authorize: use jwt insead of state struct (#514)

authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-07-31 23:41:09 +02:00 · 2020-03-10 11:19:26 -07:00 · 2020-03-10 11:19:26 -07:00 · 8d1732582e
commit 8d1732582e
parent a477af9378
61 changed files with 1083 additions and 1264 deletions
--- a/proxy/middleware.go
+++ b/proxy/middleware.go
@ -7,8 +7,10 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"strings"
+
+	"github.com/rs/zerolog"

-	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
@ -16,17 +18,6 @@ import (
 	"github.com/pomerium/pomerium/internal/urlutil"
 )

-const (
-	// HeaderJWT is the header key containing JWT signed user details.
-	HeaderJWT = "x-pomerium-jwt-assertion"
-	// HeaderUserID is the header key containing the user's id.
-	HeaderUserID = "x-pomerium-authenticated-user-id"
-	// HeaderEmail is the header key containing the user's email.
-	HeaderEmail = "x-pomerium-authenticated-user-email"
-	// HeaderGroups is the header key containing the user's groups.
-	HeaderGroups = "x-pomerium-authenticated-user-groups"
-)
-
 // AuthenticateSession is middleware to enforce a valid authentication
 // session state is retrieved from the users's request context.
 func (p *Proxy) AuthenticateSession(next http.Handler) http.Handler {
@ -34,111 +25,74 @@ func (p *Proxy) AuthenticateSession(next http.Handler) http.Handler {
 		ctx, span := trace.StartSpan(r.Context(), "proxy.AuthenticateSession")
 		defer span.End()

-		_, _, err := sessions.FromContext(ctx)
-		if errors.Is(err, sessions.ErrExpired) {
-			ctx, err = p.refresh(ctx, w, r)
-			if err != nil {
-				log.FromRequest(r).Warn().Err(err).Msg("proxy: refresh failed")
-				return p.redirectToSignin(w, r)
-			}
-			log.FromRequest(r).Info().Msg("proxy: refresh success")
-		} else if err != nil {
+		if _, err := sessions.FromContext(ctx); err != nil {
 			log.FromRequest(r).Debug().Err(err).Msg("proxy: session state")
 			return p.redirectToSignin(w, r)
 		}
-		p.addPomeriumHeaders(w, r)
 		next.ServeHTTP(w, r.WithContext(ctx))
 		return nil
 	})
 }

-func (p *Proxy) refresh(ctx context.Context, w http.ResponseWriter, r *http.Request) (context.Context, error) {
+func (p *Proxy) refresh(ctx context.Context, oldSession string) (string, error) {
 	ctx, span := trace.StartSpan(ctx, "proxy.AuthenticateSession/refresh")
 	defer span.End()
-	s, _, err := sessions.FromContext(ctx)
-	if !errors.Is(err, sessions.ErrExpired) || s == nil {
-		return nil, errors.New("proxy: unexpected session state for refresh")
+	s := &sessions.State{}
+	if err := p.encoder.Unmarshal([]byte(oldSession), s); err != nil {
+		return "", httputil.NewError(http.StatusBadRequest, err)
 	}
+
 	// 1 - build a signed url to call refresh on authenticate service
 	refreshURI := *p.authenticateRefreshURL
 	q := refreshURI.Query()
-	q.Set(urlutil.QueryAccessTokenID, s.AccessTokenID)      // hash value points to parent token
-	q.Set(urlutil.QueryAudience, urlutil.StripPort(r.Host)) // request's audience, this route
+	q.Set(urlutil.QueryAccessTokenID, s.AccessTokenID)          // hash value points to parent token
+	q.Set(urlutil.QueryAudience, strings.Join(s.Audience, ",")) // request's audience, this route
 	refreshURI.RawQuery = q.Encode()
 	signedRefreshURL := urlutil.NewSignedURL(p.SharedKey, &refreshURI).String()

