authenticate/proxy: add user impersonation, refresh, dashboard (#123)

proxy: Add user dashboard. [GH-123] proxy/authenticate: Add manual refresh of their session. [GH-73] authorize: Add administrator (super user) account support. [GH-110] internal/policy: Allow administrators to impersonate other users. [GH-110]
2025-08-03 00:40:25 +02:00 · 2019-05-26 12:33:00 -07:00 · 2019-05-26 12:33:00 -07:00 · 66b4c2d3cd
commit 66b4c2d3cd
parent dc2eb9668c
42 changed files with 1644 additions and 1006 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -12,13 +12,16 @@ import (
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/middleware"
 	"github.com/pomerium/pomerium/internal/sessions"
-	"github.com/pomerium/pomerium/internal/version"
 )

 // CSPHeaders adds content security headers for authenticate's handlers
 var CSPHeaders = map[string]string{
-	"Content-Security-Policy": "default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';",
-	"Referrer-Policy":         "Same-origin",
+	"Content-Security-Policy": "default-src 'none'; style-src 'self'" +
+		" 'sha256-z9MsgkMbQjRSLxzAfN55jB3a9pP0PQ4OHFH8b4iDP6s=' " +
+		" 'sha256-qnVkQSG7pWu17hBhIw0kCpfEB3XGvt0mNRa6+uM6OUU=' " +
+		" 'sha256-qOdRsNZhtR+htazbcy7guQl3Cn1cqOw1FcE4d3llae0='; " +
+		"img-src 'self';",
+	"Referrer-Policy": "Same-origin",
 }

 // Handler returns the authenticate service's HTTP request multiplexer, and routes.
@ -35,7 +38,7 @@ func (a *Authenticate) Handler() http.Handler {
 	mux.Handle("/oauth2/callback", c.ThenFunc(a.OAuthCallback))
 	// authenticate-server endpoints
 	mux.Handle("/sign_in", validate.ThenFunc(a.SignIn))
-	mux.Handle("/sign_out", validate.ThenFunc(a.SignOut)) // GET POST
+	mux.Handle("/sign_out", validate.ThenFunc(a.SignOut)) // POST
 	return mux
 }

@ -53,7 +56,7 @@ func (a *Authenticate) authenticate(w http.ResponseWriter, r *http.Request, sess
 		}
 		err = a.sessionStore.SaveSession(w, r, session)
 		if err != nil {
-			return fmt.Errorf("authenticate: refresh failed : %v", err)
+			return fmt.Errorf("authenticate: failed saving refreshed session : %v", err)
 		}
 	} else {
 		valid, err := a.provider.Validate(r.Context(), session.IDToken)
@ -86,14 +89,7 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) {
 		httputil.ErrorResponse(w, r, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	a.ProxyCallback(w, r, session)
-}
-
-// ProxyCallback redirects the user back to proxy service along with an encrypted payload, as
-// url params, of the user's session state as specified in RFC6749 3.1.2.
-// https://tools.ietf.org/html/rfc6749#section-3.1.2
-func (a *Authenticate) ProxyCallback(w http.ResponseWriter, r *http.Request, session *sessions.SessionState) {
-	err := r.ParseForm()
+	err = r.ParseForm()
 	if err != nil {
 		httputil.ErrorResponse(w, r, err.Error(), http.StatusInternalServerError)
 		return
@ -104,14 +100,8 @@ func (a *Authenticate) ProxyCallback(w http.ResponseWriter, r *http.Request, ses
 		httputil.ErrorResponse(w, r, "no state parameter supplied", http.StatusForbidden)
 		return
 	}
-	// redirect url of proxy-service
-	redirectURI := r.Form.Get("redirect_uri")
-	if redirectURI == "" {
-		httputil.ErrorResponse(w, r, "no redirect_uri parameter supplied", http.StatusForbidden)
-		return
-	}

-	redirectURL, err := url.Parse(redirectURI)
+	redirectURL, err := url.Parse(r.Form.Get("redirect_uri"))
 	if err != nil {
 		httputil.ErrorResponse(w, r, "malformed redirect_uri parameter passed", http.StatusBadRequest)
 		return
@ -145,40 +135,11 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) {
 		httputil.ErrorResponse(w, r, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	// pretty safe to say that no matter what heppanes here, we want to revoke the local session
 	redirectURI := r.Form.Get("redirect_uri")
 	session, err := a.sessionStore.LoadSession(r)
 	if err != nil {
-		log.Error().Err(err).Msg("authenticate: signout failed to load session")
-		httputil.ErrorResponse(w, r, "No session found to log out", http.StatusBadRequest)
-		return
-	}
-	if r.Method == http.MethodGet {
-		signature := r.Form.Get("sig")
-		timestamp := r.Form.Get("ts")
-		destinationURL, err := url.Parse(redirectURI)
-		if err != nil {
-			log.Error().Err(err).Msg("authenticate: malformed destination url")
-			httputil.ErrorResponse(w, r, "Malformed destination URL", http.StatusBadRequest)
-			return
-		}
-		t := struct {
-			Redirect    string
-			Signature   string
-			Timestamp   string
-			Destination string
-			Email       string
-			Version     string
-		}{
-			Redirect:    redirectURI,
-			Signature:   signature,
-			Timestamp:   timestamp,
-			Destination: destinationURL.Host,
-			Email:       session.Email,
-			Version:     version.FullVersion(),
-		}
-		a.templates.ExecuteTemplate(w, "sign_out.html", t)
-		w.WriteHeader(http.StatusOK)
+		log.Error().Err(err).Msg("authenticate: no session to signout, redirect and clear")
+		http.Redirect(w, r, redirectURI, http.StatusFound)
 		return
 	}
 	a.sessionStore.ClearSession(w, r)
@ -196,6 +157,7 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) {
 func (a *Authenticate) OAuthStart(w http.ResponseWriter, r *http.Request) {
 	authRedirectURL := a.RedirectURL.ResolveReference(r.URL)

