authenticate: make session default match IDP (#416)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Bobby DeSimone 2019-12-04 22:22:10 -08:00 committed by Bobby DeSimone
parent 1b7b9162b6
commit 4d17d3ba59
No known key found for this signature in database
GPG key ID: AEE4CF12FE86D07E
5 changed files with 10 additions and 16 deletions


@ -7,7 +7,6 @@ import (
"fmt"
"html/template"
"net/url"
"time"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/cryptutil"
@ -22,10 +21,6 @@ import (
const callbackPath = "/oauth2/callback"
// DefaultSessionDuration is the default time a managed route session is
// valid for.
var DefaultSessionDuration = time.Minute * 10
// ValidateOptions checks that configuration are complete and valid.
// Returns on first error found.
func ValidateOptions(o config.Options) error {


@ -55,6 +55,9 @@ func (a *Authenticate) Handler() http.Handler {
c := cors.New(cors.Options{
AllowOriginRequestFunc: func(r *http.Request, _ string) bool {
err := middleware.ValidateRequestURL(r, a.sharedKey)
if err != nil {
log.FromRequest(r).Info().Err(err).Msg("authenticate: origin blocked")
}
return err == nil
},
AllowCredentials: true,
@ -171,7 +174,7 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) {
}
// sign the route session, as a JWT
signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession(DefaultSessionDuration))
signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession())
if err != nil {
httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
return
@ -337,7 +340,7 @@ func (a *Authenticate) RefreshAPI(w http.ResponseWriter, r *http.Request) {
return
}
signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession(DefaultSessionDuration))
signedJWT, err := a.sharedEncoder.Marshal(newSession.RouteSession())
if err != nil {
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusInternalServerError, err))
return
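Review bot: The new `newSession.RouteSession()` call in SignIn signs a route JWT whose `exp` is now whatever `Expiry` the session already carries, since the ten-minute `DefaultSessionDuration` bound is gone; the same holds for the RefreshAPI call in this file and for `SignRequest` in proxy/proxy.go, where the old bound was one minute. If that inherited `Expiry` can be nil (it looks like a pointer, given the `jwt.NewNumericDate` assignment that was removed from RouteSession) or sit far in the future, the route token now lives as long as the upstream session, so the code that verifies these tokens should treat a missing or zero `exp` as invalid rather than as "no expiry". Consider guarding before signing, e.g. `if newSession.Expiry == nil { httputil.ErrorResponse(w, r, httputil.Error("", http.StatusInternalServerError, errMissingExpiry)); return }` with a package-level sentinel error, though how `newSession` is built is outside the hunk. Both SignIn and RefreshAPI start and end outside the hunk.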


@ -108,10 +108,8 @@ func (s State) NewSession(issuer string, audience []string) *State {
return &s
}
// RouteSession creates a route session with access tokens stripped and a
// custom validity period.
func (s State) RouteSession(validity time.Duration) *State {
s.Expiry = jwt.NewNumericDate(timeNow().Add(validity))
// RouteSession creates a route session with access tokens stripped.
func (s State) RouteSession() *State {
s.AccessToken = nil
return &s
}
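Review bot: The new RouteSession doc comment no longer mentions what happens to the expiry, which is the behaviour this commit changes, so a reader cannot tell whether the omission is deliberate. Since the value receiver means the method works on a copy and only clears `AccessToken`, the comment should say so: `// RouteSession returns a copy of s with the access token stripped. The expiry is left unchanged, so the route session is valid for exactly as long as the IDP session it was derived from; callers must ensure Expiry is set before signing.` The last clause is a recommendation rather than something this hunk enforces.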


@ -99,11 +99,10 @@ func TestState_RouteSession(t *testing.T) {
issuer string
audience []string
validity time.Duration
want *State
}{
{"good", "authenticate.x.y.z", []string{"http.x.y.z"}, jwt.NewNumericDate(timeNow()), nil, "authenticate.a.b.c", []string{"http.a.b.c"}, 20 * time.Second, &State{Issuer: "authenticate.a.b.c", Audience: []string{"http.a.b.c"}, NotBefore: jwt.NewNumericDate(timeNow()), IssuedAt: jwt.NewNumericDate(timeNow()), Expiry: jwt.NewNumericDate(timeNow().Add(20 * time.Second))}},
{"good", "authenticate.x.y.z", []string{"http.x.y.z"}, jwt.NewNumericDate(timeNow()), nil, "authenticate.a.b.c", []string{"http.a.b.c"}, &State{Issuer: "authenticate.a.b.c", Audience: []string{"http.a.b.c"}, NotBefore: jwt.NewNumericDate(timeNow()), IssuedAt: jwt.NewNumericDate(timeNow()), Expiry: jwt.NewNumericDate(timeNow())}},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@ -117,7 +116,7 @@ func TestState_RouteSession(t *testing.T) {
cmpopts.IgnoreUnexported(State{}),
}
got := s.NewSession(tt.issuer, tt.audience)
got = got.RouteSession(tt.validity)
got = got.RouteSession()
if diff := cmp.Diff(got, tt.want, cmpOpts...); diff != "" {
t.Errorf("State.RouteSession() = %s", diff)
}
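Review bot: The single "good" case only pins that `Expiry` is copied through unchanged, because the input state and the expected state both use `jwt.NewNumericDate(timeNow())`; it does not pin what RouteSession produces when the input has no expiry at all, which is the case that matters now that the method no longer sets one. Adding a second table row whose input `Expiry` is nil, with the corresponding `want`, would document whether a route session without an expiry is an accepted output of this method. The table struct and the surrounding test function begin outside the hunk, so the exact field positions should be checked before adding the row.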


@ -3,7 +3,6 @@ package proxy // import "github.com/pomerium/pomerium/proxy"
import (
"fmt"
"net/http"
"time"
"github.com/pomerium/pomerium/internal/encoding"
"github.com/pomerium/pomerium/internal/httputil"
@ -108,7 +107,7 @@ func (p *Proxy) SignRequest(signer encoding.Marshaler) func(next http.Handler) h
return
}
newSession := s.NewSession(r.Host, []string{r.Host})
jwt, err := signer.Marshal(newSession.RouteSession(time.Minute))
jwt, err := signer.Marshal(newSession.RouteSession())
if err != nil {
log.FromRequest(r).Error().Err(err).Msg("proxy: failed signing jwt")
} else {