mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-24 20:18:13 +02:00
authorize: use jwt insead of state struct (#514)
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy: move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone
GitHub
parent
a477af9378
commit
8d1732582e
61 changed files with 1083 additions and 1264 deletions
|
|
@ -4,15 +4,12 @@ import (
|
|||
"context"
|
||||
"errors"
|
||||
"net/http"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
)
|
||||
|
||||
// Context keys
|
||||
var (
|
||||
SessionCtxKey = &contextKey{"Session"}
|
||||
SessionJWTCtxKey = &contextKey{"SessionJWT"}
|
||||
ErrorCtxKey = &contextKey{"Error"}
|
||||
SessionCtxKey = &contextKey{"Session"}
|
||||
ErrorCtxKey = &contextKey{"Error"}
|
||||
)
|
||||
|
||||
// RetrieveSession takes a slice of session loaders and tries to find a valid
|
||||
|
|
@ -27,8 +24,8 @@ func retrieve(s ...SessionLoader) func(http.Handler) http.Handler {
|
|||
return func(next http.Handler) http.Handler {
|
||||
hfn := func(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
state, jwt, err := retrieveFromRequest(r, s...)
|
||||
ctx = NewContext(ctx, state, jwt, err)
|
||||
jwt, err := retrieveFromRequest(r, s...)
|
||||
ctx = NewContext(ctx, jwt, err)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
}
|
||||
return http.HandlerFunc(hfn)
|
||||
|
|
@ -37,36 +34,31 @@ func retrieve(s ...SessionLoader) func(http.Handler) http.Handler {
|
|||
|
||||
// retrieveFromRequest extracts sessions state from the request by calling
|
||||
// token find functions in the order they where provided.
|
||||
func retrieveFromRequest(r *http.Request, sessions ...SessionLoader) (*State, string, error) {
|
||||
func retrieveFromRequest(r *http.Request, sessions ...SessionLoader) (string, error) {
|
||||
for _, s := range sessions {
|
||||
state, jwt, err := s.LoadSession(r)
|
||||
jwt, err := s.LoadSession(r)
|
||||
if err != nil && !errors.Is(err, ErrNoSessionFound) {
|
||||
return state, jwt, err
|
||||
}
|
||||
if state != nil {
|
||||
//todo(bdd): have authz verify
|
||||
err := state.Verify(urlutil.StripPort(r.Host))
|
||||
return state, jwt, err // N.B.: state is _not_ nil
|
||||
return "", err
|
||||
} else if err == nil {
|
||||
return jwt, nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil, "", ErrNoSessionFound
|
||||
return "", ErrNoSessionFound
|
||||
}
|
||||
|
||||
// NewContext sets context values for the user session state and error.
|
||||
func NewContext(ctx context.Context, t *State, jwt string, err error) context.Context {
|
||||
ctx = context.WithValue(ctx, SessionCtxKey, t)
|
||||
ctx = context.WithValue(ctx, SessionJWTCtxKey, jwt)
|
||||
func NewContext(ctx context.Context, jwt string, err error) context.Context {
|
||||
ctx = context.WithValue(ctx, SessionCtxKey, jwt)
|
||||
ctx = context.WithValue(ctx, ErrorCtxKey, err)
|
||||
return ctx
|
||||
}
|
||||
|
||||
// FromContext retrieves context values for the user session state and error.
|
||||
func FromContext(ctx context.Context) (*State, string, error) {
|
||||
state, _ := ctx.Value(SessionCtxKey).(*State)
|
||||
jwt, _ := ctx.Value(SessionJWTCtxKey).(string)
|
||||
func FromContext(ctx context.Context) (string, error) {
|
||||
jwt, _ := ctx.Value(SessionCtxKey).(string)
|
||||
err, _ := ctx.Value(ErrorCtxKey).(error)
|
||||
return state, jwt, err
|
||||
return jwt, err
|
||||
}
|
||||
|
||||
// contextKey is a value for use with context.WithValue. It's used as
|
||||
|
|
@ -75,7 +67,3 @@ func FromContext(ctx context.Context) (*State, string, error) {
|
|||
type contextKey struct {
|
||||
name string
|
||||
}
|
||||
|
||||
func (k *contextKey) String() string {
|
||||
return "context value " + k.name
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue