core/proxy: support loading sessions from headers and query string (#5294)

core/proxy: support loading sessions from headers and query string (#5291)

* core/proxy: support loading sessions from headers and query string

* update test

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
This commit is contained in:
backport-actions-token[bot] 2024-09-19 12:03:58 -06:00 committed by GitHub
parent 3dadcf1825
commit 8b6dc27a01
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 136 additions and 104 deletions

View file

@ -6,11 +6,8 @@ import (
"github.com/pomerium/csrf"
"github.com/pomerium/datasource/pkg/directory"
"github.com/pomerium/pomerium/internal/encoding/jws"
"github.com/pomerium/pomerium/internal/handlers"
"github.com/pomerium/pomerium/internal/handlers/webauthn"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/sessions"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
"github.com/pomerium/pomerium/pkg/grpc/session"
@ -31,33 +28,12 @@ func (p *Proxy) getSession(ctx context.Context, sessionID string) (s *session.Se
return s, isImpersonated, err
}
func (p *Proxy) getSessionState(r *http.Request) (sessions.State, error) {
state := p.state.Load()
rawJWT, err := state.sessionStore.LoadSession(r)
if err != nil {
return sessions.State{}, err
}
encoder, err := jws.NewHS256Signer(state.sharedKey)
if err != nil {
return sessions.State{}, err
}
var sessionState sessions.State
if err := encoder.Unmarshal([]byte(rawJWT), &sessionState); err != nil {
return sessions.State{}, httputil.NewError(http.StatusBadRequest, err)
}
return sessionState, nil
}
func (p *Proxy) getUser(ctx context.Context, userID string) (*user.User, error) {
client := p.state.Load().dataBrokerClient
return user.Get(ctx, client, userID)
}
func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error) {
func (p *Proxy) getUserInfoData(r *http.Request) handlers.UserInfoData {
options := p.currentOptions.Load()
state := p.state.Load()
@ -66,7 +42,7 @@ func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error)
BrandingOptions: options.BrandingOptions,
}
ss, err := p.getSessionState(r)
ss, err := p.state.Load().sessionStore.LoadSessionState(r)
if err == nil {
data.Session, data.IsImpersonated, err = p.getSession(r.Context(), ss.ID)
if err != nil {
@ -82,7 +58,7 @@ func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error)
data.WebAuthnCreationOptions, data.WebAuthnRequestOptions, _ = p.webauthn.GetOptions(r)
data.WebAuthnURL = urlutil.WebAuthnURL(r, urlutil.GetAbsoluteURL(r), state.sharedKey, r.URL.Query())
p.fillEnterpriseUserInfoData(r.Context(), &data)
return data, nil
return data
}
func (p *Proxy) fillEnterpriseUserInfoData(ctx context.Context, data *handlers.UserInfoData) {
@ -109,7 +85,7 @@ func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) {
options := p.currentOptions.Load()
state := p.state.Load()
ss, err := p.getSessionState(r)
ss, err := p.state.Load().sessionStore.LoadSessionState(r)
if err != nil {
return nil, err
}
@ -135,7 +111,7 @@ func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) {
SharedKey: state.sharedKey,
Client: state.dataBrokerClient,
Session: s,
SessionState: &ss,
SessionState: ss,
SessionStore: state.sessionStore,
RelyingParty: webauthnutil.GetRelyingParty(r, state.dataBrokerClient),
BrandingOptions: options.BrandingOptions,

View file

@ -80,19 +80,13 @@ func (p *Proxy) SignOut(w http.ResponseWriter, r *http.Request) error {
}
func (p *Proxy) userInfo(w http.ResponseWriter, r *http.Request) error {
data, err := p.getUserInfoData(r)
if err != nil {
return err
}
data := p.getUserInfoData(r)
handlers.UserInfo(data).ServeHTTP(w, r)
return nil
}
func (p *Proxy) deviceEnrolled(w http.ResponseWriter, r *http.Request) error {
data, err := p.getUserInfoData(r)
if err != nil {
return err
}
data := p.getUserInfoData(r)
handlers.DeviceEnrolled(data).ServeHTTP(w, r)
return nil
}

