core/proxy: support loading sessions from headers and query string (#5294)

core/proxy: support loading sessions from headers and query string (#5291) * core/proxy: support loading sessions from headers and query string * update test Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2025-07-23 11:39:32 +02:00 · 2024-09-19 12:03:58 -06:00 · 2024-09-19 12:03:58 -06:00 · 8b6dc27a01
commit 8b6dc27a01
parent 3dadcf1825
8 changed files with 136 additions and 104 deletions
--- a/proxy/data.go
+++ b/proxy/data.go
@ -6,11 +6,8 @@ import (

 	"github.com/pomerium/csrf"
 	"github.com/pomerium/datasource/pkg/directory"
-	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/handlers"
 	"github.com/pomerium/pomerium/internal/handlers/webauthn"
-	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
@ -31,33 +28,12 @@ func (p *Proxy) getSession(ctx context.Context, sessionID string) (s *session.Se
 	return s, isImpersonated, err
 }

-func (p *Proxy) getSessionState(r *http.Request) (sessions.State, error) {
-	state := p.state.Load()
-
-	rawJWT, err := state.sessionStore.LoadSession(r)
-	if err != nil {
-		return sessions.State{}, err
-	}
-
-	encoder, err := jws.NewHS256Signer(state.sharedKey)
-	if err != nil {
-		return sessions.State{}, err
-	}
-
-	var sessionState sessions.State
-	if err := encoder.Unmarshal([]byte(rawJWT), &sessionState); err != nil {
-		return sessions.State{}, httputil.NewError(http.StatusBadRequest, err)
-	}
-
-	return sessionState, nil
-}
-
 func (p *Proxy) getUser(ctx context.Context, userID string) (*user.User, error) {
 	client := p.state.Load().dataBrokerClient
 	return user.Get(ctx, client, userID)
 }

-func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error) {
+func (p *Proxy) getUserInfoData(r *http.Request) handlers.UserInfoData {
 	options := p.currentOptions.Load()
 	state := p.state.Load()

@ -66,7 +42,7 @@ func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error)
 		BrandingOptions: options.BrandingOptions,
 	}

-	ss, err := p.getSessionState(r)
+	ss, err := p.state.Load().sessionStore.LoadSessionState(r)
 	if err == nil {
 		data.Session, data.IsImpersonated, err = p.getSession(r.Context(), ss.ID)
 		if err != nil {
@ -82,7 +58,7 @@ func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error)
 	data.WebAuthnCreationOptions, data.WebAuthnRequestOptions, _ = p.webauthn.GetOptions(r)
 	data.WebAuthnURL = urlutil.WebAuthnURL(r, urlutil.GetAbsoluteURL(r), state.sharedKey, r.URL.Query())
 	p.fillEnterpriseUserInfoData(r.Context(), &data)
-	return data, nil
+	return data
 }

 func (p *Proxy) fillEnterpriseUserInfoData(ctx context.Context, data *handlers.UserInfoData) {
@ -109,7 +85,7 @@ func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) {
 	options := p.currentOptions.Load()
 	state := p.state.Load()

-	ss, err := p.getSessionState(r)
+	ss, err := p.state.Load().sessionStore.LoadSessionState(r)
 	if err != nil {
 		return nil, err
 	}
@ -135,7 +111,7 @@ func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) {
 		SharedKey:               state.sharedKey,
 		Client:                  state.dataBrokerClient,
 		Session:                 s,
-		SessionState:            &ss,
+		SessionState:            ss,
 		SessionStore:            state.sessionStore,
 		RelyingParty:            webauthnutil.GetRelyingParty(r, state.dataBrokerClient),
 		BrandingOptions:         options.BrandingOptions,
--- a/proxy/handlers.go
+++ b/proxy/handlers.go
@ -80,19 +80,13 @@ func (p *Proxy) SignOut(w http.ResponseWriter, r *http.Request) error {
 }

 func (p *Proxy) userInfo(w http.ResponseWriter, r *http.Request) error {
-	data, err := p.getUserInfoData(r)
-	if err != nil {
-		return err
-	}
+	data := p.getUserInfoData(r)
 	handlers.UserInfo(data).ServeHTTP(w, r)
 	return nil
 }

 func (p *Proxy) deviceEnrolled(w http.ResponseWriter, r *http.Request) error {
-	data, err := p.getUserInfoData(r)
-	if err != nil {
-		return err
-	}
+	data := p.getUserInfoData(r)
 	handlers.DeviceEnrolled(data).ServeHTTP(w, r)
 	return nil
 }
--- a/proxy/handlers_test.go
+++ b/proxy/handlers_test.go
@ -15,7 +15,9 @@ import (

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
+	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/urlutil"
 )

