mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-23 11:39:32 +02:00
core/proxy: support loading sessions from headers and query string (#5294)
core/proxy: support loading sessions from headers and query string (#5291) * core/proxy: support loading sessions from headers and query string * update test Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
This commit is contained in:
parent
3dadcf1825
commit
8b6dc27a01
8 changed files with 136 additions and 104 deletions
|
@ -6,11 +6,8 @@ import (
|
|||
|
||||
"github.com/pomerium/csrf"
|
||||
"github.com/pomerium/datasource/pkg/directory"
|
||||
"github.com/pomerium/pomerium/internal/encoding/jws"
|
||||
"github.com/pomerium/pomerium/internal/handlers"
|
||||
"github.com/pomerium/pomerium/internal/handlers/webauthn"
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
|
@ -31,33 +28,12 @@ func (p *Proxy) getSession(ctx context.Context, sessionID string) (s *session.Se
|
|||
return s, isImpersonated, err
|
||||
}
|
||||
|
||||
func (p *Proxy) getSessionState(r *http.Request) (sessions.State, error) {
|
||||
state := p.state.Load()
|
||||
|
||||
rawJWT, err := state.sessionStore.LoadSession(r)
|
||||
if err != nil {
|
||||
return sessions.State{}, err
|
||||
}
|
||||
|
||||
encoder, err := jws.NewHS256Signer(state.sharedKey)
|
||||
if err != nil {
|
||||
return sessions.State{}, err
|
||||
}
|
||||
|
||||
var sessionState sessions.State
|
||||
if err := encoder.Unmarshal([]byte(rawJWT), &sessionState); err != nil {
|
||||
return sessions.State{}, httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
|
||||
return sessionState, nil
|
||||
}
|
||||
|
||||
func (p *Proxy) getUser(ctx context.Context, userID string) (*user.User, error) {
|
||||
client := p.state.Load().dataBrokerClient
|
||||
return user.Get(ctx, client, userID)
|
||||
}
|
||||
|
||||
func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error) {
|
||||
func (p *Proxy) getUserInfoData(r *http.Request) handlers.UserInfoData {
|
||||
options := p.currentOptions.Load()
|
||||
state := p.state.Load()
|
||||
|
||||
|
@ -66,7 +42,7 @@ func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error)
|
|||
BrandingOptions: options.BrandingOptions,
|
||||
}
|
||||
|
||||
ss, err := p.getSessionState(r)
|
||||
ss, err := p.state.Load().sessionStore.LoadSessionState(r)
|
||||
if err == nil {
|
||||
data.Session, data.IsImpersonated, err = p.getSession(r.Context(), ss.ID)
|
||||
if err != nil {
|
||||
|
@ -82,7 +58,7 @@ func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error)
|
|||
data.WebAuthnCreationOptions, data.WebAuthnRequestOptions, _ = p.webauthn.GetOptions(r)
|
||||
data.WebAuthnURL = urlutil.WebAuthnURL(r, urlutil.GetAbsoluteURL(r), state.sharedKey, r.URL.Query())
|
||||
p.fillEnterpriseUserInfoData(r.Context(), &data)
|
||||
return data, nil
|
||||
return data
|
||||
}
|
||||
|
||||
func (p *Proxy) fillEnterpriseUserInfoData(ctx context.Context, data *handlers.UserInfoData) {
|
||||
|
@ -109,7 +85,7 @@ func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) {
|
|||
options := p.currentOptions.Load()
|
||||
state := p.state.Load()
|
||||
|
||||
ss, err := p.getSessionState(r)
|
||||
ss, err := p.state.Load().sessionStore.LoadSessionState(r)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -135,7 +111,7 @@ func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) {
|
|||
SharedKey: state.sharedKey,
|
||||
Client: state.dataBrokerClient,
|
||||
Session: s,
|
||||
SessionState: &ss,
|
||||
SessionState: ss,
|
||||
SessionStore: state.sessionStore,
|
||||
RelyingParty: webauthnutil.GetRelyingParty(r, state.dataBrokerClient),
|
||||
BrandingOptions: options.BrandingOptions,
|
||||
|
|
|
@ -80,19 +80,13 @@ func (p *Proxy) SignOut(w http.ResponseWriter, r *http.Request) error {
|
|||
}
|
||||
|
||||
func (p *Proxy) userInfo(w http.ResponseWriter, r *http.Request) error {
|
||||
data, err := p.getUserInfoData(r)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
data := p.getUserInfoData(r)
|
||||
handlers.UserInfo(data).ServeHTTP(w, r)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (p *Proxy) deviceEnrolled(w http.ResponseWriter, r *http.Request) error {
|
||||
data, err := p.getUserInfoData(r)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
data := p.getUserInfoData(r)
|
||||
handlers.DeviceEnrolled(data).ServeHTTP(w, r)
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -15,7 +15,9 @@ import (
|
|||
|
||||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/atomicutil"
|
||||
"github.com/pomerium/pomerium/internal/encoding/jws"
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
)
|
||||
|
||||
|
@ -260,3 +262,78 @@ func TestProxy_registerDashboardHandlers_jwtEndpoint(t *testing.T) {
|
|||
assert.Equal(t, rawJWT, string(b))
|
||||
})
|
||||
}
|
||||
|
||||
func TestLoadSessionState(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
t.Run("no session", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
opts := testOptions(t)
|
||||
proxy, err := New(&config.Config{Options: opts})
|
||||
require.NoError(t, err)
|
||||
|
||||
r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
|
||||
w := httptest.NewRecorder()
|
||||
proxy.ServeHTTP(w, r)
|
||||
|
||||
assert.Equal(t, http.StatusOK, w.Code)
|
||||
assert.Contains(t, w.Body.String(), "window.POMERIUM_DATA")
|
||||
assert.NotContains(t, w.Body.String(), "___SESSION_ID___")
|
||||
})
|
||||
t.Run("cookie session", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
opts := testOptions(t)
|
||||
proxy, err := New(&config.Config{Options: opts})
|
||||
require.NoError(t, err)
|
||||
|
||||
session := encodeSession(t, opts, &sessions.State{
|
||||
ID: "___SESSION_ID___",
|
||||
})
|
||||
|
||||
r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
|
||||
r.AddCookie(&http.Cookie{
|
||||
Name: opts.CookieName,
|
||||
Domain: opts.CookieDomain,
|
||||
Value: session,
|
||||
})
|
||||
w := httptest.NewRecorder()
|
||||
proxy.ServeHTTP(w, r)
|
||||
|
||||
assert.Equal(t, http.StatusOK, w.Code)
|
||||
assert.Contains(t, w.Body.String(), "___SESSION_ID___")
|
||||
})
|
||||
t.Run("header session", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
opts := testOptions(t)
|
||||
proxy, err := New(&config.Config{Options: opts})
|
||||
require.NoError(t, err)
|
||||
|
||||
session := encodeSession(t, opts, &sessions.State{
|
||||
ID: "___SESSION_ID___",
|
||||
})
|
||||
|
||||
r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
|
||||
r.Header.Set("Authorization", "Bearer Pomerium-"+session)
|
||||
w := httptest.NewRecorder()
|
||||
proxy.ServeHTTP(w, r)
|
||||
|
||||
assert.Equal(t, http.StatusOK, w.Code)
|
||||
assert.Contains(t, w.Body.String(), "___SESSION_ID___")
|
||||
})
|
||||
}
|
||||
|
||||
func encodeSession(t *testing.T, opts *config.Options, state *sessions.State) string {
|
||||
sharedKey, err := opts.GetSharedKey()
|
||||
require.NoError(t, err)
|
||||
|
||||
encoder, err := jws.NewHS256Signer(sharedKey)
|
||||
require.NoError(t, err)
|
||||
|
||||
sessionBS, err := encoder.Marshal(state)
|
||||
require.NoError(t, err)
|
||||
|
||||
return string(sessionBS)
|
||||
}
|
||||
|
|
|
@ -71,6 +71,7 @@ func New(cfg *config.Config) (*Proxy, error) {
|
|||
currentOptions: config.NewAtomicOptions(),
|
||||
currentRouter: atomicutil.NewValue(httputil.NewRouter()),
|
||||
}
|
||||
p.OnConfigChange(context.Background(), cfg)
|
||||
p.webauthn = webauthn.New(p.getWebauthnState)
|
||||
|
||||
metrics.AddPolicyCountCallback("pomerium-proxy", func() int64 {