 	// 2 -  http call to authenticate service
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, signedRefreshURL, nil)
 	if err != nil {
-		return nil, fmt.Errorf("proxy: refresh request: %v", err)
+		return "", fmt.Errorf("proxy: refresh request: %v", err)
 	}

 	req.Header.Set("X-Requested-With", "XmlHttpRequest")
 	req.Header.Set("Accept", "application/json")
 	res, err := httputil.DefaultClient.Do(req)
 	if err != nil {
-		return nil, fmt.Errorf("proxy: client err %s: %w", signedRefreshURL, err)
+		return "", fmt.Errorf("proxy: client err %s: %w", signedRefreshURL, err)
 	}
 	defer res.Body.Close()
-	jwtBytes, err := ioutil.ReadAll(io.LimitReader(res.Body, 4<<10))
+	newJwt, err := ioutil.ReadAll(io.LimitReader(res.Body, 4<<10))
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 	// auth couldn't refersh the session, delete the session and reload via 302
 	if res.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("proxy: backend refresh failed: %s", jwtBytes)
+		return "", fmt.Errorf("proxy: backend refresh failed: %s", newJwt)
 	}

-	// 3 - save refreshed session to the client's session store
-	if err = p.sessionStore.SaveSession(w, r, jwtBytes); err != nil {
-		return nil, err
-	}
-	// 4 - add refreshed session to the current request context
-	var state sessions.State
-	if err := p.encoder.Unmarshal(jwtBytes, &state); err != nil {
-		return nil, err
-	}
-	if err := state.Verify(urlutil.StripPort(r.Host)); err != nil {
-		return nil, err
-	}
-	return sessions.NewContext(r.Context(), &state, string(jwtBytes), err), nil
+	return string(newJwt), nil
 }

 func (p *Proxy) redirectToSignin(w http.ResponseWriter, r *http.Request) error {
-	s, _, err := sessions.FromContext(r.Context())
-	p.sessionStore.ClearSession(w, r)
-	if s != nil && err != nil && s.Programmatic {
-		return httputil.NewError(http.StatusUnauthorized, err)
-	}
 	signinURL := *p.authenticateSigninURL
 	q := signinURL.Query()
 	q.Set(urlutil.QueryRedirectURI, urlutil.GetAbsoluteURL(r).String())
 	signinURL.RawQuery = q.Encode()
 	log.FromRequest(r).Debug().Str("url", signinURL.String()).Msg("proxy: redirectToSignin")
 	httputil.Redirect(w, r, urlutil.NewSignedURL(p.SharedKey, &signinURL).String(), http.StatusFound)
+	p.sessionStore.ClearSession(w, r)
 	return nil
 }

-func (p *Proxy) addPomeriumHeaders(w http.ResponseWriter, r *http.Request) {
-	s, _, err := sessions.FromContext(r.Context())
-	if err == nil && s != nil {
-		r.Header.Set(HeaderUserID, s.Subject)
-		r.Header.Set(HeaderEmail, s.RequestEmail())
-		r.Header.Set(HeaderGroups, s.RequestGroups())
-		w.Header().Set(HeaderUserID, s.Subject)
-		w.Header().Set(HeaderEmail, s.RequestEmail())
-		w.Header().Set(HeaderGroups, s.RequestGroups())
-	}
-}
-
 // AuthorizeSession is middleware to enforce a user is authorized for a request.
 // Session state is retrieved from the users's request context.
 func (p *Proxy) AuthorizeSession(next http.Handler) http.Handler {
 	return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 		ctx, span := trace.StartSpan(r.Context(), "proxy.AuthorizeSession")
 		defer span.End()
-		if err := p.authorize(r.WithContext(ctx)); err != nil {
-			log.FromRequest(r).Debug().Err(err).Msg("proxy: AuthorizeSession")
+		if err := p.authorize(w, r); err != nil {
 			return err
 		}
 		next.ServeHTTP(w, r.WithContext(ctx))
@ -146,43 +100,45 @@ func (p *Proxy) AuthorizeSession(next http.Handler) http.Handler {
 	})
 }

