mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-03 16:59:22 +02:00
proxy: verify endpoint strip added callback params (#368)
- proxy: use distinct host route for forward-auth handlers - proxy: have auth middleware set pomerium headers for request and response
This commit is contained in:
Bobby DeSimone
GitHub
parent
0e85b2b1cb
commit
7d7e997e79
7 changed files with 141 additions and 111 deletions
|
|
@ -16,8 +16,9 @@ import (
|
|||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
)
|
||||
|
||||
// registerHelperHandlers returns the proxy service's ServeMux
|
||||
func (p *Proxy) registerHelperHandlers(r *mux.Router) *mux.Router {
|
||||
// registerDashboardHandlers returns the proxy service's ServeMux
|
||||
func (p *Proxy) registerDashboardHandlers(r *mux.Router) *mux.Router {
|
||||
// dashboard subrouter
|
||||
h := r.PathPrefix(dashboardURL).Subrouter()
|
||||
// 1. Retrieve the user session and add it to the request context
|
||||
h.Use(sessions.RetrieveSession(p.sessionStore))
|
||||
|
|
@ -35,7 +36,6 @@ func (p *Proxy) registerHelperHandlers(r *mux.Router) *mux.Router {
|
|||
h.HandleFunc("/impersonate", p.Impersonate).Methods(http.MethodPost)
|
||||
h.HandleFunc("/sign_out", p.SignOut).Methods(http.MethodGet, http.MethodPost)
|
||||
h.HandleFunc("/refresh", p.ForceRefresh).Methods(http.MethodPost)
|
||||
h.HandleFunc("/verify", p.Verify).Queries("uri", "{uri}").Methods(http.MethodGet)
|
||||
return r
|
||||
}
|
||||
|
||||
|
|
@ -152,49 +152,87 @@ func (p *Proxy) Impersonate(w http.ResponseWriter, r *http.Request) {
|
|||
http.Redirect(w, r, dashboardURL, http.StatusFound)
|
||||
}
|
||||
|
||||
// Verify checks a user's credentials for an arbitrary host. If the user is
|
||||
// properly authenticated and is authorized to access the supplied host,
|
||||
// a 200 http status code is returned. If the user is not authenticated, they
|
||||
func (p *Proxy) registerFwdAuthHandlers() http.Handler {
|
||||
r := httputil.NewRouter()
|
||||
r.StrictSlash(true)
|
||||
r.Use(sessions.RetrieveSession(p.sessionStore))
|
||||
r.HandleFunc("/", p.VerifyAndSignin).Queries("uri", "{uri}").Methods(http.MethodGet)
|
||||
r.HandleFunc("/verify", p.VerifyOnly).Queries("uri", "{uri}").Methods(http.MethodGet)
|
||||
return r
|
||||
}
|
||||
|
||||
// VerifyAndSignin checks a user's credentials for an arbitrary host. If the user
|
||||
// is properly authenticated and is authorized to access the supplied host,
|
||||
// a `200` http status code is returned. If the user is not authenticated, they
|
||||
// will be redirected to the authenticate service to sign in with their identity
|
||||
// provider. If the user is unauthorized, they will be given a 403 http status.
|
||||
func (p *Proxy) Verify(w http.ResponseWriter, r *http.Request) {
|
||||
// provider. If the user is unauthorized, a `401` error is returned.
|
||||
func (p *Proxy) VerifyAndSignin(w http.ResponseWriter, r *http.Request) {
|
||||
uri, err := urlutil.ParseAndValidateURL(r.FormValue("uri"))
|
||||
if err != nil || uri.String() == "" {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("bad verification uri given", http.StatusBadRequest, nil))
|
||||
return
|
||||
}
|
||||
if err := p.authenticate(w, r); err != nil {
|
||||
uri := urlutil.SignedRedirectURL(p.SharedKey, p.authenticateSigninURL, urlutil.GetAbsoluteURL(r))
|
||||
http.Redirect(w, r, uri.String(), http.StatusFound)
|
||||
}
|
||||
if err := p.authorize(r, uri); err != nil {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusUnauthorized, err))
|
||||
return
|
||||
}
|
||||
// check the queryparams to see if this check immediately followed
|
||||
// authentication. If so, redirect back to the originally requested hostname.
|
||||
if isCallback := r.URL.Query().Get(callbackQueryParam); isCallback == "true" {
|
||||
q := uri.Query()
|
||||
q.Del(callbackQueryParam)
|
||||
uri.RawQuery = q.Encode()
|
||||
http.Redirect(w, r, uri.String(), http.StatusFound)
|
||||
return
|
||||
}
|
||||
|
||||
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
|
||||
}
|
||||
|
||||
// VerifyOnly checks a user's credentials for an arbitrary host. If the user
|
||||
// is properly authenticated and is authorized to access the supplied host,
|
||||
// a `200` http status code is returned otherwise a `401` error is returned.
|
||||
func (p *Proxy) VerifyOnly(w http.ResponseWriter, r *http.Request) {
|
||||
uri, err := urlutil.ParseAndValidateURL(r.FormValue("uri"))
|
||||
if err != nil || uri.String() == "" {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("bad verification uri given", http.StatusBadRequest, nil))
|
||||
return
|
||||
}
|
||||
if err := p.authenticate(w, r); err != nil {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusUnauthorized, err))
|
||||
return
|
||||
}
|
||||
if err := p.authorize(r, uri); err != nil {
|
||||
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusUnauthorized, err))
|
||||
return
|
||||
}
|
||||
|
||||
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}
|
||||
|
||||
func (p *Proxy) authorize(r *http.Request, uri *url.URL) error {
|
||||
// attempt to retrieve the user session from the request context, validity
|
||||
// of the identity session is asserted by the middleware chain
|
||||
s, err := sessions.FromContext(r.Context())
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(w, r, err)
|
||||
return
|
||||
return err
|
||||
}
|
||||
// query the authorization service to see if the session's user has
|
||||
// the appropriate authorization to access the given hostname
|
||||
authorized, err := p.AuthorizeClient.Authorize(r.Context(), uri.Host, s)
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(w, r, err)
|
||||
return
|
||||
return err
|
||||
} else if !authorized {
|
||||
errMsg := fmt.Sprintf("%s is not authorized for this route", s.RequestEmail())
|
||||
httputil.ErrorResponse(w, r, httputil.Error(errMsg, http.StatusForbidden, nil))
|
||||
return
|
||||
return fmt.Errorf("%s is not authorized for %s", s.RequestEmail(), uri.String())
|
||||
}
|
||||
// check the queryparams to see if this check immediately followed
|
||||
// authentication. If so, redirect back to the originally requested hostname.
|
||||
if isCallback := r.URL.Query().Get("pomerium-auth-callback"); isCallback == "true" {
|
||||
http.Redirect(w, r, uri.String(), http.StatusFound)
|
||||
return
|
||||
}
|
||||
|
||||
// User is authenticated and authorized for the given host.
|
||||
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.Header().Set(HeaderUserID, s.User)
|
||||
w.Header().Set(HeaderEmail, s.RequestEmail())
|
||||
w.Header().Set(HeaderGroups, s.RequestGroups())
|
||||
w.WriteHeader(http.StatusOK)
|
||||
fmt.Fprintf(w, "%s is authorized for %s.", s.Email, uri.String())
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue