3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-20 20:47:16 +02:00
Code Issues Projects Releases Packages Wiki Activity

proxy: support certificate authority to verify server (#49)

Browse source
This commit is contained in:
Michael Barrientos 2019-02-18 09:58:05 -08:00 committed by Bobby DeSimone
parent ede412448a
commit 7b1e832b45
6 changed files with 50 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

7
helm/templates/deployment.yaml
View file

@ -74,6 +74,13 @@ spec:
name: {{ template "pomerium.fullname" . }} name: {{ template "pomerium.fullname" . }}
key: certificate-key key: certificate-key
{{- end }} {{- end }}
{{- if .Values.config.ca }}
- name: CERTIFICATE_AUTHORITY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-authority
{{- end }}
{{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }} {{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }}
- name: REDIRECT_URL - name: REDIRECT_URL
value: {{ .Values.authenticate.redirectUrl }} value: {{ .Values.authenticate.redirectUrl }}

3
helm/templates/secret.yaml
View file

@ -22,3 +22,6 @@ data:
{{- if .Values.config.key }} {{- if .Values.config.key }}
certificate-key: {{ .Values.config.key | b64enc | quote }} certificate-key: {{ .Values.config.key | b64enc | quote }}
{{- end }} {{- end }}
{{- if .Values.config.ca }}
certificate-authority: {{ .Values.config.ca | b64enc | quote }}
{{- end }}

9
helm/values.yaml
View file

@ -19,13 +19,14 @@ authenticate:
# All below required if config.serviceModes is "proxy" or "all" # All below required if config.serviceModes is "proxy" or "all"
proxy: proxy:
authenticateServiceUrl: https://example.com/oauth2/callback authenticateServiceUrl: https://example.com/oauth2/callback
routes: routes: {}
"http.corp.example.com": "httpbin.org" # routes:
# "http.corp.example.com": "httpbin.org"
# For any other settings that are optional # For any other settings that are optional
# ADDRESS, POMERIUM_DEBUG, CERTIFICATE_FILE, CERTIFICATE_KEY_FILE # ADDRESS, POMERIUM_DEBUG, CERTIFICATE_FILE, CERTIFICATE_KEY_FILE, CERTIFICATE_AUTHORITY_FILE,
# PROXY_ROOT_DOMAIN, COOKIE_DOMAIN, COOKIE_EXPIRE, COOKIE_REFRESH, COOKIE_SECURE, COOKIE_HTTP_ONLY, IDP_SCOPES # PROXY_ROOT_DOMAIN, COOKIE_DOMAIN, COOKIE_EXPIRE, COOKIE_REFRESH, COOKIE_SECURE, COOKIE_HTTP_ONLY, IDP_SCOPES
# DEFAULT_UPSTREAM_TIMEOUT, PASS_ACCESS_TOKEN, SESSION_VALID_TTL, SESSION_LIFETIME_TTL, GRACE_PERIOD_TTL # AUTHENTICATE_INTERNAL_URL, AUTHENTICATE_SERVICE_PORT, OVERRIDE_CERTIFICATE_NAME, DEFAULT_UPSTREAM_TIMEOUT, COOKIE_LIFETIME,
extraEnv: {} extraEnv: {}
extraArgs: {} extraArgs: {}

4
proxy/authenticator/authenticator.go
View file

@ -31,6 +31,10 @@ type Options struct {
OverrideCertificateName string OverrideCertificateName string
// Shared secret is used to authenticate a authenticate-client with a authenticate-server. // Shared secret is used to authenticate a authenticate-client with a authenticate-server.
SharedSecret string SharedSecret string
// CA specifies the base64 encoded TLS certificate authority to use.
CA string
// CAFile specifies the TLS certificate authority file to use.
CAFile string
} }
// New returns a new authenticate service client. Takes a client implementation name as an argument. // New returns a new authenticate service client. Takes a client implementation name as an argument.

30
proxy/authenticator/grpc.go
View file

@ -3,8 +3,10 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/base64"
"errors" "errors"
"fmt" "fmt"
"io/ioutil"
"strings" "strings"
"time" "time"
@ -39,9 +41,31 @@ func NewGRPC(opts *Options) (p *AuthenticateGRPC, err error) {
connAddr = fmt.Sprintf("%s:%d", connAddr, opts.Port) connAddr = fmt.Sprintf("%s:%d", connAddr, opts.Port)
} }
cp, err := x509.SystemCertPool() var cp *x509.CertPool
if err != nil { if opts.CA != "" || opts.CAFile != "" {
return nil, err cp = x509.NewCertPool()
var ca []byte
var err error
if opts.CA != "" {
ca, err = base64.StdEncoding.DecodeString(opts.CA)
if err != nil {
return nil, fmt.Errorf("failed to decode certificate authority: %v", err)
}
} else {
ca, err = ioutil.ReadFile(opts.CAFile)
if err != nil {
return nil, fmt.Errorf("certificate authority file %v not readable: %v", opts.CAFile, err)
}
}
if ok := cp.AppendCertsFromPEM(ca); !ok {
return nil, fmt.Errorf("failed to append CA cert to certPool")
}
} else {
newCp, err := x509.SystemCertPool()
if err != nil {
return nil, err
}
cp = newCp
} }
log.Info(). log.Info().

4
proxy/proxy.go
View file

@ -37,6 +37,8 @@ type Options struct {
AuthenticateInternalAddr string `envconfig:"AUTHENTICATE_INTERNAL_URL"` AuthenticateInternalAddr string `envconfig:"AUTHENTICATE_INTERNAL_URL"`
OverrideCertificateName string `envconfig:"OVERRIDE_CERTIFICATE_NAME"` OverrideCertificateName string `envconfig:"OVERRIDE_CERTIFICATE_NAME"`
AuthenticatePort int `envconfig:"AUTHENTICATE_SERVICE_PORT"` AuthenticatePort int `envconfig:"AUTHENTICATE_SERVICE_PORT"`
CA string `envconfig:"CERTIFICATE_AUTHORITY"`
CAFile string `envconfig:"CERTIFICATE_AUTHORITY_FILE"`
// SigningKey is a base64 encoded private key used to add a JWT-signature to proxied requests. // SigningKey is a base64 encoded private key used to add a JWT-signature to proxied requests.
// See : https://www.pomerium.io/guide/signed-headers.html // See : https://www.pomerium.io/guide/signed-headers.html
@ -207,6 +209,8 @@ func New(opts *Options) (*Proxy, error) {
OverrideCertificateName: opts.OverrideCertificateName, OverrideCertificateName: opts.OverrideCertificateName,
SharedSecret: opts.SharedKey, SharedSecret: opts.SharedKey,
Port: opts.AuthenticatePort, Port: opts.AuthenticatePort,
CA: opts.CA,
CAFile: opts.CAFile,
}) })
return p, nil return p, nil
} }