View file

@ -15,7 +15,9 @@ import (
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/atomicutil"
"github.com/pomerium/pomerium/internal/encoding/jws"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/sessions"
"github.com/pomerium/pomerium/internal/urlutil"
)
@ -260,3 +262,78 @@ func TestProxy_registerDashboardHandlers_jwtEndpoint(t *testing.T) {
assert.Equal(t, rawJWT, string(b))
})
}
func TestLoadSessionState(t *testing.T) {
t.Parallel()
t.Run("no session", func(t *testing.T) {
t.Parallel()
opts := testOptions(t)
proxy, err := New(&config.Config{Options: opts})
require.NoError(t, err)
r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
w := httptest.NewRecorder()
proxy.ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
assert.Contains(t, w.Body.String(), "window.POMERIUM_DATA")
assert.NotContains(t, w.Body.String(), "___SESSION_ID___")
})
t.Run("cookie session", func(t *testing.T) {
t.Parallel()
opts := testOptions(t)
proxy, err := New(&config.Config{Options: opts})
require.NoError(t, err)
session := encodeSession(t, opts, &sessions.State{
ID: "___SESSION_ID___",
})
r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
r.AddCookie(&http.Cookie{
Name: opts.CookieName,
Domain: opts.CookieDomain,
Value: session,
})
w := httptest.NewRecorder()
proxy.ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
assert.Contains(t, w.Body.String(), "___SESSION_ID___")
})
t.Run("header session", func(t *testing.T) {
t.Parallel()
opts := testOptions(t)
proxy, err := New(&config.Config{Options: opts})
require.NoError(t, err)
session := encodeSession(t, opts, &sessions.State{
ID: "___SESSION_ID___",
})
r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
r.Header.Set("Authorization", "Bearer Pomerium-"+session)
w := httptest.NewRecorder()
proxy.ServeHTTP(w, r)
assert.Equal(t, http.StatusOK, w.Code)
assert.Contains(t, w.Body.String(), "___SESSION_ID___")
})
}
func encodeSession(t *testing.T, opts *config.Options, state *sessions.State) string {
sharedKey, err := opts.GetSharedKey()
require.NoError(t, err)
encoder, err := jws.NewHS256Signer(sharedKey)
require.NoError(t, err)
sessionBS, err := encoder.Marshal(state)
require.NoError(t, err)
return string(sessionBS)
}

View file

@ -71,6 +71,7 @@ func New(cfg *config.Config) (*Proxy, error) {
currentOptions: config.NewAtomicOptions(),
currentRouter: atomicutil.NewValue(httputil.NewRouter()),
}
p.OnConfigChange(context.Background(), cfg)
p.webauthn = webauthn.New(p.getWebauthnState)
metrics.AddPolicyCountCallback("pomerium-proxy", func() int64 {

View file

@ -2,17 +2,11 @@ package proxy
import (
"context"
"crypto/cipher"
"net/http"
"net/url"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/authenticateflow"
"github.com/pomerium/pomerium/internal/encoding"
"github.com/pomerium/pomerium/internal/encoding/jws"
"github.com/pomerium/pomerium/internal/sessions"
"github.com/pomerium/pomerium/internal/sessions/cookie"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
)
@ -25,24 +19,16 @@ type authenticateFlow interface {
}
type proxyState struct {
sharedKey []byte
sharedCipher cipher.AEAD
authenticateURL *url.URL
authenticateDashboardURL *url.URL
authenticateSigninURL *url.URL
authenticateRefreshURL *url.URL
encoder encoding.MarshalUnmarshaler
cookieSecret []byte
sessionStore sessions.SessionStore
jwtClaimHeaders config.JWTClaimHeaders
dataBrokerClient databroker.DataBrokerServiceClient
sharedKey []byte
sessionStore *config.SessionStore
dataBrokerClient databroker.DataBrokerServiceClient
programmaticRedirectDomainWhitelist []string
authenticateFlow authenticateFlow
authenticateFlow authenticateFlow
}
func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
@ -53,49 +39,20 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
state := new(proxyState)
state.authenticateURL, err = cfg.Options.GetAuthenticateURL()
if err != nil {
return nil, err
}
state.authenticateDashboardURL = state.authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
state.authenticateSigninURL = state.authenticateURL.ResolveReference(&url.URL{Path: signinURL})
state.authenticateRefreshURL = state.authenticateURL.ResolveReference(&url.URL{Path: refreshURL})
state.sharedKey, err = cfg.Options.GetSharedKey()
if err != nil {
return nil, err
}
state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
if err != nil {
return nil, err
}
state.cookieSecret, err = cfg.Options.GetCookieSecret()
if err != nil {
return nil, err
}
// used to load and verify JWT tokens signed by the authenticate service
state.encoder, err = jws.NewHS256Signer(state.sharedKey)
if err != nil {
return nil, err
}
state.jwtClaimHeaders = cfg.Options.JWTClaimsHeaders
// errors checked in ValidateOptions
state.authenticateURL, err = cfg.Options.GetAuthenticateURL()
if err != nil {
return nil, err
}
state.authenticateDashboardURL = state.authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
state.authenticateSigninURL = state.authenticateURL.ResolveReference(&url.URL{Path: signinURL})
state.authenticateRefreshURL = state.authenticateURL.ResolveReference(&url.URL{Path: refreshURL})
state.sessionStore, err = cookie.NewStore(func() cookie.Options {
return cookie.Options{
Name: cfg.Options.CookieName,
Domain: cfg.Options.CookieDomain,
Secure: true,
HTTPOnly: cfg.Options.CookieHTTPOnly,
Expire: cfg.Options.CookieExpire,
SameSite: cfg.Options.GetCookieSameSite(),
}
}, state.encoder)
state.sessionStore, err = config.NewSessionStore(cfg.Options)
if err != nil {
return nil, err
}
@ -109,7 +66,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
if err != nil {
return nil, err
}
state.dataBrokerClient = databroker.NewDataBrokerServiceClient(dataBrokerConn)
state.programmaticRedirectDomainWhitelist = cfg.Options.ProgrammaticRedirectDomainWhitelist