authorize: use jwt insead of state struct (#514)

authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-08-03 16:59:22 +02:00 · 2020-03-10 11:19:26 -07:00 · 2020-03-10 11:19:26 -07:00 · 8d1732582e
commit 8d1732582e
parent a477af9378
61 changed files with 1083 additions and 1264 deletions
--- a/authorize/authorize.go
+++ b/authorize/authorize.go
@ -4,8 +4,11 @@ package authorize // import "github.com/pomerium/pomerium/authorize"

 import (
 	"context"
+	"encoding/base64"
 	"fmt"

+	"gopkg.in/square/go-jose.v2"
+
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/authorize/evaluator/opa"
 	"github.com/pomerium/pomerium/config"
@ -48,12 +51,37 @@ func newPolicyEvaluator(opts *config.Options) (evaluator.Evaluator, error) {
 	ctx := context.Background()
 	ctx, span := trace.StartSpan(ctx, "authorize.newPolicyEvaluator")
 	defer span.End()
+	var jwk jose.JSONWebKey
+	if opts.SigningKey == "" {
+		key, err := cryptutil.NewSigningKey()
+		if err != nil {
+			return nil, fmt.Errorf("authorize: couldn't generate signing key: %w", err)
+		}
+		jwk.Key = key
+		pubKeyBytes, err := cryptutil.EncodePublicKey(&key.PublicKey)
+		if err != nil {
+			return nil, fmt.Errorf("authorize: encode public key: %w", err)
+		}
+		log.Info().Interface("PublicKey", pubKeyBytes).Msg("authorize: ecdsa public key")
+	} else {
+		decodedCert, err := base64.StdEncoding.DecodeString(opts.SigningKey)
+		if err != nil {
+			return nil, fmt.Errorf("authorize: failed to decode certificate cert %v: %w", decodedCert, err)
+		}
+		keyBytes, err := cryptutil.DecodePrivateKey((decodedCert))
+		if err != nil {
+			return nil, fmt.Errorf("authorize: couldn't generate signing key: %w", err)
+		}
+		jwk.Key = keyBytes
+	}

 	data := map[string]interface{}{
 		"shared_key":     opts.SharedKey,
 		"route_policies": opts.Policies,
 		"admins":         opts.Administrators,
+		"signing_key":    jwk,
 	}
+
 	return opa.New(ctx, &opa.Options{Data: data})
 }