+	// generate a nonce to check following authentication with the IdP
 	nonce := fmt.Sprintf("%x", cryptutil.GenerateKey())
 	a.csrfStore.SetCSRF(w, r, nonce)

@ -204,6 +166,7 @@ func (a *Authenticate) OAuthStart(w http.ResponseWriter, r *http.Request) {
 		httputil.ErrorResponse(w, r, "Invalid redirect parameter: redirect uri not from the root domain", http.StatusBadRequest)
 		return
 	}
+
 	// verify proxy url is from the root domain
 	proxyRedirectURL, err := url.Parse(authRedirectURL.Query().Get("redirect_uri"))
 	if err != nil || !middleware.SameSubdomain(proxyRedirectURL, a.RedirectURL) {
@ -221,6 +184,7 @@ func (a *Authenticate) OAuthStart(w http.ResponseWriter, r *http.Request) {

 	// concat base64'd nonce and authenticate url to make state
 	state := base64.URLEncoding.EncodeToString([]byte(fmt.Sprintf("%v:%v", nonce, authRedirectURL.String())))
+
 	// build the provider sign in url
 	signInURL := a.provider.GetSignInURL(state)
 	http.Redirect(w, r, signInURL, http.StatusFound)
@ -242,12 +206,14 @@ func (a *Authenticate) OAuthCallback(w http.ResponseWriter, r *http.Request) {
 		httputil.ErrorResponse(w, r, "Internal Error", http.StatusInternalServerError)
 		return
 	}
-	// redirect back to the proxy-service
+	// redirect back to the proxy-service via sign_in
+	log.Info().Interface("redirect", redirect).Msg("proxy: OAuthCallback")
 	http.Redirect(w, r, redirect, http.StatusFound)
 }

 // getOAuthCallback completes the oauth cycle from an identity provider's callback
 func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request) (string, error) {
+	// handle the callback response from the identity provider
 	err := r.ParseForm()
 	if err != nil {
 		return "", httputil.HTTPError{Code: http.StatusInternalServerError, Message: err.Error()}
@ -263,12 +229,14 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
 		return "", httputil.HTTPError{Code: http.StatusBadRequest, Message: "Missing Code"}
 	}

+	// validate the returned code with the identity provider
 	session, err := a.provider.Authenticate(code)
 	if err != nil {
 		log.FromRequest(r).Error().Err(err).Msg("authenticate: error redeeming authenticate code")
 		return "", httputil.HTTPError{Code: http.StatusInternalServerError, Message: err.Error()}
 	}

+	// okay, time to go back to the proxy service.
 	bytes, err := base64.URLEncoding.DecodeString(r.Form.Get("state"))
 	if err != nil {
 		log.FromRequest(r).Error().Err(err).Msg("authenticate: failed decoding state")
@ -281,30 +249,26 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
 	nonce := s[0]
 	redirect := s[1]
 	c, err := a.csrfStore.GetCSRF(r)
-	if err != nil {
-		log.FromRequest(r).Error().Err(err).Interface("s", s).Msg("authenticate: bad csrf")
-		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: "Missing CSRF token"}
-	}
-	a.csrfStore.ClearCSRF(w, r)
-	if c.Value != nonce {
-		log.FromRequest(r).Error().Err(err).Msg("authenticate: csrf mismatch")
+	defer a.csrfStore.ClearCSRF(w, r)
+	if err != nil || c.Value != nonce {
+		log.FromRequest(r).Error().Err(err).Msg("authenticate: csrf failure")
 		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: "CSRF failed"}
 	}
-
 	redirectURL, err := url.Parse(redirect)
 	if err != nil {
-		log.FromRequest(r).Error().Err(err).Msg("authenticate: couldn't parse redirect url")
-		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: "Couldn't parse redirect url"}
+		log.FromRequest(r).Error().Err(err).Msg("authenticate: malformed redirect url")
+		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: "Malformed redirect url"}
 	}
-
+	// sanity check, we are redirecting back to the same subdomain right?
 	if !middleware.SameSubdomain(redirectURL, a.RedirectURL) {
 		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: "Invalid Redirect URI domain"}
 	}

 	err = a.sessionStore.SaveSession(w, r, session)
 	if err != nil {
-		log.Error().Err(err).Msg("internal error")
+		log.Error().Err(err).Msg("authenticate: failed saving new session")
 		return "", httputil.HTTPError{Code: http.StatusInternalServerError, Message: "Internal Error"}
 	}
+
 	return redirect, nil
 }