diff --git a/authenticate/authenticate.go b/authenticate/authenticate.go index 206c0c3b6..9748f9e9a 100644 --- a/authenticate/authenticate.go +++ b/authenticate/authenticate.go @@ -7,9 +7,9 @@ import ( "errors" "fmt" - "github.com/pomerium/pomerium/authenticate/handlers/webauthn" "github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/internal/atomicutil" + "github.com/pomerium/pomerium/internal/handlers/webauthn" "github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/pkg/cryptutil" ) diff --git a/authenticate/handlers.go b/authenticate/handlers.go index d81404f28..715f1d01b 100644 --- a/authenticate/handlers.go +++ b/authenticate/handlers.go @@ -18,8 +18,8 @@ import ( "github.com/pomerium/csrf" "github.com/pomerium/datasource/pkg/directory" - "github.com/pomerium/pomerium/authenticate/handlers" - "github.com/pomerium/pomerium/authenticate/handlers/webauthn" + "github.com/pomerium/pomerium/internal/handlers" + "github.com/pomerium/pomerium/internal/handlers/webauthn" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/identity" "github.com/pomerium/pomerium/internal/identity/manager" @@ -33,6 +33,7 @@ import ( "github.com/pomerium/pomerium/pkg/grpc/databroker" "github.com/pomerium/pomerium/pkg/grpc/session" "github.com/pomerium/pomerium/pkg/grpc/user" + "github.com/pomerium/pomerium/pkg/webauthnutil" ) // Handler returns the authenticate service's handler chain. @@ -544,7 +545,7 @@ func (a *Authenticate) getUserInfoData(r *http.Request) (handlers.UserInfoData, Id: pbSession.GetUserId(), } } - creationOptions, requestOptions, _ := a.webauthn.GetOptions(r.Context()) + creationOptions, requestOptions, _ := a.webauthn.GetOptions(r) data := handlers.UserInfoData{ CSRFToken: csrf.Token(r), @@ -715,15 +716,15 @@ func (a *Authenticate) getUser(ctx context.Context, userID string) (*user.User, return user.Get(ctx, client, userID) } -func (a *Authenticate) getWebauthnState(ctx context.Context) (*webauthn.State, error) { +func (a *Authenticate) getWebauthnState(r *http.Request) (*webauthn.State, error) { state := a.state.Load() - s, _, err := a.getCurrentSession(ctx) + s, _, err := a.getCurrentSession(r.Context()) if err != nil { return nil, err } - ss, err := a.getSessionFromCtx(ctx) + ss, err := a.getSessionFromCtx(r.Context()) if err != nil { return nil, err } @@ -752,7 +753,7 @@ func (a *Authenticate) getWebauthnState(ctx context.Context) (*webauthn.State, e Session: s, SessionState: ss, SessionStore: state.sessionStore, - RelyingParty: state.webauthnRelyingParty, + RelyingParty: webauthnutil.GetRelyingParty(r, state.dataBrokerClient), BrandingOptions: a.options.Load().BrandingOptions, }, nil } diff --git a/authenticate/handlers/handlers.go b/authenticate/handlers/handlers.go deleted file mode 100644 index 5e6ef3192..000000000 --- a/authenticate/handlers/handlers.go +++ /dev/null @@ -1,2 +0,0 @@ -// Package handlers contains various web handlers for the authenticate service. -package handlers diff --git a/authenticate/handlers_test.go b/authenticate/handlers_test.go index 8573538ff..17fd8313d 100644 --- a/authenticate/handlers_test.go +++ b/authenticate/handlers_test.go @@ -21,12 +21,12 @@ import ( "google.golang.org/grpc" "google.golang.org/protobuf/types/known/timestamppb" - "github.com/pomerium/pomerium/authenticate/handlers/webauthn" "github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/internal/atomicutil" "github.com/pomerium/pomerium/internal/encoding" "github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/internal/encoding/mock" + "github.com/pomerium/pomerium/internal/handlers/webauthn" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/identity" "github.com/pomerium/pomerium/internal/identity/oidc" diff --git a/authenticate/state.go b/authenticate/state.go index bc2c665ed..d9b77ef8f 100644 --- a/authenticate/state.go +++ b/authenticate/state.go @@ -18,8 +18,6 @@ import ( "github.com/pomerium/pomerium/pkg/cryptutil" "github.com/pomerium/pomerium/pkg/grpc" "github.com/pomerium/pomerium/pkg/grpc/databroker" - "github.com/pomerium/pomerium/pkg/webauthnutil" - "github.com/pomerium/webauthn" ) var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn) @@ -46,8 +44,6 @@ type authenticateState struct { jwk *jose.JSONWebKeySet dataBrokerClient databroker.DataBrokerServiceClient - - webauthnRelyingParty *webauthn.RelyingParty } func newAuthenticateState() *authenticateState { @@ -153,10 +149,5 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err state.dataBrokerClient = databroker.NewDataBrokerServiceClient(dataBrokerConn) - state.webauthnRelyingParty = webauthn.NewRelyingParty( - authenticateURL.String(), - webauthnutil.NewCredentialStorage(state.dataBrokerClient), - ) - return state, nil } diff --git a/go.sum b/go.sum index 06feebf6a..f3559ee2c 100644 --- a/go.sum +++ b/go.sum @@ -1085,7 +1085,6 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE= golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -1192,7 +1191,6 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= diff --git a/internal/controlplane/http.go b/internal/controlplane/http.go index 162254b47..d7ce27c5a 100644 --- a/internal/controlplane/http.go +++ b/internal/controlplane/http.go @@ -7,10 +7,11 @@ import ( "time" "github.com/CAFxX/httpcompression" - "github.com/gorilla/handlers" + gorillahandlers "github.com/gorilla/handlers" "github.com/gorilla/mux" "github.com/pomerium/pomerium/config" + "github.com/pomerium/pomerium/internal/handlers" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/telemetry" @@ -37,7 +38,7 @@ func (srv *Server) addHTTPMiddleware(root *mux.Router, cfg *config.Config) { Str("path", r.URL.String()). Msg("http-request") })) - root.Use(handlers.RecoveryHandler()) + root.Use(gorillahandlers.RecoveryHandler()) root.Use(log.HeadersHandler(httputil.HeadersXForwarded)) root.Use(log.RemoteAddrHandler("ip")) root.Use(log.UserAgentHandler("user_agent")) @@ -59,10 +60,10 @@ func (srv *Server) mountCommonEndpoints(root *mux.Router, cfg *config.Config) er return fmt.Errorf("invalid signing key: %w", err) } - root.HandleFunc("/healthz", httputil.HealthCheck) - root.HandleFunc("/ping", httputil.HealthCheck) - root.Handle("/.well-known/pomerium", httputil.WellKnownPomeriumHandler(authenticateURL)) - root.Handle("/.well-known/pomerium/", httputil.WellKnownPomeriumHandler(authenticateURL)) - root.Path("/.well-known/pomerium/jwks.json").Methods(http.MethodGet).Handler(httputil.JWKSHandler(rawSigningKey)) + root.HandleFunc("/healthz", handlers.HealthCheck) + root.HandleFunc("/ping", handlers.HealthCheck) + root.Handle("/.well-known/pomerium", handlers.WellKnownPomerium(authenticateURL)) + root.Handle("/.well-known/pomerium/", handlers.WellKnownPomerium(authenticateURL)) + root.Path("/.well-known/pomerium/jwks.json").Methods(http.MethodGet).Handler(handlers.JWKSHandler(rawSigningKey)) return nil } diff --git a/authenticate/handlers/device-enrolled.go b/internal/handlers/device-enrolled.go similarity index 100% rename from authenticate/handlers/device-enrolled.go rename to internal/handlers/device-enrolled.go diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go new file mode 100644 index 000000000..cad896677 --- /dev/null +++ b/internal/handlers/handlers.go @@ -0,0 +1,2 @@ +// Package handlers contains HTTP handlers used by Pomerium. +package handlers diff --git a/internal/handlers/health_check.go b/internal/handlers/health_check.go new file mode 100644 index 000000000..3a77961ae --- /dev/null +++ b/internal/handlers/health_check.go @@ -0,0 +1,20 @@ +package handlers + +import ( + "fmt" + "net/http" +) + +// HealthCheck is a simple healthcheck handler that responds to GET and HEAD +// http requests. +func HealthCheck(w http.ResponseWriter, r *http.Request) { + if r.Method != http.MethodGet && r.Method != http.MethodHead { + http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed) + return + } + w.Header().Set("Content-Type", "text/plain") + w.WriteHeader(http.StatusOK) + if r.Method == http.MethodGet { + fmt.Fprintln(w, http.StatusText(http.StatusOK)) + } +} diff --git a/internal/handlers/health_check_test.go b/internal/handlers/health_check_test.go new file mode 100644 index 000000000..bbf5b83cd --- /dev/null +++ b/internal/handlers/health_check_test.go @@ -0,0 +1,36 @@ +package handlers + +import ( + "net/http" + "net/http/httptest" + "testing" +) + +func TestHealthCheck(t *testing.T) { + t.Parallel() + tests := []struct { + name string + method string + + wantStatus int + }{ + {"good - Get", http.MethodGet, http.StatusOK}, + {"good - Head", http.MethodHead, http.StatusOK}, + {"bad - Options", http.MethodOptions, http.StatusMethodNotAllowed}, + {"bad - Put", http.MethodPut, http.StatusMethodNotAllowed}, + {"bad - Post", http.MethodPost, http.StatusMethodNotAllowed}, + {"bad - route miss", http.MethodGet, http.StatusOK}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := httptest.NewRequest(tt.method, "/", nil) + w := httptest.NewRecorder() + + HealthCheck(w, r) + if w.Code != tt.wantStatus { + t.Errorf("code differs. got %d want %d body: %s", w.Code, tt.wantStatus, w.Body.String()) + } + }) + } +} diff --git a/internal/handlers/jwks.go b/internal/handlers/jwks.go new file mode 100644 index 000000000..5b23ab18e --- /dev/null +++ b/internal/handlers/jwks.go @@ -0,0 +1,33 @@ +package handlers + +import ( + "encoding/base64" + "errors" + "net/http" + + "github.com/go-jose/go-jose/v3" + "github.com/rs/cors" + + "github.com/pomerium/pomerium/internal/httputil" + "github.com/pomerium/pomerium/pkg/cryptutil" +) + +// JWKSHandler returns the /.well-known/pomerium/jwks.json handler. +func JWKSHandler(rawSigningKey string) http.Handler { + return cors.AllowAll().Handler(httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error { + var jwks jose.JSONWebKeySet + if rawSigningKey != "" { + decodedCert, err := base64.StdEncoding.DecodeString(rawSigningKey) + if err != nil { + return httputil.NewError(http.StatusInternalServerError, errors.New("bad signing key")) + } + jwk, err := cryptutil.PublicJWKFromBytes(decodedCert) + if err != nil { + return httputil.NewError(http.StatusInternalServerError, errors.New("bad signing key")) + } + jwks.Keys = append(jwks.Keys, *jwk) + } + httputil.RenderJSON(w, http.StatusOK, jwks) + return nil + })) +} diff --git a/internal/handlers/jwks_test.go b/internal/handlers/jwks_test.go new file mode 100644 index 000000000..3c3442b89 --- /dev/null +++ b/internal/handlers/jwks_test.go @@ -0,0 +1,22 @@ +package handlers + +import ( + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestJWKSHandler(t *testing.T) { + t.Parallel() + + t.Run("cors", func(t *testing.T) { + w := httptest.NewRecorder() + r := httptest.NewRequest(http.MethodOptions, "/", nil) + r.Header.Set("Origin", "https://www.example.com") + r.Header.Set("Access-Control-Request-Method", "GET") + JWKSHandler("").ServeHTTP(w, r) + assert.Equal(t, http.StatusNoContent, w.Result().StatusCode) + }) +} diff --git a/authenticate/handlers/signout.go b/internal/handlers/signout.go similarity index 100% rename from authenticate/handlers/signout.go rename to internal/handlers/signout.go diff --git a/authenticate/handlers/userinfo.go b/internal/handlers/userinfo.go similarity index 100% rename from authenticate/handlers/userinfo.go rename to internal/handlers/userinfo.go diff --git a/authenticate/handlers/webauthn/webauthn.go b/internal/handlers/webauthn/webauthn.go similarity index 98% rename from authenticate/handlers/webauthn/webauthn.go rename to internal/handlers/webauthn/webauthn.go index 84e792cf2..de784082e 100644 --- a/authenticate/handlers/webauthn/webauthn.go +++ b/internal/handlers/webauthn/webauthn.go @@ -59,7 +59,7 @@ type State struct { } // A StateProvider provides state for the handler. -type StateProvider = func(context.Context) (*State, error) +type StateProvider = func(*http.Request) (*State, error) // Handler is the WebAuthn device handler. type Handler struct { @@ -74,17 +74,17 @@ func New(getState StateProvider) *Handler { } // GetOptions returns the creation and request options for WebAuthn. -func (h *Handler) GetOptions(ctx context.Context) ( +func (h *Handler) GetOptions(r *http.Request) ( creationOptions *webauthn.PublicKeyCredentialCreationOptions, requestOptions *webauthn.PublicKeyCredentialRequestOptions, err error, ) { - state, err := h.getState(ctx) + state, err := h.getState(r) if err != nil { return nil, nil, err } - return h.getOptions(ctx, state, webauthnutil.DefaultDeviceType) + return h.getOptions(r.Context(), state, webauthnutil.DefaultDeviceType) } // ServeHTTP serves the HTTP handler. @@ -118,7 +118,7 @@ func (h *Handler) getOptions(ctx context.Context, state *State, deviceTypeParam } func (h *Handler) handle(w http.ResponseWriter, r *http.Request) error { - s, err := h.getState(r.Context()) + s, err := h.getState(r) if err != nil { return err } diff --git a/internal/handlers/well_known_pomerium.go b/internal/handlers/well_known_pomerium.go new file mode 100644 index 000000000..c9525deca --- /dev/null +++ b/internal/handlers/well_known_pomerium.go @@ -0,0 +1,29 @@ +package handlers + +import ( + "net/http" + "net/url" + + "github.com/rs/cors" + + "github.com/pomerium/csrf" + "github.com/pomerium/pomerium/internal/httputil" +) + +// WellKnownPomerium returns the /.well-known/pomerium handler. +func WellKnownPomerium(authenticateURL *url.URL) http.Handler { + return cors.AllowAll().Handler(httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error { + wellKnownURLs := struct { + OAuth2Callback string `json:"authentication_callback_endpoint"` // RFC6749 + JSONWebKeySetURL string `json:"jwks_uri"` // RFC7517 + FrontchannelLogoutURI string `json:"frontchannel_logout_uri"` // https://openid.net/specs/openid-connect-frontchannel-1_0.html + }{ + authenticateURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(), + authenticateURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(), + authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/sign_out"}).String(), + } + w.Header().Set("X-CSRF-Token", csrf.Token(r)) + httputil.RenderJSON(w, http.StatusOK, wellKnownURLs) + return nil + })) +} diff --git a/internal/handlers/well_known_pomerium_test.go b/internal/handlers/well_known_pomerium_test.go new file mode 100644 index 000000000..fc690e882 --- /dev/null +++ b/internal/handlers/well_known_pomerium_test.go @@ -0,0 +1,24 @@ +package handlers + +import ( + "net/http" + "net/http/httptest" + "net/url" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestWellKnownPomeriumHandler(t *testing.T) { + t.Parallel() + + t.Run("cors", func(t *testing.T) { + authenticateURL, _ := url.Parse("https://authenticate.example.com") + w := httptest.NewRecorder() + r := httptest.NewRequest(http.MethodOptions, "/", nil) + r.Header.Set("Origin", authenticateURL.String()) + r.Header.Set("Access-Control-Request-Method", "GET") + WellKnownPomerium(authenticateURL).ServeHTTP(w, r) + assert.Equal(t, http.StatusNoContent, w.Result().StatusCode) + }) +} diff --git a/internal/httputil/handlers.go b/internal/httputil/handlers.go index f775f5dd2..03826de57 100644 --- a/internal/httputil/handlers.go +++ b/internal/httputil/handlers.go @@ -2,34 +2,12 @@ package httputil import ( "bytes" - "encoding/base64" "encoding/json" "errors" "fmt" "net/http" - "net/url" - - "github.com/go-jose/go-jose/v3" - "github.com/rs/cors" - - "github.com/pomerium/csrf" - "github.com/pomerium/pomerium/pkg/cryptutil" ) -// HealthCheck is a simple healthcheck handler that responds to GET and HEAD -// http requests. -func HealthCheck(w http.ResponseWriter, r *http.Request) { - if r.Method != http.MethodGet && r.Method != http.MethodHead { - http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed) - return - } - w.Header().Set("Content-Type", "text/plain") - w.WriteHeader(http.StatusOK) - if r.Method == http.MethodGet { - fmt.Fprintln(w, http.StatusText(http.StatusOK)) - } -} - // Redirect wraps the std libs's redirect method indicating that pomerium is // the origin of the response. func Redirect(w http.ResponseWriter, r *http.Request, url string, code int) { @@ -72,41 +50,3 @@ func (f HandlerFunc) ServeHTTP(w http.ResponseWriter, r *http.Request) { e.ErrorResponse(r.Context(), w, r) } } - -// JWKSHandler returns the /.well-known/pomerium/jwks.json handler. -func JWKSHandler(rawSigningKey string) http.Handler { - return cors.AllowAll().Handler(HandlerFunc(func(w http.ResponseWriter, r *http.Request) error { - var jwks jose.JSONWebKeySet - if rawSigningKey != "" { - decodedCert, err := base64.StdEncoding.DecodeString(rawSigningKey) - if err != nil { - return NewError(http.StatusInternalServerError, errors.New("bad signing key")) - } - jwk, err := cryptutil.PublicJWKFromBytes(decodedCert) - if err != nil { - return NewError(http.StatusInternalServerError, errors.New("bad signing key")) - } - jwks.Keys = append(jwks.Keys, *jwk) - } - RenderJSON(w, http.StatusOK, jwks) - return nil - })) -} - -// WellKnownPomeriumHandler returns the /.well-known/pomerium handler. -func WellKnownPomeriumHandler(authenticateURL *url.URL) http.Handler { - return cors.AllowAll().Handler(HandlerFunc(func(w http.ResponseWriter, r *http.Request) error { - wellKnownURLs := struct { - OAuth2Callback string `json:"authentication_callback_endpoint"` // RFC6749 - JSONWebKeySetURL string `json:"jwks_uri"` // RFC7517 - FrontchannelLogoutURI string `json:"frontchannel_logout_uri"` // https://openid.net/specs/openid-connect-frontchannel-1_0.html - }{ - authenticateURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(), - authenticateURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(), - authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/sign_out"}).String(), - } - w.Header().Set("X-CSRF-Token", csrf.Token(r)) - RenderJSON(w, http.StatusOK, wellKnownURLs) - return nil - })) -} diff --git a/internal/httputil/handlers_test.go b/internal/httputil/handlers_test.go index 55e8ae2e5..60e4fda36 100644 --- a/internal/httputil/handlers_test.go +++ b/internal/httputil/handlers_test.go @@ -5,42 +5,11 @@ import ( "math" "net/http" "net/http/httptest" - "net/url" "testing" "github.com/google/go-cmp/cmp" - "github.com/stretchr/testify/assert" ) -func TestHealthCheck(t *testing.T) { - t.Parallel() - tests := []struct { - name string - method string - - wantStatus int - }{ - {"good - Get", http.MethodGet, http.StatusOK}, - {"good - Head", http.MethodHead, http.StatusOK}, - {"bad - Options", http.MethodOptions, http.StatusMethodNotAllowed}, - {"bad - Put", http.MethodPut, http.StatusMethodNotAllowed}, - {"bad - Post", http.MethodPost, http.StatusMethodNotAllowed}, - {"bad - route miss", http.MethodGet, http.StatusOK}, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - r := httptest.NewRequest(tt.method, "/", nil) - w := httptest.NewRecorder() - - HealthCheck(w, r) - if w.Code != tt.wantStatus { - t.Errorf("code differs. got %d want %d body: %s", w.Code, tt.wantStatus, w.Body.String()) - } - }) - } -} - func TestRedirect(t *testing.T) { t.Parallel() tests := []struct { @@ -150,30 +119,3 @@ func TestRenderJSON(t *testing.T) { }) } } - -func TestJWKSHandler(t *testing.T) { - t.Parallel() - - t.Run("cors", func(t *testing.T) { - w := httptest.NewRecorder() - r := httptest.NewRequest(http.MethodOptions, "/", nil) - r.Header.Set("Origin", "https://www.example.com") - r.Header.Set("Access-Control-Request-Method", "GET") - JWKSHandler("").ServeHTTP(w, r) - assert.Equal(t, http.StatusNoContent, w.Result().StatusCode) - }) -} - -func