|
||||
|
|
|
@ -2,17 +2,11 @@ package proxy
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/cipher"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/authenticateflow"
|
||||
"github.com/pomerium/pomerium/internal/encoding"
|
||||
"github.com/pomerium/pomerium/internal/encoding/jws"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/internal/sessions/cookie"
|
||||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||
"github.com/pomerium/pomerium/pkg/grpc"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
)
|
||||
|
@ -25,24 +19,16 @@ type authenticateFlow interface {
|
|||
}
|
||||
|
||||
type proxyState struct {
|
||||
sharedKey []byte
|
||||
sharedCipher cipher.AEAD
|
||||
|
||||
authenticateURL *url.URL
|
||||
authenticateDashboardURL *url.URL
|
||||
authenticateSigninURL *url.URL
|
||||
authenticateRefreshURL *url.URL
|
||||
|
||||
encoder encoding.MarshalUnmarshaler
|
||||
cookieSecret []byte
|
||||
sessionStore sessions.SessionStore
|
||||
jwtClaimHeaders config.JWTClaimHeaders
|
||||
|
||||
dataBrokerClient databroker.DataBrokerServiceClient
|
||||
|
||||
sharedKey []byte
|
||||
sessionStore *config.SessionStore
|
||||
dataBrokerClient databroker.DataBrokerServiceClient
|
||||
programmaticRedirectDomainWhitelist []string
|
||||
|
||||
authenticateFlow authenticateFlow
|
||||
authenticateFlow authenticateFlow
|
||||
}
|
||||
|
||||
func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
|
||||
|
@ -53,49 +39,20 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
|
|||
|
||||
state := new(proxyState)
|
||||
|
||||
state.authenticateURL, err = cfg.Options.GetAuthenticateURL()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
state.authenticateDashboardURL = state.authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
|
||||
state.authenticateSigninURL = state.authenticateURL.ResolveReference(&url.URL{Path: signinURL})
|
||||
state.authenticateRefreshURL = state.authenticateURL.ResolveReference(&url.URL{Path: refreshURL})
|
||||
|
||||
state.sharedKey, err = cfg.Options.GetSharedKey()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
state.cookieSecret, err = cfg.Options.GetCookieSecret()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// used to load and verify JWT tokens signed by the authenticate service
|
||||
state.encoder, err = jws.NewHS256Signer(state.sharedKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
state.jwtClaimHeaders = cfg.Options.JWTClaimsHeaders
|
||||
|
||||
// errors checked in ValidateOptions
|
||||
state.authenticateURL, err = cfg.Options.GetAuthenticateURL()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
state.authenticateDashboardURL = state.authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
|
||||
state.authenticateSigninURL = state.authenticateURL.ResolveReference(&url.URL{Path: signinURL})
|
||||
state.authenticateRefreshURL = state.authenticateURL.ResolveReference(&url.URL{Path: refreshURL})
|
||||
|
||||
state.sessionStore, err = cookie.NewStore(func() cookie.Options {
|
||||
return cookie.Options{
|
||||
Name: cfg.Options.CookieName,
|
||||
Domain: cfg.Options.CookieDomain,
|
||||
Secure: true,
|
||||
HTTPOnly: cfg.Options.CookieHTTPOnly,
|
||||
Expire: cfg.Options.CookieExpire,
|
||||
SameSite: cfg.Options.GetCookieSameSite(),
|
||||
}
|
||||
}, state.encoder)
|
||||
state.sessionStore, err = config.NewSessionStore(cfg.Options)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -109,7 +66,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
state.dataBrokerClient = databroker.NewDataBrokerServiceClient(dataBrokerConn)
|
||||
|
||||
state.programmaticRedirectDomainWhitelist = cfg.Options.ProgrammaticRedirectDomainWhitelist
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue