envoy: Initial changes

This commit is contained in:
Travis Groth 2020-05-18 16:34:31 -04:00
parent 8f78497e99
commit 99e788a9b4
107 changed files with 2542 additions and 3322 deletions


@ -107,7 +107,6 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
if uriString == "" {
if r.Header.Get(httputil.HeaderForwardedProto) == "" || r.Header.Get(httputil.HeaderForwardedHost) == "" {
return httputil.NewError(http.StatusBadRequest, errors.New("no uri to validate"))
}
uriString = r.Header.Get(httputil.HeaderForwardedProto) + "://" + r.Header.Get(httputil.HeaderForwardedHost)
}
@ -116,32 +115,38 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
if err != nil {
return httputil.NewError(http.StatusBadRequest, err)
}
originalRequest := p.getOriginalRequest(r, uri)
authz, err := p.authorize(w, originalRequest)
original := p.getOriginalRequest(r, uri)
authorized, err := p.isAuthorized(original)
if err != nil {
// no session, so redirect
if _, err := sessions.FromContext(r.Context()); err != nil {
if verifyOnly {
return httputil.NewError(http.StatusUnauthorized, err)
}
authN := *p.authenticateSigninURL
q := authN.Query()
q.Set(urlutil.QueryCallbackURI, uri.String())
q.Set(urlutil.QueryRedirectURI, uri.String()) // final destination
q.Set(urlutil.QueryForwardAuth, urlutil.StripPort(r.Host)) // add fwd auth to trusted audience
authN.RawQuery = q.Encode()
httputil.Redirect(w, r, urlutil.NewSignedURL(p.SharedKey, &authN).String(), http.StatusFound)
return nil
}
return err
return httputil.NewError(http.StatusBadRequest, err)
}
w.Header().Set(httputil.HeaderPomeriumJWTAssertion, authz.GetSignedJwt())
if authorized {
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, "Access to %s is allowed.", uri.Host)
return nil
}
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, "Access to %s is allowed.", uri.Host)
_, err = sessions.FromContext(r.Context())
hasSession := err == nil
if hasSession {
return httputil.NewError(http.StatusForbidden, errors.New("access denied"))
}
if verifyOnly {
return httputil.NewError(http.StatusUnauthorized, err)
}
// redirect to authenticate
authN := *p.authenticateSigninURL
q := authN.Query()
q.Set(urlutil.QueryCallbackURI, uri.String())
q.Set(urlutil.QueryRedirectURI, uri.String()) // final destination
q.Set(urlutil.QueryForwardAuth, urlutil.StripPort(r.Host)) // add fwd auth to trusted audience
authN.RawQuery = q.Encode()
httputil.Redirect(w, r, urlutil.NewSignedURL(p.SharedKey, &authN).String(), http.StatusFound)
return nil
})
}
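Review bot: The new `if err != nil` branch after `p.isAuthorized(original)` maps every error to `http.StatusBadRequest`, but an error from the authorization check is most likely a failure on the server side (the authorize backend being unreachable, for example) rather than a malformed client request, so the caller is told it sent a bad request and retries get no useful signal; the old code returned `err` unchanged. A 5xx is the more accurate mapping, e.g. `return httputil.NewError(http.StatusInternalServerError, err)`, with a short comment above it such as `// authorization lookup failed, not a client error`. Separately, the allowed path no longer sets `httputil.HeaderPomeriumJWTAssertion` on the response, which the removed line did via `authz.GetSignedJwt()`; if forward-auth callers forward that header to the upstream, this is a behavioral change that should at least be called out in the commit message, assuming it is intentional. The enclosing Verify handler starts before this hunk.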