3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-01 10:22:43 +02:00
Code Issues Projects Releases Packages Wiki Activity

config: support files for shared_secret, client_secret, cookie_secret and signing_key (#3453)

Browse source
This commit is contained in:
Caleb Doxsey 2022-06-29 10:44:08 -06:00 committed by GitHub
parent 1eca93cc75
commit 86625a4ddb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 136 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

6
authenticate/authenticate.go
View file

@ -23,7 +23,11 @@ func ValidateOptions(o *config.Options) error {
if _, err := cryptutil.NewAEADCipher(sharedKey); err != nil {
return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %w", err)
}
if _, err := cryptutil.NewAEADCipherFromBase64(o.CookieSecret); err != nil {
cookieSecret, err := o.GetCookieSecret()
if err != nil {
return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid: %w", err)
}
if _, err := cryptutil.NewAEADCipher(cookieSecret); err != nil {
return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid %w", err)
}
if o.AuthenticateCallbackPath == "" {

5
authenticate/identity.go
View file

@ -19,7 +19,10 @@ func defaultGetIdentityProvider(options *config.Options, idpID string) (identity
}
redirectURL.Path = options.AuthenticateCallbackPath
idp := options.GetIdentityProviderForID(idpID)
idp, err := options.GetIdentityProviderForID(idpID)
if err != nil {
return nil, err
}
return identity.NewAuthenticator(oauth.Options{
RedirectURL: redirectURL,
ProviderName: idp.GetType(),

8
authenticate/state.go
View file

@ -101,7 +101,7 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err
}
// private state encoder setup, used to encrypt oauth2 tokens
state.cookieSecret, err = base64.StdEncoding.DecodeString(cfg.Options.CookieSecret)
state.cookieSecret, err = cfg.Options.GetCookieSecret()
if err != nil {
return nil, err
}
@ -131,7 +131,11 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err
state.sessionStore = cookieStore
state.sessionLoaders = []sessions.SessionLoader{headerStore, cookieStore}
state.jwk = new(jose.JSONWebKeySet)
if cfg.Options.SigningKey != "" {
signingKey, err := cfg.Options.GetSigningKey()
if err != nil {
return nil, err
}
if signingKey != "" {
decodedCert, err := base64.StdEncoding.DecodeString(cfg.Options.SigningKey)
if err != nil {
return nil, fmt.Errorf("authenticate: failed to decode signing key: %w", err)