3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-01 03:16:31 +02:00
Code Issues Projects Releases Packages Wiki Activity

authenticate: fix authenticate_internal_service_url for all in one (#4003)

Browse source
This commit is contained in:
Denis Mishin 2023-02-22 10:42:27 -05:00 committed by GitHub
parent 74fe336f5f
commit 62ca7ffaa2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 57 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
authorize/state.go
View file

@ -3,14 +3,12 @@ package authorize
import ( import (
"context" "context"
"fmt" "fmt"
"net/url"
googlegrpc "google.golang.org/grpc" googlegrpc "google.golang.org/grpc"
"github.com/pomerium/pomerium/authorize/evaluator" "github.com/pomerium/pomerium/authorize/evaluator"
"github.com/pomerium/pomerium/authorize/internal/store" "github.com/pomerium/pomerium/authorize/internal/store"
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/pkg/grpc" "github.com/pomerium/pomerium/pkg/grpc"
"github.com/pomerium/pomerium/pkg/grpc/databroker" "github.com/pomerium/pomerium/pkg/grpc/databroker"
"github.com/pomerium/pomerium/pkg/hpke" "github.com/pomerium/pomerium/pkg/hpke"
@ -79,28 +77,11 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho
return nil, fmt.Errorf("authorize: invalid session store: %w", err) return nil, fmt.Errorf("authorize: invalid session store: %w", err)
} }
authenticateURL, err := cfg.Options.GetAuthenticateURL()
if err != nil {
return nil, fmt.Errorf("authorize: invalid authenticate service url: %w", err)
}
state.hpkePrivateKey = hpke.DerivePrivateKey(sharedKey) state.hpkePrivateKey = hpke.DerivePrivateKey(sharedKey)
state.authenticateKeyFetcher, err = cfg.GetAuthenticateKeyFetcher()
jwksURL := authenticateURL.ResolveReference(&url.URL{
Path: "/.well-known/pomerium/jwks.json",
}).String()
transport := httputil.GetInsecureTransport()
ok, err := cfg.WillHaveCertificateForServerName(authenticateURL.Hostname())
if err != nil { if err != nil {
return nil, fmt.Errorf("authorize: error determining if authenticate service will have a certificate name: %w", err) return nil, fmt.Errorf("authorize: get authenticate JWKS key fetcher: %w", err)
} }
if ok {
transport, err = config.GetTLSClientTransport(cfg)
if err != nil {
return nil, fmt.Errorf("authorize: get tls client config: %w", err)
}
}
state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
return state, nil return state, nil
} }

37
config/config.go
View file

@ -6,13 +6,17 @@ import (
"crypto/x509" "crypto/x509"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"net/http"
"net/url"
"github.com/pomerium/pomerium/internal/fileutil" "github.com/pomerium/pomerium/internal/fileutil"
"github.com/pomerium/pomerium/internal/hashutil" "github.com/pomerium/pomerium/internal/hashutil"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/telemetry/metrics" "github.com/pomerium/pomerium/internal/telemetry/metrics"
"github.com/pomerium/pomerium/pkg/cryptutil" "github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/derivecert" "github.com/pomerium/pomerium/pkg/derivecert"
"github.com/pomerium/pomerium/pkg/hpke"
) )
// MetricsScrapeEndpoint defines additional metrics endpoints that would be scraped and exposed by pomerium // MetricsScrapeEndpoint defines additional metrics endpoints that would be scraped and exposed by pomerium
@ -236,3 +240,36 @@ func (cfg *Config) GetCertificatePool() (*x509.CertPool, error) {
return pool, nil return pool, nil
} }
// GetAuthenticateKeyFetcher returns a key fetcher for the authenticate service
func (cfg *Config) GetAuthenticateKeyFetcher() (hpke.KeyFetcher, error) {
authenticateURL, transport, err := cfg.resolveAuthenticateURL()
if err != nil {
return nil, err
}
jwksURL := authenticateURL.ResolveReference(&url.URL{
Path: "/.well-known/pomerium/jwks.json",
}).String()
return hpke.NewKeyFetcher(jwksURL, transport), nil
}
func (cfg *Config) resolveAuthenticateURL() (*url.URL, *http.Transport, error) {
authenticateURL, err := cfg.Options.GetInternalAuthenticateURL()
if err != nil {
return nil, nil, fmt.Errorf("invalid authenticate service url: %w", err)
}
ok, err := cfg.WillHaveCertificateForServerName(authenticateURL.Hostname())
if err != nil {
return nil, nil, fmt.Errorf("error determining if authenticate service will have a certificate name: %w", err)
}
if !ok {
return authenticateURL, httputil.GetInsecureTransport(), nil
}
transport, err := GetTLSClientTransport(cfg)
if err != nil {
return nil, nil, fmt.Errorf("get tls client config: %w", err)
}
return authenticateURL, transport, nil
}