@ -260,3 +262,78 @@ func TestProxy_registerDashboardHandlers_jwtEndpoint(t *testing.T) {
 		assert.Equal(t, rawJWT, string(b))
 	})
 }
+
+func TestLoadSessionState(t *testing.T) {
+	t.Parallel()
+
+	t.Run("no session", func(t *testing.T) {
+		t.Parallel()
+
+		opts := testOptions(t)
+		proxy, err := New(&config.Config{Options: opts})
+		require.NoError(t, err)
+
+		r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
+		w := httptest.NewRecorder()
+		proxy.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "window.POMERIUM_DATA")
+		assert.NotContains(t, w.Body.String(), "___SESSION_ID___")
+	})
+	t.Run("cookie session", func(t *testing.T) {
+		t.Parallel()
+
+		opts := testOptions(t)
+		proxy, err := New(&config.Config{Options: opts})
+		require.NoError(t, err)
+
+		session := encodeSession(t, opts, &sessions.State{
+			ID: "___SESSION_ID___",
+		})
+
+		r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
+		r.AddCookie(&http.Cookie{
+			Name:   opts.CookieName,
+			Domain: opts.CookieDomain,
+			Value:  session,
+		})
+		w := httptest.NewRecorder()
+		proxy.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "___SESSION_ID___")
+	})
+	t.Run("header session", func(t *testing.T) {
+		t.Parallel()
+
+		opts := testOptions(t)
+		proxy, err := New(&config.Config{Options: opts})
+		require.NoError(t, err)
+
+		session := encodeSession(t, opts, &sessions.State{
+			ID: "___SESSION_ID___",
+		})
+
+		r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
+		r.Header.Set("Authorization", "Bearer Pomerium-"+session)
+		w := httptest.NewRecorder()
+		proxy.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "___SESSION_ID___")
+	})
+}
+
+func encodeSession(t *testing.T, opts *config.Options, state *sessions.State) string {
+	sharedKey, err := opts.GetSharedKey()
+	require.NoError(t, err)
+
+	encoder, err := jws.NewHS256Signer(sharedKey)
+	require.NoError(t, err)
+
+	sessionBS, err := encoder.Marshal(state)
+	require.NoError(t, err)
+
+	return string(sessionBS)
+}
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@ -71,6 +71,7 @@ func New(cfg *config.Config) (*Proxy, error) {
 		currentOptions: config.NewAtomicOptions(),
 		currentRouter:  atomicutil.NewValue(httputil.NewRouter()),
 	}
+	p.OnConfigChange(context.Background(), cfg)
 	p.webauthn = webauthn.New(p.getWebauthnState)

 	metrics.AddPolicyCountCallback("pomerium-proxy", func() int64 {
--- a/proxy/state.go
+++ b/proxy/state.go
@ -2,17 +2,11 @@ package proxy

 import (
 	"context"
-	"crypto/cipher"
 	"net/http"
 	"net/url"

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/authenticateflow"
-	"github.com/pomerium/pomerium/internal/encoding"
-	"github.com/pomerium/pomerium/internal/encoding/jws"
-	"github.com/pomerium/pomerium/internal/sessions"
-	"github.com/pomerium/pomerium/internal/sessions/cookie"
-	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
@ -25,24 +19,16 @@ type authenticateFlow interface {
 }

 type proxyState struct {
-	sharedKey    []byte
-	sharedCipher cipher.AEAD
-
 	authenticateURL          *url.URL
 	authenticateDashboardURL *url.URL
 	authenticateSigninURL    *url.URL
 	authenticateRefreshURL   *url.URL

-	encoder         encoding.MarshalUnmarshaler
-	cookieSecret    []byte
-	sessionStore    sessions.SessionStore
-	jwtClaimHeaders config.JWTClaimHeaders
-
-	dataBrokerClient databroker.DataBrokerServiceClient
-
+	sharedKey                           []byte
+	sessionStore                        *config.SessionStore
+	dataBrokerClient                    databroker.DataBrokerServiceClient
 	programmaticRedirectDomainWhitelist []string
-
-	authenticateFlow authenticateFlow
+	authenticateFlow                    authenticateFlow
 }

 func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
@ -53,49 +39,20 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {

 	state := new(proxyState)

+	state.authenticateURL, err = cfg.Options.GetAuthenticateURL()
+	if err != nil {
+		return nil, err
+	}
+	state.authenticateDashboardURL = state.authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
+	state.authenticateSigninURL = state.authenticateURL.ResolveReference(&url.URL{Path: signinURL})
+	state.authenticateRefreshURL = state.authenticateURL.ResolveReference(&url.URL{Path: refreshURL})
+
 	state.sharedKey, err = cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, err
 	}

-	state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
-	if err != nil {
-		return nil, err
-	}
-
-	state.cookieSecret, err = cfg.Options.GetCookieSecret()
-	if err != nil {
-		return nil, err
-	}
-
-	// used to load and verify JWT tokens signed by the authenticate service
-	state.encoder, err = jws.NewHS256Signer(state.sharedKey)
-	if err != nil {
-		return nil, err
-	}
-
-	state.jwtClaimHeaders = cfg.Options.JWTClaimsHeaders
-
-	// errors checked in ValidateOptions
-	state.authenticateURL, err = cfg.Options.GetAuthenticateURL()
-	if err != nil {
-		return nil, err
-	}
-
-	state.authenticateDashboardURL = state.authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
-	state.authenticateSigninURL = state.authenticateURL.ResolveReference(&url.URL{Path: signinURL})
-	state.authenticateRefreshURL = state.authenticateURL.ResolveReference(&url.URL{Path: refreshURL})
-
-	state.sessionStore, err = cookie.NewStore(func() cookie.Options {
-		return cookie.Options{
-			Name:     cfg.Options.CookieName,
-			Domain:   cfg.Options.CookieDomain,
-			Secure:   true,
-			HTTPOnly: cfg.Options.CookieHTTPOnly,
-			Expire:   cfg.Options.CookieExpire,
-			SameSite: cfg.Options.GetCookieSameSite(),
-		}
-	}, state.encoder)
+	state.sessionStore, err = config.NewSessionStore(cfg.Options)
 	if err != nil {
 		return nil, err
 	}
@ -109,7 +66,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	if err != nil {
 		return nil, err
 	}
-
 	state.dataBrokerClient = databroker.NewDataBrokerServiceClient(dataBrokerConn)

 	state.programmaticRedirectDomainWhitelist = cfg.Options.ProgrammaticRedirectDomainWhitelist