newSession.RouteSession(time.Minute)) jwt, err := signer.Marshal(newSession.RouteSession())
if err != nil { if err != nil {
log.FromRequest(r).Error().Err(err).Msg("proxy: failed signing jwt") log.FromRequest(r).Error().Err(err).Msg("proxy: failed signing jwt")
} else { } else {