envoy: Initial changes

2025-05-10 23:57:34 +02:00 · 2020-05-18 16:34:31 -04:00 · 2020-05-18 16:34:31 -04:00 · 99e788a9b4
commit 99e788a9b4
parent 8f78497e99
107 changed files with 2542 additions and 3322 deletions
--- a/proxy/middleware.go
+++ b/proxy/middleware.go
@ -1,18 +1,16 @@
 package proxy

 import (
-	"context"
-	"errors"
 	"fmt"
-	"io"
-	"io/ioutil"
 	"net/http"
 	"strings"
+	"time"

+	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
+	"github.com/golang/protobuf/ptypes"
 	"github.com/gorilla/mux"
 	"github.com/rs/zerolog"

-	"github.com/pomerium/pomerium/internal/grpc/authorize"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
@ -36,47 +34,6 @@ func (p *Proxy) AuthenticateSession(next http.Handler) http.Handler {
 	})
 }

-func (p *Proxy) refresh(ctx context.Context, oldSession string) (string, error) {
-	ctx, span := trace.StartSpan(ctx, "proxy.AuthenticateSession/refresh")
-	defer span.End()
-	s := &sessions.State{}
-	if err := p.encoder.Unmarshal([]byte(oldSession), s); err != nil {
-		return "", httputil.NewError(http.StatusBadRequest, err)
-	}
-
-	// 1 - build a signed url to call refresh on authenticate service
-	refreshURI := *p.authenticateRefreshURL
-	q := refreshURI.Query()
-	q.Set(urlutil.QueryAccessTokenID, s.AccessTokenID)          // hash value points to parent token
-	q.Set(urlutil.QueryAudience, strings.Join(s.Audience, ",")) // request's audience, this route
-	refreshURI.RawQuery = q.Encode()
-	signedRefreshURL := urlutil.NewSignedURL(p.SharedKey, &refreshURI).String()
-
-	// 2 -  http call to authenticate service
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, signedRefreshURL, nil)
-	if err != nil {
-		return "", fmt.Errorf("proxy: refresh request: %v", err)
-	}
-
-	req.Header.Set("X-Requested-With", "XmlHttpRequest")
-	req.Header.Set("Accept", "application/json")
-	res, err := httputil.DefaultClient.Do(req)
-	if err != nil {
-		return "", fmt.Errorf("proxy: client err %s: %w", signedRefreshURL, err)
-	}
-	defer res.Body.Close()
-	newJwt, err := ioutil.ReadAll(io.LimitReader(res.Body, 4<<10))
-	if err != nil {
-		return "", err
-	}
-	// auth couldn't refersh the session, delete the session and reload via 302
-	if res.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("proxy: backend refresh failed: %s", newJwt)
-	}
-
-	return string(newJwt), nil
-}
-
 func (p *Proxy) redirectToSignin(w http.ResponseWriter, r *http.Request) error {
 	signinURL := *p.authenticateSigninURL
 	q := signinURL.Query()
@ -88,61 +45,46 @@ func (p *Proxy) redirectToSignin(w http.ResponseWriter, r *http.Request) error {
 	return nil
 }

-// AuthorizeSession is middleware to enforce a user is authorized for a request.
-// Session state is retrieved from the users's request context.
-func (p *Proxy) AuthorizeSession(next http.Handler) http.Handler {
-	return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-		ctx, span := trace.StartSpan(r.Context(), "proxy.AuthorizeSession")
-		defer span.End()
-		authz, err := p.authorize(w, r)
-		if err != nil {
-			return err
-		}
-
-		r.Header.Set(httputil.HeaderPomeriumJWTAssertion, authz.GetSignedJwt())
-		next.ServeHTTP(w, r.WithContext(ctx))
-		return nil
-	})
-}
-
-func (p *Proxy) authorize(w http.ResponseWriter, r *http.Request) (*authorize.IsAuthorizedReply, error) {
-	ctx, span := trace.StartSpan(r.Context(), "proxy.authorize")
-	defer span.End()
-
-	jwt, _ := sessions.FromContext(ctx)
-
-	authz, err := p.AuthorizeClient.Authorize(ctx, jwt, r)
+func (p *Proxy) isAuthorized(r *http.Request) (bool, error) {
+	tm, err := ptypes.TimestampProto(time.Now())
 	if err != nil {
-		return nil, httputil.NewError(http.StatusInternalServerError, err)
+		return false, httputil.NewError(http.StatusInternalServerError, fmt.Errorf("error creating protobuf timestamp from current time: %w", err))
 	}

-	if authz.GetSessionExpired() {
-		newJwt, err := p.refresh(ctx, jwt)
-		if err != nil {
-			p.sessionStore.ClearSession(w, r)
-			log.FromRequest(r).Warn().Err(err).Msg("proxy: refresh failed")
-			return nil, p.redirectToSignin(w, r)
-		}
-		if err = p.sessionStore.SaveSession(w, r, newJwt); err != nil {
-			return nil, httputil.NewError(http.StatusUnauthorized, err)
-		}
-
-		authz, err = p.AuthorizeClient.Authorize(ctx, newJwt, r)
-		if err != nil {
-			return nil, httputil.NewError(http.StatusUnauthorized, err)
+	httpAttrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{
+		Method:   "GET",
+		Headers:  map[string]string{},
+		Path:     r.URL.Path,
+		Host:     r.URL.Host,
+		Scheme:   r.URL.Scheme,
+		Fragment: r.URL.Fragment,
+	}
+	for k := range r.Header {
+		httpAttrs.Headers[k] = r.Header.Get(k)
+		if r.URL.RawQuery != "" {
+			// envoy expects the query string in the path
+			httpAttrs.Path += "?" + r.URL.RawQuery
 		}
 	}
-	if !authz.GetAllow() {
-		log.FromRequest(r).Warn().
-			Strs("reason", authz.GetDenyReasons()).
-			Bool("allow", authz.GetAllow()).
-			Bool("expired", authz.GetSessionExpired()).
-			Msg("proxy/authorize: deny")
-		return nil, httputil.NewError(http.StatusForbidden, errors.New("request denied"))
+
+	res, err := p.authzClient.Check(r.Context(), &envoy_service_auth_v2.CheckRequest{
+		Attributes: &envoy_service_auth_v2.AttributeContext{
+			Request: &envoy_service_auth_v2.AttributeContext_Request{
+				Time: tm,
+				Http: httpAttrs,
+			},
+		},
+	})
+	if err != nil {
+		return false, httputil.NewError(http.StatusInternalServerError, err)
 	}

-	return authz, nil
-
+	switch res.HttpResponse.(type) {
+	case *envoy_service_auth_v2.CheckResponse_OkResponse:
+		return true, nil
+	default:
+		return false, nil
+	}
 }

 // SetResponseHeaders sets a map of response headers.