TestWellKnownPomeriumHandler(t *testing.T) { - t.Parallel() - - t.Run("cors", func(t *testing.T) { - authenticateURL, _ := url.Parse("https://authenticate.example.com") - w := httptest.NewRecorder() - r := httptest.NewRequest(http.MethodOptions, "/", nil) - r.Header.Set("Origin", authenticateURL.String()) - r.Header.Set("Access-Control-Request-Method", "GET") - WellKnownPomeriumHandler(authenticateURL).ServeHTTP(w, r) - assert.Equal(t, http.StatusNoContent, w.Result().StatusCode) - }) -} diff --git a/internal/urlutil/url.go b/internal/urlutil/url.go index 9c8fa443b..d1d3cd44b 100644 --- a/internal/urlutil/url.go +++ b/internal/urlutil/url.go @@ -92,6 +92,14 @@ func GetAbsoluteURL(r *http.Request) *url.URL { return u } +// GetOrigin gets the Origin header for a request, or builds the origin based on the request host. +func GetOrigin(r *http.Request) string { + if v := r.Header.Get("Origin"); v != "" { + return v + } + return "https://" + r.Host +} + // GetDomainsForURL returns the available domains for given url. // // For standard HTTP (80)/HTTPS (443) ports, it returns `example.com` and `example.com:`. diff --git a/pkg/webauthnutil/webauthnutil.go b/pkg/webauthnutil/webauthnutil.go index c46b62fe5..c475ba868 100644 --- a/pkg/webauthnutil/webauthnutil.go +++ b/pkg/webauthnutil/webauthnutil.go @@ -1,2 +1,15 @@ // Package webauthnutil contains types and functions for working with the webauthn package. package webauthnutil + +import ( + "net/http" + + "github.com/pomerium/pomerium/internal/urlutil" + "github.com/pomerium/pomerium/pkg/grpc/databroker" + "github.com/pomerium/webauthn" +) + +// GetRelyingParty gets a RelyingParty for the given request and databroker client. +func GetRelyingParty(r *http.Request, client databroker.DataBrokerServiceClient) *webauthn.RelyingParty { + return webauthn.NewRelyingParty(urlutil.GetOrigin(r), NewCredentialStorage(client)) +} diff --git a/proxy/data.go b/proxy/data.go new file mode 100644 index 000000000..cab09fb6d --- /dev/null +++ b/proxy/data.go @@ -0,0 +1,151 @@ +package proxy + +import ( + "context" + "net/http" + + "github.com/pomerium/csrf" + "github.com/pomerium/datasource/pkg/directory" + "github.com/pomerium/pomerium/internal/encoding/jws" + "github.com/pomerium/pomerium/internal/handlers" + "github.com/pomerium/pomerium/internal/handlers/webauthn" + "github.com/pomerium/pomerium/internal/httputil" + "github.com/pomerium/pomerium/internal/sessions" + "github.com/pomerium/pomerium/internal/urlutil" + "github.com/pomerium/pomerium/pkg/grpc/databroker" + "github.com/pomerium/pomerium/pkg/grpc/session" + "github.com/pomerium/pomerium/pkg/grpc/user" + "github.com/pomerium/pomerium/pkg/webauthnutil" +) + +func (p *Proxy) getSession(ctx context.Context, sessionID string) (s *session.Session, isImpersonated bool, err error) { + client := p.state.Load().dataBrokerClient + + isImpersonated = false + s, err = session.Get(ctx, client, sessionID) + if s.GetImpersonateSessionId() != "" { + s, err = session.Get(ctx, client, s.GetImpersonateSessionId()) + isImpersonated = true + } + + return s, isImpersonated, err +} + +func (p *Proxy) getSessionState(r *http.Request) (sessions.State, error) { + state := p.state.Load() + + rawJWT, err := state.sessionStore.LoadSession(r) + if err != nil { + return sessions.State{}, err + } + + encoder, err := jws.NewHS256Signer(state.sharedKey) + if err != nil { + return sessions.State{}, err + } + + var sessionState sessions.State + if err := encoder.Unmarshal([]byte(rawJWT), &sessionState); err != nil { + return sessions.State{}, httputil.NewError(http.StatusBadRequest, err) + } + + return sessionState, nil +} + +func (p *Proxy) getUser(ctx context.Context, userID string) (*user.User, error) { + client := p.state.Load().dataBrokerClient + return user.Get(ctx, client, userID) +} + +func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error) { + options := p.currentOptions.Load() + state := p.state.Load() + + data := handlers.UserInfoData{ + CSRFToken: csrf.Token(r), + BrandingOptions: options.BrandingOptions, + } + + ss, err := p.getSessionState(r) + if err != nil { + return handlers.UserInfoData{}, err + } + + data.Session, data.IsImpersonated, err = p.getSession(r.Context(), ss.ID) + if err != nil { + data.Session = &session.Session{Id: ss.ID} + } + + data.User, err = p.getUser(r.Context(), data.Session.GetUserId()) + if err != nil { + data.User = &user.User{Id: data.Session.GetUserId()} + } + + data.WebAuthnCreationOptions, data.WebAuthnRequestOptions, _ = p.webauthn.GetOptions(r) + data.WebAuthnURL = urlutil.WebAuthnURL(r, urlutil.GetAbsoluteURL(r), state.sharedKey, r.URL.Query()) + p.fillEnterpriseUserInfoData(r.Context(), &data) + return data, nil +} + +func (p *Proxy) fillEnterpriseUserInfoData(ctx context.Context, data *handlers.UserInfoData) { + client := p.state.Load().dataBrokerClient + + res, _ := client.Get(ctx, &databroker.GetRequest{Type: "type.googleapis.com/pomerium.config.Config", Id: "dashboard"}) + data.IsEnterprise = res.GetRecord() != nil + if !data.IsEnterprise { + return + } + + data.DirectoryUser, _ = databroker.GetViaJSON[directory.User](ctx, client, directory.UserRecordType, data.Session.GetUserId()) + if data.DirectoryUser != nil { + for _, groupID := range data.DirectoryUser.GroupIDs { + directoryGroup, _ := databroker.GetViaJSON[directory.Group](ctx, client, directory.GroupRecordType, groupID) + if directoryGroup != nil { + data.DirectoryGroups = append(data.DirectoryGroups, directoryGroup) + } + } + } +} + +func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) { + options := p.currentOptions.Load() + state := p.state.Load() + + ss, err := p.getSessionState(r) + if err != nil { + return nil, err + } + + s, _, err := p.getSession(r.Context(), ss.ID) + if err != nil { + return nil, err + } + + authenticateURL, err := options.GetAuthenticateURL() + if err != nil { + return nil, err + } + + internalAuthenticateURL, err := options.GetInternalAuthenticateURL() + if err != nil { + return nil, err + } + + pomeriumDomains, err := options.GetAllRouteableHTTPDomains() + if err != nil { + return nil, err + } + + return &webauthn.State{ + AuthenticateURL: authenticateURL, + InternalAuthenticateURL: internalAuthenticateURL, + SharedKey: state.sharedKey, + Client: state.dataBrokerClient, + PomeriumDomains: pomeriumDomains, + Session: s, + SessionState: &ss, + SessionStore: state.sessionStore, + RelyingParty: webauthnutil.GetRelyingParty(r, state.dataBrokerClient), + BrandingOptions: options.BrandingOptions, + }, nil +} diff --git a/proxy/handlers.go b/proxy/handlers.go index e22980887..5c8ef42b2 100644 --- a/proxy/handlers.go +++ b/proxy/handlers.go @@ -10,6 +10,7 @@ import ( "github.com/gorilla/mux" + "github.com/pomerium/pomerium/internal/handlers" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/middleware" "github.com/pomerium/pomerium/internal/urlutil" @@ -22,9 +23,11 @@ func (p *Proxy) registerDashboardHandlers(r *mux.Router) *mux.Router { h.Use(middleware.SetHeaders(httputil.HeadersContentSecurityPolicy)) // special pomerium endpoints for users to view their session - h.Path("/").HandlerFunc(p.userInfo).Methods(http.MethodGet) - h.Path("/sign_out").Handler(httputil.HandlerFunc(p.SignOut)).Methods(http.MethodGet, http.MethodPost) + h.Path("/").Handler(httputil.HandlerFunc(p.userInfo)).Methods(http.MethodGet) + h.Path("/device-enrolled").Handler(httputil.HandlerFunc(p.deviceEnrolled)) h.Path("/jwt").Handler(httputil.HandlerFunc(p.jwtAssertion)).Methods(http.MethodGet) + h.Path("/sign_out").Handler(httputil.HandlerFunc(p.SignOut)).Methods(http.MethodGet, http.MethodPost) + h.Path("/webauthn").Handler(p.webauthn) // called following authenticate auth flow to grab a new or existing session // the route specific cookie is returned in a signed query params @@ -81,21 +84,22 @@ func (p *Proxy) SignOut(w http.ResponseWriter, r *http.Request) error { return nil } -func (p *Proxy) userInfo(w http.ResponseWriter, r *http.Request) { - state := p.state.Load() - - redirectURL := urlutil.GetAbsoluteURL(r).String() - if ref := r.Header.Get(httputil.HeaderReferrer); ref != "" { - redirectURL = ref +func (p *Proxy) userInfo(w http.ResponseWriter, r *http.Request) error { + data, err := p.getUserInfoData(r) + if err != nil { + return err } + handlers.UserInfo(data).ServeHTTP(w, r) + return nil +} - uri := state.authenticateDashboardURL.ResolveReference(&url.URL{ - RawQuery: url.Values{ - urlutil.QueryRedirectURI: {redirectURL}, - }.Encode(), - }) - uri = urlutil.NewSignedURL(state.sharedKey, uri).Sign() - httputil.Redirect(w, r, uri.String(), http.StatusFound) +func (p *Proxy) deviceEnrolled(w http.ResponseWriter, r *http.Request) error { + data, err := p.getUserInfoData(r) + if err != nil { + return err + } + handlers.DeviceEnrolled(data).ServeHTTP(w, r) + return nil } // Callback handles the result of a successful call to the authenticate service diff --git a/proxy/proxy.go b/proxy/proxy.go index 85f382be4..10005ba51 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -13,6 +13,7 @@ import ( "github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/internal/atomicutil" + "github.com/pomerium/pomerium/internal/handlers/webauthn" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/telemetry/metrics" @@ -54,6 +55,7 @@ type Proxy struct { state *atomicutil.Value[*proxyState] currentOptions *atomicutil.Value[*config.Options] currentRouter *atomicutil.Value[*mux.Router] + webauthn *webauthn.Handler } // New takes a Proxy service from options and a validation function. @@ -69,6 +71,7 @@ func New(cfg *config.Config) (*Proxy, error) { currentOptions: config.NewAtomicOptions(), currentRouter: atomicutil.NewValue(httputil.NewRouter()), } + p.webauthn = webauthn.New(p.getWebauthnState) metrics.AddPolicyCountCallback("pomerium-proxy", func() int64 { return int64(len(p.currentOptions.Load().GetAllPolicies())) diff --git a/proxy/state.go b/proxy/state.go index b4ed3cdfd..73893722b 100644 --- a/proxy/state.go +++ b/proxy/state.go @@ -1,6 +1,7 @@ package proxy import ( + "context" "crypto/cipher" "net/url" @@ -10,8 +11,12 @@ import ( "github.com/pomerium/pomerium/internal/sessions" "github.com/pomerium/pomerium/internal/sessions/cookie" "github.com/pomerium/pomerium/pkg/cryptutil" + "github.com/pomerium/pomerium/pkg/grpc" + "github.com/pomerium/pomerium/pkg/grpc/databroker" ) +var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn) + type proxyState struct { sharedKey []byte sharedCipher cipher.AEAD @@ -26,6 +31,8 @@ type proxyState struct { sessionStore sessions.SessionStore jwtClaimHeaders config.JWTClaimHeaders + dataBrokerClient databroker.DataBrokerServiceClient + programmaticRedirectDomainWhitelist []string } @@ -36,6 +43,7 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) { } state := new(proxyState) + state.sharedKey, err = cfg.Options.GetSharedKey() if err != nil { return nil, err @@ -81,6 +89,19 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) { if err != nil { return nil, err } + + dataBrokerConn, err := outboundGRPCConnection.Get(context.Background(), &grpc.OutboundOptions{ + OutboundPort: cfg.OutboundPort, + InstallationID: cfg.Options.InstallationID, + ServiceName: cfg.Options.Services, + SignedJWTKey: state.sharedKey, + }) + if err != nil { + return nil, err + } + + state.dataBrokerClient = databroker.NewDataBrokerServiceClient(dataBrokerConn) + state.programmaticRedirectDomainWhitelist = cfg.Options.ProgrammaticRedirectDomainWhitelist return state, nil