3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-28 22:19:20 +02:00
Code Issues Projects Releases Packages Wiki Activity

proxy: add support for /.pomerium/jwt (#1446)

Browse source
This commit is contained in:
Caleb Doxsey 2020-09-23 07:55:12 -06:00 committed by GitHub
parent 2364da14c8
commit 852c96f22f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 84 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

42
proxy/middleware.go
View file

@ -22,6 +22,28 @@ type authorizeResponse struct {
}
func (p *Proxy) isAuthorized(w http.ResponseWriter, r *http.Request) (*authorizeResponse, error) {
res, err := p.authorizeCheck(r)
if err != nil {
return nil, httputil.NewError(http.StatusInternalServerError, err)
}
ar := &authorizeResponse{}
switch res.HttpResponse.(type) {
case *envoy_service_auth_v2.CheckResponse_OkResponse:
for _, hdr := range res.GetOkResponse().GetHeaders() {
w.Header().Set(hdr.GetHeader().GetKey(), hdr.GetHeader().GetValue())
}
ar.authorized = true
ar.statusCode = res.GetStatus().Code
case *envoy_service_auth_v2.CheckResponse_DeniedResponse:
ar.statusCode = int32(res.GetDeniedResponse().GetStatus().Code)
default:
ar.statusCode = http.StatusInternalServerError
}
return ar, nil
}
func (p *Proxy) authorizeCheck(r *http.Request) (*envoy_service_auth_v2.CheckResponse, error) {
state := p.state.Load()
tm, err := ptypes.TimestampProto(time.Now())
@ -45,7 +67,7 @@ func (p *Proxy) isAuthorized(w http.ResponseWriter, r *http.Request) (*authorize
httpAttrs.Path += "?" + r.URL.RawQuery
}
res, err := state.authzClient.Check(r.Context(), &envoy_service_auth_v2.CheckRequest{
return state.authzClient.Check(r.Context(), &envoy_service_auth_v2.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{
Request: &envoy_service_auth_v2.AttributeContext_Request{
Time: tm,
@ -53,24 +75,6 @@ func (p *Proxy) isAuthorized(w http.ResponseWriter, r *http.Request) (*authorize
},
},
})
if err != nil {
return nil, httputil.NewError(http.StatusInternalServerError, err)
}
ar := &authorizeResponse{}
switch res.HttpResponse.(type) {
case *envoy_service_auth_v2.CheckResponse_OkResponse:
for _, hdr := range res.GetOkResponse().GetHeaders() {
w.Header().Set(hdr.GetHeader().GetKey(), hdr.GetHeader().GetValue())
}
ar.authorized = true
ar.statusCode = res.GetStatus().Code
case *envoy_service_auth_v2.CheckResponse_DeniedResponse:
ar.statusCode = int32(res.GetDeniedResponse().GetStatus().Code)
default:
ar.statusCode = http.StatusInternalServerError
}
return ar, nil
}
// jwtClaimMiddleware logs and propagates JWT claim information via request headers