mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-03 16:59:22 +02:00
authorize: use jwt insead of state struct (#514)
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy: move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone
GitHub
parent
a477af9378
commit
8d1732582e
61 changed files with 1083 additions and 1264 deletions
|
|
@ -11,7 +11,7 @@ import (
|
|||
|
||||
// IsAuthorized checks to see if a given user is authorized to make a request.
|
||||
func (a *Authorize) IsAuthorized(ctx context.Context, in *authorize.IsAuthorizedRequest) (*authorize.IsAuthorizedReply, error) {
|
||||
_, span := trace.StartSpan(ctx, "authorize.grpc.Authorize")
|
||||
ctx, span := trace.StartSpan(ctx, "authorize.grpc.IsAuthorized")
|
||||
defer span.End()
|
||||
|
||||
req := &evaluator.Request{
|
||||
|
|
@ -23,25 +23,7 @@ func (a *Authorize) IsAuthorized(ctx context.Context, in *authorize.IsAuthorized
|
|||
RemoteAddr: in.GetRequestRemoteAddr(),
|
||||
URL: in.GetRequestUrl(),
|
||||
}
|
||||
ok, err := a.pe.IsAuthorized(ctx, req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &authorize.IsAuthorizedReply{IsValid: ok}, nil
|
||||
}
|
||||
|
||||
// IsAdmin checks to see if a given user has super user privleges.
|
||||
func (a *Authorize) IsAdmin(ctx context.Context, in *authorize.IsAdminRequest) (*authorize.IsAdminReply, error) {
|
||||
_, span := trace.StartSpan(ctx, "authorize.grpc.IsAdmin")
|
||||
defer span.End()
|
||||
req := &evaluator.Request{
|
||||
User: in.GetUserToken(),
|
||||
}
|
||||
ok, err := a.pe.IsAdmin(ctx, req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &authorize.IsAdminReply{IsValid: ok}, nil
|
||||
return a.pe.IsAuthorized(ctx, req)
|
||||
}
|
||||
|
||||
type protoHeader map[string]*authorize.IsAuthorizedRequest_Headers
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue