authorize: use jwt insead of state struct (#514)

authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

internal/sessions/middleware_test.go

@@ -1,4 +1,4 @@
-package sessions
+package sessions_test
 
 import (
 	"context"
@@ -11,22 +11,40 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"gopkg.in/square/go-jose.v2/jwt"
+
+	"github.com/pomerium/pomerium/internal/cryptutil"
+	"github.com/pomerium/pomerium/internal/encoding/jws"
+	"github.com/pomerium/pomerium/internal/sessions"
+	"github.com/pomerium/pomerium/internal/sessions/mock"
 )
 
 func TestNewContext(t *testing.T) {
 	tests := []struct {
 		name string
 		ctx  context.Context
-		t    *State
+		t    *sessions.State
 		err  error
 		want context.Context
 	}{
-		{"simple", context.Background(), &State{Email: "bdd@pomerium.io"}, nil, nil},
+		{"simple", context.Background(), &sessions.State{Email: "bdd@pomerium.io"}, nil, nil},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ctxOut := NewContext(tt.ctx, tt.t, "", tt.err)
-			stateOut, _, errOut := FromContext(ctxOut)
+			signer, err := jws.NewHS256Signer(cryptutil.NewKey(), "issuer")
+			if err != nil {
+				t.Fatal(err)
+			}
+			jwt, err := signer.Marshal(tt.t)
+			if err != nil {
+				t.Fatal(err)
+			}
+			ctxOut := sessions.NewContext(tt.ctx, string(jwt), tt.err)
+			out, errOut := sessions.FromContext(ctxOut)
+			var stateOut sessions.State
+			err = signer.Unmarshal([]byte(out), &stateOut)
+			if err != nil {
+				t.Fatal(err)
+			}
 			if diff := cmp.Diff(tt.t.Email, stateOut.Email); diff != "" {
 				t.Errorf("NewContext() = %s", diff)
 			}
@@ -37,29 +55,9 @@ func TestNewContext(t *testing.T) {
 	}
 }
 
-func Test_contextKey_String(t *testing.T) {
-	tests := []struct {
-		name    string
-		keyName string
-		want    string
-	}{
-		{"simple example", "test", "context value test"},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			k := &contextKey{
-				name: tt.keyName,
-			}
-			if got := k.String(); got != tt.want {
-				t.Errorf("contextKey.String() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
 func testAuthorizer(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		_, _, err := FromContext(r.Context())
+		_, err := sessions.FromContext(r.Context())
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusUnauthorized)
 			return
@@ -68,31 +66,6 @@ func testAuthorizer(next http.Handler) http.Handler {
 	})
 }
 
-var _ SessionStore = &store{}
-
-// Store is a mock implementation of the SessionStore interface
-type store struct {
-	ResponseSession string
-	Session         *State
-	SaveError       error
-	LoadError       error
-}
-
-// ClearSession clears the ResponseSession
-func (ms *store) ClearSession(http.ResponseWriter, *http.Request) {
-	ms.ResponseSession = ""
-}
-
-// LoadSession returns the session and a error
-func (ms store) LoadSession(*http.Request) (*State, string, error) {
-	return ms.Session, "", ms.LoadError
-}
-
-// SaveSession returns a save error.
-func (ms store) SaveSession(http.ResponseWriter, *http.Request, interface{}) error {
-	return ms.SaveError
-}
-
 func TestVerifier(t *testing.T) {
 	fnh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
@@ -102,14 +75,13 @@ func TestVerifier(t *testing.T) {
 
 	tests := []struct {
 		name       string
-		store      store
-		state      State
-		wantBody   string
+		store      mock.Store
+		state      sessions.State
 		wantStatus int
 	}{
-		{"empty session", store{}, State{}, "internal/sessions: session is not found\n", 401},
-		{"simple good load", store{Session: &State{Subject: "hi", Expiry: jwt.NewNumericDate(time.Now().Add(time.Second))}}, State{}, "OK", 200},
-		{"empty session", store{LoadError: errors.New("err")}, State{}, "err\n", 401},
+		{"empty session", mock.Store{LoadError: sessions.ErrNoSessionFound}, sessions.State{}, 401},
+		{"simple good load", mock.Store{Session: &sessions.State{Subject: "hi", Expiry: jwt.NewNumericDate(time.Now().Add(time.Second))}}, sessions.State{}, 200},
+		{"session error", mock.Store{LoadError: errors.New("err")}, sessions.State{}, 401},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -118,15 +90,11 @@ func TestVerifier(t *testing.T) {
 			r.Header.Set("Accept", "application/json")
 			w := httptest.NewRecorder()
 
-			got := RetrieveSession(tt.store)(testAuthorizer((fnh)))
+			got := sessions.RetrieveSession(tt.store)(testAuthorizer((fnh)))
 			got.ServeHTTP(w, r)
 
-			gotBody := w.Body.String()
 			gotStatus := w.Result().StatusCode
 
-			if diff := cmp.Diff(gotBody, tt.wantBody); diff != "" {
-				t.Errorf("RetrieveSession() = %v", diff)
-			}
 			if diff := cmp.Diff(gotStatus, tt.wantStatus); diff != "" {
 				t.Errorf("RetrieveSession() = %v", diff)
 			}