3
config/envoyconfig/routes.go
View file

@ -75,7 +75,8 @@ func (b *Builder) buildPomeriumHTTPRoutes(options *config.Options, host string)
} }
} }
// if we're handling authentication, add the oauth2 callback url // if we're handling authentication, add the oauth2 callback url
authenticateURL, err := options.GetInternalAuthenticateURL() // as the callback url is from the IdP, it is expected only on the public authenticate URL endpoint
authenticateURL, err := options.GetAuthenticateURL()
if err != nil { if err != nil {
return nil, err return nil, err
} }

11
internal/controlplane/server.go
View file

@ -5,6 +5,7 @@ import (
"net" "net"
"net/http" "net/http"
"net/http/pprof" "net/http/pprof"
"net/url"
"time" "time"
envoy_service_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" envoy_service_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
@ -289,13 +290,21 @@ func (srv *Server) updateRouter(cfg *config.Config) error {
return err return err
} }
if srv.authenticateSvc != nil { if srv.authenticateSvc != nil {
authenticateURL, err := cfg.Options.GetInternalAuthenticateURL() seen := make(map[string]struct{})
// mount auth handler for both internal and external endpoints
for _, fn := range []func() (*url.URL, error){cfg.Options.GetAuthenticateURL, cfg.Options.GetInternalAuthenticateURL} {
authenticateURL, err := fn()
if err != nil { if err != nil {
return err return err
} }
authenticateHost := urlutil.StripPort(authenticateURL.Host) authenticateHost := urlutil.StripPort(authenticateURL.Host)
if _, ok := seen[authenticateHost]; ok {
continue
}
seen[authenticateHost] = struct{}{}
srv.authenticateSvc.Mount(httpRouter.Host(authenticateHost).Subrouter()) srv.authenticateSvc.Mount(httpRouter.Host(authenticateHost).Subrouter())
} }
}
if srv.proxySvc != nil { if srv.proxySvc != nil {
srv.proxySvc.Mount(httpRouter) srv.proxySvc.Mount(httpRouter)
} }

21
proxy/state.go
View file

@ -9,7 +9,6 @@ import (
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/encoding" "github.com/pomerium/pomerium/internal/encoding"
"github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/internal/encoding/jws"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/sessions" "github.com/pomerium/pomerium/internal/sessions"
"github.com/pomerium/pomerium/internal/sessions/cookie" "github.com/pomerium/pomerium/internal/sessions/cookie"
"github.com/pomerium/pomerium/pkg/cryptutil" "github.com/pomerium/pomerium/pkg/cryptutil"
@ -49,11 +48,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
state := new(proxyState) state := new(proxyState)
authenticateURL, err := cfg.Options.GetAuthenticateURL()
if err != nil {
return nil, err
}
state.sharedKey, err = cfg.Options.GetSharedKey() state.sharedKey, err = cfg.Options.GetSharedKey()
if err != nil { if err != nil {
return nil, err return nil, err
@ -64,21 +58,10 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
return nil, err return nil, err
} }
jwksURL := authenticateURL.ResolveReference(&url.URL{ state.authenticateKeyFetcher, err = cfg.GetAuthenticateKeyFetcher()
Path: "/.well-known/pomerium/jwks.json",
}).String()
transport := httputil.GetInsecureTransport()
ok, err := cfg.WillHaveCertificateForServerName(authenticateURL.Hostname())
if err != nil { if err != nil {
return nil, fmt.Errorf("proxy: error determining if authenticate service will have a certificate name: %w", err) return nil, fmt.Errorf("authorize: get authenticate JWKS key fetcher: %w", err)
} }
if ok {
transport, err = config.GetTLSClientTransport(cfg)
if err != nil {
return nil, fmt.Errorf("proxy: get tls client config: %w", err)
}
}
state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey) state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
if err != nil { if err != nil {