mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-12 08:37:38 +02:00
Added gif to the readme.
Simplified, and de-duplicated many of the configuration settings. Removed configuration settings that could be deduced from other settings. Added some basic documentation. Removed the (duplicate?) user email domain validation check in proxy. Removed the ClientID middleware check. Added a shared key option to be used as a PSK instead of using the IDPs ClientID and ClientSecret. Removed the CookieSecure setting as we only support secure. Added a letsencrypt script to generate a wildcard certificate. Removed the argument in proxy's constructor that allowed arbitrary fucntions to be passed in as validators. Updated proxy's authenticator client to match the server implementation of just using a PSK. Moved debug-mode logging into the log package. Removed unused approval prompt setting. Fixed a bug where identity provider urls were hardcoded. Removed a bunch of unit tests. There have been so many changes many of these tests don't make sense and will need to be re-thought.
This commit is contained in:
Bobby DeSimone
parent
52a87b6e46
commit
90ab756de1
40 changed files with 409 additions and 1440 deletions
|
|
@ -40,47 +40,26 @@ func WithMethods(f http.HandlerFunc, methods ...string) http.HandlerFunc {
|
|||
}
|
||||
}
|
||||
|
||||
// ValidateClientID checks the request body or url for the client id and returns an error
|
||||
// if it does not match the proxy client id
|
||||
func ValidateClientID(f http.HandlerFunc, proxyClientID string) http.HandlerFunc {
|
||||
return func(rw http.ResponseWriter, req *http.Request) {
|
||||
// try to get the client id from the request body
|
||||
err := req.ParseForm()
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(rw, req, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
clientID := req.FormValue("client_id")
|
||||
if clientID == "" {
|
||||
// try to get the clientID from the query parameters
|
||||
clientID = req.URL.Query().Get("client_id")
|
||||
}
|
||||
|
||||
if clientID != proxyClientID {
|
||||
httputil.ErrorResponse(rw, req, "Invalid client_id parameter", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
f(rw, req)
|
||||
}
|
||||
}
|
||||
|
||||
// ValidateClientSecret checks the request header for the client secret and returns
|
||||
// an error if it does not match the proxy client secret
|
||||
func ValidateClientSecret(f http.HandlerFunc, proxyClientSecret string) http.HandlerFunc {
|
||||
func ValidateClientSecret(f http.HandlerFunc, sharedSecret string) http.HandlerFunc {
|
||||
return func(rw http.ResponseWriter, req *http.Request) {
|
||||
err := req.ParseForm()
|
||||
if err != nil {
|
||||
httputil.ErrorResponse(rw, req, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
clientSecret := req.Form.Get("client_secret")
|
||||
clientSecret := req.Form.Get("shared_secret")
|
||||
// check the request header for the client secret
|
||||
if clientSecret == "" {
|
||||
clientSecret = req.Header.Get("X-Client-Secret")
|
||||
}
|
||||
if clientSecret != proxyClientSecret {
|
||||
log.Error().Str("clientSecret", clientSecret).Str("proxyClientSecret", proxyClientSecret).Msg("oh")
|
||||
|
||||
if clientSecret != sharedSecret {
|
||||
log.Error().
|
||||
Str("clientSecret", clientSecret).
|
||||
Str("sharedSecret", sharedSecret).
|
||||
Msg("middleware.ValidateClientSecret")
|
||||
httputil.ErrorResponse(rw, req, "Invalid client secret", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
|
@ -122,7 +101,7 @@ func validRedirectURI(uri string, rootDomains []string) bool {
|
|||
|
||||
// ValidateSignature ensures the request is valid and has been signed with
|
||||
// the correspdoning client secret key
|
||||
func ValidateSignature(f http.HandlerFunc, proxyClientSecret string) http.HandlerFunc {
|
||||
func ValidateSignature(f http.HandlerFunc, sharedSecret string) http.HandlerFunc {
|
||||
return func(rw http.ResponseWriter, req *http.Request) {
|
||||
err := req.ParseForm()
|
||||
if err != nil {
|
||||
|
|
@ -132,7 +111,7 @@ func ValidateSignature(f http.HandlerFunc, proxyClientSecret string) http.Handle
|
|||
redirectURI := req.Form.Get("redirect_uri")
|
||||
sigVal := req.Form.Get("sig")
|
||||
timestamp := req.Form.Get("ts")
|
||||
if !validSignature(redirectURI, sigVal, timestamp, proxyClientSecret) {
|
||||
if !validSignature(redirectURI, sigVal, timestamp, sharedSecret) {
|
||||
httputil.ErrorResponse(rw, req, "Invalid redirect parameter", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
|
@ -154,6 +133,7 @@ func ValidateHost(h http.Handler, mux map[string]*http.Handler) http.Handler {
|
|||
|
||||
// RequireHTTPS reroutes a HTTP request to HTTPS
|
||||
// todo(bdd) : this is unreliable unless behind another reverser proxy
|
||||
// todo(bdd) : header age seems extreme
|
||||
func RequireHTTPS(h http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
||||
rw.Header().Set("Strict-Transport-Security", "max-age=31536000")
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue