core/proxy: support loading sessions from headers and query string (#5294)

core/proxy: support loading sessions from headers and query string (#5291)

* core/proxy: support loading sessions from headers and query string

* update test

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>

proxy/state.go

@@ -2,17 +2,11 @@ package proxy
 
 import (
 	"context"
-	"crypto/cipher"
 	"net/http"
 	"net/url"
 
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/authenticateflow"
-	"github.com/pomerium/pomerium/internal/encoding"
-	"github.com/pomerium/pomerium/internal/encoding/jws"
-	"github.com/pomerium/pomerium/internal/sessions"
-	"github.com/pomerium/pomerium/internal/sessions/cookie"
-	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
@@ -25,24 +19,16 @@ type authenticateFlow interface {
 }
 
 type proxyState struct {
-	sharedKey    []byte
-	sharedCipher cipher.AEAD
-
 	authenticateURL          *url.URL
 	authenticateDashboardURL *url.URL
 	authenticateSigninURL    *url.URL
 	authenticateRefreshURL   *url.URL
 
-	encoder         encoding.MarshalUnmarshaler
-	cookieSecret    []byte
-	sessionStore    sessions.SessionStore
-	jwtClaimHeaders config.JWTClaimHeaders
-
-	dataBrokerClient databroker.DataBrokerServiceClient
-
+	sharedKey                           []byte
+	sessionStore                        *config.SessionStore
+	dataBrokerClient                    databroker.DataBrokerServiceClient
 	programmaticRedirectDomainWhitelist []string
-
-	authenticateFlow authenticateFlow
+	authenticateFlow                    authenticateFlow
 }
 
 func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
@@ -53,49 +39,20 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 
 	state := new(proxyState)
 
+	state.authenticateURL, err = cfg.Options.GetAuthenticateURL()
+	if err != nil {
+		return nil, err
+	}
+	state.authenticateDashboardURL = state.authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
+	state.authenticateSigninURL = state.authenticateURL.ResolveReference(&url.URL{Path: signinURL})
+	state.authenticateRefreshURL = state.authenticateURL.ResolveReference(&url.URL{Path: refreshURL})
+
 	state.sharedKey, err = cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, err
 	}
 
-	state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
-	if err != nil {
-		return nil, err
-	}
-
-	state.cookieSecret, err = cfg.Options.GetCookieSecret()
-	if err != nil {
-		return nil, err
-	}
-
-	// used to load and verify JWT tokens signed by the authenticate service
-	state.encoder, err = jws.NewHS256Signer(state.sharedKey)
-	if err != nil {
-		return nil, err
-	}
-
-	state.jwtClaimHeaders = cfg.Options.JWTClaimsHeaders
-
-	// errors checked in ValidateOptions
-	state.authenticateURL, err = cfg.Options.GetAuthenticateURL()
-	if err != nil {
-		return nil, err
-	}
-
-	state.authenticateDashboardURL = state.authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
-	state.authenticateSigninURL = state.authenticateURL.ResolveReference(&url.URL{Path: signinURL})
-	state.authenticateRefreshURL = state.authenticateURL.ResolveReference(&url.URL{Path: refreshURL})
-
-	state.sessionStore, err = cookie.NewStore(func() cookie.Options {
-		return cookie.Options{
-			Name:     cfg.Options.CookieName,
-			Domain:   cfg.Options.CookieDomain,
-			Secure:   true,
-			HTTPOnly: cfg.Options.CookieHTTPOnly,
-			Expire:   cfg.Options.CookieExpire,
-			SameSite: cfg.Options.GetCookieSameSite(),
-		}
-	}, state.encoder)
+	state.sessionStore, err = config.NewSessionStore(cfg.Options)
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +66,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	if err != nil {
 		return nil, err
 	}
-
 	state.dataBrokerClient = databroker.NewDataBrokerServiceClient(dataBrokerConn)
 
 	state.programmaticRedirectDomainWhitelist = cfg.Options.ProgrammaticRedirectDomainWhitelist