-func (p *Proxy) authorize(r *http.Request) error {
-	s, jwt, err := sessions.FromContext(r.Context())
+func (p *Proxy) authorize(w http.ResponseWriter, r *http.Request) error {
+	ctx, span := trace.StartSpan(r.Context(), "proxy.authorize")
+	defer span.End()
+	jwt, err := sessions.FromContext(ctx)
 	if err != nil {
 		return httputil.NewError(http.StatusInternalServerError, err)
 	}
-	authorized, err := p.AuthorizeClient.Authorize(r.Context(), jwt, r)
+	authz, err := p.AuthorizeClient.Authorize(ctx, jwt, r)
 	if err != nil {
-		return err
-	} else if !authorized {
-		return httputil.NewError(http.StatusForbidden, fmt.Errorf("%s is not authorized for %s", s.RequestEmail(), r.Host))
+		return httputil.NewError(http.StatusInternalServerError, err)
 	}
-	return nil
-}
+	if authz.GetSessionExpired() {
+		newJwt, err := p.refresh(ctx, jwt)
+		if err != nil {
+			p.sessionStore.ClearSession(w, r)
+			log.FromRequest(r).Warn().Err(err).Msg("proxy: refresh failed")
+			return p.redirectToSignin(w, r)
+		}
+		if err = p.sessionStore.SaveSession(w, r, newJwt); err != nil {
+			return httputil.NewError(http.StatusUnauthorized, err)
+		}

-// SignRequest is middleware that signs a JWT that contains a user's id,
-// email, and group. Session state is retrieved from the users's request context
-func (p *Proxy) SignRequest(signer encoding.Marshaler) func(next http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-			ctx, span := trace.StartSpan(r.Context(), "proxy.SignRequest")
-			defer span.End()
-			s, _, err := sessions.FromContext(r.Context())
-			if err != nil {
-				return httputil.NewError(http.StatusForbidden, err)
-			}
-			newSession := s.NewSession(r.Host, []string{r.Host})
-			jwt, err := signer.Marshal(newSession.RouteSession())
-			if err != nil {
-				log.FromRequest(r).Error().Err(err).Msg("proxy: failed signing jwt")
-			} else {
-				r.Header.Set(HeaderJWT, string(jwt))
-				w.Header().Set(HeaderJWT, string(jwt))
-			}
-			next.ServeHTTP(w, r.WithContext(ctx))
-			return nil
-		})
+		authz, err = p.AuthorizeClient.Authorize(ctx, newJwt, r)
+		if err != nil {
+			return httputil.NewError(http.StatusUnauthorized, err)
+		}
 	}
+	if !authz.GetAllow() {
+		log.FromRequest(r).Warn().
+			Strs("reason", authz.GetDenyReasons()).
+			Bool("allow", authz.GetAllow()).
+			Bool("expired", authz.GetSessionExpired()).
+			Msg("proxy/authorize: deny")
+		return httputil.NewError(http.StatusUnauthorized, errors.New("request denied"))
+	}
+
+	r.Header.Set(httputil.HeaderPomeriumJWTAssertion, authz.GetSignedJwt())
+	w.Header().Set(httputil.HeaderPomeriumJWTAssertion, authz.GetSignedJwt())
+	return nil
 }

 // SetResponseHeaders sets a map of response headers.
@ -198,3 +154,26 @@ func SetResponseHeaders(headers map[string]string) func(next http.Handler) http.
 		})
 	}
 }
+
+func (p *Proxy) userDetailsLoggerMiddleware(next http.Handler) http.Handler {
+	return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
+		if jwt, err := sessions.FromContext(r.Context()); err == nil {
+			var s sessions.State
+			if err := p.encoder.Unmarshal([]byte(jwt), &s); err == nil {
+				l := log.Ctx(r.Context())
+				l.UpdateContext(func(c zerolog.Context) zerolog.Context {
+					return c.Strs("groups", s.Groups)
+				})
+				l.UpdateContext(func(c zerolog.Context) zerolog.Context {
+					return c.Str("email", s.Email)
+				})
+				l.UpdateContext(func(c zerolog.Context) zerolog.Context {
+					return c.Str("user-id", s.User)
+				})
+			}
+		}
+		next.ServeHTTP(w, r)
+		return nil
+	})
+
+}